cilium · olsajiri · Sep 10, 2024 · Jun 16, 2024 · Feb 24, 2024 · Feb 21, 2024
@@ -30,7 +30,8 @@ PROCESS = bpf_execve_event.o bpf_execve_event_v53.o bpf_fork.o bpf_exit.o bpf_ge
 	  bpf_generic_lsm_v61.o \
 	  bpf_loader.o \
 	  bpf_cgroup.o \
-	  bpf_enforcer.o bpf_multi_enforcer.o bpf_fmodret_enforcer.o
+	  bpf_enforcer.o bpf_multi_enforcer.o bpf_fmodret_enforcer.o \
+	  bpf_map_test_p1.o bpf_map_test_p2.o
 
 CGROUP = bpf_cgroup_mkdir.o bpf_cgroup_rmdir.o bpf_cgroup_release.o
 BPFTEST = bpf_lseek.o

@@ -0,0 +1,30 @@
+// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+/* Copyright Authors of Cilium */
+
+#include "vmlinux.h"
+#include "api.h"
+#include "bpf_tracing.h"
+#include "bpf_helpers.h"
+#include "compiler.h"
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 1);
+	__type(key, int);
+	__type(value, int);
+} m1 SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 1);
+	__type(key, int);
+	__type(value, int);
+} m2 SEC(".maps");
+
+__attribute__((section("kprobe/wake_up_new_task"), used)) int
+BPF_KPROBE(p1)
+{
+	map_lookup_elem(&m1, &(int){ 0 });
+	map_lookup_elem(&m2, &(int){ 0 });
+	return 0;
+}
@@ -0,0 +1,30 @@
+// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+/* Copyright Authors of Cilium */
+
+#include "vmlinux.h"
+#include "api.h"
+#include "bpf_tracing.h"
+#include "bpf_helpers.h"
+#include "compiler.h"
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 1);
+	__type(key, int);
+	__type(value, int);
+} m1 SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 1);
+	__type(key, int);
+	__type(value, int);
+} m2 SEC(".maps");
+
+__attribute__((section("kprobe/wake_up_new_task"), used)) int
+BPF_KPROBE(p2)
+{
+	map_lookup_elem(&m1, &(int){ 0 });
+	map_lookup_elem(&m2, &(int){ 0 });
+	return 0;
+}
@@ -67,7 +67,7 @@ var (
 	TCPMonMap = program.MapBuilder("tcpmon_map", Execve)
 	/* Networking and Process Monitoring maps */
 	ExecveMap          = program.MapBuilder("execve_map", Execve)
-	ExecveTailCallsMap = program.MapBuilderPin("execve_calls", "execve_calls", Execve)
+	ExecveTailCallsMap = program.MapBuilderProgram("execve_calls", Execve)
 
 	ExecveJoinMap = program.MapBuilder("tg_execve_joined_info_map", ExecveBprmCommit)
 

@@ -62,6 +62,15 @@ func LoadConfig(bpfDir string, sens []*Sensor) error {
 	return nil
 }
 
+func (s *Sensor) setupProgsPinPath(bpfDir string) {
+	for _, p := range s.Progs {
+		// setup sensor based program pin path
+		p.PinPath = filepath.Join(sanitize(s.Policy), s.Name, p.PinName)
+		// and make the path
+		os.MkdirAll(filepath.Join(bpfDir, p.PinPath), os.ModeDir)
+	}
+}
+
 // Load loads the sensor, by loading all the BPF programs and maps.
 func (s *Sensor) Load(bpfDir string) error {
 	if s == nil {
@@ -77,7 +86,7 @@ func (s *Sensor) Load(bpfDir string) error {
 		return fmt.Errorf("tetragon, aborting minimum requirements not met: %w", err)
 	}
 
-	os.Mkdir(bpfDir, os.ModeDir)
+	s.setupProgsPinPath(bpfDir)
 
 	l := logger.GetLogger()
 
@@ -209,6 +218,20 @@ func (s *Sensor) FindPrograms() error {
 	return nil
 }
 
+func (s *Sensor) setMapPinPath(m *program.Map) {
+	policy := sanitize(s.Policy)
+	switch m.Type {
+	case program.MapTypeGlobal:
+		m.PinPath = filepath.Join(m.Name)
+	case program.MapTypePolicy:
+		m.PinPath = filepath.Join(policy, m.Name)
+	case program.MapTypeSensor:
+		m.PinPath = filepath.Join(policy, s.Name, m.Name)
+	case program.MapTypeProgram:
+		m.PinPath = filepath.Join(policy, s.Name, m.Prog.PinName, m.Name)
+	}
+}
+
 // loadMaps loads all the BPF maps in the sensor.
 func (s *Sensor) loadMaps(bpfDir string) error {
 	l := logger.GetLogger()
@@ -222,7 +245,8 @@ func (s *Sensor) loadMaps(bpfDir string) error {
 			continue
 		}
 
