Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add process creation and destruction hooks to netebpfext #3307

Closed
wants to merge 4 commits into from
Closed

Add process creation and destruction hooks to netebpfext #3307

wants to merge 4 commits into from

Conversation

Alan-Jowett
Copy link
Member

Description

Add support for invoking new eBPF program type on process creation and termination.

Testing

CI/CD

Documentation

TBD

Installation

No.

dthaler
dthaler reviewed Feb 28, 2024
View reviewed changes
include/ebpf_nethooks.h Outdated Show resolved Hide resolved
dthaler
dthaler reviewed Feb 29, 2024
View reviewed changes
include/ebpf_nethooks.h Outdated Show resolved Hide resolved
@Alan-Jowett Alan-Jowett force-pushed the psebpfext branch 2 times, most recently from f43bef5 to f61aaa1 Compare March 2, 2024 22:27
dthaler
dthaler reviewed Mar 3, 2024
View reviewed changes
include/bpf_helper_defs.h Outdated Show resolved Hide resolved
include/bpf_helper_defs.h Outdated Show resolved Hide resolved
tests/sample/utility.c Outdated Show resolved Hide resolved
Switch to utf-8 to save space
b438d19 
Signed-off-by: Alan Jowett <[email protected]>
dthaler
dthaler reviewed Mar 5, 2024
View reviewed changes
include/ebpf_nethooks.h
*
* @param[in] context \ref process_md_t
* @return STATUS_SUCCESS to permit the operation, or a failure NTSTATUS value to deny the operation.
* Value of STATUS_SUCCESS is 0x0.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems odd to say what the value of STATUS_SUCCESS is without saying what range of values are "a failure". I'd either remove line 295 (my preference), or else say more... e.g., failure values have the high bit set.

Still if the point is to document that values 0x1 through 0x7fffffff are not legal to return, the hook still has to do something if they are returned. E.g., what happens if the BPF program returns STATUS_PENDING?

netebpfext/net_ebpf_ext_process.c
net_ebpf_extension_hook_client_t* client_context =
net_ebpf_extension_hook_get_next_attached_client(_ebpf_process_hook_provider_context, NULL);
while (client_context != NULL) {
NTSTATUS status = 0;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
NTSTATUS status = 0;
NTSTATUS status = STATUS_SUCCESS;

netebpfext/net_ebpf_ext_process.c
NET_EBPF_EXT_TRACELOG_KEYWORD_PROCESS,
"net_ebpf_extension_hook_client_enter_rundown failed");
}
// If the client returns a non-zero value, stop calling the other clients.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NT_SUCCESS(status) and "non-zero value" are not the same thing. See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/87fba13e-bf06-450e-83b1-9241dc81e781

tests/netebpfext_unit/netebpfext_unit.cpp
uint64_t some_value;
} fake_eprocess = {};

usersime_invoke_process_creation_notify_routine(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't "usersime" be "usersim"?

tests/netebpfext_unit/netebpfext_unit.cpp
test_process_client_context_t* client_context = (test_process_client_context_t*)client_process_context;

client_context->process_context = *process_context;
*result = STATUS_ACCESS_DENIED;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd also recommend adding a unit test for a program that returns a value that is neither STATUS_SUCCESS nor a failure code. E.g., STATUS_PENDING.

@Alan-Jowett Alan-Jowett deleted the psebpfext branch April 27, 2024 18:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dthaler dthaler dthaler left review comments

@poornagmsft poornagmsft Awaiting requested review from poornagmsft poornagmsft will be requested when the pull request is marked ready for review poornagmsft is a code owner

@saxena-anurag saxena-anurag Awaiting requested review from saxena-anurag saxena-anurag will be requested when the pull request is marked ready for review saxena-anurag is a code owner

@shankarseal shankarseal Awaiting requested review from shankarseal shankarseal will be requested when the pull request is marked ready for review shankarseal is a code owner

@dv-msft dv-msft Awaiting requested review from dv-msft dv-msft will be requested when the pull request is marked ready for review dv-msft is a code owner

@gtrevi gtrevi Awaiting requested review from gtrevi gtrevi will be requested when the pull request is marked ready for review gtrevi is a code owner

@shpalani shpalani Awaiting requested review from shpalani shpalani will be requested when the pull request is marked ready for review shpalani is a code owner

@matthewige matthewige Awaiting requested review from matthewige matthewige will be requested when the pull request is marked ready for review matthewige is a code owner

@mtfriesen mtfriesen Awaiting requested review from mtfriesen mtfriesen will be requested when the pull request is marked ready for review mtfriesen is a code owner

@rectified95 rectified95 Awaiting requested review from rectified95 rectified95 will be requested when the pull request is marked ready for review rectified95 is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Alan-Jowett @dthaler