tetragon: extract struct dentry member using CO:RE

[dwindsor]

Thanks for contributing! Please ensure your pull request adheres to the following guidelines:

• All commits contain a well written commit message and are signed-off (see Submitting a pull request).
• All code is covered by unit and/or end-to-end tests where feasible.
• All generated files are updated if needed (see Making changes).
• Provide a title or release-note blurb suitable for the release notes (see guidelines).
• Update documentation and write an upgrade note if needed (see guidelines).
• Are you a user of Tetragon? Please add yourself to the Users doc in the Cilium repository.

Fixes: #2573

<!-- Enter the release note text here if needed or remove this section! -->

[netlify]

✅ Deploy Preview for tetragon ready!

Name	Link
🔨 Latest commit	6e29ad2
🔍 Latest deploy log	https://app.netlify.com/sites/tetragon/deploys/66992639e725e50008a84182
😎 Deploy Preview	https://deploy-preview-2574--tetragon.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[dwindsor]

Hi! I'm encountering the following error when attempting to build these changes, and am not quite sure why... 🤔

Following the same procedures as 9889f27, I'm getting this error:

shell time="2024-06-17T12:16:50-04:00" level=fatal msg="Failed to start tetragon" error="failed loading tracing policy file \"/home/dave/src/github.com/dwindsor/tetragon/examples/tracingpolicy/security_inode_follow_link.yaml\": validation failed: \"follow-symlink\": validation failure list:\nspec.kprobes[0].args[0].type in body should be one of [auto int int8 uint8 int16 uint16 uint32 int32 uint64 int64 char_buf char_iovec size_t skb sock string fd file filename path nop bpf_attr perf_event bpf_map user_namespace capability kiocb iov_iter cred load_info module syscall64 kernel_cap_t cap_inheritable cap_permitted cap_effective linux_binprm data_loc net_device]"

Using the following Tracing Policy:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "follow-symlink"
spec:
  kprobes:
  - call: "security_inode_follow_link"
    syscall: false
    args:
    - index: 0
      type: "dentry"
    returnArg:
      index: 0
      type: "int"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "/tmp/softlink"

It appears the procedure has changed at least slightly since 9889f27, as 577a2ac introduced some changes.

i've tried following the same procedure as 9268fd0, but haven't had luck so far. I'll keep trying but wanted to see if anyone had any pointers?

cc: @kevsecurity @mtardy @jrfastab

[dwindsor]

I forgot to run make crds; not sure if that target was around last time?

Either way, above errors are fixed =)

[kkourt]

I forgot to run make crds; not sure if that target was around last time?

It was renamed from make generate to make crds recently: c26e483

Either way, above errors are fixed =)

Thanks! I plan to review this tomorrow.

Could you also fix the static check failures? Running make check locally should perform the same tests. This is not required for the review, but it's something that needs to be fixed before merging.

[kkourt]

Thanks, from a quick look this LGTM overall.

Can you please squash the fixes into the relevant original commits? (git rebase --interactive using the squash and fixup actions should help).

It would also be great if a test was added for this newly-introduced functionality. Happy to provide some pointers and help out in doing so.

[kkourt]

Please keep the same minor number and just change the patch version since this follows the Tetragon version. So in this case, this should be 1.2.1.

[dwindsor]

Thanks for the review @kkourt! I've responded to your comments and fixed the formatting issues, but I'm having trouble getting the test to work.

Running the test program on my system, I see the relevant event being produced in tetra:

