tetragon: Execute actions in case we do not find process info

Signed-off-by: Jiri Olsa <[email protected]>
cilium · Jan 13, 2025 · c64e7e4 · c64e7e4
1 parent 8a322b3
commit c64e7e4
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 10 deletions.
diff --git a/bpf/lib/common.h b/bpf/lib/common.h
@@ -8,6 +8,7 @@
 #define MSG_COMMON_FLAG_KERNEL_STACKTRACE BIT(1)
 #define MSG_COMMON_FLAG_USER_STACKTRACE	  BIT(2)
 #define MSG_COMMON_FLAG_IMA_HASH	  BIT(3)
+#define MSG_COMMON_FLAG_PROCESS_NOT_FOUND BIT(4)
 
 /* Msg Layout */
 struct msg_common {

diff --git a/bpf/process/bpf_generic_kprobe.c b/bpf/process/bpf_generic_kprobe.c
@@ -97,10 +97,13 @@ generic_kprobe_process_filter(void *ctx)
 	int ret;
 
 	ret = generic_process_filter();
-	if (ret == PFILTER_CONTINUE)
+	switch (ret) {
+	case PFILTER_CONTINUE:
 		tail_call(ctx, &kprobe_calls, TAIL_CALL_FILTER);
-	else if (ret == PFILTER_ACCEPT)
+	case PFILTER_CURR_NOT_FOUND:
+	case PFILTER_ACCEPT:
 		tail_call(ctx, &kprobe_calls, TAIL_CALL_SETUP);
+	}
 	/* If filter does not accept drop it. Ideally we would
 	 * log error codes for later review, TBD.
 	 */

diff --git a/bpf/process/generic_calls.h b/bpf/process/generic_calls.h
@@ -56,6 +56,7 @@ generic_start_process_filter(void *ctx, struct bpf_map_def *calls)
 #endif
 
 	msg->lsm.post = false;
+	msg->common.flags = 0;
 
 	/* Tail call into filters. */
 	tail_call(ctx, calls, TAIL_CALL_FILTER);
@@ -126,7 +127,6 @@ generic_process_init(struct msg_generic_kprobe *e, u8 op, struct event_config *c
 {
 	e->common.op = op;
 
-	e->common.flags = 0;
 	e->common.pad[0] = 0;
 	e->common.pad[1] = 0;
 	e->common.size = 0;
@@ -344,17 +344,21 @@ has_action(struct selector_action *actions, __u32 idx)
 
 /* Currently supporting 2 actions for selector. */
 FUNC_INLINE bool
-do_actions(void *ctx, struct selector_action *actions)
+do_actions(void *ctx, struct selector_action *actions, unsigned long allowed)
 {
 	bool post = true;
 	__u32 l, i = 0;
+	int action;
 
 #ifndef __LARGE_BPF_PROG
 #pragma unroll
 #endif
 	for (l = 0; l < MAX_ACTIONS; l++) {
 		if (!has_action(actions, i))
 			break;
+		action = actions->act[i];
+		if (allowed && (allowed & (1 << action)) == 0)
+			continue;
 		i = do_action(ctx, i, actions, &post);
 	}
 
@@ -368,6 +372,7 @@ generic_actions(void *ctx, struct bpf_map_def *calls)
 	struct selector_action *actions;
 	struct msg_generic_kprobe *e;
 	int actoff, pass, zero = 0;
+	unsigned long allowed = 0;
 	bool postit;
 	__u8 *f;
 
@@ -383,6 +388,12 @@ generic_actions(void *ctx, struct bpf_map_def *calls)
 	if (!f)
 		return 0;
 
+	if (e->common.flags & MSG_COMMON_FLAG_PROCESS_NOT_FOUND) {
+		allowed |= 1 << ACTION_SIGKILL;
+		allowed |= 1 << ACTION_OVERRIDE;
+		allowed |= 1 << ACTION_SIGNAL;
+	}
+
 	asm volatile("%[pass] &= 0x7ff;\n"
 		     : [pass] "+r"(pass)
 		     :);
@@ -394,7 +405,7 @@ generic_actions(void *ctx, struct bpf_map_def *calls)
 		     :);
 	actions = (struct selector_action *)&f[actoff];
 
