tetragon: Separate execve sensor into taill calls

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
cilium · Sep 23, 2022 · 77f05e5 · 77f05e5
1 parent 1b48cb8
commit 77f05e5
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 10 deletions.
diff --git a/bpf/lib/process.h b/bpf/lib/process.h
@@ -262,6 +262,7 @@ struct msg_execve_event {
 		struct msg_process process;
 		char buffer[PADDED_BUFFER];
 	};
+	__u32 binary;
 }; // All fields aligned so no 'packed' attribute.
 
 struct execve_map_value {

diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
@@ -11,6 +11,13 @@
 
 char _license[] __attribute__((section("license"), used)) = "GPL";
 
+struct {
+	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+	__uint(max_entries, 1);
+	__type(key, __u32);
+	__type(value, __u32);
+} execve_calls SEC(".maps");
+
 #ifdef __LARGE_BPF_PROG
 #include "data_event.h"
 
@@ -157,17 +164,13 @@ event_execve(struct sched_execve_args *ctx)
 {
 	struct task_struct *task = (struct task_struct *)get_current_task();
 	struct msg_execve_event *event;
-	struct execve_map_value *curr, *parent;
+	struct execve_map_value *parent;
 	struct msg_process *execve;
 	uint32_t binary = 0;
 	bool walker = 0;
 	__u32 zero = 0;
-	uint64_t size;
 	__u32 pid;
 	unsigned short fileoff;
-#if defined(__NS_CHANGES_FILTER) || defined(__CAP_CHANGES_FILTER)
-	bool init_curr = 0;
-#endif
 
 	event = map_lookup_elem(&execve_msg_heap_map, &zero);
 	if (!event)
@@ -185,10 +188,37 @@ event_execve(struct sched_execve_args *ctx)
 	fileoff = ctx->filename & 0xFFFF;
 	binary = event_filename_builder(ctx, execve, pid, EVENT_EXECVE, binary,
 					(char *)ctx + fileoff);
+	event->binary = binary;
+
 	event_args_builder(ctx, event);
 	compiler_barrier();
 	__event_get_task_info(event, MSG_OP_EXECVE, walker, true);
 
+	tail_call(ctx, &execve_calls, 0);
+	return 0;
+}
+
+__attribute__((section("tracepoint/0"), used)) int
+execve_send(struct sched_execve_args *ctx)
+{
+	struct msg_execve_event *event;
+	struct execve_map_value *curr;
+	struct msg_process *execve;
+	__u32 zero = 0;
+	uint64_t size;
+	__u32 pid;
+#if defined(__NS_CHANGES_FILTER) || defined(__CAP_CHANGES_FILTER)
+	bool init_curr = 0;
+#endif
+
+	event = map_lookup_elem(&execve_msg_heap_map, &zero);
+	if (!event)
+		return 0;
+
+	execve = &event->process;
+
+	pid = (get_current_pid_tgid() >> 32);
+
 	curr = execve_map_get(pid);
 	if (curr) {
 #if defined(__NS_CHANGES_FILTER) || defined(__CAP_CHANGES_FILTER)
@@ -215,7 +245,7 @@ event_execve(struct sched_execve_args *ctx)
 			curr->key.ktime = execve->ktime;
 		}
 		curr->flags = 0;
-		curr->binary = binary;
+		curr->binary = event->binary;
 #ifdef __NS_CHANGES_FILTER
 		if (init_curr)
 			memcpy(&(curr->ns), &(event->ns),

diff --git a/pkg/sensors/base/base.go b/pkg/sensors/base/base.go
@@ -50,6 +50,9 @@ var (
 	ExecveMap    = program.MapBuilder("execve_map", Execve)
 	ExecveMapV53 = program.MapBuilder("execve_map", ExecveV53)
 
+	ExecveTailCallsMap    = program.MapBuilderPin("execve_calls", "execve_calls", Execve)
+	ExecveTailCallsMapV53 = program.MapBuilderPin("execve_calls", "execve_calls", ExecveV53)
+
 	/* Policy maps populated from base programs */
 	NamesMap    = program.MapBuilder("names_map", Execve)
 	NamesMapV53 = program.MapBuilder("names_map", ExecveV53)
@@ -104,6 +107,7 @@ func GetDefaultMaps() []*program.Map {
 		maps = append(maps,
 			ExecveMapV53,
 			ExecveStatsV53,
+			ExecveTailCallsMapV53,
 			NamesMapV53,
 			TCPMonMapV53,
 			TetragonConfMapV53,
@@ -112,6 +116,7 @@ func GetDefaultMaps() []*program.Map {
 		maps = append(maps,
 			ExecveMap,
 			ExecveStats,
+			ExecveTailCallsMap,
 			NamesMap,
 			TCPMonMap,
 			TetragonConfMap,

diff --git a/pkg/sensors/program/loader.go b/pkg/sensors/program/loader.go
@@ -138,7 +138,7 @@ func NoAttach(load *Program) AttachFunc {
 func LoadTracepointProgram(bpfDir, mapDir string, load *Program, verbose int) error {
 	var ci *customInstall
 	for mName, mPath := range load.PinMap {
-		if mName == "tp_calls" {
+		if mName == "tp_calls" || mName == "execve_calls" {
 			ci = &customInstall{mPath, "tracepoint"}
 			break
 		}

diff --git a/pkg/testutils/sensors/load.go b/pkg/testutils/sensors/load.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/cilium/ebpf"
+	"github.com/cilium/tetragon/pkg/kernels"
 	"github.com/cilium/tetragon/pkg/sensors"
 	"github.com/cilium/tetragon/pkg/sensors/program"
 )
@@ -117,12 +118,13 @@ func mergeInBaseSensorMaps(sensorMaps []SensorMap, sensorProgs []SensorProg, t *
 		0: SensorProg{Name: "event_execve", Type: ebpf.TracePoint},
 		1: SensorProg{Name: "event_exit", Type: ebpf.TracePoint},
 		2: SensorProg{Name: "event_wake_up_new_task", Type: ebpf.Kprobe},
+		3: SensorProg{Name: "execve_send", Type: ebpf.TracePoint},
 	}
+
 	var baseMaps = []SensorMap{
 		// all programs
-		SensorMap{Name: "execve_map", Progs: []uint{0, 1, 2}},
-		SensorMap{Name: "execve_map_stats", Progs: []uint{0, 1, 2}},
-		SensorMap{Name: "tcpmon_map", Progs: []uint{0, 1, 2}},
+		SensorMap{Name: "execve_map", Progs: []uint{0, 1, 2, 3}},
+		SensorMap{Name: "execve_map_stats", Progs: []uint{1, 2, 3}},
 
 		// event_execve
 		SensorMap{Name: "names_map", Progs: []uint{0}},
@@ -132,6 +134,12 @@ func mergeInBaseSensorMaps(sensorMaps []SensorMap, sensorProgs []SensorProg, t *
 		SensorMap{Name: "execve_val", Progs: []uint{2}},
 	}
 
+	if kernels.EnableLargeProgs() {
+		baseMaps = append(baseMaps, SensorMap{Name: "tcpmon_map", Progs: []uint{0, 1, 2, 3}})
+	} else {
+		baseMaps = append(baseMaps, SensorMap{Name: "tcpmon_map", Progs: []uint{1, 2, 3}})
+	}
+
 	return mergeSensorMaps(sensorMaps, baseMaps, sensorProgs, baseProgs, t)
 }