Received: by 2002:ab2:687:0:b0:1f4:6588:b3a7 with SMTP id s7csp112383lqe; Tue, 9 Apr 2024 16:54:43 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVtPCnnjKRkIf3oqctG0/gn52B8e8HBlIBNqr6L//KSPYWDAxjlYHlf3JkFMIeh3BnxT6n9tu9+IYG4jT4oS0J+n1A6QjjqQoDwkoVFFw== X-Google-Smtp-Source: AGHT+IFn+3mUwUMc6Nx+HN/tHEH3WlacbAN9AnWjpO0QJQsKTxVmPk0QKBTXjx3m2hZndWA0VKUq X-Received: by 2002:a05:6870:d894:b0:22e:cbb6:7295 with SMTP id oe20-20020a056870d89400b0022ecbb67295mr1232044oac.21.1712706883302; Tue, 09 Apr 2024 16:54:43 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712706883; cv=pass; d=google.com; s=arc-20160816; b=WcuTFCzu5DoxlDYVlfIa73Y+CCFmG6vHqvlBhl7RpNNa5ac8Q3JOhQCZPmaHCALyWX 68fJH9/+7R8wG6UVgJK7yc5tdi3D79oAKuf/sX+c+0BVwr3nqsDqGYvoYDxyWDRrWbx8 +pen0rPnGW5kvcKEWzttoQilP5ovRaxRhSsO0D7wdZy/obiee25aXbOykk9s7OWuU+rI K9PbcXKkCcwRNLMfh3PF6jpXGco+crktYlwuMmhqLBZ1S+mHL6C3v+TwKcvYVoVZ2/TQ wlg7oQpuJPa48U1ihKptV9K0z2Vd2JFf9cMgMvkCTzdCOzN9WOSxjxGny06UaOmGM+0F BE1g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :subject:cc:to:from:date:dkim-signature; bh=eWJPFimcD1LFvR4R9EcfDpsxprCMH5/d7paQfWIfIz0=; fh=n1VOoWSepWoxpiw4F/+Fj3dH3YRqE4qA/npB3lzx1nE=; b=WRuU12t/AlIczHN1TvYOr0fLhNCdugZicGpSGz49ugvOT+f36zHWGUi+lB212eyDRB utlHONMj2usVo21vfMAV8QlNdNj9q7ukWljy9o0/py4eQdFjzKvj7HBjBHlEaItNnZOz i5lN+/noUT2q2wYZczndejRfDhM0pjCB6r49mZKWJWoQO9n0fNttR9oBJeR2BDqAv/Qv GiOoHycOSuX9RVpK6M3HwX0pjFQcL5ihIbfg3svMq5bBmsghgoJkxeX79518KZ6xXVip n5pHa+PmDYT5aXBpA8mRtQ1zX32y+A2QDZF7Uk8ptwi6snKqRaK8ra5seyKRjP4cnoQO GgJQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=NwojOdW2; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-137736-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-137736-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id w19-20020a05620a445300b0078d75e13f15si1583502qkp.410.2024.04.09.16.54.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Apr 2024 16:54:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-137736-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=NwojOdW2; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-137736-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-137736-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id F1A6D1C21592 for ; Tue, 9 Apr 2024 23:54:42 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 100241591FC; Tue, 9 Apr 2024 23:54:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="NwojOdW2" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 316DC158851; Tue, 9 Apr 2024 23:54:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712706874; cv=none; b=UxfnAUfeVIS0i1dEM06AGUz3RUndetzFlEPrDGJtZdJxVfveNZ0mqDEldOpetpwCU2YJvnosWL/OUf3W7HU2WYE/x2TauW+0CLkKMtdoQ0jW3A1Xq0fczPTF8d4fS0uaZVSCbOi6U7YdIaL2yb2mail+CiwmgCKfHQIncFB8Pck= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712706874; c=relaxed/simple; bh=t1NhF4nrxdQhhoLefZQtEgoMWYKkMCdVLx8xtlo79Mw=; h=Date:From:To:Cc:Subject:Message-Id:In-Reply-To:References: Mime-Version:Content-Type; b=mxTXIlVg2YKnKjxPh6neoT4PnQdX2iPlsIelqBXtAA2rn5iK7uNr1HAcj4ppYRkSkey7C5DPiX6LJrPV7ps7IZQij4SqqSz0MNgyGSX+3EBNBu/S3lV3Dz0mvqc8rHmNZ5U0rsX45/kzgReRFVEqtS7DPXQPEMkf4ERvgC9kxGg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=NwojOdW2; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6E1A9C433F1; Tue, 9 Apr 2024 23:54:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1712706873; bh=t1NhF4nrxdQhhoLefZQtEgoMWYKkMCdVLx8xtlo79Mw=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=NwojOdW2AUtmiM4odkHOSUKtAmqdBkpXq4Sienw6hV91VcOgqBhaTkP76EaYBwmvm