{
  "process_kprobe": {
    "process": {
      "exec_id": "bGF0ZXJhbHVzOjI0ODQ0MzUwNjU1MzM4OjMyNjQ2MQ==",
      "pid": 326461,
      "uid": 1000,
      "cwd": "/home/dave/src/github.com/dwindsor/tetragon/contrib/tester-progs",
      "binary": "/home/dave/src/github.com/dwindsor/tetragon/contrib/tester-progs/symlink-tester",
      "flags": "execve clone",
      "start_time": "2024-06-27T21:39:16.896790982Z",
      "auid": 1000,
      "parent_exec_id": "bGF0ZXJhbHVzOjU2NTkyMTAwMDAwMDA6ODUyNjE=",
      "refcnt": 1,
      "tid": 326461
    },
    "parent": {
      "exec_id": "bGF0ZXJhbHVzOjU2NTkyMTAwMDAwMDA6ODUyNjE=",
      "pid": 85261,
      "uid": 1000,
      "cwd": "/tmp",
      "binary": "/usr/bin/bash",
      "flags": "procFS auid",
      "start_time": "2024-06-27T16:19:31.756135483Z",
      "auid": 1000,
      "parent_exec_id": "bGF0ZXJhbHVzOjU2NTkyMDAwMDAwMDA6ODUyNjA=",
      "tid": 85261
    },
    "function_name": "security_inode_follow_link",
    "args": [
      {
        "dentry_arg": {
          "name": "/tmp/id"
        }
      }
    ],
    "action": "KPROBE_ACTION_POST",
    "policy_name": "path-traversal-block",
    "return_action": "KPROBE_ACTION_POST"
  },
  "node_name": "lateralus",
  "time": "2024-06-27T21:39:16.897100809Z"
}

[kkourt]

Hi,

Thanks for the review @kkourt! I've responded to your comments and fixed the formatting issues, but I'm having trouble getting the test to work.

Thanks.

I think the issue might be that you are killing the test program before it has a chance to do the operation. I've tried the test locally, and this seems to work for me:

diff --git a/pkg/sensors/tracing/kprobe_test.go b/pkg/sensors/tracing/kprobe_test.go                                                                                                                                                                                                                                           
index db8a53f0b..55fcbbaa6 100644                                                                                                                                                                                                                                                                                              
--- a/pkg/sensors/tracing/kprobe_test.go                                                                                                                                                                                                                                                                                       
+++ b/pkg/sensors/tracing/kprobe_test.go                                                                                                                                                                                                                                                                                       
@@ -6049,7 +6049,6 @@ func TestDentryExtractPath(t *testing.T) {                                                                                                                                                                                                                                                               
        ops := func() {                                                                                                                                                                                                                                                                                                        
                err = command.Start()                                                                                                                                                                                                                                                                                          
                assert.NoError(t, err)                                                                                                                                                                                                                                                                                         
-               defer command.Process.Kill()                                                                                                                                                                                                                                                                                   
        }                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                               
        events := perfring.RunTestEvents(t, ctx, ops)         

$ sudo $(which go) test ./pkg/sensors/tracing -bpf-lib $(pwd)/bpf/objs -test.run TestDentryExtractPath                                                                                                                                                                       
ok      github.com/cilium/tetragon/pkg/sensors/tracing  1.325s                                                                                                                                                                                                                                                                     

Could you also rebase to latest main? I believe it should address some of the e2e test failures.

[olsajiri]

could you please split the change into separate logical parts? like at least bpf bits. tests, schema changes.. anything that makes sense to split, thnx

[dwindsor]

Hi @kkourt, thanks for the pointers! Your suggestion worked.

@olsajiri I've split the PR into logical patches. Some CI is failing now but for unrelated reasons.

Thanks!

[kkourt]

Hi @kkourt, thanks for the pointers! Your suggestion worked.

@olsajiri I've split the PR into logical patches. Some CI is failing now but for unrelated reasons.

Thanks, can you also rebase? There seem to be conflicts. The conflicts seem to be in the auto-generated files, so it should be easy to resolve.

[dwindsor]

Hi @kkourt, thanks for the pointers! Your suggestion worked.
@olsajiri I've split the PR into logical patches. Some CI is failing now but for unrelated reasons.

Thanks, can you also rebase? There seem to be conflicts. The conflicts seem to be in the auto-generated files, so it should be easy to resolve.

Thanks! I've tried running make crds, but it shows no differences to push

[kkourt]

Hi @kkourt, thanks for the pointers! Your suggestion worked.
@olsajiri I've split the PR into logical patches. Some CI is failing now but for unrelated reasons.

Thanks, can you also rebase? There seem to be conflicts. The conflicts seem to be in the auto-generated files, so it should be easy to resolve.

Thanks! I've tried running make crds, but it shows no differences to push

Have you tried running make protogen as well? The conflicts seem to be related to protobuf definitions.

[kkourt]

Moving this to draft since there are many conflicts.