tetragon: Add notify killer action

Adding support to notify killer program attached to syscalls with another action spec, like: matchActions: - action: "NotifyKiller" argError: -1 argSig: 9 It's possible to specify error for override and signal number to kill the current process with. Signed-off-by: Jiri Olsa <[email protected]>
cilium · Sep 5, 2023 · 4db97fa · 4db97fa
1 parent 5deebcf
commit 4db97fa
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 37 deletions.
diff --git a/bpf/process/bpf_generic_tracepoint.c b/bpf/process/bpf_generic_tracepoint.c
@@ -6,6 +6,9 @@
 
 #include "bpf_event.h"
 #include "bpf_task.h"
+
+#define GENERIC_TRACEPOINT
+
 #include "retprobe_map.h"
 #include "types/operations.h"
 #include "types/basic.h"

diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
@@ -19,6 +19,7 @@
 #include "../addr_lpm_maps.h"
 #include "common.h"
 #include "process/data_event.h"
+#include "process/bpf_killer.h"
 
 /* Type IDs form API with user space generickprobe.go */
 enum {
@@ -83,6 +84,7 @@ enum {
 	ACTION_SIGNAL = 9,
 	ACTION_TRACKSOCK = 10,
 	ACTION_UNTRACKSOCK = 11,
+	ACTION_NOTIFY_KILLER = 12,
 };
 
 enum {
@@ -1796,6 +1798,16 @@ update_pid_tid_from_sock(struct msg_generic_kprobe *e, __u64 sockaddr)
 }
 #endif
 
+#ifdef GENERIC_TRACEPOINT
+static inline __attribute__((always_inline)) void
+do_action_notify_killer(int error, int signal)
+{
+	do_killer_action(error, signal);
+}
+#else
+#define do_action_notify_killer(error, signal)
+#endif
+
 static inline __attribute__((always_inline)) __u32
 do_action(__u32 i, struct msg_generic_kprobe *e,
 	  struct selector_action *actions, struct bpf_map_def *override_tasks, bool *post)
@@ -1865,6 +1877,11 @@ do_action(__u32 i, struct msg_generic_kprobe *e,
 		socki = actions->act[++i];
 		err = tracksock(e, socki, action == ACTION_TRACKSOCK);
 		break;
+	case ACTION_NOTIFY_KILLER:
+		error = actions->act[++i];
+		signal = actions->act[++i];
+		do_action_notify_killer(error, signal);
+		break;
 	default:
 		break;
 	}

diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go
@@ -19,49 +19,52 @@ import (
 )
 
 const (
-	ActionTypeInvalid     = -1
-	ActionTypePost        = 0
-	ActionTypeFollowFd    = 1
-	ActionTypeSigKill     = 2
-	ActionTypeUnfollowFd  = 3
-	ActionTypeOverride    = 4
-	ActionTypeCopyFd      = 5
-	ActionTypeGetUrl      = 6
-	ActionTypeDnsLookup   = 7
-	ActionTypeNoPost      = 8
-	ActionTypeSignal      = 9
-	ActionTypeTrackSock   = 10
-	ActionTypeUntrackSock = 11
+	ActionTypeInvalid      = -1
+	ActionTypePost         = 0
+	ActionTypeFollowFd     = 1
+	ActionTypeSigKill      = 2
+	ActionTypeUnfollowFd   = 3
+	ActionTypeOverride     = 4
+	ActionTypeCopyFd       = 5
+	ActionTypeGetUrl       = 6
+	ActionTypeDnsLookup    = 7
+	ActionTypeNoPost       = 8
+	ActionTypeSignal       = 9
+	ActionTypeTrackSock    = 10
+	ActionTypeUntrackSock  = 11
+	ActionTypeNotifyKiller = 12
 )
 
 var actionTypeTable = map[string]uint32{
-	"post":        ActionTypePost,
-	"followfd":    ActionTypeFollowFd,
-	"unfollowfd":  ActionTypeUnfollowFd,
-	"sigkill":     ActionTypeSigKill,
-	"override":    ActionTypeOverride,
-	"copyfd":      ActionTypeCopyFd,
-	"geturl":      ActionTypeGetUrl,
-	"dnslookup":   ActionTypeDnsLookup,
-	"nopost":      ActionTypeNoPost,
-	"signal":      ActionTypeSignal,
-	"tracksock":   ActionTypeTrackSock,
-	"untracksock": ActionTypeUntrackSock,
+	"post":         ActionTypePost,
+	"followfd":     ActionTypeFollowFd,
+	"unfollowfd":   ActionTypeUnfollowFd,
+	"sigkill":      ActionTypeSigKill,
+	"override":     ActionTypeOverride,
+	"copyfd":       ActionTypeCopyFd,
+	"geturl":       ActionTypeGetUrl,
+	"dnslookup":    ActionTypeDnsLookup,
+	"nopost":       ActionTypeNoPost,
+	"signal":       ActionTypeSignal,
+	"tracksock":    ActionTypeTrackSock,
+	"untracksock":  ActionTypeUntrackSock,
+	"notifykiller": ActionTypeNotifyKiller,
 }
 
 var actionTypeStringTable = map[uint32]string{
-	ActionTypePost:        "post",
-	ActionTypeFollowFd:    "followfd",
-	ActionTypeUnfollowFd:  "unfollowfd",
-	ActionTypeSigKill:     "sigkill",
-	ActionTypeOverride:    "override",
-	ActionTypeCopyFd:      "copyfd",
-	ActionTypeGetUrl:      "geturl",
-	ActionTypeDnsLookup:   "dnslookup",
-	ActionTypeNoPost:      "nopost",
-	ActionTypeSignal:      "signal",
-	ActionTypeTrackSock:   "tracksock",
-	ActionTypeUntrackSock: "untracksock",
+	ActionTypePost:         "post",
+	ActionTypeFollowFd:     "followfd",
+	ActionTypeUnfollowFd:   "unfollowfd",
+	ActionTypeSigKill:      "sigkill",
+	ActionTypeOverride:     "override",
+	ActionTypeCopyFd:       "copyfd",
+	ActionTypeGetUrl:       "geturl",
+	ActionTypeDnsLookup:    "dnslookup",
+	ActionTypeNoPost:       "nopost",
+	ActionTypeSignal:       "signal",
+	ActionTypeTrackSock:    "tracksock",
+	ActionTypeUntrackSock:  "untracksock",
+	ActionTypeNotifyKiller: "notifykiller",
 }
 
 // Action argument table entry (for URL and FQDN arguments)
@@ -869,6 +872,9 @@ func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, a
 	case ActionTypeSigKill:
 		// no arguments
 		// NB: we should deprecate this action and just use ActionTypeSignal with SIGKILL
+	case ActionTypeNotifyKiller:
+		WriteSelectorInt32(k, action.ArgError)
+		WriteSelectorUint32(k, action.ArgSig)
 	default:
 		return fmt.Errorf("ParseMatchAction: act %d (%s) is missing a handler", act, actionTypeStringTable[act])
 	}