Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tetragon: Add killer sensor #1205

Merged
merged 14 commits into from
Oct 12, 2023
Merged

tetragon: Add killer sensor #1205

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
eda3ea1
tetragon: Add Validated field to ListSpec
olsajiri Sep 5, 2023
29c37f2
tetragon: Add preValidateLists function
olsajiri Aug 29, 2023
c785367
tetragon: Pass symbol argument to kprobeAttach
olsajiri Oct 6, 2023
2245bce
tetragon: Add LoadKprobeProgramAttachMany function
olsajiri Oct 6, 2023
5d9cc46
tetragon: Add support for killer schema
olsajiri Aug 29, 2023
eb7b9b0
tetragon: Add killer sensor
olsajiri Jul 1, 2023
af2ddf2
tetragon: Add bpf_killer bpf program
olsajiri Jun 21, 2023
83af104
tetragon: Add notify killer action
olsajiri Jul 3, 2023
a62464d
tetragon: Add NotifyKiller to Action kubebuilder:validation enum
olsajiri Oct 2, 2023
da8e135
tetragon: Add example killer policy
olsajiri Jun 21, 2023
8181f8e
tetragon: Add action field to tracepoint event
olsajiri Oct 2, 2023
d2965c5
tetragon: Update kprobe/tracepoint event action definitions
olsajiri Oct 2, 2023
9d1e2ed
tetragon: Add killer tests
olsajiri Aug 29, 2023
2d80318
tetragon: Add doc for killer sensor
olsajiri Sep 23, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions api/v1/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -826,6 +826,7 @@ loader sensor event triggered for loaded binary/library
| event | [string](#string) | | Event of the subsystem. |
| args | [KprobeArgument](#tetragon-KprobeArgument) | repeated | Arguments definition of the observed tracepoint. TODO: once we implement all we want, rename KprobeArgument to GenericArgument |
| policy_name | [string](#string) | | Name of the policy that created that tracepoint. |
| action | [KprobeAction](#tetragon-KprobeAction) | | Action performed when the tracepoint matched. |



Expand Down Expand Up @@ -975,6 +976,9 @@ RuntimeHookRequest synchronously propagates information to the agent about run-t
| KPROBE_ACTION_DNSLOOKUP | 8 | GetURL action issue a DNS lookup against an URL from userspace. |
| KPROBE_ACTION_NOPOST | 9 | NoPost action suppresses the transmission of the event to userspace. |
| KPROBE_ACTION_SIGNAL | 10 | Signal action sends specified signal to the process. |
| KPROBE_ACTION_TRACKSOCK | 11 | TrackSock action tracks socket. |
| KPROBE_ACTION_UNTRACKSOCK | 12 | UntrackSock action un-tracks socket. |
| KPROBE_ACTION_NOTIFYKILLER | 13 | NotifyKiller action notifies killer sensor. |



Expand Down
14 changes: 14 additions & 0 deletions api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

156 changes: 93 additions & 63 deletions api/v1/tetragon/tetragon.pb.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 8 additions & 0 deletions api/v1/tetragon/tetragon.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -404,6 +404,12 @@ enum KprobeAction {
KPROBE_ACTION_NOPOST = 9;
// Signal action sends specified signal to the process.
KPROBE_ACTION_SIGNAL = 10;
// TrackSock action tracks socket.
KPROBE_ACTION_TRACKSOCK = 11;
// UntrackSock action un-tracks socket.
KPROBE_ACTION_UNTRACKSOCK = 12;
// NotifyKiller action notifies killer sensor.
KPROBE_ACTION_NOTIFYKILLER = 13;
}

message ProcessKprobe {
Expand Down Expand Up @@ -439,6 +445,8 @@ message ProcessTracepoint {
repeated KprobeArgument args = 6;
// Name of the policy that created that tracepoint.
string policy_name = 7;
// Action performed when the tracepoint matched.
KprobeAction action = 8;
}

message ProcessUprobe {
Expand Down
9 changes: 8 additions & 1 deletion bpf/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,8 @@ PROCESS = bpf_execve_event.o bpf_execve_event_v53.o bpf_fork.o bpf_exit.o bpf_ge
bpf_generic_tracepoint_v61.o \
bpf_multi_kprobe_v61.o bpf_multi_retkprobe_v61.o \
bpf_generic_uprobe_v61.o \
bpf_loader.o
bpf_loader.o \
bpf_killer.o bpf_multi_killer.o

CGROUP = bpf_cgroup_mkdir.o bpf_cgroup_rmdir.o bpf_cgroup_release.o
BPFTEST = bpf_lseek.o bpf_globals.o
Expand Down Expand Up @@ -120,6 +121,12 @@ objs/%_v53.ll:
$(DEPSDIR)%.d: $(PROCESSDIR)%.c
$(CLANG) $(CLANG_FLAGS) -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@

objs/bpf_multi_killer.ll: process/bpf_killer.c
$(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -D__MULTI_KPROBE -c $< -o $@

$(DEPSDIR)/bpf_multi_killer.d: process/bpf_killer.c
$(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -D__MULTI_KPROBE -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@

$(DEPSDIR)%_v53.d:
$(CLANG) $(CLANG_FLAGS) -D__LARGE_BPF_PROG -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@

Expand Down
3 changes: 3 additions & 0 deletions bpf/process/bpf_generic_tracepoint.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@

#include "bpf_event.h"
#include "bpf_task.h"

#define GENERIC_TRACEPOINT

#include "retprobe_map.h"
#include "types/operations.h"
#include "types/basic.h"
Expand Down
Loading
Loading