tetragon: Move return filter to kernel

api/v1/README.md

@@ -792,6 +792,7 @@ https://github.com/opencontainers/runtime-spec/blob/main/config.md#createcontain
 | action | [KprobeAction](#tetragon-KprobeAction) |  | Action performed when the kprobe matched. |
 | stack_trace | [StackTraceEntry](#tetragon-StackTraceEntry) | repeated | Kernel stack trace to the call. |
 | policy_name | [string](#string) |  | Name of the Tracing Policy that created that kprobe. |
+| return_action | [KprobeAction](#tetragon-KprobeAction) |  | Action performed when the return kprobe executed. |
 
 
 

api/v1/tetragon/tetragon.proto

@@ -425,6 +425,8 @@ message ProcessKprobe {
     repeated StackTraceEntry stack_trace = 7;
     // Name of the Tracing Policy that created that kprobe.
     string policy_name = 8;
+    // Action performed when the return kprobe executed.
+    KprobeAction return_action = 9;
 }
 
 message ProcessTracepoint {

bpf/process/bpf_generic_kprobe.c

@@ -202,7 +202,8 @@ generic_kprobe_filter_arg(void *ctx)
 	return filter_read_arg(ctx, (struct bpf_map_def *)&process_call_heap,
 			       (struct bpf_map_def *)&filter_map,
 			       (struct bpf_map_def *)&kprobe_calls,
-			       (struct bpf_map_def *)&config_map);
+			       (struct bpf_map_def *)&config_map,
+			       true);
 }
 
 __attribute__((section("kprobe/4"), used)) int

bpf/process/bpf_generic_retkprobe.c

@@ -25,11 +25,22 @@ struct {
 
 struct {
 	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
-	__uint(max_entries, 1);
+	__uint(max_entries, 6);
 	__uint(key_size, sizeof(__u32));
 	__uint(value_size, sizeof(__u32));
 } retkprobe_calls SEC(".maps");
 
+struct filter_map_value {
+	unsigned char buf[FILTER_SIZE];
+};
+
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(max_entries, 1);
+	__type(key, int);
+	__type(value, struct filter_map_value);
+} filter_map SEC(".maps");
+
 struct {
 	__uint(type, BPF_MAP_TYPE_ARRAY);
 	__uint(max_entries, 1);
@@ -149,11 +160,30 @@ BPF_KRETPROBE(generic_retkprobe_event, unsigned long ret)
 	e->func_id = config->func_id;
 	e->common.size = size;
 
-	tail_call(ctx, &retkprobe_calls, 0);
+	tail_call(ctx, &retkprobe_calls, TAIL_CALL_ARGS);
 	return 1;
 }
 
-__attribute__((section("kprobe/0"), used)) int
+__attribute__((section("kprobe/3"), used)) int
+BPF_KRETPROBE(generic_retkprobe_filter_arg)
+{
+	return filter_read_arg(ctx, (struct bpf_map_def *)&process_call_heap,
+			       (struct bpf_map_def *)&filter_map,
+			       (struct bpf_map_def *)&retkprobe_calls,
+			       (struct bpf_map_def *)&config_map,
+			       false);
+}
+
+__attribute__((section("kprobe/4"), used)) int
+BPF_KRETPROBE(generic_retkprobe_actions)
+{
+	return generic_actions(ctx, (struct bpf_map_def *)&process_call_heap,
+			       (struct bpf_map_def *)&filter_map,
+			       (struct bpf_map_def *)&retkprobe_calls,
+			       NULL);
+}
+
+__attribute__((section("kprobe/5"), used)) int
 BPF_KRETPROBE(generic_retkprobe_output)
 {
 	return generic_output(ctx, (struct bpf_map_def *)&process_call_heap, MSG_OP_GENERIC_KPROBE);

bpf/process/bpf_generic_tracepoint.c

@@ -237,7 +237,8 @@ generic_tracepoint_arg(void *ctx)
 	return filter_read_arg(ctx, (struct bpf_map_def *)&tp_heap,
 			       (struct bpf_map_def *)&filter_map,
 			       (struct bpf_map_def *)&tp_calls,
-			       (struct bpf_map_def *)&config_map);
+			       (struct bpf_map_def *)&config_map,
+			       true);
 }
 
 __attribute__((section("tracepoint/4"), used)) int

bpf/process/bpf_generic_uprobe.c

@@ -145,7 +145,8 @@ generic_uprobe_filter_arg(void *ctx)
 	return filter_read_arg(ctx, (struct bpf_map_def *)&process_call_heap,
 			       (struct bpf_map_def *)&filter_map,
 			       (struct bpf_map_def *)&uprobe_calls,
-			       (struct bpf_map_def *)&config_map);
+			       (struct bpf_map_def *)&config_map,
+			       true);
 }
 
