tetragon: Add support to use security_ functions in killer

bpf/process/types/basic.h

@@ -2084,7 +2084,7 @@ struct {
 	__uint(value_size, sizeof(__u64) * PERF_MAX_STACK_DEPTH);
 } stack_trace_map SEC(".maps");
 
-#ifdef GENERIC_TRACEPOINT
+#if defined GENERIC_TRACEPOINT || defined GENERIC_KPROBE
 static inline __attribute__((always_inline)) void
 do_action_notify_killer(int error, int signal)
 {

contrib/tester-progs/Makefile

@@ -20,7 +20,8 @@ PROGS = sigkill-tester \
 	threads-exit \
 	killer-tester \
 	drop-privileges \
-	getcpu
+	getcpu \
+	direct-write-tester
 
 # For now killer-tester is compiled to 32-bit only on x86_64 as we want
 # to test 32-bit binaries and system calls compatibility layer.

contrib/tester-progs/direct-write-tester.c

@@ -0,0 +1,43 @@
+// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+// Copyright Authors of Tetragon
+
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+
+#define BLOCKSIZE 4096
+#define O_DIRECT  00040000
+
+int main(int argc, char **argv)
+{
+	char *avd = "NEW_MESSAGE\n";
+	void *buffer;
+	int fd;
+
+	if (argc != 2)
+		exit(-1);
+
+	fd = open(argv[1], O_WRONLY | O_DIRECT | O_CREAT, S_IRWXU | S_IRWXG);
+	if (fd == -1) {
+		perror("open");
+		exit(-1);
+	}
+
+	posix_memalign(&buffer, BLOCKSIZE, BLOCKSIZE);
+	memset(buffer, 0, BLOCKSIZE);
+	memcpy(buffer, avd, strlen(avd) + 1);
+
+	ssize_t ret = pwrite(fd, buffer, BLOCKSIZE, 0);
+	if (ret == -1) {
+		perror("write");
+		exit(-1);
+	}
+
+	close(fd);
+	free(buffer);
+	return 0;
+}

docs/content/en/docs/concepts/tracing-policy/selectors.md

@@ -1015,7 +1015,7 @@ the `killer` program and attach it to specified syscalls.
 ```yaml
 spec:
   killers:
-  - syscalls:
+  - calls:
     - "list:dups"
 ```
 
@@ -1047,7 +1047,7 @@ spec:
     - "sys_dup"
     - "sys_dup2"
   killers:
-  - syscalls:
+  - calls:
     - "list:dups"
   tracepoints:
   - subsystem: "raw_syscalls"

examples/tracingpolicy/killer.yaml

@@ -11,7 +11,7 @@ spec:
     - "sys_dup2"
     - "__ia32_sys_dup"
   killers:
-  - syscalls:
+  - calls:
     - "list:dups"
   tracepoints:
   - subsystem: "raw_syscalls"

pkg/arch/arch.go

@@ -71,3 +71,12 @@ func CutSyscallPrefix(symbol string) (string, bool) {
 	}
 	return symbol, false
 }
+
+func HasSyscallPrefix(symbol string) bool {
+	for _, prefix := range supportedArchPrefix {
+		if strings.HasPrefix(symbol, prefix) {
+			return true
+		}
+	}
+	return false
+}

pkg/ftrace/ftrace.go

@@ -48,7 +48,10 @@ func ReadAvailFuncs(pattern string) ([]string, error) {
 	var r *regexp.Regexp
 
 	if pattern != "" {
-		r, _ = regexp.Compile(pattern)
+		r, err = regexp.Compile(pattern)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	final := []string{}

pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml

@@ -38,13 +38,13 @@ spec:
                 description: A killer spec.
                 items:
                   properties:
-                    syscalls:
-                      description: syscalls where killer is executed in
+                    calls:
+                      description: Calls where killer is executed in
                       items:
                         type: string
                       type: array
                   required:
-                  - syscalls
+                  - calls
                   type: object
                 type: array
               kprobes:

pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml

@@ -38,13 +38,13 @@ spec:
                 description: A killer spec.
                 items:
                   properties:
-                    syscalls:
-                      description: syscalls where killer is executed in
+                    calls:
+                      description: Calls where killer is executed in
                       items:
                         type: string
                       type: array
                   required:
-                  - syscalls
+                  - calls
                   type: object
                 type: array
               kprobes:

pkg/k8s/apis/cilium.io/v1alpha1/types.go

@@ -355,6 +355,6 @@ type PodInfoList struct {
 }
 
 type KillerSpec struct {
-	// syscalls where killer is executed in
-	Syscalls []string `json:"syscalls"`
+	// Calls where killer is executed in
+	Calls []string `json:"calls"`
 }

pkg/sensors/load.go

@@ -322,9 +322,15 @@ func loadInstance(bpfDir, mapDir string, load *program.Program, version, verbose
 	version = kernels.FixKernelVersion(version)
 	probe, ok := registeredProbeLoad[load.Type]
 	if ok {
-		logger.GetLogger().WithField("Program", load.Name).WithField("Type", load.Type).Info("Loading registered BPF probe")
+		logger.GetLogger().WithField("Program", load.Name).
+			WithField("Type", load.Type).
+			WithField("Attach", load.Attach).
+			Info("Loading registered BPF probe")
 	} else {
-		logger.GetLogger().WithField("Program", load.Name).WithField("Type", load.Type).Info("Loading BPF program")
+		logger.GetLogger().WithField("Program", load.Name).
+			WithField("Type", load.Type).
+			WithField("Attach", load.Attach).
+			Info("Loading BPF program")
 	}
 
 	switch load.Type {

pkg/sensors/tracing/generickprobe.go

@@ -311,6 +311,9 @@ func createMultiKprobeSensor(sensorPath string, multiIDs []idtable.EntryID) ([]*
 		maps = append(maps, socktrack)
 	}
 
