feat(sensors): support 38+ override on lsm funcs

Signed-off-by: Sam Wang (holyspectral) <[email protected]>

Author: holyspectral

pkg/sensors/load.go

@@ -65,8 +65,10 @@ func (s *Sensor) policyDir() string {
 
 func (s *Sensor) createDirs(bpfDir string) {
 	for _, p := range s.Progs {
-		// setup sensor based program pin path
-		p.PinPath = filepath.Join(s.policyDir(), s.Name, p.PinName)
+		// setup sensor based program pin path if it's not specified
+		if p.PinPath == "" {
+			p.PinPath = filepath.Join(s.policyDir(), s.Name, p.PinName)
+		}
 		// and make the path
 		if err := os.MkdirAll(filepath.Join(bpfDir, p.PinPath), os.ModeDir); err != nil {
 			logger.GetLogger().Warn("Failed to create program dir",

pkg/sensors/load_linux.go

@@ -19,6 +19,10 @@ import (
 )
 
 func (s *Sensor) setMapPinPath(m *program.Map) {
+	if m.PinPath != "" {
+		// Use the specified one when m.PinPath is already available.
+		return
+	}
 	policy := s.policyDir()
 	switch m.Type {
 	case program.MapTypeGlobal:

pkg/sensors/program/loader_linux.go

@@ -132,21 +132,10 @@ func KprobeOpen(load *Program) OpenFunc {
 		// The generic_kprobe_override program is part of bpf_generic_kprobe.o object,
 		// so let's disable it if the override is not configured. Otherwise it gets
 		// loaded and bpftool will show it.
-		if !load.Override {
+		if !load.Override || load.OverrideFmodRet {
 			disableProg(coll, "generic_kprobe_override")
-			disableProg(coll, "generic_fmodret_override")
-		} else {
-			if load.OverrideFmodRet {
-				spec, ok := coll.Programs["generic_fmodret_override"]
-				if !ok {
-					return errors.New("failed to find generic_fmodret_override")
-				}
-				spec.AttachTo = load.Attach
-				disableProg(coll, "generic_kprobe_override")
-			} else {
-				disableProg(coll, "generic_fmodret_override")
-			}
 		}
+		disableProg(coll, "generic_fmodret_override")
 		return nil
 	}
 }
@@ -266,15 +255,9 @@ func KprobeAttach(load *Program, bpfDir string) AttachFunc {
 	return func(coll *ebpf.Collection, collSpec *ebpf.CollectionSpec,
 		prog *ebpf.Program, spec *ebpf.ProgramSpec) (unloader.Unloader, error) {
 
-		if load.Override {
-			if load.OverrideFmodRet {
-				if err := fmodretAttachOverride(load, bpfDir, coll, collSpec); err != nil {
-					return nil, err
-				}
-			} else {
-				if err := kprobeAttachOverride(load, bpfDir, coll, collSpec); err != nil {
-					return nil, err
-				}
+		if load.Override && !load.OverrideFmodRet {
+			if err := kprobeAttachOverride(load, bpfDir, coll, collSpec); err != nil {
+				return nil, err
 			}
 		}
 

pkg/sensors/tracing/genericfmod_ret.go

@@ -0,0 +1,40 @@
+package tracing
+
+import (
+	"path"
+
+	"github.com/cilium/tetragon/pkg/config"
+	"github.com/cilium/tetragon/pkg/option"
+	"github.com/cilium/tetragon/pkg/sensors/program"
+)
+
+var fmodretMap map[string]*program.Program
+
+func getFmodRetProg(attachFunc string) (*program.Program, *program.Map) {
+	var fmodret *program.Program
+	var ok bool
+
+	if fmodretMap == nil {
+		fmodretMap = make(map[string]*program.Program)
+	}
+
+	loadProgName, _ := config.GenericKprobeObjs(false)
+
+	if fmodret, ok = fmodretMap[attachFunc]; !ok {
+
+		fmodret = program.Builder(
+			path.Join(option.Config.HubbleLib, loadProgName),
+			attachFunc,
+			"fmod_ret/security_task_prctl",
+			"fmod_ret/"+attachFunc,
+			"generic_fmod_ret")
+
+		fmodret.PinPath = "fmod_ret/" + attachFunc
+
+		fmodretmap := program.MapBuilder("override_tasks", fmodret)
+		fmodretmap.PinPath = path.Join("fmod_ret/", attachFunc, "override_tasks")
+
+		fmodretMap[attachFunc] = fmodret
+	}
+	return fmodret, fmodret.PinMap["override_tasks"]
+}

