From b5df4ea1ae89dfebf3b7730c0cfdc3a6349f9c08 Mon Sep 17 00:00:00 2001 From: Kevin Sheldrake Date: Thu, 29 Feb 2024 19:07:55 +0000 Subject: [PATCH] Tracepoints: Add support for skb and sock types Tracepoints can have socket and datagram pointers as parameters. This commit adds support for them. Signed-off-by: Kevin Sheldrake --- bpf/process/bpf_generic_tracepoint.c | 14 +++++++ pkg/grpc/tracing/tracing.go | 50 ++++++++++++++++++++++++ pkg/sensors/tracing/generictracepoint.go | 44 +++++++++++++++++++++ 3 files changed, 108 insertions(+) diff --git a/bpf/process/bpf_generic_tracepoint.c b/bpf/process/bpf_generic_tracepoint.c index 89cf728d628..f84367b9b23 100644 --- a/bpf/process/bpf_generic_tracepoint.c +++ b/bpf/process/bpf_generic_tracepoint.c @@ -114,6 +114,20 @@ static inline __attribute__((always_inline)) unsigned long get_ctx_ul(void *src, return (unsigned long)src; } + case skb_type: { + struct sk_buff *skb; + + probe_read(&skb, sizeof(struct sk_buff *), src); + return (unsigned long)skb; + } + + case sock_type: { + struct sock *sk; + + probe_read(&sk, sizeof(struct sock *), src); + return (unsigned long)sk; + } + default: case nop_ty: return 0; diff --git a/pkg/grpc/tracing/tracing.go b/pkg/grpc/tracing/tracing.go index 4162a8ce950..1b2239747b6 100644 --- a/pkg/grpc/tracing/tracing.go +++ b/pkg/grpc/tracing/tracing.go @@ -385,6 +385,16 @@ func (msg *MsgGenericTracepointUnix) Retry(internal *process.ProcessInternal, ev return eventcache.HandleGenericEvent(internal, ev, &msg.Msg.Tid) } +func familyString(family uint16) string { + switch family { + case unix.AF_INET: + return "AF_INET" + case unix.AF_INET6: + return "AF_INET6" + } + return "" +} + func (msg *MsgGenericTracepointUnix) HandleMessage() *tetragon.GetEventsResponse { var tetragonParent, tetragonProcess *tetragon.Process @@ -430,6 +440,46 @@ func (msg *MsgGenericTracepointUnix) HandleMessage() *tetragon.GetEventsResponse BytesArg: v, }}) + case tracingapi.MsgGenericKprobeArgSkb: + skb := tetragon.KprobeSkb{ + Family: familyString(v.Family), + Hash: v.Hash, + Len: v.Len, + Priority: v.Priority, + Mark: v.Mark, + Saddr: v.Saddr, + Daddr: v.Daddr, + Sport: v.Sport, + Dport: v.Dport, + Proto: v.Proto, + Protocol: network.InetProtocol(uint16(v.Proto)), + SecPathLen: v.SecPathLen, + SecPathOlen: v.SecPathOLen, + } + + tetragonArgs = append(tetragonArgs, &tetragon.KprobeArgument{Arg: &tetragon.KprobeArgument_SkbArg{ + SkbArg: &skb, + }}) + + case tracingapi.MsgGenericKprobeArgSock: + sk := tetragon.KprobeSock{ + Family: familyString(v.Family), + Type: network.InetType(v.Type), + Protocol: network.InetProtocol(uint16(v.Protocol)), + Mark: v.Mark, + Priority: v.Priority, + Saddr: v.Saddr, + Daddr: v.Daddr, + Sport: v.Sport, + Dport: v.Dport, + Cookie: v.Sockaddr, + State: network.TcpState(v.State), + } + + tetragonArgs = append(tetragonArgs, &tetragon.KprobeArgument{Arg: &tetragon.KprobeArgument_SockArg{ + SockArg: &sk, + }}) + default: logger.GetLogger().Warnf("handleGenericTracepointMessage: unhandled value: %+v (%T)", arg, arg) } diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go index 1c4f3afdae5..2e8274195c4 100644 --- a/pkg/sensors/tracing/generictracepoint.go +++ b/pkg/sensors/tracing/generictracepoint.go @@ -24,6 +24,7 @@ import ( "github.com/cilium/tetragon/pkg/observer" "github.com/cilium/tetragon/pkg/option" "github.com/cilium/tetragon/pkg/policyfilter" + "github.com/cilium/tetragon/pkg/reader/network" "github.com/cilium/tetragon/pkg/selectors" "github.com/cilium/tetragon/pkg/sensors" "github.com/cilium/tetragon/pkg/sensors/program" @@ -754,6 +755,49 @@ func handleMsgGenericTracepoint( } else { unix.Args = append(unix.Args, arg) } + case gt.GenericSkbType: + var skb api.MsgGenericKprobeSkb + var arg api.MsgGenericKprobeArgSkb + + err := binary.Read(r, binary.LittleEndian, &skb) + if err != nil { + logger.GetLogger().WithError(err).Warnf("skb type err") + } + + arg.Hash = skb.Hash + arg.Len = skb.Len + arg.Priority = skb.Priority + arg.Mark = skb.Mark + arg.Family = skb.Tuple.Family + arg.Saddr = network.GetIP(skb.Tuple.Saddr, skb.Tuple.Family).String() + arg.Daddr = network.GetIP(skb.Tuple.Daddr, skb.Tuple.Family).String() + arg.Sport = uint32(skb.Tuple.Sport) + arg.Dport = uint32(skb.Tuple.Dport) + arg.Proto = uint32(skb.Tuple.Protocol) + arg.SecPathLen = skb.SecPathLen + arg.SecPathOLen = skb.SecPathOLen + unix.Args = append(unix.Args, arg) + case gt.GenericSockType: + var sock api.MsgGenericKprobeSock + var arg api.MsgGenericKprobeArgSock + + err := binary.Read(r, binary.LittleEndian, &sock) + if err != nil { + logger.GetLogger().WithError(err).Warnf("sock type err") + } + + arg.Family = sock.Tuple.Family + arg.State = sock.State + arg.Type = sock.Type + arg.Protocol = sock.Tuple.Protocol + arg.Mark = sock.Mark + arg.Priority = sock.Priority + arg.Saddr = network.GetIP(sock.Tuple.Saddr, sock.Tuple.Family).String() + arg.Daddr = network.GetIP(sock.Tuple.Daddr, sock.Tuple.Family).String() + arg.Sport = uint32(sock.Tuple.Sport) + arg.Dport = uint32(sock.Tuple.Dport) + arg.Sockaddr = sock.Sockaddr + unix.Args = append(unix.Args, arg) default: logger.GetLogger().Warnf("handleGenericTracepoint: ignoring: %+v", out)