fix: agent - eBPF Fix the process matcher handling for UPROBE

deepflowio · Sep 26, 2024 · a091ca1 · a091ca1
1 parent 3fcd933
commit a091ca1
Show file tree

Hide file tree

Showing 11 changed files with 168 additions and 89 deletions.
diff --git a/agent/src/ebpf/test/test_match_pids.c b/agent/src/ebpf/test/test_match_pids.c
@@ -49,28 +49,31 @@ int main(void)
 	log_to_stdout = true;
 	init_match_pids_hash();
 	int pids[10] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
-	int ret = set_feature_pids(FEATURE_PROFILE_ONCPU, pids,
-				   sizeof(pids) / sizeof(pids[0]));
-	printf("  FEATURE_PROFILE_ONCPU set_feature_pids ret : %d\n", ret);
+	int ret = exec_set_feature_pids(FEATURE_PROFILE_ONCPU, pids,
+					sizeof(pids) / sizeof(pids[0]));
+	printf("  FEATURE_PROFILE_ONCPU exec_set_feature_pids ret : %d\n", ret);
 	ret =
-	    set_feature_pids(FEATURE_PROFILE_OFFCPU, pids,
-			     sizeof(pids) / sizeof(pids[0]));
-	printf("  FEATURE_PROFILE_OFFCPU set_feature_pids ret : %d\n", ret);
+	    exec_set_feature_pids(FEATURE_PROFILE_OFFCPU, pids,
+				  sizeof(pids) / sizeof(pids[0]));
+	printf("  FEATURE_PROFILE_OFFCPU exec_set_feature_pids ret : %d\n",
+	       ret);
 	{
 		int pids[] = { 11, 12, 34, 2000 };
 		ret =
-		    set_feature_pids(FEATURE_PROFILE_ONCPU, pids,
-				     sizeof(pids) / sizeof(pids[0]));
-		printf("  FEATURE_PROFILE_ONCPU set_feature_pids ret : %d\n",
-		       ret);
+		    exec_set_feature_pids(FEATURE_PROFILE_ONCPU, pids,
+					  sizeof(pids) / sizeof(pids[0]));
+		printf
+		    ("  FEATURE_PROFILE_ONCPU exec_set_feature_pids ret : %d\n",
+		     ret);
 	}
 	{
 		int pids[] = { 1 };
 		ret =
-		    set_feature_pids(FEATURE_PROFILE_ONCPU, pids,
-				     sizeof(pids) / sizeof(pids[0]));
-		printf("  FEATURE_PROFILE_ONCPU set_feature_pids ret : %d\n",
-		       ret);
+		    exec_set_feature_pids(FEATURE_PROFILE_ONCPU, pids,
+					  sizeof(pids) / sizeof(pids[0]));
+		printf
+		    ("  FEATURE_PROFILE_ONCPU exec_set_feature_pids ret : %d\n",
+		     ret);
 		count = 0;
 		print_match_pids_hash();
 	}

diff --git a/agent/src/ebpf/user/go_tracer.c b/agent/src/ebpf/user/go_tracer.c
@@ -58,6 +58,7 @@ struct process_event {
 	uint8_t type;		// EVENT_TYPE_PROC_EXEC or EVENT_TYPE_PROC_EXIT
 	char *path;		// Full path "/proc/<pid>/root/..."
 	int pid;		// Process ID
+	uint64_t stime;		// The start time of the process
 	uint32_t expire_time;	// Expiration Date, the number of seconds since the system started.
 };
 /* *INDENT-ON* */
@@ -744,10 +745,6 @@ int collect_go_uprobe_syms_from_procfs(struct tracer_probes_conf *conf)
 	struct dirent *entry = NULL;
 	DIR *fddir = NULL;
 
-	init_list_head(&proc_events_head);
-	init_list_head(&proc_info_head);
-	pthread_mutex_init(&mutex_proc_events_lock, NULL);
-
 	if (!is_feature_enabled(FEATURE_UPROBE_GOLANG))
 		return ETR_OK;
 
