diff --git a/bpf/lib/process.h b/bpf/lib/process.h
index d2876fb6fe6..21beb689847 100644
--- a/bpf/lib/process.h
+++ b/bpf/lib/process.h
@@ -366,7 +366,7 @@ struct {
 struct {
 __uint(type, BPF_MAP_TYPE_HASH);
- __uint(max_entries, 32768);
+ __uint(max_entries, 1);
 __type(key, __u32);
 __type(value, struct execve_map_value);
 } execve_map SEC(".maps");
diff --git a/pkg/sensors/base/base.go b/pkg/sensors/base/base.go
index dc8cf106fbb..395f2663759 100644
--- a/pkg/sensors/base/base.go
+++ b/pkg/sensors/base/base.go
@@ -5,6 +5,9 @@ package base
 import (
 "log"
+ "os"
+ "strconv"
+ "strings"
 "sync"
 "testing"
@@ -55,7 +58,7 @@ var (
 /* Event Ring map */
 TCPMonMap = program.MapBuilder("tcpmon_map", Execve)
 /* Networking and Process Monitoring maps */
- ExecveMap = program.MapBuilder("execve_map", Execve)
+ ExecveMap = program.MapBuilder("execve_map", Execve, Exit, Fork, ExecveBprmCommit)
 ExecveTailCallsMap = program.MapBuilderProgram("execve_calls", Execve)
 ExecveJoinMap = program.MapBuilder("tg_execve_joined_info_map", ExecveBprmCommit)
@@ -73,7 +76,17 @@ var (
 ErrMetricsMap = program.MapBuilder(errmetrics.MapName, Execve)
 )
-func setupPrograms() {
+func readFileDefault(path string, def int64) int64 {
+ if data, err := os.ReadFile(path); err == nil {
+ str := strings.TrimRight(string(data), "\n")
+ if val, err := strconv.ParseInt(str, 10, 32); err == nil {
+ return val
+ }
+ }
+ return def
+}
+
+func setupSensor() {
 // exit program function
 ks, err := ksyms.KernelSymbols()
 if err == nil {
@@ -92,6 +105,10 @@ func setupPrograms() {
 }
 }
 logger.GetLogger().Infof("Exit probe on %s", Exit.Attach)
+
+ threads := readFileDefault("/proc/sys/kernel/threads-max", 32768)
+ ExecveMap.SetMaxEntries(int(threads))
+ logger.GetLogger().Infof("Set execve_map entries %d", threads)
 }
 func GetExecveMap() *program.Map {
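Review bot: The new `__uint(max_entries, 1)` is a placeholder whose real size is only supplied from user space (the `ExecveMap.SetMaxEntries` call added in pkg/sensors/base/base.go), but nothing at the definition says so, and anything that loads this object without going through that loader ends up with a one-entry execve_map. I'd add a comment above the map, e.g. `/* max_entries is a placeholder; the Go loader resizes execve_map from kernel.threads-max before loading. */`, so the next reader does not "fix" the 1 back to a real number. The struct definition starts before the hunk.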
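Review bot: `readFileDefault` falls back to `def` silently on every failure — unreadable file, empty content, trailing whitespace other than a single `\n`, or a value that does not fit in 32 bits — so a sizing problem leaves no trace in the logs even though the result decides the size of a kernel-side map. I'd log the error at debug level before returning `def`, and use `strings.TrimSpace(string(data))` instead of `strings.TrimRight(string(data), "\n")` so a trailing space or `\r` does not make ParseInt fail. Parsing with bitSize 32 and then returning `int64` is also a little surprising; parsing with 64 and letting the caller bound the value reads more naturally. The function has no doc comment; `// readFileDefault parses a decimal integer from path, returning def if the file cannot be read or parsed.` would do.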
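Review bot: `ExecveMap.SetMaxEntries(int(threads))` takes `/proc/sys/kernel/threads-max` verbatim with no lower or upper bound; threads-max is an administrator-tunable sysctl that reaches into the millions on large hosts, so the execve_map hash (one `struct execve_map_value` per entry) would reserve a correspondingly large amount of kernel memory at load time, and a value of 0 or less would be passed straight through. I'd clamp it, e.g. `if threads < 1 || threads > maxExecveMapEntries { threads = 32768 }` with `maxExecveMapEntries` a project-chosen constant ([placeholder], to be picked against the entry size), and ideally expose the size as a command-line option so operators can override the autodetected value. The former BPF-side default 32768 now survives only as the literal passed to `readFileDefault`; a named constant would document where it comes from. `setupSensor` begins in the previous hunk.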
@@ -137,7 +154,7 @@ func initBaseSensor() *sensors.Sensor {
 sensor := sensors.Sensor{
 Name: basePolicy,
 }
- setupPrograms()
+ setupSensor()
 sensor.Progs = GetDefaultPrograms()
 sensor.Maps = GetDefaultMaps()
 return ApplyExtensions(&sensor)
diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go
index 0b7a7f97222..e9587c7fb53 100644
--- a/pkg/sensors/tracing/generickprobe.go
+++ b/pkg/sensors/tracing/generickprobe.go
@@ -35,6 +35,7 @@ import (
 "github.com/cilium/tetragon/pkg/policyfilter"
 "github.com/cilium/tetragon/pkg/selectors"
 "github.com/cilium/tetragon/pkg/sensors"
+ "github.com/cilium/tetragon/pkg/sensors/base"
 "github.com/cilium/tetragon/pkg/sensors/program"
 lru "github.com/hashicorp/golang-lru/v2"
 "github.com/sirupsen/logrus"
@@ -379,6 +380,8 @@ func createMultiKprobeSensor(policyName string, multiIDs []idtable.EntryID, has
 }
 maps = append(maps, overrideTasksMap)
+ maps = append(maps, program.MapUser(base.ExecveMap.Name, load))
+
 if len(multiRetIDs) != 0 {
 loadret := program.Builder(
 path.Join(option.Config.HubbleLib, loadProgRetName),
@@ -419,6 +422,8 @@ func createMultiKprobeSensor(policyName string, multiIDs []idtable.EntryID, has
 retConfigMap.SetMaxEntries(len(multiRetIDs))
 retFilterMap.SetMaxEntries(len(multiRetIDs))
+
+ maps = append(maps, program.MapUser(base.ExecveMap.Name, loadret))
 }
 return progs, maps, nil
@@ -1007,6 +1012,8 @@ func createKprobeSensorFromEntry(kprobeEntry *genericKprobe,
 }
 maps = append(maps, overrideTasksMap)
+ maps = append(maps, program.MapUser(base.ExecveMap.Name, load))
+
 if kprobeEntry.loadArgs.retprobe {
 pinRetProg := sensors.PathJoin(fmt.Sprintf("%s_return", kprobeEntry.funcName))
 if kprobeEntry.instance != 0 {
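Review bot: The execve_map user registration is written two different ways in this commit: here and in the hunks at 419, 1007 and 1058 each program gets its own `maps = append(maps, program.MapUser(base.ExecveMap.Name, ...))`, while genericlsm.go passes both programs to a single call, `program.MapUser(base.ExecveMap.Name, load, loadOutput)`. Since MapUser accepts several programs, collecting `load` and `loadret` into one call inside the retprobe branch would match the LSM code and avoid two `maps` entries carrying the same map name, whose handling by the loader is not visible here. The same line is also repeated in seven places across four files; a small helper in base, e.g. `func ExecveMapUser(progs ...*program.Program) *program.Map { return program.MapUser(ExecveMap.Name, progs...) }`, would keep the map name and the base-package coupling in one place. createMultiKprobeSensor starts and ends outside this hunk.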
@@ -1051,6 +1058,7 @@ func createKprobeSensorFromEntry(kprobeEntry *genericKprobe,
 socktrack := program.MapBuilderSensor("socktrack_map", loadret)
 maps = append(maps, socktrack)
 }
+ maps = append(maps, program.MapUser(base.ExecveMap.Name, loadret))
 }
 logger.GetLogger().WithField("override", kprobeEntry.hasOverride).
diff --git a/pkg/sensors/tracing/genericlsm.go b/pkg/sensors/tracing/genericlsm.go
index 699ba08b2ea..3bcc5f573eb 100644
--- a/pkg/sensors/tracing/genericlsm.go
+++ b/pkg/sensors/tracing/genericlsm.go
@@ -27,6 +27,7 @@ import (
 "github.com/cilium/tetragon/pkg/policyfilter"
 "github.com/cilium/tetragon/pkg/selectors"
 "github.com/cilium/tetragon/pkg/sensors"
+ "github.com/cilium/tetragon/pkg/sensors/base"
 "github.com/cilium/tetragon/pkg/sensors/program"
 )
@@ -518,6 +519,8 @@ func createLsmSensorFromEntry(lsmEntry *genericLsm,
 overrideTasksMapOutput := program.MapBuilderProgram("override_tasks", loadOutput)
 maps = append(maps, overrideTasksMapOutput)
+ maps = append(maps, program.MapUser(base.ExecveMap.Name, load, loadOutput))
+
 logger.GetLogger().
 Infof("Added generic lsm sensor: %s -> %s", load.Name, load.Attach)
 return progs, maps
diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go
index 2ddab7967ea..31231601a79 100644
--- a/pkg/sensors/tracing/generictracepoint.go
+++ b/pkg/sensors/tracing/generictracepoint.go
@@ -29,6 +29,7 @@ import (
 "github.com/cilium/tetragon/pkg/reader/network"
 "github.com/cilium/tetragon/pkg/selectors"
 "github.com/cilium/tetragon/pkg/sensors"
+ "github.com/cilium/tetragon/pkg/sensors/base"
 "github.com/cilium/tetragon/pkg/sensors/program"
 "github.com/cilium/tetragon/pkg/syscallinfo"
 "github.com/cilium/tetragon/pkg/tracepoint"
@@ -581,6 +582,8 @@ func createGenericTracepointSensor(
 selMatchBinariesMap := program.MapBuilderProgram("tg_mb_sel_opts", prog0)
 maps = append(maps, selMatchBinariesMap)
+
+ maps = append(maps, program.MapUser(base.ExecveMap.Name, prog0))
 }
 ret.Progs = progs
diff --git a/pkg/sensors/tracing/genericuprobe.go b/pkg/sensors/tracing/genericuprobe.go
index 3406ff772e7..3819cd55b67 100644
--- a/pkg/sensors/tracing/genericuprobe.go
+++ b/pkg/sensors/tracing/genericuprobe.go
@@ -24,6 +24,7 @@ import (
 "github.com/cilium/tetragon/pkg/option"
 "github.com/cilium/tetragon/pkg/selectors"
 "github.com/cilium/tetragon/pkg/sensors"
+ "github.com/cilium/tetragon/pkg/sensors/base"
 "github.com/cilium/tetragon/pkg/sensors/program"
 )
@@ -420,6 +421,7 @@ func createMultiUprobeSensor(sensorPath string, multiIDs []idtable.EntryID, poli
 filterMap := program.MapBuilderProgram("filter_map", load)
 maps = append(maps, configMap, tailCalls, filterMap)
+ maps = append(maps, program.MapUser(base.ExecveMap.Name, load))
 filterMap.SetMaxEntries(len(multiIDs))
 configMap.SetMaxEntries(len(multiIDs))
@@ -473,5 +475,6 @@ func createUprobeSensorFromEntry(uprobeEntry *genericUprobe,
 filterMap := program.MapBuilderProgram("filter_map", load)
 selMatchBinariesMap := program.MapBuilderProgram("tg_mb_sel_opts", load)
 maps = append(maps, configMap, tailCalls, filterMap, selMatchBinariesMap)
+ maps = append(maps, program.MapUser(base.ExecveMap.Name, load))
 return progs, maps
 }
diff --git a/pkg/sensors/tracing/loader.go b/pkg/sensors/tracing/loader.go
index 43fe98d0df6..78133980ef5 100644
--- a/pkg/sensors/tracing/loader.go
+++ b/pkg/sensors/tracing/loader.go
@@ -42,6 +42,7 @@ import (
 "github.com/cilium/tetragon/pkg/observer"
 "github.com/cilium/tetragon/pkg/policyfilter"
 "github.com/cilium/tetragon/pkg/sensors"
+ "github.com/cilium/tetragon/pkg/sensors/base"
 "github.com/cilium/tetragon/pkg/sensors/program"
 "github.com/cilium/tetragon/pkg/strutils"
 "github.com/cilium/tetragon/pkg/tracingpolicy"
@@ -67,7 +68,8 @@ var (
 "loader",
 )
- idsMap = program.MapBuilder("ids_map", loader)
+ idsMap = program.MapBuilder("ids_map", loader)
+ execveMap = program.MapUser(base.ExecveMap.Name, loader)
 loaderEnabled bool
@@ -104,7 +106,7 @@ func GetLoaderSensor() *sensors.Sensor {
 return &sensors.Sensor{
 Name: "__loader__",
 Progs: []*program.Program{loader},
- Maps: []*program.Map{idsMap},
+ Maps: []*program.Map{idsMap, execveMap},
 }
 }