cilium · kkourt · Oct 30, 2023 · Oct 20, 2023 · Sep 12, 2023 · Oct 20, 2023
@@ -0,0 +1,42 @@
+---
+title: "Options"
+icon: "overview"
+weight: 3
+description: "Pass options to hook"
+---
+
+It's possible to pass options through spec file as an array of name and value pairs:
+
+```yaml
+spec:
+  options:
+    - name: "option-1"
+      value: "True"
+    - name: "option-2"
+      value: "10"
+```
+
+Options array is passed and processed by each hook used in the spec file that
+supports options. At the moment it's availabe for kprobe hooks.
+
+- [`Kprobe Options`](#kprobe-options): options for kprobe hooks.
+
+## Kprobe options
+
+- [`disable-kprobe-multi`](#disable-kprobe-multi): disable kprobe multi link
+
+### disable-kprobe-multi
+
+This option disables kprobe multi link interface for all the kprobes defined in
+the spec file. If enabled, all the defined kprobes will be atached through standard
+kprobe interface. It stays enabled for another spec file without this option.
+
+It takes boolean as value, by default it's false.
+
+Example:
+
+```yaml
+  options:
+    - name: "disable-kprobe-multi"
+      value: "1"
+```
@@ -610,6 +610,20 @@ spec:
               loader:
                 description: Enable loader events
                 type: boolean
+              options:
+                description: A list of overloaded options
+                items:
+                  properties:
+                    name:
+                      description: Name of the option
+                      type: string
+                    value:
+                      description: Value of the option
+                      type: string
+                  required:
+                  - name
+                  type: object
+                type: array
               podSelector:
                 description: PodSelector selects pods that this policy applies to
                 properties:

@@ -610,6 +610,20 @@ spec:
               loader:
                 description: Enable loader events
                 type: boolean
+              options:
+                description: A list of overloaded options
+                items:
+                  properties:
+                    name:
+                      description: Name of the option
+                      type: string
+                    value:
+                      description: Value of the option
+                      type: string
+                  required:
+                  - name
+                  type: object
+                type: array
               podSelector:
                 description: PodSelector selects pods that this policy applies to
                 properties:

@@ -97,6 +97,10 @@ type TracingPolicySpec struct {
 	// +kubebuilder:validation:Optional
 	// A killer spec.
 	Killers []KillerSpec `json:"killers,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// A list of overloaded options
+	Options []OptionSpec `json:"options,omitempty"`
 }
 
 func (tp *TracingPolicy) TpName() string {

@@ -259,6 +259,14 @@ type ListSpec struct {
 	Validated bool `json:"validated"`
 }
 
+type OptionSpec struct {
+	// Name of the option
+	Name string `json:"name"`
+	// +kubebuilder:validation:Optional
+	// Value of the option
+	Value string `json:"value"`
+}
+
 type PodInfoSpec struct {
 	// Host networking requested for this pod. Use the host's network namespace.
 	// If this option is set, the ports that will be used must be specified.

@@ -7,4 +7,4 @@ package v1alpha1
 // Used to determine if CRD needs to be updated in cluster
 //
 // Developers: Bump patch for each change in the CRD schema.
-const CustomResourceDefinitionSchemaVersion = "1.0.0"
+const CustomResourceDefinitionSchemaVersion = "1.0.1"
@@ -495,11 +495,10 @@ func getKprobeSymbols(symbol string, syscall bool, lists []v1alpha1.ListSpec) ([
 }
 
 func createGenericKprobeSensor(
+	spec *v1alpha1.TracingPolicySpec,
 	name string,
-	kprobes []v1alpha1.KProbeSpec,
 	policyID policyfilter.PolicyID,
 	policyName string,
-	lists []v1alpha1.ListSpec,
 	customHandler eventhandler.Handler,
 ) (*sensors.Sensor, error) {
 	var progs []*program.Program
@@ -508,11 +507,22 @@ func createGenericKprobeSensor(
 	var useMulti bool
 	var selMaps *selectors.KernelSelectorMaps
 
+	kprobes := spec.KProbes
+	lists := spec.Lists
+
+	options, err := getKprobeOptions(spec.Options)
+	if err != nil {
+		return nil, fmt.Errorf("failed to set options: %s", err)
+	}
+
 	// use multi kprobe only if:
-	// - it's not disabled by user
+	// - it's not disabled by spec option
+	// - it's not disabled by command line option
 	// - there's support detected
-	useMulti = !option.Config.DisableKprobeMulti &&
-		bpf.HasKprobeMulti()
+	if !options.DisableKprobeMulti {
+		useMulti = !option.Config.DisableKprobeMulti &&
+			bpf.HasKprobeMulti()
+	}
 
 	in := addKprobeIn{
 		useMulti:      useMulti,

@@ -67,17 +67,21 @@ func Test_SensorDestroyHook(t *testing.T) {
 		t.Errorf("genericKprobeTable expected initial length: 0, got: %d", genericKprobeTable.Len())
 	}
 