@@ -1018,6 +1015,7 @@ static void add_event_to_proc_header(struct bpf_tracer *tracer, int pid,
 	pe->path = path;
 	pe->pid = pid;
 	pe->type = type;
+	pe->stime = get_process_starttime(pid);
 	pe->expire_time = get_sys_uptime() + PROC_EVENT_DELAY_HANDLE_DEF;
 
 	pthread_mutex_lock(&mutex_proc_events_lock);
@@ -1036,9 +1034,6 @@ void go_process_exec(int pid)
 	if (tracer == NULL)
 		return;
 
-	if (tracer->state != TRACER_RUNNING)
-		return;
-
 	if (tracer->probes_count > OPEN_FILES_MAX) {
 		ebpf_warning("Probes count too many. The maximum is %d\n",
 			     OPEN_FILES_MAX);
@@ -1062,9 +1057,6 @@ void go_process_exit(int pid)
 	if (tracer == NULL)
 		return;
 
-	if (tracer->state != TRACER_RUNNING)
-		return;
-
 	process_exit_handle(pid, tracer);
 }
 
@@ -1098,6 +1090,12 @@ void go_process_events_handle(void)
 			free(pe->path);
 			free(pe);
 			pthread_mutex_unlock(&mutex_proc_events_lock);
+			// Confirm whether the process has changed?
+			if (pe->stime != get_process_starttime(pid)) {
+				free(path);
+				continue;
+			}
+
 			if (type == EVENT_TYPE_PROC_EXEC) {
 				if (access(path, F_OK) == 0) {
 					process_execute_handle(pid, tracer);
@@ -1111,3 +1109,19 @@ void go_process_events_handle(void)
 		}
 	} while (true);
 }
+
+void golang_trace_handle(int pid, enum match_pids_act act)
+{
+	if (act == MATCH_PID_ADD) {
+		go_process_exec(pid);
+	} else {
+		go_process_exit(pid);
+	}
+}
+
+void golang_trace_init(void)
+{
+	init_list_head(&proc_events_head);
+	init_list_head(&proc_info_head);
+	pthread_mutex_init(&mutex_proc_events_lock, NULL);
+}
diff --git a/agent/src/ebpf/user/go_tracer.h b/agent/src/ebpf/user/go_tracer.h
@@ -47,4 +47,6 @@ void update_proc_info_to_map(struct bpf_tracer *tracer);
 void go_process_exec(int pid);
 void go_process_exit(int pid);
 void go_process_events_handle(void);
+void golang_trace_handle(int pid, enum match_pids_act act);
+void golang_trace_init(void);
 #endif
diff --git a/agent/src/ebpf/user/proc.c b/agent/src/ebpf/user/proc.c
@@ -1041,12 +1041,12 @@ void add_event_to_proc_list(proc_event_list_t *list, struct bpf_tracer *tracer,
 
 	event->tracer = tracer;
 	event->pid = pid;
+	event->stime = get_process_starttime(pid);
 	event->expire_time = get_sys_uptime() + PROC_EVENT_HANDLE_DELAY;
 
 	pthread_mutex_lock(&list->m);
 	list_add_tail(&event->list, &list->head);
 	pthread_mutex_unlock(&list->m);
-	return;
 }
 
 struct process_create_event *get_first_event(proc_event_list_t *list)

diff --git a/agent/src/ebpf/user/proc.h b/agent/src/ebpf/user/proc.h
@@ -203,6 +203,7 @@ bool process_probing_check(int pid);
 struct process_create_event {
 	struct list_head list;
 	int pid;
+	uint64_t stime; // Process start time
 	uint32_t expire_time;
 	struct bpf_tracer *tracer;
 };

diff --git a/agent/src/ebpf/user/socket.c b/agent/src/ebpf/user/socket.c
@@ -329,10 +329,6 @@ static void socket_tracer_set_probes(struct tracer_probes_conf *tps)
 		config_probes_for_kfunc(tps);
 	else
 		config_probes_for_kprobe_and_tracepoint(tps);
-
-	// 收集go可执行文件uprobe符号信息
-	collect_go_uprobe_syms_from_procfs(tps);
-	collect_ssl_uprobe_syms_from_procfs(tps);
 }
 
