Tracepoints: Add support for skb and sock types

Tracepoints can have socket and datagram pointers as parameters. This commit adds support for them. Signed-off-by: Kevin Sheldrake <kevin.sheldrake@isovalent.com>
cilium · Feb 29, 2024 · b5df4ea · b5df4ea
1 parent 577a2ac
commit b5df4ea
Show file tree

Hide file tree

Showing 3 changed files with 108 additions and 0 deletions.
diff --git a/bpf/process/bpf_generic_tracepoint.c b/bpf/process/bpf_generic_tracepoint.c
@@ -114,6 +114,20 @@ static inline __attribute__((always_inline)) unsigned long get_ctx_ul(void *src,
 		return (unsigned long)src;
 	}
 
+	case skb_type: {
+		struct sk_buff *skb;
+
+		probe_read(&skb, sizeof(struct sk_buff *), src);
+		return (unsigned long)skb;
+	}
+
+	case sock_type: {
+		struct sock *sk;
+
+		probe_read(&sk, sizeof(struct sock *), src);
+		return (unsigned long)sk;
+	}
+
 	default:
 	case nop_ty:
 		return 0;

diff --git a/pkg/grpc/tracing/tracing.go b/pkg/grpc/tracing/tracing.go
@@ -385,6 +385,16 @@ func (msg *MsgGenericTracepointUnix) Retry(internal *process.ProcessInternal, ev
 	return eventcache.HandleGenericEvent(internal, ev, &msg.Msg.Tid)
 }
 
+func familyString(family uint16) string {
+	switch family {
+	case unix.AF_INET:
+		return "AF_INET"
+	case unix.AF_INET6:
+		return "AF_INET6"
+	}
+	return ""
+}
+
 func (msg *MsgGenericTracepointUnix) HandleMessage() *tetragon.GetEventsResponse {
 	var tetragonParent, tetragonProcess *tetragon.Process
 
@@ -430,6 +440,46 @@ func (msg *MsgGenericTracepointUnix) HandleMessage() *tetragon.GetEventsResponse
 				BytesArg: v,
 			}})
 
+		case tracingapi.MsgGenericKprobeArgSkb:
+			skb := tetragon.KprobeSkb{
+				Family:      familyString(v.Family),
+				Hash:        v.Hash,
+				Len:         v.Len,
+				Priority:    v.Priority,
+				Mark:        v.Mark,
+				Saddr:       v.Saddr,
+				Daddr:       v.Daddr,
+				Sport:       v.Sport,
+				Dport:       v.Dport,
+				Proto:       v.Proto,
+				Protocol:    network.InetProtocol(uint16(v.Proto)),
+				SecPathLen:  v.SecPathLen,
+				SecPathOlen: v.SecPathOLen,
+			}
+
+			tetragonArgs = append(tetragonArgs, &tetragon.KprobeArgument{Arg: &tetragon.KprobeArgument_SkbArg{
+				SkbArg: &skb,
+			}})
+
+		case tracingapi.MsgGenericKprobeArgSock:
+			sk := tetragon.KprobeSock{
+				Family:   familyString(v.Family),
+				Type:     network.InetType(v.Type),
+				Protocol: network.InetProtocol(uint16(v.Protocol)),
+				Mark:     v.Mark,
+				Priority: v.Priority,
+				Saddr:    v.Saddr,
+				Daddr:    v.Daddr,
+				Sport:    v.Sport,
+				Dport:    v.Dport,
+				Cookie:   v.Sockaddr,
+				State:    network.TcpState(v.State),
+			}
+
+			tetragonArgs = append(tetragonArgs, &tetragon.KprobeArgument{Arg: &tetragon.KprobeArgument_SockArg{
+				SockArg: &sk,
+			}})
+
 		default:
 			logger.GetLogger().Warnf("handleGenericTracepointMessage: unhandled value: %+v (%T)", arg, arg)
 		}

diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go
@@ -24,6 +24,7 @@ import (
 	"github.com/cilium/tetragon/pkg/observer"
 	"github.com/cilium/tetragon/pkg/option"
 	"github.com/cilium/tetragon/pkg/policyfilter"
+	"github.com/cilium/tetragon/pkg/reader/network"
 	"github.com/cilium/tetragon/pkg/selectors"
 	"github.com/cilium/tetragon/pkg/sensors"
 	"github.com/cilium/tetragon/pkg/sensors/program"
@@ -754,6 +755,49 @@ func handleMsgGenericTracepoint(
 			} else {
 				unix.Args = append(unix.Args, arg)
 			}
+		case gt.GenericSkbType:
+			var skb api.MsgGenericKprobeSkb
+			var arg api.MsgGenericKprobeArgSkb
+
+			err := binary.Read(r, binary.LittleEndian, &skb)
+			if err != nil {
+				logger.GetLogger().WithError(err).Warnf("skb type err")
+			}
+
+			arg.Hash = skb.Hash
+			arg.Len = skb.Len
+			arg.Priority = skb.Priority
+			arg.Mark = skb.Mark
+			arg.Family = skb.Tuple.Family
+			arg.Saddr = network.GetIP(skb.Tuple.Saddr, skb.Tuple.Family).String()
+			arg.Daddr = network.GetIP(skb.Tuple.Daddr, skb.Tuple.Family).String()
+			arg.Sport = uint32(skb.Tuple.Sport)
+			arg.Dport = uint32(skb.Tuple.Dport)
+			arg.Proto = uint32(skb.Tuple.Protocol)
+			arg.SecPathLen = skb.SecPathLen
+			arg.SecPathOLen = skb.SecPathOLen
+			unix.Args = append(unix.Args, arg)
+		case gt.GenericSockType:
+			var sock api.MsgGenericKprobeSock
+			var arg api.MsgGenericKprobeArgSock
+
+			err := binary.Read(r, binary.LittleEndian, &sock)
+			if err != nil {
+				logger.GetLogger().WithError(err).Warnf("sock type err")
+			}
+
+			arg.Family = sock.Tuple.Family
+			arg.State = sock.State
+			arg.Type = sock.Type
+			arg.Protocol = sock.Tuple.Protocol
+			arg.Mark = sock.Mark
+			arg.Priority = sock.Priority
+			arg.Saddr = network.GetIP(sock.Tuple.Saddr, sock.Tuple.Family).String()
+			arg.Daddr = network.GetIP(sock.Tuple.Daddr, sock.Tuple.Family).String()
+			arg.Sport = uint32(sock.Tuple.Sport)
+			arg.Dport = uint32(sock.Tuple.Dport)
+			arg.Sockaddr = sock.Sockaddr
+			unix.Args = append(unix.Args, arg)
 
 		default:
 			logger.GetLogger().Warnf("handleGenericTracepoint: ignoring:  %+v", out)