Kprobe: Add test and examples for new types

The sockaddr and socket types were added. This commit adds a test and two example policies. Signed-off-by: Kevin Sheldrake <[email protected]>
cilium · Jan 30, 2025 · 2865fb0 · 2865fb0
1 parent a755275
commit 2865fb0
Show file tree

Hide file tree

Showing 4 changed files with 180 additions and 1 deletion.
diff --git a/docs/content/en/docs/concepts/tracing-policy/selectors.md b/docs/content/en/docs/concepts/tracing-policy/selectors.md
@@ -1591,7 +1591,8 @@ The operator `Prefix` checks if the certain argument starts with the defined val
 while the operator `Postfix` compares if the argument matches to the defined value
 as trailing.
 
-The operators relating to ports, addresses and protocol are used with sock or skb
+The operators relating to ports, addresses and protocol are used with sock, skb,
+sockaddr and socket
 types. Port operators can accept a range of ports specified as `min:max` as well
 as lists of individual ports. Address operators can accept IPv4/6 CIDR ranges as well
 as lists of individual addresses.

diff --git a/examples/tracingpolicy/security-socket-connect-block-others.yaml b/examples/tracingpolicy/security-socket-connect-block-others.yaml
@@ -0,0 +1,58 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "security-socket-connect"
+spec:
+  kprobes:
+  - call: "security_socket_connect"
+    syscall: false
+    args:
+    - index: 0
+      type: "socket"
+    - index: 1
+      type: "sockaddr"
+    - index: 2
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Protocol"
+        values:
+        - "IPPROTO_TCP"
+      - index: 1
+        operator: "Family"
+        values:
+        - "AF_INET"
+        - "AF_INET6"
+      - index: 1
+        operator: "SAddr"
+        values:
+        - "192.168.1.1"
+      - index: 1
+        operator: "SPort"
+        values:
+        - 80
+      matchBinaries:
+      - operator: "In"
+        values:
+        - "/usr/bin/curl"
+      matchActions:
+      - action: Post
+    - matchArgs:
+      - index: 0
+        operator: "Protocol"
+        values:
+        - "IPPROTO_TCP"
+      - index: 1
+        operator: "Family"
+        values:
+        - "AF_INET"
+        - "AF_INET6"
+      matchBinaries:
+      - operator: "In"
+        values:
+        - "/usr/bin/curl"
+      matchActions:
+      - action: "Override"
+        argError: 1
+
diff --git a/examples/tracingpolicy/security-socket-connect.yaml b/examples/tracingpolicy/security-socket-connect.yaml
@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "security-socket-connect"
+spec:
+  kprobes:
+  - call: "security_socket_connect"
+    syscall: false
+    args:
+    - index: 1
+      type: "sockaddr"
+    - index: 2
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 1
+        operator: "Family"
+        values:
+        - "AF_INET"
+        - "AF_INET6"
diff --git a/pkg/sensors/tracing/kprobe_test.go b/pkg/sensors/tracing/kprobe_test.go
@@ -5599,6 +5599,106 @@ spec:
 	assert.NoError(t, err)
 }
 
+func TestKprobeSocketAndSockaddr(t *testing.T) {
+	var doneWG, readyWG sync.WaitGroup
+	defer doneWG.Wait()
+
+	ctx, cancel := context.WithTimeout(context.Background(), tus.Conf().CmdWaitTime)
+	defer cancel()
+
+	hookFull := `apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "security-socket-connect"
+spec:
+  kprobes:
+  - call: "security_socket_connect"
+    syscall: false
+    args:
+    - index: 0
+      type: "socket"
+    - index: 1
+      type: "sockaddr"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Protocol"
+        values:
+        - "IPPROTO_TCP"
+      - index: 1
+        operator: "SAddr"
+        values:
+        - "127.0.0.1"
+      - index: 1
+        operator: "SPort"
+        values:
+        - "9919"
+      - index: 1
+        operator: "Family"
+        values:
+        - "AF_INET"
+`
+	hookPart := `apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "security-socket-connect"
+spec:
+  kprobes:
+  - call: "security_socket_connect"
+    syscall: false
+    args:
+    - index: 0
+      type: "socket"
+    - index: 1
+      type: "sockaddr"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Protocol"
+        values:
+        - "IPPROTO_TCP"
+`
+
+	if kernels.EnableLargeProgs() {
+		createCrdFile(t, hookFull)
+	} else {
+		createCrdFile(t, hookPart)
+	}
+
+	obs, err := observertesthelper.GetDefaultObserverWithFile(t, ctx, testConfigFile, tus.Conf().TetragonLib)
+	if err != nil {
+		t.Fatalf("GetDefaultObserverWithFile error: %s", err)
+	}
+	observertesthelper.LoopEvents(ctx, t, &doneWG, &readyWG, obs)
+	readyWG.Wait()
+
+	tcpReady := make(chan bool)
+	go miniTcpNopServer(tcpReady)
+	<-tcpReady
+	addr, err := net.ResolveTCPAddr("tcp", "127.0.0.1:9919")
+	assert.NoError(t, err)
+	_, err = net.DialTCP("tcp", nil, addr)
+	assert.NoError(t, err)
+
+	kpChecker := ec.NewProcessKprobeChecker("security-socket-connect-checker").
+		WithFunctionName(sm.Full("security_socket_connect")).
+		WithArgs(ec.NewKprobeArgumentListMatcher().
+			WithValues(
+				ec.NewKprobeArgumentChecker().WithSockaddrArg(ec.NewKprobeSockaddrChecker().
+					WithAddr(sm.Full("127.0.0.1")).
+					WithPort(9919).
+					WithFamily(sm.Full("AF_INET"))),
+				ec.NewKprobeArgumentChecker().WithSockArg(ec.NewKprobeSockChecker().
+					WithProtocol(sm.Full("IPPROTO_TCP")),
+				),
+			))
+
+	checker := ec.NewUnorderedEventChecker(kpChecker)
+
+	err = jsonchecker.JsonTestCheck(t, checker)
+	assert.NoError(t, err)
+}
+
 func TestKprobeSkb(t *testing.T) {
 	var doneWG, readyWG sync.WaitGroup
 	defer doneWG.Wait()