ebpf cached improvements

Simplify the cache of connections by storing only the PID of a process,
instead of the Process object.

We can obtain the Process object from the cache of processes by PID.
Gustavo Iñiguez Goia 2024-01-18 01:25:19 +01:00
parent dc43d5913c
commit 33437672b2
2 changed files with 13 additions and 25 deletions


@ -3,14 +3,12 @@ package ebpf
import (
"sync"
"time"
"github.com/evilsocket/opensnitch/daemon/procmon"
)
type ebpfCacheItem struct {
Proc procmon.Process
LastSeen int64
Key []byte
LastSeen int64
Pid int
}
type ebpfCacheType struct {
@ -27,10 +25,10 @@ var (
)
// NewEbpfCacheItem creates a new cache item.
func NewEbpfCacheItem(key []byte, proc procmon.Process) *ebpfCacheItem {
func NewEbpfCacheItem(key []byte, pid int) *ebpfCacheItem {
return &ebpfCacheItem{
Key: key,
Proc: proc,
Pid: pid,
LastSeen: time.Now().UnixNano(),
}
}
@ -51,9 +49,9 @@ func NewEbpfCache() *ebpfCacheType {
}
}
func (e *ebpfCacheType) addNewItem(key interface{}, itemKey []byte, proc procmon.Process) {
func (e *ebpfCacheType) addNewItem(key interface{}, itemKey []byte, pid int) {
e.mu.Lock()
e.Items[key] = NewEbpfCacheItem(itemKey, proc)
e.Items[key] = NewEbpfCacheItem(itemKey, pid)
e.mu.Unlock()
}
@ -83,17 +81,6 @@ func (e *ebpfCacheType) update(key interface{}, item *ebpfCacheItem) {
e.Items[key] = item
}
func (e *ebpfCacheType) updateByPid(proc *procmon.Process) {
e.mu.Lock()
defer e.mu.Unlock()
for k, item := range e.Items {
if proc.ID == item.Proc.ID {
e.update(k, item)
}
}
}
func (e *ebpfCacheType) Len() int {
e.mu.RLock()
defer e.mu.RUnlock()
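Review bot: The new `Pid int` field in `ebpfCacheItem` has no comment saying what it identifies or how it should be used, and the item no longer carries any other process data. I would add something like `// Pid is the PID seen when the connection was cached; look the process up by PID, it may have exited since.` above the field. The doc comment on `NewEbpfCacheItem` could likewise mention that `pid` is stored as given and not validated. Go's initialism convention would spell the field `PID`, but that rename touches callers outside this section.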


@ -107,14 +107,15 @@ func getPidFromEbpf(proto string, srcPort uint, srcIP net.IP, dstIP net.IP, dstP
dstIP.String(),
strconv.FormatUint(uint64(dstPort), 10))
if cacheItem, isInCache := ebpfCache.isInCache(k); isInCache {
// should we re-read the info?
// environ vars might have changed
//proc.GetDetails()
deleteEbpfEntry(proto, unsafe.Pointer(&key[0]))
proc = &cacheItem.Proc
if ev, found := procmon.EventsCache.IsInStoreByPID(cacheItem.Pid); found {
proc = &ev.Proc
log.Debug("[ebpf conn] in cache: %s, %d -> %s", k, proc.ID, proc.Path)
return
}
log.Info("[ebpf conn] in cache, with no proc %s, %d", k, cacheItem.Pid)
return
}
err := m.LookupElement(ebpfMaps[proto].bpfmap, unsafe.Pointer(&key[0]), unsafe.Pointer(&value))
if err != nil {
@ -151,7 +152,7 @@ func getPidFromEbpf(proto string, srcPort uint, srcIP net.IP, dstIP net.IP, dstP
proc = findConnProcess(&value, k)
log.Debug("[ebpf conn] adding item to cache: %s", k)
ebpfCache.addNewItem(k, key, *proc)
ebpfCache.addNewItem(k, key, proc.ID)
if delItemIfFound {
deleteEbpfEntry(proto, unsafe.Pointer(&key[0]))
}
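Review bot: Resolving a cache hit through `procmon.EventsCache.IsInStoreByPID(cacheItem.Pid)` attributes the connection to whichever process the events cache currently holds for that PID, where the removed `proc = &cacheItem.Proc` returned the process recorded when the tuple was cached. If a PID can be reused, or the process image replaced by exec, while the item is still in `ebpfCache` (how the events cache evicts entries is not visible here), a rule could be evaluated against the wrong binary. Keeping a second identity value next to `Pid`, such as the process start time, and treating a mismatch as a cache miss would close that gap. The not-found branch also returns before `m.LookupElement`, so the caller gets whatever `proc` holds at that point and the stale item stays cached; it is worth either dropping the item there or adding a comment saying that returning without a process is intended. `getPidFromEbpf` starts and ends outside the hunks shown.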