[usm] add regular and raw tracepoints /sched_process_exit

DataDog · Feb 11, 2025 · 6cf2d27 · 6cf2d27
1 parent 48ffdc4
commit 6cf2d27
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/pkg/network/ebpf/c/protocols/flush.h b/pkg/network/ebpf/c/protocols/flush.h
@@ -28,4 +28,28 @@ int tracepoint__net__netif_receive_skb(void *ctx) {
     return 0;
 }
 
+SEC("tracepoint/sched/sched_process_exit")
+int tracepoint__sched__sched_process_exit(void *ctx) {
+    CHECK_BPF_PROGRAM_BYPASSED()
+    u64 pid_tgid = bpf_get_current_pid_tgid();
+
+    bpf_map_delete_elem(&ssl_read_args, &pid_tgid);
+    bpf_map_delete_elem(&ssl_read_ex_args, &pid_tgid);
+
+    return 0;
+}
+
+#if defined(COMPILE_PREBUILT) || defined(COMPILE_CORE) || (defined(COMPILE_RUNTIME) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0))
+SEC("raw_tracepoint/sched_process_exit")
+int raw_tracepoint__sched_process_exit(void *ctx) {
+    CHECK_BPF_PROGRAM_BYPASSED()
+    u64 pid_tgid = bpf_get_current_pid_tgid();
+
+    bpf_map_delete_elem(&ssl_read_args, &pid_tgid);
+    bpf_map_delete_elem(&ssl_read_ex_args, &pid_tgid);
+
+    return 0;
+}
+#endif
+
 #endif
diff --git a/pkg/network/usm/ebpf_main.go b/pkg/network/usm/ebpf_main.go
@@ -14,6 +14,7 @@ import (
 	"slices"
 	"unsafe"
 
+	"github.com/DataDog/datadog-agent/pkg/util/kernel"
 	manager "github.com/DataDog/ebpf-manager"
 	"github.com/cilium/ebpf"
 	"github.com/davecgh/go-spew/spew"
@@ -149,6 +150,29 @@ func newEBPFProgram(c *config.Config, connectionProtocolMap *ebpf.Map) (*ebpfPro
 		}
 	}
 
+	if kversion, err := kernel.HostVersion(); err == nil && kversion >= kernel.VersionCode(4, 17, 0) {
+		// Use a raw tracepoint on a supported kernel to intercept terminated threads and clear the corresponding maps.
+		mgr.Probes = append(mgr.Probes, []*manager.Probe{
+			{
+				ProbeIdentificationPair: manager.ProbeIdentificationPair{
+					EBPFFuncName: "raw_tracepoint__sched_process_exit",
+					UID:          probeUID,
+				},
+				TracepointName: "sched_process_exit",
+			},
+		}...)
+	} else {
+		// use a regular tracepoint to intercept terminated threads.
+		mgr.Probes = append(mgr.Probes, []*manager.Probe{
+			{
+				ProbeIdentificationPair: manager.ProbeIdentificationPair{
+					EBPFFuncName: "tracepoint__sched__sched_process_exit",
+					UID:          probeUID,
+				},
+			},
+		}...)
+	}
+
 	program := &ebpfProgram{
 		Manager:               ddebpf.NewManager(mgr, "usm", &ebpftelemetry.ErrorsTelemetryModifier{}),
 		cfg:                   c,