 __attribute__((section("uprobe/4"), used)) int

bpf/process/types/basic.h

@@ -1606,7 +1606,7 @@ generic_process_filter_binary(struct event_config *config)
 
 static inline __attribute__((always_inline)) int
 selector_arg_offset(__u8 *f, struct msg_generic_kprobe *e, __u32 selidx,
-		    bool early_binary_filter)
+		    bool early_binary_filter, bool is_entry)
 {
 	struct selector_arg_filters *filters;
 	struct selector_arg_filter *filter;
@@ -1622,20 +1622,24 @@ selector_arg_offset(__u8 *f, struct msg_generic_kprobe *e, __u32 selidx,
 
 	/* skip the selector size field */
 	seloff += 4;
-	/* skip the matchPids section by reading its length */
-	seloff += *(__u32 *)((__u64)f + (seloff & INDEX_MASK));
-	/* skip the matchNamespaces section by reading its length*/
-	seloff += *(__u32 *)((__u64)f + (seloff & INDEX_MASK));
-	/* skip matchCapabilitiess section by reading its length */
-	seloff += *(__u32 *)((__u64)f + (seloff & INDEX_MASK));
-	/* skip the matchNamespaceChanges by reading its length */
-	seloff += *(__u32 *)((__u64)f + (seloff & INDEX_MASK));
-	/* skip the matchCapabilityChanges by reading its length */
-	seloff += *(__u32 *)((__u64)f + (seloff & INDEX_MASK));
 
-	// check for match binary actions
-	if (!early_binary_filter && !match_binaries(selidx))
-		return 0;
+	/* skip selectors defined only for entry probe */
+	if (is_entry) {
+		/* skip the matchPids section by reading its length */
+		seloff += *(__u32 *)((__u64)f + (seloff & INDEX_MASK));
+		/* skip the matchNamespaces section by reading its length*/
+		seloff += *(__u32 *)((__u64)f + (seloff & INDEX_MASK));
+		/* skip matchCapabilitiess section by reading its length */
+		seloff += *(__u32 *)((__u64)f + (seloff & INDEX_MASK));
+		/* skip the matchNamespaceChanges by reading its length */
+		seloff += *(__u32 *)((__u64)f + (seloff & INDEX_MASK));
+		/* skip the matchCapabilityChanges by reading its length */
+		seloff += *(__u32 *)((__u64)f + (seloff & INDEX_MASK));
+
+		// check for match binary actions
+		if (!early_binary_filter && !match_binaries(selidx))
+			return 0;
+	}
 
 	/* Making binary selectors fixes size helps on some kernels */
 	seloff &= INDEX_MASK;
@@ -1720,7 +1724,7 @@ static inline __attribute__((always_inline)) int filter_args_reject(u64 id)
 
 static inline __attribute__((always_inline)) int
 filter_args(struct msg_generic_kprobe *e, int index, void *filter_map,
-	    bool early_binary_filter)
+	    bool early_binary_filter, bool is_entry)
 {
 	__u8 *f;
 
@@ -1742,7 +1746,7 @@ filter_args(struct msg_generic_kprobe *e, int index, void *filter_map,
 		return filter_args_reject(e->func_id);
 
 	if (e->sel.active[index]) {
-		int pass = selector_arg_offset(f, e, index, early_binary_filter);
+		int pass = selector_arg_offset(f, e, index, early_binary_filter, is_entry);
 		if (pass)
 			return pass;
 	}
@@ -2213,7 +2217,7 @@ do_actions(void *ctx, struct msg_generic_kprobe *e, struct selector_action *acti
 static inline __attribute__((always_inline)) long
 filter_read_arg(void *ctx, struct bpf_map_def *heap,
 		struct bpf_map_def *filter, struct bpf_map_def *tailcalls,
-		struct bpf_map_def *config_map)
+		struct bpf_map_def *config_map, bool is_entry)
 {
 	struct msg_generic_kprobe *e;
 	struct event_config *config;
@@ -2226,7 +2230,8 @@ filter_read_arg(void *ctx, struct bpf_map_def *heap,
 	if (!config)
 		return 0;
 	index = e->filter_tailcall_index;
-	pass = filter_args(e, index & MAX_SELECTORS_MASK, filter, config->flags & FLAGS_EARLY_FILTER);
+	pass = filter_args(e, index & MAX_SELECTORS_MASK, filter,
+			   config->flags & FLAGS_EARLY_FILTER, is_entry);
 	if (!pass) {
 		index++;
 		if (index <= MAX_SELECTORS && e->sel.active[index & MAX_SELECTORS_MASK]) {