Kprobe: Add struct socket * config

security_socket_* functions take a struct socket * as an argument. We
don't currently support this type. This commit adds configuration for
the socket types.

Signed-off-by: Kevin Sheldrake <[email protected]>

pkg/selectors/kernel.go

@@ -642,8 +642,8 @@ func writeMatchValues(k *KernelSelectorState, values []string, ty, op uint32) er
 				return fmt.Errorf("MatchArgs value %s invalid: %w", v, err)
 			}
 			WriteSelectorUint64(&k.data, uint64(i))
-		case gt.GenericSockType, gt.GenericSkbType, gt.GenericSockaddrType, gt.GenericNetDev:
-			return fmt.Errorf("MatchArgs type sock, skb, sockaddr and net_device do not support operator %s", selectorOpStringTable[op])
+		case gt.GenericSockType, gt.GenericSkbType, gt.GenericSockaddrType, gt.GenericSocketType, gt.GenericNetDev:
+			return fmt.Errorf("MatchArgs type sock, socket, skb, sockaddr and net_device do not support operator %s", selectorOpStringTable[op])
 		case gt.GenericCharIovec:
 			return fmt.Errorf("MatchArgs values %s unsupported", v)
 		}
@@ -810,19 +810,19 @@ func ParseMatchArg(k *KernelSelectorState, arg *v1alpha1.ArgSelector, sig []v1al
 			return fmt.Errorf("writePostfixStrings error: %w", err)
 		}
 	case SelectorOpSport, SelectorOpDport, SelectorOpNotSport, SelectorOpNotDport, SelectorOpProtocol, SelectorOpFamily, SelectorOpState:
-		if ty != gt.GenericSockType && ty != gt.GenericSkbType && ty != gt.GenericSockaddrType {
-			return fmt.Errorf("sock/skb/sockaddr operators specified for non-sock/skb/sockaddr type")
+		if ty != gt.GenericSockType && ty != gt.GenericSkbType && ty != gt.GenericSockaddrType && ty != gt.GenericSocketType {
+			return fmt.Errorf("sock/socket/skb/sockaddr operators specified for non-sock/socket/skb/sockaddr type")
 		}
 		if ty == gt.GenericSockaddrType && (op == SelectorOpDport || op == SelectorOpNotDport || op == SelectorOpProtocol || op == SelectorOpState) {
 			return fmt.Errorf("sockaddr only supports [not]saddr, [not]sport[priv], and family")
 		}
-		err := writeMatchRangesInMap(k, arg.Values, gt.GenericU64Type, op) // force type for ports and protocols as ty is sock/skb/sockaddr
+		err := writeMatchRangesInMap(k, arg.Values, gt.GenericU64Type, op) // force type for ports and protocols as ty is sock/socket/skb/sockaddr
 		if err != nil {
 			return fmt.Errorf("writeMatchRangesInMap error: %w", err)
 		}
 	case SelectorOpSaddr, SelectorOpDaddr, SelectorOpNotSaddr, SelectorOpNotDaddr:
-		if ty != gt.GenericSockType && ty != gt.GenericSkbType && ty != gt.GenericSockaddrType {
-			return fmt.Errorf("sock/skb/sockaddr operators specified for non-sock/skb/sockaddr type")
+		if ty != gt.GenericSockType && ty != gt.GenericSkbType && ty != gt.GenericSockaddrType && ty != gt.GenericSocketType {
+			return fmt.Errorf("sock/socket/skb/sockaddr operators specified for non-sock/socket/skb/sockaddr type")
 		}
 		if ty == gt.GenericSockaddrType && (op == SelectorOpDaddr || op == SelectorOpNotDaddr) {
 			return fmt.Errorf("sockaddr only supports [not]saddr, [not]sport[priv], and family")
@@ -833,8 +833,8 @@ func ParseMatchArg(k *KernelSelectorState, arg *v1alpha1.ArgSelector, sig []v1al
 		}
 	case SelectorOpSportPriv, SelectorOpDportPriv, SelectorOpNotSportPriv, SelectorOpNotDportPriv:
 		// These selectors do not take any values, but we do check that they are only used for sock/skb.
-		if ty != gt.GenericSockType && ty != gt.GenericSkbType && ty != gt.GenericSockaddrType {
-			return fmt.Errorf("sock/skb/sockaddr operators specified for non-sock/skb/sockaddr type")
+		if ty != gt.GenericSockType && ty != gt.GenericSkbType && ty != gt.GenericSockaddrType && ty != gt.GenericSocketType {
+			return fmt.Errorf("sock/socket/skb/sockaddr operators specified for non-sock/socket/skb/sockaddr type")
 		}
 		if ty == gt.GenericSockaddrType && (op == SelectorOpDportPriv || op == SelectorOpNotDportPriv) {
 			return fmt.Errorf("sockaddr only supports [not]saddr, [not]sport[priv], and family")

