From eda3ea11827b17fdbc634a65028b7f2deb5637ca Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Tue, 5 Sep 2023 10:30:27 +0000 Subject: [PATCH 01/14] tetragon: Add Validated field to ListSpec Adding Validated field to ListSpec to ensure the validation goes through just once, so it gets validated, sets the flag so another sensor won't run it again. Signed-off-by: Jiri Olsa --- .../client/crds/v1alpha1/cilium.io_tracingpolicies.yaml | 3 +++ .../crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml | 3 +++ pkg/k8s/apis/cilium.io/v1alpha1/types.go | 3 +++ .../client/crds/v1alpha1/cilium.io_tracingpolicies.yaml | 3 +++ .../crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml | 3 +++ .../cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go | 3 +++ 6 files changed, 18 insertions(+) diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index 78a8ac0f776..4b2e31951a4 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -581,6 +581,9 @@ spec: - generated_syscalls - generated_ftrace type: string + validated: + description: List was validated + type: boolean values: description: Values of the list items: diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 69e05e36635..86aa9054578 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -581,6 +581,9 @@ spec: - generated_syscalls - generated_ftrace type: string + validated: + description: List was validated + type: boolean values: description: Values of the list items: 
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 08a0f1c7439..d4edad99621 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -254,6 +254,9 @@ type ListSpec struct { // +kubebuilder:validation:Optional // Pattern for 'generated' lists. Pattern *string `json:"pattern,omitempty"` + // +kubebuilder:validation:Optional + // List was validated + Validated bool `json:"validated"` } type PodInfoSpec struct { diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index 78a8ac0f776..4b2e31951a4 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -581,6 +581,9 @@ spec: - generated_syscalls - generated_ftrace type: string + validated: + description: List was validated + type: boolean values: description: Values of the list items: diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 69e05e36635..86aa9054578 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -581,6 +581,9 @@ spec: - generated_syscalls - generated_ftrace type: string + validated: + description: List was validated + type: boolean values: description: Values of the list items: 
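Review bot: `Validated bool `json:"validated"`` on ListSpec turns internal bookkeeping into part of the user-facing CRD schema (the YAML hunks above now advertise a `validated` property), so a policy author can write `validated: true` and the `preValidateLists` loop added in patch 02 (lists.go hunk) skips `validateList` for that list entirely. The flag must not be settable from the spec: keep it out of serialization with `Validated bool `json:"-"`` and drop the `+kubebuilder:validation:Optional` marker so the generated CRDs stop exposing it, or track validated lists outside the API type altogether. If it stays on the struct it also needs a comment stating that sensor code sets it and users must not; the vendored copy in the next hunk has the same issue.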
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 08a0f1c7439..d4edad99621 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -254,6 +254,9 @@ type ListSpec struct { // +kubebuilder:validation:Optional // Pattern for 'generated' lists. Pattern *string `json:"pattern,omitempty"` + // +kubebuilder:validation:Optional + // List was validated + Validated bool `json:"validated"` } type PodInfoSpec struct { From 29c37f2f1567f75f9e840a921860aad8224b28cf Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Tue, 29 Aug 2023 16:10:59 +0000 Subject: [PATCH 02/14] tetragon: Add preValidateLists function Adding preValidateLists function that iterates all the lists and validates them. Signed-off-by: Jiri Olsa --- pkg/sensors/tracing/generickprobe.go | 10 +++------- pkg/sensors/tracing/lists.go | 18 +++++++++++++++++- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go index 57bfed8a76f..e3e8c917f46 100644 --- a/pkg/sensors/tracing/generickprobe.go +++ b/pkg/sensors/tracing/generickprobe.go @@ -340,13 +340,9 @@ func preValidateKprobes(name string, kprobes []v1alpha1.KProbeSpec, lists []v1al } // validate lists first - for i := range lists { - list := &lists[i] - - err := preValidateList(list) - if err != nil { - return err - } + err = preValidateLists(lists) + if err != nil { + return err } for i := range kprobes { diff --git a/pkg/sensors/tracing/lists.go b/pkg/sensors/tracing/lists.go index d6563a90a35..b0bb9803ef1 100644 --- a/pkg/sensors/tracing/lists.go +++ b/pkg/sensors/tracing/lists.go 
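Review bot: In the generickprobe.go hunk, `err = preValidateLists(lists)` assigns to an `err` declared somewhere above the hunk (preValidateKprobes starts outside it), which keeps the variable live for the rest of the function for no gain. The tighter idiom is `if err := preValidateLists(lists); err != nil { return err }`, which also makes it obvious the removed loop simply moved into preValidateLists.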
@@ -52,7 +52,7 @@ func isSyscallListType(typ string) bool { listTypeFromString(typ) == ListTypeGeneratedSyscalls } -func preValidateList(list *v1alpha1.ListSpec) (err error) { +func validateList(list *v1alpha1.ListSpec) (err error) { if listTypeFromString(list.Type) == ListTypeInvalid { return fmt.Errorf("Invalid list type: %s", list.Type) } @@ -97,6 +97,22 @@ func preValidateList(list *v1alpha1.ListSpec) (err error) { return nil } +func preValidateLists(lists []v1alpha1.ListSpec) (err error) { + for i := range lists { + list := &lists[i] + + if list.Validated { + continue + } + err := validateList(list) + if err != nil { + return err + } + list.Validated = true + } + return nil +} + type listReader struct { lists []v1alpha1.ListSpec } From c7853675645bf5b0d12c2904a824230e25c14e4a Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Fri, 6 Oct 2023 12:15:48 +0000 Subject: [PATCH 03/14] tetragon: Pass symbol argument to kprobeAttach Passing symbol argument to kprobeAttach so we can use it in followich changes with different symbols. Signed-off-by: Jiri Olsa --- pkg/sensors/program/loader.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pkg/sensors/program/loader.go b/pkg/sensors/program/loader.go index db0e9d44e05..1ec3742bced 100644 --- a/pkg/sensors/program/loader.go +++ b/pkg/sensors/program/loader.go 
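Review bot: In `preValidateLists`, `err := validateList(list)` shadows the named result `err` from the signature, and the named result is never used, so go vet's shadow check will flag it. Drop the named result and scope the error to the call: `func preValidateLists(lists []v1alpha1.ListSpec) error {` with `if err := validateList(list); err != nil { return err }`. The function also deserves a doc comment saying it mutates the caller's slice by setting `Validated` on each list that passes, which is why it takes the slice itself rather than a copy and why a second sensor seeing the same slice skips the work.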
@@ -140,13 +140,13 @@ func KprobeOpen(load *Program) OpenFunc { } } -func kprobeAttach(load *Program, prog *ebpf.Program, spec *ebpf.ProgramSpec) (unloader.Unloader, error) { +func kprobeAttach(load *Program, prog *ebpf.Program, spec *ebpf.ProgramSpec, symbol string) (unloader.Unloader, error) { var linkFn func() (link.Link, error) if load.RetProbe { - linkFn = func() (link.Link, error) { return link.Kretprobe(load.Attach, prog, nil) } + linkFn = func() (link.Link, error) { return link.Kretprobe(symbol, prog, nil) } } else { - linkFn = func() (link.Link, error) { return link.Kprobe(load.Attach, prog, nil) } + linkFn = func() (link.Link, error) { return link.Kprobe(symbol, prog, nil) } } lnk, err := linkFn() @@ -187,13 +187,13 @@ func KprobeAttach(load *Program, bpfDir string) AttachFunc { return nil, fmt.Errorf("pinning '%s' to '%s' failed: %w", load.Label, pinPath, err) } - load.unloaderOverride, err = kprobeAttach(load, progOverride, progOverrideSpec) + load.unloaderOverride, err = kprobeAttach(load, progOverride, progOverrideSpec, load.Attach) if err != nil { logger.GetLogger().Warnf("Failed to attach override program: %w", err) } } - return kprobeAttach(load, prog, spec) + return kprobeAttach(load, prog, spec, load.Attach) } } From 2245bce47fb0a76668ea26e290111f955d591e35 Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Fri, 6 Oct 2023 12:13:04 +0000 Subject: [PATCH 04/14] tetragon: Add LoadKprobeProgramAttachMany function Adding LoadKprobeProgramAttachMany function that loads kprobe program and attaches it to symbols provided in array of strings. Note the program gets loaded just once. Signed-off-by: Jiri Olsa --- pkg/sensors/program/loader.go | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/pkg/sensors/program/loader.go b/pkg/sensors/program/loader.go index 1ec3742bced..47633441031 100644 --- a/pkg/sensors/program/loader.go +++ b/pkg/sensors/program/loader.go 
@@ -392,6 +392,35 @@ func LoadKprobeProgram(bpfDir, mapDir string, load *Program, verbose int) error return loadProgram(bpfDir, []string{mapDir}, load, opts, verbose) } +func KprobeAttachMany(load *Program, syms []string) AttachFunc { + return func(coll *ebpf.Collection, collSpec *ebpf.CollectionSpec, + prog *ebpf.Program, spec *ebpf.ProgramSpec) (unloader.Unloader, error) { + + unloader := unloader.ChainUnloader{ + unloader.PinUnloader{ + Prog: prog, + }, + } + + for idx := range syms { + un, err := kprobeAttach(load, prog, spec, syms[idx]) + if err != nil { + return nil, err + } + + unloader = append(unloader, un) + } + return unloader, nil + } +} + +func LoadKprobeProgramAttachMany(bpfDir, mapDir string, load *Program, syms []string, verbose int) error { + opts := &loadOpts{ + attach: KprobeAttachMany(load, syms), + } + return loadProgram(bpfDir, []string{mapDir}, load, opts, verbose) +} + func LoadUprobeProgram(bpfDir, mapDir string, load *Program, verbose int) error { var ci *customInstall for mName, mPath := range load.PinMap { From 5d9cc46fcf1df8e4bc14a511c5d024ee56582019 Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Tue, 29 Aug 2023 16:01:30 +0000 Subject: [PATCH 05/14] tetragon: Add support for killer schema Add possibility to define killer in the schema like: killers: - syscalls: - "sys_dup" "sys.." Signed-off-by: Jiri Olsa --- .../v1alpha1/cilium.io_tracingpolicies.yaml | 13 +++++++++ .../cilium.io_tracingpoliciesnamespaced.yaml | 13 +++++++++ .../v1alpha1/tracing_policy_types.go | 4 +++ pkg/k8s/apis/cilium.io/v1alpha1/types.go | 5 ++++ .../v1alpha1/zz_generated.deepcopy.go | 28 +++++++++++++++++++ .../v1alpha1/cilium.io_tracingpolicies.yaml | 13 +++++++++ .../cilium.io_tracingpoliciesnamespaced.yaml | 13 +++++++++ .../v1alpha1/tracing_policy_types.go | 4 +++ .../pkg/k8s/apis/cilium.io/v1alpha1/types.go | 5 ++++ .../v1alpha1/zz_generated.deepcopy.go | 28 +++++++++++++++++++ 10 files changed, 126 insertions(+) 
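Review bot: In `KprobeAttachMany`, when `kprobeAttach` fails for a later symbol the links already created for the earlier symbols are dropped on the floor (the chain is returned as nil), so a partially attached program leaks its kprobes together with the pinned program held by `PinUnloader`. The local variable named `unloader` also shadows the `unloader` package from the line after its declaration, which compiles but misleads. Unload the chain built so far before returning (assuming the Unloader interface's method is `Unload()`, as `ChainUnloader` satisfies it), wrap the error with the symbol that failed, and rename the local; an empty `syms` silently attaches nothing, which the caller may want to reject. `LoadKprobeProgramAttachMany` needs only a doc comment stating that the program is loaded once and attached to every symbol in `syms`.
```go
func KprobeAttachMany(load *Program, syms []string) AttachFunc {
	return func(coll *ebpf.Collection, collSpec *ebpf.CollectionSpec,
		prog *ebpf.Program, spec *ebpf.ProgramSpec) (unloader.Unloader, error) {

		chain := unloader.ChainUnloader{
			unloader.PinUnloader{
				Prog: prog,
			},
		}

		for _, sym := range syms {
			un, err := kprobeAttach(load, prog, spec, sym)
			if err != nil {
				// Release the links attached so far; the attach error is the
				// one worth reporting, so the unload error is dropped here.
				_ = chain.Unload()
				return nil, fmt.Errorf("attaching kprobe %q: %w", sym, err)
			}
			chain = append(chain, un)
		}
		return chain, nil
	}
}
```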
diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index 4b2e31951a4..b8a09a7d678 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -35,6 +35,19 @@ spec: spec: description: Tracing policy specification. properties: + killers: + description: A killer spec. + items: + properties: + syscalls: + description: syscalls where killer is executed in + items: + type: string + type: array + required: + - syscalls + type: object + type: array kprobes: description: A list of kprobe specs. items: diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 86aa9054578..4a7859a743b 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -35,6 +35,19 @@ spec: spec: description: Tracing policy specification. properties: + killers: + description: A killer spec. + items: + properties: + syscalls: + description: syscalls where killer is executed in + items: + type: string + type: array + required: + - syscalls + type: object + type: array kprobes: description: A list of kprobe specs. items: diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go b/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go index b22742886c3..0423ae46318 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go 
@@ -93,6 +93,10 @@ type TracingPolicySpec struct { // +kubebuilder:validation:Optional // A list of list specs. Lists []ListSpec `json:"lists,omitempty"` + + // +kubebuilder:validation:Optional + // A killer spec. + Killers []KillerSpec `json:"killers,omitempty"` } func (tp *TracingPolicy) TpName() string { diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index d4edad99621..b8ff08c8005 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -319,3 +319,8 @@ type PodInfoList struct { metav1.ListMeta `json:"metadata,omitempty"` Items []PodInfo `json:"items"` } + +type KillerSpec struct { + // syscalls where killer is executed in + Syscalls []string `json:"syscalls"` +} diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go index 4a397c1be55..6cc4449f79b 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go @@ -218,6 +218,27 @@ func (in *KProbeSpec) DeepCopy() *KProbeSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KillerSpec) DeepCopyInto(out *KillerSpec) { + *out = *in + if in.Syscalls != nil { + in, out := &in.Syscalls, &out.Syscalls + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KillerSpec. +func (in *KillerSpec) DeepCopy() *KillerSpec { + if in == nil { + return nil + } + out := new(KillerSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ListSpec) DeepCopyInto(out *ListSpec) { *out = *in 
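Review bot: `KillerSpec` is a new exported type without a doc comment starting with its name, and the field comment `// A killer spec.` on `Killers []KillerSpec` describes one element rather than the list. Suggested: `// KillerSpec configures the killer sensor: the syscalls it attaches to.` above the type in types.go, and `// Killers is a list of killer specs.` on the TracingPolicySpec field; the field comment also feeds the generated `description:` in the CRD YAML hunks, so fixing it once fixes both. The zz_generated.deepcopy.go hunks are generated output and need no review.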
@@ -607,6 +628,13 @@ func (in *TracingPolicySpec) DeepCopyInto(out *TracingPolicySpec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.Killers != nil { + in, out := &in.Killers, &out.Killers + *out = make([]KillerSpec, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index 4b2e31951a4..b8a09a7d678 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -35,6 +35,19 @@ spec: spec: description: Tracing policy specification. properties: + killers: + description: A killer spec. + items: + properties: + syscalls: + description: syscalls where killer is executed in + items: + type: string + type: array + required: + - syscalls + type: object + type: array kprobes: description: A list of kprobe specs. items: diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 86aa9054578..4a7859a743b 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml 
@@ -35,6 +35,19 @@ spec: spec: description: Tracing policy specification. properties: + killers: + description: A killer spec. + items: + properties: + syscalls: + description: syscalls where killer is executed in + items: + type: string + type: array + required: + - syscalls + type: object + type: array kprobes: description: A list of kprobe specs. items: diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go index b22742886c3..0423ae46318 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go @@ -93,6 +93,10 @@ type TracingPolicySpec struct { // +kubebuilder:validation:Optional // A list of list specs. Lists []ListSpec `json:"lists,omitempty"` + + // +kubebuilder:validation:Optional + // A killer spec. + Killers []KillerSpec `json:"killers,omitempty"` } func (tp *TracingPolicy) TpName() string { diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index d4edad99621..b8ff08c8005 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -319,3 +319,8 @@ type PodInfoList struct { metav1.ListMeta `json:"metadata,omitempty"` Items []PodInfo `json:"items"` } + +type KillerSpec struct { + // syscalls where killer is executed in + Syscalls []string `json:"syscalls"` +} diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go index 4a397c1be55..6cc4449f79b 100644 
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go @@ -218,6 +218,27 @@ func (in *KProbeSpec) DeepCopy() *KProbeSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KillerSpec) DeepCopyInto(out *KillerSpec) { + *out = *in + if in.Syscalls != nil { + in, out := &in.Syscalls, &out.Syscalls + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KillerSpec. +func (in *KillerSpec) DeepCopy() *KillerSpec { + if in == nil { + return nil + } + out := new(KillerSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ListSpec) DeepCopyInto(out *ListSpec) { *out = *in @@ -607,6 +628,13 @@ func (in *TracingPolicySpec) DeepCopyInto(out *TracingPolicySpec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.Killers != nil { + in, out := &in.Killers, &out.Killers + *out = make([]KillerSpec, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } From eb7b9b044ed6c58844d142e6fa1a68cb30c1657c Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Sat, 1 Jul 2023 09:57:49 +0000 Subject: [PATCH 06/14] tetragon: Add killer sensor Adding killer sensor that attaches to defined syscalls and overrides them or/and kill the process. Signed-off-by: Jiri Olsa --- pkg/sensors/tracing/generictracepoint.go | 3 + pkg/sensors/tracing/killer.go | 179 +++++++++++++++++++++++ 2 files changed, 182 insertions(+) create mode 100644 pkg/sensors/tracing/killer.go diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go index f8ecf9a84a7..94d1ddaec38 100644 
--- a/pkg/sensors/tracing/generictracepoint.go +++ b/pkg/sensors/tracing/generictracepoint.go @@ -460,6 +460,9 @@ func createGenericTracepointSensor( selNamesMap := program.MapBuilderPin("sel_names_map", sensors.PathJoin(pinPath, "sel_names_map"), prog0) maps = append(maps, selNamesMap) + + killerDataMap := program.MapBuilderPin("killer_data", "killer_data", prog0) + maps = append(maps, killerDataMap) } return &sensors.Sensor{ diff --git a/pkg/sensors/tracing/killer.go b/pkg/sensors/tracing/killer.go new file mode 100644 index 00000000000..6d73581238d --- /dev/null +++ b/pkg/sensors/tracing/killer.go 
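Review bot: `program.MapBuilderPin("killer_data", "killer_data", prog0)` pins under the bare name `"killer_data"` while `sel_names_map` on the line above is pinned under `pinPath`; this looks deliberate, since killer.go in this series pins the same map at the same bare path so the two programs share it, but nothing in the code says so. Add `// killer_data is pinned at a global path, not under pinPath, so it is shared with the killer sensor's program` above the builder call. The two new lines sit inside a block whose condition is outside the hunk and createGenericTracepointSensor starts outside it, so I cannot tell whether a tracepoint policy can reach the NotifyKiller action without this map being added; if it can, the load will fail later with a less obvious error.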
@@ -0,0 +1,179 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Tetragon + +package tracing + +import ( + "fmt" + "path" + "strings" + "sync/atomic" + + "github.com/cilium/tetragon/pkg/arch" + "github.com/cilium/tetragon/pkg/bpf" + "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1" + "github.com/cilium/tetragon/pkg/logger" + "github.com/cilium/tetragon/pkg/option" + "github.com/cilium/tetragon/pkg/policyfilter" + "github.com/cilium/tetragon/pkg/sensors" + "github.com/cilium/tetragon/pkg/sensors/program" + "github.com/cilium/tetragon/pkg/tracingpolicy" +) + +type killerSensor struct{} + +func init() { + killer := &killerSensor{} + sensors.RegisterProbeType("killer", killer) + sensors.RegisterPolicyHandlerAtInit("killer", killerSensor{}) +} + +var ( + configured = false + syscallsSyms []string +) + +func (k killerSensor) PolicyHandler( + policy tracingpolicy.TracingPolicy, + _ policyfilter.PolicyID, +) (*sensors.Sensor, error) { + + spec := policy.TpSpec() + + if len(spec.Lists) > 0 { + err := preValidateLists(spec.Lists) + if err != nil { + return nil, err + } + } + if len(spec.Killers) > 0 { + name := fmt.Sprintf("killer-sensor-%d", atomic.AddUint64(&sensorCounter, 1)) + return createKillerSensor(spec.Killers, spec.Lists, name) + } + + return nil, nil +} + +func loadSingleKillerSensor(bpfDir, mapDir string, load *program.Program, verbose int) error { + if err := program.LoadKprobeProgramAttachMany(bpfDir, mapDir, load, syscallsSyms, verbose); err == nil { + logger.GetLogger().Infof("Loaded killer sensor: %s", load.Attach) + } else { + return err + } + + return nil +} + +func loadMultiKillerSensor(bpfDir, mapDir string, load *program.Program, verbose int) error { + data := &program.MultiKprobeAttachData{} + + for idx := range syscallsSyms { + data.Symbols = append(data.Symbols, syscallsSyms[idx]) + } + + load.SetAttachData(data) + + if err := program.LoadMultiKprobeProgram(bpfDir, mapDir, load, verbose); err != nil { + return err + } + + 
logger.GetLogger().Infof("Loaded killer sensor: %s", load.Attach) + return nil +} + +func (k *killerSensor) LoadProbe(args sensors.LoadProbeArgs) error { + if args.Load.Label == "kprobe/killer" { + return loadSingleKillerSensor(args.BPFDir, args.MapDir, args.Load, args.Verbose) + } + return loadMultiKillerSensor(args.BPFDir, args.MapDir, args.Load, args.Verbose) +} + +func unloadKiller() error { + configured = false + syscallsSyms = []string{} + logger.GetLogger().Infof("Cleaning up killer") + return nil +} + +func createKillerSensor( + killers []v1alpha1.KillerSpec, + lists []v1alpha1.ListSpec, + name string, +) (*sensors.Sensor, error) { + + if len(killers) > 1 { + return nil, fmt.Errorf("failed: we support only single killer sensor") + } + + if configured { + return nil, fmt.Errorf("failed: killer sensor is already configured") + } + + configured = true + + killer := killers[0] + + // get all the syscalls + for idx := range killer.Syscalls { + sym := killer.Syscalls[idx] + if strings.HasPrefix(sym, "list:") { + listName := sym[len("list:"):] + + list := getList(listName, lists) + if list == nil { + return nil, fmt.Errorf("Error list '%s' not found", listName) + } + + if !isSyscallListType(list.Type) { + return nil, fmt.Errorf("Error list '%s' is not syscall type", listName) + } + syscallsSyms = append(syscallsSyms, list.Values...) 
+ continue + } + + pfxSym, err := arch.AddSyscallPrefix(sym) + if err != nil { + return nil, err + } + syscallsSyms = append(syscallsSyms, pfxSym) + } + + // register killer sensor + var load *program.Program + var progs []*program.Program + var maps []*program.Map + + useMulti := !option.Config.DisableKprobeMulti && bpf.HasKprobeMulti() + + attach := fmt.Sprintf("%d syscalls: %s", len(syscallsSyms), syscallsSyms) + prog := sensors.PathJoin(name, "killer_kprobe") + + if useMulti { + load = program.Builder( + path.Join(option.Config.HubbleLib, "bpf_multi_killer.o"), + attach, + "kprobe.multi/killer", + prog, + "killer") + + } else { + load = program.Builder( + path.Join(option.Config.HubbleLib, "bpf_killer.o"), + attach, + "kprobe/killer", + prog, + "killer") + } + + killerDataMap := program.MapBuilderPin("killer_data", "killer_data", load) + + progs = append(progs, load) + maps = append(maps, killerDataMap) + + return &sensors.Sensor{ + Name: "__killer__", + Progs: progs, + Maps: maps, + PostUnloadHook: unloadKiller, + }, nil +} From af2ddf26441f67e84551b60fcb77e764b5f5be47 Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Wed, 21 Jun 2023 10:44:15 +0000 Subject: [PATCH 07/14] tetragon: Add bpf_killer bpf program Adding bpf_killer bpf program that allows to (when attached to syscall) override syscall or kill current process. Signed-off-by: Jiri Olsa --- bpf/Makefile | 9 ++++++++- bpf/process/bpf_killer.c | 28 ++++++++++++++++++++++++++++ bpf/process/bpf_killer.h | 40 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 bpf/process/bpf_killer.c create mode 100644 bpf/process/bpf_killer.h diff --git a/bpf/Makefile b/bpf/Makefile index 9c681384bc4..0301a64cb8c 100644 --- a/bpf/Makefile +++ b/bpf/Makefile 
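Review bot: `createKillerSensor` sets the package-level `configured = true` and starts appending to `syscallsSyms` before the syscall names are resolved, so a policy that references an unknown list, a non-syscall list or an invalid syscall returns an error with `configured` left true and `syscallsSyms` partly filled; no sensor exists, so `unloadKiller` (the PostUnloadHook) never resets them and every later killer policy fails with "already configured". Collect the symbols into a local slice and commit to the package state only after resolution succeeds, as in the excerpt below. Two smaller points: `configured` and `syscallsSyms` are unsynchronized package globals read by both the policy handler and the load path, which should at least be documented (presumably policy handling is serialized; confirm), and `loadSingleKillerSensor` reads more plainly as `if err := program.LoadKprobeProgramAttachMany(...); err != nil { return err }` followed by the log line. List values are appended without `arch.AddSyscallPrefix` while literal names get it; if syscall-type lists are not already prefixed that is a mismatch, which I cannot tell from here.
```go
func createKillerSensor(
	killers []v1alpha1.KillerSpec,
	lists []v1alpha1.ListSpec,
	name string,
) (*sensors.Sensor, error) {

	// … unchanged: len(killers) > 1 and configured checks …

	killer := killers[0]

	// Resolve every syscall name into a local slice first, so that a
	// failure below leaves the package-level state untouched.
	var syms []string
	for idx := range killer.Syscalls {
		sym := killer.Syscalls[idx]
		if strings.HasPrefix(sym, "list:") {
			listName := sym[len("list:"):]

			list := getList(listName, lists)
			if list == nil {
				return nil, fmt.Errorf("Error list '%s' not found", listName)
			}

			if !isSyscallListType(list.Type) {
				return nil, fmt.Errorf("Error list '%s' is not syscall type", listName)
			}
			syms = append(syms, list.Values...)
			continue
		}

		pfxSym, err := arch.AddSyscallPrefix(sym)
		if err != nil {
			return nil, err
		}
		syms = append(syms, pfxSym)
	}

	// Commit only once resolution succeeded; unloadKiller resets both.
	configured = true
	syscallsSyms = syms

	// … unchanged: program builder, killer_data map and sensor construction …
```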
@@ -34,7 +34,8 @@ PROCESS = bpf_execve_event.o bpf_execve_event_v53.o bpf_fork.o bpf_exit.o bpf_ge bpf_generic_tracepoint_v61.o \ bpf_multi_kprobe_v61.o bpf_multi_retkprobe_v61.o \ bpf_generic_uprobe_v61.o \ - bpf_loader.o + bpf_loader.o \ + bpf_killer.o bpf_multi_killer.o CGROUP = bpf_cgroup_mkdir.o bpf_cgroup_rmdir.o bpf_cgroup_release.o BPFTEST = bpf_lseek.o bpf_globals.o @@ -120,6 +121,12 @@ objs/%_v53.ll: $(DEPSDIR)%.d: $(PROCESSDIR)%.c $(CLANG) $(CLANG_FLAGS) -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@ +objs/bpf_multi_killer.ll: process/bpf_killer.c + $(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -D__MULTI_KPROBE -c $< -o $@ + +$(DEPSDIR)/bpf_multi_killer.d: process/bpf_killer.c + $(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -D__MULTI_KPROBE -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@ + $(DEPSDIR)%_v53.d: $(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@ diff --git a/bpf/process/bpf_killer.c b/bpf/process/bpf_killer.c new file mode 100644 index 00000000000..95a4147159f --- /dev/null +++ b/bpf/process/bpf_killer.c @@ -0,0 +1,28 @@ +#include "bpf_killer.h" + +char _license[] __attribute__((section("license"), used)) = "GPL"; + +#ifdef __MULTI_KPROBE +#define MAIN "kprobe.multi/killer" +#else +#define MAIN "kprobe/killer" +#endif + +__attribute__((section(MAIN), used)) int +killer(void *ctx) +{ + __u64 id = get_current_pid_tgid(); + struct killer_data *data; + + data = map_lookup_elem(&killer_data, &id); + if (!data) + return 0; + + if (data->error) + override_return(ctx, data->error); + if (data->signal) + send_signal(data->signal); + + map_delete_elem(&killer_data, &id); + return 0; +} diff --git a/bpf/process/bpf_killer.h b/bpf/process/bpf_killer.h new file mode 100644 index 00000000000..7b4076f2b90 --- /dev/null +++ b/bpf/process/bpf_killer.h 
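Review bot: In `killer()` (bpf_killer.c) the `killer_data` entry keyed by pid_tgid is consumed by whichever killer-attached syscall the thread enters next, not necessarily the one the tracepoint side stored it for; if a NotifyKiller action fires for a syscall that is not in the killer's syscall set, the entry stays in the map and its error/signal is applied to that thread's next covered syscall. Worth documenting at the top of the function: the map protocol (written by `do_killer_action` on the tracepoint side, read-and-deleted here, keyed by pid_tgid) and that correctness relies on the policy's tracepoint selectors and the killer's syscall list covering the same syscalls. The `override_return` and `send_signal` return values are ignored, and `override_return` only takes effect on functions that allow error injection, so a comment that this program is expected to sit on syscall entry functions would help a reader (I cannot see the attach targets from this hunk). The Makefile hunks on this line are build wiring and need no review.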
@@ -0,0 +1,40 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright Authors of Cilium */ + +#ifndef __KILLER_H__ +#define __KILLER_H__ + +#include "vmlinux.h" +#include "bpf_helpers.h" + +struct killer_data { + __s16 error; + __s16 signal; +}; + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 32768); + __type(key, __u64); + __type(value, struct killer_data); +} killer_data SEC(".maps"); + +static inline __attribute__((always_inline)) void +do_killer_action(int error, int signal) +{ + __u64 id = get_current_pid_tgid(); + struct killer_data *ptr, data = { + .error = (__s16)error, + .signal = (__s16)signal, + }; + + ptr = map_lookup_elem(&killer_data, &id); + if (ptr) { + ptr->error = (__s16)error; + ptr->signal = (__s16)signal; + } else { + map_update_elem(&killer_data, &id, &data, BPF_ANY); + } +} + +#endif /* __KILLER_H__ */ From 83af10449038f9af59b2d1c3aca55f2b1935b9e0 Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Mon, 3 Jul 2023 15:43:50 +0000 Subject: [PATCH 08/14] tetragon: Add notify killer action Adding support to notify killer program attached to syscalls with another action spec, like: matchActions: - action: "NotifyKiller" argError: -1 argSig: 9 It's possible to specify error for override and signal number to kill the current process with. Signed-off-by: Jiri Olsa --- bpf/process/bpf_generic_tracepoint.c | 3 ++ bpf/process/types/basic.h | 17 ++++++ pkg/selectors/kernel.go | 80 +++++++++++++++------------- 3 files changed, 63 insertions(+), 37 deletions(-) diff --git a/bpf/process/bpf_generic_tracepoint.c b/bpf/process/bpf_generic_tracepoint.c index efb6b039d1d..b3db429c7d1 100644 --- a/bpf/process/bpf_generic_tracepoint.c +++ b/bpf/process/bpf_generic_tracepoint.c @@ -6,6 +6,9 @@ #include "bpf_event.h" #include "bpf_task.h" + +#define GENERIC_TRACEPOINT + #include "retprobe_map.h" #include "types/operations.h" #include "types/basic.h" 
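Review bot: In `do_killer_action`, the `map_lookup_elem` plus in-place write branch is redundant because the `else` path already calls `map_update_elem` with `BPF_ANY`, which overwrites an existing entry; after building `data` the whole body can be `map_update_elem(&killer_data, &id, &data, BPF_ANY);`. The update's return value is dropped, so once the 32768-entry hash is full the action is silently lost; a comment stating that, or a counter, would make the failure mode visible. A one-line comment on `struct killer_data` that `error` is passed to `override_return` and `signal` to `send_signal`, both truncated to 16 bits here, would also help the Go side that fills them in patch 08.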
diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h index d72520d9bdc..e00e2afa376 100644 --- a/bpf/process/types/basic.h +++ b/bpf/process/types/basic.h @@ -20,6 +20,7 @@ #include "../string_maps.h" #include "common.h" #include "process/data_event.h" +#include "process/bpf_killer.h" /* Type IDs form API with user space generickprobe.go */ enum { @@ -87,6 +88,7 @@ enum { ACTION_SIGNAL = 9, ACTION_TRACKSOCK = 10, ACTION_UNTRACKSOCK = 11, + ACTION_NOTIFY_KILLER = 12, }; enum { @@ -1968,6 +1970,16 @@ struct { __uint(value_size, sizeof(__u64) * PERF_MAX_STACK_DEPTH); } stack_trace_map SEC(".maps"); +#ifdef GENERIC_TRACEPOINT +static inline __attribute__((always_inline)) void +do_action_notify_killer(int error, int signal) +{ + do_killer_action(error, signal); +} +#else +#define do_action_notify_killer(error, signal) +#endif + static inline __attribute__((always_inline)) __u32 do_action(void *ctx, __u32 i, struct msg_generic_kprobe *e, struct selector_action *actions, struct bpf_map_def *override_tasks, bool *post) @@ -2050,6 +2062,11 @@ do_action(void *ctx, __u32 i, struct msg_generic_kprobe *e, socki = actions->act[++i]; err = tracksock(e, socki, action == ACTION_TRACKSOCK); break; + case ACTION_NOTIFY_KILLER: + error = actions->act[++i]; + signal = actions->act[++i]; + do_action_notify_killer(error, signal); + break; default: break; } diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go index f94b23b92c4..d91597a2a46 100644 --- a/pkg/selectors/kernel.go +++ b/pkg/selectors/kernel.go 
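Review bot: In the non-`GENERIC_TRACEPOINT` build `do_action_notify_killer(error, signal)` expands to nothing, so a kprobe or uprobe policy that specifies `notifykiller` is accepted, consumes its two selector arguments in the new `ACTION_NOTIFY_KILLER` case, and then does nothing at runtime with no indication to the user. Either reject the action for non-tracepoint selectors in user space, or at minimum document it next to the `#else` branch: `/* NotifyKiller is only meaningful on the sys_enter tracepoint; a no-op elsewhere */`. The empty macro should also expand to a statement, `#define do_action_notify_killer(error, signal) do { } while (0)`, so the dangling `;` does not trip empty-body warnings later. `error` and `signal` are assigned in the new case without visible declarations; presumably they are the locals already used by the override and signal cases above the hunk (do_action starts outside it), so confirm.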
@@ -19,49 +19,52 @@ import ( ) const ( - ActionTypeInvalid = -1 - ActionTypePost = 0 - ActionTypeFollowFd = 1 - ActionTypeSigKill = 2 - ActionTypeUnfollowFd = 3 - ActionTypeOverride = 4 - ActionTypeCopyFd = 5 - ActionTypeGetUrl = 6 - ActionTypeDnsLookup = 7 - ActionTypeNoPost = 8 - ActionTypeSignal = 9 - ActionTypeTrackSock = 10 - ActionTypeUntrackSock = 11 + ActionTypeInvalid = -1 + ActionTypePost = 0 + ActionTypeFollowFd = 1 + ActionTypeSigKill = 2 + ActionTypeUnfollowFd = 3 + ActionTypeOverride = 4 + ActionTypeCopyFd = 5 + ActionTypeGetUrl = 6 + ActionTypeDnsLookup = 7 + ActionTypeNoPost = 8 + ActionTypeSignal = 9 + ActionTypeTrackSock = 10 + ActionTypeUntrackSock = 11 + ActionTypeNotifyKiller = 12 ) var actionTypeTable = map[string]uint32{ - "post": ActionTypePost, - "followfd": ActionTypeFollowFd, - "unfollowfd": ActionTypeUnfollowFd, - "sigkill": ActionTypeSigKill, - "override": ActionTypeOverride, - "copyfd": ActionTypeCopyFd, - "geturl": ActionTypeGetUrl, - "dnslookup": ActionTypeDnsLookup, - "nopost": ActionTypeNoPost, - "signal": ActionTypeSignal, - "tracksock": ActionTypeTrackSock, - "untracksock": ActionTypeUntrackSock, + "post": ActionTypePost, + "followfd": ActionTypeFollowFd, + "unfollowfd": ActionTypeUnfollowFd, + "sigkill": ActionTypeSigKill, + "override": ActionTypeOverride, + "copyfd": ActionTypeCopyFd, + "geturl": ActionTypeGetUrl, + "dnslookup": ActionTypeDnsLookup, + "nopost": ActionTypeNoPost, + "signal": ActionTypeSignal, + "tracksock": ActionTypeTrackSock, + "untracksock": ActionTypeUntrackSock, + "notifykiller": ActionTypeNotifyKiller, } var actionTypeStringTable = map[uint32]string{ - ActionTypePost: "post", - ActionTypeFollowFd: "followfd", - ActionTypeUnfollowFd: "unfollowfd", - ActionTypeSigKill: "sigkill", - ActionTypeOverride: "override", - ActionTypeCopyFd: "copyfd", - ActionTypeGetUrl: "geturl", - ActionTypeDnsLookup: "dnslookup", - ActionTypeNoPost: "nopost", - ActionTypeSignal: "signal", - ActionTypeTrackSock: "tracksock", - 
ActionTypeUntrackSock: "untracksock", + ActionTypePost: "post", + ActionTypeFollowFd: "followfd", + ActionTypeUnfollowFd: "unfollowfd", + ActionTypeSigKill: "sigkill", + ActionTypeOverride: "override", + ActionTypeCopyFd: "copyfd", + ActionTypeGetUrl: "geturl", + ActionTypeDnsLookup: "dnslookup", + ActionTypeNoPost: "nopost", + ActionTypeSignal: "signal", + ActionTypeTrackSock: "tracksock", + ActionTypeUntrackSock: "untracksock", + ActionTypeNotifyKiller: "notifykiller", } // Action argument table entry (for URL and FQDN arguments) @@ -953,6 +956,9 @@ func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, a case ActionTypeSigKill: // no arguments // NB: we should deprecate this action and just use ActionTypeSignal with SIGKILL + case ActionTypeNotifyKiller: + WriteSelectorInt32(k, action.ArgError) + WriteSelectorUint32(k, action.ArgSig) default: return fmt.Errorf("ParseMatchAction: act %d (%s) is missing a handler", act, actionTypeStringTable[act]) } From a62464dec16959968ea6b1ecee09d1f297074f37 Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Mon, 2 Oct 2023 09:29:00 -0400 Subject: [PATCH 09/14] tetragon: Add NotifyKiller to Action kubebuilder:validation enum So we can use it through kubectl. Signed-off-by: Jiri Olsa --- .../client/crds/v1alpha1/cilium.io_tracingpolicies.yaml | 3 +++ .../crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml | 3 +++ pkg/k8s/apis/cilium.io/v1alpha1/types.go | 2 +- .../client/crds/v1alpha1/cilium.io_tracingpolicies.yaml | 3 +++ .../crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml | 3 +++ .../cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go | 2 +- 6 files changed, 14 insertions(+), 2 deletions(-) diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index b8a09a7d678..ec761c98e89 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml 
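Review bot: The new `case ActionTypeNotifyKiller` writes `action.ArgError` and `action.ArgSig` straight into the selector without any range check, while the BPF side narrows both to `__s16` in `do_killer_action`, so an `argSig` above 32767 or an `argError` outside the int16 range is silently truncated into a different signal or errno than the policy author wrote. Since this is where user-supplied policy becomes an enforcement decision, reject out-of-range values here, e.g. `if action.ArgSig > 64 { return fmt.Errorf("ParseMatchAction: NotifyKiller: invalid signal %d", action.ArgSig) }` plus a matching bound check on `ArgError`; the Override and Signal cases above may already have checks to reuse, but they are outside the hunk. `ParseMatchAction` starts before this hunk.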
+++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -240,6 +240,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -773,6 +774,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -1145,6 +1147,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 4a7859a743b..ce8c9faaba1 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -240,6 +240,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -773,6 +774,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -1145,6 +1147,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index b8ff08c8005..c202953245c 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go 
@@ -184,7 +184,7 @@ type ArgSelector struct { } type ActionSelector struct { - // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock + // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyKiller // Action to execute. Action string `json:"action"` // +kubebuilder:validation:Optional diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index b8a09a7d678..ec761c98e89 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -240,6 +240,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -773,6 +774,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -1145,6 +1147,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 4a7859a743b..ce8c9faaba1 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml 
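Review bot: The enum marker now admits `NotifyKiller`, but the `ArgError`/`ArgSig` fields it depends on keep their override/signal-only documentation — the regenerated CRD in the sibling hunks still describes `argError` as `error value for override action`. Update the kubebuilder doc comments on those fields (presumably just below this hunk) to name the new consumer, e.g. `// error value for override and NotifyKiller actions`, and do the same for `ArgSig` if it is documented the same way. The `ActionSelector` struct continues outside the hunk.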
@@ -240,6 +240,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -773,6 +774,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action @@ -1145,6 +1147,7 @@ spec: - Signal - TrackSock - UntrackSock + - NotifyKiller type: string argError: description: error value for override action diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index b8ff08c8005..c202953245c 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -184,7 +184,7 @@ type ArgSelector struct { } type ActionSelector struct { - // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock + // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyKiller // Action to execute. Action string `json:"action"` // +kubebuilder:validation:Optional From da8e13524e22cc8fdd2434a41dd877b171b05fd7 Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Wed, 21 Jun 2023 11:00:45 +0000 Subject: [PATCH 10/14] tetragon: Add example killer policy Adding example killer policy that setups sys_enter raw syscalls and add filter for sys_dup and sys_dup2 syscalls plus match for /usr/bin/bash binary and kill it through killer. Signed-off-by: Jiri Olsa --- examples/tracingpolicy/killer.yaml | 34 ++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 examples/tracingpolicy/killer.yaml diff --git a/examples/tracingpolicy/killer.yaml b/examples/tracingpolicy/killer.yaml new file mode 100644 index 00000000000..cc32c13327b --- /dev/null +++ b/examples/tracingpolicy/killer.yaml 
@@ -0,0 +1,34 @@ +apiVersion: cilium.io/v1alpha1 +kind: TracingPolicy +metadata: + name: "kill-syscalls" +spec: + lists: + - name: "dups" + type: "syscalls" + values: + - "sys_dup" + - "sys_dup2" + killers: + - syscalls: + - "list:dups" + tracepoints: + - subsystem: "raw_syscalls" + event: "sys_enter" + args: + - index: 4 + type: "uint64" + selectors: + - matchArgs: + - index: 0 + operator: "InMap" + values: + - "list:dups" + matchBinaries: + - operator: "In" + values: + - "/usr/bin/bash" + matchActions: + - action: "NotifyKiller" + argError: -1 + argSig: 9 From 8181f8e4529187bb93d7cc6a0b6df07a474bd42d Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Mon, 2 Oct 2023 13:15:24 -0400 Subject: [PATCH 11/14] tetragon: Add action field to tracepoint event Adding action field to tracepoint event, so it's available in the event in case the action is triggered. Signed-off-by: Jiri Olsa --- api/v1/README.md | 1 + .../codegen/eventchecker/eventchecker.pb.go | 14 +++++ api/v1/tetragon/tetragon.pb.go | 51 ++++++++++++------- api/v1/tetragon/tetragon.proto | 2 + .../tetragon/api/v1/tetragon/tetragon.pb.go | 51 ++++++++++++------- .../tetragon/api/v1/tetragon/tetragon.proto | 2 + docs/content/en/docs/reference/grpc-api.md | 1 + .../codegen/eventchecker/eventchecker.pb.go | 14 +++++ .../tetragon/api/v1/tetragon/tetragon.pb.go | 51 ++++++++++++------- .../tetragon/api/v1/tetragon/tetragon.proto | 2 + 10 files changed, 132 insertions(+), 57 deletions(-) diff --git a/api/v1/README.md b/api/v1/README.md index 10ef1ca93b7..cbf698ab1a5 100644 --- a/api/v1/README.md +++ b/api/v1/README.md 
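Review bot: The example carries no comments although it relies on a coupling that is easy to break: judging by the series description, `NotifyKiller` only takes effect for the syscalls enumerated under `killers.syscalls`, and here that list (`list:dups`) must stay identical to the one the `InMap` selector matches on. A comment above `killers:` such as `# The killer program is attached only to these syscalls; keep this list in sync with the matchArgs selector below` and one above `matchActions:` such as `# argError (-1, i.e. -EPERM) is presumably the value the blocked syscall returns; argSig 9 is SIGKILL` would make the intent clear. The `matchBinaries` entry is a literal path, so on systems where bash lives at `/bin/bash` the policy matches nothing — worth a note in the example as well.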
@@ -826,6 +826,7 @@ loader sensor event triggered for loaded binary/library | event | [string](#string) | | Event of the subsystem. | | args | [KprobeArgument](#tetragon-KprobeArgument) | repeated | Arguments definition of the observed tracepoint. TODO: once we implement all we want, rename KprobeArgument to GenericArgument | | policy_name | [string](#string) | | Name of the policy that created that tracepoint. | +| action | [KprobeAction](#tetragon-KprobeAction) | | Action performed when the tracepoint matched. | diff --git a/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go b/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go index e148e5f4076..01c8c5fdcef 100644 --- a/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go +++ b/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go @@ -1098,6 +1098,7 @@ type ProcessTracepointChecker struct { Event *stringmatcher.StringMatcher `json:"event,omitempty"` Args *KprobeArgumentListMatcher `json:"args,omitempty"` PolicyName *stringmatcher.StringMatcher `json:"policyName,omitempty"` + Action *KprobeActionChecker `json:"action,omitempty"` } // CheckEvent checks a single event and implements the EventChecker interface @@ -1169,6 +1170,11 @@ func (checker *ProcessTracepointChecker) Check(event *tetragon.ProcessTracepoint return fmt.Errorf("PolicyName check failed: %w", err) } } + if checker.Action != nil { + if err := checker.Action.Check(&event.Action); err != nil { + return fmt.Errorf("Action check failed: %w", err) + } + } return nil } if err := fieldChecks(); err != nil { 
@@ -1213,6 +1219,13 @@ func (checker *ProcessTracepointChecker) WithPolicyName(check *stringmatcher.Str return checker } +// WithAction adds a Action check to the ProcessTracepointChecker +func (checker *ProcessTracepointChecker) WithAction(check tetragon.KprobeAction) *ProcessTracepointChecker { + wrappedCheck := KprobeActionChecker(check) + checker.Action = &wrappedCheck + return checker +} + //FromProcessTracepoint populates the ProcessTracepointChecker using data from a ProcessTracepoint event func (checker *ProcessTracepointChecker) FromProcessTracepoint(event *tetragon.ProcessTracepoint) *ProcessTracepointChecker { if event == nil { @@ -1240,6 +1253,7 @@ func (checker *ProcessTracepointChecker) FromProcessTracepoint(event *tetragon.P checker.Args = lm } checker.PolicyName = stringmatcher.Full(event.PolicyName) + checker.Action = NewKprobeActionChecker(event.Action) return checker } diff --git a/api/v1/tetragon/tetragon.pb.go b/api/v1/tetragon/tetragon.pb.go index 1cb30f66715..3e1252b4d6a 100644 --- a/api/v1/tetragon/tetragon.pb.go +++ b/api/v1/tetragon/tetragon.pb.go @@ -2813,6 +2813,8 @@ type ProcessTracepoint struct { Args []*KprobeArgument `protobuf:"bytes,6,rep,name=args,proto3" json:"args,omitempty"` // Name of the policy that created that tracepoint. PolicyName string `protobuf:"bytes,7,opt,name=policy_name,json=policyName,proto3" json:"policy_name,omitempty"` + // Action performed when the tracepoint matched. + Action KprobeAction `protobuf:"varint,8,opt,name=action,proto3,enum=tetragon.KprobeAction" json:"action,omitempty"` } func (x *ProcessTracepoint) Reset() { @@ -2889,6 +2891,13 @@ func (x *ProcessTracepoint) GetPolicyName() string { return "" } +func (x *ProcessTracepoint) GetAction() KprobeAction { + if x != nil { + return x.Action + } + return KprobeAction_KPROBE_ACTION_UNKNOWN +} + type ProcessUprobe struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -3991,8 +4000,8 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x63, 0x6b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xe8, - 0x01, 0x0a, 0x11, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, + 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x98, + 0x02, 0x0a, 0x11, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x2b, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 
@@ -4006,7 +4015,10 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x67, 0x6f, 0x6e, 0x2e, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x72, 0x67, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x52, 0x04, 0x61, 0x72, 0x67, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xb4, 0x01, 0x0a, 0x0d, 0x50, 0x72, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x2e, 0x0a, 0x06, 0x61, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x65, 0x74, 0x72, + 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xb4, 0x01, 0x0a, 0x0d, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x2b, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 
@@ -4288,22 +4300,23 @@ var file_tetragon_tetragon_proto_depIdxs = []int32{ 13, // 79: tetragon.ProcessTracepoint.process:type_name -> tetragon.Process 13, // 80: tetragon.ProcessTracepoint.parent:type_name -> tetragon.Process 27, // 81: tetragon.ProcessTracepoint.args:type_name -> tetragon.KprobeArgument - 13, // 82: tetragon.ProcessUprobe.process:type_name -> tetragon.Process - 13, // 83: tetragon.ProcessUprobe.parent:type_name -> tetragon.Process - 48, // 84: tetragon.KernelModule.signature_ok:type_name -> google.protobuf.BoolValue - 3, // 85: tetragon.KernelModule.tainted:type_name -> tetragon.TaintedBitsType - 1, // 86: tetragon.GetHealthStatusRequest.event_set:type_name -> tetragon.HealthStatusType - 1, // 87: tetragon.HealthStatus.event:type_name -> tetragon.HealthStatusType - 2, // 88: tetragon.HealthStatus.status:type_name -> tetragon.HealthStatusResult - 34, // 89: tetragon.GetHealthStatusResponse.health_status:type_name -> tetragon.HealthStatus - 13, // 90: tetragon.ProcessLoader.process:type_name -> tetragon.Process - 39, // 91: tetragon.RuntimeHookRequest.createContainer:type_name -> tetragon.CreateContainer - 42, // 92: tetragon.CreateContainer.annotations:type_name -> tetragon.CreateContainer.AnnotationsEntry - 93, // [93:93] is the sub-list for method output_type - 93, // [93:93] is the sub-list for method input_type - 93, // [93:93] is the sub-list for extension type_name - 93, // [93:93] is the sub-list for extension extendee - 0, // [0:93] is the sub-list for field type_name + 0, // 82: tetragon.ProcessTracepoint.action:type_name -> tetragon.KprobeAction + 13, // 83: tetragon.ProcessUprobe.process:type_name -> tetragon.Process + 13, // 84: tetragon.ProcessUprobe.parent:type_name -> tetragon.Process + 48, // 85: tetragon.KernelModule.signature_ok:type_name -> google.protobuf.BoolValue + 3, // 86: tetragon.KernelModule.tainted:type_name -> tetragon.TaintedBitsType + 1, // 87: tetragon.GetHealthStatusRequest.event_set:type_name -> 
tetragon.HealthStatusType + 1, // 88: tetragon.HealthStatus.event:type_name -> tetragon.HealthStatusType + 2, // 89: tetragon.HealthStatus.status:type_name -> tetragon.HealthStatusResult + 34, // 90: tetragon.GetHealthStatusResponse.health_status:type_name -> tetragon.HealthStatus + 13, // 91: tetragon.ProcessLoader.process:type_name -> tetragon.Process + 39, // 92: tetragon.RuntimeHookRequest.createContainer:type_name -> tetragon.CreateContainer + 42, // 93: tetragon.CreateContainer.annotations:type_name -> tetragon.CreateContainer.AnnotationsEntry + 94, // [94:94] is the sub-list for method output_type + 94, // [94:94] is the sub-list for method input_type + 94, // [94:94] is the sub-list for extension type_name + 94, // [94:94] is the sub-list for extension extendee + 0, // [0:94] is the sub-list for field type_name } func init() { file_tetragon_tetragon_proto_init() } diff --git a/api/v1/tetragon/tetragon.proto b/api/v1/tetragon/tetragon.proto index 6597d98c08e..b405cc4b887 100644 --- a/api/v1/tetragon/tetragon.proto +++ b/api/v1/tetragon/tetragon.proto @@ -439,6 +439,8 @@ message ProcessTracepoint { repeated KprobeArgument args = 6; // Name of the policy that created that tracepoint. string policy_name = 7; + // Action performed when the tracepoint matched. + KprobeAction action = 8; } message ProcessUprobe { diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go index 1cb30f66715..3e1252b4d6a 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go +++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go 
@@ -2813,6 +2813,8 @@ type ProcessTracepoint struct { Args []*KprobeArgument `protobuf:"bytes,6,rep,name=args,proto3" json:"args,omitempty"` // Name of the policy that created that tracepoint. PolicyName string `protobuf:"bytes,7,opt,name=policy_name,json=policyName,proto3" json:"policy_name,omitempty"` + // Action performed when the tracepoint matched. + Action KprobeAction `protobuf:"varint,8,opt,name=action,proto3,enum=tetragon.KprobeAction" json:"action,omitempty"` } func (x *ProcessTracepoint) Reset() { @@ -2889,6 +2891,13 @@ func (x *ProcessTracepoint) GetPolicyName() string { return "" } +func (x *ProcessTracepoint) GetAction() KprobeAction { + if x != nil { + return x.Action + } + return KprobeAction_KPROBE_ACTION_UNKNOWN +} + type ProcessUprobe struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -3991,8 +4000,8 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x63, 0x6b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xe8, - 0x01, 0x0a, 0x11, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, + 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x98, + 0x02, 0x0a, 0x11, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x2b, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 
@@ -4006,7 +4015,10 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x67, 0x6f, 0x6e, 0x2e, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x72, 0x67, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x52, 0x04, 0x61, 0x72, 0x67, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xb4, 0x01, 0x0a, 0x0d, 0x50, 0x72, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x2e, 0x0a, 0x06, 0x61, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x65, 0x74, 0x72, + 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xb4, 0x01, 0x0a, 0x0d, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x2b, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 
@@ -4288,22 +4300,23 @@ var file_tetragon_tetragon_proto_depIdxs = []int32{ 13, // 79: tetragon.ProcessTracepoint.process:type_name -> tetragon.Process 13, // 80: tetragon.ProcessTracepoint.parent:type_name -> tetragon.Process 27, // 81: tetragon.ProcessTracepoint.args:type_name -> tetragon.KprobeArgument - 13, // 82: tetragon.ProcessUprobe.process:type_name -> tetragon.Process - 13, // 83: tetragon.ProcessUprobe.parent:type_name -> tetragon.Process - 48, // 84: tetragon.KernelModule.signature_ok:type_name -> google.protobuf.BoolValue - 3, // 85: tetragon.KernelModule.tainted:type_name -> tetragon.TaintedBitsType - 1, // 86: tetragon.GetHealthStatusRequest.event_set:type_name -> tetragon.HealthStatusType - 1, // 87: tetragon.HealthStatus.event:type_name -> tetragon.HealthStatusType - 2, // 88: tetragon.HealthStatus.status:type_name -> tetragon.HealthStatusResult - 34, // 89: tetragon.GetHealthStatusResponse.health_status:type_name -> tetragon.HealthStatus - 13, // 90: tetragon.ProcessLoader.process:type_name -> tetragon.Process - 39, // 91: tetragon.RuntimeHookRequest.createContainer:type_name -> tetragon.CreateContainer - 42, // 92: tetragon.CreateContainer.annotations:type_name -> tetragon.CreateContainer.AnnotationsEntry - 93, // [93:93] is the sub-list for method output_type - 93, // [93:93] is the sub-list for method input_type - 93, // [93:93] is the sub-list for extension type_name - 93, // [93:93] is the sub-list for extension extendee - 0, // [0:93] is the sub-list for field type_name + 0, // 82: tetragon.ProcessTracepoint.action:type_name -> tetragon.KprobeAction + 13, // 83: tetragon.ProcessUprobe.process:type_name -> tetragon.Process + 13, // 84: tetragon.ProcessUprobe.parent:type_name -> tetragon.Process + 48, // 85: tetragon.KernelModule.signature_ok:type_name -> google.protobuf.BoolValue + 3, // 86: tetragon.KernelModule.tainted:type_name -> tetragon.TaintedBitsType + 1, // 87: tetragon.GetHealthStatusRequest.event_set:type_name -> 
tetragon.HealthStatusType + 1, // 88: tetragon.HealthStatus.event:type_name -> tetragon.HealthStatusType + 2, // 89: tetragon.HealthStatus.status:type_name -> tetragon.HealthStatusResult + 34, // 90: tetragon.GetHealthStatusResponse.health_status:type_name -> tetragon.HealthStatus + 13, // 91: tetragon.ProcessLoader.process:type_name -> tetragon.Process + 39, // 92: tetragon.RuntimeHookRequest.createContainer:type_name -> tetragon.CreateContainer + 42, // 93: tetragon.CreateContainer.annotations:type_name -> tetragon.CreateContainer.AnnotationsEntry + 94, // [94:94] is the sub-list for method output_type + 94, // [94:94] is the sub-list for method input_type + 94, // [94:94] is the sub-list for extension type_name + 94, // [94:94] is the sub-list for extension extendee + 0, // [0:94] is the sub-list for field type_name } func init() { file_tetragon_tetragon_proto_init() } diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto index 6597d98c08e..b405cc4b887 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto +++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto @@ -439,6 +439,8 @@ message ProcessTracepoint { repeated KprobeArgument args = 6; // Name of the policy that created that tracepoint. string policy_name = 7; + // Action performed when the tracepoint matched. + KprobeAction action = 8; } message ProcessUprobe { diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md index d731052e902..b783bd6d813 100644 --- a/docs/content/en/docs/reference/grpc-api.md +++ b/docs/content/en/docs/reference/grpc-api.md 
@@ -495,6 +495,7 @@ loader sensor event triggered for loaded binary/library | event | [string](#string) | | Event of the subsystem. | | args | [KprobeArgument](#tetragon-KprobeArgument) | repeated | Arguments definition of the observed tracepoint. TODO: once we implement all we want, rename KprobeArgument to GenericArgument | | policy_name | [string](#string) | | Name of the policy that created that tracepoint. | +| action | [KprobeAction](#tetragon-KprobeAction) | | Action performed when the tracepoint matched. | diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go index e148e5f4076..01c8c5fdcef 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go @@ -1098,6 +1098,7 @@ type ProcessTracepointChecker struct { Event *stringmatcher.StringMatcher `json:"event,omitempty"` Args *KprobeArgumentListMatcher `json:"args,omitempty"` PolicyName *stringmatcher.StringMatcher `json:"policyName,omitempty"` + Action *KprobeActionChecker `json:"action,omitempty"` } // CheckEvent checks a single event and implements the EventChecker interface @@ -1169,6 +1170,11 @@ func (checker *ProcessTracepointChecker) Check(event *tetragon.ProcessTracepoint return fmt.Errorf("PolicyName check failed: %w", err) } } + if checker.Action != nil { + if err := checker.Action.Check(&event.Action); err != nil { + return fmt.Errorf("Action check failed: %w", err) + } + } return nil } if err := fieldChecks(); err != nil { 
@@ -1213,6 +1219,13 @@ func (checker *ProcessTracepointChecker) WithPolicyName(check *stringmatcher.Str return checker } +// WithAction adds a Action check to the ProcessTracepointChecker +func (checker *ProcessTracepointChecker) WithAction(check tetragon.KprobeAction) *ProcessTracepointChecker { + wrappedCheck := KprobeActionChecker(check) + checker.Action = &wrappedCheck + return checker +} + //FromProcessTracepoint populates the ProcessTracepointChecker using data from a ProcessTracepoint event func (checker *ProcessTracepointChecker) FromProcessTracepoint(event *tetragon.ProcessTracepoint) *ProcessTracepointChecker { if event == nil { @@ -1240,6 +1253,7 @@ func (checker *ProcessTracepointChecker) FromProcessTracepoint(event *tetragon.P checker.Args = lm } checker.PolicyName = stringmatcher.Full(event.PolicyName) + checker.Action = NewKprobeActionChecker(event.Action) return checker } diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go index 1cb30f66715..3e1252b4d6a 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go @@ -2813,6 +2813,8 @@ type ProcessTracepoint struct { Args []*KprobeArgument `protobuf:"bytes,6,rep,name=args,proto3" json:"args,omitempty"` // Name of the policy that created that tracepoint. PolicyName string `protobuf:"bytes,7,opt,name=policy_name,json=policyName,proto3" json:"policy_name,omitempty"` + // Action performed when the tracepoint matched. + Action KprobeAction `protobuf:"varint,8,opt,name=action,proto3,enum=tetragon.KprobeAction" json:"action,omitempty"` } func (x *ProcessTracepoint) Reset() { 
@@ -2889,6 +2891,13 @@ func (x *ProcessTracepoint) GetPolicyName() string { return "" } +func (x *ProcessTracepoint) GetAction() KprobeAction { + if x != nil { + return x.Action + } + return KprobeAction_KPROBE_ACTION_UNKNOWN +} + type ProcessUprobe struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -3991,8 +4000,8 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x63, 0x6b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x54, 0x72, 0x61, 0x63, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xe8, - 0x01, 0x0a, 0x11, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, + 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x98, + 0x02, 0x0a, 0x11, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x54, 0x72, 0x61, 0x63, 0x65, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x2b, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 
@@ -4006,7 +4015,10 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x67, 0x6f, 0x6e, 0x2e, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x72, 0x67, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x52, 0x04, 0x61, 0x72, 0x67, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xb4, 0x01, 0x0a, 0x0d, 0x50, 0x72, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x2e, 0x0a, 0x06, 0x61, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x65, 0x74, 0x72, + 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xb4, 0x01, 0x0a, 0x0d, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x55, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x2b, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 
@@ -4288,22 +4300,23 @@ var file_tetragon_tetragon_proto_depIdxs = []int32{ 13, // 79: tetragon.ProcessTracepoint.process:type_name -> tetragon.Process 13, // 80: tetragon.ProcessTracepoint.parent:type_name -> tetragon.Process 27, // 81: tetragon.ProcessTracepoint.args:type_name -> tetragon.KprobeArgument - 13, // 82: tetragon.ProcessUprobe.process:type_name -> tetragon.Process - 13, // 83: tetragon.ProcessUprobe.parent:type_name -> tetragon.Process - 48, // 84: tetragon.KernelModule.signature_ok:type_name -> google.protobuf.BoolValue - 3, // 85: tetragon.KernelModule.tainted:type_name -> tetragon.TaintedBitsType - 1, // 86: tetragon.GetHealthStatusRequest.event_set:type_name -> tetragon.HealthStatusType - 1, // 87: tetragon.HealthStatus.event:type_name -> tetragon.HealthStatusType - 2, // 88: tetragon.HealthStatus.status:type_name -> tetragon.HealthStatusResult - 34, // 89: tetragon.GetHealthStatusResponse.health_status:type_name -> tetragon.HealthStatus - 13, // 90: tetragon.ProcessLoader.process:type_name -> tetragon.Process - 39, // 91: tetragon.RuntimeHookRequest.createContainer:type_name -> tetragon.CreateContainer - 42, // 92: tetragon.CreateContainer.annotations:type_name -> tetragon.CreateContainer.AnnotationsEntry - 93, // [93:93] is the sub-list for method output_type - 93, // [93:93] is the sub-list for method input_type - 93, // [93:93] is the sub-list for extension type_name - 93, // [93:93] is the sub-list for extension extendee - 0, // [0:93] is the sub-list for field type_name + 0, // 82: tetragon.ProcessTracepoint.action:type_name -> tetragon.KprobeAction + 13, // 83: tetragon.ProcessUprobe.process:type_name -> tetragon.Process + 13, // 84: tetragon.ProcessUprobe.parent:type_name -> tetragon.Process + 48, // 85: tetragon.KernelModule.signature_ok:type_name -> google.protobuf.BoolValue + 3, // 86: tetragon.KernelModule.tainted:type_name -> tetragon.TaintedBitsType + 1, // 87: tetragon.GetHealthStatusRequest.event_set:type_name -> 
tetragon.HealthStatusType + 1, // 88: tetragon.HealthStatus.event:type_name -> tetragon.HealthStatusType + 2, // 89: tetragon.HealthStatus.status:type_name -> tetragon.HealthStatusResult + 34, // 90: tetragon.GetHealthStatusResponse.health_status:type_name -> tetragon.HealthStatus + 13, // 91: tetragon.ProcessLoader.process:type_name -> tetragon.Process + 39, // 92: tetragon.RuntimeHookRequest.createContainer:type_name -> tetragon.CreateContainer + 42, // 93: tetragon.CreateContainer.annotations:type_name -> tetragon.CreateContainer.AnnotationsEntry + 94, // [94:94] is the sub-list for method output_type + 94, // [94:94] is the sub-list for method input_type + 94, // [94:94] is the sub-list for extension type_name + 94, // [94:94] is the sub-list for extension extendee + 0, // [0:94] is the sub-list for field type_name } func init() { file_tetragon_tetragon_proto_init() } diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto index 6597d98c08e..b405cc4b887 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto @@ -439,6 +439,8 @@ message ProcessTracepoint { repeated KprobeArgument args = 6; // Name of the policy that created that tracepoint. string policy_name = 7; + // Action performed when the tracepoint matched. + KprobeAction action = 8; } message ProcessUprobe { From d2965c52cf856fee1e874c0c1aeae0b5ab6bbcff Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Mon, 2 Oct 2023 13:20:20 -0400 Subject: [PATCH 12/14] tetragon: Update kprobe/tracepoint event action definitions Catching up with kprobe/tracepoint event action enum definitions. 
Signed-off-by: Jiri Olsa --- api/v1/README.md | 3 + api/v1/tetragon/tetragon.pb.go | 105 ++++++++++-------- api/v1/tetragon/tetragon.proto | 6 + .../tetragon/api/v1/tetragon/tetragon.pb.go | 105 ++++++++++-------- .../tetragon/api/v1/tetragon/tetragon.proto | 6 + docs/content/en/docs/reference/grpc-api.md | 3 + pkg/api/tracingapi/client_kprobe.go | 23 ++-- pkg/grpc/tracing/tracing.go | 8 ++ pkg/sensors/tracing/generictracepoint.go | 1 + .../tetragon/api/v1/tetragon/tetragon.pb.go | 105 ++++++++++-------- .../tetragon/api/v1/tetragon/tetragon.proto | 6 + 11 files changed, 229 insertions(+), 142 deletions(-) diff --git a/api/v1/README.md b/api/v1/README.md index cbf698ab1a5..20936476d10 100644 --- a/api/v1/README.md +++ b/api/v1/README.md @@ -976,6 +976,9 @@ RuntimeHookRequest synchronously propagates information to the agent about run-t | KPROBE_ACTION_DNSLOOKUP | 8 | GetURL action issue a DNS lookup against an URL from userspace. | | KPROBE_ACTION_NOPOST | 9 | NoPost action suppresses the transmission of the event to userspace. | | KPROBE_ACTION_SIGNAL | 10 | Signal action sends specified signal to the process. | +| KPROBE_ACTION_TRACKSOCK | 11 | TrackSock action tracks socket. | +| KPROBE_ACTION_UNTRACKSOCK | 12 | UntrackSock action un-tracks socket. | +| KPROBE_ACTION_NOTIFYKILLER | 13 | NotifyKiller action notifies killer sensor. | diff --git a/api/v1/tetragon/tetragon.pb.go b/api/v1/tetragon/tetragon.pb.go index 3e1252b4d6a..1caa364382f 100644 --- a/api/v1/tetragon/tetragon.pb.go +++ b/api/v1/tetragon/tetragon.pb.go 
@@ -51,6 +51,12 @@ const ( KprobeAction_KPROBE_ACTION_NOPOST KprobeAction = 9 // Signal action sends specified signal to the process. KprobeAction_KPROBE_ACTION_SIGNAL KprobeAction = 10 + // TrackSock action tracks socket. + KprobeAction_KPROBE_ACTION_TRACKSOCK KprobeAction = 11 + // UntrackSock action un-tracks socket. + KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12 + // NotifyKiller action notifies killer sensor. + KprobeAction_KPROBE_ACTION_NOTIFYKILLER KprobeAction = 13 ) // Enum value maps for KprobeAction. @@ -67,19 +73,25 @@ var ( 8: "KPROBE_ACTION_DNSLOOKUP", 9: "KPROBE_ACTION_NOPOST", 10: "KPROBE_ACTION_SIGNAL", + 11: "KPROBE_ACTION_TRACKSOCK", + 12: "KPROBE_ACTION_UNTRACKSOCK", + 13: "KPROBE_ACTION_NOTIFYKILLER", } KprobeAction_value = map[string]int32{ - "KPROBE_ACTION_UNKNOWN": 0, - "KPROBE_ACTION_POST": 1, - "KPROBE_ACTION_FOLLOWFD": 2, - "KPROBE_ACTION_SIGKILL": 3, - "KPROBE_ACTION_UNFOLLOWFD": 4, - "KPROBE_ACTION_OVERRIDE": 5, - "KPROBE_ACTION_COPYFD": 6, - "KPROBE_ACTION_GETURL": 7, - "KPROBE_ACTION_DNSLOOKUP": 8, - "KPROBE_ACTION_NOPOST": 9, - "KPROBE_ACTION_SIGNAL": 10, + "KPROBE_ACTION_UNKNOWN": 0, + "KPROBE_ACTION_POST": 1, + "KPROBE_ACTION_FOLLOWFD": 2, + "KPROBE_ACTION_SIGKILL": 3, + "KPROBE_ACTION_UNFOLLOWFD": 4, + "KPROBE_ACTION_OVERRIDE": 5, + "KPROBE_ACTION_COPYFD": 6, + "KPROBE_ACTION_GETURL": 7, + "KPROBE_ACTION_DNSLOOKUP": 8, + "KPROBE_ACTION_NOPOST": 9, + "KPROBE_ACTION_SIGNAL": 10, + "KPROBE_ACTION_TRACKSOCK": 11, + "KPROBE_ACTION_UNTRACKSOCK": 12, + "KPROBE_ACTION_NOTIFYKILLER": 13, } ) 
@@ -4099,7 +4111,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x65, 0x73, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, - 0x62, 0x6f, 0x6c, 0x2a, 0xb7, 0x02, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, + 0x62, 0x6f, 0x6c, 0x2a, 0x93, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 
@@ -4118,38 +4130,43 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x53, 0x4c, 0x4f, 0x4f, 0x4b, 0x55, 0x50, 0x10, 0x08, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x50, 0x4f, 0x53, 0x54, 0x10, 0x09, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, - 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x41, 0x4c, 0x10, 0x0a, 0x2a, 0x4f, 0x0a, - 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, - 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, - 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, - 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, - 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, - 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, - 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, - 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, - 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, - 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, - 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, - 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, - 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, - 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, - 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 
0x50, 0x52, 0x4f, 0x50, 0x52, - 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, - 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, - 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, - 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, - 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, - 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, - 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, - 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, - 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, - 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, - 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, - 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x41, 0x4c, 0x10, 0x0a, 0x12, 0x1b, 0x0a, + 0x17, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, + 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0b, 0x12, 0x1d, 0x0a, 0x19, 0x4b, 0x50, + 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x54, 0x52, + 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x50, 0x52, + 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 
0x54, 0x49, 0x46, + 0x59, 0x4b, 0x49, 0x4c, 0x4c, 0x45, 0x52, 0x10, 0x0d, 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, + 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, + 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, + 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, + 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, + 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, + 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, + 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, + 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, + 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, + 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, + 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, + 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, + 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, + 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, + 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, + 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, + 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, + 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, + 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, + 0x52, 0x43, 0x45, 
0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, + 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, + 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, + 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, + 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, + 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, + 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, + 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, + 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, + 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, + 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/api/v1/tetragon/tetragon.proto b/api/v1/tetragon/tetragon.proto index b405cc4b887..03bdf05b98d 100644 --- a/api/v1/tetragon/tetragon.proto +++ b/api/v1/tetragon/tetragon.proto @@ -404,6 +404,12 @@ enum KprobeAction { KPROBE_ACTION_NOPOST = 9; // Signal action sends specified signal to the process. KPROBE_ACTION_SIGNAL = 10; + // TrackSock action tracks socket. + KPROBE_ACTION_TRACKSOCK = 11; + // UntrackSock action un-tracks socket. + KPROBE_ACTION_UNTRACKSOCK = 12; + // NotifyKiller action notifies killer sensor. + KPROBE_ACTION_NOTIFYKILLER = 13; } message ProcessKprobe { diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go index 3e1252b4d6a..1caa364382f 100644 
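Review bot: The comments on the three new KprobeAction values in api/v1/tetragon/tetragon.proto (`KPROBE_ACTION_TRACKSOCK` through `KPROBE_ACTION_NOTIFYKILLER`) only restate the identifier ("TrackSock action tracks socket.") and do not say what a consumer of the event stream can observe or rely on when an event carries them. The same text appears verbatim in api/v1/README.md and docs/content/en/docs/reference/grpc-api.md in this patch, so the proto comment appears to be the source of the user-facing documentation. Each comment should state what state the action creates or clears and which later events are affected, in the style of the existing `KPROBE_ACTION_NOPOST` comment that names an observable effect; for `KPROBE_ACTION_NOTIFYKILLER` it should at least say what the "killer sensor" is. The exact wording needs the author, since the semantics of these actions are not visible anywhere in this patch.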
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go +++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go @@ -51,6 +51,12 @@ const ( KprobeAction_KPROBE_ACTION_NOPOST KprobeAction = 9 // Signal action sends specified signal to the process. KprobeAction_KPROBE_ACTION_SIGNAL KprobeAction = 10 + // TrackSock action tracks socket. + KprobeAction_KPROBE_ACTION_TRACKSOCK KprobeAction = 11 + // UntrackSock action un-tracks socket. + KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12 + // NotifyKiller action notifies killer sensor. + KprobeAction_KPROBE_ACTION_NOTIFYKILLER KprobeAction = 13 ) // Enum value maps for KprobeAction. @@ -67,19 +73,25 @@ var ( 8: "KPROBE_ACTION_DNSLOOKUP", 9: "KPROBE_ACTION_NOPOST", 10: "KPROBE_ACTION_SIGNAL", + 11: "KPROBE_ACTION_TRACKSOCK", + 12: "KPROBE_ACTION_UNTRACKSOCK", + 13: "KPROBE_ACTION_NOTIFYKILLER", } KprobeAction_value = map[string]int32{ - "KPROBE_ACTION_UNKNOWN": 0, - "KPROBE_ACTION_POST": 1, - "KPROBE_ACTION_FOLLOWFD": 2, - "KPROBE_ACTION_SIGKILL": 3, - "KPROBE_ACTION_UNFOLLOWFD": 4, - "KPROBE_ACTION_OVERRIDE": 5, - "KPROBE_ACTION_COPYFD": 6, - "KPROBE_ACTION_GETURL": 7, - "KPROBE_ACTION_DNSLOOKUP": 8, - "KPROBE_ACTION_NOPOST": 9, - "KPROBE_ACTION_SIGNAL": 10, + "KPROBE_ACTION_UNKNOWN": 0, + "KPROBE_ACTION_POST": 1, + "KPROBE_ACTION_FOLLOWFD": 2, + "KPROBE_ACTION_SIGKILL": 3, + "KPROBE_ACTION_UNFOLLOWFD": 4, + "KPROBE_ACTION_OVERRIDE": 5, + "KPROBE_ACTION_COPYFD": 6, + "KPROBE_ACTION_GETURL": 7, + "KPROBE_ACTION_DNSLOOKUP": 8, + "KPROBE_ACTION_NOPOST": 9, + "KPROBE_ACTION_SIGNAL": 10, + "KPROBE_ACTION_TRACKSOCK": 11, + "KPROBE_ACTION_UNTRACKSOCK": 12, + "KPROBE_ACTION_NOTIFYKILLER": 13, } ) 
@@ -4099,7 +4111,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x65, 0x73, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, - 0x62, 0x6f, 0x6c, 0x2a, 0xb7, 0x02, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, + 0x62, 0x6f, 0x6c, 0x2a, 0x93, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 
@@ -4118,38 +4130,43 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x53, 0x4c, 0x4f, 0x4f, 0x4b, 0x55, 0x50, 0x10, 0x08, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x50, 0x4f, 0x53, 0x54, 0x10, 0x09, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, - 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x41, 0x4c, 0x10, 0x0a, 0x2a, 0x4f, 0x0a, - 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, - 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, - 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, - 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, - 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, - 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, - 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, - 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, - 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, - 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, - 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, - 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, - 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, - 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, - 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 
0x50, 0x52, 0x4f, 0x50, 0x52, - 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, - 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, - 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, - 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, - 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, - 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, - 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, - 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, - 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, - 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, - 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, - 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x41, 0x4c, 0x10, 0x0a, 0x12, 0x1b, 0x0a, + 0x17, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, + 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0b, 0x12, 0x1d, 0x0a, 0x19, 0x4b, 0x50, + 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x54, 0x52, + 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x50, 0x52, + 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 
0x54, 0x49, 0x46, + 0x59, 0x4b, 0x49, 0x4c, 0x4c, 0x45, 0x52, 0x10, 0x0d, 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, + 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, + 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, + 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, + 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, + 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, + 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, + 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, + 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, + 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, + 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, + 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, + 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, + 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, + 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, + 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, + 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, + 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, + 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, + 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, + 0x52, 0x43, 0x45, 
0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, + 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, + 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, + 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, + 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, + 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, + 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, + 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, + 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, + 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, + 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto index b405cc4b887..03bdf05b98d 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto +++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto @@ -404,6 +404,12 @@ enum KprobeAction { KPROBE_ACTION_NOPOST = 9; // Signal action sends specified signal to the process. KPROBE_ACTION_SIGNAL = 10; + // TrackSock action tracks socket. + KPROBE_ACTION_TRACKSOCK = 11; + // UntrackSock action un-tracks socket. + KPROBE_ACTION_UNTRACKSOCK = 12; + // NotifyKiller action notifies killer sensor. + KPROBE_ACTION_NOTIFYKILLER = 13; } message ProcessKprobe { 
diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md index b783bd6d813..b12831b48c2 100644 --- a/docs/content/en/docs/reference/grpc-api.md +++ b/docs/content/en/docs/reference/grpc-api.md @@ -591,6 +591,9 @@ RuntimeHookRequest synchronously propagates information to the agent about run-t | KPROBE_ACTION_DNSLOOKUP | 8 | GetURL action issue a DNS lookup against an URL from userspace. | | KPROBE_ACTION_NOPOST | 9 | NoPost action suppresses the transmission of the event to userspace. | | KPROBE_ACTION_SIGNAL | 10 | Signal action sends specified signal to the process. | +| KPROBE_ACTION_TRACKSOCK | 11 | TrackSock action tracks socket. | +| KPROBE_ACTION_UNTRACKSOCK | 12 | UntrackSock action un-tracks socket. | +| KPROBE_ACTION_NOTIFYKILLER | 13 | NotifyKiller action notifies killer sensor. | diff --git a/pkg/api/tracingapi/client_kprobe.go b/pkg/api/tracingapi/client_kprobe.go index 75b969b4b3b..25f498b5eef 100644 --- a/pkg/api/tracingapi/client_kprobe.go +++ b/pkg/api/tracingapi/client_kprobe.go @@ -12,16 +12,19 @@ const ( ) const ( - ActionPost = 0 - ActionFollowFd = 1 - ActionSigKill = 2 - ActionUnfollowFd = 3 - ActionOverride = 4 - ActionCopyFd = 5 - ActionGetUrl = 6 - ActionLookupDns = 7 - ActionNoPost = 8 - ActionSignal = 9 + ActionPost = 0 + ActionFollowFd = 1 + ActionSigKill = 2 + ActionUnfollowFd = 3 + ActionOverride = 4 + ActionCopyFd = 5 + ActionGetUrl = 6 + ActionLookupDns = 7 + ActionNoPost = 8 + ActionSignal = 9 + ActionTrackSock = 10 + ActionUntrackSock = 11 + ActionNotifyKiller = 12 ) const ( diff --git a/pkg/grpc/tracing/tracing.go b/pkg/grpc/tracing/tracing.go index 31154e4a585..7a74c070807 100644 --- a/pkg/grpc/tracing/tracing.go +++ b/pkg/grpc/tracing/tracing.go 
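Review bot: The three constants added to the const block in pkg/api/tracingapi/client_kprobe.go (`ActionTrackSock = 10`, `ActionUntrackSock = 11`, `ActionNotifyKiller = 12`) are untyped integers offset by one from the KprobeAction proto enum values added in the same patch (`KPROBE_ACTION_TRACKSOCK = 11`, and so on), and nothing in the block documents which numbering is the wire contract or where it is consumed. An id added here but not to the switch in `kprobeAction()` in pkg/grpc/tracing/tracing.go falls into that function's `default` branch and is reported as `KPROBE_ACTION_UNKNOWN` with no other signal. I would put a comment on the block, `// Action ids as carried in kprobe/tracepoint event messages (ActionId); kprobeAction() in pkg/grpc/tracing maps them to tetragon.KprobeAction, whose values are offset by one from these.`, and add a unit test asserting that every Action* constant maps to a value other than UNKNOWN. The producer of ActionId is not visible in this patch, so the comment should also name it.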
@@ -54,6 +54,12 @@ func kprobeAction(act uint64) tetragon.KprobeAction { return tetragon.KprobeAction_KPROBE_ACTION_NOPOST case tracingapi.ActionSignal: return tetragon.KprobeAction_KPROBE_ACTION_SIGNAL + case tracingapi.ActionTrackSock: + return tetragon.KprobeAction_KPROBE_ACTION_TRACKSOCK + case tracingapi.ActionUntrackSock: + return tetragon.KprobeAction_KPROBE_ACTION_UNTRACKSOCK + case tracingapi.ActionNotifyKiller: + return tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER default: return tetragon.KprobeAction_KPROBE_ACTION_UNKNOWN } @@ -332,6 +338,7 @@ type MsgGenericTracepointUnix struct { Event string Args []tracingapi.MsgGenericTracepointArg PolicyName string + Action uint64 } func (msg *MsgGenericTracepointUnix) Notify() bool { @@ -403,6 +410,7 @@ func (msg *MsgGenericTracepointUnix) HandleMessage() *tetragon.GetEventsResponse Event: msg.Event, Args: tetragonArgs, PolicyName: msg.PolicyName, + Action: kprobeAction(msg.Action), } if ec := eventcache.Get(); ec != nil && diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go index 94d1ddaec38..c3f918e0b81 100644 --- a/pkg/sensors/tracing/generictracepoint.go +++ b/pkg/sensors/tracing/generictracepoint.go @@ -622,6 +622,7 @@ func handleGenericTracepoint(r *bytes.Reader) ([]observer.Event, error) { Tid: m.Tid, Subsys: "UNKNOWN", Event: "UNKNOWN", + Action: m.ActionId, } tp, err := genericTracepointTable.getTracepoint(int(m.FuncId)) diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go index 3e1252b4d6a..1caa364382f 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go 
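Review bot: The new `Action uint64` field on `MsgGenericTracepointUnix` (hunk at line 332 of pkg/grpc/tracing/tracing.go) has no comment, and the only hints of its meaning are the `kprobeAction(msg.Action)` call added in `HandleMessage` and the `Action: m.ActionId` assignment added in handleGenericTracepoint in pkg/sensors/tracing/generictracepoint.go, whose body starts and ends outside its hunk. I would document it as `// Action is the tracingapi.Action* id recorded for this tracepoint event (from ActionId); HandleMessage maps it to tetragon.KprobeAction via kprobeAction().`. Separately, `kprobeAction()` now covers three more ids while its pre-existing `default` still returns `KPROBE_ACTION_UNKNOWN` silently; with tracepoint events now flowing through it as well, a value outside the known set is indistinguishable from a genuinely unset action, so a debug log or counter in that branch would make numbering drift between the producer of ActionId and the tracingapi constants detectable.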
@@ -51,6 +51,12 @@ const ( KprobeAction_KPROBE_ACTION_NOPOST KprobeAction = 9 // Signal action sends specified signal to the process. KprobeAction_KPROBE_ACTION_SIGNAL KprobeAction = 10 + // TrackSock action tracks socket. + KprobeAction_KPROBE_ACTION_TRACKSOCK KprobeAction = 11 + // UntrackSock action un-tracks socket. + KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12 + // NotifyKiller action notifies killer sensor. + KprobeAction_KPROBE_ACTION_NOTIFYKILLER KprobeAction = 13 ) // Enum value maps for KprobeAction. @@ -67,19 +73,25 @@ var ( 8: "KPROBE_ACTION_DNSLOOKUP", 9: "KPROBE_ACTION_NOPOST", 10: "KPROBE_ACTION_SIGNAL", + 11: "KPROBE_ACTION_TRACKSOCK", + 12: "KPROBE_ACTION_UNTRACKSOCK", + 13: "KPROBE_ACTION_NOTIFYKILLER", } KprobeAction_value = map[string]int32{ - "KPROBE_ACTION_UNKNOWN": 0, - "KPROBE_ACTION_POST": 1, - "KPROBE_ACTION_FOLLOWFD": 2, - "KPROBE_ACTION_SIGKILL": 3, - "KPROBE_ACTION_UNFOLLOWFD": 4, - "KPROBE_ACTION_OVERRIDE": 5, - "KPROBE_ACTION_COPYFD": 6, - "KPROBE_ACTION_GETURL": 7, - "KPROBE_ACTION_DNSLOOKUP": 8, - "KPROBE_ACTION_NOPOST": 9, - "KPROBE_ACTION_SIGNAL": 10, + "KPROBE_ACTION_UNKNOWN": 0, + "KPROBE_ACTION_POST": 1, + "KPROBE_ACTION_FOLLOWFD": 2, + "KPROBE_ACTION_SIGKILL": 3, + "KPROBE_ACTION_UNFOLLOWFD": 4, + "KPROBE_ACTION_OVERRIDE": 5, + "KPROBE_ACTION_COPYFD": 6, + "KPROBE_ACTION_GETURL": 7, + "KPROBE_ACTION_DNSLOOKUP": 8, + "KPROBE_ACTION_NOPOST": 9, + "KPROBE_ACTION_SIGNAL": 10, + "KPROBE_ACTION_TRACKSOCK": 11, + "KPROBE_ACTION_UNTRACKSOCK": 12, + "KPROBE_ACTION_NOTIFYKILLER": 13, } ) 
@@ -4099,7 +4111,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x65, 0x73, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, - 0x62, 0x6f, 0x6c, 0x2a, 0xb7, 0x02, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, + 0x62, 0x6f, 0x6c, 0x2a, 0x93, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 
@@ -4118,38 +4130,43 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x53, 0x4c, 0x4f, 0x4f, 0x4b, 0x55, 0x50, 0x10, 0x08, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x50, 0x4f, 0x53, 0x54, 0x10, 0x09, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, - 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x41, 0x4c, 0x10, 0x0a, 0x2a, 0x4f, 0x0a, - 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, - 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, - 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, - 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, - 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, - 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, - 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, - 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, - 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, - 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, - 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, - 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, - 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, - 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, - 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 
0x50, 0x52, 0x4f, 0x50, 0x52, - 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, - 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, - 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, - 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, - 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, - 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, - 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, - 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, - 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, - 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, - 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, - 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x41, 0x4c, 0x10, 0x0a, 0x12, 0x1b, 0x0a, + 0x17, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, + 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0b, 0x12, 0x1d, 0x0a, 0x19, 0x4b, 0x50, + 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x54, 0x52, + 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x50, 0x52, + 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 
0x54, 0x49, 0x46, + 0x59, 0x4b, 0x49, 0x4c, 0x4c, 0x45, 0x52, 0x10, 0x0d, 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, + 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, + 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, + 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, + 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, + 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, + 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, + 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, + 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, + 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, + 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, + 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, + 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, + 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, + 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, + 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, + 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, + 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, + 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, + 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, + 0x52, 0x43, 0x45, 
0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, + 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, + 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, + 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, + 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, + 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, + 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, + 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, + 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, + 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, + 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto index b405cc4b887..03bdf05b98d 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto @@ -404,6 +404,12 @@ enum KprobeAction { KPROBE_ACTION_NOPOST = 9; // Signal action sends specified signal to the process. KPROBE_ACTION_SIGNAL = 10; + // TrackSock action tracks socket. + KPROBE_ACTION_TRACKSOCK = 11; + // UntrackSock action un-tracks socket. + KPROBE_ACTION_UNTRACKSOCK = 12; + // NotifyKiller action notifies killer sensor. + KPROBE_ACTION_NOTIFYKILLER = 13; } message ProcessKprobe { From 9d1e2ed07431c3b768be6b0b8593eec268975849 Mon Sep 17 00:00:00 2001 
From: Jiri Olsa
Date: Tue, 29 Aug 2023 21:58:00 +0000
Subject: [PATCH 13/14] tetragon: Add killer tests
Adding test for killer sensor and testing both killing application matching the selector and overriding syscall that matches the selector.
Signed-off-by: Jiri Olsa
---
 contrib/tester-progs/Makefile | 3 +-
 contrib/tester-progs/killer-tester.c | 9 ++
 pkg/sensors/tracing/killer_test.go | 221 +++++++++++++++++++++++++++
 3 files changed, 232 insertions(+), 1 deletion(-)
 create mode 100644 contrib/tester-progs/killer-tester.c
 create mode 100644 pkg/sensors/tracing/killer_test.go
diff --git a/contrib/tester-progs/Makefile b/contrib/tester-progs/Makefile
index e2a67f1cbd6..1f735d563f1 100644
--- a/contrib/tester-progs/Makefile
+++ b/contrib/tester-progs/Makefile
@@ -17,7 +17,8 @@ PROGS = sigkill-tester \
 lseek-pipe \
 threads-tester \
 bench-reader \
- threads-exit
+ threads-exit \
+ killer-tester
 
 all: $(PROGS)
 
diff --git a/contrib/tester-progs/killer-tester.c b/contrib/tester-progs/killer-tester.c
new file mode 100644
index 00000000000..cb95fc68366
--- /dev/null
+++ b/contrib/tester-progs/killer-tester.c
@@ -0,0 +1,9 @@
+#include
+#include
+#include
+
+int main(void)
+{
+ prctl(0xffff, 0, 0, 0, 0);
+ return errno;
+}
diff --git a/pkg/sensors/tracing/killer_test.go b/pkg/sensors/tracing/killer_test.go
new file mode 100644
index 00000000000..6b02cc564cb
--- /dev/null
+++ b/pkg/sensors/tracing/killer_test.go
@@ -0,0 +1,221 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package tracing
+
+import (
+ "context"
+ "os"
+ "os/exec"
+ "sync"
+ "syscall"
+ "testing"
+
+ "github.com/cilium/tetragon/api/v1/tetragon"
+ "github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker"
+ ec "github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker"
+ "github.com/cilium/tetragon/pkg/bpf"
+ "github.com/cilium/tetragon/pkg/jsonchecker"
+ lc "github.com/cilium/tetragon/pkg/matchers/listmatcher"
+ "github.com/cilium/tetragon/pkg/observer/observertesthelper"
+ "github.com/cilium/tetragon/pkg/testutils"
+ tus "github.com/cilium/tetragon/pkg/testutils/sensors"
+ "github.com/stretchr/testify/assert"
+)
+
+func test_killer(t *testing.T, configHook string, test string,
+ checker *eventchecker.UnorderedEventChecker,
+ checkerFunc func(err error, rc int)) {
+
+ var doneWG, readyWG sync.WaitGroup
+ defer doneWG.Wait()
+
+ ctx, cancel := context.WithTimeout(context.Background(), tus.Conf().CmdWaitTime)
+ defer cancel()
+
+ err := os.WriteFile(testConfigFile, []byte(configHook), 0644)
+ if err != nil {
+ t.Fatalf("writeFile(%s): err %s", testConfigFile, err)
+ }
+
+ obs, err := observertesthelper.GetDefaultObserverWithFile(t, ctx, testConfigFile, tus.Conf().TetragonLib, observertesthelper.WithMyPid())
+ if err != nil {
+ t.Fatalf("GetDefaultObserverWithFile error: %s", err)
+ }
+ observertesthelper.LoopEvents(ctx, t, &doneWG, &readyWG, obs)
+ readyWG.Wait()
+
+ cmd := exec.Command(test)
+ err = cmd.Run()
+
+ checkerFunc(err, cmd.ProcessState.ExitCode())
+
+ err = jsonchecker.JsonTestCheck(t, checker)
+ assert.NoError(t, err)
+}
+
+func TestKillerOverride(t *testing.T) {
+ if !bpf.HasOverrideHelper() {
+ t.Skip("skipping killer test, bpf_override_return helper not available")
+ }
+
+ test := testutils.RepoRootPath("contrib/tester-progs/killer-tester")
+ configHook := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: "kill-syscalls"
+spec:
+ lists:
+ - name: "mine"
+ type: "syscalls"
+ values:
+ - "sys_prctl"
+ killers:
+ - syscalls:
+ - "list:mine"
+ tracepoints:
+ - subsystem: "raw_syscalls"
+ event: "sys_enter"
+ args:
+ - index: 4
+ type: "uint64"
+ selectors:
+ - matchArgs:
+ - index: 0
+ operator: "InMap"
+ values:
+ - "list:mine"
+ matchBinaries:
+ - operator: "In"
+ values:
+ - "` + test + `"
+ matchActions:
+ - action: "NotifyKiller"
+ argError: -17 # EEXIST
+`
+
+ tpChecker := ec.NewProcessTracepointChecker("").
+ WithArgs(ec.NewKprobeArgumentListMatcher().
+ WithOperator(lc.Ordered).
+ WithValues(
+ ec.NewKprobeArgumentChecker().WithSizeArg(syscall.SYS_PRCTL),
+ )).
+ WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER)
+
+ checker := ec.NewUnorderedEventChecker(tpChecker)
+
+ checkerFunc := func(err error, rc int) {
+ if rc != int(syscall.EEXIST) {
+ t.Fatalf("Wrong exit code %d expected %d", rc, int(syscall.EEXIST))
+ }
+ }
+
+ test_killer(t, configHook, test, checker, checkerFunc)
+}
+
+func TestKillerSignal(t *testing.T) {
+ if !bpf.HasOverrideHelper() {
+ t.Skip("skipping killer test, bpf_override_return helper not available")
+ }
+
+ test := testutils.RepoRootPath("contrib/tester-progs/killer-tester")
+ configHook := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: "kill-syscalls"
+spec:
+ lists:
+ - name: "mine"
+ type: "syscalls"
+ values:
+ - "sys_prctl"
+ killers:
+ - syscalls:
+ - "list:mine"
+ tracepoints:
+ - subsystem: "raw_syscalls"
+ event: "sys_enter"
+ args:
+ - index: 4
+ type: "uint64"
+ selectors:
+ - matchArgs:
+ - index: 0
+ operator: "InMap"
+ values:
+ - "list:mine"
+ matchBinaries:
+ - operator: "In"
+ values:
+ - "` + test + `"
+ matchActions:
+ - action: "NotifyKiller"
+ argSig: 9 # SIGKILL
+`
+
+ tpChecker := ec.NewProcessTracepointChecker("").
+ WithArgs(ec.NewKprobeArgumentListMatcher().
+ WithOperator(lc.Ordered).
+ WithValues(
+ ec.NewKprobeArgumentChecker().WithSizeArg(syscall.SYS_PRCTL),
+ )).
+ WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER)
+
+ checker := ec.NewUnorderedEventChecker(tpChecker)
+
+ checkerFunc := func(err error, rc int) {
+ if err == nil || err.Error() != "signal: killed" {
+ t.Fatalf("Wrong error '%v' expected 'killed'", err)
+ }
+ }
+
+ test_killer(t, configHook, test, checker, checkerFunc)
+}
+
+func TestKillerMulti(t *testing.T) {
+ if !bpf.HasOverrideHelper() {
+ t.Skip("skipping killer test, bpf_override_return helper not available")
+ }
+
+ crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: "kill-syscalls"
+spec:
+ lists:
+ - name: "mine1"
+ type: "syscalls"
+ values:
+ - "sys_prctl"
+ - name: "mine2"
+ type: "syscalls"
+ values:
+ - "sys_prctl"
+ killers:
+ - syscalls:
+ - "list:mine1"
+ - syscalls:
+ - "list:mine2"
+ tracepoints:
+ - subsystem: "raw_syscalls"
+ event: "sys_enter"
+ args:
+ - index: 4
+ type: "uint64"
+ selectors:
+ - matchArgs:
+ - index: 0
+ operator: "InMap"
+ values:
+ - "list:mine1"
+ matchActions:
+ - action: "NotifyKiller"
+ argSig: 9 # SIGKILL
+`
+
+ err := checkCrd(t, crd)
+ assert.Error(t, err)
+}
From 2d80318afa691edfb08f2989f657612cac51c47d Mon Sep 17 00:00:00 2001
From: Jiri Olsa
Date: Sat, 23 Sep 2023 20:29:05 +0000
Subject: [PATCH 14/14] tetragon: Add doc for killer sensor
Signed-off-by: Jiri Olsa
---
 .../docs/concepts/tracing-policy/selectors.md | 95 +++++++++++++++++++
 1 file changed, 95 insertions(+)
diff --git a/docs/content/en/docs/concepts/tracing-policy/selectors.md b/docs/content/en/docs/concepts/tracing-policy/selectors.md
index bb302ea49dd..e43f930ee73 100644
--- a/docs/content/en/docs/concepts/tracing-policy/selectors.md
+++ b/docs/content/en/docs/concepts/tracing-policy/selectors.md
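Review bot: TestKillerSignal's checkerFunc identifies the kill by comparing `err.Error()` with the literal `"signal: killed"`, which is the formatted text of exec.ExitError rather than its content; inspecting the wait status asserts the actual SIGKILL and still fails clearly when the tester binary could not be started (this needs `errors` added to the import block). The sibling checkerFunc in TestKillerOverride discards `err`, so a missing or non-executable killer-tester is reported only as `Wrong exit code -1 expected 17`; appending it, `t.Fatalf("Wrong exit code %d expected %d (err: %v)", rc, int(syscall.EEXIST), err)`, keeps the cause. On style, the eventchecker package is imported twice under two names (`eventchecker` in the test_killer signature, `ec` everywhere else) and `test_killer` should be `testKiller` per Go naming. The two tests also carry identical policy YAML that differs only in the matchActions argument; a small helper building the policy from that argument would keep them from drifting apart.
```go
	checkerFunc := func(err error, rc int) {
		var exitErr *exec.ExitError
		if !errors.As(err, &exitErr) {
			t.Fatalf("expected killer-tester to be killed, got err %v rc %d", err, rc)
		}
		ws, ok := exitErr.Sys().(syscall.WaitStatus)
		if !ok || !ws.Signaled() || ws.Signal() != syscall.SIGKILL {
			t.Fatalf("expected SIGKILL, got %v", exitErr)
		}
	}
	// … unchanged: test_killer(t, configHook, test, checker, checkerFunc) …
```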
@@ -501,6 +501,7 @@ matches. They are defined under `matchActions` and currently, the following
 - [NoPost action](#nopost-action)
 - [TrackSock action](#tracksock-action)
 - [UntrackSock action](#untracksock-action)
+- [Notify Killer action](#notify-killer-action)
 
 {{< note >}}
 `Sigkill`, `Override`, `FollowFD`, `UnfollowFD`, `CopyFD`, `Post`,
@@ -982,6 +983,100 @@ broken. Socket tracking is only available on kernel >=5.3. +### Notify Killer action + +The `NotifyKiller` action notifies the killer program to kill or override a syscall. + +It's meant to be used on systems with kernel that lacks multi kprobe feature, that +allows to attach many kprobes quickly). To workaround that the killer sensor uses +the raw syscall tracepoint and attaches simple program to syscalls that we need to +kill or override. + +The specs needs to have `killer` program definition, that instructs tetragon to load +the `killer` program and attach it to specified syscalls. + +```yaml +spec: + killers: + - syscalls: + - "list:dups" +``` + +The syscalls expects list of syscalls or `list:XXX` pointer to list. + +Note that currently only single killer definition is allowed. + + +The `NotifyKiller` action takes 2 arguments. + +```yaml +matchActions: +- action: "NotifyKiller" + argError: -1 + argSig: 9 +``` + +If specified the argError will be passed to `bpf_override_return` helper to override the syscall return value. +If specified the argSig will be passed to `bpf_send_signal` helper to override the syscall return value. + +The following is spec for killing `/usr/bin/bash` program whenever it calls `sys_dup` or `sys_dup2` syscalls. + +```yaml +spec: + lists: + - name: "dups" + type: "syscalls" + values: + - "sys_dup" + - "sys_dup2" + killers: + - syscalls: + - "list:dups" + tracepoints: + - subsystem: "raw_syscalls" + event: "sys_enter" + args: + - index: 4 + type: "uint64" + selectors: + - matchArgs: + - index: 0 + operator: "InMap" + values: + - "list:dups" + matchBinaries: + - operator: "In" + values: + - "/usr/bin/bash" + matchActions: + - action: "NotifyKiller" + argSig: 9 +``` + +Note as mentioned above the `NotifyKiller` with killer program is meant to be used only on kernel versions +with no support for fast attach of multiple kprobes (`kprobe_multi` link). 
+ +With `kprobe_multi` link support the above example can be easily replaced with: + +```yaml +spec: + lists: + - name: "syscalls" + type: "syscalls" + values: + - "sys_dup" + - "sys_dup2" + kprobes: + - call: "list:syscalls" + selectors: + - matchBinaries: + - operator: "In" + values: + - "/usr/bin/bash" + matchActions: + - action: "Sigkill" +``` + ## Selector Semantics The `selector` semantics of the `CiliumTracingPolicy` follows the standard