-		pinPath := filepath.Join(bpfDir, m.PinName)
+		s.setMapPinPath(m)
+		pinPath := filepath.Join(bpfDir, m.PinPath)
 
 		spec, err := ebpf.LoadCollectionSpec(m.Prog.Name)
 		if err != nil {

@@ -32,17 +32,11 @@ type LoadOpts struct {
 }
 
 func linkPinPath(bpfDir string, load *Program, extra ...string) string {
-	pinPath := filepath.Join(bpfDir, load.PinPath)
-	if load.Override {
-		pinPath = pinPath + "_override"
-	}
-	if load.RetProbe {
-		pinPath = pinPath + "_return"
-	}
+	pinPath := filepath.Join(bpfDir, load.PinPath, "link")
 	if len(extra) != 0 {
 		pinPath = pinPath + "_" + strings.Join(extra, "_")
 	}
-	return pinPath + "_link"
+	return pinPath
 }
 
 func linkPin(lnk link.Link, bpfDir string, load *Program, extra ...string) error {
@@ -229,13 +223,13 @@ func kprobeAttachOverride(load *Program, bpfDir string,
 		return fmt.Errorf("failed to clone generic_kprobe_override program: %w", err)
 	}
 
-	pinPath := filepath.Join(bpfDir, fmt.Sprint(load.PinPath, "-override"))
+	pinPath := filepath.Join(bpfDir, load.PinPath, "prog_override")
 
 	if err := prog.Pin(pinPath); err != nil {
 		return fmt.Errorf("pinning '%s' to '%s' failed: %w", load.Label, pinPath, err)
 	}
 
-	load.unloaderOverride, err = kprobeAttach(load, prog, spec, load.Attach, bpfDir)
+	load.unloaderOverride, err = kprobeAttach(load, prog, spec, load.Attach, bpfDir, "override")
 	if err != nil {
 		logger.GetLogger().Warnf("Failed to attach override program: %w", err)
 	}
@@ -732,7 +726,7 @@ func installTailCalls(bpfDir string, spec *ebpf.CollectionSpec, coll *ebpf.Colle
 	}
 
 	if load.TcMap != nil {
-		if err := install(load.TcMap.PinName, load.TcPrefix); err != nil {
+		if err := install(load.TcMap.PinPath, load.TcPrefix); err != nil {
 			return err
 		}
 	}
@@ -817,7 +811,7 @@ func doLoadProgram(
 		var err error
 		var mapPath string
 		if pm, ok := load.PinMap[name]; ok {
-			mapPath = filepath.Join(bpfDir, pm.PinName)
+			mapPath = filepath.Join(bpfDir, pm.PinPath)
 		} else {
 			mapPath = filepath.Join(bpfDir, name)
 		}
@@ -869,8 +863,12 @@ func doLoadProgram(
 	}
 
 	for _, mapLoad := range load.MapLoad {
+		pinPath := ""
+		if pm, ok := load.PinMap[mapLoad.Name]; ok {
+			pinPath = pm.PinPath
+		}
 		if m, ok := coll.Maps[mapLoad.Name]; ok {
-			if err := mapLoad.Load(m, mapLoad.Index); err != nil {
+			if err := mapLoad.Load(m, pinPath, mapLoad.Index); err != nil {
 				return nil, err
 			}
 		} else {
@@ -883,7 +881,7 @@ func doLoadProgram(
 		return nil, fmt.Errorf("program for section '%s' not found", load.Label)
 	}
 
-	pinPath := filepath.Join(bpfDir, load.PinPath)
+	pinPath := filepath.Join(bpfDir, load.PinPath, "prog")
 
 	if _, err := os.Stat(pinPath); err == nil {
 		logger.GetLogger().Debugf("Pin file '%s' already exists, repinning", load.PinPath)

@@ -16,20 +16,21 @@ func TestLoaderLinkPinPath(t *testing.T) {
 	var load *Program
 	var pin string
 
+	// standard link
 	load = Builder("", "", "", "event", "")
+	load.PinPath = "test/generic_kprobe/__x64_sys_linkat"
 	pin = linkPinPath(bpfDir, load)
-	assert.Equal(t, filepath.Join(bpfDir, "event_link"), pin)
+	assert.Equal(t, filepath.Join(bpfDir, "test/generic_kprobe/__x64_sys_linkat", "link"), pin)
 
+	// override link
 	load = Builder("", "", "", "event", "")
-	load.Override = true
-	pin = linkPinPath(bpfDir, load)
-	assert.Equal(t, filepath.Join(bpfDir, "event_override_link"), pin)
-
-	load = Builder("", "", "", "event", "").SetRetProbe(true)
-	pin = linkPinPath(bpfDir, load)
-	assert.Equal(t, filepath.Join(bpfDir, "event_return_link"), pin)
+	load.PinPath = "test/generic_kprobe/__x64_sys_linkat"
+	pin = linkPinPath(bpfDir, load, "override")
+	assert.Equal(t, filepath.Join(bpfDir, "test/generic_kprobe/__x64_sys_linkat", "link_override"), pin)
 
