diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
index a00ae3a115f..8b2bb51f1fe 100644
--- a/bpf/process/bpf_execve_event.c
+++ b/bpf/process/bpf_execve_event.c
@@ -8,12 +8,13 @@
 #include "bpf_task.h"
 #include "bpf_process_event.h"
 #include "bpf_helpers.h"
+#include "bpf_rate.h"
 char _license[] __attribute__((section("license"), used)) = "Dual BSD/GPL";
 struct {
 __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
- __uint(max_entries, 1);
+ __uint(max_entries, 2);
 __uint(key_size, sizeof(__u32));
 __uint(value_size, sizeof(__u32));
 } execve_calls SEC(".maps");
@@ -235,6 +236,14 @@ event_execve(struct sched_execve_args *ctx)
 return 0;
 }
+__attribute__((section("tracepoint/0"), used)) int
+execve_rate(struct sched_execve_args *ctx)
+{
+ if (execve_cgroup_rate(ctx))
+ tail_call(ctx, &execve_calls, 1);
+ return 0;
+}
+
 /**
 * execve_send() sends the collected execve event data.
 *
@@ -242,7 +251,7 @@ event_execve(struct sched_execve_args *ctx)
 * is to update the pid execve_map entry to reflect the new execve event that
 * has already been collected, then send it to the perf buffer.
 */
-__attribute__((section("tracepoint/0"), used)) int
+__attribute__((section("tracepoint/1"), used)) int
 execve_send(struct sched_execve_args *ctx)
 {
 struct msg_execve_event *event;
diff --git a/bpf/process/bpf_rate.h b/bpf/process/bpf_rate.h
index ae3df0d6c4e..25e726980e8 100644
--- a/bpf/process/bpf_rate.h
+++ b/bpf/process/bpf_rate.h
@@ -5,6 +5,7 @@
 #define __RATE_H__
 #include "bpf_tracing.h"
+#include "bpf_time.h"
 struct cgroup_rate_key {
 __u8 op;
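Review bot: When `execve_cgroup_rate()` returns false, `execve_rate()` returns without the tail call into slot 1, and going by the comment kept above `execve_send()` that skips the execve_map update as well as the perf output, so a throttled cgroup loses process-tracking state and not just events. If that is intended it should be stated on the new program, e.g. `/* execve_rate() gates execve_send() on the per-cgroup rate limit; while throttled neither the execve_map update nor the event is emitted. */`; if not, the map update has to move ahead of the rate check. The slot numbers are also spread over three hunks as bare literals (`max_entries, 2`, `tail_call(ctx, &execve_calls, 1)`, `section("tracepoint/1")`), which is easy to get out of step the next time a stage is inserted. `execve_send()`'s body lies outside the hunk, so the exact state it updates is inferred from its comment.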
@@ -123,4 +124,27 @@ send_throttle(struct sched_execve_args *ctx, __u8 event)
 BPF_F_CURRENT_CPU, msg, size);
 }
+static inline __attribute__((always_inline)) bool
+execve_cgroup_rate(struct sched_execve_args *ctx)
+{
+ struct cgroup_rate_key key = { .op = MSG_OP_EXECVE };
+ struct cgroup_rate_settings settings = {
+ .tokens = 1000,
+ .interval_ns = 1 * NSEC_PER_SEC,
+ .throttle_ns = 5 * NSEC_PER_SEC,
+ };
+ struct msg_execve_event *msg;
+ bool throttle = false, send;
+
+ msg = map_lookup_elem(&execve_msg_heap_map, &(__u32){ 0 });
+ if (!msg)
+ return 0;
+
+ key.cgroupid = msg->kube.cgrpid;
+ send = cgroup_rate(&key, msg->common.ktime, &settings, &throttle);
+ if (throttle)
+ send_throttle(ctx, MSG_OP_EXECVE);
+ return send;
+}
+
 #endif /* __RATE_H__ */
diff --git a/bpf/process/bpf_time.h b/bpf/process/bpf_time.h
new file mode 100644
index 00000000000..f672f1c3b7d
--- /dev/null
+++ b/bpf/process/bpf_time.h
@@ -0,0 +1,11 @@
+/* SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) */
+/* Copyright Authors of Cilium */
+
+#ifndef __LIB_TIME_H_
+#define __LIB_TIME_H_
+
+#define NSEC_PER_SEC (1000ULL * 1000ULL * 1000UL)
+#define NSEC_PER_MSEC (1000ULL * 1000ULL)
+#define NSEC_PER_USEC (1000UL)
+
+#endif /* __LIB_TIME_H_ */
diff --git a/pkg/testutils/sensors/load.go b/pkg/testutils/sensors/load.go
index 2d34ef05adb..a6c46531023 100644
--- a/pkg/testutils/sensors/load.go
+++ b/pkg/testutils/sensors/load.go
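Review bot: The limits in `execve_cgroup_rate()` are compiled in (`.tokens = 1000`, `.interval_ns = 1 * NSEC_PER_SEC`, `.throttle_ns = 5 * NSEC_PER_SEC`), so every cgroup gets the same cap with no way to tune or disable it, and whatever is dropped while a cgroup is throttled is a gap in exec visibility that is only signalled by the `send_throttle()` message. I would move the three values into named macros next to `NSEC_PER_SEC` with a comment giving their units and the reason for the defaults, and make sure the throttle message is documented as something to alert on. The `!msg` path returns `0` from a `bool` function and drops the event without any signal; `return false; /* no scratch event: drop */` states the choice. `key.cgroupid` is taken from `msg->kube.cgrpid` as is, so if that field can be 0 for tasks without a resolved cgroup (not visible here) they would all share one bucket.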
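Review bot: `NSEC_PER_SEC` mixes suffixes, `(1000ULL * 1000ULL * 1000UL)`, and `NSEC_PER_USEC` is `(1000UL)` while the other two macros are `unsigned long long`; the values are right, but the differing types can surface as format-string or comparison warnings where the macros are used. I would write `#define NSEC_PER_SEC (1000ULL * 1000ULL * 1000ULL)` and `#define NSEC_PER_USEC (1000ULL)`. The guard `__LIB_TIME_H_` uses a reserved double-underscore name, though `__RATE_H__` in bpf_rate.h suggests that is the existing convention in this directory.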
@@ -135,12 +135,13 @@ func mergeInBaseSensorMaps(t *testing.T, sensorMaps []SensorMap, sensorProgs []S
 2: SensorProg{Name: "event_wake_up_new_task", Type: ebpf.Kprobe},
 3: SensorProg{Name: "execve_send", Type: ebpf.TracePoint},
 4: SensorProg{Name: "tg_kp_bprm_committing_creds", Type: ebpf.Kprobe},
+ 5: SensorProg{Name: "execve_rate", Type: ebpf.TracePoint},
 }
 var baseMaps = []SensorMap{
 // all programs
- SensorMap{Name: "execve_map", Progs: []uint{0, 1, 2, 3, 4}},
- SensorMap{Name: "tcpmon_map", Progs: []uint{0, 1, 2, 3}},
+ SensorMap{Name: "execve_map", Progs: []uint{0, 1, 2, 3, 4, 5}},
+ SensorMap{Name: "tcpmon_map", Progs: []uint{0, 1, 2, 3, 5}},
 // all but event_execve
 SensorMap{Name: "execve_map_stats", Progs: []uint{1, 2}},
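Review bot: The `// all programs` comment above `execve_map` and `tcpmon_map` does not describe the second list, `[]uint{0, 1, 2, 3, 5}`, which leaves out program 4; I would split it, e.g. `// all programs` over `execve_map` and `// all but tg_kp_bprm_committing_creds` over `tcpmon_map`. `execve_rate` is registered as index 5 although it runs ahead of `execve_send` (index 3), which is fine for a lookup table but deserves a short comment because every `Progs` list refers to programs by number. Whether the maps used by the rate limiter itself need an entry in `baseMaps` cannot be seen from the hunk, and the slice continues past its last line.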