From c55b3a3944f756008405d52ede04d655313d693f Mon Sep 17 00:00:00 2001
From: Jiri Olsa
Date: Wed, 21 Jun 2023 10:44:15 +0000
Subject: [PATCH] tetragon: Add bpf_killer bpf program

Adding bpf_killer bpf program that allows to (when attached to syscall)
override syscall or kill current process.

Signed-off-by: Jiri Olsa
---
 bpf/Makefile | 9 ++++++++-
 bpf/process/bpf_killer.c | 28 ++++++++++++++++++++++++++++
 bpf/process/bpf_killer.h | 40 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 bpf/process/bpf_killer.c
 create mode 100644 bpf/process/bpf_killer.h

diff --git a/bpf/Makefile b/bpf/Makefile
index e976ea4131d..a74b5ec9ff2 100644
--- a/bpf/Makefile
+++ b/bpf/Makefile
@@ -33,7 +33,8 @@ PROCESS = bpf_execve_event.o bpf_execve_event_v53.o bpf_fork.o bpf_exit.o bpf_ge
 bpf_generic_tracepoint_v61.o \
 bpf_multi_kprobe_v61.o bpf_multi_retkprobe_v61.o \
 bpf_generic_uprobe_v61.o \
- bpf_loader.o
+ bpf_loader.o \
+ bpf_killer.o bpf_multi_killer.o
 CGROUP = bpf_cgroup_mkdir.o bpf_cgroup_rmdir.o bpf_cgroup_release.o
 BPFTEST = bpf_lseek.o bpf_globals.o
@@ -114,6 +115,12 @@ objs/%_v53.ll:
 $(DEPSDIR)%.d: $(PROCESSDIR)%.c
 $(CLANG) $(CLANG_FLAGS) -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@
+objs/bpf_multi_killer.ll: process/bpf_killer.c
+ $(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -D__MULTI_KPROBE -c $< -o $@
+
+$(DEPSDIR)/bpf_multi_killer.d: process/bpf_killer.c
+ $(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -D__MULTI_KPROBE -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@
+
 $(DEPSDIR)%_v53.d:
 $(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@
diff --git a/bpf/process/bpf_killer.c b/bpf/process/bpf_killer.c
new file mode 100644
index 00000000000..95a4147159f
--- /dev/null
+++ b/bpf/process/bpf_killer.c
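Review bot: The two explicit rules added in the second hunk spell their paths differently from the pattern rules around them: the dependency target is written `$(DEPSDIR)/bpf_multi_killer.d` with a slash while `$(DEPSDIR)%.d` and `$(DEPSDIR)%_v53.d` use none, and the output is hard-coded as `objs/bpf_multi_killer.ll` while the -MT substitution produces `$(OBJSDIR)%.ll`. If DEPSDIR already carries a trailing slash, as the pattern rules suggest, the .d file lands at a double-slash path that the -MT target name and any include of `$(DEPSDIR)*.d` may not match, so the multi variant could quietly lose dependency tracking. Writing the targets as `$(OBJSDIR)bpf_multi_killer.ll: $(PROCESSDIR)bpf_killer.c` and `$(DEPSDIR)bpf_multi_killer.d: $(PROCESSDIR)bpf_killer.c` keeps them consistent with the existing rules, assuming those variables end in a slash; their definitions are outside this hunk and worth checking.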
@@ -0,0 +1,28 @@
+#include "bpf_killer.h"
+
+char _license[] __attribute__((section("license"), used)) = "GPL";
+
+#ifdef __MULTI_KPROBE
+#define MAIN "kprobe.multi/killer"
+#else
+#define MAIN "kprobe/killer"
+#endif
+
+__attribute__((section(MAIN), used)) int
+killer(void *ctx)
+{
+ __u64 id = get_current_pid_tgid();
+ struct killer_data *data;
+
+ data = map_lookup_elem(&killer_data, &id);
+ if (!data)
+ return 0;
+
+ if (data->error)
+ override_return(ctx, data->error);
+ if (data->signal)
+ send_signal(data->signal);
+
+ map_delete_elem(&killer_data, &id);
+ return 0;
+}
diff --git a/bpf/process/bpf_killer.h b/bpf/process/bpf_killer.h
new file mode 100644
index 00000000000..7b4076f2b90
--- /dev/null
+++ b/bpf/process/bpf_killer.h
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright Authors of Cilium */
+
+#ifndef __KILLER_H__
+#define __KILLER_H__
+
+#include "vmlinux.h"
+#include "bpf_helpers.h"
+
+struct killer_data {
+ __s16 error;
+ __s16 signal;
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 32768);
+ __type(key, __u64);
+ __type(value, struct killer_data);
+} killer_data SEC(".maps");
+
+static inline __attribute__((always_inline)) void
+do_killer_action(int error, int signal)
+{
+ __u64 id = get_current_pid_tgid();
+ struct killer_data *ptr, data = {
+ .error = (__s16)error,
+ .signal = (__s16)signal,
+ };
+
+ ptr = map_lookup_elem(&killer_data, &id);
+ if (ptr) {
+ ptr->error = (__s16)error;
+ ptr->signal = (__s16)signal;
+ } else {
+ map_update_elem(&killer_data, &id, &data, BPF_ANY);
+ }
+}
+
+#endif /* __KILLER_H__ */
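Review bot: An armed entry is only removed from `killer_data` when `killer` itself runs for the same thread, so an action recorded for a thread that exits, or never reaches the probed function, stays in the map indefinitely; because the key is `get_current_pid_tgid()`, a later thread handed the same recycled pid/tgid would inherit the override or signal, and the map also fills up with such leftovers. The process program list in the Makefile already carries a `bpf_exit.o` program, so deleting the current thread's entry on that exit path (or keying the entry with a value that is not reused across process lifetimes) would close this. Separately, the file lacks the `// SPDX-License-Identifier: GPL-2.0` and copyright header that bpf_killer.h carries, and `_license` could use `SEC("license")` like the map in the header instead of a raw section attribute. A short header comment stating the contract — one pending entry per thread, consumed exactly once by this program, and `override_return` only taking effect where the attached function permits error injection — would help the next reader.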
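Review bot: `do_killer_action` discards the return value of `map_update_elem`, so once `killer_data` is at its 32768-entry limit the requested override or kill is silently dropped and the enforcement fails open, with no way for the caller to log or react. Returning the helper's result (a `long` in the kernel's helper definition) lets the caller surface that; callers of `do_killer_action` are outside this patch and would need the return type change picked up. Since `BPF_ANY` already replaces an existing value for the same key, the lookup-and-patch branch also looks redundant, unless it is deliberately avoiding an element reallocation, which the patch does not say. The narrowing casts to `__s16` are fine for errno and signal numbers but silently truncate anything larger; a comment on `struct killer_data` stating that expected range would help.
```c
static inline __attribute__((always_inline)) long
do_killer_action(int error, int signal)
{
	__u64 id = get_current_pid_tgid();
	struct killer_data data = {
		.error = (__s16)error,
		.signal = (__s16)signal,
	};

	/* BPF_ANY replaces any pending entry for this thread; a non-zero
	 * result means the map is full and the action will not fire. */
	return map_update_elem(&killer_data, &id, &data, BPF_ANY);
}
```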