tetragon: Setup execve_map max entries

Signed-off-by: Jiri Olsa <[email protected]>
cilium · Jan 7, 2025 · 7b664dd · 7b664dd
1 parent 0118a0d
commit 7b664dd
Show file tree

Hide file tree

Showing 7 changed files with 42 additions and 6 deletions.
diff --git a/bpf/lib/process.h b/bpf/lib/process.h
@@ -366,7 +366,7 @@ struct {
 
 struct {
 	__uint(type, BPF_MAP_TYPE_HASH);
-	__uint(max_entries, 32768);
+	__uint(max_entries, 1);
 	__type(key, __u32);
 	__type(value, struct execve_map_value);
 } execve_map SEC(".maps");

diff --git a/pkg/sensors/base/base.go b/pkg/sensors/base/base.go
@@ -5,6 +5,9 @@ package base
 
 import (
 	"log"
+	"os"
+	"strconv"
+	"strings"
 	"sync"
 	"testing"
 
@@ -55,7 +58,7 @@ var (
 	/* Event Ring map */
 	TCPMonMap = program.MapBuilder("tcpmon_map", Execve)
 	/* Networking and Process Monitoring maps */
-	ExecveMap          = program.MapBuilder("execve_map", Execve)
+	ExecveMap          = program.MapBuilder("execve_map", Execve, Exit, Fork, ExecveBprmCommit)
 	ExecveTailCallsMap = program.MapBuilderProgram("execve_calls", Execve)
 
 	ExecveJoinMap = program.MapBuilder("tg_execve_joined_info_map", ExecveBprmCommit)
@@ -73,7 +76,17 @@ var (
 	ErrMetricsMap = program.MapBuilder(errmetrics.MapName, Execve)
 )
 
-func setupPrograms() {
+func readFileDefault(path string, def int64) int64 {
+	if data, err := os.ReadFile(path); err == nil {
+		str := strings.TrimRight(string(data), "\n")
+		if val, err := strconv.ParseInt(str, 10, 32); err == nil {
+			return val
+		}
+	}
+	return def
+}
+
+func setupSensor() {
 	// exit program function
 	ks, err := ksyms.KernelSymbols()
 	if err == nil {
@@ -92,6 +105,10 @@ func setupPrograms() {
 		}
 	}
 	logger.GetLogger().Infof("Exit probe on %s", Exit.Attach)
+
+	threads := readFileDefault("/proc/sys/kernel/threads-max", 32768)
+	ExecveMap.SetMaxEntries(int(threads))
+	logger.GetLogger().Infof("Set execve_map entries %d", threads)
 }
 
 func GetExecveMap() *program.Map {
@@ -137,7 +154,7 @@ func initBaseSensor() *sensors.Sensor {
 	sensor := sensors.Sensor{
 		Name: basePolicy,
 	}
-	setupPrograms()
+	setupSensor()
 	sensor.Progs = GetDefaultPrograms()
 	sensor.Maps = GetDefaultMaps()
 	return ApplyExtensions(&sensor)

diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go
@@ -35,6 +35,7 @@ import (
 	"github.com/cilium/tetragon/pkg/policyfilter"
 	"github.com/cilium/tetragon/pkg/selectors"
 	"github.com/cilium/tetragon/pkg/sensors"
+	"github.com/cilium/tetragon/pkg/sensors/base"
 	"github.com/cilium/tetragon/pkg/sensors/program"
 	lru "github.com/hashicorp/golang-lru/v2"
 	"github.com/sirupsen/logrus"
@@ -379,6 +380,8 @@ func createMultiKprobeSensor(policyName string, multiIDs []idtable.EntryID, has
 	}
 	maps = append(maps, overrideTasksMap)
 
+	maps = append(maps, program.MapUser(base.ExecveMap.Name, load))
+
 	if len(multiRetIDs) != 0 {
 		loadret := program.Builder(
 			path.Join(option.Config.HubbleLib, loadProgRetName),
@@ -419,6 +422,8 @@ func createMultiKprobeSensor(policyName string, multiIDs []idtable.EntryID, has
 
 		retConfigMap.SetMaxEntries(len(multiRetIDs))
 		retFilterMap.SetMaxEntries(len(multiRetIDs))
+
+		maps = append(maps, program.MapUser(base.ExecveMap.Name, loadret))
 	}
 
 	return progs, maps, nil
@@ -1007,6 +1012,8 @@ func createKprobeSensorFromEntry(kprobeEntry *genericKprobe,
 	}
 	maps = append(maps, overrideTasksMap)
 
+	maps = append(maps, program.MapUser(base.ExecveMap.Name, load))
+
 	if kprobeEntry.loadArgs.retprobe {
 		pinRetProg := sensors.PathJoin(fmt.Sprintf("%s_return", kprobeEntry.funcName))
 		if kprobeEntry.instance != 0 {
@@ -1051,6 +1058,7 @@ func createKprobeSensorFromEntry(kprobeEntry *genericKprobe,
 			socktrack := program.MapBuilderSensor("socktrack_map", loadret)
 			maps = append(maps, socktrack)
 		}
+		maps = append(maps, program.MapUser(base.ExecveMap.Name, loadret))
 	}
 
 	logger.GetLogger().WithField("override", kprobeEntry.hasOverride).