+	// many-kprobe link
 	load = Builder("", "", "", "event", "")
+	load.PinPath = "test/generic_kprobe/__x64_sys_linkat"
 	pin = linkPinPath(bpfDir, load, "1_sys_exit")
-	assert.Equal(t, filepath.Join(bpfDir, "event_1_sys_exit_link"), pin)
+	assert.Equal(t, filepath.Join(bpfDir, "test/generic_kprobe/__x64_sys_linkat", "link_1_sys_exit"), pin)
 }
@@ -1,6 +1,53 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright Authors of Tetragon
 
+// We allow to define several types of maps:
+//
+//    MapTypeGlobal MapType = iota
+//    MapTypePolicy
+//    MapTypeSensor
+//    MapTypeProgram
+//
+//  Each type defines the maps position in the sysfs hierarchy:
+//
+//    MapTypeGlobal:     /sys/fs/bpf/tetragon/map
+//    MapTypePolicy:     /sys/fs/bpf/tetragon/policy/map
+//    MapTypeSensor:     /sys/fs/bpf/tetragon/policy/sensor/map
+//    MapTypeProgram:    /sys/fs/bpf/tetragon/policy/sensor/program/map
+//
+//  Each type has appropriate helper defined, which sets map's
+//  path to specific level of sysfs hierarchy:
+//
+//    MapTypeGlobal:     MapBuilder
+//    MapTypePolicy:     MapBuilderPolicy
+//    MapTypeSensor:     MapBuilderSensor
+//    MapTypeProgram:    MapBuilderProgram
+//
+//  It's possible to share map between more programs like:
+//
+//     m := MapBuilderSensor("map", prog1, prog2, prog3)
+//
+//  All prog1-3 programs will attach to m1 through:
+//
+//    /sys/fs/bpf/tetragon/policy/sensor/map
+//
+//  The idea is to share map on higher level which denotes to scope
+//  of the map, like:
+//
+//     /sys/fs/bpf/tetragon/map
+//      - map is global shared with all policies/sensors/programs
+//
+//     /sys/fs/bpf/tetragon/policy/map
+//      - map is local for policy, shared by all its sensors/programs
+//
+//     /sys/fs/bpf/tetragon/policy/sensors/map
+//      - map is local for sensor, shared by all its programs
+//
+//     /sys/fs/bpf/tetragon/policy/sensors/program/map
+//      - map is local for program, not shared at all
+//
+//  NOTE Please do not share MapTypeProgram maps, it brings confusion.
+
 package program
 
 import (
@@ -19,15 +66,25 @@ type MaxEntries struct {
 	Set bool
 }
 
+type MapType int
+
+const (
+	MapTypeGlobal MapType = iota
+	MapTypePolicy
+	MapTypeSensor
+	MapTypeProgram
+)
+
 // Map represents BPF maps.
 type Map struct {
 	Name         string
-	PinName      string
+	PinPath      string
 	Prog         *Program
 	PinState     State
 	MapHandle    *ebpf.Map
 	Entries      MaxEntries
 	InnerEntries MaxEntries
+	Type         MapType
 }
 
 // Map holds pointer to Program object as a source of its ebpf object
@@ -43,24 +100,40 @@ type Map struct {
 //	p.PinMap["map2"] = &map2
 //	...
 //	p.PinMap["mapX"] = &mapX
-func mapBuilder(name, pin string, lds ...*Program) *Map {
-	m := &Map{name, pin, lds[0], Idle(), nil, MaxEntries{0, false}, MaxEntries{0, false}}
+func mapBuilder(name string, ty MapType, lds ...*Program) *Map {
+	m := &Map{name, "", lds[0], Idle(), nil, MaxEntries{0, false}, MaxEntries{0, false}, ty}
 	for _, ld := range lds {
 		ld.PinMap[name] = m
 	}
 	return m
 }
 
 func MapBuilder(name string, lds ...*Program) *Map {
-	return mapBuilder(name, name, lds...)
+	return mapBuilder(name, MapTypeGlobal, lds...)
+}
+
+func MapBuilderProgram(name string, lds ...*Program) *Map {
+	return mapBuilder(name, MapTypeProgram, lds...)
+}
+
+func MapBuilderSensor(name string, lds ...*Program) *Map {
+	return mapBuilder(name, MapTypeSensor, lds...)
+}
+
+func MapBuilderPolicy(name string, lds ...*Program) *Map {
+	return mapBuilder(name, MapTypePolicy, lds...)
+}
+
+func MapBuilderType(name string, ty MapType, lds ...*Program) *Map {
+	return mapBuilder(name, ty, lds...)
 }
 
-func MapBuilderPin(name, pin string, lds ...*Program) *Map {
-	return mapBuilder(name, pin, lds...)
+func PolicyMapPath(mapDir, policy, name string) string {
+	return filepath.Join(mapDir, policy, name)
 }
 
 func (m *Map) Unload() error {
-	log := logger.GetLogger().WithField("map", m.Name).WithField("pin", m.PinName)
+	log := logger.GetLogger().WithField("map", m.Name).WithField("pin", m.Name)
 	if !m.PinState.IsLoaded() {
 		log.WithField("count", m.PinState.count).Debug("Refusing to unload map as it is not loaded")
 		return nil