[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240410085428.53093333cf4d768d6b420a11@kernel.org>
Date: Wed, 10 Apr 2024 08:54:28 +0900
From: Masami Hiramatsu (Google) <mhiramat@...nel.org>
To: Marco Elver <elver@...gle.com>
Cc: Steven Rostedt <rostedt@...dmis.org>, Eric Biederman
<ebiederm@...ssion.com>, Kees Cook <keescook@...omium.org>, Alexander Viro
<viro@...iv.linux.org.uk>, Christian Brauner <brauner@...nel.org>, Jan Kara
<jack@...e.cz>, Masami Hiramatsu <mhiramat@...nel.org>, Mathieu Desnoyers
<mathieu.desnoyers@...icios.com>, linux-mm@...ck.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-trace-kernel@...r.kernel.org, Dmitry Vyukov <dvyukov@...gle.com>
Subject: Re: [PATCH] tracing: Add new_exec tracepoint
On Tue, 9 Apr 2024 16:45:47 +0200
Marco Elver <elver@...gle.com> wrote:
> On Tue, 9 Apr 2024 at 16:31, Steven Rostedt <rostedt@...dmis.org> wrote:
> >
> > On Mon, 8 Apr 2024 11:01:54 +0200
> > Marco Elver <elver@...gle.com> wrote:
> >
> > > Add "new_exec" tracepoint, which is run right after the point of no
> > > return but before the current task assumes its new exec identity.
> > >
> > > Unlike the tracepoint "sched_process_exec", the "new_exec" tracepoint
> > > runs before flushing the old exec, i.e. while the task still has the
> > > original state (such as original MM), but when the new exec either
> > > succeeds or crashes (but never returns to the original exec).
> > >
> > > Being able to trace this event can be helpful in a number of use cases:
> > >
> > > * allowing tracing eBPF programs access to the original MM on exec,
> > > before current->mm is replaced;
> > > * counting exec in the original task (via perf event);
> > > * profiling flush time ("new_exec" to "sched_process_exec").
> > >
> > > Example of tracing output ("new_exec" and "sched_process_exec"):
> >
> > How common is this? And can't you just do the same with adding a kprobe?
>
> Our main use case would be to use this in BPF programs to become
> exec-aware, where using the sched_process_exec hook is too late. This
> is particularly important where the BPF program must stop inspecting
> the user space's VM when the task does exec to become a new process.
Just out of curiousity, would you like to audit that the user-program
is not malformed? (security tracepoint?) I think that is an interesting
idea. What kind of information you need?
>
> kprobe (or BPF's fentry) is brittle here, because begin_new_exec()'s
> permission check can still return an error which returns to the
> original task without crashing. Only at the point of no return are we
> guaranteed that the exec either succeeds, or the task is terminated on
> failure.
Just a note: That is BPF limitation, kprobe and kprobe events can put
a probe in the function body, but that is not supported on BPF (I guess
because it depends on kernel debuginfo.) You can add kprobe-event using
"perf probe" tool.
Thank you,
>
> I don't know if "common" is the right question here, because it's a
> chicken-egg problem: no tracepoint, we give up; we have the
> tracepoint, it unlocks a range of new use cases (that require robust
> solution to make BPF programs exec-aware, and a tracepoint is the only
> option IMHO).
>
> Thanks,
> -- Marco
--
Masami Hiramatsu (Google) <mhiramat@...nel.org>
Powered by blists - more mailing lists