diff --git a/pkg/sensors/tracing/genericlsm.go b/pkg/sensors/tracing/genericlsm.go
@@ -27,6 +27,7 @@ import (
 	"github.com/cilium/tetragon/pkg/policyfilter"
 	"github.com/cilium/tetragon/pkg/selectors"
 	"github.com/cilium/tetragon/pkg/sensors"
+	"github.com/cilium/tetragon/pkg/sensors/base"
 	"github.com/cilium/tetragon/pkg/sensors/program"
 )
 
@@ -518,6 +519,8 @@ func createLsmSensorFromEntry(lsmEntry *genericLsm,
 	overrideTasksMapOutput := program.MapBuilderProgram("override_tasks", loadOutput)
 	maps = append(maps, overrideTasksMapOutput)
 
+	maps = append(maps, program.MapUser(base.ExecveMap.Name, load, loadOutput))
+
 	logger.GetLogger().
 		Infof("Added generic lsm sensor: %s -> %s", load.Name, load.Attach)
 	return progs, maps

diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go
@@ -29,6 +29,7 @@ import (
 	"github.com/cilium/tetragon/pkg/reader/network"
 	"github.com/cilium/tetragon/pkg/selectors"
 	"github.com/cilium/tetragon/pkg/sensors"
+	"github.com/cilium/tetragon/pkg/sensors/base"
 	"github.com/cilium/tetragon/pkg/sensors/program"
 	"github.com/cilium/tetragon/pkg/syscallinfo"
 	"github.com/cilium/tetragon/pkg/tracepoint"
@@ -581,6 +582,8 @@ func createGenericTracepointSensor(
 
 		selMatchBinariesMap := program.MapBuilderProgram("tg_mb_sel_opts", prog0)
 		maps = append(maps, selMatchBinariesMap)
+
+		maps = append(maps, program.MapUser(base.ExecveMap.Name, prog0))
 	}
 
 	ret.Progs = progs

diff --git a/pkg/sensors/tracing/genericuprobe.go b/pkg/sensors/tracing/genericuprobe.go
@@ -24,6 +24,7 @@ import (
 	"github.com/cilium/tetragon/pkg/option"
 	"github.com/cilium/tetragon/pkg/selectors"
 	"github.com/cilium/tetragon/pkg/sensors"
+	"github.com/cilium/tetragon/pkg/sensors/base"
 	"github.com/cilium/tetragon/pkg/sensors/program"
 )
 
@@ -420,6 +421,7 @@ func createMultiUprobeSensor(sensorPath string, multiIDs []idtable.EntryID, poli
 	filterMap := program.MapBuilderProgram("filter_map", load)
 
 	maps = append(maps, configMap, tailCalls, filterMap)
+	maps = append(maps, program.MapUser(base.ExecveMap.Name, load))
 
 	filterMap.SetMaxEntries(len(multiIDs))
 	configMap.SetMaxEntries(len(multiIDs))
@@ -473,5 +475,6 @@ func createUprobeSensorFromEntry(uprobeEntry *genericUprobe,
 	filterMap := program.MapBuilderProgram("filter_map", load)
 	selMatchBinariesMap := program.MapBuilderProgram("tg_mb_sel_opts", load)
 	maps = append(maps, configMap, tailCalls, filterMap, selMatchBinariesMap)
+	maps = append(maps, program.MapUser(base.ExecveMap.Name, load))
 	return progs, maps
 }
diff --git a/pkg/sensors/tracing/loader.go b/pkg/sensors/tracing/loader.go
@@ -42,6 +42,7 @@ import (
 	"github.com/cilium/tetragon/pkg/observer"
 	"github.com/cilium/tetragon/pkg/policyfilter"
 	"github.com/cilium/tetragon/pkg/sensors"
+	"github.com/cilium/tetragon/pkg/sensors/base"
 	"github.com/cilium/tetragon/pkg/sensors/program"
 	"github.com/cilium/tetragon/pkg/strutils"
 	"github.com/cilium/tetragon/pkg/tracingpolicy"
@@ -67,7 +68,8 @@ var (
 		"loader",
 	)
 
-	idsMap = program.MapBuilder("ids_map", loader)
+	idsMap    = program.MapBuilder("ids_map", loader)
+	execveMap = program.MapUser(base.ExecveMap.Name, loader)
 
 	loaderEnabled bool
 
@@ -104,7 +106,7 @@ func GetLoaderSensor() *sensors.Sensor {
 	return &sensors.Sensor{
 		Name:  "__loader__",
 		Progs: []*program.Program{loader},
-		Maps:  []*program.Map{idsMap},
+		Maps:  []*program.Map{idsMap, execveMap},
 	}
 }