tetragon: Add throttle logic to execve program

Signed-off-by: Jiri Olsa <[email protected]>
cilium · Mar 4, 2024 · 891e246 · 891e246
1 parent 95f598d
commit 891e246
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 4 deletions.
diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
@@ -8,12 +8,13 @@
 #include "bpf_task.h"
 #include "bpf_process_event.h"
 #include "bpf_helpers.h"
+#include "bpf_rate.h"
 
 char _license[] __attribute__((section("license"), used)) = "Dual BSD/GPL";
 
 struct {
 	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
-	__uint(max_entries, 1);
+	__uint(max_entries, 2);
 	__uint(key_size, sizeof(__u32));
 	__uint(value_size, sizeof(__u32));
 } execve_calls SEC(".maps");
@@ -235,14 +236,22 @@ event_execve(struct sched_execve_args *ctx)
 	return 0;
 }
 
+__attribute__((section("tracepoint/0"), used)) int
+execve_rate(struct sched_execve_args *ctx)
+{
+	if (execve_cgroup_rate(ctx))
+		tail_call(ctx, &execve_calls, 1);
+	return 0;
+}
+
 /**
  * execve_send() sends the collected execve event data.
  *
  * This function is the last tail call of the execve event, its sole purpose
  * is to update the pid execve_map entry to reflect the new execve event that
  * has already been collected, then send it to the perf buffer.
  */
-__attribute__((section("tracepoint/0"), used)) int
+__attribute__((section("tracepoint/1"), used)) int
 execve_send(struct sched_execve_args *ctx)
 {
 	struct msg_execve_event *event;

diff --git a/bpf/process/bpf_rate.h b/bpf/process/bpf_rate.h
@@ -5,6 +5,7 @@
 #define __RATE_H__
 
 #include "bpf_tracing.h"
+#include "bpf_time.h"
 
 struct cgroup_rate_key {
 	__u8 op;
@@ -123,4 +124,27 @@ send_throttle(struct sched_execve_args *ctx, __u8 event)
 				 BPF_F_CURRENT_CPU, msg, size);
 }
 
+static inline __attribute__((always_inline)) bool
+execve_cgroup_rate(struct sched_execve_args *ctx)
+{
+	struct cgroup_rate_key key = { .op = MSG_OP_EXECVE };
+	struct cgroup_rate_settings settings = {
+		.tokens      = 1000,
+		.interval_ns = 1 * NSEC_PER_SEC,
+		.throttle_ns = 5 * NSEC_PER_SEC,
+	};
+	struct msg_execve_event *msg;
+	bool throttle = false, send;
+
+	msg = map_lookup_elem(&execve_msg_heap_map, &(__u32){ 0 });
+	if (!msg)
+		return 0;
+
+	key.cgroupid = msg->kube.cgrpid;
+	send = cgroup_rate(&key, msg->common.ktime, &settings, &throttle);
+	if (throttle)
+		send_throttle(ctx, MSG_OP_EXECVE);
+	return send;
+}
+
 #endif /* __RATE_H__ */
diff --git a/bpf/process/bpf_time.h b/bpf/process/bpf_time.h
@@ -0,0 +1,11 @@
+/* SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) */
+/* Copyright Authors of Cilium */
+
+#ifndef __LIB_TIME_H_
+#define __LIB_TIME_H_
+
+#define NSEC_PER_SEC  (1000ULL * 1000ULL * 1000UL)
+#define NSEC_PER_MSEC (1000ULL * 1000ULL)
+#define NSEC_PER_USEC (1000UL)
+
+#endif /* __LIB_TIME_H_ */
diff --git a/pkg/testutils/sensors/load.go b/pkg/testutils/sensors/load.go
@@ -135,12 +135,13 @@ func mergeInBaseSensorMaps(t *testing.T, sensorMaps []SensorMap, sensorProgs []S
 		2: SensorProg{Name: "event_wake_up_new_task", Type: ebpf.Kprobe},
 		3: SensorProg{Name: "execve_send", Type: ebpf.TracePoint},
 		4: SensorProg{Name: "tg_kp_bprm_committing_creds", Type: ebpf.Kprobe},
+		5: SensorProg{Name: "execve_rate", Type: ebpf.TracePoint},
 	}
 
 	var baseMaps = []SensorMap{
 		// all programs
-		SensorMap{Name: "execve_map", Progs: []uint{0, 1, 2, 3, 4}},
-		SensorMap{Name: "tcpmon_map", Progs: []uint{0, 1, 2, 3}},
+		SensorMap{Name: "execve_map", Progs: []uint{0, 1, 2, 3, 4, 5}},
+		SensorMap{Name: "tcpmon_map", Progs: []uint{0, 1, 2, 3, 5}},
 
 		// all but event_execve
 		SensorMap{Name: "execve_map_stats", Progs: []uint{1, 2}},