tetragon: Load tail calls directly in execve program

Signed-off-by: Jiri Olsa <[email protected]>
cilium · Aug 17, 2024 · ef01bc5 · ef01bc5
1 parent 2224c7a
commit ef01bc5
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 7 deletions.
diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
@@ -13,14 +13,22 @@
 
 #include "policy_filter.h"
 
+int execve_rate(void *ctx);
+int execve_send(void *ctx);
+
 char _license[] __attribute__((section("license"), used)) = "Dual BSD/GPL";
 
 struct {
 	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
 	__uint(max_entries, 2);
 	__uint(key_size, sizeof(__u32));
-	__uint(value_size, sizeof(__u32));
-} execve_calls SEC(".maps");
+	__array(values, int(void *));
+} execve_calls SEC(".maps") = {
+	.values = {
+		[0] = (void *)&execve_rate,
+		[1] = (void *)&execve_send,
+	},
+};
 
 #include "data_event.h"
 
@@ -273,7 +281,7 @@ event_execve(struct trace_event_raw_sched_process_exec *ctx)
 	return 0;
 }
 
-__attribute__((section("tracepoint/0"), used)) int
+__attribute__((section("tracepoint"), used)) int
 execve_rate(void *ctx)
 {
 	struct msg_execve_event *msg;
@@ -318,7 +326,7 @@ void update_mb_bitset(struct binary *bin)
  * is to update the pid execve_map entry to reflect the new execve event that
  * has already been collected, then send it to the perf buffer.
  */
-__attribute__((section("tracepoint/1"), used)) int
+__attribute__((section("tracepoint"), used)) int
 execve_send(void *ctx)
 {
 	struct msg_execve_event *event;

diff --git a/pkg/sensors/base/base.go b/pkg/sensors/base/base.go
@@ -97,9 +97,6 @@ var (
 )
 
 func setupPrograms() {
-	// execve program tail calls details
-	Execve.SetTailCall("tracepoint", ExecveTailCallsMap)
-
 	// exit program function
 	ks, err := ksyms.KernelSymbols()
 	if err == nil {