From 9a9d21fa60376437d360599cbf821fe9882c5f82 Mon Sep 17 00:00:00 2001
From: Tristan d'Audibert
Date: Tue, 19 Nov 2024 16:23:22 +0100
Subject: [PATCH] Add LSM dynamic parameter extraction in `genericlsm.go`
This commit update `addLsm` function to use the parameters `ExtractParam` and `OverwriteType` in order to look for the child members in BTF structure. It does a basic split on `ExtractParam` and to obtain the path from the argument to the required data. Then, the array is gave to `btf.FindNextBTFType` to find the offsets to the data. The output is stored in EventConfig to keep the normal behaviour For example, if the arg 0 is `struct linux_binprm` and ExtractParam is set to `file.f_path.dentry.d_name.name`, the output will give an array of all the offsets from there parents as such [{ offset: 96, is_pointer: 0 }, { offset: 152, is_pointer: 1 }, ...]
Signed-off-by: Tristan d'Audibert
---
 pkg/sensors/tracing/genericlsm.go | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/pkg/sensors/tracing/genericlsm.go b/pkg/sensors/tracing/genericlsm.go
index 4c9d4a7002a..e51685b3923 100644
--- a/pkg/sensors/tracing/genericlsm.go
+++ b/pkg/sensors/tracing/genericlsm.go
@@ -16,6 +16,7 @@ import (
 processapi "github.com/cilium/tetragon/pkg/api/processapi"
 api "github.com/cilium/tetragon/pkg/api/tracingapi"
 "github.com/cilium/tetragon/pkg/bpf"
+ "github.com/cilium/tetragon/pkg/btf"
 gt "github.com/cilium/tetragon/pkg/generictypes"
 "github.com/cilium/tetragon/pkg/grpc/tracing"
 "github.com/cilium/tetragon/pkg/idtable"
@@ -209,6 +210,7 @@ type addLsmIn struct {
 func addLsm(f *v1alpha1.LsmHookSpec, in *addLsmIn) (id idtable.EntryID, err error) {
 var argSigPrinters []argPrinter
 var argsBTFSet [api.MaxArgsSupported]bool
+ var allArgsBtfChilds [api.EventConfigMaxArgs][api.MaxBtfArgChildDepth]api.ConfigBtfArgChild
 errFn := func(err error) (idtable.EntryID, error) {
 return idtable.UninitializedEntryID, err
@@ -239,6 +241,34 @@ func addLsm(f *v1alpha1.LsmHookSpec, in *addLsmIn) (id idtable.EntryID, err erro
 if argType == gt.GenericInvalidType {
 return errFn(fmt.Errorf("Arg(%d) type '%s' unsupported", j, a.Type))
 }
+
+ if a.ExtractParam != "" && j < api.EventConfigMaxArgs {
+ allArgsBtfChilds[j] = [api.MaxBtfArgChildDepth]api.ConfigBtfArgChild{}
+ spec, err := btf.NewBTF()
+ if err != nil {
+ return errFn(fmt.Errorf("Unable to load BTF file"))
+ }
+
+ partialPath := strings.Split(a.ExtractParam, ".")
+ if len(partialPath) > api.MaxBtfArgChildDepth {
+ return errFn(fmt.Errorf("Exausted research in BTF for type %s. The maximum depth allowed is %d", a.Type, api.MaxBtfArgChildDepth))
+ }
+
+ rootType, err := spec.AnyTypeByName(a.Type)
+ if err != nil {
+ return errFn(fmt.Errorf("Type %s has not been found in BTF", a.Type))
+ }
+ lastChild, err := btf.FindNextBTFType(&allArgsBtfChilds[j], rootType, &partialPath, 0)
+ if err != nil {
+ return errFn(err)
+ }
+ if a.OverwriteType != "" {
+ argType = gt.GenericTypeFromString(a.OverwriteType)
+ } else {
+ argType = gt.GenericTypeFromBTF(*lastChild)
+ }
+ }
+
+
 if a.MaxData {
 if argType != gt.GenericCharBuffer {
 logger.GetLogger().Warnf("maxData flag is ignored (supported for char_buf type)")
@@ -263,6 +293,7 @@ func addLsm(f *v1alpha1.LsmHookSpec, in *addLsmIn) (id idtable.EntryID, err erro
 argSigPrinters = append(argSigPrinters, argP)
 }
+ config.BtfArgChild = allArgsBtfChilds
 config.ArgReturn = int32(0)
 config.ArgReturnCopy = int32(0)
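Review bot: In the `@@ -239,6 +241,34 @@` hunk, `argType` is reassigned from `a.OverwriteType` or from the resolved BTF member after the `gt.GenericInvalidType` check just above the new block, so an unsupported overwrite or member type is no longer rejected at this point. Repeating the guard after the `if`/`else` would close that gap, e.g. `if argType == gt.GenericInvalidType { return errFn(fmt.Errorf("Arg(%d) extracted type unsupported", j)) }`, assuming both helpers return that sentinel for unknown types as the existing check suggests. The `j < api.EventConfigMaxArgs` half of the condition lets an out-of-range argument with `ExtractParam` set load successfully while the hook reads the root argument instead of the requested field; for a policy that filters or enforces on that field this is a silent failure, and returning an error would be safer. The `fmt.Errorf` calls after `btf.NewBTF()` and `spec.AnyTypeByName` discard `err`, so wrapping it with `%w` would keep the cause visible to whoever debugs a rejected policy. `addLsm` starts and continues outside this hunk, so later validation of `argType` may exist that is not visible here.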