tetragon: Add bpf_killer bpf program

Adding bpf_killer bpf program that allows to (when attached to syscall) override syscall or kill current process. Signed-off-by: Jiri Olsa <[email protected]>
cilium · Aug 22, 2023 · c55b3a3 · c55b3a3
1 parent dca2209
commit c55b3a3
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 1 deletion.
diff --git a/bpf/Makefile b/bpf/Makefile
@@ -33,7 +33,8 @@ PROCESS = bpf_execve_event.o bpf_execve_event_v53.o bpf_fork.o bpf_exit.o bpf_ge
 	  bpf_generic_tracepoint_v61.o \
 	  bpf_multi_kprobe_v61.o bpf_multi_retkprobe_v61.o \
 	  bpf_generic_uprobe_v61.o \
-	  bpf_loader.o
+	  bpf_loader.o \
+	  bpf_killer.o bpf_multi_killer.o
 
 CGROUP = bpf_cgroup_mkdir.o bpf_cgroup_rmdir.o bpf_cgroup_release.o
 BPFTEST = bpf_lseek.o bpf_globals.o
@@ -114,6 +115,12 @@ objs/%_v53.ll:
 $(DEPSDIR)%.d: $(PROCESSDIR)%.c
 	$(CLANG) $(CLANG_FLAGS) -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@)   $< > $@
 
+objs/bpf_multi_killer.ll: process/bpf_killer.c
+	$(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -D__MULTI_KPROBE -c $< -o $@
+
+$(DEPSDIR)/bpf_multi_killer.d: process/bpf_killer.c
+	$(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -D__MULTI_KPROBE -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@
+
 $(DEPSDIR)%_v53.d:
 	$(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@)   $< > $@
 

diff --git a/bpf/process/bpf_killer.c b/bpf/process/bpf_killer.c
@@ -0,0 +1,28 @@
+#include "bpf_killer.h"
+
+char _license[] __attribute__((section("license"), used)) = "GPL";
+
+#ifdef __MULTI_KPROBE
+#define MAIN "kprobe.multi/killer"
+#else
+#define MAIN "kprobe/killer"
+#endif
+
+__attribute__((section(MAIN), used)) int
+killer(void *ctx)
+{
+	__u64 id = get_current_pid_tgid();
+	struct killer_data *data;
+
+	data = map_lookup_elem(&killer_data, &id);
+	if (!data)
+		return 0;
+
+	if (data->error)
+		override_return(ctx, data->error);
+	if (data->signal)
+		send_signal(data->signal);
+
+	map_delete_elem(&killer_data, &id);
+	return 0;
+}
diff --git a/bpf/process/bpf_killer.h b/bpf/process/bpf_killer.h
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright Authors of Cilium */
+
+#ifndef __KILLER_H__
+#define __KILLER_H__
+
+#include "vmlinux.h"
+#include "bpf_helpers.h"
+
+struct killer_data {
+	__s16 error;
+	__s16 signal;
+};
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 32768);
+	__type(key, __u64);
+	__type(value, struct killer_data);
+} killer_data SEC(".maps");
+
+static inline __attribute__((always_inline)) void
+do_killer_action(int error, int signal)
+{
+	__u64 id = get_current_pid_tgid();
+	struct killer_data *ptr, data = {
+		.error = (__s16)error,
+		.signal = (__s16)signal,
+	};
+
+	ptr = map_lookup_elem(&killer_data, &id);
+	if (ptr) {
+		ptr->error = (__s16)error;
+		ptr->signal = (__s16)signal;
+	} else {
+		map_update_elem(&killer_data, &id, &data, BPF_ANY);
+	}
+}
+
+#endif /* __KILLER_H__ */