 /* ==========================================================
@@ -748,17 +744,11 @@ static void process_event(struct process_event_t *e)
 		if (e->maybe_thread && !is_user_process(e->pid))
 			return;
 		update_proc_info_cache(e->pid, PROC_EXEC);
-		go_process_exec(e->pid);
-		ssl_process_exec(e->pid);
-		extended_process_exec(e->pid);
 		unwind_process_exec(e->pid);
 	} else if (e->meta.event_type == EVENT_TYPE_PROC_EXIT) {
 		/* Cache for updating process information used in
 		 * symbol resolution. */
 		update_proc_info_cache(e->pid, PROC_EXIT);
-		go_process_exit(e->pid);
-		ssl_process_exit(e->pid);
-		extended_process_exit(e->pid);
 		unwind_process_exit(e->pid);
 	}
 }
@@ -2119,10 +2109,7 @@ static void reconfig_load_resources(struct bpf_tracer *tracer, char *load_name,
 	for (i = 0; i < tps->kfuncs_nr; i++)
 		free(tps->kfuncs[i].name);
 	tps->kfuncs_nr = 0;
-	if (g_k_type == K_TYPE_KFUNC)
-		config_probes_for_kfunc(tps);
-	else
-		config_probes_for_kprobe_and_tracepoint(tps);
+	socket_tracer_set_probes(tps);
 }
 
 /**
@@ -2209,7 +2196,8 @@ int running_socket_tracer(tracer_callback_t handle,
 	memset(tps, 0, sizeof(*tps));
 	init_list_head(&tps->uprobe_syms_head);
 	socket_tracer_set_probes(tps);
-
+	golang_trace_init();
+	openssl_trace_init();
 	create_and_init_proc_info_caches();
 
 	struct bpf_tracer *tracer =
@@ -2313,9 +2301,6 @@ int running_socket_tracer(tracer_callback_t handle,
 
 	tracer->data_limit_max = socket_data_limit_max;
 
-	// Update go offsets to eBPF "proc_info_map"
-	update_proc_info_to_map(tracer);
-
 	// Insert prog of output data into map for using BPF Tail Calls.
 	insert_output_prog_to_map(tracer);
 
@@ -3146,3 +3131,11 @@ int disable_syscall_trace_id(void)
 	ebpf_info("Disable tracing feature.\n");
 	return 0;
 }
+
+void uprobe_match_pid_handle(int feat, int pid, enum match_pids_act act)
+{
+	if (feat == FEATURE_UPROBE_GOLANG)
+		golang_trace_handle(pid, act);
+	else if (feat == FEATURE_UPROBE_OPENSSL)
+		openssl_trace_handle(pid, act);
+}
diff --git a/agent/src/ebpf/user/socket.h b/agent/src/ebpf/user/socket.h
@@ -415,4 +415,5 @@ int disable_syscall_trace_id(void);
  */
 void config_probe(struct tracer_probes_conf *tps, int type, const char *fn,
 		  const char *tp_name, bool is_exit);
+void uprobe_match_pid_handle(int feat, int pid, enum match_pids_act act);
 #endif /* DF_USER_SOCKET_H */
diff --git a/agent/src/ebpf/user/ssl_tracer.c b/agent/src/ebpf/user/ssl_tracer.c
@@ -30,6 +30,7 @@
 
 static proc_event_list_t proc_events;
 
