Improve tracking of connectionless UDP syscalls (#1741)

Author: Molter73

.editorconfig

@@ -10,6 +10,10 @@ trim_trailing_whitespace = true
 indent_style = space
 indent_size = 2
 
+[integration-tests/**.c]
+indent_style = space
+indent_size = 2
+
 [*.sh]
 indent_style = space
 indent_size = 4

collector/lib/CollectorConfig.cpp

@@ -60,6 +60,8 @@ BoolEnvVar use_podman_ce("ROX_COLLECTOR_CE_USE_PODMAN", false);
 
 BoolEnvVar enable_introspection("ROX_COLLECTOR_INTROSPECTION_ENABLE", false);
 
+BoolEnvVar track_send_recv("ROX_COLLECTOR_TRACK_SEND_RECV", false);
+
 // Collector arguments alternatives
 StringEnvVar log_level("ROX_COLLECTOR_LOG_LEVEL");
 IntEnvVar scrape_interval("ROX_COLLECTOR_SCRAPE_INTERVAL");
@@ -103,9 +105,16 @@ void CollectorConfig::InitCollectorConfig(CollectorArgs* args) {
   use_docker_ce_ = use_docker_ce.value();
   use_podman_ce_ = use_podman_ce.value();
   enable_introspection_ = enable_introspection.value();
+  track_send_recv_ = track_send_recv.value();
 
   for (const auto& syscall : kSyscalls) {
-    syscalls_.push_back(syscall);
+    syscalls_.emplace_back(syscall);
+  }
+
+  if (track_send_recv_) {
+    for (const auto& syscall : kSendRecvSyscalls) {
+      syscalls_.emplace_back(syscall);
+    }
   }
 
   // Get hostname
@@ -454,7 +463,8 @@ std::ostream& operator<<(std::ostream& os, const CollectorConfig& c) {
          << ", set_import_users:" << c.ImportUsers()
          << ", collect_connection_status:" << c.CollectConnectionStatus()
          << ", enable_detailed_metrics:" << c.EnableDetailedMetrics()
-         << ", enable_external_ips:" << c.EnableExternalIPs();
+         << ", enable_external_ips:" << c.EnableExternalIPs()
+         << ", track_send_recv:" << c.TrackingSendRecv();
 }
 
 // Returns size of ring buffers to be allocated.

collector/lib/CollectorConfig.h

@@ -48,6 +48,14 @@ class CollectorConfig {
 #endif
       "vfork",
   };
+  static constexpr const char* kSendRecvSyscalls[] = {
+      "sendto",
+      "sendmsg",
+      "sendmmsg",
+      "recvfrom",
+      "recvmsg",
+      "recvmmsg",
+  };
   static const UnorderedSet<L4ProtoPortPair> kIgnoredL4ProtoPortPairs;
   static constexpr bool kEnableProcessesListeningOnPorts = true;
 
@@ -82,6 +90,7 @@ class CollectorConfig {
   bool UseDockerCe() const { return use_docker_ce_; }
   bool UsePodmanCe() const { return use_podman_ce_; }
   bool IsIntrospectionEnabled() const { return enable_introspection_; }
+  bool TrackingSendRecv() const { return track_send_recv_; }
   const std::vector<double>& GetConnectionStatsQuantiles() const { return connection_stats_quantiles_; }
   double GetConnectionStatsError() const { return connection_stats_error_; }
   unsigned int GetConnectionStatsWindow() const { return connection_stats_window_; }
@@ -122,6 +131,7 @@ class CollectorConfig {
   bool use_docker_ce_;
   bool use_podman_ce_;
   bool enable_introspection_;
+  bool track_send_recv_;
   std::vector<double> connection_stats_quantiles_;
   double connection_stats_error_;
   unsigned int connection_stats_window_;

collector/lib/NetworkSignalHandler.cpp

@@ -24,14 +24,25 @@ EventMap<Modifier> modifiers = {
         {"connect<", Modifier::ADD},
         {"accept<", Modifier::ADD},
         {"getsockopt<", Modifier::ADD},
+        {"sendto<", Modifier::ADD},
+        {"sendto>", Modifier::ADD},
+        {"sendmsg<", Modifier::ADD},
+        {"sendmsg>", Modifier::ADD},
+        {"sendmmsg<", Modifier::ADD},
+        {"recvfrom<", Modifier::ADD},
+        {"recvfrom>", Modifier::ADD},
+        {"recvmsg<", Modifier::ADD},
+        {"recvmsg>", Modifier::ADD},
+        {"recvmmsg<", Modifier::ADD},
+        {"recvmmsg>", Modifier::ADD},
     },
     Modifier::INVALID,
 };
 
