From 33437672b2f003a696e482e31b31488eeafddf21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20I=C3=B1iguez=20Goia?=
Date: Thu, 18 Jan 2024 01:25:19 +0100
Subject: [PATCH] ebpf cached improvements

Simplify the cache of connections by storing only the PID of a process, instead of the Process object. We can obtain the Process object from the cache of processes by PID.
---
 daemon/procmon/ebpf/cache.go | 25 ++++++-------------------
 daemon/procmon/ebpf/find.go | 13 +++++++------
 2 files changed, 13 insertions(+), 25 deletions(-)

diff --git a/daemon/procmon/ebpf/cache.go b/daemon/procmon/ebpf/cache.go
index de0e900c..40676c1d 100644
--- a/daemon/procmon/ebpf/cache.go
+++ b/daemon/procmon/ebpf/cache.go
@@ -3,14 +3,12 @@ package ebpf
 import (
 "sync"
 "time"
-
- "github.com/evilsocket/opensnitch/daemon/procmon"
 )
 
 type ebpfCacheItem struct {
- Proc procmon.Process
- LastSeen int64
 Key []byte
+ LastSeen int64
+ Pid int
 }
 
 type ebpfCacheType struct {
@@ -27,10 +25,10 @@ var (
 )
 
 // NewEbpfCacheItem creates a new cache item.
-func NewEbpfCacheItem(key []byte, proc procmon.Process) *ebpfCacheItem {
+func NewEbpfCacheItem(key []byte, pid int) *ebpfCacheItem {
 return &ebpfCacheItem{
 Key: key,
- Proc: proc,
+ Pid: pid,
 LastSeen: time.Now().UnixNano(),
 }
 }
@@ -51,9 +49,9 @@ func NewEbpfCache() *ebpfCacheType {
 }
 }
 
-func (e *ebpfCacheType) addNewItem(key interface{}, itemKey []byte, proc procmon.Process) {
+func (e *ebpfCacheType) addNewItem(key interface{}, itemKey []byte, pid int) {
 e.mu.Lock()
- e.Items[key] = NewEbpfCacheItem(itemKey, proc)
+ e.Items[key] = NewEbpfCacheItem(itemKey, pid)
 e.mu.Unlock()
 }
 
@@ -83,17 +81,6 @@ func (e *ebpfCacheType) update(key interface{}, item *ebpfCacheItem) {
 e.Items[key] = item
 }
 
-func (e *ebpfCacheType) updateByPid(proc *procmon.Process) {
- e.mu.Lock()
- defer e.mu.Unlock()
- for k, item := range e.Items {
- if proc.ID == item.Proc.ID {
- e.update(k, item)
- }
- }
-
-}
-
 func (e *ebpfCacheType) Len() int {
 e.mu.RLock()
 defer e.mu.RUnlock()
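Review bot: `Pid` is now the only link between a cached connection and its process in `ebpfCacheItem`, so a cache hit is only as trustworthy as the PID is unique for the lifetime of the item. If the process exits and the PID is reused before the item ages out, the lookup by PID in find.go would resolve to a different process and the connection would be attributed to the wrong binary; whether that window exists depends on how both caches expire entries, which is not visible in this patch. Consider storing a second discriminator captured when the item is created (for example the process start time) and comparing it on lookup. At minimum document the field, e.g. `// Pid of the owning process; resolved against the process cache on lookup and may be stale if the PID was reused.`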
diff --git a/daemon/procmon/ebpf/find.go b/daemon/procmon/ebpf/find.go
index 0f49287a..0890e1c3 100644
--- a/daemon/procmon/ebpf/find.go
+++ b/daemon/procmon/ebpf/find.go
@@ -107,12 +107,13 @@ func getPidFromEbpf(proto string, srcPort uint, srcIP net.IP, dstIP net.IP, dstP
 dstIP.String(),
 strconv.FormatUint(uint64(dstPort), 10))
 if cacheItem, isInCache := ebpfCache.isInCache(k); isInCache {
- // should we re-read the info?
- // environ vars might have changed
- //proc.GetDetails()
 deleteEbpfEntry(proto, unsafe.Pointer(&key[0]))
- proc = &cacheItem.Proc
- log.Debug("[ebpf conn] in cache: %s, %d -> %s", k, proc.ID, proc.Path)
+ if ev, found := procmon.EventsCache.IsInStoreByPID(cacheItem.Pid); found {
+ proc = &ev.Proc
+ log.Debug("[ebpf conn] in cache: %s, %d -> %s", k, proc.ID, proc.Path)
+ return
+ }
+ log.Info("[ebpf conn] in cache, with no proc %s, %d", k, cacheItem.Pid)
 return
 }
 
@@ -151,7 +152,7 @@ func getPidFromEbpf(proto string, srcPort uint, srcIP net.IP, dstIP net.IP, dstP
 proc = findConnProcess(&value, k)
 
 log.Debug("[ebpf conn] adding item to cache: %s", k)
- ebpfCache.addNewItem(k, key, *proc)
+ ebpfCache.addNewItem(k, key, proc.ID)
 if delItemIfFound {
 deleteEbpfEntry(proto, unsafe.Pointer(&key[0]))
 }
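Review bot: When the connection is in `ebpfCache` but `IsInStoreByPID` finds no process, the new branch has already called `deleteEbpfEntry` and then hits the bare `return`, so the kernel map entry is gone, the stale cache item stays in place, and the caller gets whatever `proc` held on entry (presumably nil; the signature is truncated in the hunk header and the named results are not visible). Later lookups of the same tuple would take the same path until the item expires, leaving the connection without a process. Consider moving `deleteEbpfEntry(proto, unsafe.Pointer(&key[0]))` inside the `found` branch and dropping the `return` after `log.Info`, so a miss falls through to the map lookup and the later `ebpfCache.addNewItem(k, key, proc.ID)` replaces the stale item. The code between this hunk and the next is outside the diff, so the fall-through path needs checking before making that change.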