tetragon: Add throttle event processing

Signed-off-by: Jiri Olsa <[email protected]>
cilium · Mar 4, 2024 · 84184c3 · 84184c3
1 parent a2fce80
commit 84184c3
Show file tree

Hide file tree

Showing 4 changed files with 101 additions and 0 deletions.
diff --git a/pkg/api/ops/ops.go b/pkg/api/ops/ops.go
@@ -33,6 +33,8 @@ const (
 
 	MSG_OP_LOADER = 26
 
+	MSG_OP_THROTTLE = 27
+
 	// just for testing
 	MSG_OP_TEST = 254
 )

diff --git a/pkg/api/processapi/processapi.go b/pkg/api/processapi/processapi.go
@@ -215,6 +215,13 @@ type MsgCgroupEvent struct {
 	Path          [CGROUP_PATH_LENGTH]byte `align:"path"`           // Full path of the cgroup on fs
 }
 
+type MsgThrottle struct {
+	Common  MsgCommon
+	Current MsgExecveKey
+	Event   uint8
+	Pad     [7]uint8
+}
+
 type KernelStats struct {
 	SentFailed [256]uint64 `align:"sent_failed"`
 }
diff --git a/pkg/grpc/exec/exec.go b/pkg/grpc/exec/exec.go
@@ -545,3 +545,72 @@ func (msg *MsgProcessCleanupEventUnix) HandleMessage() *tetragon.GetEventsRespon
 func (msg *MsgProcessCleanupEventUnix) Cast(_ interface{}) notify.Message {
 	return &MsgProcessCleanupEventUnix{}
 }
+
+type MsgProcessThrottleUnix struct {
+	Msg   *processapi.MsgThrottle
+	Event uint8
+}
+
+func GetProcessThrottle(msg *MsgProcessThrottleUnix) *tetragon.ProcessThrottle {
+	var tetragonParent, tetragonProcess *tetragon.Process
+
+	proc, parent := process.GetParentProcessInternal(msg.Msg.Current.Pid, msg.Msg.Current.Ktime)
+	if proc == nil {
+		tetragonProcess = &tetragon.Process{
+			Pid:       &wrapperspb.UInt32Value{Value: msg.Msg.Current.Pid},
+			StartTime: ktime.ToProto(msg.Msg.Current.Ktime),
+		}
+	} else {
+		tetragonProcess = proc.UnsafeGetProcess()
+		if err := proc.AnnotateProcess(option.Config.EnableProcessCred, option.Config.EnableProcessNs); err != nil {
+			logger.GetLogger().WithError(err).WithField("processId", tetragonProcess.Pid).
+				Debugf("Failed to annotate process with capabilities and namespaces info")
+		}
+	}
+
+	if parent != nil {
+		tetragonParent = parent.UnsafeGetProcess()
+	}
+
+	tetragonEvent := &tetragon.ProcessThrottle{
+		Process: tetragonProcess,
+		Parent:  tetragonParent,
+		Op:      tetragon.OpType(msg.Event),
+	}
+
+	if ec := eventcache.Get(); ec != nil &&
+		(ec.Needed(tetragonProcess) || (tetragonProcess.Pid.Value > 1)) {
+		ec.Add(nil, tetragonEvent, msg.Msg.Common.Ktime, msg.Msg.Current.Ktime, msg)
+		return nil
+	}
+
+	return tetragonEvent
+}
+
+func (msg *MsgProcessThrottleUnix) Notify() bool {
+	return true
+}
+
+func (msg *MsgProcessThrottleUnix) RetryInternal(ev notify.Event, timestamp uint64) (*process.ProcessInternal, error) {
+	return eventcache.HandleGenericInternal(ev, msg.Msg.Current.Pid, nil, timestamp)
+}
+
+func (msg *MsgProcessThrottleUnix) Retry(internal *process.ProcessInternal, ev notify.Event) error {
+	return eventcache.HandleGenericEvent(internal, ev, nil)
+}
+
+func (msg *MsgProcessThrottleUnix) HandleMessage() *tetragon.GetEventsResponse {
+	k := GetProcessThrottle(msg)
+	if k == nil {
+		return nil
+	}
+	return &tetragon.GetEventsResponse{
+		Event:    &tetragon.GetEventsResponse_ProcessThrottle{ProcessThrottle: k},
+		NodeName: nodeName,
+	}
+}
+
+func (msg *MsgProcessThrottleUnix) Cast(o interface{}) notify.Message {
+	t := o.(MsgProcessThrottleUnix)
+	return &t
+}
diff --git a/pkg/sensors/exec/exec.go b/pkg/sensors/exec/exec.go
@@ -224,6 +224,28 @@ func handleCgroupEvent(r *bytes.Reader) ([]observer.Event, error) {
 	return []observer.Event{msgUnix}, nil
 }
 
+type OpVal uint8
+
+func (op OpVal) EventType() int32 {
+	return [...]int32{
+		5:  1, // ops.MSG_OP_EXECVE -> tetragon.PROCESS_EXEC
+		23: 5, // ops.MSG_OP_CLONE  -> tetragon.PROCESS_EXIT
+	}[op]
+}
+
+func handleThrottleEvent(r *bytes.Reader) ([]observer.Event, error) {
+	m := processapi.MsgThrottle{}
+	err := binary.Read(r, binary.LittleEndian, &m)
+	if err != nil {
+		return nil, err
+	}
+	msg := &exec.MsgProcessThrottleUnix{
+		Msg:   &m,
+		Event: m.Event,
+	}
+	return []observer.Event{msg}, nil
+}
+
 type execProbe struct{}
 
 func (e *execProbe) LoadProbe(args sensors.LoadProbeArgs) error {
@@ -245,4 +267,5 @@ func AddExec() {
 	observer.RegisterEventHandlerAtInit(ops.MSG_OP_EXIT, handleExit)
 	observer.RegisterEventHandlerAtInit(ops.MSG_OP_CLONE, handleClone)
 	observer.RegisterEventHandlerAtInit(ops.MSG_OP_CGROUP, handleCgroupEvent)
+	observer.RegisterEventHandlerAtInit(ops.MSG_OP_THROTTLE, handleThrottleEvent)
 }