feat(events): create access_remote_vm event #3551
I loved the event! It LGTM, definitely. There are just minor spell nits, some comments to be added to make it easier to understand your intents (if my interpretation is correct). A small "point to clear" would be the VMA naming strategy/logic. I left a question for you there. Also, if you could add a simple Nice work!
Looks like the tests failed but when looking at the output the event (at least on 4.18) worked. Needs some fine tuning I believe.
You can see that the problem is the version check, because the
Add to each probe the option to determine its relevance according to the OS version. If a probe is irrelevant, an attempt to load it won't be initiated. This allows having different probes for events according to OS version.
The first 6 arguments are passed to functions using registers. From the 7th forward, the arguments pass through the stack. For this reason, only saving the first 6 arguments was supported until now. This commit adds the 7th argument also to the saved args between kprobe and kretprobe.
An event for accessing the memory of a process externally (can be the same process) by the mem file of the process in procfs. Co-authored-by: OriGlassman <39296766+origlassman@users.noreply.github.com>
Add e2e test to check that the access_remote_vm works well.
We have this update #3875. Please rebase your PR against main to make use of the new workflow setup.
Not going to be implemented
1. Explain what the PR does
An event for accessing the memory of a process externally (can be the same process) by the mem file of the process in procfs.
789bd69 test(events): add e2e test to access_remote_vm
fd6e01a feat(events): create access_remote_vm event
0854a88 feat(ebpf): support 7 arguments saving for kretprobe
491ba04 feat(events): add probe relevance attribute
Fix #3518
2. Explain how to test it
3. Other comments
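
The probe relevance idea from the commit message above (skip loading a probe that does not apply to the running kernel) can be sketched as follows. This is an added example, not code from this PR or from the project: the `Probe` type, the `KV`, `ParseRelease` and `Select` functions, the probe names and the version bounds are all hypothetical and constructed for illustration.

```go
package main

import "fmt"

// KV packs a version like the kernel's KERNEL_VERSION macro so it compares as an int.
func KV(major, minor, patch int) int { return major<<16 | minor<<8 | patch }

// ParseRelease reads the numeric prefix of a uname-style release string, so
// "4.18.0-425.el8.x86_64" gives KV(4, 18, 0). Missing patch is 0; patch > 255 is clamped.
func ParseRelease(rel string) (int, error) {
	var major, minor, patch int
	n, _ := fmt.Sscanf(rel, "%d.%d.%d", &major, &minor, &patch)
	if n < 2 || major < 0 || minor < 0 || minor > 255 || patch < 0 {
		return 0, fmt.Errorf("unrecognised kernel release %q", rel)
	}
	if patch > 255 {
		patch = 255
	}
	return KV(major, minor, patch), nil
}

// Probe is a hypothetical descriptor, relevant on kernels in [Min, Max); 0 means no bound.
type Probe struct {
	Name     string
	Min, Max int
}

// Select returns the names of the probes to load on this kernel. An unparseable
// release is an error, so a broken version check cannot silently skip a probe.
func Select(probes []Probe, release string) ([]string, error) {
	k, err := ParseRelease(release)
	if err != nil {
		return nil, err
	}
	var names []string
	for _, p := range probes {
		if (p.Min == 0 || k >= p.Min) && (p.Max == 0 || k < p.Max) {
			names = append(names, p.Name)
		}
	}
	return names, nil
}

// Constructed sample: names and version bounds are illustrative only.
var sample = []Probe{{"any_kernel", 0, 0}, {"legacy_only", 0, KV(5, 0, 0)}, {"modern_only", KV(5, 0, 0), 0}}

func main() {
	fmt.Println(Select(sample, "4.18.0-425.el8.x86_64")) // distro-style release string
}
```

Distribution kernels append build and vendor suffixes to the release string, which is why only the numeric prefix is parsed and why a parse failure is surfaced instead of defaulting to "load everything" or "load nothing".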