Description
Our eBPF telemetry hooks intercepting file and sys_execve loops are verified by the Linux Kernel prior to loading. To improve efficiency and avoid CPU caching misalignment across heterogeneous worker node infrastructures, we would like to enforce explicit 8-byte boundaries on all kernel trace payload events.
Proposed Scope
- Audit structures defined inside
sentinel_common.h and ensure 32-bit and 64-bit alignment patterns prevent memory footprint padding issues across runtime limits.
- Confirm the placement of
__attribute__((packed)) directives on all communication payloads.
- Review bounds checks immediately preceding critical memory read helpers like
bpf_probe_read_user_str or bpf_probe_read_kernel_str to verify the verifier is fully informed of bounds layout definitions.
Expected Files to Modify
sentinel_common.h or sentinel_bpf.c in kernel bytecode targets.
Verification Steps
- Run native compiler scripts and confirm compiler symbols map output cleanly.
- Ensure the bytecode successfully passes the local eBPF loader verification checks and does not lead to loading errors.
Description
Our eBPF telemetry hooks intercepting file and sys_execve loops are verified by the Linux Kernel prior to loading. To improve efficiency and avoid CPU caching misalignment across heterogeneous worker node infrastructures, we would like to enforce explicit 8-byte boundaries on all kernel trace payload events.
Proposed Scope
sentinel_common.hand ensure 32-bit and 64-bit alignment patterns prevent memory footprint padding issues across runtime limits.__attribute__((packed))directives on all communication payloads.bpf_probe_read_user_strorbpf_probe_read_kernel_strto verify the verifier is fully informed of bounds layout definitions.Expected Files to Modify
sentinel_common.horsentinel_bpf.cin kernel bytecode targets.Verification Steps