From 955b4fb6ec0e6b8da9e7010df1b51ba60bf279ca Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Fri, 16 Feb 2024 14:28:40 +0000 Subject: [PATCH 1/7] tetragon: Fix removeAllSensors handler The [0] commit added sensor's destroy hook and changed kprobe logic to cleanup genericKprobeTable in there. We also need to change removeAllSensors to do destroy instead of unload so the kprobe hook is executed. [0] 70e4fcd20ccd ("pkg/sensors: cleanup kprobe entry from table on destroy") Signed-off-by: Jiri Olsa --- pkg/sensors/handler.go | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/pkg/sensors/handler.go b/pkg/sensors/handler.go index e5bea372809..40fee9d8dc5 100644 --- a/pkg/sensors/handler.go +++ b/pkg/sensors/handler.go @@ -4,7 +4,6 @@ package sensors import ( - "errors" "fmt" slimv1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1" @@ -251,15 +250,11 @@ func (h *handler) addSensor(op *sensorAdd) error { return nil } -func removeAllSensors(h *handler) error { - var errs error +func removeAllSensors(h *handler) { for _, col := range h.collections { - if err := col.unload(); err != nil { - errs = errors.Join(errs, err) - } + col.destroy() delete(h.collections, col.name) } - return errs } func (h *handler) removeSensor(op *sensorRemove) error { @@ -268,7 +263,8 @@ func (h *handler) removeSensor(op *sensorRemove) error { return fmt.Errorf("removeSensor called with all flag and sensor name %s", op.name) } - return removeAllSensors(h) + removeAllSensors(h) + return nil } col, exists := h.collections[op.name] if !exists { From 4c45719254d1e983697cc876869bc888f2ce947d Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Fri, 16 Feb 2024 09:15:45 +0000 Subject: [PATCH 2/7] tetragon: Rename NOTIFYKILLER to NOTIFYENFORCER action Renaming NOTIFYKILLER to NOTIFYENFORCER action as a first step of the whole rename, so we have schema changes separated. 
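Review bot: In the `removeAllSensors` hunk of pkg/sensors/handler.go the new `col.destroy()` call has no result that is checked, and the `removeSensor` hunk below it now returns `nil` unconditionally on the all-sensors path, so a collection whose programs failed to detach is still dropped from `h.collections` while the gRPC caller is told the removal succeeded. The previous `errors.Join` aggregation surfaced exactly this case, and an enforcement sensor that stays attached after a reported "removed" is hard to notice operationally. If `destroy()` (outside this hunk) can report the unload failure, keep the aggregation: `if err := col.destroy(); err != nil { errs = errors.Join(errs, err) }` with `return errs` restored and the `"errors"` import kept; if it cannot, a comment on `removeAllSensors` stating that unload failures are logged by `destroy` and not propagated would at least make the contract explicit. The body of `removeSensor` continues outside the hunk.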
Signed-off-by: Jiri Olsa --- api/v1/README.md | 2 +- api/v1/tetragon/tetragon.pb.go | 101 +++++++++--------- api/v1/tetragon/tetragon.proto | 4 +- docs/content/en/docs/reference/grpc-api.md | 2 +- pkg/grpc/tracing/tracing.go | 2 +- pkg/sensors/tracing/killer_amd64_test.go | 8 +- pkg/sensors/tracing/killer_test.go | 6 +- .../tetragon/api/v1/tetragon/tetragon.pb.go | 101 +++++++++--------- .../tetragon/api/v1/tetragon/tetragon.proto | 4 +- 9 files changed, 116 insertions(+), 114 deletions(-) diff --git a/api/v1/README.md b/api/v1/README.md index 1f4070adf67..eae30996977 100644 --- a/api/v1/README.md +++ b/api/v1/README.md @@ -1060,7 +1060,7 @@ RuntimeHookRequest synchronously propagates information to the agent about run-t | KPROBE_ACTION_SIGNAL | 10 | Signal action sends specified signal to the process. | | KPROBE_ACTION_TRACKSOCK | 11 | TrackSock action tracks socket. | | KPROBE_ACTION_UNTRACKSOCK | 12 | UntrackSock action un-tracks socket. | -| KPROBE_ACTION_NOTIFYKILLER | 13 | NotifyKiller action notifies killer sensor. | +| KPROBE_ACTION_NOTIFYENFORCER | 13 | NotifyEnforcer action notifies killer sensor. | diff --git a/api/v1/tetragon/tetragon.pb.go b/api/v1/tetragon/tetragon.pb.go index d96c7d79fd7..97e21b49981 100644 --- a/api/v1/tetragon/tetragon.pb.go +++ b/api/v1/tetragon/tetragon.pb.go @@ -55,8 +55,8 @@ const ( KprobeAction_KPROBE_ACTION_TRACKSOCK KprobeAction = 11 // UntrackSock action un-tracks socket. KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12 - // NotifyKiller action notifies killer sensor. - KprobeAction_KPROBE_ACTION_NOTIFYKILLER KprobeAction = 13 + // NotifyEnforcer action notifies killer sensor. + KprobeAction_KPROBE_ACTION_NOTIFYENFORCER KprobeAction = 13 ) // Enum value maps for KprobeAction. 
@@ -75,23 +75,23 @@ var ( 10: "KPROBE_ACTION_SIGNAL", 11: "KPROBE_ACTION_TRACKSOCK", 12: "KPROBE_ACTION_UNTRACKSOCK", - 13: "KPROBE_ACTION_NOTIFYKILLER", + 13: "KPROBE_ACTION_NOTIFYENFORCER", } KprobeAction_value = map[string]int32{ - "KPROBE_ACTION_UNKNOWN": 0, - "KPROBE_ACTION_POST": 1, - "KPROBE_ACTION_FOLLOWFD": 2, - "KPROBE_ACTION_SIGKILL": 3, - "KPROBE_ACTION_UNFOLLOWFD": 4, - "KPROBE_ACTION_OVERRIDE": 5, - "KPROBE_ACTION_COPYFD": 6, - "KPROBE_ACTION_GETURL": 7, - "KPROBE_ACTION_DNSLOOKUP": 8, - "KPROBE_ACTION_NOPOST": 9, - "KPROBE_ACTION_SIGNAL": 10, - "KPROBE_ACTION_TRACKSOCK": 11, - "KPROBE_ACTION_UNTRACKSOCK": 12, - "KPROBE_ACTION_NOTIFYKILLER": 13, + "KPROBE_ACTION_UNKNOWN": 0, + "KPROBE_ACTION_POST": 1, + "KPROBE_ACTION_FOLLOWFD": 2, + "KPROBE_ACTION_SIGKILL": 3, + "KPROBE_ACTION_UNFOLLOWFD": 4, + "KPROBE_ACTION_OVERRIDE": 5, + "KPROBE_ACTION_COPYFD": 6, + "KPROBE_ACTION_GETURL": 7, + "KPROBE_ACTION_DNSLOOKUP": 8, + "KPROBE_ACTION_NOPOST": 9, + "KPROBE_ACTION_SIGNAL": 10, + "KPROBE_ACTION_TRACKSOCK": 11, + "KPROBE_ACTION_UNTRACKSOCK": 12, + "KPROBE_ACTION_NOTIFYENFORCER": 13, } ) @@ -4444,7 +4444,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x65, 0x73, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, - 0x62, 0x6f, 0x6c, 0x2a, 0x93, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, + 0x62, 0x6f, 0x6c, 0x2a, 0x95, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 
@@ -4467,39 +4467,40 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x17, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0b, 0x12, 0x1d, 0x0a, 0x19, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x54, 0x52, - 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x50, 0x52, + 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x20, 0x0a, 0x1c, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x54, 0x49, 0x46, - 0x59, 0x4b, 0x49, 0x4c, 0x4c, 0x45, 0x52, 0x10, 0x0d, 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, - 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, - 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, - 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, - 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, - 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, - 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, - 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, - 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, - 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, - 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, - 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, - 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 
0x0a, 0x0f, 0x54, 0x61, 0x69, - 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, - 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, - 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, - 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, - 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, - 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, - 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, - 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, - 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, - 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, - 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, - 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, - 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x59, 0x45, 0x4e, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x52, 0x10, 0x0d, 0x2a, 0x4f, 0x0a, 0x10, 0x48, + 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, + 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, + 0x5f, 
0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x1d, 0x0a, + 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, + 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, 0x0a, 0x12, + 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x75, + 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, + 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x48, + 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x55, 0x4e, + 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, + 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, 0x44, 0x10, + 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, + 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, 0x0f, 0x54, + 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0f, + 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, 0x00, 0x12, + 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, 0x50, 0x52, 0x49, 0x45, + 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x17, 0x0a, + 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x4d, 0x4f, + 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, + 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x4d, 0x4f, + 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, + 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x08, + 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 
0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, 0x4f, 0x46, + 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x20, 0x12, + 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, 0x4e, 0x45, + 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, 0x1e, 0x54, + 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, 0x56, 0x45, + 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, + 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, + 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, } var ( diff --git a/api/v1/tetragon/tetragon.proto b/api/v1/tetragon/tetragon.proto index c4b493c6e49..a559086c616 100644 --- a/api/v1/tetragon/tetragon.proto +++ b/api/v1/tetragon/tetragon.proto @@ -436,8 +436,8 @@ enum KprobeAction { KPROBE_ACTION_TRACKSOCK = 11; // UntrackSock action un-tracks socket. KPROBE_ACTION_UNTRACKSOCK = 12; - // NotifyKiller action notifies killer sensor. - KPROBE_ACTION_NOTIFYKILLER = 13; + // NotifyEnforcer action notifies killer sensor. + KPROBE_ACTION_NOTIFYENFORCER = 13; } message ProcessKprobe { diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md index 87a6cd6e704..03c6ff2c2fe 100644 --- a/docs/content/en/docs/reference/grpc-api.md +++ b/docs/content/en/docs/reference/grpc-api.md 
@@ -643,7 +643,7 @@ RuntimeHookRequest synchronously propagates information to the agent about run-t | KPROBE_ACTION_SIGNAL | 10 | Signal action sends specified signal to the process. | | KPROBE_ACTION_TRACKSOCK | 11 | TrackSock action tracks socket. | | KPROBE_ACTION_UNTRACKSOCK | 12 | UntrackSock action un-tracks socket. | -| KPROBE_ACTION_NOTIFYKILLER | 13 | NotifyKiller action notifies killer sensor. | +| KPROBE_ACTION_NOTIFYENFORCER | 13 | NotifyEnforcer action notifies killer sensor. | diff --git a/pkg/grpc/tracing/tracing.go b/pkg/grpc/tracing/tracing.go index 90c44aa1365..4162a8ce950 100644 --- a/pkg/grpc/tracing/tracing.go +++ b/pkg/grpc/tracing/tracing.go @@ -60,7 +60,7 @@ func kprobeAction(act uint64) tetragon.KprobeAction { case tracingapi.ActionUntrackSock: return tetragon.KprobeAction_KPROBE_ACTION_UNTRACKSOCK case tracingapi.ActionNotifyKiller: - return tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER + return tetragon.KprobeAction_KPROBE_ACTION_NOTIFYENFORCER default: return tetragon.KprobeAction_KPROBE_ACTION_UNKNOWN } diff --git a/pkg/sensors/tracing/killer_amd64_test.go b/pkg/sensors/tracing/killer_amd64_test.go index 0e853175f8c..87cee5cde2f 100644 --- a/pkg/sensors/tracing/killer_amd64_test.go +++ b/pkg/sensors/tracing/killer_amd64_test.go @@ -34,7 +34,7 @@ func TestKillerOverride32(t *testing.T) { WithValues( ec.NewKprobeArgumentChecker().WithSizeArg(i386.SYS_PRCTL), )). - WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYENFORCER) checker := ec.NewUnorderedEventChecker(tpChecker) @@ -64,7 +64,7 @@ func TestKillerSignal32(t *testing.T) { WithValues( ec.NewKprobeArgumentChecker().WithSizeArg(i386.SYS_PRCTL), )). - WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYENFORCER) checker := ec.NewUnorderedEventChecker(tpChecker) 
@@ -95,7 +95,7 @@ func TestKillerOverrideBothBits(t *testing.T) { WithValues( ec.NewKprobeArgumentChecker().WithSizeArg(i386.SYS_PRCTL), )). - WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYENFORCER) tpChecker64 := ec.NewProcessTracepointChecker(""). WithArgs(ec.NewKprobeArgumentListMatcher(). @@ -103,7 +103,7 @@ func TestKillerOverrideBothBits(t *testing.T) { WithValues( ec.NewKprobeArgumentChecker().WithSizeArg(syscall.SYS_PRCTL), )). - WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYENFORCER) checker := ec.NewUnorderedEventChecker(tpChecker32, tpChecker64) diff --git a/pkg/sensors/tracing/killer_test.go b/pkg/sensors/tracing/killer_test.go index 06059c70503..3a7bedebb5e 100644 --- a/pkg/sensors/tracing/killer_test.go +++ b/pkg/sensors/tracing/killer_test.go @@ -97,7 +97,7 @@ func TestKillerOverride(t *testing.T) { WithValues( ec.NewKprobeArgumentChecker().WithSizeArg(unix.SYS_GETCPU), )). - WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYENFORCER) checker := ec.NewUnorderedEventChecker(tpChecker) @@ -145,7 +145,7 @@ func TestKillerSignal(t *testing.T) { WithValues( ec.NewKprobeArgumentChecker().WithSizeArg(syscall.SYS_PRCTL), )). - WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER) + WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYENFORCER) checker := ec.NewUnorderedEventChecker(tpChecker) @@ -221,7 +221,7 @@ func testSecurity(t *testing.T, tracingPolicy, tempFile string) { WithProcess(ec.NewProcessChecker(). WithBinary(sm.Suffix(testBin))). WithFunctionName(sm.Full(arch.AddSyscallPrefixTestHelper(t, "sys_pwrite64"))). - WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYKILLER). + WithAction(tetragon.KprobeAction_KPROBE_ACTION_NOTIFYENFORCER). WithArgs(ec.NewKprobeArgumentListMatcher(). WithOperator(lc.Ordered). WithValues( 
diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go index d96c7d79fd7..97e21b49981 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go @@ -55,8 +55,8 @@ const ( KprobeAction_KPROBE_ACTION_TRACKSOCK KprobeAction = 11 // UntrackSock action un-tracks socket. KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12 - // NotifyKiller action notifies killer sensor. - KprobeAction_KPROBE_ACTION_NOTIFYKILLER KprobeAction = 13 + // NotifyEnforcer action notifies killer sensor. + KprobeAction_KPROBE_ACTION_NOTIFYENFORCER KprobeAction = 13 ) // Enum value maps for KprobeAction. @@ -75,23 +75,23 @@ var ( 10: "KPROBE_ACTION_SIGNAL", 11: "KPROBE_ACTION_TRACKSOCK", 12: "KPROBE_ACTION_UNTRACKSOCK", - 13: "KPROBE_ACTION_NOTIFYKILLER", + 13: "KPROBE_ACTION_NOTIFYENFORCER", } KprobeAction_value = map[string]int32{ - "KPROBE_ACTION_UNKNOWN": 0, - "KPROBE_ACTION_POST": 1, - "KPROBE_ACTION_FOLLOWFD": 2, - "KPROBE_ACTION_SIGKILL": 3, - "KPROBE_ACTION_UNFOLLOWFD": 4, - "KPROBE_ACTION_OVERRIDE": 5, - "KPROBE_ACTION_COPYFD": 6, - "KPROBE_ACTION_GETURL": 7, - "KPROBE_ACTION_DNSLOOKUP": 8, - "KPROBE_ACTION_NOPOST": 9, - "KPROBE_ACTION_SIGNAL": 10, - "KPROBE_ACTION_TRACKSOCK": 11, - "KPROBE_ACTION_UNTRACKSOCK": 12, - "KPROBE_ACTION_NOTIFYKILLER": 13, + "KPROBE_ACTION_UNKNOWN": 0, + "KPROBE_ACTION_POST": 1, + "KPROBE_ACTION_FOLLOWFD": 2, + "KPROBE_ACTION_SIGKILL": 3, + "KPROBE_ACTION_UNFOLLOWFD": 4, + "KPROBE_ACTION_OVERRIDE": 5, + "KPROBE_ACTION_COPYFD": 6, + "KPROBE_ACTION_GETURL": 7, + "KPROBE_ACTION_DNSLOOKUP": 8, + "KPROBE_ACTION_NOPOST": 9, + "KPROBE_ACTION_SIGNAL": 10, + "KPROBE_ACTION_TRACKSOCK": 11, + "KPROBE_ACTION_UNTRACKSOCK": 12, + "KPROBE_ACTION_NOTIFYENFORCER": 13, } ) 
@@ -4444,7 +4444,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x65, 0x73, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, - 0x62, 0x6f, 0x6c, 0x2a, 0x93, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, + 0x62, 0x6f, 0x6c, 0x2a, 0x95, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 
@@ -4467,39 +4467,40 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x17, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0b, 0x12, 0x1d, 0x0a, 0x19, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x54, 0x52, - 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x50, 0x52, + 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x20, 0x0a, 0x1c, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x54, 0x49, 0x46, - 0x59, 0x4b, 0x49, 0x4c, 0x4c, 0x45, 0x52, 0x10, 0x0d, 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, - 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, - 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, - 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, - 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, - 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, - 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, - 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, - 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, - 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, - 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, - 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, - 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 
0x0a, 0x0f, 0x54, 0x61, 0x69, - 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, - 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, - 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, - 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, - 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, - 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, - 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, - 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, - 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, - 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, - 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, - 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, - 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, - 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x59, 0x45, 0x4e, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x52, 0x10, 0x0d, 0x2a, 0x4f, 0x0a, 0x10, 0x48, + 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, + 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, + 0x5f, 
0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x1d, 0x0a, + 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, + 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, 0x2a, 0x7c, 0x0a, 0x12, + 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x75, + 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, + 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, 0x48, + 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x55, 0x4e, + 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, + 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, 0x44, 0x10, + 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, + 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, 0x0f, 0x54, + 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0f, + 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, 0x00, 0x12, + 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, 0x50, 0x52, 0x49, 0x45, + 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x17, 0x0a, + 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x4d, 0x4f, + 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, + 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x4d, 0x4f, + 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, + 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x08, + 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 
0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, 0x4f, 0x46, + 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x20, 0x12, + 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, 0x4e, 0x45, + 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, 0x1e, 0x54, + 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, 0x56, 0x45, + 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, + 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, + 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, } var ( diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto index c4b493c6e49..a559086c616 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto @@ -436,8 +436,8 @@ enum KprobeAction { KPROBE_ACTION_TRACKSOCK = 11; // UntrackSock action un-tracks socket. KPROBE_ACTION_UNTRACKSOCK = 12; - // NotifyKiller action notifies killer sensor. - KPROBE_ACTION_NOTIFYKILLER = 13; + // NotifyEnforcer action notifies killer sensor. + KPROBE_ACTION_NOTIFYENFORCER = 13; } message ProcessKprobe { From 9295fab75541ba020b5fdb5edbe365a09c88a398 Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Fri, 16 Feb 2024 09:01:46 +0000 Subject: [PATCH 3/7] tetragon: Rename killer bpf sensor to enforcer Renaming killer bpf sensor to enforcer including the file object names. 
Signed-off-by: Jiri Olsa --- bpf/Makefile | 22 +++++++++--------- bpf/process/{bpf_killer.c => bpf_enforcer.c} | 24 ++++++++++---------- bpf/process/{bpf_killer.h => bpf_enforcer.h} | 20 ++++++++-------- bpf/process/types/basic.h | 10 ++++---- pkg/sensors/tracing/killer.go | 18 +++++++-------- 5 files changed, 47 insertions(+), 47 deletions(-) rename bpf/process/{bpf_killer.c => bpf_enforcer.c} (65%) rename bpf/process/{bpf_killer.h => bpf_enforcer.h} (59%) diff --git a/bpf/Makefile b/bpf/Makefile index b8947f5d262..c04f90dd7b7 100644 --- a/bpf/Makefile +++ b/bpf/Makefile @@ -26,7 +26,7 @@ PROCESS = bpf_execve_event.o bpf_execve_event_v53.o bpf_fork.o bpf_exit.o bpf_ge bpf_multi_kprobe_v511.o bpf_multi_retkprobe_v511.o \ bpf_generic_uprobe_v511.o \ bpf_loader.o \ - bpf_killer.o bpf_multi_killer.o bpf_fmodret_killer.o + bpf_enforcer.o bpf_multi_enforcer.o bpf_fmodret_enforcer.o CGROUP = bpf_cgroup_mkdir.o bpf_cgroup_rmdir.o bpf_cgroup_release.o BPFTEST = bpf_lseek.o bpf_globals.o 
@@ -82,27 +82,27 @@ $(DEPSDIR)%.d: $(ALIGNCHECKERDIR)%.c $(CLANG) $(CLANG_FLAGS) -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@ -# Killer programs: bpf_killer, bpf_multi_killer, bpf_fmodret_killer +# Enforcer programs: bpf_enforcer, bpf_multi_enforcer, bpf_fmodret_enforcer -## bpf_killer: __BPF_OVERRIDE_RETURN, but no __MULTI_KPROBE -objs/bpf_killer.ll: process/bpf_killer.c +## bpf_enforcer: __BPF_OVERRIDE_RETURN, but no __MULTI_KPROBE +objs/bpf_enforcer.ll: process/bpf_enforcer.c $(CLANG) $(CLANG_FLAGS) -D__BPF_OVERRIDE_RETURN -c $< -o $@ -$(DEPSDIR)bpf_killer.d: process/bpf_killer.c +$(DEPSDIR)bpf_enforcer.d: process/bpf_enforcer.c $(CLANG) $(CLANG_FLAGS) -D__BPF_OVERRIDE_RETURN -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@ -## bpf_multi_killer: __BPF_OVERRIDE_RETURN and __MULTI_KPROBE -objs/bpf_multi_killer.ll: process/bpf_killer.c +## bpf_multi_enforcer: __BPF_OVERRIDE_RETURN and __MULTI_KPROBE +objs/bpf_multi_enforcer.ll: process/bpf_enforcer.c $(CLANG) $(CLANG_FLAGS) -D__BPF_OVERRIDE_RETURN -D__MULTI_KPROBE -c $< -o $@ -$(DEPSDIR)/bpf_multi_killer.d: process/bpf_killer.c +$(DEPSDIR)/bpf_multi_enforcer.d: process/bpf_enforcer.c $(CLANG) $(CLANG_FLAGS) -D__BPF_OVERRIDE_RETURN -D__MULTI_KPROBE -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@ -## bpf_fmodret_killer no bpf_override_return: we need fmod_ret -objs/bpf_fmodret_killer.ll: process/bpf_killer.c +## bpf_fmodret_enforcer no bpf_override_return: we need fmod_ret +objs/bpf_fmodret_enforcer.ll: process/bpf_enforcer.c $(CLANG) $(CLANG_FLAGS) -c $< -o $@ -$(DEPSDIR)/bpf_fmodret_killer.d: process/bpf_killer.c +$(DEPSDIR)/bpf_fmodret_enforcer.d: process/bpf_enforcer.c $(CLANG) $(CLANG_FLAGS) -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@ # PROCESSDIR 
diff --git a/bpf/process/bpf_killer.c b/bpf/process/bpf_enforcer.c similarity index 65% rename from bpf/process/bpf_killer.c rename to bpf/process/bpf_enforcer.c index 6a6a456e36c..df94f7399bf 100644 --- a/bpf/process/bpf_killer.c +++ b/bpf/process/bpf_enforcer.c @@ -1,32 +1,32 @@ -#include "bpf_killer.h" +#include "bpf_enforcer.h" char _license[] __attribute__((section("license"), used)) = "Dual BSD/GPL"; static inline __attribute__((always_inline)) int -do_killer(void *ctx) +do_enforcer(void *ctx) { __u64 id = get_current_pid_tgid(); - struct killer_data *data; + struct enforcer_data *data; - data = map_lookup_elem(&killer_data, &id); + data = map_lookup_elem(&enforcer_data, &id); if (!data) return 0; if (data->signal) send_signal(data->signal); - map_delete_elem(&killer_data, &id); + map_delete_elem(&enforcer_data, &id); return data->error; } #if defined(__BPF_OVERRIDE_RETURN) #ifdef __MULTI_KPROBE -#define MAIN "kprobe.multi/killer" -#define FUNC kprobe_multi_killer +#define MAIN "kprobe.multi/enforcer" +#define FUNC kprobe_multi_enforcer #else -#define MAIN "kprobe/killer" -#define FUNC kprobe_killer +#define MAIN "kprobe/enforcer" +#define FUNC kprobe_enforcer #endif __attribute__((section(MAIN), used)) int @@ -34,7 +34,7 @@ FUNC(void *ctx) { long ret; - ret = do_killer(ctx); + ret = do_enforcer(ctx); if (ret) override_return(ctx, ret); @@ -47,9 +47,9 @@ FUNC(void *ctx) * in normal run the function is set by tetragon dynamically. */ __attribute__((section("fmod_ret/security_task_prctl"), used)) long -fmodret_killer(void *ctx) +fmodret_enforcer(void *ctx) { - return do_killer(ctx); + return do_enforcer(ctx); } #endif diff --git a/bpf/process/bpf_killer.h b/bpf/process/bpf_enforcer.h similarity index 59% rename from bpf/process/bpf_killer.h rename to bpf/process/bpf_enforcer.h index c4d5380e34f..cf9b6f30a2d 100644 --- a/bpf/process/bpf_killer.h +++ b/bpf/process/bpf_enforcer.h 
@@ -1,13 +1,13 @@
 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
 /* Copyright Authors of Cilium */
-#ifndef __KILLER_H__
-#define __KILLER_H__
+#ifndef __ENFORCER_H__
+#define __ENFORCER_H__
 #include "vmlinux.h"
 #include "bpf_helpers.h"
-struct killer_data {
+struct enforcer_data {
 __s16 error;
 __s16 signal;
 };
@@ -16,25 +16,25 @@ struct {
 __uint(type, BPF_MAP_TYPE_HASH);
 __uint(max_entries, 32768);
 __type(key, __u64);
-__type(value, struct killer_data);
-} killer_data SEC(".maps");
+__type(value, struct enforcer_data);
+} enforcer_data SEC(".maps");
 static inline __attribute__((always_inline)) void
-do_killer_action(int error, int signal)
+do_enforcer_action(int error, int signal)
 {
 __u64 id = get_current_pid_tgid();
-struct killer_data *ptr, data = {
+struct enforcer_data *ptr, data = {
 .error = (__s16)error,
 .signal = (__s16)signal,
 };
-ptr = map_lookup_elem(&killer_data, &id);
+ptr = map_lookup_elem(&enforcer_data, &id);
 if (ptr) {
 ptr->error = (__s16)error;
 ptr->signal = (__s16)signal;
 } else {
-map_update_elem(&killer_data, &id, &data, BPF_ANY);
+map_update_elem(&enforcer_data, &id, &data, BPF_ANY);
 }
 }
-#endif /* __KILLER_H__ */
+#endif /* __ENFORCER_H__ */
diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
index 9934a4e67d7..e4fe4e1cf65 100644
--- a/bpf/process/types/basic.h
+++ b/bpf/process/types/basic.h
@@ -20,7 +20,7 @@
 #include "../string_maps.h"
 #include "common.h"
 #include "process/data_event.h"
-#include "process/bpf_killer.h"
+#include "process/bpf_enforcer.h"
 /* Type IDs form API with user space generickprobe.go */
 enum {
@@ -2218,12 +2218,12 @@ struct {
 #if defined GENERIC_TRACEPOINT || defined GENERIC_KPROBE
 static inline __attribute__((always_inline)) void
-do_action_notify_killer(int error, int signal)
+do_action_notify_enforcer(int error, int signal)
 {
-do_killer_action(error, signal);
+do_enforcer_action(error, signal);
 }
 #else
-#define do_action_notify_killer(error, signal)
+#define do_action_notify_enforcer(error, signal)
 #endif
 static inline __attribute__((always_inline)) __u32
@@ -2312,7 +2312,7 @@ do_action(void *ctx, __u32 i, struct msg_generic_kprobe *e,
 case ACTION_NOTIFY_KILLER:
 error = actions->act[++i];
 signal = actions->act[++i];
-do_action_notify_killer(error, signal);
+do_action_notify_enforcer(error, signal);
 break;
 default:
 break;
diff --git a/pkg/sensors/tracing/killer.go b/pkg/sensors/tracing/killer.go
index dd4ebcfcc0d..ee37b14f86a 100644
--- a/pkg/sensors/tracing/killer.go
+++ b/pkg/sensors/tracing/killer.go
@@ -22,7 +22,7 @@ import (
 )
 const (
-killerDataMapName = "killer_data"
+killerDataMapName = "enforcer_data"
 )
 type killerHandler struct {
@@ -143,15 +143,15 @@ func (kp *killerPolicy) LoadProbe(args sensors.LoadProbeArgs) error {
 if !ok {
 return fmt.Errorf("failed to get killer handler for '%s'", name)
 }
-if args.Load.Label == "kprobe.multi/killer" {
+if args.Load.Label == "kprobe.multi/enforcer" {
 return kp.loadMultiKillerSensor(kh, args.BPFDir, args.Load, args.Verbose)
 }
-if args.Load.Label == "kprobe/killer" {
+if args.Load.Label == "kprobe/enforcer" {
 return kp.loadSingleKillerSensor(kh, args.BPFDir, args.Load, args.Verbose)
 }
 if strings.HasPrefix(args.Load.Label, "fmod_ret/") {
-return program.LoadFmodRetProgram(args.BPFDir, args.Load, "fmodret_killer", args.Verbose)
+return program.LoadFmodRetProgram(args.BPFDir, args.Load, "fmodret_enforcer", args.Verbose)
 }
 return fmt.Errorf("killer loader: unknown label: %s", args.Load.Label)
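Review bot: The label strings LoadProbe compares against in this hunk, `"kprobe.multi/enforcer"` and `"kprobe/enforcer"`, are repeated as literals in the createKillerSensor hunks that follow (`label := "kprobe/enforcer"`, `label = "kprobe.multi/enforcer"`) and once more as the `MAIN` section names in bpf_enforcer.c, so a rename is exactly where one copy drifts and the loader silently falls through to the `unknown label` error. Declaring them once in the existing `const` block, e.g. `enforcerLabelSingle = "kprobe/enforcer"` and `enforcerLabelMulti = "kprobe.multi/enforcer"`, and using those names in both functions removes the duplication. The new `killerDataMapName = "enforcer_data"` value in the first hunk of this file is likewise bound to the `enforcer_data SEC(".maps")` symbol in bpf_enforcer.h; a comment `// must match the enforcer_data map in bpf/process/bpf_enforcer.h` on that constant would record the coupling. LoadProbe's body starts outside the hunk.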
@@ -282,11 +282,11 @@ func (kp *killerPolicy) createKillerSensor(
 case OverrideMethodReturn:
 useMulti := !specOpts.DisableKprobeMulti && !option.Config.DisableKprobeMulti && bpf.HasKprobeMulti()
 logger.GetLogger().Infof("killer: using override return (multi-kprobe: %t)", useMulti)
-label := "kprobe/killer"
-prog := "bpf_killer.o"
+label := "kprobe/enforcer"
+prog := "bpf_enforcer.o"
 if useMulti {
-label = "kprobe.multi/killer"
-prog = "bpf_multi_killer.o"
+label = "kprobe.multi/enforcer"
+prog = "bpf_multi_enforcer.o"
 }
 attach := fmt.Sprintf("%d syscalls: %s", len(kh.syscallsSyms), kh.syscallsSyms)
 load = program.Builder(
@@ -303,7 +303,7 @@ func (kp *killerPolicy) createKillerSensor(
 logger.GetLogger().Infof("killer: using fmod_ret")
 for _, syscallSym := range kh.syscallsSyms {
 load = program.Builder(
-path.Join(option.Config.HubbleLib, "bpf_fmodret_killer.o"),
+path.Join(option.Config.HubbleLib, "bpf_fmodret_enforcer.o"),
 syscallSym,
 "fmod_ret/security_task_prctl",
 pinPath,
From a459bf350952026a6a37ad2de6d19c0ed618f5ab Mon Sep 17 00:00:00 2001
From: Jiri Olsa
Date: Fri, 16 Feb 2024 09:58:37 +0000
Subject: [PATCH 4/7] tetragon: Rename killer spec to enforcer
Renaming killer spec to enforcer to have the spec changes separated.
Signed-off-by: Jiri Olsa --- examples/tracingpolicy/killer.yaml | 4 +- .../v1alpha1/cilium.io_tracingpolicies.yaml | 16 ++-- .../cilium.io_tracingpoliciesnamespaced.yaml | 16 ++-- .../v1alpha1/tracing_policy_types.go | 2 +- pkg/k8s/apis/cilium.io/v1alpha1/types.go | 6 +- pkg/k8s/apis/cilium.io/v1alpha1/version.go | 2 +- .../v1alpha1/zz_generated.deepcopy.go | 48 +++++------ pkg/selectors/kernel.go | 82 +++++++++---------- pkg/sensors/tracing/killer.go | 6 +- pkg/sensors/tracing/killer_builder.go | 8 +- pkg/sensors/tracing/killer_test.go | 16 ++-- .../v1alpha1/cilium.io_tracingpolicies.yaml | 16 ++-- .../cilium.io_tracingpoliciesnamespaced.yaml | 16 ++-- .../v1alpha1/tracing_policy_types.go | 2 +- .../pkg/k8s/apis/cilium.io/v1alpha1/types.go | 6 +- .../k8s/apis/cilium.io/v1alpha1/version.go | 2 +- .../v1alpha1/zz_generated.deepcopy.go | 48 +++++------ 17 files changed, 148 insertions(+), 148 deletions(-) diff --git a/examples/tracingpolicy/killer.yaml b/examples/tracingpolicy/killer.yaml index ea708abcdbb..94a38a603cc 100644 --- a/examples/tracingpolicy/killer.yaml +++ b/examples/tracingpolicy/killer.yaml @@ -10,7 +10,7 @@ spec: - "sys_dup" - "sys_dup2" - "__ia32_sys_dup" - killers: + enforcers: - calls: - "list:dups" tracepoints: @@ -30,6 +30,6 @@ spec: values: - "/usr/bin/bash" matchActions: - - action: "NotifyKiller" + - action: "NotifyEnforcer" argError: -1 argSig: 9 diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index 8f01c49a8a0..e1a961f362e 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml 
@@ -34,12 +34,12 @@ spec: spec: description: Tracing policy specification. properties: - killers: + enforcers: description: A killer spec. items: properties: calls: - description: Calls where killer is executed in + description: Calls where enforcer is executed in items: type: string type: array @@ -264,7 +264,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -572,7 +572,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -918,7 +918,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -1226,7 +1226,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -1473,7 +1473,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -1781,7 +1781,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 90b80052686..27d2b6f9fdd 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -34,12 +34,12 @@ spec: spec: description: Tracing policy specification. properties: - killers: + enforcers: description: A killer spec. items: properties: calls: - description: Calls where killer is executed in + description: Calls where enforcer is executed in items: type: string type: array 
@@ -264,7 +264,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -572,7 +572,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -918,7 +918,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -1226,7 +1226,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -1473,7 +1473,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -1781,7 +1781,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go b/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go index 935b68686d4..f8a45dc9c91 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go @@ -96,7 +96,7 @@ type TracingPolicySpec struct { // +kubebuilder:validation:Optional // A killer spec. - Killers []KillerSpec `json:"killers,omitempty"` + Enforcers []EnforcerSpec `json:"enforcers,omitempty"` // +kubebuilder:validation:Optional // A list of overloaded options diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 62125807c65..3b1b22a97cd 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go 
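Review bot: In the tracing_policy_types.go hunk the doc comment above the renamed field is left as `// A killer spec.` while the field becomes `Enforcers []EnforcerSpec`; the regenerated CRD schemas earlier in this patch carry that text through as `description: A killer spec.` under the new `enforcers:` property, so users see the old name in the very API they are being moved to. Change the comment to `// A list of enforcer specs.` and regenerate, and apply the same to the vendored copy of this file later in the patch. The `EnforcerSpec` type itself is fixed up correctly in the types.go hunk that follows.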
@@ -191,7 +191,7 @@ type ArgSelector struct {
 }
 type ActionSelector struct {
-// +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyKiller
+// +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyEnforcer
 // Action to execute.
 Action string `json:"action"`
 // +kubebuilder:validation:Optional
@@ -354,7 +354,7 @@ type PodInfoList struct {
 Items []PodInfo `json:"items"`
 }
-type KillerSpec struct {
-// Calls where killer is executed in
+type EnforcerSpec struct {
+// Calls where enforcer is executed in
 Calls []string `json:"calls"`
 }
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/pkg/k8s/apis/cilium.io/v1alpha1/version.go
index a530ed77ef6..c244cfd50a1 100644
--- a/pkg/k8s/apis/cilium.io/v1alpha1/version.go
+++ b/pkg/k8s/apis/cilium.io/v1alpha1/version.go
@@ -7,4 +7,4 @@ package v1alpha1
 // Used to determine if CRD needs to be updated in cluster
 //
 // Developers: Bump patch for each change in the CRD schema.
-const CustomResourceDefinitionSchemaVersion = "1.1.5"
+const CustomResourceDefinitionSchemaVersion = "1.1.6"
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
index ee75b704aae..78e6da551f3 100644
--- a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
@@ -92,6 +92,27 @@ func (in *CapabilitiesSelector) DeepCopy() *CapabilitiesSelector { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EnforcerSpec) DeepCopyInto(out *EnforcerSpec) { + *out = *in + if in.Calls != nil { + in, out := &in.Calls, &out.Calls + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnforcerSpec. +func (in *EnforcerSpec) DeepCopy() *EnforcerSpec { + if in == nil { + return nil + } + out := new(EnforcerSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KProbeArg) DeepCopyInto(out *KProbeArg) { *out = *in @@ -223,27 +244,6 @@ func (in *KProbeSpec) DeepCopy() *KProbeSpec { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *KillerSpec) DeepCopyInto(out *KillerSpec) { - *out = *in - if in.Calls != nil { - in, out := &in.Calls, &out.Calls - *out = make([]string, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KillerSpec. -func (in *KillerSpec) DeepCopy() *KillerSpec { - if in == nil { - return nil - } - out := new(KillerSpec) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ListSpec) DeepCopyInto(out *ListSpec) { *out = *in 
@@ -649,9 +649,9 @@ func (in *TracingPolicySpec) DeepCopyInto(out *TracingPolicySpec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.Killers != nil { - in, out := &in.Killers, &out.Killers - *out = make([]KillerSpec, len(*in)) + if in.Enforcers != nil { + in, out := &in.Enforcers, &out.Enforcers + *out = make([]EnforcerSpec, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go index b6dc8da5e19..296603c69bb 100644 --- a/pkg/selectors/kernel.go +++ b/pkg/selectors/kernel.go 
@@ -20,52 +20,52 @@ import (
 )
 const (
-ActionTypeInvalid = -1
-ActionTypePost = 0
-ActionTypeFollowFd = 1
-ActionTypeSigKill = 2
-ActionTypeUnfollowFd = 3
-ActionTypeOverride = 4
-ActionTypeCopyFd = 5
-ActionTypeGetUrl = 6
-ActionTypeDnsLookup = 7
-ActionTypeNoPost = 8
-ActionTypeSignal = 9
-ActionTypeTrackSock = 10
-ActionTypeUntrackSock = 11
-ActionTypeNotifyKiller = 12
+ActionTypeInvalid = -1
+ActionTypePost = 0
+ActionTypeFollowFd = 1
+ActionTypeSigKill = 2
+ActionTypeUnfollowFd = 3
+ActionTypeOverride = 4
+ActionTypeCopyFd = 5
+ActionTypeGetUrl = 6
+ActionTypeDnsLookup = 7
+ActionTypeNoPost = 8
+ActionTypeSignal = 9
+ActionTypeTrackSock = 10
+ActionTypeUntrackSock = 11
+ActionTypeNotifyEnforcer = 12
 )
 var actionTypeTable = map[string]uint32{
-"post": ActionTypePost,
-"followfd": ActionTypeFollowFd,
-"unfollowfd": ActionTypeUnfollowFd,
-"sigkill": ActionTypeSigKill,
-"override": ActionTypeOverride,
-"copyfd": ActionTypeCopyFd,
-"geturl": ActionTypeGetUrl,
-"dnslookup": ActionTypeDnsLookup,
-"nopost": ActionTypeNoPost,
-"signal": ActionTypeSignal,
-"tracksock": ActionTypeTrackSock,
-"untracksock": ActionTypeUntrackSock,
-"notifykiller": ActionTypeNotifyKiller,
+"post": ActionTypePost,
+"followfd": ActionTypeFollowFd,
+"unfollowfd": ActionTypeUnfollowFd,
+"sigkill": ActionTypeSigKill,
+"override": ActionTypeOverride,
+"copyfd": ActionTypeCopyFd,
+"geturl": ActionTypeGetUrl,
+"dnslookup": ActionTypeDnsLookup,
+"nopost": ActionTypeNoPost,
+"signal": ActionTypeSignal,
+"tracksock": ActionTypeTrackSock,
+"untracksock": ActionTypeUntrackSock,
+"notifyenforcer": ActionTypeNotifyEnforcer,
 }
 var actionTypeStringTable = map[uint32]string{
-ActionTypePost: "post",
-ActionTypeFollowFd: "followfd",
-ActionTypeUnfollowFd: "unfollowfd",
-ActionTypeSigKill: "sigkill",
-ActionTypeOverride: "override",
-ActionTypeCopyFd: "copyfd",
-ActionTypeGetUrl: "geturl",
-ActionTypeDnsLookup: "dnslookup",
-ActionTypeNoPost: "nopost",
-ActionTypeSignal: "signal",
-ActionTypeTrackSock: "tracksock",
-ActionTypeUntrackSock: "untracksock",
-ActionTypeNotifyKiller: "notifykiller",
+ActionTypePost: "post",
+ActionTypeFollowFd: "followfd",
+ActionTypeUnfollowFd: "unfollowfd",
+ActionTypeSigKill: "sigkill",
+ActionTypeOverride: "override",
+ActionTypeCopyFd: "copyfd",
+ActionTypeGetUrl: "geturl",
+ActionTypeDnsLookup: "dnslookup",
+ActionTypeNoPost: "nopost",
+ActionTypeSignal: "signal",
+ActionTypeTrackSock: "tracksock",
+ActionTypeUntrackSock: "untracksock",
+ActionTypeNotifyEnforcer: "notifyenforcer",
 }
 const (
@@ -1026,7 +1026,7 @@ func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, a
 case ActionTypeSigKill:
 // no arguments
 // NB: we should deprecate this action and just use ActionTypeSignal with SIGKILL
-case ActionTypeNotifyKiller:
+case ActionTypeNotifyEnforcer:
 WriteSelectorInt32(&k.data, action.ArgError)
 WriteSelectorUint32(&k.data, action.ArgSig)
 default:
diff --git a/pkg/sensors/tracing/killer.go b/pkg/sensors/tracing/killer.go
index ee37b14f86a..13e9ffa53e8 100644
--- a/pkg/sensors/tracing/killer.go
+++ b/pkg/sensors/tracing/killer.go
@@ -95,9 +95,9 @@ func (kp *killerPolicy) PolicyHandler(
 return nil, err
 }
 }
-if len(spec.Killers) > 0 {
+if len(spec.Enforcers) > 0 {
 name := fmt.Sprintf("killer-sensor-%d", atomic.AddUint64(&sensorCounter, 1))
-return kp.createKillerSensor(spec.Killers, spec.Lists, spec.Options, name, policy.TpName())
+return kp.createKillerSensor(spec.Enforcers, spec.Lists, spec.Options, name, policy.TpName())
 }
 return nil, nil
@@ -183,7 +183,7 @@ func selectOverrideMethod(overrideMethod OverrideMethod, hasSyscall bool) (Overr
 }
 func (kp *killerPolicy) createKillerSensor(
-killers []v1alpha1.KillerSpec,
+killers []v1alpha1.EnforcerSpec,
 lists []v1alpha1.ListSpec,
 opts []v1alpha1.OptionSpec,
 name string,
diff --git a/pkg/sensors/tracing/killer_builder.go b/pkg/sensors/tracing/killer_builder.go index d95b85db83c..8d0fef0b10c 100644 --- a/pkg/sensors/tracing/killer_builder.go +++ b/pkg/sensors/tracing/killer_builder.go @@ -103,7 +103,7 @@ func (ksb *KillerSpecBuilder) Build() (*v1alpha1.TracingPolicy, error) { var listNames []string var lists []v1alpha1.ListSpec - var killers []v1alpha1.KillerSpec + var killers []v1alpha1.EnforcerSpec var matchBinaries []v1alpha1.BinarySelector var options []v1alpha1.OptionSpec @@ -123,7 +123,7 @@ func (ksb *KillerSpecBuilder) Build() (*v1alpha1.TracingPolicy, error) { Pattern: nil, Validated: false, }) - killers = append(killers, v1alpha1.KillerSpec{ + killers = append(killers, v1alpha1.EnforcerSpec{ Calls: []string{listName}, }) } @@ -192,8 +192,8 @@ func (ksb *KillerSpecBuilder) Build() (*v1alpha1.TracingPolicy, error) { MatchBinaries: matchBinaries, }}, }}, - Killers: killers, - Options: options, + Enforcers: killers, + Options: options, }, }, nil } diff --git a/pkg/sensors/tracing/killer_test.go b/pkg/sensors/tracing/killer_test.go index 3a7bedebb5e..dd9ebb554ab 100644 --- a/pkg/sensors/tracing/killer_test.go +++ b/pkg/sensors/tracing/killer_test.go @@ -252,7 +252,7 @@ func testSecurity(t *testing.T, tracingPolicy, tempFile string) { // - attaches probe to pwrite // - attaches killer to security_file_permission // - executes SigKill action for attempted pwrite to specific file -// - executes NotifyKiller action to instruct killer to override the +// - executes NotifyEnforcer action to instruct killer to override the // security_file_permission return value with -1 // - tests that no data got written to the monitored file @@ -324,7 +324,7 @@ spec: - "` + tempFile + `" matchActions: - action: Sigkill - - action: "NotifyKiller" + - action: "NotifyEnforcer" argError: -1 ` 
@@ -333,17 +333,17 @@ spec:
 // Testing the ability to kill the process before it executes the syscall,
 // in similar way as in TestKillerSecuritySigKill test.
-// The only difference is we use the NotifyKiller to send the signal instead
+// The only difference is we use the NotifyEnforcer to send the signal instead
 // of using SigKill action.
 //
 // The testing spec below:
 // - attaches probe to pwrite
 // - attaches killer to security_file_permission
-// - executes NotifyKiller to instruct killer to send sigkill to current process
+// - executes NotifyEnforcer to instruct killer to send sigkill to current process
 // and override the security_file_permission return value with -1
 // - tests that no data got written to the monitored file
-func TestKillerSecurityNotifyKiller(t *testing.T) {
+func TestKillerSecurityNotifyEnforcer(t *testing.T) {
 if !bpf.HasSignalHelper() {
 t.Skip("skipping killer test, bpf_send_signal helper not available")
 }
@@ -410,7 +410,7 @@ spec:
 values:
 - "` + tempFile + `"
 matchActions:
-- action: "NotifyKiller"
+- action: "NotifyEnforcer"
 argError: -1
 argSig: 9
 `
@@ -477,7 +477,7 @@ spec:
 values:
 - "` + testBin + `"
 matchActions:
-- action: "NotifyKiller"
+- action: "NotifyEnforcer"
 argError: -1
 argSig: 9
 `
@@ -519,7 +519,7 @@ spec:
 values:
 - "` + testBin + `"
 matchActions:
-- action: "NotifyKiller"
+- action: "NotifyEnforcer"
 argError: -1
 argSig: 9
 `
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
index 8f01c49a8a0..e1a961f362e 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
@@ -34,12 +34,12 @@ spec: spec: description: Tracing policy specification. properties: - killers: + enforcers: description: A killer spec. items: properties: calls: - description: Calls where killer is executed in + description: Calls where enforcer is executed in items: type: string type: array @@ -264,7 +264,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -572,7 +572,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -918,7 +918,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -1226,7 +1226,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -1473,7 +1473,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -1781,7 +1781,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 90b80052686..27d2b6f9fdd 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml 
@@ -34,12 +34,12 @@ spec: spec: description: Tracing policy specification. properties: - killers: + enforcers: description: A killer spec. items: properties: calls: - description: Calls where killer is executed in + description: Calls where enforcer is executed in items: type: string type: array @@ -264,7 +264,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -572,7 +572,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -918,7 +918,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -1226,7 +1226,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -1473,7 +1473,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action @@ -1781,7 +1781,7 @@ spec: - Signal - TrackSock - UntrackSock - - NotifyKiller + - NotifyEnforcer type: string argError: description: error value for override action diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go index 935b68686d4..f8a45dc9c91 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/tracing_policy_types.go @@ -96,7 +96,7 @@ type TracingPolicySpec struct { // +kubebuilder:validation:Optional // A killer spec. - Killers []KillerSpec `json:"killers,omitempty"` + Enforcers []EnforcerSpec `json:"enforcers,omitempty"` // +kubebuilder:validation:Optional // A list of overloaded options 
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 62125807c65..3b1b22a97cd 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -191,7 +191,7 @@ type ArgSelector struct { } type ActionSelector struct { - // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyKiller + // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyEnforcer // Action to execute. Action string `json:"action"` // +kubebuilder:validation:Optional @@ -354,7 +354,7 @@ type PodInfoList struct { Items []PodInfo `json:"items"` } -type KillerSpec struct { - // Calls where killer is executed in +type EnforcerSpec struct { + // Calls where enforcer is executed in Calls []string `json:"calls"` } diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go index a530ed77ef6..c244cfd50a1 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go @@ -7,4 +7,4 @@ package v1alpha1 // Used to determine if CRD needs to be updated in cluster // // Developers: Bump patch for each change in the CRD schema. -const CustomResourceDefinitionSchemaVersion = "1.1.5" +const CustomResourceDefinitionSchemaVersion = "1.1.6" diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go index ee75b704aae..78e6da551f3 100644 
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go @@ -92,6 +92,27 @@ func (in *CapabilitiesSelector) DeepCopy() *CapabilitiesSelector { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EnforcerSpec) DeepCopyInto(out *EnforcerSpec) { + *out = *in + if in.Calls != nil { + in, out := &in.Calls, &out.Calls + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnforcerSpec. +func (in *EnforcerSpec) DeepCopy() *EnforcerSpec { + if in == nil { + return nil + } + out := new(EnforcerSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KProbeArg) DeepCopyInto(out *KProbeArg) { *out = *in @@ -223,27 +244,6 @@ func (in *KProbeSpec) DeepCopy() *KProbeSpec { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *KillerSpec) DeepCopyInto(out *KillerSpec) { - *out = *in - if in.Calls != nil { - in, out := &in.Calls, &out.Calls - *out = make([]string, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KillerSpec. -func (in *KillerSpec) DeepCopy() *KillerSpec { - if in == nil { - return nil - } - out := new(KillerSpec) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ListSpec) DeepCopyInto(out *ListSpec) { *out = *in 
@@ -649,9 +649,9 @@ func (in *TracingPolicySpec) DeepCopyInto(out *TracingPolicySpec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.Killers != nil { - in, out := &in.Killers, &out.Killers - *out = make([]KillerSpec, len(*in)) + if in.Enforcers != nil { + in, out := &in.Enforcers, &out.Enforcers + *out = make([]EnforcerSpec, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } From 9b3341d823bcbbbfc9e6b4547647bf026f6203eb Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Fri, 16 Feb 2024 13:09:04 +0000 Subject: [PATCH 5/7] tetragon: Rename killer go code to enforcer Renaming killer go code to enforcer. Signed-off-by: Jiri Olsa --- pkg/sensors/tracing/generickprobe.go | 8 +- pkg/sensors/tracing/generictracepoint.go | 4 +- pkg/sensors/tracing/killer.go | 132 +++++++++++------------ pkg/sensors/tracing/killer_amd64_test.go | 32 +++--- pkg/sensors/tracing/killer_builder.go | 40 +++---- pkg/sensors/tracing/killer_test.go | 102 +++++++++--------- 6 files changed, 159 insertions(+), 159 deletions(-) diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go index f9fea967d1e..490441aaac8 100644 --- a/pkg/sensors/tracing/generickprobe.go +++ b/pkg/sensors/tracing/generickprobe.go @@ -318,8 +318,8 @@ func createMultiKprobeSensor(sensorPath, policyName string, multiIDs []idtable.E maps = append(maps, socktrack) } - killerDataMap := killerMap(policyName, load) - maps = append(maps, killerDataMap) + enforcerDataMap := enforcerMap(policyName, load) + maps = append(maps, enforcerDataMap) filterMap.SetMaxEntries(len(multiIDs)) configMap.SetMaxEntries(len(multiIDs)) 
@@ -868,8 +868,8 @@ func createKprobeSensorFromEntry(kprobeEntry *genericKprobe, sensorPath string,
 maps = append(maps, socktrack)
 }
-killerDataMap := killerMap(kprobeEntry.policyName, load)
-maps = append(maps, killerDataMap)
+enforcerDataMap := enforcerMap(kprobeEntry.policyName, load)
+maps = append(maps, enforcerDataMap)
 if kprobeEntry.loadArgs.retprobe {
 pinRetProg := sensors.PathJoin(pinPath, fmt.Sprintf("%s_ret_prog", kprobeEntry.funcName))
diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go
index 3a096b9776e..2b3293653b2 100644
--- a/pkg/sensors/tracing/generictracepoint.go
+++ b/pkg/sensors/tracing/generictracepoint.go
@@ -472,8 +472,8 @@ func createGenericTracepointSensor(
 }
 maps = append(maps, matchBinariesPaths)
-killerDataMap := killerMap(policyName, prog0)
-maps = append(maps, killerDataMap)
+enforcerDataMap := enforcerMap(policyName, prog0)
+maps = append(maps, enforcerDataMap)
 selMatchBinariesMap := program.MapBuilderPin("tg_mb_sel_opts", sensors.PathJoin(pinPath, "tg_mb_sel_opts"), prog0)
 maps = append(maps, selMatchBinariesMap)
diff --git a/pkg/sensors/tracing/killer.go b/pkg/sensors/tracing/killer.go
index 13e9ffa53e8..3abbf132158 100644
--- a/pkg/sensors/tracing/killer.go
+++ b/pkg/sensors/tracing/killer.go
@@ -22,67 +22,67 @@ import ( ) const ( - killerDataMapName = "enforcer_data" + enforcerDataMapName = "enforcer_data" ) -type killerHandler struct { +type enforcerHandler struct { syscallsSyms []string } -type killerPolicy struct { - mu sync.Mutex - killers map[string]*killerHandler +type enforcerPolicy struct { + mu sync.Mutex + enforcers map[string]*enforcerHandler } -func newKillerPolicy() *killerPolicy { - return &killerPolicy{ - killers: map[string]*killerHandler{}, +func newEnforcerPolicy() *enforcerPolicy { + return &enforcerPolicy{ + enforcers: map[string]*enforcerHandler{}, } } var ( - // global killer policy - gKillerPolicy = newKillerPolicy() + // global enforcer policy + gEnforcerPolicy = newEnforcerPolicy() ) func init() { - sensors.RegisterProbeType("killer", gKillerPolicy) - sensors.RegisterPolicyHandlerAtInit("killer", gKillerPolicy) + sensors.RegisterProbeType("enforcer", gEnforcerPolicy) + sensors.RegisterPolicyHandlerAtInit("enforcer", gEnforcerPolicy) } -func killerMap(policyName string, load *program.Program) *program.Map { - return program.MapBuilderPin(killerDataMapName, - fmt.Sprintf("%s_%s", killerDataMapName, policyName), load) +func enforcerMap(policyName string, load *program.Program) *program.Map { + return program.MapBuilderPin(enforcerDataMapName, + fmt.Sprintf("%s_%s", enforcerDataMapName, policyName), load) } -func (kp *killerPolicy) killerGet(name string) (*killerHandler, bool) { +func (kp *enforcerPolicy) enforcerGet(name string) (*enforcerHandler, bool) { kp.mu.Lock() defer kp.mu.Unlock() - kh, ok := kp.killers[name] + kh, ok := kp.enforcers[name] return kh, ok } -func (kp *killerPolicy) killerAdd(name string, kh *killerHandler) bool { +func (kp *enforcerPolicy) enforcerAdd(name string, kh *enforcerHandler) bool { kp.mu.Lock() defer kp.mu.Unlock() - if _, ok := kp.killers[name]; ok { + if _, ok := kp.enforcers[name]; ok { return false } - kp.killers[name] = kh + kp.enforcers[name] = kh return true } -func (kp *killerPolicy) 
killerDel(name string) bool { +func (kp *enforcerPolicy) enforcerDel(name string) bool { kp.mu.Lock() defer kp.mu.Unlock() - if _, ok := kp.killers[name]; !ok { + if _, ok := kp.enforcers[name]; !ok { return false } - delete(kp.killers, name) + delete(kp.enforcers, name) return true } -func (kp *killerPolicy) PolicyHandler( +func (kp *enforcerPolicy) PolicyHandler( policy tracingpolicy.TracingPolicy, _ policyfilter.PolicyID, ) (*sensors.Sensor, error) { @@ -96,27 +96,27 @@ func (kp *killerPolicy) PolicyHandler( } } if len(spec.Enforcers) > 0 { - name := fmt.Sprintf("killer-sensor-%d", atomic.AddUint64(&sensorCounter, 1)) - return kp.createKillerSensor(spec.Enforcers, spec.Lists, spec.Options, name, policy.TpName()) + name := fmt.Sprintf("enforcer-sensor-%d", atomic.AddUint64(&sensorCounter, 1)) + return kp.createEnforcerSensor(spec.Enforcers, spec.Lists, spec.Options, name, policy.TpName()) } return nil, nil } -func (kp *killerPolicy) loadSingleKillerSensor( - kh *killerHandler, +func (kp *enforcerPolicy) loadSingleEnforcerSensor( + kh *enforcerHandler, bpfDir string, load *program.Program, verbose int, ) error { if err := program.LoadKprobeProgramAttachMany(bpfDir, load, kh.syscallsSyms, verbose); err == nil { - logger.GetLogger().Infof("Loaded killer sensor: %s", load.Attach) + logger.GetLogger().Infof("Loaded enforcer sensor: %s", load.Attach) } else { return err } return nil } -func (kp *killerPolicy) loadMultiKillerSensor( - kh *killerHandler, +func (kp *enforcerPolicy) loadMultiEnforcerSensor( + kh *enforcerHandler, bpfDir string, load *program.Program, verbose int, ) error { data := &program.MultiKprobeAttachData{} 
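Review bot: enforcerMap derives the bpffs pin name straight from the caller-supplied policy name (`fmt.Sprintf("%s_%s", enforcerDataMapName, policyName)`) with no validation visible in this hunk, and MapBuilderPin returns only a `*program.Map`, so there is no error path if the name is unsuitable. If a policy name can reach here containing `/` or `..` (for example a policy loaded from a file rather than from a Kubernetes object, which I cannot confirm from this diff), the pinned map would land outside the intended sensor directory, and two policies whose names differ only in such characters could collide on the same pin. If names are already restricted before PolicyHandler runs, a one-line comment on enforcerMap would settle it: `// policyName is used verbatim as a bpffs pin component; callers must have validated it.` Otherwise a guard at the start of PolicyHandler, `if strings.ContainsAny(policyName, "/") { return nil, fmt.Errorf("enforcer: policy name %q contains a path separator", policyName) }`, would close it; PolicyHandler's body continues in the next hunk.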
@@ -129,32 +129,32 @@ func (kp *killerPolicy) loadMultiKillerSensor( return err } - logger.GetLogger().Infof("Loaded killer sensor: %s", load.Attach) + logger.GetLogger().Infof("Loaded enforcer sensor: %s", load.Attach) return nil } -func (kp *killerPolicy) LoadProbe(args sensors.LoadProbeArgs) error { +func (kp *enforcerPolicy) LoadProbe(args sensors.LoadProbeArgs) error { name, ok := args.Load.LoaderData.(string) if !ok { return fmt.Errorf("invalid loadData type: expecting string and got: %T (%v)", args.Load.LoaderData, args.Load.LoaderData) } - kh, ok := kp.killerGet(name) + kh, ok := kp.enforcerGet(name) if !ok { - return fmt.Errorf("failed to get killer handler for '%s'", name) + return fmt.Errorf("failed to get enforcer handler for '%s'", name) } if args.Load.Label == "kprobe.multi/enforcer" { - return kp.loadMultiKillerSensor(kh, args.BPFDir, args.Load, args.Verbose) + return kp.loadMultiEnforcerSensor(kh, args.BPFDir, args.Load, args.Verbose) } if args.Load.Label == "kprobe/enforcer" { - return kp.loadSingleKillerSensor(kh, args.BPFDir, args.Load, args.Verbose) + return kp.loadSingleEnforcerSensor(kh, args.BPFDir, args.Load, args.Verbose) } if strings.HasPrefix(args.Load.Label, "fmod_ret/") { return program.LoadFmodRetProgram(args.BPFDir, args.Load, "fmodret_enforcer", args.Verbose) } - return fmt.Errorf("killer loader: unknown label: %s", args.Load.Label) + return fmt.Errorf("enforcer loader: unknown label: %s", args.Load.Label) } // select proper override method based on configuration and spec options @@ -167,7 +167,7 @@ func selectOverrideMethod(overrideMethod OverrideMethod, hasSyscall bool) (Overr } else if bpf.HasModifyReturnSyscall() { overrideMethod = OverrideMethodFmodRet } else { - return OverrideMethodInvalid, fmt.Errorf("no override helper or mod_ret support: cannot load killer") + return OverrideMethodInvalid, fmt.Errorf("no override helper or mod_ret support: cannot load enforcer") } case OverrideMethodReturn: if !bpf.HasOverrideHelper() { 
@@ -182,30 +182,30 @@ func selectOverrideMethod(overrideMethod OverrideMethod, hasSyscall bool) (Overr return overrideMethod, nil } -func (kp *killerPolicy) createKillerSensor( - killers []v1alpha1.EnforcerSpec, +func (kp *enforcerPolicy) createEnforcerSensor( + enforcers []v1alpha1.EnforcerSpec, lists []v1alpha1.ListSpec, opts []v1alpha1.OptionSpec, name string, policyName string, ) (*sensors.Sensor, error) { - if len(killers) > 1 { - return nil, fmt.Errorf("failed: we support only single killer sensor") + if len(enforcers) > 1 { + return nil, fmt.Errorf("failed: we support only single enforcer sensor") } - killer := killers[0] + enforcer := enforcers[0] var ( hasSyscall bool hasSecurity bool ) - kh := &killerHandler{} + kh := &enforcerHandler{} // get all the syscalls - for idx := range killer.Calls { - sym := killer.Calls[idx] + for idx := range enforcer.Calls { + sym := enforcer.Calls[idx] if strings.HasPrefix(sym, "list:") { listName := sym[len("list:"):] @@ -230,7 +230,7 @@ func (kp *killerPolicy) createKillerSensor( isSecurity := strings.HasPrefix(sym, "security_") if !isSyscall && !isSecurity && !isPrefix { - return nil, fmt.Errorf("killer sensor requires either syscall or security_ functions") + return nil, fmt.Errorf("enforcer sensor requires either syscall or security_ functions") } if isSyscall { @@ -245,7 +245,7 @@ func (kp *killerPolicy) createKillerSensor( hasSecurity = hasSecurity || isSecurity } - // register killer sensor + // register enforcer sensor var load *program.Program var progs []*program.Program var maps []*program.Map @@ -255,7 +255,7 @@ func (kp *killerPolicy) createKillerSensor( } if !bpf.HasSignalHelper() { - return nil, fmt.Errorf("killer sensor requires signal helper which is not available") + return nil, fmt.Errorf("enforcer sensor requires signal helper which is not available") } // select proper override method based on configuration and spec options 
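Review bot: createEnforcerSensor rejects `len(enforcers) > 1` and then indexes `enforcers[0]` without handling an empty slice, so the function relies on the `len(spec.Enforcers) > 0` guard in PolicyHandler rather than on its own contract. A single change makes it self-contained and gives a better message than "failed: we support only single enforcer sensor": `if len(enforcers) != 1 { return nil, fmt.Errorf("enforcer sensor requires exactly one enforcer spec, got %d", len(enforcers)) }`. The function's body runs on into the following hunks, so the remaining validation of calls is not visible here.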
@@ -266,10 +266,10 @@ func (kp *killerPolicy) createKillerSensor( if hasSecurity && overrideMethod != OverrideMethodFmodRet { // fail if override-return is directly requested if overrideMethod == OverrideMethodReturn { - return nil, fmt.Errorf("killer: can't override security function with override-return") + return nil, fmt.Errorf("enforcer: can't override security function with override-return") } overrideMethod = OverrideMethodFmodRet - logger.GetLogger().Infof("killer: forcing fmod_ret (security_* call detected)") + logger.GetLogger().Infof("enforcer: forcing fmod_ret (security_* call detected)") } overrideMethod, err = selectOverrideMethod(overrideMethod, hasSyscall) @@ -277,11 +277,11 @@ func (kp *killerPolicy) createKillerSensor( return nil, err } - pinPath := sensors.PathJoin(name, "killer_kprobe") + pinPath := sensors.PathJoin(name, "enforcer_kprobe") switch overrideMethod { case OverrideMethodReturn: useMulti := !specOpts.DisableKprobeMulti && !option.Config.DisableKprobeMulti && bpf.HasKprobeMulti() - logger.GetLogger().Infof("killer: using override return (multi-kprobe: %t)", useMulti) + logger.GetLogger().Infof("enforcer: using override return (multi-kprobe: %t)", useMulti) label := "kprobe/enforcer" prog := "bpf_enforcer.o" if useMulti { @@ -294,20 +294,20 @@ func (kp *killerPolicy) createKillerSensor( attach, label, pinPath, - "killer"). + "enforcer"). SetLoaderData(name) progs = append(progs, load) case OverrideMethodFmodRet: // for fmod_ret, we need one program per syscall - logger.GetLogger().Infof("killer: using fmod_ret") + logger.GetLogger().Infof("enforcer: using fmod_ret") for _, syscallSym := range kh.syscallsSyms { load = program.Builder( path.Join(option.Config.HubbleLib, "bpf_fmodret_enforcer.o"), syscallSym, "fmod_ret/security_task_prctl", pinPath, - "killer"). + "enforcer"). SetLoaderData(name) progs = append(progs, load) } 
@@ -315,24 +315,24 @@ func (kp *killerPolicy) createKillerSensor( return nil, fmt.Errorf("unexpected override method: %d", overrideMethod) } - killerDataMap := killerMap(policyName, load) - maps = append(maps, killerDataMap) + enforcerDataMap := enforcerMap(policyName, load) + maps = append(maps, enforcerDataMap) - if ok := kp.killerAdd(name, kh); !ok { - return nil, fmt.Errorf("failed to add killer: '%s'", name) + if ok := kp.enforcerAdd(name, kh); !ok { + return nil, fmt.Errorf("failed to add enforcer: '%s'", name) } - logger.GetLogger().Infof("Added killer sensor '%s'", name) + logger.GetLogger().Infof("Added enforcer sensor '%s'", name) return &sensors.Sensor{ - Name: "__killer__", + Name: "__enforcer__", Progs: progs, Maps: maps, PostUnloadHook: func() error { - if ok := kp.killerDel(name); !ok { - logger.GetLogger().Infof("Failed to clean up killer sensor '%s'", name) + if ok := kp.enforcerDel(name); !ok { + logger.GetLogger().Infof("Failed to clean up enforcer sensor '%s'", name) } else { - logger.GetLogger().Infof("Cleaned up killer sensor '%s'", name) + logger.GetLogger().Infof("Cleaned up enforcer sensor '%s'", name) } return nil }, diff --git a/pkg/sensors/tracing/killer_amd64_test.go b/pkg/sensors/tracing/killer_amd64_test.go index 87cee5cde2f..1633b3c6001 100644 --- a/pkg/sensors/tracing/killer_amd64_test.go +++ b/pkg/sensors/tracing/killer_amd64_test.go @@ -18,11 +18,11 @@ import ( lc "github.com/cilium/tetragon/pkg/matchers/listmatcher" ) -func TestKillerOverride32(t *testing.T) { - testKillerCheckSkip(t) +func TestEnforcerOverride32(t *testing.T) { + testEnforcerCheckSkip(t) - test := testutils.RepoRootPath("contrib/tester-progs/killer-tester-32") - yaml := NewKillerSpecBuilder("killer-override"). + test := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester-32") + yaml := NewEnforcerSpecBuilder("enforcer-override"). WithSyscallList("__ia32_sys_prctl"). WithMatchBinaries(test). WithOverrideValue(-17). // EEXIST 
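Review bot: PostUnloadHook logs a failed enforcerDel at Info level and returns nil, so an enforcerHandler that was not removed from gEnforcerPolicy.enforcers on unload is invisible to anyone not reading info logs, and the sensor unload still reports success. Since the name is a process-unique counter value, a miss here most likely means the handler was never registered or was removed twice, which is worth surfacing: `logger.GetLogger().Warnf("Failed to clean up enforcer sensor '%s'", name)` at minimum, or `return fmt.Errorf("enforcer sensor %q not registered at unload", name)` if the unload path tolerates a hook error (not visible in this diff). The sensor name `"__enforcer__"` is also a bare string that any external lookup for the old `"__killer__"` would now miss; if such a lookup exists outside these hunks it should be renamed in the same series.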
@@ -44,14 +44,14 @@ func TestKillerOverride32(t *testing.T) { } } - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) } -func TestKillerSignal32(t *testing.T) { - testKillerCheckSkip(t) +func TestEnforcerSignal32(t *testing.T) { + testEnforcerCheckSkip(t) - test := testutils.RepoRootPath("contrib/tester-progs/killer-tester-32") - yaml := NewKillerSpecBuilder("killer-signal"). + test := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester-32") + yaml := NewEnforcerSpecBuilder("enforcer-signal"). WithSyscallList("__ia32_sys_prctl"). WithMatchBinaries(test). WithOverrideValue(-17). // EEXIST @@ -74,16 +74,16 @@ func TestKillerSignal32(t *testing.T) { } } - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) } -func TestKillerOverrideBothBits(t *testing.T) { - testKillerCheckSkip(t) +func TestEnforcerOverrideBothBits(t *testing.T) { + testEnforcerCheckSkip(t) - test32 := testutils.RepoRootPath("contrib/tester-progs/killer-tester-32") - test64 := testutils.RepoRootPath("contrib/tester-progs/killer-tester") + test32 := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester-32") + test64 := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester") - yaml := NewKillerSpecBuilder("killer-override"). + yaml := NewEnforcerSpecBuilder("enforcer-override"). WithSyscallList("__ia32_sys_prctl", "sys_prctl"). WithMatchBinaries(test32, test64). WithOverrideValue(-17). // EEXIST @@ -113,5 +113,5 @@ func TestKillerOverrideBothBits(t *testing.T) { } } - testKiller(t, yaml, test64, test32, checker, checkerFunc) + testEnforcer(t, yaml, test64, test32, checker, checkerFunc) } diff --git a/pkg/sensors/tracing/killer_builder.go b/pkg/sensors/tracing/killer_builder.go index 8d0fef0b10c..c01c05363b1 100644 --- a/pkg/sensors/tracing/killer_builder.go +++ b/pkg/sensors/tracing/killer_builder.go 
@@ -14,7 +14,7 @@ import ( "github.com/cilium/tetragon/pkg/option" ) -type KillerSpecBuilder struct { +type EnforcerSpecBuilder struct { name string syscalls [][]string kill *uint32 
@@ -24,61 +24,61 @@ type KillerSpecBuilder struct { multiKprobe *bool } -func NewKillerSpecBuilder(name string) *KillerSpecBuilder { - return &KillerSpecBuilder{ +func NewEnforcerSpecBuilder(name string) *EnforcerSpecBuilder { + return &EnforcerSpecBuilder{ name: name, } } -func (ksb *KillerSpecBuilder) WithSyscallList(calls ...string) *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithSyscallList(calls ...string) *EnforcerSpecBuilder { ksb.syscalls = append(ksb.syscalls, calls) return ksb } -func (ksb *KillerSpecBuilder) WithKill(sig uint32) *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithKill(sig uint32) *EnforcerSpecBuilder { ksb.kill = &sig return ksb } -func (ksb *KillerSpecBuilder) WithMultiKprobe() *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithMultiKprobe() *EnforcerSpecBuilder { multi := true ksb.multiKprobe = &multi return ksb } -func (ksb *KillerSpecBuilder) WithoutMultiKprobe() *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithoutMultiKprobe() *EnforcerSpecBuilder { multi := false ksb.multiKprobe = &multi return ksb } -func (ksb *KillerSpecBuilder) WithOverrideValue(ret int32) *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithOverrideValue(ret int32) *EnforcerSpecBuilder { ksb.override = &ret return ksb } -func (ksb *KillerSpecBuilder) WithMatchBinaries(bins ...string) *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithMatchBinaries(bins ...string) *EnforcerSpecBuilder { ksb.binaries = append(ksb.binaries, bins...) 
return ksb } -func (ksb *KillerSpecBuilder) WithOverrideReturn() *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithOverrideReturn() *EnforcerSpecBuilder { ksb.overrideMethod = valOverrideReturn return ksb } -func (ksb *KillerSpecBuilder) WithFmodRet() *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithFmodRet() *EnforcerSpecBuilder { ksb.overrideMethod = valFmodRet return ksb } -func (ksb *KillerSpecBuilder) WithDefaultOverride() *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithDefaultOverride() *EnforcerSpecBuilder { ksb.overrideMethod = "" return ksb } -func (ksb *KillerSpecBuilder) MustBuild() *v1alpha1.TracingPolicy { +func (ksb *EnforcerSpecBuilder) MustBuild() *v1alpha1.TracingPolicy { spec, err := ksb.Build() if err != nil { log.Fatalf("MustBuild failed with %v", err) @@ -86,7 +86,7 @@ func (ksb *KillerSpecBuilder) MustBuild() *v1alpha1.TracingPolicy { return spec } -func (ksb *KillerSpecBuilder) MustYAML() string { +func (ksb *EnforcerSpecBuilder) MustYAML() string { tp, err := ksb.Build() if err != nil { log.Fatalf("MustYAML: build failed with %v", err) @@ -99,11 +99,11 @@ func (ksb *KillerSpecBuilder) MustYAML() string { return string(b) } -func (ksb *KillerSpecBuilder) Build() (*v1alpha1.TracingPolicy, error) { +func (ksb *EnforcerSpecBuilder) Build() (*v1alpha1.TracingPolicy, error) { var listNames []string var lists []v1alpha1.ListSpec - var killers []v1alpha1.EnforcerSpec + var enforcers []v1alpha1.EnforcerSpec var matchBinaries []v1alpha1.BinarySelector var options []v1alpha1.OptionSpec 
@@ -123,15 +123,15 @@ func (ksb *KillerSpecBuilder) Build() (*v1alpha1.TracingPolicy, error) { Pattern: nil, Validated: false, }) - killers = append(killers, v1alpha1.EnforcerSpec{ + enforcers = append(enforcers, v1alpha1.EnforcerSpec{ Calls: []string{listName}, }) } - actions := []v1alpha1.ActionSelector{{Action: "NotifyKiller"}} + actions := []v1alpha1.ActionSelector{{Action: "NotifyEnforcer"}} act := &actions[0] if ksb.kill == nil && ksb.override == nil { - return nil, fmt.Errorf("need either override or kill to notify killer") + return nil, fmt.Errorf("need either override or kill to notify enforcer") } if ksb.kill != nil { act.ArgSig = *ksb.kill @@ -192,7 +192,7 @@ func (ksb *KillerSpecBuilder) Build() (*v1alpha1.TracingPolicy, error) { MatchBinaries: matchBinaries, }}, }}, - Enforcers: killers, + Enforcers: enforcers, Options: options, }, }, nil diff --git a/pkg/sensors/tracing/killer_test.go b/pkg/sensors/tracing/killer_test.go index dd9ebb554ab..1b7943ce75f 100644 --- a/pkg/sensors/tracing/killer_test.go +++ b/pkg/sensors/tracing/killer_test.go @@ -32,16 +32,16 @@ import ( "golang.org/x/sys/unix" ) -func testKillerCheckSkip(t *testing.T) { +func testEnforcerCheckSkip(t *testing.T) { if !bpf.HasSignalHelper() { - t.Skip("skipping killer test, bpf_send_signal helper not available") + t.Skip("skipping enforcer test, bpf_send_signal helper not available") } if !bpf.HasOverrideHelper() && !bpf.HasModifyReturnSyscall() { t.Skip("skipping test, neither bpf_override_return nor fmod_ret for syscalls is available") } } -func testKiller(t *testing.T, configHook string, +func testEnforcer(t *testing.T, configHook string, test string, test2 string, checker *eventchecker.UnorderedEventChecker, checkerFunc func(err error, rc int)) { 
@@ -80,12 +80,12 @@ func testKiller(t *testing.T, configHook string, assert.NoError(t, err) } -func TestKillerOverride(t *testing.T) { - testKillerCheckSkip(t) +func TestEnforcerOverride(t *testing.T) { + testEnforcerCheckSkip(t) test := testutils.RepoRootPath("contrib/tester-progs/getcpu") - builder := func() *KillerSpecBuilder { - return NewKillerSpecBuilder("killer-override"). + builder := func() *EnforcerSpecBuilder { + return NewEnforcerSpecBuilder("enforcer-override"). WithSyscallList("sys_getcpu"). WithMatchBinaries(test). WithOverrideValue(-17) // EEXIST @@ -117,12 +117,12 @@ func TestKillerOverride(t *testing.T) { t.Skip("no multi-kprobe support") } yaml := builder().WithOverrideReturn().WithMultiKprobe().MustYAML() - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) }) t.Run("kprobe (no multi)", func(t *testing.T) { yaml := builder().WithOverrideReturn().WithoutMultiKprobe().MustYAML() - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) }) }) t.Run("fmod_ret", func(t *testing.T) { @@ -130,14 +130,14 @@ func TestKillerOverride(t *testing.T) { t.Skip("fmod_ret not supported") } yaml := builder().WithFmodRet().MustYAML() - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) }) } -func TestKillerSignal(t *testing.T) { - testKillerCheckSkip(t) +func TestEnforcerSignal(t *testing.T) { + testEnforcerCheckSkip(t) - test := testutils.RepoRootPath("contrib/tester-progs/killer-tester") + test := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester") tpChecker := ec.NewProcessTracepointChecker(""). WithArgs(ec.NewKprobeArgumentListMatcher(). 
@@ -155,8 +155,8 @@ func TestKillerSignal(t *testing.T) { } } - builder := func() *KillerSpecBuilder { - return NewKillerSpecBuilder("killer-signal"). + builder := func() *EnforcerSpecBuilder { + return NewEnforcerSpecBuilder("enforcer-signal"). WithSyscallList("sys_prctl"). WithMatchBinaries(test). WithOverrideValue(-17). // EEXIST @@ -172,18 +172,18 @@ func TestKillerSignal(t *testing.T) { } yaml := builder().WithMultiKprobe().MustYAML() - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) }) t.Run("kprobe (no multi)", func(t *testing.T) { yaml := builder().WithoutMultiKprobe().MustYAML() - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) }) } -func TestKillerMultiNotSupported(t *testing.T) { - yaml := NewKillerSpecBuilder("killer-multi"). +func TestEnforcerMultiNotSupported(t *testing.T) { + yaml := NewEnforcerSpecBuilder("enforcer-multi"). WithSyscallList("sys_prctl"). WithSyscallList("sys_dup"). WithOverrideValue(-17). // EEXIST 
@@ -244,25 +244,25 @@ func testSecurity(t *testing.T, tracingPolicy, tempFile string) { // in this case direct pwrite syscall. // Standard Sigkill action kills executed from sys_pwrite probe kills the // process, but only after the pwrite syscall is executed. -// Now we can mitigate that by attaching killer to security_file_permission +// Now we can mitigate that by attaching enforcer to security_file_permission // function and override its return value to prevent the pwrite syscall // execution. // // The testing spec below: // - attaches probe to pwrite -// - attaches killer to security_file_permission +// - attaches enforcer to security_file_permission // - executes SigKill action for attempted pwrite to specific file -// - executes NotifyEnforcer action to instruct killer to override the +// - executes NotifyEnforcer action to instruct enforcer to override the // security_file_permission return value with -1 // - tests that no data got written to the monitored file -func TestKillerSecuritySigKill(t *testing.T) { +func TestEnforcerSecuritySigKill(t *testing.T) { if !bpf.HasSignalHelper() { - t.Skip("skipping killer test, bpf_send_signal helper not available") + t.Skip("skipping enforcer test, bpf_send_signal helper not available") } if !bpf.HasModifyReturn() { - t.Skip("skipping killer test, fmod_ret is not available") + t.Skip("skipping enforcer test, fmod_ret is not available") } if !kernels.EnableLargeProgs() { @@ -280,7 +280,7 @@ spec: options: - name: "override-method" value: "fmod-ret" - killers: + enforcers: - calls: - "security_file_permission" kprobes: 
@@ -332,24 +332,24 @@ spec: } // Testing the ability to kill the process before it executes the syscall, -// in similar way as in TestKillerSecuritySigKill test. +// in similar way as in TestEnforcerSecuritySigKill test. // The only difference is we use the NotifyEnforcer to send the signal instead // of using SigKill action. // // The testing spec below: // - attaches probe to pwrite -// - attaches killer to security_file_permission -// - executes NotifyEnforcer to instruct killer to send sigkill to current process +// - attaches enforcer to security_file_permission +// - executes NotifyEnforcer to instruct enforcer to send sigkill to current process // and override the security_file_permission return value with -1 // - tests that no data got written to the monitored file -func TestKillerSecurityNotifyEnforcer(t *testing.T) { +func TestEnforcerSecurityNotifyEnforcer(t *testing.T) { if !bpf.HasSignalHelper() { - t.Skip("skipping killer test, bpf_send_signal helper not available") + t.Skip("skipping enforcer test, bpf_send_signal helper not available") } if !bpf.HasModifyReturn() { - t.Skip("skipping killer test, fmod_ret is not available") + t.Skip("skipping enforcer test, fmod_ret is not available") } if !kernels.EnableLargeProgs() { @@ -367,7 +367,7 @@ spec: options: - name: "override-method" value: "fmod-ret" - killers: + enforcers: - calls: - "security_file_permission" kprobes: 
@@ -419,39 +419,39 @@ spec: } // This test loads 2 policies: -// - first set standard killer tracepoint setup on sys_prctl +// - first set standard enforcer tracepoint setup on sys_prctl // with first argument value 0xffff -// - second set standard killer tracepoint setup on sys_prctl +// - second set standard enforcer tracepoint setup on sys_prctl // with first argument value 0xfffe // then make sure both policies catch and kill. -func TestKillerMulti(t *testing.T) { +func TestEnforcerMulti(t *testing.T) { if !bpf.HasSignalHelper() { - t.Skip("skipping killer test, bpf_send_signal helper not available") + t.Skip("skipping enforcer test, bpf_send_signal helper not available") } if !bpf.HasModifyReturn() { - t.Skip("skipping killer test, fmod_ret is not available") + t.Skip("skipping enforcer test, fmod_ret is not available") } if !kernels.EnableLargeProgs() { t.Skip("Older kernels do not support matchArgs for more than one arguments") } - testBin := testutils.RepoRootPath("contrib/tester-progs/killer-tester") + testBin := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester") policyYAML1 := ` apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: - name: "killer-prctl-1" + name: "enforcer-prctl-1" spec: lists: - name: "prctl" type: "syscalls" values: - "sys_prctl" - killers: + enforcers: - calls: - "list:prctl" tracepoints: @@ -486,14 +486,14 @@ spec: apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: - name: "killer-prctl-2" + name: "enforcer-prctl-2" spec: lists: - name: "prctl" type: "syscalls" values: - "sys_prctl" - killers: + enforcers: - calls: - "list:prctl" tracepoints: 
@@ -541,13 +541,13 @@ spec: option.Config.HubbleLib = tus.Conf().TetragonLib tus.LoadSensor(t, base.GetInitialSensor()) - sensor1, err := gKillerPolicy.PolicyHandler(policy1, policyfilter.NoFilterID) + sensor1, err := gEnforcerPolicy.PolicyHandler(policy1, policyfilter.NoFilterID) assert.NoError(t, err) sensor2, err := policyHandler{}.PolicyHandler(policy1, policyfilter.NoFilterID) assert.NoError(t, err) - sensor3, err := gKillerPolicy.PolicyHandler(policy2, policyfilter.NoFilterID) + sensor3, err := gEnforcerPolicy.PolicyHandler(policy2, policyfilter.NoFilterID) assert.NoError(t, err) sensor4, err := policyHandler{}.PolicyHandler(policy2, policyfilter.NoFilterID) @@ -561,7 +561,7 @@ spec: t.Logf("All policies loaded\n") - // 'killer-tester 0xffff' should be killed by policy 1 + // 'enforcer-tester 0xffff' should be killed by policy 1 cmd := exec.Command(testBin, "0xffff") err = cmd.Run() @@ -569,7 +569,7 @@ spec: t.Fatalf("Wrong error '%v' expected 'killed'", err) } - // 'killer-tester 0xfffe' should be killed by policy 2 + // 'enforcer-tester 0xfffe' should be killed by policy 2 cmd = exec.Command(testBin, "0xfffe") err = cmd.Run() @@ -577,7 +577,7 @@ spec: t.Fatalf("Wrong error '%v' expected 'killed'", err) } - // 'killer-tester 0xfffd' should NOT get killed + // 'enforcer-tester 0xfffd' should NOT get killed cmd = exec.Command(testBin, "0xfffd") err = cmd.Run() @@ -591,7 +591,7 @@ spec: t.Logf("Unloaded policy 1\n") - // 'killer-tester 0xffff' should NOT get killed now + // 'enforcer-tester 0xffff' should NOT get killed now cmd = exec.Command(testBin, "0xffff") err = cmd.Run() @@ -599,7 +599,7 @@ spec: t.Fatalf("Wrong error '%v' expected 'exit status 22'", err) } - // 'killer-tester 0xfffe' should be killed by policy 2 + // 'enforcer-tester 0xfffe' should be killed by policy 2 cmd = exec.Command(testBin, "0xfffe") err = cmd.Run() 
@@ -613,7 +613,7 @@ spec: t.Logf("Unloaded policy 2\n") - // 'killer-tester 0xfffe' should NOT get killed now + // 'enforcer-tester 0xfffe' should NOT get killed now cmd = exec.Command(testBin, "0xfffe") err = cmd.Run() From 0fa8d862747b9ab29e95b4bfdf1ea10a8f06572f Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Fri, 16 Feb 2024 13:31:16 +0000 Subject: [PATCH 6/7] tetragon: Rename killer go objects to enforcer Renaming the killer Go source files to their enforcer names; file contents are unchanged (100% similarity renames). Signed-off-by: Jiri Olsa --- pkg/sensors/tracing/{killer.go => enforcer.go} | 0 .../tracing/{killer_amd64_test.go => enforcer_amd64_test.go} | 0 pkg/sensors/tracing/{killer_builder.go => enforcer_builder.go} | 0 pkg/sensors/tracing/{killer_test.go => enforcer_test.go} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename pkg/sensors/tracing/{killer.go => enforcer.go} (100%) rename pkg/sensors/tracing/{killer_amd64_test.go => enforcer_amd64_test.go} (100%) rename pkg/sensors/tracing/{killer_builder.go => enforcer_builder.go} (100%) rename pkg/sensors/tracing/{killer_test.go => enforcer_test.go} (100%) diff --git a/pkg/sensors/tracing/killer.go b/pkg/sensors/tracing/enforcer.go similarity index 100% rename from pkg/sensors/tracing/killer.go rename to pkg/sensors/tracing/enforcer.go diff --git a/pkg/sensors/tracing/killer_amd64_test.go b/pkg/sensors/tracing/enforcer_amd64_test.go similarity index 100% rename from pkg/sensors/tracing/killer_amd64_test.go rename to pkg/sensors/tracing/enforcer_amd64_test.go diff --git a/pkg/sensors/tracing/killer_builder.go b/pkg/sensors/tracing/enforcer_builder.go similarity index 100% rename from pkg/sensors/tracing/killer_builder.go rename to pkg/sensors/tracing/enforcer_builder.go diff --git a/pkg/sensors/tracing/killer_test.go b/pkg/sensors/tracing/enforcer_test.go similarity index 100% rename from pkg/sensors/tracing/killer_test.go rename to pkg/sensors/tracing/enforcer_test.go From 24732176879f00dcaa395712bd47e0cd04485a47 Mon Sep 17 00:00:00 2001 
From: Jiri Olsa Date: Fri, 16 Feb 2024 13:19:15 +0000 Subject: [PATCH 7/7] tetragon: Rename killer-tester to enforcer-tester Renaming killer-tester to enforcer-tester. Signed-off-by: Jiri Olsa --- contrib/tester-progs/Makefile | 8 ++++---- .../tester-progs/{killer-tester.c => enforcer-tester.c} | 0 2 files changed, 4 insertions(+), 4 deletions(-) rename contrib/tester-progs/{killer-tester.c => enforcer-tester.c} (100%) diff --git a/contrib/tester-progs/Makefile b/contrib/tester-progs/Makefile index 4b5ecbe33b9..77ff318a6eb 100644 --- a/contrib/tester-progs/Makefile +++ b/contrib/tester-progs/Makefile @@ -18,16 +18,16 @@ PROGS = sigkill-tester \ threads-tester \ bench-reader \ threads-exit \ - killer-tester \ + enforcer-tester \ drop-privileges \ getcpu \ direct-write-tester \ change-capabilities -# For now killer-tester is compiled to 32-bit only on x86_64 as we want +# For now enforcer-tester is compiled to 32-bit only on x86_64 as we want # to test 32-bit binaries and system calls compatibility layer. ifeq ($(shell uname -m),x86_64) - PROGS += killer-tester-32 + PROGS += enforcer-tester-32 endif all: $(PROGS) @@ -79,7 +79,7 @@ uprobe-test-2: uprobe-test-1 # -m32 is an x86_64 flag. # NB(kkourt) we compile this as static to avoid the need for ia32 libs in VMs -killer-tester-32: killer-tester.c +enforcer-tester-32: enforcer-tester.c $(GCC) -Wall -m32 -static $< -o $@ lseek-pipe: FORCE diff --git a/contrib/tester-progs/killer-tester.c b/contrib/tester-progs/enforcer-tester.c similarity index 100% rename from contrib/tester-progs/killer-tester.c rename to contrib/tester-progs/enforcer-tester.c