diff --git a/api/v1/README.md b/api/v1/README.md
index 10ef1ca93b7..20936476d10 100644
--- a/api/v1/README.md
+++ b/api/v1/README.md
@@ -826,6 +826,7 @@ loader sensor event triggered for loaded binary/library
 | event | [string](#string) | | Event of the subsystem. |
 | args | [KprobeArgument](#tetragon-KprobeArgument) | repeated | Arguments definition of the observed tracepoint. TODO: once we implement all we want, rename KprobeArgument to GenericArgument |
 | policy_name | [string](#string) | | Name of the policy that created that tracepoint. |
+| action | [KprobeAction](#tetragon-KprobeAction) | | Action performed when the tracepoint matched. |
@@ -975,6 +976,9 @@ RuntimeHookRequest synchronously propagates information to the agent about run-t
 | KPROBE_ACTION_DNSLOOKUP | 8 | GetURL action issue a DNS lookup against an URL from userspace. |
 | KPROBE_ACTION_NOPOST | 9 | NoPost action suppresses the transmission of the event to userspace. |
 | KPROBE_ACTION_SIGNAL | 10 | Signal action sends specified signal to the process. |
+| KPROBE_ACTION_TRACKSOCK | 11 | TrackSock action tracks socket. |
+| KPROBE_ACTION_UNTRACKSOCK | 12 | UntrackSock action un-tracks socket. |
+| KPROBE_ACTION_NOTIFYKILLER | 13 | NotifyKiller action notifies killer sensor. |
diff --git a/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go b/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go
index e148e5f4076..01c8c5fdcef 100644
--- a/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go
+++ b/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go
@@ -1098,6 +1098,7 @@ type ProcessTracepointChecker struct {
 Event *stringmatcher.StringMatcher `json:"event,omitempty"`
 Args *KprobeArgumentListMatcher `json:"args,omitempty"`
 PolicyName *stringmatcher.StringMatcher `json:"policyName,omitempty"`
+ Action *KprobeActionChecker `json:"action,omitempty"`
 }
 // CheckEvent checks a single event and implements the EventChecker interface
@@ -1169,6 +1170,11 @@ func (checker *ProcessTracepointChecker) Check(event *tetragon.ProcessTracepoint
 return fmt.Errorf("PolicyName check failed: %w", err)
 }
 }
+ if checker.Action != nil {
+ if err := checker.Action.Check(&event.Action); err != nil {
+ return fmt.Errorf("Action check failed: %w", err)
+ }
+ }
 return nil
 }
 if err := fieldChecks(); err != nil {
@@ -1213,6 +1219,13 @@ func (checker *ProcessTracepointChecker) WithPolicyName(check *stringmatcher.Str
 return checker
 }
+// WithAction adds a Action check to the ProcessTracepointChecker
+func (checker *ProcessTracepointChecker) WithAction(check tetragon.KprobeAction) *ProcessTracepointChecker {
+ wrappedCheck := KprobeActionChecker(check)
+ checker.Action = &wrappedCheck
+ return checker
+}
+
 //FromProcessTracepoint populates the ProcessTracepointChecker using data from a ProcessTracepoint event
 func (checker *ProcessTracepointChecker) FromProcessTracepoint(event *tetragon.ProcessTracepoint) *ProcessTracepointChecker {
 if event == nil {
@@ -1240,6 +1253,7 @@ func (checker *ProcessTracepointChecker) FromProcessTracepoint(event *tetragon.P
 checker.Args = lm
 }
 checker.PolicyName = stringmatcher.Full(event.PolicyName)
+ checker.Action = NewKprobeActionChecker(event.Action)
 return checker
 }
diff --git a/api/v1/tetragon/tetragon.pb.go b/api/v1/tetragon/tetragon.pb.go
index 1cb30f66715..1caa364382f 100644
--- a/api/v1/tetragon/tetragon.pb.go
+++ b/api/v1/tetragon/tetragon.pb.go
@@ -51,6 +51,12 @@ const (
 KprobeAction_KPROBE_ACTION_NOPOST KprobeAction = 9
 // Signal action sends specified signal to the process.
 KprobeAction_KPROBE_ACTION_SIGNAL KprobeAction = 10
+ // TrackSock action tracks socket.
+ KprobeAction_KPROBE_ACTION_TRACKSOCK KprobeAction = 11
+ // UntrackSock action un-tracks socket.
+ KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12
+ // NotifyKiller action notifies killer sensor.
+ KprobeAction_KPROBE_ACTION_NOTIFYKILLER KprobeAction = 13
 )
 // Enum value maps for KprobeAction.
@@ -67,19 +73,25 @@ var (
 8: "KPROBE_ACTION_DNSLOOKUP",
 9: "KPROBE_ACTION_NOPOST",
 10: "KPROBE_ACTION_SIGNAL",
+ 11: "KPROBE_ACTION_TRACKSOCK",
+ 12: "KPROBE_ACTION_UNTRACKSOCK",
+ 13: "KPROBE_ACTION_NOTIFYKILLER",
 }
 KprobeAction_value = map[string]int32{
- "KPROBE_ACTION_UNKNOWN": 0,
- "KPROBE_ACTION_POST": 1,
- "KPROBE_ACTION_FOLLOWFD": 2,
- "KPROBE_ACTION_SIGKILL": 3,
- "KPROBE_ACTION_UNFOLLOWFD": 4,
- "KPROBE_ACTION_OVERRIDE": 5,
- "KPROBE_ACTION_COPYFD": 6,
- "KPROBE_ACTION_GETURL": 7,
- "KPROBE_ACTION_DNSLOOKUP": 8,
- "KPROBE_ACTION_NOPOST": 9,
- "KPROBE_ACTION_SIGNAL": 10,
+ "KPROBE_ACTION_UNKNOWN": 0,
+ "KPROBE_ACTION_POST": 1,
+ "KPROBE_ACTION_FOLLOWFD": 2,
+ "KPROBE_ACTION_SIGKILL": 3,
+ "KPROBE_ACTION_UNFOLLOWFD": 4,
+ "KPROBE_ACTION_OVERRIDE": 5,
+ "KPROBE_ACTION_COPYFD": 6,
+ "KPROBE_ACTION_GETURL": 7,
+ "KPROBE_ACTION_DNSLOOKUP": 8,
+ "KPROBE_ACTION_NOPOST": 9,
+ "KPROBE_ACTION_SIGNAL": 10,
+ "KPROBE_ACTION_TRACKSOCK": 11,
+ "KPROBE_ACTION_UNTRACKSOCK": 12,
+ "KPROBE_ACTION_NOTIFYKILLER": 13,
 }
 )
@@ -2813,6 +2825,8 @@ type ProcessTracepoint struct {
 Args []*KprobeArgument `protobuf:"bytes,6,rep,name=args,proto3" json:"args,omitempty"`
 // Name of the policy that created that tracepoint.
 PolicyName string `protobuf:"bytes,7,opt,name=policy_name,json=policyName,proto3" json:"policy_name,omitempty"`
+ // Action performed when the tracepoint matched.
+ Action KprobeAction `protobuf:"varint,8,opt,name=action,proto3,enum=tetragon.KprobeAction" json:"action,omitempty"`
 }
 func (x *ProcessTracepoint) Reset() {
@@ -2889,6 +2903,13 @@ func (x *ProcessTracepoint) GetPolicyName() string {
 return ""
 }
+func (x *ProcessTracepoint) GetAction() KprobeAction {
+ if x != nil {
+ return x.Action
+ }
+ return KprobeAction_KPROBE_ACTION_UNKNOWN
+}
+
 type ProcessUprobe struct {
 state protoimpl.MessageState
 sizeCache protoimpl.SizeCache
@@ -3991,8 +4012,8 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x63, 0x6b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xe8, - 0x01, 0x0a, 0x11, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, + 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x98, + 0x02, 0x0a, 0x11, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x2b, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 
@@ -4006,7 +4027,10 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x67, 0x6f, 0x6e, 0x2e, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x72, 0x67, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x52, 0x04, 0x61, 0x72, 0x67, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xb4, 0x01, 0x0a, 0x0d, 0x50, 0x72, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x2e, 0x0a, 0x06, 0x61, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x65, 0x74, 0x72, + 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xb4, 0x01, 0x0a, 0x0d, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x2b, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, @@ -4087,7 +4111,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x65, 0x73, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, - 0x62, 0x6f, 0x6c, 0x2a, 0xb7, 0x02, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, + 0x62, 0x6f, 0x6c, 0x2a, 0x93, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 
@@ -4106,38 +4130,43 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x53, 0x4c, 0x4f, 0x4f, 0x4b, 0x55, 0x50, 0x10, 0x08, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x50, 0x4f, 0x53, 0x54, 0x10, 0x09, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, - 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x41, 0x4c, 0x10, 0x0a, 0x2a, 0x4f, 0x0a, - 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, - 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, - 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, - 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, - 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, - 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, - 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, - 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, - 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, - 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, - 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, - 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, - 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, - 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, - 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 
0x50, 0x52, 0x4f, 0x50, 0x52, - 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, - 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, - 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, - 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, - 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, - 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, - 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, - 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, - 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, - 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, - 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, - 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x41, 0x4c, 0x10, 0x0a, 0x12, 0x1b, 0x0a, + 0x17, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, + 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0b, 0x12, 0x1d, 0x0a, 0x19, 0x4b, 0x50, + 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x54, 0x52, + 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x50, 0x52, + 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 
0x54, 0x49, 0x46, + 0x59, 0x4b, 0x49, 0x4c, 0x4c, 0x45, 0x52, 0x10, 0x0d, 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, + 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, + 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, + 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, + 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, + 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, + 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, + 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, + 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, + 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, + 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, + 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, + 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, + 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, + 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, + 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, + 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, + 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, + 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, + 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, + 0x52, 0x43, 0x45, 
0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, + 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, + 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, + 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, + 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, + 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, + 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, + 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, + 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, + 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, + 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -4288,22 +4317,23 @@ var file_tetragon_tetragon_proto_depIdxs = []int32{
 13, // 79: tetragon.ProcessTracepoint.process:type_name -> tetragon.Process
 13, // 80: tetragon.ProcessTracepoint.parent:type_name -> tetragon.Process
 27, // 81: tetragon.ProcessTracepoint.args:type_name -> tetragon.KprobeArgument
- 13, // 82: tetragon.ProcessUprobe.process:type_name -> tetragon.Process
- 13, // 83: tetragon.ProcessUprobe.parent:type_name -> tetragon.Process
- 48, // 84: tetragon.KernelModule.signature_ok:type_name -> google.protobuf.BoolValue
- 3, // 85: tetragon.KernelModule.tainted:type_name -> tetragon.TaintedBitsType
- 1, // 86: tetragon.GetHealthStatusRequest.event_set:type_name -> tetragon.HealthStatusType
- 1, // 87: tetragon.HealthStatus.event:type_name -> tetragon.HealthStatusType
- 2, // 88: tetragon.HealthStatus.status:type_name -> tetragon.HealthStatusResult
- 34, // 89: tetragon.GetHealthStatusResponse.health_status:type_name -> tetragon.HealthStatus
- 13, // 90: tetragon.ProcessLoader.process:type_name -> tetragon.Process
- 39, // 91: tetragon.RuntimeHookRequest.createContainer:type_name -> tetragon.CreateContainer
- 42, // 92: tetragon.CreateContainer.annotations:type_name -> tetragon.CreateContainer.AnnotationsEntry
- 93, // [93:93] is the sub-list for method output_type
- 93, // [93:93] is the sub-list for method input_type
- 93, // [93:93] is the sub-list for extension type_name
- 93, // [93:93] is the sub-list for extension extendee
- 0, // [0:93] is the sub-list for field type_name
+ 0, // 82: tetragon.ProcessTracepoint.action:type_name -> tetragon.KprobeAction
+ 13, // 83: tetragon.ProcessUprobe.process:type_name -> tetragon.Process
+ 13, // 84: tetragon.ProcessUprobe.parent:type_name -> tetragon.Process
+ 48, // 85: tetragon.KernelModule.signature_ok:type_name -> google.protobuf.BoolValue
+ 3, // 86: tetragon.KernelModule.tainted:type_name -> tetragon.TaintedBitsType
+ 1, // 87: tetragon.GetHealthStatusRequest.event_set:type_name -> tetragon.HealthStatusType
+ 1, // 88: tetragon.HealthStatus.event:type_name -> tetragon.HealthStatusType
+ 2, // 89: tetragon.HealthStatus.status:type_name -> tetragon.HealthStatusResult
+ 34, // 90: tetragon.GetHealthStatusResponse.health_status:type_name -> tetragon.HealthStatus
+ 13, // 91: tetragon.ProcessLoader.process:type_name -> tetragon.Process
+ 39, // 92: tetragon.RuntimeHookRequest.createContainer:type_name -> tetragon.CreateContainer
+ 42, // 93: tetragon.CreateContainer.annotations:type_name -> tetragon.CreateContainer.AnnotationsEntry
+ 94, // [94:94] is the sub-list for method output_type
+ 94, // [94:94] is the sub-list for method input_type
+ 94, // [94:94] is the sub-list for extension type_name
+ 94, // [94:94] is the sub-list for extension extendee
+ 0, // [0:94] is the sub-list for field type_name
 }
 func init() { file_tetragon_tetragon_proto_init() }
diff --git a/api/v1/tetragon/tetragon.proto b/api/v1/tetragon/tetragon.proto
index 6597d98c08e..03bdf05b98d 100644
--- a/api/v1/tetragon/tetragon.proto
+++ b/api/v1/tetragon/tetragon.proto
@@ -404,6 +404,12 @@ enum KprobeAction {
 KPROBE_ACTION_NOPOST = 9;
 // Signal action sends specified signal to the process.
 KPROBE_ACTION_SIGNAL = 10;
+ // TrackSock action tracks socket.
+ KPROBE_ACTION_TRACKSOCK = 11;
+ // UntrackSock action un-tracks socket.
+ KPROBE_ACTION_UNTRACKSOCK = 12;
+ // NotifyKiller action notifies killer sensor.
+ KPROBE_ACTION_NOTIFYKILLER = 13;
 }
 message ProcessKprobe {
@@ -439,6 +445,8 @@ message ProcessTracepoint {
 repeated KprobeArgument args = 6;
 // Name of the policy that created that tracepoint.
 string policy_name = 7;
+ // Action performed when the tracepoint matched.
+ KprobeAction action = 8;
 }
 message ProcessUprobe {
diff --git a/bpf/Makefile b/bpf/Makefile
index 9c681384bc4..0301a64cb8c 100644
--- a/bpf/Makefile
+++ b/bpf/Makefile
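Review bot: The comments on the three new KprobeAction values in the `enum KprobeAction` hunk only restate the identifier (`// TrackSock action tracks socket.`, `// NotifyKiller action notifies killer sensor.`) and tell an API consumer nothing about the effect; bpf_killer.c in this same commit shows the killer program overriding the hooked function's return value and/or sending a signal from the stored `killer_data`, so that is what the API doc should say. Suggest `// NotifyKiller action hands the matched thread to the killer sensor, which may override the return value of the hooked function and/or deliver a signal to it.` and analogous one-liners for TrackSock/UntrackSock naming what "tracks" means. The new `KprobeAction action = 8;` in `ProcessTracepoint` is a proto3 scalar, so `KPROBE_ACTION_UNKNOWN` is reported both when no action ran and when the event comes from an agent that predates the field; a note on the field comment, `// Unset (KPROBE_ACTION_UNKNOWN) when no action ran or the sender predates this field.`, would keep consumers from treating 0 as a distinct action.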
@@ -34,7 +34,8 @@ PROCESS = bpf_execve_event.o bpf_execve_event_v53.o bpf_fork.o bpf_exit.o bpf_ge
 bpf_generic_tracepoint_v61.o \
 bpf_multi_kprobe_v61.o bpf_multi_retkprobe_v61.o \
 bpf_generic_uprobe_v61.o \
- bpf_loader.o
+ bpf_loader.o \
+ bpf_killer.o bpf_multi_killer.o
 CGROUP = bpf_cgroup_mkdir.o bpf_cgroup_rmdir.o bpf_cgroup_release.o
 BPFTEST = bpf_lseek.o bpf_globals.o
@@ -120,6 +121,12 @@ objs/%_v53.ll:
 $(DEPSDIR)%.d: $(PROCESSDIR)%.c
 $(CLANG) $(CLANG_FLAGS) -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@
+objs/bpf_multi_killer.ll: process/bpf_killer.c
+ $(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -D__MULTI_KPROBE -c $< -o $@
+
+$(DEPSDIR)/bpf_multi_killer.d: process/bpf_killer.c
+ $(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -D__MULTI_KPROBE -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@
+
 $(DEPSDIR)%_v53.d:
 $(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@
diff --git a/bpf/process/bpf_generic_tracepoint.c b/bpf/process/bpf_generic_tracepoint.c
index efb6b039d1d..b3db429c7d1 100644
--- a/bpf/process/bpf_generic_tracepoint.c
+++ b/bpf/process/bpf_generic_tracepoint.c
@@ -6,6 +6,9 @@
 #include "bpf_event.h"
 #include "bpf_task.h"
+
+#define GENERIC_TRACEPOINT
+
 #include "retprobe_map.h"
 #include "types/operations.h"
 #include "types/basic.h"
diff --git a/bpf/process/bpf_killer.c b/bpf/process/bpf_killer.c
new file mode 100644
index 00000000000..95a4147159f
--- /dev/null
+++ b/bpf/process/bpf_killer.c
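Review bot: The new dependency rule `$(DEPSDIR)/bpf_multi_killer.d: process/bpf_killer.c` writes an explicit `/` after `$(DEPSDIR)`, whereas the neighbouring pattern rules (`$(DEPSDIR)%.d`, `$(DEPSDIR)%_v53.d`) rely on `$(DEPSDIR)` already ending in its separator; if that is how `DEPSDIR` is defined (its assignment is outside this hunk) the target name carries a doubled slash and the `patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll` in the recipe produces an `$(OBJSDIR)/bpf_multi_killer.ll` with a doubled slash as well, which will not match the `objs/bpf_multi_killer.ll` target added just above. Suggest `$(DEPSDIR)bpf_multi_killer.d: process/bpf_killer.c` to match the existing convention. The `-D__LARGE_BPF_PROG -D__MULTI_KPROBE` flag pair is now spelled out by hand in two recipes; hoisting it into one variable next to the other flag definitions would keep the two builds of bpf_killer.c from drifting apart.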
@@ -0,0 +1,28 @@
+#include "bpf_killer.h"
+
+char _license[] __attribute__((section("license"), used)) = "GPL";
+
+#ifdef __MULTI_KPROBE
+#define MAIN "kprobe.multi/killer"
+#else
+#define MAIN "kprobe/killer"
+#endif
+
+__attribute__((section(MAIN), used)) int
+killer(void *ctx)
+{
+ __u64 id = get_current_pid_tgid();
+ struct killer_data *data;
+
+ data = map_lookup_elem(&killer_data, &id);
+ if (!data)
+ return 0;
+
+ if (data->error)
+ override_return(ctx, data->error);
+ if (data->signal)
+ send_signal(data->signal);
+
+ map_delete_elem(&killer_data, &id);
+ return 0;
+}
diff --git a/bpf/process/bpf_killer.h b/bpf/process/bpf_killer.h
new file mode 100644
index 00000000000..7b4076f2b90
--- /dev/null
+++ b/bpf/process/bpf_killer.h
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright Authors of Cilium */
+
+#ifndef __KILLER_H__
+#define __KILLER_H__
+
+#include "vmlinux.h"
+#include "bpf_helpers.h"
+
+struct killer_data {
+ __s16 error;
+ __s16 signal;
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 32768);
+ __type(key, __u64);
+ __type(value, struct killer_data);
+} killer_data SEC(".maps");
+
+static inline __attribute__((always_inline)) void
+do_killer_action(int error, int signal)
+{
+ __u64 id = get_current_pid_tgid();
+ struct killer_data *ptr, data = {
+ .error = (__s16)error,
+ .signal = (__s16)signal,
+ };
+
+ ptr = map_lookup_elem(&killer_data, &id);
+ if (ptr) {
+ ptr->error = (__s16)error;
+ ptr->signal = (__s16)signal;
+ } else {
+ map_update_elem(&killer_data, &id, &data, BPF_ANY);
+ }
+}
+
+#endif /* __KILLER_H__ */
diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
index d72520d9bdc..e00e2afa376 100644
--- a/bpf/process/types/basic.h
+++ b/bpf/process/types/basic.h
@@ -20,6 +20,7 @@
 #include "../string_maps.h"
 #include "common.h"
 #include "process/data_event.h"
+#include "process/bpf_killer.h"
 /* Type IDs form API with user space generickprobe.go */
 enum {
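Review bot: An entry that `do_killer_action()` stores in `killer_data` (bpf_killer.h) is only removed by the `map_delete_elem(&killer_data, &id)` at the end of `killer()` in bpf_killer.c, i.e. only if the same pid_tgid later reaches the hooked function; a thread that takes a different path or exits first leaves its entry behind, the 32768-slot hash fills over time, and once that pid/tid pair is recycled an unrelated thread hitting the killer hook inherits the stale `error`/`signal`. Worth clearing the entry on process exit (bpf_exit.o is already in the PROCESS list) or switching the map to an LRU type so a leaked entry cannot outlive its owner, and bpf_killer.h should document `max_entries` as the bound on concurrently pending killer actions and note that the `map_update_elem` return value is dropped, so an action silently fails on a full map. A short header comment on `struct killer_data` stating that `error` and `signal` are truncated to 16 bits by the `(__s16)` casts, and that `send_signal()` receives the `__s16` widened to its unsigned parameter, would make the value ranges explicit.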
@@ -87,6 +88,7 @@ enum {
 ACTION_SIGNAL = 9,
 ACTION_TRACKSOCK = 10,
 ACTION_UNTRACKSOCK = 11,
+ ACTION_NOTIFY_KILLER = 12,
 };
 enum {
@@ -1968,6 +1970,16 @@ struct {
 __uint(value_size, sizeof(__u64) * PERF_MAX_STACK_DEPTH);
 } stack_trace_map SEC(".maps");
+#ifdef GENERIC_TRACEPOINT
+static inline __attribute__((always_inline)) void
+do_action_notify_killer(int error, int signal)
+{
+ do_killer_action(error, signal);
+}
+#else
+#define do_action_notify_killer(error, signal)
+#endif
+
 static inline __attribute__((always_inline)) __u32
 do_action(void *ctx, __u32 i, struct msg_generic_kprobe *e,
 struct selector_action *actions, struct bpf_map_def *override_tasks, bool *post)
@@ -2050,6 +2062,11 @@ do_action(void *ctx, __u32 i, struct msg_generic_kprobe *e,
 socki = actions->act[++i];
 err = tracksock(e, socki, action == ACTION_TRACKSOCK);
 break;
+ case ACTION_NOTIFY_KILLER:
+ error = actions->act[++i];
+ signal = actions->act[++i];
+ do_action_notify_killer(error, signal);
+ break;
 default:
 break;
 }
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
index 1cb30f66715..1caa364382f 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
@@ -51,6 +51,12 @@ const (
 KprobeAction_KPROBE_ACTION_NOPOST KprobeAction = 9
 // Signal action sends specified signal to the process.
 KprobeAction_KPROBE_ACTION_SIGNAL KprobeAction = 10
+ // TrackSock action tracks socket.
+ KprobeAction_KPROBE_ACTION_TRACKSOCK KprobeAction = 11
+ // UntrackSock action un-tracks socket.
+ KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12
+ // NotifyKiller action notifies killer sensor.
+ KprobeAction_KPROBE_ACTION_NOTIFYKILLER KprobeAction = 13
 )
 // Enum value maps for KprobeAction.
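Review bot: In the `do_action` hunk the new `case ACTION_NOTIFY_KILLER` always consumes its two `actions->act[++i]` operands, but `do_action_notify_killer` expands to an empty macro whenever `GENERIC_TRACEPOINT` is not defined, so a policy that attaches this action to a kprobe or uprobe selector is accepted by the BPF side and silently does nothing; nothing in the diff tells the operator the action was dropped. The `#else` branch deserves a comment, `/* notifyKiller is only wired for tracepoint programs; other program types consume the two operands and ignore the action */`, and the user-space selector validation (outside this diff) should reject the action for non-tracepoint hooks so misconfiguration fails at load time instead of at enforcement time. Note also that this enum adds `ACTION_NOTIFY_KILLER = 12` while the API enum in tetragon.proto adds `KPROBE_ACTION_NOTIFYKILLER = 13` (TRACKSOCK/UNTRACKSOCK are 10/11 here and 11/12 there), so the BPF and API numberings are offset by one and must be translated, never compared directly; a comment on the enum line stating which side owns the mapping would prevent a future "fix" that aligns the wrong one. `do_action`'s body begins and ends outside the hunk.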
@@ -67,19 +73,25 @@ var (
 8: "KPROBE_ACTION_DNSLOOKUP",
 9: "KPROBE_ACTION_NOPOST",
 10: "KPROBE_ACTION_SIGNAL",
+ 11: "KPROBE_ACTION_TRACKSOCK",
+ 12: "KPROBE_ACTION_UNTRACKSOCK",
+ 13: "KPROBE_ACTION_NOTIFYKILLER",
 }
 KprobeAction_value = map[string]int32{
- "KPROBE_ACTION_UNKNOWN": 0,
- "KPROBE_ACTION_POST": 1,
- "KPROBE_ACTION_FOLLOWFD": 2,
- "KPROBE_ACTION_SIGKILL": 3,
- "KPROBE_ACTION_UNFOLLOWFD": 4,
- "KPROBE_ACTION_OVERRIDE": 5,
- "KPROBE_ACTION_COPYFD": 6,
- "KPROBE_ACTION_GETURL": 7,
- "KPROBE_ACTION_DNSLOOKUP": 8,
- "KPROBE_ACTION_NOPOST": 9,
- "KPROBE_ACTION_SIGNAL": 10,
+ "KPROBE_ACTION_UNKNOWN": 0,
+ "KPROBE_ACTION_POST": 1,
+ "KPROBE_ACTION_FOLLOWFD": 2,
+ "KPROBE_ACTION_SIGKILL": 3,
+ "KPROBE_ACTION_UNFOLLOWFD": 4,
+ "KPROBE_ACTION_OVERRIDE": 5,
+ "KPROBE_ACTION_COPYFD": 6,
+ "KPROBE_ACTION_GETURL": 7,
+ "KPROBE_ACTION_DNSLOOKUP": 8,
+ "KPROBE_ACTION_NOPOST": 9,
+ "KPROBE_ACTION_SIGNAL": 10,
+ "KPROBE_ACTION_TRACKSOCK": 11,
+ "KPROBE_ACTION_UNTRACKSOCK": 12,
+ "KPROBE_ACTION_NOTIFYKILLER": 13,
 }
 )
@@ -2813,6 +2825,8 @@ type ProcessTracepoint struct {
 Args []*KprobeArgument `protobuf:"bytes,6,rep,name=args,proto3" json:"args,omitempty"`
 // Name of the policy that created that tracepoint.
 PolicyName string `protobuf:"bytes,7,opt,name=policy_name,json=policyName,proto3" json:"policy_name,omitempty"`
+ // Action performed when the tracepoint matched.
+ Action KprobeAction `protobuf:"varint,8,opt,name=action,proto3,enum=tetragon.KprobeAction" json:"action,omitempty"`
 }
 func (x *ProcessTracepoint) Reset() {
@@ -2889,6 +2903,13 @@ func (x *ProcessTracepoint) GetPolicyName() string {
 return ""
 }
+func (x *ProcessTracepoint) GetAction() KprobeAction {
+ if x != nil {
+ return x.Action
+ }
+ return KprobeAction_KPROBE_ACTION_UNKNOWN
+}
+
 type ProcessUprobe struct {
 state protoimpl.MessageState
 sizeCache protoimpl.SizeCache
@@ -3991,8 +4012,8 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x63, 0x6b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xe8, - 0x01, 0x0a, 0x11, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, + 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x98, + 0x02, 0x0a, 0x11, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x2b, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 
@@ -4006,7 +4027,10 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x67, 0x6f, 0x6e, 0x2e, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x72, 0x67, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x52, 0x04, 0x61, 0x72, 0x67, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xb4, 0x01, 0x0a, 0x0d, 0x50, 0x72, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x2e, 0x0a, 0x06, 0x61, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x65, 0x74, 0x72, + 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xb4, 0x01, 0x0a, 0x0d, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x2b, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, @@ -4087,7 +4111,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x65, 0x73, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, - 0x62, 0x6f, 0x6c, 0x2a, 0xb7, 0x02, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, + 0x62, 0x6f, 0x6c, 0x2a, 0x93, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 
@@ -4106,38 +4130,43 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x53, 0x4c, 0x4f, 0x4f, 0x4b, 0x55, 0x50, 0x10, 0x08, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x50, 0x4f, 0x53, 0x54, 0x10, 0x09, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, - 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x41, 0x4c, 0x10, 0x0a, 0x2a, 0x4f, 0x0a, - 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, - 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, - 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, - 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, - 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, - 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, - 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, - 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, - 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, - 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, - 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, - 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, - 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, - 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, - 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 
0x50, 0x52, 0x4f, 0x50, 0x52, - 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, - 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, - 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, - 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, - 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, - 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, - 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, - 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, - 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, - 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, - 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, - 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x41, 0x4c, 0x10, 0x0a, 0x12, 0x1b, 0x0a, + 0x17, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, + 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0b, 0x12, 0x1d, 0x0a, 0x19, 0x4b, 0x50, + 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x54, 0x52, + 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x50, 0x52, + 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 
0x54, 0x49, 0x46, + 0x59, 0x4b, 0x49, 0x4c, 0x4c, 0x45, 0x52, 0x10, 0x0d, 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, + 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, + 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, + 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, + 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, + 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, + 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, + 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, + 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, + 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, + 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, + 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, + 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, + 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, + 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, + 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, + 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, + 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, + 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, + 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, + 0x52, 0x43, 0x45, 
0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, + 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, + 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, + 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, + 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, + 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, + 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, + 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, + 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, + 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, + 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -4288,22 +4317,23 @@ var file_tetragon_tetragon_proto_depIdxs = []int32{ 13, // 79: tetragon.ProcessTracepoint.process:type_name -> tetragon.Process 13, // 80: tetragon.ProcessTracepoint.parent:type_name -> tetragon.Process 27, // 81: tetragon.ProcessTracepoint.args:type_name -> tetragon.KprobeArgument - 13, // 82: tetragon.ProcessUprobe.process:type_name -> tetragon.Process - 13, // 83: tetragon.ProcessUprobe.parent:type_name -> tetragon.Process - 48, // 84: tetragon.KernelModule.signature_ok:type_name -> google.protobuf.BoolValue - 3, // 85: tetragon.KernelModule.tainted:type_name -> tetragon.TaintedBitsType - 1, // 86: tetragon.GetHealthStatusRequest.event_set:type_name -> tetragon.HealthStatusType - 1, // 87: tetragon.HealthStatus.event:type_name -> tetragon.HealthStatusType - 2, // 88: tetragon.HealthStatus.status:type_name -> tetragon.HealthStatusResult - 34, // 89: tetragon.GetHealthStatusResponse.health_status:type_name -> tetragon.HealthStatus - 13, // 90: tetragon.ProcessLoader.process:type_name -> tetragon.Process - 39, // 91: tetragon.RuntimeHookRequest.createContainer:type_name -> tetragon.CreateContainer - 42, // 92: tetragon.CreateContainer.annotations:type_name -> tetragon.CreateContainer.AnnotationsEntry - 93, // [93:93] is the sub-list for method output_type - 93, // [93:93] is the sub-list for method input_type - 93, // [93:93] is the sub-list for extension type_name - 93, // [93:93] is the sub-list for extension extendee - 0, // [0:93] is the sub-list for field type_name + 0, // 82: tetragon.ProcessTracepoint.action:type_name -> tetragon.KprobeAction + 13, // 83: tetragon.ProcessUprobe.process:type_name -> tetragon.Process + 13, // 84: tetragon.ProcessUprobe.parent:type_name -> tetragon.Process + 48, // 85: tetragon.KernelModule.signature_ok:type_name -> google.protobuf.BoolValue + 3, // 86: tetragon.KernelModule.tainted:type_name -> tetragon.TaintedBitsType + 1, // 87: tetragon.GetHealthStatusRequest.event_set:type_name -> 
tetragon.HealthStatusType + 1, // 88: tetragon.HealthStatus.event:type_name -> tetragon.HealthStatusType + 2, // 89: tetragon.HealthStatus.status:type_name -> tetragon.HealthStatusResult + 34, // 90: tetragon.GetHealthStatusResponse.health_status:type_name -> tetragon.HealthStatus + 13, // 91: tetragon.ProcessLoader.process:type_name -> tetragon.Process + 39, // 92: tetragon.RuntimeHookRequest.createContainer:type_name -> tetragon.CreateContainer + 42, // 93: tetragon.CreateContainer.annotations:type_name -> tetragon.CreateContainer.AnnotationsEntry + 94, // [94:94] is the sub-list for method output_type + 94, // [94:94] is the sub-list for method input_type + 94, // [94:94] is the sub-list for extension type_name + 94, // [94:94] is the sub-list for extension extendee + 0, // [0:94] is the sub-list for field type_name } func init() { file_tetragon_tetragon_proto_init() } diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto index 6597d98c08e..03bdf05b98d 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto +++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto @@ -404,6 +404,12 @@ enum KprobeAction { KPROBE_ACTION_NOPOST = 9; // Signal action sends specified signal to the process. KPROBE_ACTION_SIGNAL = 10; + // TrackSock action tracks socket. + KPROBE_ACTION_TRACKSOCK = 11; + // UntrackSock action un-tracks socket. + KPROBE_ACTION_UNTRACKSOCK = 12; + // NotifyKiller action notifies killer sensor. + KPROBE_ACTION_NOTIFYKILLER = 13; } message ProcessKprobe { 
@@ -439,6 +445,8 @@ message ProcessTracepoint { repeated KprobeArgument args = 6; // Name of the policy that created that tracepoint. string policy_name = 7; + // Action performed when the tracepoint matched. + KprobeAction action = 8; } message ProcessUprobe { diff --git a/contrib/tester-progs/Makefile b/contrib/tester-progs/Makefile index e2a67f1cbd6..1f735d563f1 100644 --- a/contrib/tester-progs/Makefile +++ b/contrib/tester-progs/Makefile @@ -17,7 +17,8 @@ PROGS = sigkill-tester \ lseek-pipe \ threads-tester \ bench-reader \ - threads-exit + threads-exit \ + killer-tester all: $(PROGS) diff --git a/contrib/tester-progs/killer-tester.c b/contrib/tester-progs/killer-tester.c new file mode 100644 index 00000000000..cb95fc68366 --- /dev/null +++ b/contrib/tester-progs/killer-tester.c @@ -0,0 +1,9 @@ +#include +#include +#include + +int main(void) +{ + prctl(0xffff, 0, 0, 0, 0); + return errno; +} diff --git a/docs/content/en/docs/concepts/tracing-policy/selectors.md b/docs/content/en/docs/concepts/tracing-policy/selectors.md index bb302ea49dd..e43f930ee73 100644 --- a/docs/content/en/docs/concepts/tracing-policy/selectors.md +++ b/docs/content/en/docs/concepts/tracing-policy/selectors.md @@ -501,6 +501,7 @@ matches. They are defined under `matchActions` and currently, the following - [NoPost action](#nopost-action) - [TrackSock action](#tracksock-action) - [UntrackSock action](#untracksock-action) +- [Notify Killer action](#notify-killer-action) {{< note >}} `Sigkill`, `Override`, `FollowFD`, `UnfollowFD`, `CopyFD`, `Post`, 
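Review bot: The tester's exit status is `errno` whether or not the `prctl()` call actually failed, and nothing in the file records why option `0xffff` was chosen or what errno the test expects. A comment would make the expectation reviewable, e.g. `/* 0xffff is not a valid prctl option: unenforced it should fail with EINVAL; under a killer policy with argError -1 (see examples/tracingpolicy/killer.yaml) it fails with EPERM, which becomes the exit status */`. Tying the status to the return value, `int ret = prctl(0xffff, 0, 0, 0, 0); return ret < 0 ? errno : 0;`, also avoids reporting a stale errno should the call ever succeed.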
@@ -982,6 +983,100 @@ broken. Socket tracking is only available on kernel >=5.3. +### Notify Killer action + +The `NotifyKiller` action notifies the killer program to kill or override a syscall. + +It's meant to be used on systems with kernel that lacks multi kprobe feature, that +allows to attach many kprobes quickly). To workaround that the killer sensor uses +the raw syscall tracepoint and attaches simple program to syscalls that we need to +kill or override. + +The specs needs to have `killer` program definition, that instructs tetragon to load +the `killer` program and attach it to specified syscalls. + +```yaml +spec: + killers: + - syscalls: + - "list:dups" +``` + +The syscalls expects list of syscalls or `list:XXX` pointer to list. + +Note that currently only single killer definition is allowed. + + +The `NotifyKiller` action takes 2 arguments. + +```yaml +matchActions: +- action: "NotifyKiller" + argError: -1 + argSig: 9 +``` + +If specified the argError will be passed to `bpf_override_return` helper to override the syscall return value. +If specified the argSig will be passed to `bpf_send_signal` helper to override the syscall return value. + +The following is spec for killing `/usr/bin/bash` program whenever it calls `sys_dup` or `sys_dup2` syscalls. + +```yaml +spec: + lists: + - name: "dups" + type: "syscalls" + values: + - "sys_dup" + - "sys_dup2" + killers: + - syscalls: + - "list:dups" + tracepoints: + - subsystem: "raw_syscalls" + event: "sys_enter" + args: + - index: 4 + type: "uint64" + selectors: + - matchArgs: + - index: 0 + operator: "InMap" + values: + - "list:dups" + matchBinaries: + - operator: "In" + values: + - "/usr/bin/bash" + matchActions: + - action: "NotifyKiller" + argSig: 9 +``` + +Note as mentioned above the `NotifyKiller` with killer program is meant to be used only on kernel versions +with no support for fast attach of multiple kprobes (`kprobe_multi` link). 
+ +With `kprobe_multi` link support the above example can be easily replaced with: + +```yaml +spec: + lists: + - name: "syscalls" + type: "syscalls" + values: + - "sys_dup" + - "sys_dup2" + kprobes: + - call: "list:syscalls" + selectors: + - matchBinaries: + - operator: "In" + values: + - "/usr/bin/bash" + matchActions: + - action: "Sigkill" +``` + ## Selector Semantics The `selector` semantics of the `CiliumTracingPolicy` follows the standard diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md index d731052e902..b12831b48c2 100644 --- a/docs/content/en/docs/reference/grpc-api.md +++ b/docs/content/en/docs/reference/grpc-api.md @@ -495,6 +495,7 @@ loader sensor event triggered for loaded binary/library | event | [string](#string) | | Event of the subsystem. | | args | [KprobeArgument](#tetragon-KprobeArgument) | repeated | Arguments definition of the observed tracepoint. TODO: once we implement all we want, rename KprobeArgument to GenericArgument | | policy_name | [string](#string) | | Name of the policy that created that tracepoint. | +| action | [KprobeAction](#tetragon-KprobeAction) | | Action performed when the tracepoint matched. | @@ -590,6 +591,9 @@ RuntimeHookRequest synchronously propagates information to the agent about run-t | KPROBE_ACTION_DNSLOOKUP | 8 | GetURL action issue a DNS lookup against an URL from userspace. | | KPROBE_ACTION_NOPOST | 9 | NoPost action suppresses the transmission of the event to userspace. | | KPROBE_ACTION_SIGNAL | 10 | Signal action sends specified signal to the process. | +| KPROBE_ACTION_TRACKSOCK | 11 | TrackSock action tracks socket. | +| KPROBE_ACTION_UNTRACKSOCK | 12 | UntrackSock action un-tracks socket. | +| KPROBE_ACTION_NOTIFYKILLER | 13 | NotifyKiller action notifies killer sensor. | diff --git a/examples/tracingpolicy/killer.yaml b/examples/tracingpolicy/killer.yaml new file mode 100644 index 00000000000..cc32c13327b --- /dev/null 
+++ b/examples/tracingpolicy/killer.yaml @@ -0,0 +1,34 @@ +apiVersion: cilium.io/v1alpha1 +kind: TracingPolicy +metadata: + name: "kill-syscalls" +spec: + lists: + - name: "dups" + type: "syscalls" + values: + - "sys_dup" + - "sys_dup2" + killers: + - syscalls: + - "list:dups" + tracepoints: + - subsystem: "raw_syscalls" + event: "sys_enter" + args: + - index: 4 + type: "uint64" + selectors: + - matchArgs: + - index: 0 + operator: "InMap" + values: + - "list:dups" + matchBinaries: + - operator: "In" + values: + - "/usr/bin/bash" + matchActions: + - action: "NotifyKiller" + argError: -1 + argSig: 9 diff --git a/pkg/api/tracingapi/client_kprobe.go b/pkg/api/tracingapi/client_kprobe.go index 75b969b4b3b..25f498b5eef 100644 --- a/pkg/api/tracingapi/client_kprobe.go +++ b/pkg/api/tracingapi/client_kprobe.go @@ -12,16 +12,19 @@ const ( ) const ( - ActionPost = 0 - ActionFollowFd = 1 - ActionSigKill = 2 - ActionUnfollowFd = 3 - ActionOverride = 4 - ActionCopyFd = 5 - ActionGetUrl = 6 - ActionLookupDns = 7 - ActionNoPost = 8 - ActionSignal = 9 + ActionPost = 0 + ActionFollowFd = 1 + ActionSigKill = 2 + ActionUnfollowFd = 3 + ActionOverride = 4 + ActionCopyFd = 5 + ActionGetUrl = 6 + ActionLookupDns = 7 + ActionNoPost = 8 + ActionSignal = 9 + ActionTrackSock = 10 + ActionUntrackSock = 11 + ActionNotifyKiller = 12 ) const ( diff --git a/pkg/grpc/tracing/tracing.go b/pkg/grpc/tracing/tracing.go index 31154e4a585..7a74c070807 100644 --- a/pkg/grpc/tracing/tracing.go +++ b/pkg/grpc/tracing/tracing.go 
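Review bot: The renumbered `Action*` constants in client_kprobe.go have to agree with `selectors.ActionType*` in pkg/selectors/kernel.go and with the ids the BPF side emits, and nothing enforces that: before this change the table stopped at `ActionSignal = 9`, so TrackSock/UntrackSock events (10/11 in selectors) were mapped to `KPROBE_ACTION_UNKNOWN` by `kprobeAction`, which is how the drift went unnoticed. A comment on the block, `// Must stay in sync with selectors.ActionType* and the action ids in the BPF programs.`, plus a small test in pkg/selectors asserting `ActionTypeNotifyKiller == tracingapi.ActionNotifyKiller` (and the rest pairwise) would catch the next mismatch at build time rather than as silently mislabelled enforcement events.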
@@ -54,6 +54,12 @@ func kprobeAction(act uint64) tetragon.KprobeAction { return tetragon.KprobeAction_KPROBE_ACTION_NOPOST case tracingapi.ActionSignal: return tetragon.KprobeAction_KPROBE_ACTION_SIGNAL + case tracingapi.ActionTrackSock: + return tetragon.KprobeAction_KPROBE_ACTION_TRACKSOCK + case tracingapi.ActionUntrackSock: + return tetragon.KprobeAction_KPROBE_ACTION_UNTRACKSOCK + case tracingapi.ActionNotifyKiller: + return tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER default: return tetragon.KprobeAction_KPROBE_ACTION_UNKNOWN } @@ -332,6 +338,7 @@ type MsgGenericTracepointUnix struct { Event string Args []tracingapi.MsgGenericTracepointArg PolicyName string + Action uint64 } func (msg *MsgGenericTracepointUnix) Notify() bool { @@ -403,6 +410,7 @@ func (msg *MsgGenericTracepointUnix) HandleMessage() *tetragon.GetEventsResponse Event: msg.Event, Args: tetragonArgs, PolicyName: msg.PolicyName, + Action: kprobeAction(msg.Action), } if ec := eventcache.Get(); ec != nil && diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index 78a8ac0f776..ec761c98e89 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -35,6 +35,19 @@ spec: spec: description: Tracing policy specification. properties: + killers: + description: A killer spec. + items: + properties: + syscalls: + description: syscalls where killer is executed in + items: + type: string + type: array + required: + - syscalls + type: object + type: array kprobes: description: A list of kprobe specs. items: @@ -227,6 +240,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action 
@@ -581,6 +595,9 @@ spec: - generated_syscalls - generated_ftrace type: string + validated: + description: List was validated + type: boolean values: description: Values of the list items: @@ -757,6 +774,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -1129,6 +1147,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 69e05e36635..ce8c9faaba1 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -35,6 +35,19 @@ spec: spec: description: Tracing policy specification. properties: + killers: + description: A killer spec. + items: + properties: + syscalls: + description: syscalls where killer is executed in + items: + type: string + type: array + required: + - syscalls + type: object + type: array kprobes: description: A list of kprobe specs. items: @@ -227,6 +240,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -581,6 +595,9 @@ spec: - generated_syscalls - generated_ftrace type: string + validated: + description: List was validated + type: boolean values: description: Values of the list items: @@ -757,6 +774,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -1129,6 +1147,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action 
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go b/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go index b22742886c3..0423ae46318 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go @@ -93,6 +93,10 @@ type TracingPolicySpec struct { // +kubebuilder:validation:Optional // A list of list specs. Lists []ListSpec `json:"lists,omitempty"` + + // +kubebuilder:validation:Optional + // A killer spec. + Killers []KillerSpec `json:"killers,omitempty"` } func (tp *TracingPolicy) TpName() string { diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 08a0f1c7439..c202953245c 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -184,7 +184,7 @@ type ArgSelector struct { } type ActionSelector struct { - // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock + // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyKiller // Action to execute. Action string `json:"action"` // +kubebuilder:validation:Optional @@ -254,6 +254,9 @@ type ListSpec struct { // +kubebuilder:validation:Optional // Pattern for 'generated' lists. Pattern *string `json:"pattern,omitempty"` + // +kubebuilder:validation:Optional + // List was validated + Validated bool `json:"validated"` } type PodInfoSpec struct { @@ -316,3 +319,8 @@ type PodInfoList struct { metav1.ListMeta `json:"metadata,omitempty"` Items []PodInfo `json:"items"` } + +type KillerSpec struct { + // syscalls where killer is executed in + Syscalls []string `json:"syscalls"` +} diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go index 4a397c1be55..6cc4449f79b 100644 
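Review bot: `Validated bool json:"validated"` on `ListSpec` exposes internal bookkeeping ("List was validated") as a user-settable CRD field; the regenerated schema in cilium.io_tracingpolicies.yaml confirms a policy author can submit `validated: true`. If `preValidateLists` (not visible here) skips lists that already carry the flag, a crafted TracingPolicy could bypass list validation simply by pre-setting it, and both generickprobe.go and killer.go now call `preValidateLists` on the same spec, which suggests that is exactly what the flag short-circuits. Keep the flag out of the API surface with `Validated bool json:"-"` (and drop the `+kubebuilder:validation:Optional` marker), or hold it in a separate internal struct rather than the CRD type.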
--- a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go @@ -218,6 +218,27 @@ func (in *KProbeSpec) DeepCopy() *KProbeSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KillerSpec) DeepCopyInto(out *KillerSpec) { + *out = *in + if in.Syscalls != nil { + in, out := &in.Syscalls, &out.Syscalls + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KillerSpec. +func (in *KillerSpec) DeepCopy() *KillerSpec { + if in == nil { + return nil + } + out := new(KillerSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ListSpec) DeepCopyInto(out *ListSpec) { *out = *in @@ -607,6 +628,13 @@ func (in *TracingPolicySpec) DeepCopyInto(out *TracingPolicySpec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.Killers != nil { + in, out := &in.Killers, &out.Killers + *out = make([]KillerSpec, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go index f94b23b92c4..d91597a2a46 100644 --- a/pkg/selectors/kernel.go +++ b/pkg/selectors/kernel.go 
@@ -19,49 +19,52 @@ import ( ) const ( - ActionTypeInvalid = -1 - ActionTypePost = 0 - ActionTypeFollowFd = 1 - ActionTypeSigKill = 2 - ActionTypeUnfollowFd = 3 - ActionTypeOverride = 4 - ActionTypeCopyFd = 5 - ActionTypeGetUrl = 6 - ActionTypeDnsLookup = 7 - ActionTypeNoPost = 8 - ActionTypeSignal = 9 - ActionTypeTrackSock = 10 - ActionTypeUntrackSock = 11 + ActionTypeInvalid = -1 + ActionTypePost = 0 + ActionTypeFollowFd = 1 + ActionTypeSigKill = 2 + ActionTypeUnfollowFd = 3 + ActionTypeOverride = 4 + ActionTypeCopyFd = 5 + ActionTypeGetUrl = 6 + ActionTypeDnsLookup = 7 + ActionTypeNoPost = 8 + ActionTypeSignal = 9 + ActionTypeTrackSock = 10 + ActionTypeUntrackSock = 11 + ActionTypeNotifyKiller = 12 ) var actionTypeTable = map[string]uint32{ - "post": ActionTypePost, - "followfd": ActionTypeFollowFd, - "unfollowfd": ActionTypeUnfollowFd, - "sigkill": ActionTypeSigKill, - "override": ActionTypeOverride, - "copyfd": ActionTypeCopyFd, - "geturl": ActionTypeGetUrl, - "dnslookup": ActionTypeDnsLookup, - "nopost": ActionTypeNoPost, - "signal": ActionTypeSignal, - "tracksock": ActionTypeTrackSock, - "untracksock": ActionTypeUntrackSock, + "post": ActionTypePost, + "followfd": ActionTypeFollowFd, + "unfollowfd": ActionTypeUnfollowFd, + "sigkill": ActionTypeSigKill, + "override": ActionTypeOverride, + "copyfd": ActionTypeCopyFd, + "geturl": ActionTypeGetUrl, + "dnslookup": ActionTypeDnsLookup, + "nopost": ActionTypeNoPost, + "signal": ActionTypeSignal, + "tracksock": ActionTypeTrackSock, + "untracksock": ActionTypeUntrackSock, + "notifykiller": ActionTypeNotifyKiller, } var actionTypeStringTable = map[uint32]string{ - ActionTypePost: "post", - ActionTypeFollowFd: "followfd", - ActionTypeUnfollowFd: "unfollowfd", - ActionTypeSigKill: "sigkill", - ActionTypeOverride: "override", - ActionTypeCopyFd: "copyfd", - ActionTypeGetUrl: "geturl", - ActionTypeDnsLookup: "dnslookup", - ActionTypeNoPost: "nopost", - ActionTypeSignal: "signal", - ActionTypeTrackSock: "tracksock", - 
ActionTypeUntrackSock: "untracksock", + ActionTypePost: "post", + ActionTypeFollowFd: "followfd", + ActionTypeUnfollowFd: "unfollowfd", + ActionTypeSigKill: "sigkill", + ActionTypeOverride: "override", + ActionTypeCopyFd: "copyfd", + ActionTypeGetUrl: "geturl", + ActionTypeDnsLookup: "dnslookup", + ActionTypeNoPost: "nopost", + ActionTypeSignal: "signal", + ActionTypeTrackSock: "tracksock", + ActionTypeUntrackSock: "untracksock", + ActionTypeNotifyKiller: "notifykiller", } // Action argument table entry (for URL and FQDN arguments) @@ -953,6 +956,9 @@ func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, a case ActionTypeSigKill: // no arguments // NB: we should deprecate this action and just use ActionTypeSignal with SIGKILL + case ActionTypeNotifyKiller: + WriteSelectorInt32(k, action.ArgError) + WriteSelectorUint32(k, action.ArgSig) default: return fmt.Errorf("ParseMatchAction: act %d (%s) is missing a handler", act, actionTypeStringTable[act]) } diff --git a/pkg/sensors/program/loader.go b/pkg/sensors/program/loader.go index db0e9d44e05..47633441031 100644 --- a/pkg/sensors/program/loader.go +++ b/pkg/sensors/program/loader.go @@ -140,13 +140,13 @@ func KprobeOpen(load *Program) OpenFunc { } } -func kprobeAttach(load *Program, prog *ebpf.Program, spec *ebpf.ProgramSpec) (unloader.Unloader, error) { +func kprobeAttach(load *Program, prog *ebpf.Program, spec *ebpf.ProgramSpec, symbol string) (unloader.Unloader, error) { var linkFn func() (link.Link, error) if load.RetProbe { - linkFn = func() (link.Link, error) { return link.Kretprobe(load.Attach, prog, nil) } + linkFn = func() (link.Link, error) { return link.Kretprobe(symbol, prog, nil) } } else { - linkFn = func() (link.Link, error) { return link.Kprobe(load.Attach, prog, nil) } + linkFn = func() (link.Link, error) { return link.Kprobe(symbol, prog, nil) } } lnk, err := linkFn() 
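Review bot: The new `ActionTypeNotifyKiller` case in `ParseMatchAction` writes `action.ArgError` and `action.ArgSig` into the selector blob with no validation, so a policy specifying `action: "NotifyKiller"` with neither argument loads and is reported as an enforcement action while doing nothing, and a signal number outside the kernel's valid range is only rejected at runtime by `bpf_send_signal`, not at policy load. Mirror whatever checks the `Signal` and `Override` cases above the hunk apply to their arguments, and at minimum reject the empty form: `if action.ArgError == 0 && action.ArgSig == 0 { return fmt.Errorf("ParseMatchAction: NotifyKiller requires argError or argSig") }`. The rest of `ParseMatchAction` lies outside the hunk.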
@@ -187,13 +187,13 @@ func KprobeAttach(load *Program, bpfDir string) AttachFunc { return nil, fmt.Errorf("pinning '%s' to '%s' failed: %w", load.Label, pinPath, err) } - load.unloaderOverride, err = kprobeAttach(load, progOverride, progOverrideSpec) + load.unloaderOverride, err = kprobeAttach(load, progOverride, progOverrideSpec, load.Attach) if err != nil { logger.GetLogger().Warnf("Failed to attach override program: %w", err) } } - return kprobeAttach(load, prog, spec) + return kprobeAttach(load, prog, spec, load.Attach) } } @@ -392,6 +392,35 @@ func LoadKprobeProgram(bpfDir, mapDir string, load *Program, verbose int) error return loadProgram(bpfDir, []string{mapDir}, load, opts, verbose) } +func KprobeAttachMany(load *Program, syms []string) AttachFunc { + return func(coll *ebpf.Collection, collSpec *ebpf.CollectionSpec, + prog *ebpf.Program, spec *ebpf.ProgramSpec) (unloader.Unloader, error) { + + unloader := unloader.ChainUnloader{ + unloader.PinUnloader{ + Prog: prog, + }, + } + + for idx := range syms { + un, err := kprobeAttach(load, prog, spec, syms[idx]) + if err != nil { + return nil, err + } + + unloader = append(unloader, un) + } + return unloader, nil + } +} + +func LoadKprobeProgramAttachMany(bpfDir, mapDir string, load *Program, syms []string, verbose int) error { + opts := &loadOpts{ + attach: KprobeAttachMany(load, syms), + } + return loadProgram(bpfDir, []string{mapDir}, load, opts, verbose) +} + func LoadUprobeProgram(bpfDir, mapDir string, load *Program, verbose int) error { var ci *customInstall for mName, mPath := range load.PinMap { diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go index 57bfed8a76f..e3e8c917f46 100644 --- a/pkg/sensors/tracing/generickprobe.go +++ b/pkg/sensors/tracing/generickprobe.go 
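Review bot: In `KprobeAttachMany`, an attach failure part-way through `syms` returns `nil, err` and abandons the links already appended to `unloader`, so the kprobes attached so far are never detached and, because the killer sensor uses this path, enforcement would be active on some syscalls and silently absent on the rest. The local named `unloader` also shadows the imported `unloader` package for the remainder of the closure, which compiles but is easy to misread. Unload the partial chain on the error path (via the method `unloader.Unloader` exposes, presumably `Unload`), wrap the error with the symbol that failed, and rename the local; the body of the returned closure becomes:

```go
		// … unchanged: KprobeAttachMany signature and returned closure header …
		chain := unloader.ChainUnloader{unloader.PinUnloader{Prog: prog}}

		for _, sym := range syms {
			un, err := kprobeAttach(load, prog, spec, sym)
			if err != nil {
				// Roll back the links attached so far; a half-attached
				// killer would enforce on some syscalls but not others.
				chain.Unload()
				return nil, fmt.Errorf("attaching %s to %q: %w", load.Label, sym, err)
			}
			chain = append(chain, un)
		}
		return chain, nil
```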
@@ -340,13 +340,9 @@ func preValidateKprobes(name string, kprobes []v1alpha1.KProbeSpec, lists []v1al } // validate lists first - for i := range lists { - list := &lists[i] - - err := preValidateList(list) - if err != nil { - return err - } + err = preValidateLists(lists) + if err != nil { + return err } for i := range kprobes { diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go index f8ecf9a84a7..c3f918e0b81 100644 --- a/pkg/sensors/tracing/generictracepoint.go +++ b/pkg/sensors/tracing/generictracepoint.go @@ -460,6 +460,9 @@ func createGenericTracepointSensor( selNamesMap := program.MapBuilderPin("sel_names_map", sensors.PathJoin(pinPath, "sel_names_map"), prog0) maps = append(maps, selNamesMap) + + killerDataMap := program.MapBuilderPin("killer_data", "killer_data", prog0) + maps = append(maps, killerDataMap) } return &sensors.Sensor{ @@ -619,6 +622,7 @@ func handleGenericTracepoint(r *bytes.Reader) ([]observer.Event, error) { Tid: m.Tid, Subsys: "UNKNOWN", Event: "UNKNOWN", + Action: m.ActionId, } tp, err := genericTracepointTable.getTracepoint(int(m.FuncId)) diff --git a/pkg/sensors/tracing/killer.go b/pkg/sensors/tracing/killer.go new file mode 100644 index 00000000000..6d73581238d --- /dev/null +++ b/pkg/sensors/tracing/killer.go 
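Review bot: `program.MapBuilderPin("killer_data", "killer_data", prog0)` pins the map at the bare path `killer_data`, whereas `sel_names_map` on the preceding line is pinned under `pinPath`; the global pin is presumably deliberate so the killer program in killer.go can open the same map by name, but that means every tracepoint sensor of every loaded policy shares one `killer_data` map, and it is created even for policies that define no `killers`. Document the coupling where the map is built, e.g. `// killer_data is intentionally pinned at the top level (not under pinPath): the killer sensor's program opens it by this fixed name, so all tracepoint sensors share one instance.`, and consider building it only when the policy's `Killers` is non-empty so unrelated policies do not carry the extra pinned object.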
@@ -0,0 +1,179 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package tracing
+
+import (
+ "fmt"
+ "path"
+ "strings"
+ "sync/atomic"
+
+ "github.com/cilium/tetragon/pkg/arch"
+ "github.com/cilium/tetragon/pkg/bpf"
+ "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+ "github.com/cilium/tetragon/pkg/logger"
+ "github.com/cilium/tetragon/pkg/option"
+ "github.com/cilium/tetragon/pkg/policyfilter"
+ "github.com/cilium/tetragon/pkg/sensors"
+ "github.com/cilium/tetragon/pkg/sensors/program"
+ "github.com/cilium/tetragon/pkg/tracingpolicy"
+)
+
+type killerSensor struct{}
+
+func init() {
+ killer := &killerSensor{}
+ sensors.RegisterProbeType("killer", killer)
+ sensors.RegisterPolicyHandlerAtInit("killer", killerSensor{})
+}
+
+var (
+ configured = false
+ syscallsSyms []string
+)
+
+func (k killerSensor) PolicyHandler(
+ policy tracingpolicy.TracingPolicy,
+ _ policyfilter.PolicyID,
+) (*sensors.Sensor, error) {
+
+ spec := policy.TpSpec()
+
+ if len(spec.Lists) > 0 {
+ err := preValidateLists(spec.Lists)
+ if err != nil {
+ return nil, err
+ }
+ }
+ if len(spec.Killers) > 0 {
+ name := fmt.Sprintf("killer-sensor-%d", atomic.AddUint64(&sensorCounter, 1))
+ return createKillerSensor(spec.Killers, spec.Lists, name)
+ }
+
+ return nil, nil
+}
+
+func loadSingleKillerSensor(bpfDir, mapDir string, load *program.Program, verbose int) error {
+ if err := program.LoadKprobeProgramAttachMany(bpfDir, mapDir, load, syscallsSyms, verbose); err == nil {
+ logger.GetLogger().Infof("Loaded killer sensor: %s", load.Attach)
+ } else {
+ return err
+ }
+
+ return nil
+}
+
+func loadMultiKillerSensor(bpfDir, mapDir string, load *program.Program, verbose int) error {
+ data := &program.MultiKprobeAttachData{}
+
+ for idx := range syscallsSyms {
+ data.Symbols = append(data.Symbols, syscallsSyms[idx])
+ }
+
+ load.SetAttachData(data)
+
+ if err := program.LoadMultiKprobeProgram(bpfDir, mapDir, load, verbose); err != nil {
+ return err
+ }
+
+ logger.GetLogger().Infof("Loaded killer sensor: %s", load.Attach)
+ return nil
+}
+
+func (k *killerSensor) LoadProbe(args sensors.LoadProbeArgs) error {
+ if args.Load.Label == "kprobe/killer" {
+ return loadSingleKillerSensor(args.BPFDir, args.MapDir, args.Load, args.Verbose)
+ }
+ return loadMultiKillerSensor(args.BPFDir, args.MapDir, args.Load, args.Verbose)
+}
+
+func unloadKiller() error {
+ configured = false
+ syscallsSyms = []string{}
+ logger.GetLogger().Infof("Cleaning up killer")
+ return nil
+}
+
+func createKillerSensor(
+ killers []v1alpha1.KillerSpec,
+ lists []v1alpha1.ListSpec,
+ name string,
+) (*sensors.Sensor, error) {
+
+ if len(killers) > 1 {
+ return nil, fmt.Errorf("failed: we support only single killer sensor")
+ }
+
+ if configured {
+ return nil, fmt.Errorf("failed: killer sensor is already configured")
+ }
+
+ configured = true
+
+ killer := killers[0]
+
+ // get all the syscalls
+ for idx := range killer.Syscalls {
+ sym := killer.Syscalls[idx]
+ if strings.HasPrefix(sym, "list:") {
+ listName := sym[len("list:"):]
+
+ list := getList(listName, lists)
+ if list == nil {
+ return nil, fmt.Errorf("Error list '%s' not found", listName)
+ }
+
+ if !isSyscallListType(list.Type) {
+ return nil, fmt.Errorf("Error list '%s' is not syscall type", listName)
+ }
+ syscallsSyms = append(syscallsSyms, list.Values...)
+ continue
+ }
+
+ pfxSym, err := arch.AddSyscallPrefix(sym)
+ if err != nil {
+ return nil, err
+ }
+ syscallsSyms = append(syscallsSyms, pfxSym)
+ }
+
+ // register killer sensor
+ var load *program.Program
+ var progs []*program.Program
+ var maps []*program.Map
+
+ useMulti := !option.Config.DisableKprobeMulti && bpf.HasKprobeMulti()
+
+ attach := fmt.Sprintf("%d syscalls: %s", len(syscallsSyms), syscallsSyms)
+ prog := sensors.PathJoin(name, "killer_kprobe")
+
+ if useMulti {
+ load = program.Builder(
+ path.Join(option.Config.HubbleLib, "bpf_multi_killer.o"),
+ attach,
+ "kprobe.multi/killer",
+ prog,
+ "killer")
+
+ } else {
+ load = program.Builder(
+ path.Join(option.Config.HubbleLib, "bpf_killer.o"),
+ attach,
+ "kprobe/killer",
+ prog,
+ "killer")
+ }
+
+ killerDataMap := program.MapBuilderPin("killer_data", "killer_data", load)
+
+ progs = append(progs, load)
+ maps = append(maps, killerDataMap)
+
+ return &sensors.Sensor{
+ Name: "__killer__",
+ Progs: progs,
+ Maps: maps,
+ PostUnloadHook: unloadKiller,
+ }, nil
+}
diff --git a/pkg/sensors/tracing/killer_test.go b/pkg/sensors/tracing/killer_test.go
new file mode 100644
index 00000000000..6b02cc564cb
--- /dev/null
+++ b/pkg/sensors/tracing/killer_test.go
@@ -0,0 +1,221 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Tetragon + +package tracing + +import ( + "context" + "os" + "os/exec" + "sync" + "syscall" + "testing" + + "github.com/cilium/tetragon/api/v1/tetragon" + "github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker" + ec "github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker" + "github.com/cilium/tetragon/pkg/bpf" + "github.com/cilium/tetragon/pkg/jsonchecker" + lc "github.com/cilium/tetragon/pkg/matchers/listmatcher" + "github.com/cilium/tetragon/pkg/observer/observertesthelper" + "github.com/cilium/tetragon/pkg/testutils" + tus "github.com/cilium/tetragon/pkg/testutils/sensors" + "github.com/stretchr/testify/assert" +) + +func test_killer(t *testing.T, configHook string, test string, + checker *eventchecker.UnorderedEventChecker, + checkerFunc func(err error, rc int)) { + + var doneWG, readyWG sync.WaitGroup + defer doneWG.Wait() + + ctx, cancel := context.WithTimeout(context.Background(), tus.Conf().CmdWaitTime) + defer cancel() + + err := os.WriteFile(testConfigFile, []byte(configHook), 0644) + if err != nil { + t.Fatalf("writeFile(%s): err %s", testConfigFile, err) + } + + obs, err := observertesthelper.GetDefaultObserverWithFile(t, ctx, testConfigFile, tus.Conf().TetragonLib, observertesthelper.WithMyPid()) + if err != nil { + t.Fatalf("GetDefaultObserverWithFile error: %s", err) + } + observertesthelper.LoopEvents(ctx, t, &doneWG, &readyWG, obs) + readyWG.Wait() + + cmd := exec.Command(test) + err = cmd.Run() + + checkerFunc(err, cmd.ProcessState.ExitCode()) + + err = jsonchecker.JsonTestCheck(t, checker) + assert.NoError(t, err) +} + +func TestKillerOverride(t *testing.T) { + if !bpf.HasOverrideHelper() { + t.Skip("skipping killer test, bpf_override_return helper not available") + } + + test := testutils.RepoRootPath("contrib/tester-progs/killer-tester") + configHook := ` +apiVersion: cilium.io/v1alpha1 +kind: TracingPolicy +metadata: + name: "kill-syscalls" 
+spec: + lists: + - name: "mine" + type: "syscalls" + values: + - "sys_prctl" + killers: + - syscalls: + - "list:mine" + tracepoints: + - subsystem: "raw_syscalls" + event: "sys_enter" + args: + - index: 4 + type: "uint64" + selectors: + - matchArgs: + - index: 0 + operator: "InMap" + values: + - "list:mine" + matchBinaries: + - operator: "In" + values: + - "` + test + `" + matchActions: + - action: "NotifyKiller" + argError: -17 # EEXIST +` + + tpChecker := ec.NewProcessTracepointChecker(""). + WithArgs(ec.NewKprobeArgumentListMatcher(). + WithOperator(lc.Ordered). + WithValues( + ec.NewKprobeArgumentChecker().WithSizeArg(syscall.SYS_PRCTL), + )). + WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + + checker := ec.NewUnorderedEventChecker(tpChecker) + + checkerFunc := func(err error, rc int) { + if rc != int(syscall.EEXIST) { + t.Fatalf("Wrong exit code %d expected %d", rc, int(syscall.EEXIST)) + } + } + + test_killer(t, configHook, test, checker, checkerFunc) +} + +func TestKillerSignal(t *testing.T) { + if !bpf.HasOverrideHelper() { + t.Skip("skipping killer test, bpf_override_return helper not available") + } + + test := testutils.RepoRootPath("contrib/tester-progs/killer-tester") + configHook := ` +apiVersion: cilium.io/v1alpha1 +kind: TracingPolicy +metadata: + name: "kill-syscalls" +spec: + lists: + - name: "mine" + type: "syscalls" + values: + - "sys_prctl" + killers: + - syscalls: + - "list:mine" + tracepoints: + - subsystem: "raw_syscalls" + event: "sys_enter" + args: + - index: 4 + type: "uint64" + selectors: + - matchArgs: + - index: 0 + operator: "InMap" + values: + - "list:mine" + matchBinaries: + - operator: "In" + values: + - "` + test + `" + matchActions: + - action: "NotifyKiller" + argSig: 9 # SIGKILL +` + + tpChecker := ec.NewProcessTracepointChecker(""). + WithArgs(ec.NewKprobeArgumentListMatcher(). + WithOperator(lc.Ordered). + WithValues( + ec.NewKprobeArgumentChecker().WithSizeArg(syscall.SYS_PRCTL), + )). 
+ WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + + checker := ec.NewUnorderedEventChecker(tpChecker) + + checkerFunc := func(err error, rc int) { + if err == nil || err.Error() != "signal: killed" { + t.Fatalf("Wrong error '%v' expected 'killed'", err) + } + } + + test_killer(t, configHook, test, checker, checkerFunc) +} + +func TestKillerMulti(t *testing.T) { + if !bpf.HasOverrideHelper() { + t.Skip("skipping killer test, bpf_override_return helper not available") + } + + crd := ` +apiVersion: cilium.io/v1alpha1 +kind: TracingPolicy +metadata: + name: "kill-syscalls" +spec: + lists: + - name: "mine1" + type: "syscalls" + values: + - "sys_prctl" + - name: "mine2" + type: "syscalls" + values: + - "sys_prctl" + killers: + - syscalls: + - "list:mine1" + - syscalls: + - "list:mine2" + tracepoints: + - subsystem: "raw_syscalls" + event: "sys_enter" + args: + - index: 4 + type: "uint64" + selectors: + - matchArgs: + - index: 0 + operator: "InMap" + values: + - "list:mine1" + matchActions: + - action: "NotifyKiller" + argSig: 9 # SIGKILL +` + + err := checkCrd(t, crd) + assert.Error(t, err) +} diff --git a/pkg/sensors/tracing/lists.go b/pkg/sensors/tracing/lists.go index d6563a90a35..b0bb9803ef1 100644 --- a/pkg/sensors/tracing/lists.go +++ b/pkg/sensors/tracing/lists.go @@ -52,7 +52,7 @@ func isSyscallListType(typ string) bool { listTypeFromString(typ) == ListTypeGeneratedSyscalls } -func preValidateList(list *v1alpha1.ListSpec) (err error) { +func validateList(list *v1alpha1.ListSpec) (err error) { if listTypeFromString(list.Type) == ListTypeInvalid { return fmt.Errorf("Invalid list type: %s", list.Type) } 
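Review bot: TestKillerSignal decides the outcome by comparing `err.Error() != "signal: killed"`, which couples the test to os/exec's error text; unwrap the exit status instead, e.g. `var ee *exec.ExitError` / `if !errors.As(err, &ee) || ee.Sys().(syscall.WaitStatus).Signal() != syscall.SIGKILL { t.Fatalf("expected SIGKILL, got %v", err) }` (needs an `errors` import). The same package is imported twice, as `eventchecker` and as `ec`; one alias is enough. `test_killer` should be `testKiller` (MixedCaps), and since TestKillerMulti only runs `checkCrd` its `HasOverrideHelper` skip hides a pure validation test on hosts without the helper.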
@@ -97,6 +97,22 @@ func preValidateList(list *v1alpha1.ListSpec) (err error) { return nil } +func preValidateLists(lists []v1alpha1.ListSpec) (err error) { + for i := range lists { + list := &lists[i] + + if list.Validated { + continue + } + err := validateList(list) + if err != nil { + return err + } + list.Validated = true + } + return nil +} + type listReader struct { lists []v1alpha1.ListSpec } diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go index e148e5f4076..01c8c5fdcef 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go @@ -1098,6 +1098,7 @@ type ProcessTracepointChecker struct { Event *stringmatcher.StringMatcher `json:"event,omitempty"` Args *KprobeArgumentListMatcher `json:"args,omitempty"` PolicyName *stringmatcher.StringMatcher `json:"policyName,omitempty"` + Action *KprobeActionChecker `json:"action,omitempty"` } // CheckEvent checks a single event and implements the EventChecker interface @@ -1169,6 +1170,11 @@ func (checker *ProcessTracepointChecker) Check(event *tetragon.ProcessTracepoint return fmt.Errorf("PolicyName check failed: %w", err) } } + if checker.Action != nil { + if err := checker.Action.Check(&event.Action); err != nil { + return fmt.Errorf("Action check failed: %w", err) + } + } return nil } if err := fieldChecks(); err != nil { 
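Review bot: preValidateLists skips validateList whenever `list.Validated` is already true, but `Validated` is an ordinary field of the ListSpec API type (`json:"validated"`, and published as `validated: type: boolean` in both CRD schemas in this diff), so a policy author can write `validated: true` in a TracingPolicy and have `validateList` never run for that list — the `Invalid list type` check and whatever else it enforces are bypassed for data that feeds the killer's syscall set and the InMap selectors. Validation bookkeeping should not be settable from the CR: either take it off the wire format (`json:"-"`, which the CRD generator omits, with the field comment saying it is runtime-only) or keep the validated state in a package-level set keyed by list name rather than in the spec. The same exposure is introduced by the types.go hunk and the two cilium.io_tracingpolicies*.yaml hunks below; I am raising it once here. Separately, `err := validateList(list)` shadows the named result `err`; write `err = validateList(list)` or drop the named result.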
@@ -1213,6 +1219,13 @@ func (checker *ProcessTracepointChecker) WithPolicyName(check *stringmatcher.Str return checker } +// WithAction adds a Action check to the ProcessTracepointChecker +func (checker *ProcessTracepointChecker) WithAction(check tetragon.KprobeAction) *ProcessTracepointChecker { + wrappedCheck := KprobeActionChecker(check) + checker.Action = &wrappedCheck + return checker +} + //FromProcessTracepoint populates the ProcessTracepointChecker using data from a ProcessTracepoint event func (checker *ProcessTracepointChecker) FromProcessTracepoint(event *tetragon.ProcessTracepoint) *ProcessTracepointChecker { if event == nil { @@ -1240,6 +1253,7 @@ func (checker *ProcessTracepointChecker) FromProcessTracepoint(event *tetragon.P checker.Args = lm } checker.PolicyName = stringmatcher.Full(event.PolicyName) + checker.Action = NewKprobeActionChecker(event.Action) return checker } diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go index 1cb30f66715..1caa364382f 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go @@ -51,6 +51,12 @@ const ( KprobeAction_KPROBE_ACTION_NOPOST KprobeAction = 9 // Signal action sends specified signal to the process. KprobeAction_KPROBE_ACTION_SIGNAL KprobeAction = 10 + // TrackSock action tracks socket. + KprobeAction_KPROBE_ACTION_TRACKSOCK KprobeAction = 11 + // UntrackSock action un-tracks socket. + KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12 + // NotifyKiller action notifies killer sensor. + KprobeAction_KPROBE_ACTION_NOTIFYKILLER KprobeAction = 13 ) // Enum value maps for KprobeAction. 
@@ -67,19 +73,25 @@ var ( 8: "KPROBE_ACTION_DNSLOOKUP", 9: "KPROBE_ACTION_NOPOST", 10: "KPROBE_ACTION_SIGNAL", + 11: "KPROBE_ACTION_TRACKSOCK", + 12: "KPROBE_ACTION_UNTRACKSOCK", + 13: "KPROBE_ACTION_NOTIFYKILLER", } KprobeAction_value = map[string]int32{ - "KPROBE_ACTION_UNKNOWN": 0, - "KPROBE_ACTION_POST": 1, - "KPROBE_ACTION_FOLLOWFD": 2, - "KPROBE_ACTION_SIGKILL": 3, - "KPROBE_ACTION_UNFOLLOWFD": 4, - "KPROBE_ACTION_OVERRIDE": 5, - "KPROBE_ACTION_COPYFD": 6, - "KPROBE_ACTION_GETURL": 7, - "KPROBE_ACTION_DNSLOOKUP": 8, - "KPROBE_ACTION_NOPOST": 9, - "KPROBE_ACTION_SIGNAL": 10, + "KPROBE_ACTION_UNKNOWN": 0, + "KPROBE_ACTION_POST": 1, + "KPROBE_ACTION_FOLLOWFD": 2, + "KPROBE_ACTION_SIGKILL": 3, + "KPROBE_ACTION_UNFOLLOWFD": 4, + "KPROBE_ACTION_OVERRIDE": 5, + "KPROBE_ACTION_COPYFD": 6, + "KPROBE_ACTION_GETURL": 7, + "KPROBE_ACTION_DNSLOOKUP": 8, + "KPROBE_ACTION_NOPOST": 9, + "KPROBE_ACTION_SIGNAL": 10, + "KPROBE_ACTION_TRACKSOCK": 11, + "KPROBE_ACTION_UNTRACKSOCK": 12, + "KPROBE_ACTION_NOTIFYKILLER": 13, } ) @@ -2813,6 +2825,8 @@ type ProcessTracepoint struct { Args []*KprobeArgument `protobuf:"bytes,6,rep,name=args,proto3" json:"args,omitempty"` // Name of the policy that created that tracepoint. PolicyName string `protobuf:"bytes,7,opt,name=policy_name,json=policyName,proto3" json:"policy_name,omitempty"` + // Action performed when the tracepoint matched. + Action KprobeAction `protobuf:"varint,8,opt,name=action,proto3,enum=tetragon.KprobeAction" json:"action,omitempty"` } func (x *ProcessTracepoint) Reset() { @@ -2889,6 +2903,13 @@ func (x *ProcessTracepoint) GetPolicyName() string { return "" } +func (x *ProcessTracepoint) GetAction() KprobeAction { + if x != nil { + return x.Action + } + return KprobeAction_KPROBE_ACTION_UNKNOWN +} + type ProcessUprobe struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -3991,8 +4012,8 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x63, 0x6b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xe8, - 0x01, 0x0a, 0x11, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, + 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x98, + 0x02, 0x0a, 0x11, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x2b, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 
@@ -4006,7 +4027,10 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x67, 0x6f, 0x6e, 0x2e, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x72, 0x67, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x52, 0x04, 0x61, 0x72, 0x67, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xb4, 0x01, 0x0a, 0x0d, 0x50, 0x72, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x2e, 0x0a, 0x06, 0x61, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x65, 0x74, 0x72, + 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xb4, 0x01, 0x0a, 0x0d, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x2b, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, @@ -4087,7 +4111,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x65, 0x73, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, - 0x62, 0x6f, 0x6c, 0x2a, 0xb7, 0x02, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, + 0x62, 0x6f, 0x6c, 0x2a, 0x93, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 
@@ -4106,38 +4130,43 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x53, 0x4c, 0x4f, 0x4f, 0x4b, 0x55, 0x50, 0x10, 0x08, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x50, 0x4f, 0x53, 0x54, 0x10, 0x09, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, - 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x41, 0x4c, 0x10, 0x0a, 0x2a, 0x4f, 0x0a, - 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, - 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, - 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, - 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, - 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, - 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, - 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, - 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, - 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, - 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, - 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, - 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, - 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, - 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, - 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 
0x50, 0x52, 0x4f, 0x50, 0x52, - 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, - 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, - 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, - 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, - 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, - 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, - 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, - 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, - 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, - 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, - 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, - 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x41, 0x4c, 0x10, 0x0a, 0x12, 0x1b, 0x0a, + 0x17, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, + 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0b, 0x12, 0x1d, 0x0a, 0x19, 0x4b, 0x50, + 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x54, 0x52, + 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x50, 0x52, + 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 
0x54, 0x49, 0x46, + 0x59, 0x4b, 0x49, 0x4c, 0x4c, 0x45, 0x52, 0x10, 0x0d, 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, + 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, + 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, + 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, + 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, + 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, + 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, + 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, + 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, + 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, + 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, + 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, + 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, + 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, + 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, + 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, + 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, + 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, + 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, + 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, + 0x52, 0x43, 0x45, 
0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, + 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, + 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, + 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, + 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, + 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, + 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, + 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, + 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, + 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, + 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -4288,22 +4317,23 @@ var file_tetragon_tetragon_proto_depIdxs = []int32{ 13, // 79: tetragon.ProcessTracepoint.process:type_name -> tetragon.Process 13, // 80: tetragon.ProcessTracepoint.parent:type_name -> tetragon.Process 27, // 81: tetragon.ProcessTracepoint.args:type_name -> tetragon.KprobeArgument - 13, // 82: tetragon.ProcessUprobe.process:type_name -> tetragon.Process - 13, // 83: tetragon.ProcessUprobe.parent:type_name -> tetragon.Process - 48, // 84: tetragon.KernelModule.signature_ok:type_name -> google.protobuf.BoolValue - 3, // 85: tetragon.KernelModule.tainted:type_name -> tetragon.TaintedBitsType - 1, // 86: tetragon.GetHealthStatusRequest.event_set:type_name -> tetragon.HealthStatusType - 1, // 87: tetragon.HealthStatus.event:type_name -> tetragon.HealthStatusType - 2, // 88: tetragon.HealthStatus.status:type_name -> tetragon.HealthStatusResult - 34, // 89: tetragon.GetHealthStatusResponse.health_status:type_name -> tetragon.HealthStatus - 13, // 90: tetragon.ProcessLoader.process:type_name -> tetragon.Process - 39, // 91: tetragon.RuntimeHookRequest.createContainer:type_name -> tetragon.CreateContainer - 42, // 92: tetragon.CreateContainer.annotations:type_name -> tetragon.CreateContainer.AnnotationsEntry - 93, // [93:93] is the sub-list for method output_type - 93, // [93:93] is the sub-list for method input_type - 93, // [93:93] is the sub-list for extension type_name - 93, // [93:93] is the sub-list for extension extendee - 0, // [0:93] is the sub-list for field type_name + 0, // 82: tetragon.ProcessTracepoint.action:type_name -> tetragon.KprobeAction + 13, // 83: tetragon.ProcessUprobe.process:type_name -> tetragon.Process + 13, // 84: tetragon.ProcessUprobe.parent:type_name -> tetragon.Process + 48, // 85: tetragon.KernelModule.signature_ok:type_name -> google.protobuf.BoolValue + 3, // 86: tetragon.KernelModule.tainted:type_name -> tetragon.TaintedBitsType + 1, // 87: tetragon.GetHealthStatusRequest.event_set:type_name -> 
tetragon.HealthStatusType + 1, // 88: tetragon.HealthStatus.event:type_name -> tetragon.HealthStatusType + 2, // 89: tetragon.HealthStatus.status:type_name -> tetragon.HealthStatusResult + 34, // 90: tetragon.GetHealthStatusResponse.health_status:type_name -> tetragon.HealthStatus + 13, // 91: tetragon.ProcessLoader.process:type_name -> tetragon.Process + 39, // 92: tetragon.RuntimeHookRequest.createContainer:type_name -> tetragon.CreateContainer + 42, // 93: tetragon.CreateContainer.annotations:type_name -> tetragon.CreateContainer.AnnotationsEntry + 94, // [94:94] is the sub-list for method output_type + 94, // [94:94] is the sub-list for method input_type + 94, // [94:94] is the sub-list for extension type_name + 94, // [94:94] is the sub-list for extension extendee + 0, // [0:94] is the sub-list for field type_name } func init() { file_tetragon_tetragon_proto_init() } diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto index 6597d98c08e..03bdf05b98d 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto @@ -404,6 +404,12 @@ enum KprobeAction { KPROBE_ACTION_NOPOST = 9; // Signal action sends specified signal to the process. KPROBE_ACTION_SIGNAL = 10; + // TrackSock action tracks socket. + KPROBE_ACTION_TRACKSOCK = 11; + // UntrackSock action un-tracks socket. + KPROBE_ACTION_UNTRACKSOCK = 12; + // NotifyKiller action notifies killer sensor. + KPROBE_ACTION_NOTIFYKILLER = 13; } message ProcessKprobe { @@ -439,6 +445,8 @@ message ProcessTracepoint { repeated KprobeArgument args = 6; // Name of the policy that created that tracepoint. string policy_name = 7; + // Action performed when the tracepoint matched. + KprobeAction action = 8; } message ProcessUprobe { 
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index 78a8ac0f776..ec761c98e89 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -35,6 +35,19 @@ spec: spec: description: Tracing policy specification. properties: + killers: + description: A killer spec. + items: + properties: + syscalls: + description: syscalls where killer is executed in + items: + type: string + type: array + required: + - syscalls + type: object + type: array kprobes: description: A list of kprobe specs. items: @@ -227,6 +240,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -581,6 +595,9 @@ spec: - generated_syscalls - generated_ftrace type: string + validated: + description: List was validated + type: boolean values: description: Values of the list items: @@ -757,6 +774,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -1129,6 +1147,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 69e05e36635..ce8c9faaba1 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml 
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -35,6 +35,19 @@ spec: spec: description: Tracing policy specification. properties: + killers: + description: A killer spec. + items: + properties: + syscalls: + description: syscalls where killer is executed in + items: + type: string + type: array + required: + - syscalls + type: object + type: array kprobes: description: A list of kprobe specs. items: @@ -227,6 +240,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -581,6 +595,9 @@ spec: - generated_syscalls - generated_ftrace type: string + validated: + description: List was validated + type: boolean values: description: Values of the list items: @@ -757,6 +774,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -1129,6 +1147,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go index b22742886c3..0423ae46318 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go @@ -93,6 +93,10 @@ type TracingPolicySpec struct { // +kubebuilder:validation:Optional // A list of list specs. Lists []ListSpec `json:"lists,omitempty"` + + // +kubebuilder:validation:Optional + // A killer spec. + Killers []KillerSpec `json:"killers,omitempty"` } func (tp *TracingPolicy) TpName() string { 
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 08a0f1c7439..c202953245c 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -184,7 +184,7 @@ type ArgSelector struct { } type ActionSelector struct { - // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock + // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyKiller // Action to execute. Action string `json:"action"` // +kubebuilder:validation:Optional @@ -254,6 +254,9 @@ type ListSpec struct { // +kubebuilder:validation:Optional // Pattern for 'generated' lists. Pattern *string `json:"pattern,omitempty"` + // +kubebuilder:validation:Optional + // List was validated + Validated bool `json:"validated"` } type PodInfoSpec struct { @@ -316,3 +319,8 @@ type PodInfoList struct { metav1.ListMeta `json:"metadata,omitempty"` Items []PodInfo `json:"items"` } + +type KillerSpec struct { + // syscalls where killer is executed in + Syscalls []string `json:"syscalls"` +} diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go index 4a397c1be55..6cc4449f79b 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go 
@@ -218,6 +218,27 @@ func (in *KProbeSpec) DeepCopy() *KProbeSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KillerSpec) DeepCopyInto(out *KillerSpec) { + *out = *in + if in.Syscalls != nil { + in, out := &in.Syscalls, &out.Syscalls + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KillerSpec. +func (in *KillerSpec) DeepCopy() *KillerSpec { + if in == nil { + return nil + } + out := new(KillerSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ListSpec) DeepCopyInto(out *ListSpec) { *out = *in @@ -607,6 +628,13 @@ func (in *TracingPolicySpec) DeepCopyInto(out *TracingPolicySpec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.Killers != nil { + in, out := &in.Killers, &out.Killers + *out = make([]KillerSpec, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return }