cilium · olsajiri · Aug 16, 2024 · Aug 17, 2024 · Aug 17, 2024 · Aug 13, 2024
@@ -64,26 +64,26 @@ var (
 	).SetPolicy(basePolicy)
 
 	/* Event Ring map */
-	TCPMonMap = program.MapBuilder("tcpmon_map", Execve)
+	TCPMonMap = program.MapBuilder("tcpmon_map", Execve, Exit, Fork)
 	/* Networking and Process Monitoring maps */
-	ExecveMap          = program.MapBuilder("execve_map", Execve)
+	ExecveMap          = program.MapBuilder("execve_map", Execve, Exit, Fork, ExecveBprmCommit)
 	ExecveTailCallsMap = program.MapBuilderPin("execve_calls", "execve_calls", Execve)
 
-	ExecveJoinMap = program.MapBuilder("tg_execve_joined_info_map", ExecveBprmCommit)
+	ExecveJoinMap = program.MapBuilder("tg_execve_joined_info_map", Execve, Exit, Fork, ExecveBprmCommit)
 
 	/* Tetragon runtime configuration */
-	TetragonConfMap = program.MapBuilder("tg_conf_map", Execve)
+	TetragonConfMap = program.MapBuilder("tg_conf_map", Execve, Exit, Fork)
 
 	/* Internal statistics for debugging */
-	ExecveStats        = program.MapBuilder("execve_map_stats", Execve)
-	ExecveJoinMapStats = program.MapBuilder("tg_execve_joined_info_map_stats", ExecveBprmCommit)
-	StatsMap           = program.MapBuilder("tg_stats_map", Execve)
+	ExecveStats        = program.MapBuilder("execve_map_stats", Execve, Exit, Fork)
+	ExecveJoinMapStats = program.MapBuilder("tg_execve_joined_info_map_stats", Execve, Exit, Fork, ExecveBprmCommit)
+	StatsMap           = program.MapBuilder("tg_stats_map", Execve, Exit, Fork)
 
 	/* Cgroup rate data, attached to execve sensor */
 	CgroupRateMap        = program.MapBuilder("cgroup_rate_map", Execve, Exit, Fork, CgroupRmdir)
-	CgroupRateOptionsMap = program.MapBuilder("cgroup_rate_options_map", Execve)
+	CgroupRateOptionsMap = program.MapBuilder("cgroup_rate_options_map", Execve, Exit, Fork)
 
-	MatchBinariesSetMap = program.MapBuilder(mbset.MapName, Execve)
+	MatchBinariesSetMap = program.MapBuilder(mbset.MapName, Execve, Exit, Fork)
 
 	sensor = sensors.Sensor{
 		Name: basePolicy,
@@ -169,7 +169,6 @@ func GetInitialSensor() *sensors.Sensor {
 	sensorInit.Do(func() {
 		setupPrograms()
 		sensor.Progs = GetDefaultPrograms(option.CgroupRateEnabled())
-		sensor.Maps = GetDefaultMaps(option.CgroupRateEnabled())
 	})
 	return &sensor
 }
@@ -178,7 +177,6 @@ func GetInitialSensorTest() *sensors.Sensor {
 	sensorTestInit.Do(func() {
 		setupPrograms()
 		sensorTest.Progs = GetDefaultPrograms(true)
-		sensorTest.Maps = GetDefaultMaps(true)
 	})
 	return &sensorTest
 }

@@ -7,10 +7,8 @@ import (
 	"fmt"
 	"os"
 	"path"
-	"path/filepath"
 	"strings"
 
-	"github.com/cilium/ebpf"
 	cachedbtf "github.com/cilium/tetragon/pkg/btf"
 	"github.com/cilium/tetragon/pkg/kernels"
 	"github.com/cilium/tetragon/pkg/logger"
@@ -93,10 +91,6 @@ func (s *Sensor) Load(bpfDir string) error {
 		return fmt.Errorf("tetragon, aborting could not find BPF programs: %w", err)
 	}
 
-	if err := s.loadMaps(bpfDir); err != nil {
-		return fmt.Errorf("tetragon, aborting could not load sensor BPF maps: %w", err)
-	}
-
 	for _, p := range s.Progs {
 		if p.LoadState.IsLoaded() {
 			l.WithField("prog", p.Name).Info("BPF prog is already loaded, incrementing reference count")
@@ -113,7 +107,6 @@ func (s *Sensor) Load(bpfDir string) error {
 
