Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Spike] Use BPF_ITER to enumerate already running processes #155

Open
lrishi opened this issue Oct 1, 2022 · 0 comments
Open

[Spike] Use BPF_ITER to enumerate already running processes #155

lrishi opened this issue Oct 1, 2022 · 0 comments
Assignees
@rhysre

Comments

@lrishi
Copy link
Contributor

lrishi commented Oct 1, 2022

Currently, eBPF sensor does not report already running processes.

Investigate use of a BPF_ITER program to enumerate all the already running tasks
(and consequently, disable the already running logic in endpoint when eBPF sensor is used)

Resources/References:
https://developers.facebook.com/blog/post/2022/03/31/bpf-iterator-retrieving-kernel-data-with-flexibility-and-efficiency/
https://elixir.bootlin.com/linux/latest/source/kernel/bpf/bpf_iter.c
@lrishi lrishi changed the title Use BPF_ITER to enumerate already running processes [Spike] Use BPF_ITER to enumerate already running processes Oct 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rhysre rhysre

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lrishi @rhysre