+/* *INDENT-OFF* */
 static struct symbol symbols[] = {
 	{
 		.type = OPENSSL_UPROBE,
@@ -56,6 +57,7 @@ static struct symbol symbols[] = {
 		.is_probe_ret = true,
 	},
 };
+/* *INDENT-ON* */
 
 static void openssl_parse_and_register(int pid, struct tracer_probes_conf *conf)
 {
@@ -72,7 +74,8 @@ static void openssl_parse_and_register(int pid, struct tracer_probes_conf *conf)
 		goto out;
 
 	ebpf_info("openssl uprobe, pid:%d, path:%s\n", pid, path);
-	add_probe_sym_to_tracer_probes(pid, path, conf, symbols, NELEMS(symbols));
+	add_probe_sym_to_tracer_probes(pid, path, conf, symbols,
+				       NELEMS(symbols));
 
 out:
 	free(path);
@@ -85,7 +88,7 @@ static void clear_ssl_probes_by_pid(struct bpf_tracer *tracer, int pid)
 	struct list_head *p, *n;
 	struct symbol_uprobe *sym_uprobe;
 
-	list_for_each_safe (p, n, &tracer->probes_head) {
+	list_for_each_safe(p, n, &tracer->probes_head) {
 		probe = container_of(p, struct probe, list);
 		if (!(probe->type == UPROBE && probe->private_data != NULL))
 			continue;
@@ -116,13 +119,11 @@ int collect_ssl_uprobe_syms_from_procfs(struct tracer_probes_conf *conf)
 		return ETR_OK;
 
 	if (!kernel_version_check()) {
-		ebpf_warning("Uprobe openssl requires Linux version 4.17+ or Linux 3.10.0\n");
+		ebpf_warning
+		    ("Uprobe openssl requires Linux version 4.17+ or Linux 3.10.0\n");
 		return ETR_OK;
 	}
 
-	init_list_head(&proc_events.head);
-	pthread_mutex_init(&proc_events.m, NULL);
-
 	fddir = opendir("/proc/");
 	if (!fddir) {
 		ebpf_warning("Failed to open %s.\n");
@@ -163,9 +164,6 @@ void ssl_process_exec(int pid)
 	if (tracer == NULL)
 		return;
 
-	if (tracer->state != TRACER_RUNNING)
-		return;
-
 	if (tracer->probes_count > OPEN_FILES_MAX) {
 		ebpf_warning("Probes count too many. The maximum is %d\n",
 			     OPEN_FILES_MAX);
@@ -189,9 +187,6 @@ void ssl_process_exit(int pid)
 	if (tracer == NULL)
 		return;
 
-	if (tracer->state != TRACER_RUNNING)
-		return;
-
 	pthread_mutex_lock(&tracer->mutex_probes_lock);
 	clear_ssl_probes_by_pid(tracer, pid);
 	pthread_mutex_unlock(&tracer->mutex_probes_lock);
@@ -210,6 +205,9 @@ void ssl_events_handle(void)
 		if (get_sys_uptime() < event->expire_time)
 			break;
 
+		if (event->stime != get_process_starttime(event->pid))
+			goto next;
+
 		tracer = event->tracer;
 		if (tracer) {
 			pthread_mutex_lock(&tracer->mutex_probes_lock);
@@ -219,8 +217,24 @@ void ssl_events_handle(void)
 			pthread_mutex_unlock(&tracer->mutex_probes_lock);
 		}
 
+	next:
 		remove_event(&proc_events, event);
 		free(event);
 
 	} while (true);
 }
+
+void openssl_trace_handle(int pid, enum match_pids_act act)
+{
+	if (act == MATCH_PID_ADD) {
+		ssl_process_exec(pid);
+	} else {
+		ssl_process_exit(pid);
+	}
+}
+
+void openssl_trace_init(void)
+{
+	init_list_head(&proc_events.head);
+	pthread_mutex_init(&proc_events.m, NULL);
+}
diff --git a/agent/src/ebpf/user/ssl_tracer.h b/agent/src/ebpf/user/ssl_tracer.h
@@ -30,5 +30,6 @@ void ssl_events_handle(void);
 
 // Process exit, reclaim resources
 void ssl_process_exit(int pid);
-
+void openssl_trace_handle(int pid, enum match_pids_act act);
+void openssl_trace_init(void);
 #endif