 	// Add the *loaded* programs and maps, so they can be unloaded later
 	progsAdd(s.Progs)
-	AllMaps = append(AllMaps, s.Maps...)
 
 	l.WithField("sensor", s.Name).Infof("Loaded BPF maps and events for sensor successfully")
 	s.Loaded = true
@@ -136,9 +129,11 @@ func (s *Sensor) Unload() error {
 		unloadProgram(p)
 	}
 
-	for _, m := range s.Maps {
-		if err := m.Unload(); err != nil {
-			logger.GetLogger().WithError(err).WithField("map", s.Name).Warn("Failed to unload map")
+	for _, p := range s.Progs {
+		for name, m := range p.PinMap {
+			if err := m.Unload(); err != nil {
+				logger.GetLogger().WithError(err).WithField("map", name).Warn("Failed to unload map")
+			}
 		}
 	}
 
@@ -200,76 +195,24 @@ func (s *Sensor) FindPrograms() error {
 		if err := s.findProgram(p); err != nil {
 			return err
 		}
-	}
-	for _, m := range s.Maps {
-		if err := s.findProgram(m.Prog); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// loadMaps loads all the BPF maps in the sensor.
-func (s *Sensor) loadMaps(bpfDir string) error {
-	l := logger.GetLogger()
-	for _, m := range s.Maps {
-		if m.PinState.IsLoaded() {
-			l.WithFields(logrus.Fields{
-				"sensor": s.Name,
-				"map":    m.Name,
-			}).Info("map is already loaded, incrementing reference count")
-			m.PinState.RefInc()
-			continue
-		}
-
-		pinPath := filepath.Join(bpfDir, m.PinName)
-
-		spec, err := ebpf.LoadCollectionSpec(m.Prog.Name)
-		if err != nil {
-			return fmt.Errorf("failed to open collection '%s': %w", m.Prog.Name, err)
-		}
-		mapSpec, ok := spec.Maps[m.Name]
-		if !ok {
-			return fmt.Errorf("map '%s' not found from '%s'", m.Name, m.Prog.Name)
-		}
-
-		if max, ok := m.GetMaxEntries(); ok {
-			mapSpec.MaxEntries = max
-		}
-
-		if innerMax, ok := m.GetMaxInnerEntries(); ok {
-			if innerMs := mapSpec.InnerMap; innerMs != nil {
-				mapSpec.InnerMap.MaxEntries = innerMax
+		for _, m := range p.PinMap {
+			if err := s.findProgram(m.Prog); err != nil {
+				return err
 			}
 		}
-
-		if err := m.LoadOrCreatePinnedMap(pinPath, mapSpec); err != nil {
-			return fmt.Errorf("failed to load map '%s' for sensor '%s': %w", m.Name, s.Name, err)
-		}
-
-		l.WithFields(logrus.Fields{
-			"sensor": s.Name,
-			"map":    m.Name,
-			"path":   pinPath,
-			"max":    m.Entries,
-		}).Info("tetragon, map loaded.")
 	}
-
 	return nil
 }
 
 func mergeSensors(sensors []*Sensor) *Sensor {
 	var progs []*program.Program
-	var maps []*program.Map
 
 	for _, s := range sensors {
 		progs = append(progs, s.Progs...)
-		maps = append(maps, s.Maps...)
 	}
 	return &Sensor{
 		Name:  "__main__",
 		Progs: progs,
-		Maps:  maps,
 	}
 }
 
@@ -283,7 +226,7 @@ func observerLoadInstance(bpfDir string, load *program.Program) error {
 	l.WithFields(logrus.Fields{
 		"prog":         load.Name,
 		"kern_version": version,
-	}).Debug("observerLoadInstance", load.Name, version)
+	}).Debugf("observerLoadInstance %s %d", load.Name, version)
 	if load.Type == "tracepoint" {
 		err = loadInstance(bpfDir, load, version, option.Config.Verbosity)
 		if err != nil {

@@ -863,6 +863,26 @@ func doLoadProgram(
 	}
 	defer coll.Close()
 
+	// Pin all requested maps
+	for name, m := range coll.Maps {
+		// Is the map refferenced by program
+		if _, ok := refMaps[name]; !ok {
+			continue
+		}
+		// Is the map already pinned
+		if _, ok := pinnedMaps[name]; ok {
+			continue
+		}
+		// Do we want the map to be pinned?
+		pm, ok := load.PinMap[name]
+		if !ok {
+			continue
+		}
+		if err := pm.CloneAndPin(bpfDir, m); err != nil {
+			return nil, fmt.Errorf("map pinning failed: %s", err)
+		}
+	}
+
 	err = installTailCalls(bpfDir, spec, coll, load)
 	if err != nil {
 		return nil, fmt.Errorf("installing tail calls failed: %s", err)

