Skip to content

fix(driver/bpf): fix socket_x and socketpair_x domain encoding#2477

Merged
ekoops merged 1 commit intomasterfrom
ekoops/fix-socketpair
Jun 17, 2025
Merged

fix(driver/bpf): fix socket_x and socketpair_x domain encoding#2477
ekoops merged 1 commit intomasterfrom
ekoops/fix-socketpair

Conversation

@ekoops
Copy link
Copy Markdown
Contributor

@ekoops ekoops commented Jun 13, 2025
edited
Loading

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

This PR partially reverts changes introduced in commit dfdd45c (#2470) by replacing the usage of socket_family_to_scap helper with a calls to a new ad-hoc helper for the legacy bpf probe. To avoid breaking the verifier on old kernel version (i.e. oraclelinux-4.14), just convert user-provided negative socket family values to PPM_AF_UNSPEC and leave positive values as are. This simplified version relies on the fact that AF_* and corresponding PPM_AF_* macros map to the same values.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

@poiana
Copy link
Copy Markdown
Contributor

poiana commented Jun 13, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana requested review from Andreagit97 and hbrueckner June 13, 2025 07:58
@ekoops
Copy link
Copy Markdown
Contributor Author

ekoops commented Jun 13, 2025

/milestone 0.22.0

@poiana poiana added this to the 0.22.0 milestone Jun 13, 2025
@poiana poiana added the size/S label Jun 13, 2025
@github-actions
Copy link
Copy Markdown

github-actions bot commented Jun 13, 2025

Please double check driver/SCHEMA_VERSION file. See versioning.

/hold

@github-actions
Copy link
Copy Markdown

github-actions bot commented Jun 13, 2025
edited
Loading

Perf diff from master - unit tests

     5.29%     +0.25%  [.] sinsp_parser::reset
     1.61%     -0.23%  [.] next
     2.67%     -0.18%  [.] sinsp_thread_manager::get_thread_ref
     1.60%     +0.16%  [.] can_query_os_for_thread_info
     1.56%     +0.15%  [.] std::_Hashtable<long, std::pair<long const, std::shared_ptr<sinsp_threadinfo> >, std::allocator<std::pair<long const, std::shared_ptr<sinsp_threadinfo> > >, std::__detail::_Select1st, std::equal_to<long>, std::hash<long>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::_M_find_before_node
     0.57%     -0.15%  [.] sinsp_parser::parse_context_switch
     1.44%     -0.15%  [.] scap_event_decode_params
     2.42%     +0.14%  [.] std::_Hashtable<unsigned long, std::pair<unsigned long const, std::shared_ptr<ppm_evt_hdr> >, std::allocator<std::pair<unsigned long const, std::shared_ptr<ppm_evt_hdr> > >, std::__detail::_Select1st, std::equal_to<unsigned long>, std::hash<unsigned long>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::_M_find_before_node
     0.81%     -0.14%  [.] sinsp_evt::get_syscall_return_value
     0.90%     +0.13%  [.] sinsp_parser::event_cleanup

Heap diff from master - unit tests

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            +0.0062         +0.0062           147           148           147           148
BM_sinsp_split_median                                          +0.0039         +0.0039           147           148           147           148
BM_sinsp_split_stddev                                          -0.1302         -0.1310             1             1             1             1
BM_sinsp_split_cv                                              -0.1356         -0.1363             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  -0.0224         -0.0224            58            57            58            57
BM_sinsp_concatenate_paths_relative_path_median                -0.0100         -0.0100            57            57            57            57
BM_sinsp_concatenate_paths_relative_path_stddev                -0.7029         -0.7029             1             0             1             0
BM_sinsp_concatenate_paths_relative_path_cv                    -0.6961         -0.6961             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     -0.0099         -0.0099            24            24            24            24
BM_sinsp_concatenate_paths_empty_path_median                   -0.0098         -0.0098            24            24            24            24
BM_sinsp_concatenate_paths_empty_path_stddev                   +1.3851         +1.3734             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_cv                       +1.4090         +1.3972             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  -0.0335         -0.0335            60            58            60            58
BM_sinsp_concatenate_paths_absolute_path_median                -0.0155         -0.0155            60            59            60            59
BM_sinsp_concatenate_paths_absolute_path_stddev                +6.1839         +6.1758             0             3             0             3
BM_sinsp_concatenate_paths_absolute_path_cv                    +6.4326         +6.4242             0             0             0             0

@codecov
Copy link
Copy Markdown

codecov bot commented Jun 13, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.88%. Comparing base (8aad951) to head (95b08f0).
Report is 2 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #2477   +/-   ##
=======================================
  Coverage   77.88%   77.88%           
=======================================
  Files         251      251           
  Lines       31071    31071           
  Branches     4653     4653           
=======================================
  Hits        24201    24201           
  Misses       6870     6870
Flag Coverage Δ
libsinsp 77.88% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ekoops ekoops force-pushed the ekoops/fix-socketpair branch from 3e2c78d to d7e4911 Compare June 13, 2025 08:42
@github-actions
Copy link
Copy Markdown

github-actions bot commented Jun 13, 2025
edited
Loading

X64 kernel testing matrix

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-4.19 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2-5.10 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2023-6.1 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.0 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.7 🟢 🟢 🟢 🟢 🟢 🟢
centos-3.10 🟢 🟢 🟢 🟡 🟡 🟡
centos-4.18 🟢 🟢 🟢 🟢 🟢 🟢
centos-5.14 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.17 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.8 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-3.10 🟢 🟢 🟢 🟡 🟡 🟡
oraclelinux-4.14 🟢 🟢 🟢 🟢 🟢 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-5.4 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-4.15 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-5.8 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