MBkGDAY6vmhV262dis86jOzkdodmqdQOnR2F23XwGnbtXO3VsZgxs5qTAFAHqp04uA zFyIk7eMTdtL4aGRMgDaBvjZzkourZhvpq0j8eSOAUwk9zdyMZZuhjkWzeC4TVyTMc 0YdNVxcu1YDvf3IxXdYZK9qX586ukiLZj9FwOM+I2YY8t/K9jUCK4bGIpvIEZ8P6zi TlOjbfmbpw23dA7/cVNp44QysvPU+TUeiWYqFr2b73mrRqrfsBQwB6ZdKdueiIl/AM 4pezmDgjCkQNw== Date: Wed, 10 Apr 2024 08:54:28 +0900 From: Masami Hiramatsu (Google) To: Marco Elver Cc: Steven Rostedt , Eric Biederman , Kees Cook , Alexander Viro , Christian Brauner , Jan Kara , Masami Hiramatsu , Mathieu Desnoyers , linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, Dmitry Vyukov Subject: Re: [PATCH] tracing: Add new_exec tracepoint Message-Id: <20240410085428.53093333cf4d768d6b420a11@kernel.org> In-Reply-To: References: <20240408090205.3714934-1-elver@google.com> <20240409103327.7a9012fa@gandalf.local.home> X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; x86_64-pc-linux-gnu) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Tue, 9 Apr 2024 16:45:47 +0200 Marco Elver wrote: > On Tue, 9 Apr 2024 at 16:31, Steven Rostedt wrote: > > > > On Mon, 8 Apr 2024 11:01:54 +0200 > > Marco Elver wrote: > > > > > Add "new_exec" tracepoint, which is run right after the point of no > > > return but before the current task assumes its new exec identity. > > > > > > Unlike the tracepoint "sched_process_exec", the "new_exec" tracepoint > > > runs before flushing the old exec, i.e. while the task still has the > > > original state (such as original MM), but when the new exec either > > > succeeds or crashes (but never returns to the original exec). > > > > > > Being able to trace this event can be helpful in a number of use cases: > > > > > > * allowing tracing eBPF programs access to the original MM on exec, > > > before current->mm is replaced; > > > * counting exec in the original task (via perf event); > > > * profiling flush time ("new_exec" to "sched_process_exec"). > > > > > > Example of tracing output ("new_exec" and "sched_process_exec"): > > > > How common is this? And can't you just do the same with adding a kprobe? > > Our main use case would be to use this in BPF programs to become > exec-aware, where using the sched_process_exec hook is too late. This > is particularly important where the BPF program must stop inspecting > the user space's VM when the task does exec to become a new process. Just out of curiousity, would you like to audit that the user-program is not malformed? (security tracepoint?) I think that is an interesting idea. What kind of information you need? > > kprobe (or BPF's fentry) is brittle here, because begin_new_exec()'s > permission check can still return an error which returns to the > original task without crashing. Only at the point of no return are we > guaranteed that the exec either succeeds, or the task is terminated on > failure. Just a note: That is BPF limitation, kprobe and kprobe events can put a probe in the function body, but that is not supported on BPF (I guess because it depends on kernel debuginfo.) You can add kprobe-event using "perf probe" tool. Thank you, > > I don't know if "common" is the right question here, because it's a > chicken-egg problem: no tracepoint, we give up; we have the > tracepoint, it unlocks a range of new use cases (that require robust > solution to make BPF programs exec-aware, and a tracepoint is the only > option IMHO). > > Thanks, > -- Marco -- Masami Hiramatsu (Google)