+	spec := &v1alpha1.TracingPolicySpec{}
+
+	spec.KProbes = []v1alpha1.KProbeSpec{
+		{
+			Call:    "test_symbol",
+			Syscall: false,
+		},
+	}
+
 	// we use createGenericKprobeSensor because it's where the DestroyHook is
 	// created. It would be technically more correct if it was added just after
 	// insertion in the table in AddKprobe, but this is done by the caller to
 	// have just DestroyHook that regroups all the potential multiple kprobes
 	// contained in one sensor.
-	sensor, err := createGenericKprobeSensor("test_sensor", []v1alpha1.KProbeSpec{
-		{
-			Call:    "test_symbol",
-			Syscall: false,
-		},
-	}, 0, "test_policy", nil, nil)
+	sensor, err := createGenericKprobeSensor(spec, "test_sensor", 0, "test_policy", nil)
 	if err != nil {
 		t.Errorf("createGenericKprobeSensor err expected: nil, got: %s", err)
 	}

@@ -148,10 +148,6 @@ func (t *tracepointTable) getTracepoint(idx int) (*genericTracepoint, error) {
 	return nil, fmt.Errorf("tracepoint table: invalid id:%d (len=%d)", idx, len(t.arr))
 }
 
-// GenericTracepointConf is the configuration for a generic tracepoint. This is
-// a caller-defined structure that configures a tracepoint.
-type GenericTracepointConf = v1alpha1.TracepointSpec
-
 // getTracepointMetaArg is a temporary helper to find meta values while tracepoint
 // converts into new CRD and config formats.
 func getTracepointMetaValue(arg *v1alpha1.KProbeArg) int {
@@ -318,7 +314,7 @@ func buildGenericTracepointArgs(info *tracepoint.Tracepoint, specArgs []v1alpha1
 // the user-provided configuration
 func createGenericTracepoint(
 	sensorName string,
-	conf *GenericTracepointConf,
+	conf *v1alpha1.TracepointSpec,
 	policyID policyfilter.PolicyID,
 	policyName string,
 	customHandler eventhandler.Handler,
@@ -354,7 +350,7 @@ func createGenericTracepoint(
 // createGenericTracepointSensor will create a sensor that can be loaded based on a generic tracepoint configuration
 func createGenericTracepointSensor(
 	name string,
-	confs []GenericTracepointConf,
+	confs []v1alpha1.TracepointSpec,
 	policyID policyfilter.PolicyID,
 	policyName string,
 	lists []v1alpha1.ListSpec,

@@ -2212,10 +2212,6 @@ func TestKprobeOverrideSecurity(t *testing.T) {
 		t.Skip("skipping fmod_ret support is not available")
 	}
 
-	if !option.Config.DisableKprobeMulti && bpf.HasKprobeMulti() {
-		t.Skip("skipping fmod_ret does not work with kprobe multi")
-	}
-
 	pidStr := strconv.Itoa(int(observertesthelper.GetMyPid()))
 
 	file, err := os.CreateTemp(t.TempDir(), "kprobe-override-")
@@ -2230,6 +2226,9 @@ kind: TracingPolicy
 metadata:
   name: "sys-openat-override"
 spec:
+  options:
+    - name: "disable-kprobe-multi"
+      value: "1"
   kprobes:
   - call: "security_file_open"
     syscall: false

@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package tracing
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+	"github.com/cilium/tetragon/pkg/logger"
+	"github.com/cilium/tetragon/pkg/option"
+)
+
+type kprobeOptions struct {
+	DisableKprobeMulti bool
+}
+
+type opt struct {
+	set func(val string, options *kprobeOptions) error
+}
+
+// Allowed kprobe options
+var opts = map[string]opt{
+	option.KeyDisableKprobeMulti: opt{
+		set: func(str string, options *kprobeOptions) (err error) {
+			options.DisableKprobeMulti, err = strconv.ParseBool(str)
+			return err
+		},
+	},
+}
+
+func getKprobeOptions(specs []v1alpha1.OptionSpec) (*kprobeOptions, error) {
+	options := &kprobeOptions{}
+
+	for _, spec := range specs {
+		opt, ok := opts[spec.Name]
+		if ok {
+			if err := opt.set(spec.Value, options); err != nil {
+				return nil, fmt.Errorf("failed to set option %s: %s", spec.Name, err)
+			}
+			logger.GetLogger().Infof("Set option %s = %s", spec.Name, spec.Value)
+		}
+	}
+
+	return options, nil
+}
@@ -182,7 +182,7 @@ func TestNamespacedPolicies(t *testing.T) {
 		},
 	}
 
-	tpSpec := GenericTracepointConf{
+	tpSpec := v1alpha1.TracepointSpec{
 		Subsystem: "syscalls",
 		Event:     "sys_enter_lseek",
 		Args: []v1alpha1.KProbeArg{

@@ -38,7 +38,7 @@ func (h policyHandler) PolicyHandler(
 		if err != nil {
 			return nil, fmt.Errorf("validation failed: %w", err)
 		}
-		return createGenericKprobeSensor(name, spec.KProbes, policyID, policyName, spec.Lists, handler)
+		return createGenericKprobeSensor(spec, name, policyID, policyName, handler)
 	}
 	if len(spec.Tracepoints) > 0 {
 		name := fmt.Sprintf("gtp-sensor-%d", atomic.AddUint64(&sensorCounter, 1))