ARM64 kernel testing matrix

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-4.14 🟢 🟢 🟢 🟡 🟡 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

@ekoops
Copy link
Copy Markdown
Contributor Author

ekoops commented Jun 13, 2025

Unfortunately, splitting the fillers into two smaller ones didn't fix the issue. I'll use this PR to experiment and trying to find a solution.

@ekoops ekoops force-pushed the ekoops/fix-socketpair branch 3 times, most recently from 51a0c6b to cd5ad61 Compare June 13, 2025 09:50
@poiana poiana added size/XL and removed size/S labels Jun 13, 2025
@ekoops ekoops force-pushed the ekoops/fix-socketpair branch from cd5ad61 to c7ebd80 Compare June 13, 2025 10:15
@poiana poiana added size/L and removed size/XL labels Jun 13, 2025
@ekoops ekoops force-pushed the ekoops/fix-socketpair branch from c7ebd80 to bf65765 Compare June 13, 2025 10:35
@ekoops ekoops mentioned this pull request Jun 13, 2025
Merged
@ekoops ekoops force-pushed the ekoops/fix-socketpair branch from bd3e81c to 823d001 Compare June 13, 2025 14:35
@poiana poiana added size/S and removed size/M labels Jun 13, 2025
@ekoops ekoops force-pushed the ekoops/fix-socketpair branch from 823d001 to 4d7e410 Compare June 13, 2025 14:51
@poiana poiana added size/M and removed size/S labels Jun 13, 2025
@ekoops ekoops force-pushed the ekoops/fix-socketpair branch from 4d7e410 to 30a9a08 Compare June 13, 2025 15:31
@poiana poiana added size/L and removed size/M labels Jun 13, 2025
@ekoops ekoops mentioned this pull request Jun 16, 2025
Merged
@ekoops ekoops force-pushed the ekoops/fix-socketpair branch from 30a9a08 to 962dfbf Compare June 16, 2025 16:02
@poiana poiana added size/S and removed size/L labels Jun 16, 2025
@ekoops ekoops changed the title fix(driver/bpf): split f_sys_socketpair_x into two fillers fix(driver/bpf): fix socket_x and socketpair_x domain encoding Jun 16, 2025
@ekoops
fix(driver/bpf): fix socket_x and socketpair_x domain encoding
95b08f0 
Partially revert changes introduced in
dfdd45c by replacing the usage
of `socket_family_to_scap` helper with a calls to a new ad-hoc helper
for the legacy bpf probe. To avoid breaking the verifier on old kernel
version, just convert user-provided negative socket family values to
`PPM_AF_UNSPEC` and leave positive values as are. This simplified
version relies on the fact that `AF_*` and corresponding `PPM_AF_*`
macros map to the same values.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
@ekoops ekoops force-pushed the ekoops/fix-socketpair branch from 962dfbf to 95b08f0 Compare June 16, 2025 16:05
@ekoops
Copy link
Copy Markdown
Contributor Author

ekoops commented Jun 17, 2025

New changes pushed, and fortunately, everything works now 😄. The schema version error is a false positive.

@poiana poiana added the lgtm label Jun 17, 2025
@poiana
Copy link
Copy Markdown
Contributor

poiana commented Jun 17, 2025

LGTM label has been added.

DetailsGit tree hash: b44bd97a9fd37b9b52908b4c5a0a5e47b575b7e1

@github-project-automation github-project-automation bot moved this from Todo to In progress in Falco Roadmap Jun 17, 2025
@ekoops ekoops merged commit 0fb9d35 into master Jun 17, 2025
56 of 58 checks passed
@poiana poiana deleted the ekoops/fix-socketpair branch June 17, 2025 12:38
@github-project-automation github-project-automation bot moved this from In progress to Done in Falco Roadmap Jun 17, 2025
@ekoops ekoops mentioned this pull request Jun 17, 2025
Merged
@leogr leogr modified the milestones: 0.22.0, 9.0.0+driver Oct 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@leogr leogr leogr approved these changes

@jasondellaluce jasondellaluce jasondellaluce approved these changes

@Andreagit97 Andreagit97 Awaiting requested review from Andreagit97

@hbrueckner hbrueckner Awaiting requested review from hbrueckner

Assignees

@leogr leogr

@jasondellaluce jasondellaluce

Labels

approved area/driver-bpf dco-signoff: yes do-not-merge/hold kind/bug Something isn't working lgtm release-note-none size/S

Projects

Falco Roadmap
Archived in project

Milestone

9.0.0+driver

Development

Successfully merging this pull request may close these issues.

4 participants

@ekoops @poiana @leogr @jasondellaluce