Workaround for raw tracepoint performance issues

shenping-bd · shenping-bd · commit dca31e516bf5 · 2024-12-23T14:19:48.000+08:00
raw tracepoint could lead &gt; 10% performance penality for syscall
intensive scenarios with linux kernels &lt; 5.4, especially CentOS7.

Disable raw tracepoint and DNS hooking for these kernels. Users
could enable it with kernel module parameters like:
    insmod hids_driver.ko RAWTP_HOOK=1 DNS_HOOK=1

Signed-off-by: shenping.matt &lt;shenping.matt@bytedance.com&gt;
diff --git a/driver/LKM/src/smith_hook.c b/driver/LKM/src/smith_hook.c
@@ -46,27 +46,41 @@ SMITH_HOOK(SETSID, 1);
 SMITH_HOOK(PRCTL, 1);
 SMITH_HOOK(MEMFD_CREATE, 1);
 SMITH_HOOK(MOUNT, 1);
-SMITH_HOOK(DNS, 1);
 SMITH_HOOK(USERMODEHELPER, 1);
 SMITH_HOOK(UDEV, 1);
 SMITH_HOOK(CHMOD, 1);
-
-SMITH_HOOK(WRITE, 0);
-SMITH_HOOK(ACCEPT, 0);
-SMITH_HOOK(OPEN, 0);
-SMITH_HOOK(MPROTECT, 0);
 SMITH_HOOK(NANOSLEEP, 0);
-SMITH_HOOK(KILL, 0);
-SMITH_HOOK(RM, 0);
-SMITH_HOOK(EXIT, 0);
 
-static int FAKE_SLEEP = 0;
-static int FAKE_RM = 0;
+SMITH_HOOK(WRITE, SANDBOX);
+SMITH_HOOK(ACCEPT, SANDBOX);
+SMITH_HOOK(OPEN, SANDBOX);
+SMITH_HOOK(MPROTECT, SANDBOX);
+SMITH_HOOK(KILL, SANDBOX);
+SMITH_HOOK(RM, SANDBOX);
+SMITH_HOOK(EXIT, SANDBOX);
+
+/*
+ *
+ * raw tracepoint brings severe performance penalty for syscall-intensive ops.
+ * so disabled by default, and enabled only for SANDBOX or kernels >= 5.4.210
+ *
+ */
+SMITH_HOOK(RAWTP, SANDBOX || (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 210)));
+SMITH_HOOK(DNS, SANDBOX || (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 210)));
+
+static int FAKE_RM = SANDBOX;
 
+#if SANDBOX
+static int PID_TREE_LIMIT = 100;
+static int PID_TREE_LIMIT_LOW = 100;
+static int EXECVE_GET_SOCK_PID_LIMIT = 100;
+static int EXECVE_GET_SOCK_FD_LIMIT = 100;
+#else
 static int PID_TREE_LIMIT = 12;
 static int PID_TREE_LIMIT_LOW = 8;
 static int EXECVE_GET_SOCK_PID_LIMIT = 4;
 static int EXECVE_GET_SOCK_FD_LIMIT = 12;  /* maximum fd numbers to be queried */
+#endif
 
 static char connect_syscall_kprobe_state = 0x0;
 static char execve_kretprobe_state = 0x0;
@@ -2702,6 +2716,10 @@ static int __init smith_sysret_init(void)
 {
     int i, rc;
 
+    /* skip raw tracepoint registration */
+    if (!RAWTP_HOOK)
+        return 0;
+
     /* check the tracepoints of our interest */
     rc = smith_assert_tracepoints();
     if (rc) {
@@ -2732,6 +2750,10 @@ static void smith_sysret_fini(void)
 {
     int i;
 
+    /* skip raw tracepoint unregistration */
+    if (!RAWTP_HOOK)
+        return;
+
     /* register callbacks for the tracepoints of our interest */
     for (i = NUM_TRACE_POINTS; i > 0; i--)
         smith_unregister_tracepoint(&g_smith_tracepoints[i - 1]);
@@ -4804,28 +4826,6 @@ static void __init install_kprobe(void)
 {
     int ret;
 
-    if (SANDBOX == 1) {
-        DNS_HOOK = 1;
-        USERMODEHELPER_HOOK = 1;
-        //MPROTECT_HOOK = 1;
-        ACCEPT_HOOK = 1;
-        OPEN_HOOK = 1;
-        MPROTECT_HOOK = 1;
-        //NANOSLEEP_HOOK = 1;
-        KILL_HOOK = 1;
-        RM_HOOK = 1;
-        EXIT_HOOK = 1;
-        WRITE_HOOK = 1;
-
-        PID_TREE_LIMIT = 100;
-        PID_TREE_LIMIT_LOW = 100;
-        EXECVE_GET_SOCK_PID_LIMIT = 100;
-        EXECVE_GET_SOCK_FD_LIMIT = 100;
-
-        FAKE_SLEEP = 1;
-        FAKE_RM = 1;
-    }
-
     if (UDEV_HOOK == 1) {
         static void (*smith_usb_register_notify) (struct notifier_block * nb);
         smith_usb_register_notify = __symbol_get("usb_register_notify");
