-
Notifications
You must be signed in to change notification settings - Fork 376
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tetragon: Add killer sensor #1205
Conversation
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
c13973c
to
21daede
Compare
b27c59f
to
69718d7
Compare
967b56c
to
8bf3a4e
Compare
7b67b6d
to
2725b32
Compare
1c0e273
to
edc5374
Compare
ec97b4c
to
bf75c17
Compare
dd6bd1c
to
82a64dc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚀
Have a couple of nits, but this looks good! Thanks!
@@ -576,6 +576,9 @@ spec: | |||
- generated_syscalls | |||
- generated_ftrace | |||
type: string | |||
validated: | |||
description: List was validated | |||
type: boolean |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So from what I can tell, this option means that no validation will be performed.
Maybe ignore-validation
is a better name?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's there to ensure the validation goes through just once, so it gets validated,
sets the flag so another sensor won't run it again, I'll update changelog with that, sry
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a way we could avoid implementation things to be visible/editable from the UI (the yaml)?
this is typically that could go into the status
of the resource instead of the spec
.
@@ -315,3 +315,8 @@ type PodInfoList struct { | |||
metav1.ListMeta `json:"metadata,omitempty"` | |||
Items []PodInfo `json:"items"` | |||
} | |||
|
|||
type KillerSpec struct { | |||
// syscalls to kill |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about description: syscalls where killer is executed in
?
AFAIU, these are the syscalls where we will load the killer and do the check on whether to "kill" the process or not.
api/v1/tetragon/tetragon.proto
Outdated
@@ -433,6 +433,8 @@ message ProcessTracepoint { | |||
// Arguments definition of the observed tracepoint. | |||
// TODO: once we implement all we want, rename KprobeArgument to GenericArgument | |||
repeated KprobeArgument args = 6; | |||
// Action performed when the kprobe matched. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/kprobe/tracepoint/?
@@ -897,6 +898,95 @@ broken. | |||
|
|||
Socket tracking is only available on kernel >=5.3. | |||
|
|||
### Notify Killer action | |||
|
|||
The `NotifyKiller` action notifies the killer program to kill or override syscall. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The `NotifyKiller` action notifies the killer program to kill or override syscall. | |
The `NotifyKiller` action notifies the killer program to kill or override a syscall. |
The `NotifyKiller` action notifies the killer program to kill or override syscall. | ||
|
||
The specs needs to have `killer` program definition, that instructs tetragon to load | ||
`killer` program and attach it to specified syscalls. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
`killer` program and attach it to specified syscalls. | |
the `killer` program and attach it to specified syscalls. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, only docs nits and agree with Kornilios points above!! The way your commits are done makes this really easy to review, would love to learn to do the same.
If pecified the argError will be passed to `bpf_override_return` helper to override the syscall return value. | ||
If pecified the argSig will be passed to `bpf_send_signal` helper to override the syscall return value. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If pecified the argError will be passed to `bpf_override_return` helper to override the syscall return value. | |
If pecified the argSig will be passed to `bpf_send_signal` helper to override the syscall return value. | |
If specified the argError will be passed to `bpf_override_return` helper to override the syscall return value. | |
If specified the argSig will be passed to `bpf_send_signal` helper to override the syscall return value. |
Note the `NotifyKiller` with killer program is meant to be used only on kernel versions | ||
with no support for fast attach of multiple kprobes (`kprobe_multi` link). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be possible to move that to the very beginning, after the "The NotifyKiller
action notifies the killer program to kill or override syscall." sentence? Also, could we have a little more details on the why of this feature? Why this is interesting and maybe useful for the reader?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, I'll add some description at the beginning, thanks
Adding Validated field to ListSpec to ensure the validation goes through just once, so it gets validated, sets the flag so another sensor won't run it again. Signed-off-by: Jiri Olsa <[email protected]>
Adding preValidateLists function that iterates all the lists and validates them. Signed-off-by: Jiri Olsa <[email protected]>
Passing symbol argument to kprobeAttach so we can use it in followich changes with different symbols. Signed-off-by: Jiri Olsa <[email protected]>
Adding LoadKprobeProgramAttachMany function that loads kprobe program and attaches it to symbols provided in array of strings. Note the program gets loaded just once. Signed-off-by: Jiri Olsa <[email protected]>
Add possibility to define killer in the schema like: killers: - syscalls: - "sys_dup" "sys.." Signed-off-by: Jiri Olsa <[email protected]>
Adding killer sensor that attaches to defined syscalls and overrides them or/and kill the process. Signed-off-by: Jiri Olsa <[email protected]>
Adding bpf_killer bpf program that allows to (when attached to syscall) override syscall or kill current process. Signed-off-by: Jiri Olsa <[email protected]>
Adding support to notify killer program attached to syscalls with another action spec, like: matchActions: - action: "NotifyKiller" argError: -1 argSig: 9 It's possible to specify error for override and signal number to kill the current process with. Signed-off-by: Jiri Olsa <[email protected]>
So we can use it through kubectl. Signed-off-by: Jiri Olsa <[email protected]>
Adding example killer policy that setups sys_enter raw syscalls and add filter for sys_dup and sys_dup2 syscalls plus match for /usr/bin/bash binary and kill it through killer. Signed-off-by: Jiri Olsa <[email protected]>
Adding action field to tracepoint event, so it's available in the event in case the action is triggered. Signed-off-by: Jiri Olsa <[email protected]>
Catching up with kprobe/tracepoint event action enum definitions. Signed-off-by: Jiri Olsa <[email protected]>
Adding test for killer sensor and testing both killing application matching the selector and overriding syscall that matches the selector. Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
adding support to have fast way (when multi kprobe link is not available)
of attaching killer/override program to multiple syscalls
details in: https://github.com/olsajiri/tetragon/blob/killer/docs/content/en/docs/concepts/tracing-policy/selectors.md#notify-killer-action