-	postit = do_actions(ctx, actions);
+	postit = do_actions(ctx, actions, allowed);
 	if (postit)
 		tail_call(ctx, calls, TAIL_CALL_SEND);
 	return postit;
@@ -525,7 +536,7 @@ FUNC_INLINE int generic_retkprobe(void *ctx, struct bpf_map_def *calls, unsigned
 	enter = event_find_curr(&ppid, &walker);
 
 	e->common.op = MSG_OP_GENERIC_KPROBE;
-	e->common.flags |= MSG_COMMON_FLAG_RETURN;
+	e->common.flags = MSG_COMMON_FLAG_RETURN;
 	e->common.pad[0] = 0;
 	e->common.pad[1] = 0;
 	e->common.size = size;
@@ -558,7 +569,7 @@ FUNC_INLINE int generic_retkprobe(void *ctx, struct bpf_map_def *calls, unsigned
 // msg_generic_hdr structure.
 FUNC_INLINE int generic_process_filter(void)
 {
-	int selectors, pass, curr, zero = 0;
+	int selectors, pass, curr, zero = 0, i;
 	struct execve_map_value *enter;
 	struct msg_generic_kprobe *msg;
 	struct msg_execve_key *current;
@@ -570,15 +581,21 @@ FUNC_INLINE int generic_process_filter(void)
 	if (!msg)
 		return 0;
 
+	sel = &msg->sel;
+
 	enter = event_find_curr(&ppid, &walker);
-	if (!enter)
+	if (!enter) {
+		msg->common.flags |= MSG_COMMON_FLAG_PROCESS_NOT_FOUND;
+		for (i = 0; i < MAX_CONFIGURED_SELECTORS; i++)
+			msg->sel.active[i] = true;
+		sel->active[SELECTORS_ACTIVE] = true;
 		return PFILTER_CURR_NOT_FOUND;
+	}
 
 	f = map_lookup_elem(&filter_map, &msg->idx);
 	if (!f)
 		return PFILTER_ERROR;
 
-	sel = &msg->sel;
 	current = &msg->current;
 
 	curr = sel->curr;
@@ -668,6 +685,11 @@ FUNC_INLINE long generic_filter_arg(void *ctx, struct bpf_map_def *tailcalls,
 		tail_call(ctx, tailcalls, TAIL_CALL_ACTIONS);
 	}
 
+	// We did not pass pid filter, but there are no actions,
+	// let's drop the event and do nothing.
+	if (e->common.flags & MSG_COMMON_FLAG_PROCESS_NOT_FOUND)
+		return 0;
+
 	tail_call(ctx, tailcalls, TAIL_CALL_SEND);
 	return 0;
 }

diff --git a/bpf/process/pfilter.h b/bpf/process/pfilter.h
@@ -76,11 +76,11 @@ filter_pidsets(__u64 ty, __u64 flags, __u64 sel, struct execve_map_value *enter)
 
 // generic_process_filter return value
 enum {
+	PFILTER_CURR_NOT_FOUND = 4, // event_find_curr() failed
 	PFILTER_ERROR = 3, // these should never happen
 	PFILTER_CONTINUE = 2, // filter check continue
 	PFILTER_ACCEPT = 1, // filter check passed
 	PFILTER_REJECT = 0, // filter check failed
-	PFILTER_CURR_NOT_FOUND = 0, // event_find_curr() failed
 };
 
 FUNC_INLINE int

diff --git a/pkg/api/processapi/processapi.go b/pkg/api/processapi/processapi.go
@@ -44,6 +44,7 @@ const (
 	MSG_COMMON_FLAG_KERNEL_STACKTRACE = 0x2
 	MSG_COMMON_FLAG_USER_STACKTRACE   = 0x4
 	MSG_COMMON_FLAG_IMA_HASH          = 0x8
+	MSG_COMMON_FLAG_PROCESS_NOT_FOUND = 0x16
 
 	BINARY_PATH_MAX_LEN = 256
 	MAX_ARG_LENGTH      = 256