From 4db97fa3ff50b9652a2a13185e0f6bebe3eb3455 Mon Sep 17 00:00:00 2001
From: Jiri Olsa
Date: Mon, 3 Jul 2023 15:43:50 +0000
Subject: [PATCH] tetragon: Add notify killer action
Adding support to notify killer program attached to syscalls with another action spec, like: matchActions: - action: "NotifyKiller" argError: -1 argSig: 9 It's possible to specify error for override and signal number to kill the current process with.
Signed-off-by: Jiri Olsa
---
bpf/process/bpf_generic_tracepoint.c | 3 ++
bpf/process/types/basic.h | 17 ++++++
pkg/selectors/kernel.go | 80 +++++++++++++++-------------
3 files changed, 63 insertions(+), 37 deletions(-)
diff --git a/bpf/process/bpf_generic_tracepoint.c b/bpf/process/bpf_generic_tracepoint.c
index efb6b039d1d..b3db429c7d1 100644
--- a/bpf/process/bpf_generic_tracepoint.c
+++ b/bpf/process/bpf_generic_tracepoint.c
@@ -6,6 +6,9 @@
 #include "bpf_event.h"
 #include "bpf_task.h"
+
+#define GENERIC_TRACEPOINT
+
 #include "retprobe_map.h"
 #include "types/operations.h"
 #include "types/basic.h"
diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
index aa0dc8baa7e..5c7e0bbc5d6 100644
--- a/bpf/process/types/basic.h
+++ b/bpf/process/types/basic.h
@@ -19,6 +19,7 @@
 #include "../addr_lpm_maps.h"
 #include "common.h"
 #include "process/data_event.h"
+#include "process/bpf_killer.h"
 /* Type IDs form API with user space generickprobe.go */
 enum {
@@ -83,6 +84,7 @@ enum {
 ACTION_SIGNAL = 9,
 ACTION_TRACKSOCK = 10,
 ACTION_UNTRACKSOCK = 11,
+ ACTION_NOTIFY_KILLER = 12,
 };
 enum {
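Review bot: The bare `#define GENERIC_TRACEPOINT` added before the includes in bpf_generic_tracepoint.c carries an unstated contract with types/basic.h, which tests `#ifdef GENERIC_TRACEPOINT` to choose between a real `do_action_notify_killer` and an empty macro. A comment at the define would make that visible and explain why it has to precede `#include "types/basic.h"`: `/* Must precede types/basic.h: enables the NotifyKiller action, which other program types compile out. */`. The basic.h hunks on this line are include and enum additions and need nothing beyond that.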
@@ -1796,6 +1798,16 @@ update_pid_tid_from_sock(struct msg_generic_kprobe *e, __u64 sockaddr)
 }
 #endif
+#ifdef GENERIC_TRACEPOINT
+static inline __attribute__((always_inline)) void
+do_action_notify_killer(int error, int signal)
+{
+ do_killer_action(error, signal);
+}
+#else
+#define do_action_notify_killer(error, signal)
+#endif
+
 static inline __attribute__((always_inline)) __u32
 do_action(__u32 i, struct msg_generic_kprobe *e,
 struct selector_action *actions, struct bpf_map_def *override_tasks, bool *post)
@@ -1865,6 +1877,11 @@ do_action(__u32 i, struct msg_generic_kprobe *e,
 socki = actions->act[++i];
 err = tracksock(e, socki, action == ACTION_TRACKSOCK);
 break;
+ case ACTION_NOTIFY_KILLER:
+ error = actions->act[++i];
+ signal = actions->act[++i];
+ do_action_notify_killer(error, signal);
+ break;
 default:
 break;
 }
diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go
index 7a48e73b819..6f66e2d28e1 100644
--- a/pkg/selectors/kernel.go
+++ b/pkg/selectors/kernel.go
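Review bot: The `#else` branch makes `do_action_notify_killer(error, signal)` expand to nothing, so outside the generic tracepoint program an ACTION_NOTIFY_KILLER entry is consumed from the selector and silently dropped: the policy claims to override or kill, user space accepts `notifykiller` for the selector, and no enforcement happens. Either reject the action in ParseMatchAction for program types that do not define GENERIC_TRACEPOINT, or at least make the no-op explicit at the new `case ACTION_NOTIFY_KILLER:` in the second hunk (@@ -1865) with `/* no-op unless GENERIC_TRACEPOINT is defined; other program types skip this action silently */`. `error` and `signal` are assigned from `actions->act[++i]` with no visible declaration, so they are presumably the locals the existing override/signal cases use; worth confirming their declared types match the `int error, int signal` parameters. do_action's signature is in the first hunk but its body, including those declarations, continues outside both hunks.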
@@ -19,49 +19,52 @@ import (
 )
 const (
- ActionTypeInvalid = -1
- ActionTypePost = 0
- ActionTypeFollowFd = 1
- ActionTypeSigKill = 2
- ActionTypeUnfollowFd = 3
- ActionTypeOverride = 4
- ActionTypeCopyFd = 5
- ActionTypeGetUrl = 6
- ActionTypeDnsLookup = 7
- ActionTypeNoPost = 8
- ActionTypeSignal = 9
- ActionTypeTrackSock = 10
- ActionTypeUntrackSock = 11
+ ActionTypeInvalid = -1
+ ActionTypePost = 0
+ ActionTypeFollowFd = 1
+ ActionTypeSigKill = 2
+ ActionTypeUnfollowFd = 3
+ ActionTypeOverride = 4
+ ActionTypeCopyFd = 5
+ ActionTypeGetUrl = 6
+ ActionTypeDnsLookup = 7
+ ActionTypeNoPost = 8
+ ActionTypeSignal = 9
+ ActionTypeTrackSock = 10
+ ActionTypeUntrackSock = 11
+ ActionTypeNotifyKiller = 12
 )
 var actionTypeTable = map[string]uint32{
- "post": ActionTypePost,
- "followfd": ActionTypeFollowFd,
- "unfollowfd": ActionTypeUnfollowFd,
- "sigkill": ActionTypeSigKill,
- "override": ActionTypeOverride,
- "copyfd": ActionTypeCopyFd,
- "geturl": ActionTypeGetUrl,
- "dnslookup": ActionTypeDnsLookup,
- "nopost": ActionTypeNoPost,
- "signal": ActionTypeSignal,
- "tracksock": ActionTypeTrackSock,
- "untracksock": ActionTypeUntrackSock,
+ "post": ActionTypePost,
+ "followfd": ActionTypeFollowFd,
+ "unfollowfd": ActionTypeUnfollowFd,
+ "sigkill": ActionTypeSigKill,
+ "override": ActionTypeOverride,
+ "copyfd": ActionTypeCopyFd,
+ "geturl": ActionTypeGetUrl,
+ "dnslookup": ActionTypeDnsLookup,
+ "nopost": ActionTypeNoPost,
+ "signal": ActionTypeSignal,
+ "tracksock": ActionTypeTrackSock,
+ "untracksock": ActionTypeUntrackSock,
+ "notifykiller": ActionTypeNotifyKiller,
 }
 var actionTypeStringTable = map[uint32]string{
- ActionTypePost: "post",
- ActionTypeFollowFd: "followfd",
- ActionTypeUnfollowFd: "unfollowfd",
- ActionTypeSigKill: "sigkill",
- ActionTypeOverride: "override",
- ActionTypeCopyFd: "copyfd",
- ActionTypeGetUrl: "geturl",
- ActionTypeDnsLookup: "dnslookup",
- ActionTypeNoPost: "nopost",
- ActionTypeSignal: "signal",
- ActionTypeTrackSock: "tracksock",
- ActionTypeUntrackSock: "untracksock",
+ ActionTypePost: "post",
+ ActionTypeFollowFd: "followfd",
+ ActionTypeUnfollowFd: "unfollowfd",
+ ActionTypeSigKill: "sigkill",
+ ActionTypeOverride: "override",
+ ActionTypeCopyFd: "copyfd",
+ ActionTypeGetUrl: "geturl",
+ ActionTypeDnsLookup: "dnslookup",
+ ActionTypeNoPost: "nopost",
+ ActionTypeSignal: "signal",
+ ActionTypeTrackSock: "tracksock",
+ ActionTypeUntrackSock: "untracksock",
+ ActionTypeNotifyKiller: "notifykiller",
 }
 // Action argument table entry (for URL and FQDN arguments)
@@ -869,6 +872,9 @@ func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, a
 case ActionTypeSigKill:
 // no arguments
 // NB: we should deprecate this action and just use ActionTypeSignal with SIGKILL
+ case ActionTypeNotifyKiller:
+ WriteSelectorInt32(k, action.ArgError)
+ WriteSelectorUint32(k, action.ArgSig)
 default:
 return fmt.Errorf("ParseMatchAction: act %d (%s) is missing a handler", act, actionTypeStringTable[act])
 }
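Review bot: `ActionTypeNotifyKiller` has to be added in three hand-maintained places that must agree with each other (the constant, actionTypeTable and actionTypeStringTable) and with `ACTION_NOTIFY_KILLER = 12` in bpf/process/types/basic.h, and nothing checks that the two maps remain inverses. Deriving actionTypeStringTable from actionTypeTable at package init removes one copy and makes a future omission impossible; the coupling to the BPF enum still deserves a comment on the const block, e.g. `// Action type values form the ABI with the ACTION_* enum in bpf/process/types/basic.h; keep both in sync.`.
```go
// actionTypeStringTable is the inverse of actionTypeTable, built once so the
// two cannot drift apart.
var actionTypeStringTable = func() map[uint32]string {
	m := make(map[uint32]string, len(actionTypeTable))
	for name, id := range actionTypeTable {
		m[id] = name
	}
	return m
}()
```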
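Review bot: The new `case ActionTypeNotifyKiller` writes `action.ArgError` and `action.ArgSig` into the selector blob with no range check, so a policy carrying an out-of-range signal number or a positive argError reaches `do_action_notify_killer` in the BPF program as-is. The existing ActionTypeSignal and ActionTypeOverride cases, which take the same two fields, sit outside this hunk; whatever validation they apply belongs here too, and the expected values should be stated at the case, e.g. `// NotifyKiller: argError is the error used for override, argSig the signal to deliver; both are written unchecked and the order must match do_action in basic.h.`. ParseMatchAction starts and ends outside the hunk.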