killer: Add test for multiple killer policies in effect

Loading 2 different killer policies in the test and making sure they catch and kill. Signed-off-by: Jiri Olsa <[email protected]>
cilium · Feb 12, 2024 · 1bf9127 · 1bf9127
1 parent 7d230d7
commit 1bf9127
Showing 1 changed file with 164 additions and 0 deletions.
diff --git a/pkg/sensors/tracing/killer_test.go b/pkg/sensors/tracing/killer_test.go
@@ -20,9 +20,14 @@ import (
 	"github.com/cilium/tetragon/pkg/kernels"
 	lc "github.com/cilium/tetragon/pkg/matchers/listmatcher"
 	sm "github.com/cilium/tetragon/pkg/matchers/stringmatcher"
+	"github.com/cilium/tetragon/pkg/observer"
 	"github.com/cilium/tetragon/pkg/observer/observertesthelper"
+	"github.com/cilium/tetragon/pkg/option"
+	"github.com/cilium/tetragon/pkg/sensors/base"
+	testsensor "github.com/cilium/tetragon/pkg/sensors/test"
 	"github.com/cilium/tetragon/pkg/testutils"
 	tus "github.com/cilium/tetragon/pkg/testutils/sensors"
+	"github.com/cilium/tetragon/pkg/tracingpolicy"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/sys/unix"
 )
@@ -412,3 +417,162 @@ spec:
 
 	testSecurity(t, tracingPolicy, tempFile)
 }
+
+// This test loads 2 policies:
+// - first set standard killer tracepoint setup on sys_prctl
+//   with first argument value 0xffff
+// - second set standard killer tracepoint setup on sys_prctl
+//   with first argument value 0xfffe
+// then make sure both policies catch and kill.
+
+func TestKillerMulti(t *testing.T) {
+	if !bpf.HasSignalHelper() {
+		t.Skip("skipping killer test, bpf_send_signal helper not available")
+	}
+
+	if !bpf.HasModifyReturn() {
+		t.Skip("skipping killer test, fmod_ret is not available")
+	}
+
+	if !kernels.EnableLargeProgs() {
+		t.Skip("Older kernels do not support matchArgs for more than one arguments")
+	}
+
+	policyYAML1 := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "killer-prctl-1"
+spec:
+  lists:
+  - name: "prctl"
+    type: "syscalls"
+    values:
+    - "sys_prctl"
+  killers:
+  - calls:
+    - "list:prctl"
+  tracepoints:
+  - subsystem: "raw_syscalls"
+    event: "sys_enter"
+    args:
+    - index: 4
+      type: "syscall64"
+    - index: 5
+      type: "int64"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "InMap"
+        values:
+        - "list:prctl"
+      - index: 1
+        operator: "Equal"
+        values:
+        - 0xffff
+      matchBinaries:
+      - operator: "In"
+        values:
+        - "/home/jolsa/tetragon/contrib/tester-progs/killer-tester"
+      matchActions:
+      - action: "NotifyKiller"
+        argError: -1
+        argSig: 9
+`
+
+	policyYAML2 := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "killer-prctl-2"
+spec:
+  lists:
+  - name: "prctl"
+    type: "syscalls"
+    values:
+    - "sys_prctl"
+  killers:
+  - calls:
+    - "list:prctl"
+  tracepoints:
+  - subsystem: "raw_syscalls"
+    event: "sys_enter"
+    args:
+    - index: 4
+      type: "syscall64"
+    - index: 5
+      type: "int64"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "InMap"
+        values:
+        - "list:prctl"
+      - index: 1
+        operator: "Equal"
+        values:
+        - 0xfffe
+      matchBinaries:
+      - operator: "In"
+        values:
+        - "/home/jolsa/tetragon/contrib/tester-progs/killer-tester"
+      matchActions:
+      - action: "NotifyKiller"
+        argError: -1
+        argSig: 9
+`
+
+	policy1, err := tracingpolicy.FromYAML(policyYAML1)
+	if err != nil {
+		t.Errorf("FromYAML policyYAML1 error %s", err)
+	}
+
+	policy2, err := tracingpolicy.FromYAML(policyYAML2)
+	if err != nil {
+		t.Errorf("FromYAML policyYAML2 error %s", err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), tus.Conf().CmdWaitTime)
+	defer cancel()
+
+	if err := observer.InitDataCache(1024); err != nil {
+		t.Fatalf("observertesthelper.InitDataCache: %s", err)
+	}
+
+	option.Config.HubbleLib = tus.Conf().TetragonLib
+	tus.LoadSensor(t, base.GetInitialSensor())
+	tus.LoadSensor(t, testsensor.GetTestSensor())
+	sm := tus.GetTestSensorManager(ctx, t)
+
+	err = sm.Manager.AddTracingPolicy(ctx, policy1)
+	assert.NoError(t, err)
+
+	err = sm.Manager.AddTracingPolicy(ctx, policy2)
+	assert.NoError(t, err)
+
+	testBin := testutils.RepoRootPath("contrib/tester-progs/killer-tester")
+
+	// killed by policy 1
+	cmd := exec.Command(testBin, "0xffff")
+	err = cmd.Run()
+
+	if err == nil || err.Error() != "signal: killed" {
+		t.Fatalf("Wrong error '%v' expected 'killed'", err)
+	}
+
+	// killed by policy 2
+	cmd = exec.Command(testBin, "0xfffe")
+	err = cmd.Run()
+
+	if err == nil || err.Error() != "signal: killed" {
+		t.Fatalf("Wrong error '%v' expected 'killed'", err)
+	}
+
+	// should not get killed
+	cmd = exec.Command(testBin, "0xfffd")
+	err = cmd.Run()
+
+	if err == nil || err.Error() != "exit status 22" {
+		t.Fatalf("Wrong error '%v' expected 'exit status 22'", err)
+	}
+}