 }  // namespace
 
 NetworkSignalHandler::NetworkSignalHandler(sinsp* inspector, std::shared_ptr<ConnectionTracker> conn_tracker, system_inspector::Stats* stats)
-    : event_extractor_(std::make_unique<system_inspector::EventExtractor>()), conn_tracker_(std::move(conn_tracker)), stats_(stats), collect_connection_status_(true) {
+    : event_extractor_(std::make_unique<system_inspector::EventExtractor>()), conn_tracker_(std::move(conn_tracker)), stats_(stats), collect_connection_status_(true), track_send_recv_(false) {
   event_extractor_->Init(inspector);
 }
 
@@ -141,6 +152,28 @@ SignalHandler::Result NetworkSignalHandler::HandleSignal(sinsp_evt* evt) {
 }
 
 std::vector<std::string> NetworkSignalHandler::GetRelevantEvents() {
+  if (track_send_recv_) {
+    return {
+        "close<",
+        "shutdown<",
+        "connect<",
+        "accept<",
+        "getsockopt<",
+        "sendto<",
+        "sendto>",
+        "sendmsg<",
+        "sendmsg>",
+        "sendmmsg<",
+        "recvfrom<",
+        "recvfrom>",
+        "recvmsg<",
+        "recvmsg>",
+        "recvmmsg<",
+        "recvmmsg>",
+        "recvmsg<",
+        "recvmsg>",
+    };
+  }
   return {"close<", "shutdown<", "connect<", "accept<", "getsockopt<"};
 }
 

collector/lib/NetworkSignalHandler.h

@@ -29,6 +29,7 @@ class NetworkSignalHandler final : public SignalHandler {
   bool Stop() override;
 
   void SetCollectConnectionStatus(bool collect_connection_status) { collect_connection_status_ = collect_connection_status; }
+  void SetTrackSendRecv(bool track_send_recv) { track_send_recv_ = track_send_recv; }
 
  private:
   std::optional<Connection> GetConnection(sinsp_evt* evt);
@@ -38,6 +39,7 @@ class NetworkSignalHandler final : public SignalHandler {
   system_inspector::Stats* stats_;
 
   bool collect_connection_status_;
+  bool track_send_recv_;
 };
 
 }  // namespace collector

collector/lib/system-inspector/Service.cpp

@@ -46,6 +46,7 @@ void Service::Init(const CollectorConfig& config, std::shared_ptr<ConnectionTrac
     auto network_signal_handler_ = MakeUnique<NetworkSignalHandler>(inspector_.get(), conn_tracker, &userspace_stats_);
 
     network_signal_handler_->SetCollectConnectionStatus(config.CollectConnectionStatus());
+    network_signal_handler_->SetTrackSendRecv(config.TrackingSendRecv());
 
     AddSignalHandler(std::move(network_signal_handler_));
   }

falcosecurity-libs

@@ -1 +1 @@
-1.2.1
+2.0.0

integration-tests/container/QA_TAG

@@ -0,0 +1,17 @@
+FROM fedora:40 AS builder
+
+WORKDIR /tmp
+COPY udp-server.c .
+COPY udp-client.c .
+
+RUN dnf install -y gcc && \
+    gcc udp-server.c -Wall -Wpedantic -Werror -o udp-server && \
+    gcc udp-client.c -Wall -Wpedantic -Werror -o udp-client
+
+FROM fedora:40
+
+COPY --from=builder /tmp/udp-server /usr/local/bin
+COPY --from=builder /tmp/udp-client /usr/local/bin
+EXPOSE 9090
+
+ENTRYPOINT ["udp-server"]

integration-tests/container/udp/Containerfile

@@ -0,0 +1,25 @@
+BASE_PATH = .
+include ../Makefile-constants.mk
+
+.DEFAULT_GOAL = all
+
+COLLECTOR_QA_UDP_TAG := udp
+
+ifneq ($(COLLECTOR_QA_TAG),)
+COLLECTOR_QA_UDP_TAG=udp-$(COLLECTOR_QA_TAG)
+endif
+
+.PHONY: all
+all: build
+
+.PHONY: build
+build:
+	@docker buildx build --load --platform ${PLATFORM} \
+		-t quay.io/rhacs-eng/qa-multi-arch:$(COLLECTOR_QA_UDP_TAG) \
+		-f Containerfile .
+
+.PHONY: build-and-push
+build-and-push:
+	@docker buildx build --push --platform ${PLATFORM} \
+		-t quay.io/rhacs-eng/qa-multi-arch:$(COLLECTOR_QA_UDP_TAG) \
+		-f Containerfile .