ebpf cached improvements

Simplify the cache of connections by storing only the PID of a process,
instead of the Process object.

We can obtain the Process object from the cache of processes by PID.
Gustavo Iñiguez Goia 2024-01-18 01:25:19 +01:00
parent dc43d5913c
commit 33437672b2
2 changed files with 13 additions and 25 deletions


@ -3,14 +3,12 @@ package ebpf
import ( import (
"sync" "sync"
"time" "time"
"github.com/evilsocket/opensnitch/daemon/procmon"
) )
type ebpfCacheItem struct { type ebpfCacheItem struct {
Proc procmon.Process
LastSeen int64
Key []byte Key []byte
LastSeen int64
Pid int
} }
type ebpfCacheType struct { type ebpfCacheType struct {
@ -27,10 +25,10 @@ var (
) )
// NewEbpfCacheItem creates a new cache item. // NewEbpfCacheItem creates a new cache item.
func NewEbpfCacheItem(key []byte, proc procmon.Process) *ebpfCacheItem { func NewEbpfCacheItem(key []byte, pid int) *ebpfCacheItem {
return &ebpfCacheItem{ return &ebpfCacheItem{
Key: key, Key: key,
Proc: proc, Pid: pid,
LastSeen: time.Now().UnixNano(), LastSeen: time.Now().UnixNano(),
} }
} }
@ -51,9 +49,9 @@ func NewEbpfCache() *ebpfCacheType {
} }
} }
func (e *ebpfCacheType) addNewItem(key interface{}, itemKey []byte, proc procmon.Process) { func (e *ebpfCacheType) addNewItem(key interface{}, itemKey []byte, pid int) {
e.mu.Lock() e.mu.Lock()
e.Items[key] = NewEbpfCacheItem(itemKey, proc) e.Items[key] = NewEbpfCacheItem(itemKey, pid)
e.mu.Unlock() e.mu.Unlock()
} }
@ -83,17 +81,6 @@ func (e *ebpfCacheType) update(key interface{}, item *ebpfCacheItem) {
e.Items[key] = item e.Items[key] = item
} }
func (e *ebpfCacheType) updateByPid(proc *procmon.Process) {
e.mu.Lock()
defer e.mu.Unlock()
for k, item := range e.Items {
if proc.ID == item.Proc.ID {
e.update(k, item)
}
}
}
func (e *ebpfCacheType) Len() int { func (e *ebpfCacheType) Len() int {
e.mu.RLock() e.mu.RLock()
defer e.mu.RUnlock() defer e.mu.RUnlock()
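Review bot: The new `Pid int` field in `ebpfCacheItem` has no comment saying that it is only a lookup key into the process cache, which matters because the kernel reuses PIDs. If a cached connection entry outlives the process that created it, resolving it by PID later may yield a different process, and the connection would then be attributed to the wrong program. Whether that can happen depends on the cache expiry and on how process exits purge the process cache, neither of which is visible in this section. I would state the invariant on the field, e.g. `// Pid is resolved against the process cache on each hit; PIDs are reused, so the item must not outlive its process.`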


@ -107,12 +107,13 @@ func getPidFromEbpf(proto string, srcPort uint, srcIP net.IP, dstIP net.IP, dstP
dstIP.String(), dstIP.String(),
strconv.FormatUint(uint64(dstPort), 10)) strconv.FormatUint(uint64(dstPort), 10))
if cacheItem, isInCache := ebpfCache.isInCache(k); isInCache { if cacheItem, isInCache := ebpfCache.isInCache(k); isInCache {
// should we re-read the info?
// environ vars might have changed
//proc.GetDetails()
deleteEbpfEntry(proto, unsafe.Pointer(&key[0])) deleteEbpfEntry(proto, unsafe.Pointer(&key[0]))
proc = &cacheItem.Proc if ev, found := procmon.EventsCache.IsInStoreByPID(cacheItem.Pid); found {
log.Debug("[ebpf conn] in cache: %s, %d -> %s", k, proc.ID, proc.Path) proc = &ev.Proc
log.Debug("[ebpf conn] in cache: %s, %d -> %s", k, proc.ID, proc.Path)
return
}
log.Info("[ebpf conn] in cache, with no proc %s, %d", k, cacheItem.Pid)
return return
} }
@ -151,7 +152,7 @@ func getPidFromEbpf(proto string, srcPort uint, srcIP net.IP, dstIP net.IP, dstP
proc = findConnProcess(&value, k) proc = findConnProcess(&value, k)
log.Debug("[ebpf conn] adding item to cache: %s", k) log.Debug("[ebpf conn] adding item to cache: %s", k)
ebpfCache.addNewItem(k, key, *proc) ebpfCache.addNewItem(k, key, proc.ID)
if delItemIfFound { if delItemIfFound {
deleteEbpfEntry(proto, unsafe.Pointer(&key[0])) deleteEbpfEntry(proto, unsafe.Pointer(&key[0]))
} }
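Review bot: In the cache-hit branch of `getPidFromEbpf`, a miss on `procmon.EventsCache.IsInStoreByPID(cacheItem.Pid)` only logs and returns, apparently leaving `proc` unset, and `deleteEbpfEntry` has already run by then. Before this change a cache hit always yielded a process; now the caller can get nothing for a connection that was previously attributed, and the stale cache item stays in place, so later hits on the same key would repeat the miss. How the caller treats an empty result is outside the hunk, but for a firewall an unattributed connection is worth avoiding. Consider moving `deleteEbpfEntry(proto, unsafe.Pointer(&key[0]))` inside the `found` branch and dropping the second `return`, so a miss falls through to the regular map lookup further down, which re-adds the item. The function body starts and ends outside the hunks shown.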