pkg/sensors/tracing/generickprobe.go

@@ -53,12 +53,23 @@ type observerKprobeSensor struct {
 	name string
 }
 
+type fmodRetProgram struct {
+	name string
+}
+
 func init() {
 	kprobe := &observerKprobeSensor{
 		name: "kprobe sensor",
 	}
+
+	fmodRet := &fmodRetProgram{
+		name: "fmod_ret program",
+	}
+
 	sensors.RegisterProbeType("generic_kprobe", kprobe)
 	observer.RegisterEventHandlerAtInit(ops.MSG_OP_GENERIC_KPROBE, handleGenericKprobe)
+
+	sensors.RegisterProbeType("generic_fmod_ret", fmodRet)
 }
 
 type kprobeSelectors struct {
@@ -1073,11 +1084,25 @@ func createKprobeSensorFromEntry(polInfo *policyInfo, kprobeEntry *genericKprobe
 		maps = append(maps, program.MapUser(cgtracker.MapName, load))
 	}
 
-	overrideTasksMap := program.MapBuilderProgram("override_tasks", load)
-	if has.override {
-		overrideTasksMap.SetMaxEntries(overrideMapMaxEntries)
+	if load.Override && load.OverrideFmodRet {
+		// setup fmodret program and its input
+		fmodRetProg, fmodRetMap := getFmodRetProg(kprobeEntry.funcName)
+		progs = append(progs, fmodRetProg)
+		maps = append(maps, fmodRetMap)
+
+		// setup the output of kprobe
+		overrideTasksMap := program.MapBuilder("override_tasks", load)
+		overrideTasksMap.PinPath = path.Join("fmod_ret/", kprobeEntry.funcName, "override_tasks")
+
+		maps = append(maps, overrideTasksMap)
+	} else {
+		// kprobe override
+		overrideTasksMap := program.MapBuilderProgram("override_tasks", load)
+		if has.override {
+			overrideTasksMap.SetMaxEntries(overrideMapMaxEntries)
+		}
+		maps = append(maps, overrideTasksMap)
 	}
-	maps = append(maps, overrideTasksMap)
 
 	maps = append(maps, polInfo.policyConfMap(load), polInfo.policyStatsMap(load))
 
@@ -1234,6 +1259,17 @@ func loadMultiKprobeSensor(ids []idtable.EntryID, bpfDir string, load *program.P
 	return nil
 }
 
+func loadGenericFmodRetProgram(bpfDir string, load *program.Program, maps []*program.Map, verbose int) error {
+	if load.LoadState.IsLoaded() {
+		logger.GetLogger().Info(fmt.Sprintf("The generic fmodify return program on %s has been loaded", load.Attach))
+		return nil
+	}
+
+	logger.GetLogger().Info("loading generic fmod ret program", "prog", load)
+
+	return program.LoadFmodRetProgram(bpfDir, load, maps, "generic_fmodret_override", verbose)
+}
+
 func loadGenericKprobeSensor(bpfDir string, load *program.Program, maps []*program.Map, verbose int) error {
 	if id, ok := load.LoaderData.(idtable.EntryID); ok {
 		return loadSingleKprobeSensor(id, bpfDir, load, maps, verbose)
@@ -1461,3 +1497,7 @@ func retprobeMerge(prev pendingEvent, curr pendingEvent) *tracing.MsgGenericKpro
 func (k *observerKprobeSensor) LoadProbe(args sensors.LoadProbeArgs) error {
 	return loadGenericKprobeSensor(args.BPFDir, args.Load, args.Maps, args.Verbose)
 }
+
+func (k *fmodRetProgram) LoadProbe(args sensors.LoadProbeArgs) error {
+	return loadGenericFmodRetProgram(args.BPFDir, args.Load, args.Maps, args.Verbose)
+}