@@ -153,6 +153,21 @@ func (m *Map) LoadOrCreatePinnedMap(pinPath string, mapSpec *ebpf.MapSpec) error
 	return nil
 }
 
+func (m *Map) CloneAndPin(bpfDir string, handle *ebpf.Map) error {
+	var err error
+
+	m.MapHandle, err = handle.Clone()
+	if err != nil {
+		return fmt.Errorf("failed to clone map '%s': %w", m.Name, err)
+	}
+	pinPath := filepath.Join(bpfDir, m.PinName)
+	if err = m.MapHandle.Pin(pinPath); err != nil {
+		return fmt.Errorf("failed to pin to %s: %w", pinPath, err)
+	}
+	m.PinState.RefInc()
+	return nil
+}
+
 func isValidSubdir(d string) bool {
 	dir := filepath.Base(d)
 	return dir != "." && dir != ".."

@@ -41,8 +41,6 @@ type Sensor struct {
 	Name string
 	// Progs are all the BPF programs that exist on the filesystem.
 	Progs []*program.Program
-	// Maps are all the BPF Maps that the progs use.
-	Maps []*program.Map
 	// Loaded indicates whether the sensor has been Loaded.
 	Loaded bool
 	// Destroyed indicates whether the sensor had been destroyed.
@@ -84,19 +82,16 @@ type SensorHook func() error
 
 func SensorCombine(name string, sensors ...*Sensor) *Sensor {
 	progs := []*program.Program{}
-	maps := []*program.Map{}
 	for _, s := range sensors {
 		progs = append(progs, s.Progs...)
-		maps = append(maps, s.Maps...)
 	}
-	return SensorBuilder(name, progs, maps)
+	return SensorBuilder(name, progs)
 }
 
-func SensorBuilder(name string, p []*program.Program, m []*program.Map) *Sensor {
+func SensorBuilder(name string, p []*program.Program) *Sensor {
 	return &Sensor{
 		Name:  name,
 		Progs: p,
-		Maps:  m,
 	}
 }
 

@@ -50,18 +50,10 @@ func getCgroupPrograms() []*program.Program {
 	return progs
 }
 
-func getCgroupMaps() []*program.Map {
-	maps := []*program.Map{
-		GetCgroupsTrackingMap(),
-	}
-	return maps
-}
-
 // GetCgroupSensor returns the Cgroups base sensor
 func GetCgroupSensor() *sensors.Sensor {
 	return &sensors.Sensor{
 		Name:  "test-sensor-cgroups",
 		Progs: getCgroupPrograms(),
-		Maps:  getCgroupMaps(),
 	}
 }
@@ -66,7 +66,6 @@ func GetTestSensor() *sensors.Sensor {
 		sensors.PathJoin(sensorName, "test_lseek_prog"),
 		"tracepoint",
 	)}
-	maps := []*program.Map{}
-	sensor := &sensors.Sensor{Name: sensorName, Progs: progs, Maps: maps}
+	sensor := &sensors.Sensor{Name: sensorName, Progs: progs}
 	return sensor
 }
@@ -248,7 +248,6 @@ func (kp *enforcerPolicy) createEnforcerSensor(
 	// register enforcer sensor
 	var load *program.Program
 	var progs []*program.Program
-	var maps []*program.Map
 	specOpts, err := getSpecOptions(opts)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get spec options: %s", err)
@@ -318,8 +317,6 @@ func (kp *enforcerPolicy) createEnforcerSensor(
 	enforcerDataMap := enforcerMap(policyName, progs...)
 	enforcerDataMap.SetMaxEntries(enforcerMapMaxEntries)
 
-	maps = append(maps, enforcerDataMap)
-
 	if ok := kp.enforcerAdd(name, kh); !ok {
 		return nil, fmt.Errorf("failed to add enforcer: '%s'", name)
 	}
@@ -329,7 +326,6 @@ func (kp *enforcerPolicy) createEnforcerSensor(
 	return &sensors.Sensor{
 		Name:  "__enforcer__",
 		Progs: progs,
-		Maps:  maps,
 		PostUnloadHook: func() error {
 			if ok := kp.enforcerDel(name); !ok {
 				logger.GetLogger().Infof("Failed to clean up enforcer sensor '%s'", name)