ebpf cached improvements

Simplify the cache of connections by storing only the PID of a process, instead of the Process object. We can obtain the Process object from the cache of processes by PID.
evilsocket · Jan 18, 2024 · 3343767 · 3343767
1 parent dc43d59
commit 3343767
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 25 deletions.
diff --git a/daemon/procmon/ebpf/cache.go b/daemon/procmon/ebpf/cache.go
@@ -3,14 +3,12 @@ package ebpf
 import (
 	"sync"
 	"time"
-
-	"github.com/evilsocket/opensnitch/daemon/procmon"
 )
 
 type ebpfCacheItem struct {
-	Proc     procmon.Process
-	LastSeen int64
 	Key      []byte
+	LastSeen int64
+	Pid      int
 }
 
 type ebpfCacheType struct {
@@ -27,10 +25,10 @@ var (
 )
 
 // NewEbpfCacheItem creates a new cache item.
-func NewEbpfCacheItem(key []byte, proc procmon.Process) *ebpfCacheItem {
+func NewEbpfCacheItem(key []byte, pid int) *ebpfCacheItem {
 	return &ebpfCacheItem{
 		Key:      key,
-		Proc:     proc,
+		Pid:      pid,
 		LastSeen: time.Now().UnixNano(),
 	}
 }
@@ -51,9 +49,9 @@ func NewEbpfCache() *ebpfCacheType {
 	}
 }
 
-func (e *ebpfCacheType) addNewItem(key interface{}, itemKey []byte, proc procmon.Process) {
+func (e *ebpfCacheType) addNewItem(key interface{}, itemKey []byte, pid int) {
 	e.mu.Lock()
-	e.Items[key] = NewEbpfCacheItem(itemKey, proc)
+	e.Items[key] = NewEbpfCacheItem(itemKey, pid)
 	e.mu.Unlock()
 }
 
@@ -83,17 +81,6 @@ func (e *ebpfCacheType) update(key interface{}, item *ebpfCacheItem) {
 	e.Items[key] = item
 }
 
-func (e *ebpfCacheType) updateByPid(proc *procmon.Process) {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-	for k, item := range e.Items {
-		if proc.ID == item.Proc.ID {
-			e.update(k, item)
-		}
-	}
-
-}
-
 func (e *ebpfCacheType) Len() int {
 	e.mu.RLock()
 	defer e.mu.RUnlock()

diff --git a/daemon/procmon/ebpf/find.go b/daemon/procmon/ebpf/find.go
@@ -107,12 +107,13 @@ func getPidFromEbpf(proto string, srcPort uint, srcIP net.IP, dstIP net.IP, dstP
 		dstIP.String(),
 		strconv.FormatUint(uint64(dstPort), 10))
 	if cacheItem, isInCache := ebpfCache.isInCache(k); isInCache {
-		// should we re-read the info?
-		// environ vars might have changed
-		//proc.GetDetails()
 		deleteEbpfEntry(proto, unsafe.Pointer(&key[0]))
-		proc = &cacheItem.Proc
-		log.Debug("[ebpf conn] in cache: %s, %d -> %s", k, proc.ID, proc.Path)
+		if ev, found := procmon.EventsCache.IsInStoreByPID(cacheItem.Pid); found {
+			proc = &ev.Proc
+			log.Debug("[ebpf conn] in cache: %s, %d -> %s", k, proc.ID, proc.Path)
+			return
+		}
+		log.Info("[ebpf conn] in cache, with no proc %s, %d", k, cacheItem.Pid)
 		return
 	}
 
@@ -151,7 +152,7 @@ func getPidFromEbpf(proto string, srcPort uint, srcIP net.IP, dstIP net.IP, dstP
 	proc = findConnProcess(&value, k)
 
 	log.Debug("[ebpf conn] adding item to cache: %s", k)
-	ebpfCache.addNewItem(k, key, *proc)
+	ebpfCache.addNewItem(k, key, proc.ID)
 	if delItemIfFound {
 		deleteEbpfEntry(proto, unsafe.Pointer(&key[0]))
 	}