forked from aquasecurity/tracee
[pull] main from aquasecurity:main #154
Merged
This considers the size of the types based on vmlinux.h.
io_destroy, io_getevents, io_submit and io_cancel were using an inexistent type for ctx_id. The same for io_setup's ctx_idp parameter.
When parseArgument() fails, an error message should be printed to help debugging.
When unable to locate a syscall symbol, instead of printing an error and terminating the hook checker goroutine, be more graceful: print a warning and skip the hook check only for the specific syscall.
On startup, there could be a case where a kernel module is being loaded before the hidden kernel module initialization function is called and finished.
Running tool: /home/gg/.goenv/versions/1.22.4/bin/go test -benchmem -run=^$ -tags ebpf -bench ^Benchmark_newProcStatus$ github.com/aquasecurity/tracee/pkg/utils/proc -benchtime=10000000x

goos: linux
goarch: amd64
pkg: github.com/aquasecurity/tracee/pkg/utils/proc
cpu: AMD Ryzen 9 7950X 16-Core Processor
Benchmark_newProcStatus-32    10000000    13203 ns/op    17851 B/op    137 allocs/op
PASS
ok    github.com/aquasecurity/tracee/pkg/utils/proc    132.033s
This short-circuits the status parsing by avoiding fully parsing all status fields. It also makes ProcStatus a concrete type that contains only the fields we are interested in, which reduces the memory footprint. To reduce the size of the function it now uses a map to look up the field handler functions.

---

Running tool: /home/gg/.goenv/versions/1.22.4/bin/go test -benchmem -run=^$ -tags ebpf -bench ^Benchmark_newProcStatus$ github.com/aquasecurity/tracee/pkg/utils/proc -benchtime=10000000x

goos: linux
goarch: amd64
pkg: github.com/aquasecurity/tracee/pkg/utils/proc
cpu: AMD Ryzen 9 7950X 16-Core Processor
Benchmark_newProcStatus-32    10000000    5551 ns/op    5136 B/op    29 allocs/op
PASS
ok    github.com/aquasecurity/tracee/pkg/utils/proc    55.516s

---

| Metric                    | Old Bench. | New Bench. | Improvement (%)  |
|---------------------------|------------|------------|------------------|
| Execution Time (ns/op)    | 13203      | 5551       | ~57.9% faster    |
| Memory Allocations (B/op) | 17851      | 5136       | ~71.2% reduction |
| Allocations (allocs/op)   | 137        | 29         | ~78.8% reduction |
| Total Time (seconds)      | 132.033    | 55.516     | ~57.9% faster    |
Running tool: /home/gg/.goenv/versions/1.22.4/bin/go test -benchmem -run=^$ -tags ebpf -bench ^Benchmark_newProcStat$ github.com/aquasecurity/tracee/pkg/utils/proc -benchtime=10000000x

goos: linux
goarch: amd64
pkg: github.com/aquasecurity/tracee/pkg/utils/proc
cpu: AMD Ryzen 9 7950X 16-Core Processor
Benchmark_newProcStat-32    10000000    14336 ns/op    2976 B/op    45 allocs/op
PASS
ok    github.com/aquasecurity/tracee/pkg/utils/proc    143.369s
This short-circuits the stat parsing by avoiding fully parsing all stat fields. It also removed ProcStat unused fields, leaving only the ones we are interested in, which reduces the memory footprint. To reduce the size of the function it now uses an array to look up the field handler functions. It also fixes a possible error when parsing the stat file of a process with a comm field that contains inner parentheses. Beyond that, instead of using a complex regex to change the comm field, it now uses a simple index-based approach.

---

Running tool: /home/gg/.goenv/versions/1.22.4/bin/go test -benchmem -run=^$ -tags ebpf -bench ^Benchmark_newProcStat$ github.com/aquasecurity/tracee/pkg/utils/proc -benchtime=10000000x

goos: linux
goarch: amd64
pkg: github.com/aquasecurity/tracee/pkg/utils/proc
cpu: AMD Ryzen 9 7950X 16-Core Processor
Benchmark_newProcStat-32    10000000    5152 ns/op    2168 B/op    8 allocs/op
PASS
ok    github.com/aquasecurity/tracee/pkg/utils/proc    51.527s

---

| Metric                    | Old Bench | New Bench | Improvement (%)  |
|---------------------------|-----------|-----------|------------------|
| Execution Time (ns/op)    | 14336     | 5152      | ~64.1% faster    |
| Memory Allocations (B/op) | 2976      | 2168      | ~27.2% reduction |
| Allocations (allocs/op)   | 45        | 8         | ~82.2% reduction |
| Total Time (seconds)      | 143.369   | 51.527    | ~64.1% faster    |
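
Added example, not code from this pull request or from Tracee: a minimal index-based parse of a `/proc/<pid>/stat` line that stays correct when the process name contains spaces and parentheses, as the commit message above describes. The type `statInfo`, the function `parseStatLine` and the sample line are assumptions made for illustration; field numbering follows proc(5).

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// statInfo holds the two fields this example extracts (hypothetical type,
// not Tracee's ProcStat).
type statInfo struct {
	Comm      string
	StartTime uint64 // field 22 of proc(5) stat, in clock ticks
}

// parseStatLine parses one /proc/<pid>/stat line. comm is delimited by the
// first '(' and the LAST ')', because the process name is set by the process
// itself and may contain spaces and parentheses.
func parseStatLine(line string) (statInfo, error) {
	open := strings.IndexByte(line, '(')
	last := strings.LastIndexByte(line, ')')
	if open < 0 || last < open {
		return statInfo{}, errors.New("malformed stat line: comm delimiters not found")
	}
	// The text after comm begins at field 3 (state), so starttime
	// (field 22) is index 19 of the remaining space-separated fields.
	const startTimeIdx = 22 - 3
	rest := strings.Fields(line[last+1:])
	if len(rest) <= startTimeIdx {
		return statInfo{}, errors.New("malformed stat line: too few fields")
	}
	ticks, err := strconv.ParseUint(rest[startTimeIdx], 10, 64)
	if err != nil {
		return statInfo{}, fmt.Errorf("starttime: %w", err)
	}
	return statInfo{Comm: line[open+1 : last], StartTime: ticks}, nil
}

// Constructed sample: a process whose name is "evil) R 1 (x".
const sampleLine = "4242 (evil) R 1 (x) S 1 4242 4242 0 -1 4194304 " +
	"100 0 0 0 1 2 0 0 20 0 1 0 987654 1000000 50 18446744073709551615"

func main() {
	info, err := parseStatLine(sampleLine)
	fmt.Println(info.Comm, info.StartTime, err)
}
```

A parser that stops at the first `)` would read the state as `R` and the parent PID as `1` from bytes the process chose for its own name, which matters when those fields feed detection logic.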
The field started_time fetched from /proc stat file and passed as ticks to ClockTicksToNsSinceBootTime() is a uint64.
See Commits and Changes for more details.
Created by
pull[bot]