+	killerDataMap := program.MapBuilderPin(killerDataMapName, killerDataMapName, load)
+	maps = append(maps, killerDataMap)
+
 	filterMap.SetMaxEntries(len(multiIDs))
 	configMap.SetMaxEntries(len(multiIDs))
 
@@ -858,6 +861,9 @@ func createKprobeSensorFromEntry(kprobeEntry *genericKprobe, sensorPath string,
 		maps = append(maps, socktrack)
 	}
 
+	killerDataMap := program.MapBuilderPin(killerDataMapName, killerDataMapName, load)
+	maps = append(maps, killerDataMap)
+
 	if kprobeEntry.loadArgs.retprobe {
 		pinRetProg := sensors.PathJoin(pinPath, fmt.Sprintf("%s_ret_prog", kprobeEntry.funcName))
 		loadret := program.Builder(

pkg/sensors/tracing/killer.go

@@ -108,7 +108,7 @@ func (kh *killerHandler) LoadProbe(args sensors.LoadProbeArgs) error {
 }
 
 // select proper override method based on configuration and spec options
-func selectOverrideMethod(specOpts *specOptions) (OverrideMethod, error) {
+func selectOverrideMethod(specOpts *specOptions, hasSyscall bool) (OverrideMethod, error) {
 	overrideMethod := specOpts.OverrideMethod
 	switch overrideMethod {
 	case OverrideMethodDefault:
@@ -125,7 +125,7 @@ func selectOverrideMethod(specOpts *specOptions) (OverrideMethod, error) {
 			return OverrideMethodInvalid, fmt.Errorf("option override return set, but it is not supported")
 		}
 	case OverrideMethodFmodRet:
-		if !bpf.HasModifyReturnSyscall() {
+		if !bpf.HasModifyReturn() || (hasSyscall && !bpf.HasModifyReturnSyscall()) {
 			return OverrideMethodInvalid, fmt.Errorf("option fmod_ret set, but it is not supported")
 		}
 	}
@@ -158,9 +158,11 @@ func (kh *killerHandler) createKillerSensor(
 
 	killer := killers[0]
 
+	var hasSyscall bool
+
 	// get all the syscalls
-	for idx := range killer.Syscalls {
-		sym := killer.Syscalls[idx]
+	for idx := range killer.Calls {
+		sym := killer.Calls[idx]
 		if strings.HasPrefix(sym, "list:") {
 			listName := sym[len("list:"):]
 
@@ -169,18 +171,34 @@ func (kh *killerHandler) createKillerSensor(
 				return nil, fmt.Errorf("Error list '%s' not found", listName)
 			}
 
-			if !isSyscallListType(list.Type) {
-				return nil, fmt.Errorf("Error list '%s' is not syscall type", listName)
-			}
 			kh.syscallsSyms = append(kh.syscallsSyms, list.Values...)
 			continue
 		}
 
-		pfxSym, err := arch.AddSyscallPrefix(sym)
-		if err != nil {
-			return nil, err
+		kh.syscallsSyms = append(kh.syscallsSyms, sym)
+	}
+
+	var err error
+
+	// fix syscalls
+	for idx, sym := range kh.syscallsSyms {
+		isPrefix := arch.HasSyscallPrefix(sym)
+		isSyscall := strings.HasPrefix(sym, "sys_")
+		isSecurity := strings.HasPrefix(sym, "security_")
+
+		if !isSyscall && !isSecurity && !isPrefix {
+			return nil, fmt.Errorf("killer sensor requires either syscall or security_ functions")
+		}
+
+		if isSyscall {
+			sym, err = arch.AddSyscallPrefix(sym)
+			if err != nil {
+				return nil, err
+			}
+			kh.syscallsSyms[idx] = sym
 		}
-		kh.syscallsSyms = append(kh.syscallsSyms, pfxSym)
+
+		hasSyscall = hasSyscall || isSyscall || isPrefix
 	}
 
 	// register killer sensor
@@ -197,7 +215,7 @@ func (kh *killerHandler) createKillerSensor(
 	}
 
 	// select proper override method based on configuration and spec options
-	overrideMethod, err := selectOverrideMethod(specOpts)
+	overrideMethod, err := selectOverrideMethod(specOpts, hasSyscall)
 	if err != nil {
 		return nil, err
 	}

pkg/sensors/tracing/killer_builder.go

@@ -124,7 +124,7 @@ func (ksb *KillerSpecBuilder) Build() (*v1alpha1.TracingPolicy, error) {
 			Validated: false,
 		})
 		killers = append(killers, v1alpha1.KillerSpec{
-			Syscalls: []string{listName},
+			Calls: []string{listName},
 		})
 	}