From 8e691584affae5d6afb59cb8a5801592f46c9cf0 Mon Sep 17 00:00:00 2001 From: Kevin Sheldrake Date: Thu, 29 Feb 2024 17:02:09 +0000 Subject: [PATCH] Tracepoints: Add support for data_loc params Tracepoint strings are typically presented as data_loc buffers. This commit provides support for these when they hold strings. Signed-off-by: Kevin Sheldrake --- bpf/process/bpf_generic_tracepoint.c | 11 +++++++++++ bpf/process/types/basic.h | 18 ++++++++++++++---- pkg/generictypes/generictypes.go | 4 ++++ .../v1alpha1/cilium.io_tracingpolicies.yaml | 4 ++++ .../cilium.io_tracingpoliciesnamespaced.yaml | 4 ++++ pkg/k8s/apis/cilium.io/v1alpha1/types.go | 2 +- pkg/k8s/apis/cilium.io/v1alpha1/version.go | 2 +- pkg/selectors/kernel.go | 6 +++++- pkg/sensors/tracing/generictracepoint.go | 2 +- .../v1alpha1/cilium.io_tracingpolicies.yaml | 4 ++++ .../cilium.io_tracingpoliciesnamespaced.yaml | 4 ++++ .../pkg/k8s/apis/cilium.io/v1alpha1/types.go | 2 +- .../pkg/k8s/apis/cilium.io/v1alpha1/version.go | 2 +- 13 files changed, 55 insertions(+), 10 deletions(-) diff --git a/bpf/process/bpf_generic_tracepoint.c b/bpf/process/bpf_generic_tracepoint.c index bab84891bdb..544db7e0ea2 100644 --- a/bpf/process/bpf_generic_tracepoint.c +++ b/bpf/process/bpf_generic_tracepoint.c @@ -68,12 +68,14 @@ static inline __attribute__((always_inline)) unsigned long get_ctx_ul(void *src, case s64_ty: case u64_ty: { u64 ret; + probe_read(&ret, sizeof(u64), src); return ret; } case size_type: { size_t ret; + probe_read(&ret, sizeof(size_t), src); return (unsigned long)ret; } @@ -81,6 +83,7 @@ static inline __attribute__((always_inline)) unsigned long get_ctx_ul(void *src, case nop_s32_ty: case s32_ty: { s32 ret; + probe_read(&ret, sizeof(u32), src); return ret; } @@ -88,6 +91,7 @@ static inline __attribute__((always_inline)) unsigned long get_ctx_ul(void *src, case nop_u32_ty: case u32_ty: { u32 ret; + probe_read(&ret, sizeof(u32), src); return ret; } 
@@ -99,6 +103,13 @@ static inline __attribute__((always_inline)) unsigned long get_ctx_ul(void *src, return (unsigned long)buff; } + case data_loc_type: { + u32 ret; + + probe_read(&ret, sizeof(ret), src); + return ret; + } + case const_buf_type: { return (unsigned long)src; } diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h index e4fe4e1cf65..17004794748 100644 --- a/bpf/process/types/basic.h +++ b/bpf/process/types/basic.h @@ -75,6 +75,8 @@ enum { linux_binprm_type = 37, + data_loc_type = 38, + nop_s64_ty = -10, nop_u64_ty = -11, nop_u32_ty = -12, @@ -478,15 +480,15 @@ copy_path(char *args, const struct path *arg) } static inline __attribute__((always_inline)) long -copy_strings(char *args, unsigned long arg) +copy_strings(char *args, char *arg, int max_size) { int *s = (int *)args; long size; // probe_read_str() always nul-terminates the string. // So add one to the length to allow for it. This should - // result in us honouring our MAX_STRING correctly. - size = probe_read_str(&args[4], MAX_STRING + 1, (char *)arg); + // result in us honouring our max_size correctly. + size = probe_read_str(&args[4], max_size + 1, arg); if (size <= 1) return invalid_ty; // Remove the nul character from end. @@ -1801,6 +1803,7 @@ selector_arg_offset(__u8 *f, struct msg_generic_kprobe *e, __u32 selidx, pass &= filter_file_buf(filter, (struct string_buf *)args); break; case string_type: + case data_loc_type: /* for strings, we just encode the length */ pass &= filter_char_buf(filter, args, 4); break; 
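Review bot: In the new `case data_loc_type` of get_ctx_ul, `ret` is left uninitialised and the return value of `probe_read` is ignored, so a failed read returns whatever was on the stack. The integer cases above do the same, but this value appears to be split into an offset and a length by read_call_arg later in the patch, so garbage here selects an arbitrary region to copy. Declaring it as `u32 ret = 0;` makes a failed read decode as offset 0 / length 0, which copy_strings already turns into `invalid_ty` through its `size <= 1` check. get_ctx_ul starts and ends outside the hunk.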
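Review bot: copy_strings now takes `max_size` from its caller and passes `max_size + 1` straight to `probe_read_str` on `&args[4]`, with nothing left in the function that ties the write to the capacity the old `MAX_STRING` constant guaranteed. The data_loc caller added to read_call_arg later in this patch can pass up to 4095; the value of MAX_STRING and the size of the argument slot are not visible here, so confirm the slot is sized for that. A guard at the top of the function, such as `if (max_size > MAX_STRING) max_size = MAX_STRING;`, would keep the bound in one place for every caller. The new parameter also deserves a comment, for example `/* max_size: maximum bytes to copy, excluding the trailing nul */`.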
@@ -2586,8 +2589,15 @@ read_call_arg(void *ctx, struct msg_generic_kprobe *e, int index, int type, } // fallthrough to copy_string case string_type: - size = copy_strings(args, arg); + size = copy_strings(args, (char *)arg, MAX_STRING); break; + case data_loc_type: { + // data_loc: lower 16 bits is offset from ctx; upper 16 bits is length + long dl_len = (arg >> 16) & 0xfff; // masked to 4095 chars + char *dl_loc = ctx + (arg & 0xffff); + + size = copy_strings(args, dl_loc, dl_len); + } break; case syscall64_type: case size_type: case s64_ty: diff --git a/pkg/generictypes/generictypes.go b/pkg/generictypes/generictypes.go index 3dbb749f30f..d2f5a151f7c 100644 --- a/pkg/generictypes/generictypes.go +++ b/pkg/generictypes/generictypes.go @@ -51,6 +51,8 @@ const ( GenericLinuxBinprmType = 37 + GenericDataLoc = 38 + GenericNopType = -1 GenericInvalidType = -2 ) @@ -131,6 +133,8 @@ func GenericTypeFromString(arg string) int { return GenericCapEffective case "linux_binprm": return GenericLinuxBinprmType + case "data_loc": + return GenericDataLoc default: return GenericInvalidType } diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index e1a961f362e..d83ff0becce 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -131,6 +131,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index @@ -227,6 +228,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index @@ -876,6 +878,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index @@ -1431,6 +1434,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index 
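Review bot: In the new `case data_loc_type` the comment says the upper 16 bits hold the length, but `& 0xfff` keeps only 12 of them, so a length of 4096 or more wraps instead of being truncated (4096 becomes 0, which copy_strings reports as `invalid_ty`; 5000 becomes 904). For a monitoring event that means a long string is dropped or cut at an arbitrary point with no indication in the output. Taking all 16 bits and then clamping keeps the 4095 cap without the wrap: `long dl_len = (arg >> 16) & 0xffff;` followed by `if (dl_len > 0xfff) dl_len = 0xfff;` (if the mask is what gives the BPF verifier its bound, keep a mask after the clamp). read_call_arg begins and ends outside the hunk.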
diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 27d2b6f9fdd..da8deb3a2d9 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -131,6 +131,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index @@ -227,6 +228,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index @@ -876,6 +878,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index @@ -1431,6 +1434,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 3b1b22a97cd..9dd87f6a1c9 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -55,7 +55,7 @@ type KProbeArg struct { // +kubebuilder:validation:Minimum=0 // Position of the argument. Index uint32 `json:"index"` - // +kubebuilder:validation:Enum=auto;int;int8;uint8;int16;uint16;uint32;int32;uint64;int64;char_buf;char_iovec;size_t;skb;sock;string;fd;file;filename;path;nop;bpf_attr;perf_event;bpf_map;user_namespace;capability;kiocb;iov_iter;cred;load_info;module;syscall64;kernel_cap_t;cap_inheritable;cap_permitted;cap_effective;linux_binprm + // +kubebuilder:validation:Enum=auto;int;int8;uint8;int16;uint16;uint32;int32;uint64;int64;char_buf;char_iovec;size_t;skb;sock;string;fd;file;filename;path;nop;bpf_attr;perf_event;bpf_map;user_namespace;capability;kiocb;iov_iter;cred;load_info;module;syscall64;kernel_cap_t;cap_inheritable;cap_permitted;cap_effective;linux_binprm;data_loc // +kubebuilder:default=auto // Argument type. Type string `json:"type"` 
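Review bot: Adding `data_loc` to the `Enum` marker on `KProbeArg.Type` makes the CRD accept it wherever a KProbeArg is used, while the decoder in bpf/process/types/basic.h computes the string address as `ctx + (arg & 0xffff)`, which is only meaningful when ctx is a tracepoint record. Whether the other hook types that share KProbeArg reject `data_loc` at policy load is not visible in this patch; if they do not, a mistyped policy would make the BPF program read from an unrelated context. At minimum the field comment should say so, e.g. `// Argument type. data_loc is valid for tracepoint arguments only.`, and a load-time check in the non-tracepoint sensors would be stronger.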
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/pkg/k8s/apis/cilium.io/v1alpha1/version.go index c244cfd50a1..47b1babd1bf 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/version.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/version.go @@ -7,4 +7,4 @@ package v1alpha1 // Used to determine if CRD needs to be updated in cluster // // Developers: Bump patch for each change in the CRD schema. -const CustomResourceDefinitionSchemaVersion = "1.1.6" +const CustomResourceDefinitionSchemaVersion = "1.1.7" diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go index 296603c69bb..702b6eb9340 100644 --- a/pkg/selectors/kernel.go +++ b/pkg/selectors/kernel.go @@ -178,6 +178,8 @@ const ( argTypeSyscall64 = 28 argTypeLinuxBinprm = 29 + + argTypeDataLoc = 38 ) var argTypeTable = map[string]uint32{ @@ -199,6 +201,7 @@ var argTypeTable = map[string]uint32{ "fqdn": argTypeFqdn, "syscall64": argTypeSyscall64, "linux_binprm": argTypeLinuxBinprm, + "data_loc": argTypeDataLoc, } var argTypeStringTable = map[uint32]string{ @@ -220,6 +223,7 @@ var argTypeStringTable = map[uint32]string{ argTypeFqdn: "fqdn", argTypeSyscall64: "syscall64", argTypeLinuxBinprm: "linux_binprm", + argTypeDataLoc: "data_loc", } const ( @@ -849,7 +853,7 @@ func ParseMatchArg(k *KernelSelectorState, arg *v1alpha1.ArgSelector, sig []v1al } case SelectorOpEQ, SelectorOpNEQ: switch ty { - case argTypeFd, argTypeFile, argTypePath, argTypeString, argTypeCharBuf, argTypeLinuxBinprm: + case argTypeFd, argTypeFile, argTypePath, argTypeString, argTypeCharBuf, argTypeLinuxBinprm, argTypeDataLoc: err := writeMatchStrings(k, arg.Values, ty) if err != nil { return fmt.Errorf("writeMatchStrings error: %w", err) diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go index 2b3293653b2..df0d742da8a 100644 --- a/pkg/sensors/tracing/generictracepoint.go +++ b/pkg/sensors/tracing/generictracepoint.go 
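Review bot: `argTypeDataLoc = 38` in the pkg/selectors/kernel.go const block jumps from the previous entry `argTypeLinuxBinprm = 29`, and nothing at the declaration explains the number. It appears to have to equal `data_loc_type = 38` in bpf/process/types/basic.h, since ParseMatchArg hands `ty` to `writeMatchStrings` and the BPF filter switches on `case data_loc_type`. A comment on the line, `// must match data_loc_type in bpf/process/types/basic.h`, would stop a later renumbering from silently routing match values to the wrong filter case. The neighbouring `argTypeLinuxBinprm = 29` differs from `GenericLinuxBinprmType = 37` in the generictypes.go hunk; whether the two tables are meant to share numbering is not visible here, but it is worth confirming while this block is being touched.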
@@ -745,7 +745,7 @@ func handleMsgGenericTracepoint( logger.GetLogger().Warnf("failed to read array argument: unexpected base type: %w", intTy.Base) } } - case gt.GenericStringType: + case gt.GenericStringType, gt.GenericDataLoc: if arg, err := parseString(r); err != nil { logger.GetLogger().WithError(err).Warn("error parsing arg type string") } else { diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index e1a961f362e..d83ff0becce 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -131,6 +131,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index @@ -227,6 +228,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index @@ -876,6 +878,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index @@ -1431,6 +1434,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 27d2b6f9fdd..da8deb3a2d9 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -131,6 +131,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index 
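Review bot: The new `gt.GenericDataLoc` arm reuses `parseString` and its warning text `"error parsing arg type string"`, so a failed data_loc decode cannot be told apart from a failed string decode in the logs. The BPF side can emit up to 4095 bytes for data_loc (the `0xfff` mask in read_call_arg), whereas plain strings are capped at MAX_STRING; parseString is outside the hunk, so confirm that any length limit it enforces accepts the larger value, otherwise those events are lost with only this warning. Naming the type in the message, e.g. `Warn("error parsing arg type string/data_loc")`, or logging the argument type as a field, would make that visible. handleMsgGenericTracepoint continues outside the hunk.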
@@ -227,6 +228,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index @@ -876,6 +878,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index @@ -1431,6 +1434,7 @@ spec: - cap_permitted - cap_effective - linux_binprm + - data_loc type: string required: - index diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 3b1b22a97cd..9dd87f6a1c9 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -55,7 +55,7 @@ type KProbeArg struct { // +kubebuilder:validation:Minimum=0 // Position of the argument. Index uint32 `json:"index"` - // +kubebuilder:validation:Enum=auto;int;int8;uint8;int16;uint16;uint32;int32;uint64;int64;char_buf;char_iovec;size_t;skb;sock;string;fd;file;filename;path;nop;bpf_attr;perf_event;bpf_map;user_namespace;capability;kiocb;iov_iter;cred;load_info;module;syscall64;kernel_cap_t;cap_inheritable;cap_permitted;cap_effective;linux_binprm + // +kubebuilder:validation:Enum=auto;int;int8;uint8;int16;uint16;uint32;int32;uint64;int64;char_buf;char_iovec;size_t;skb;sock;string;fd;file;filename;path;nop;bpf_attr;perf_event;bpf_map;user_namespace;capability;kiocb;iov_iter;cred;load_info;module;syscall64;kernel_cap_t;cap_inheritable;cap_permitted;cap_effective;linux_binprm;data_loc // +kubebuilder:default=auto // Argument type. Type string `json:"type"` diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go index c244cfd50a1..47b1babd1bf 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go 
@@ -7,4 +7,4 @@ package v1alpha1
 // Used to determine if CRD needs to be updated in cluster
 //
 // Developers: Bump patch for each change in the CRD schema.
-const CustomResourceDefinitionSchemaVersion = "1.1.6"
+const CustomResourceDefinitionSchemaVersion = "1.1.7"