pkg/selectors/kernel_test.go

@@ -224,6 +224,7 @@ func TestParseMatchArg(t *testing.T) {
 		v1alpha1.KProbeArg{Index: 7, Type: "skb", SizeArgIndex: 0, ReturnCopy: false},
 		v1alpha1.KProbeArg{Index: 8, Type: "sock", SizeArgIndex: 0, ReturnCopy: false},
 		v1alpha1.KProbeArg{Index: 9, Type: "sockaddr", SizeArgIndex: 0, ReturnCopy: false},
+		v1alpha1.KProbeArg{Index: 10, Type: "socket", SizeArgIndex: 0, ReturnCopy: false},
 	}
 
 	arg1 := &v1alpha1.ArgSelector{Index: 1, Operator: "Equal", Values: []string{"foobar"}}
@@ -333,6 +334,20 @@ func TestParseMatchArg(t *testing.T) {
 		t.Errorf("parseMatchArg: error %v expected %v bytes %v parsing %v\n", err, expected7, d.e[nextArg:d.off], arg7)
 	}
 
+	nextArg = d.off
+	arg8 := &v1alpha1.ArgSelector{Index: 10, Operator: "SAddr", Values: []string{"127.0.0.1", "::1/128"}}
+	expected8 := []byte{
+		0x0A, 0x00, 0x00, 0x00, // Index == 10
+		13, 0x00, 0x00, 0x00, // operator == saddr
+		16, 0x00, 0x00, 0x00, // length == 16
+		0x29, 0x00, 0x00, 0x00, // value type == socket
+		1, 0x00, 0x00, 0x00, // Addr4LPM mapid = 1
+		0x00, 0x00, 0x00, 0x00, // Addr6LPM mapid = 0
+	}
+	if err := ParseMatchArg(k, arg8, sig); err != nil || bytes.Equal(expected8, d.e[nextArg:d.off]) == false {
+		t.Errorf("parseMatchArg: error %v expected %v bytes %v parsing %v\n", err, expected8, d.e[nextArg:d.off], arg8)
+	}
+
 	if kernels.EnableLargeProgs() { // multiple match args are supported only in kernels >= 5.4
 		length := []byte{
 			108, 0x00, 0x00, 0x00,

pkg/sensors/tracing/args.go

@@ -241,7 +241,7 @@ func getArg(r *bytes.Reader, a argPrinter) api.MsgGenericKprobeArg {
 		arg.SecPathOLen = skb.SecPathOLen
 		arg.Label = a.label
 		return arg
-	case gt.GenericSockType:
+	case gt.GenericSockType, gt.GenericSocketType:
 		var sock api.MsgGenericKprobeSock
 		var arg api.MsgGenericKprobeArgSock
 

pkg/sensors/tracing/generictracepoint.go

@@ -879,7 +879,7 @@ func handleMsgGenericTracepoint(
 			arg.SecPathLen = skb.SecPathLen
 			arg.SecPathOLen = skb.SecPathOLen
 			unix.Args = append(unix.Args, arg)
-		case gt.GenericSockType:
+		case gt.GenericSockType, gt.GenericSocketType:
 			var sock api.MsgGenericKprobeSock
 			var arg api.MsgGenericKprobeArgSock