diff --git a/bpf/lib/process.h b/bpf/lib/process.h
index 3ced405f60e..240c8145eb4 100644
--- a/bpf/lib/process.h
+++ b/bpf/lib/process.h
@@ -366,7 +366,7 @@ struct {
 struct {
 __uint(type, BPF_MAP_TYPE_HASH);
- __uint(max_entries, 32768);
+ __uint(max_entries, 1);
 __type(key, __u32);
 __type(value, struct execve_map_value);
 } execve_map SEC(".maps");
diff --git a/pkg/sensors/base/base.go b/pkg/sensors/base/base.go
index dc8cf106fbb..f080fde22a5 100644
--- a/pkg/sensors/base/base.go
+++ b/pkg/sensors/base/base.go
@@ -17,6 +17,10 @@ import (
 "github.com/cilium/tetragon/pkg/sensors/program"
 )
+const (
+ execveMapMaxEntries = 32768
+)
+
 var (
 basePolicy = "__base__"
@@ -55,7 +59,7 @@ var (
 /* Event Ring map */
 TCPMonMap = program.MapBuilder("tcpmon_map", Execve)
 /* Networking and Process Monitoring maps */
- ExecveMap = program.MapBuilder("execve_map", Execve)
+ ExecveMap = program.MapBuilder("execve_map", Execve, Exit, Fork, ExecveBprmCommit)
 ExecveTailCallsMap = program.MapBuilderProgram("execve_calls", Execve)
 ExecveJoinMap = program.MapBuilder("tg_execve_joined_info_map", ExecveBprmCommit)
@@ -73,7 +77,7 @@ var (
 ErrMetricsMap = program.MapBuilder(errmetrics.MapName, Execve)
 )
-func setupPrograms() {
+func setupSensor() {
 // exit program function
 ks, err := ksyms.KernelSymbols()
 if err == nil {
@@ -92,6 +96,8 @@ func setupPrograms() {
 }
 }
 logger.GetLogger().Infof("Exit probe on %s", Exit.Attach)
+
+ ExecveMap.SetMaxEntries(execveMapMaxEntries)
 }
 func GetExecveMap() *program.Map {
@@ -137,7 +143,7 @@ func initBaseSensor() *sensors.Sensor {
 sensor := sensors.Sensor{
 Name: basePolicy,
 }
- setupPrograms()
+ setupSensor()
 sensor.Progs = GetDefaultPrograms()
 sensor.Maps = GetDefaultMaps()
 return ApplyExtensions(&sensor)
diff --git a/pkg/sensors/test/cgroups.go b/pkg/sensors/test/cgroups.go
index 7c98bb2a40e..4eded504093 100644
--- a/pkg/sensors/test/cgroups.go
+++ b/pkg/sensors/test/cgroups.go
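Review bot: In bpf/lib/process.h, `__uint(max_entries, 1);` on execve_map is now a placeholder, but nothing on the line says so, and the real capacity lives only in `execveMapMaxEntries` in pkg/sensors/base/base.go. If any load path creates the map without `ExecveMap.SetMaxEntries` having been applied, it would hold a single process entry and, presumably, lookups for every other process would fail quietly; for a security sensor that is a visibility gap rather than a load error. I would add a comment above the line, `/* placeholder: resized from userspace before load, see base.setupSensor */`, and consider having the loader warn when execve_map is created with max_entries still 1.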
@@ -5,6 +5,7 @@ package test
 import (
 "github.com/cilium/tetragon/pkg/sensors"
+ "github.com/cilium/tetragon/pkg/sensors/base"
 "github.com/cilium/tetragon/pkg/sensors/program"
 )
@@ -53,6 +54,7 @@ func getCgroupPrograms() []*program.Program {
 func getCgroupMaps() []*program.Map {
 maps := []*program.Map{
 GetCgroupsTrackingMap(),
+ program.MapUserFrom(base.ExecveMap),
 }
 return maps
 }
diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go
index 40a22551938..1465608565c 100644
--- a/pkg/sensors/tracing/generickprobe.go
+++ b/pkg/sensors/tracing/generickprobe.go
@@ -35,6 +35,7 @@ import (
 "github.com/cilium/tetragon/pkg/policyfilter"
 "github.com/cilium/tetragon/pkg/selectors"
 "github.com/cilium/tetragon/pkg/sensors"
+ "github.com/cilium/tetragon/pkg/sensors/base"
 "github.com/cilium/tetragon/pkg/sensors/program"
 lru "github.com/hashicorp/golang-lru/v2"
 "github.com/sirupsen/logrus"
@@ -665,6 +666,8 @@ func createGenericKprobeSensor(
 return nil, err
 }
+ maps = append(maps, program.MapUserFrom(base.ExecveMap))
+
 return &sensors.Sensor{
 Name: name,
 Progs: progs,
diff --git a/pkg/sensors/tracing/genericlsm.go b/pkg/sensors/tracing/genericlsm.go
index 1f2a59268fd..a00da783f31 100644
--- a/pkg/sensors/tracing/genericlsm.go
+++ b/pkg/sensors/tracing/genericlsm.go
@@ -27,6 +27,7 @@ import (
 "github.com/cilium/tetragon/pkg/policyfilter"
 "github.com/cilium/tetragon/pkg/selectors"
 "github.com/cilium/tetragon/pkg/sensors"
+ "github.com/cilium/tetragon/pkg/sensors/base"
 "github.com/cilium/tetragon/pkg/sensors/program"
 )
@@ -364,6 +365,8 @@ func createGenericLsmSensor(
 return nil, err
 }
+ maps = append(maps, program.MapUserFrom(base.ExecveMap))
+
 return &sensors.Sensor{
 Name: name,
 Progs: progs,
diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go
index 0c991a65e5d..a2ec9e431db 100644
--- a/pkg/sensors/tracing/generictracepoint.go
+++ b/pkg/sensors/tracing/generictracepoint.go
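Review bot: The added line `maps = append(maps, program.MapUserFrom(base.ExecveMap))` in createGenericKprobeSensor has no comment, and the same line is repeated in createGenericLsmSensor, createGenericTracepointSensor and createGenericUprobeSensor (and as a literal entry in getCgroupMaps). A reader cannot tell from these hunks why every sensor has to register execve_map, or what breaks if a sensor added later forgets to. I would put a one-line comment at each site, e.g. `// execve_map is owned by the base sensor; register as a user so this sensor shares it` (wording to be confirmed against MapUserFrom's semantics, which are not shown), or wrap the call in a small helper in package base so the reason is documented once. createGenericKprobeSensor starts and ends outside the hunk.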
@@ -29,6 +29,7 @@ import (
 "github.com/cilium/tetragon/pkg/reader/network"
 "github.com/cilium/tetragon/pkg/selectors"
 "github.com/cilium/tetragon/pkg/sensors"
+ "github.com/cilium/tetragon/pkg/sensors/base"
 "github.com/cilium/tetragon/pkg/sensors/program"
 "github.com/cilium/tetragon/pkg/syscallinfo"
 "github.com/cilium/tetragon/pkg/tracepoint"
@@ -583,6 +584,8 @@ func createGenericTracepointSensor(
 maps = append(maps, selMatchBinariesMap)
 }
+ maps = append(maps, program.MapUserFrom(base.ExecveMap))
+
 ret.Progs = progs
 ret.Maps = maps
 return ret, nil
diff --git a/pkg/sensors/tracing/genericuprobe.go b/pkg/sensors/tracing/genericuprobe.go
index b830b6ef644..d924769ca65 100644
--- a/pkg/sensors/tracing/genericuprobe.go
+++ b/pkg/sensors/tracing/genericuprobe.go
@@ -24,6 +24,7 @@ import (
 "github.com/cilium/tetragon/pkg/option"
 "github.com/cilium/tetragon/pkg/selectors"
 "github.com/cilium/tetragon/pkg/sensors"
+ "github.com/cilium/tetragon/pkg/sensors/base"
 "github.com/cilium/tetragon/pkg/sensors/program"
 )
@@ -284,6 +285,8 @@ func createGenericUprobeSensor(
 return nil, err
 }
+ maps = append(maps, program.MapUserFrom(base.ExecveMap))
+
 return &sensors.Sensor{
 Name: name,
 Progs: progs,
diff --git a/pkg/sensors/tracing/loader.go b/pkg/sensors/tracing/loader.go
index 1e1e7b3e8af..5b39128be15 100644
--- a/pkg/sensors/tracing/loader.go
+++ b/pkg/sensors/tracing/loader.go
@@ -42,6 +42,7 @@ import (
 "github.com/cilium/tetragon/pkg/observer"
 "github.com/cilium/tetragon/pkg/policyfilter"
 "github.com/cilium/tetragon/pkg/sensors"
+ "github.com/cilium/tetragon/pkg/sensors/base"
 "github.com/cilium/tetragon/pkg/sensors/program"
 "github.com/cilium/tetragon/pkg/strutils"
 "github.com/cilium/tetragon/pkg/tracingpolicy"
@@ -67,7 +68,8 @@ var (
 "loader",
 )
- idsMap = program.MapBuilder("ids_map", loader)
+ idsMap = program.MapBuilder("ids_map", loader)
+ execveMap = program.MapUserFrom(base.ExecveMap)
 loaderEnabled bool
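Review bot: In loader.go the new package-level `execveMap = program.MapUserFrom(base.ExecveMap)` is evaluated during package initialisation, whereas `ExecveMap.SetMaxEntries(execveMapMaxEntries)` only runs later, inside setupSensor. MapUserFrom is not shown in this diff, so if it copies the owner's settings at call time instead of keeping a reference, this user map would not see the 32768 size. The four generic sensors call MapUserFrom at sensor-creation time instead. For consistency I would drop the variable and build the entry in GetLoaderSensor: `Maps: []*program.Map{idsMap, program.MapUserFrom(base.ExecveMap)},`. The `var (` block starts and ends outside the hunk.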
@@ -104,7 +106,7 @@ func GetLoaderSensor() *sensors.Sensor {
 return &sensors.Sensor{
 Name: "__loader__",
 Progs: []*program.Program{loader},
- Maps: []*program.Map{idsMap},
+ Maps: []*program.Map{idsMap, execveMap},
 }
 }