From 5291df74c0327570a6e5a4231ac95448ac01e6a5 Mon Sep 17 00:00:00 2001 From: Kornilios Kourtis Date: Mon, 7 Oct 2024 14:57:13 +0200 Subject: [PATCH 01/12] bpf/Makefile: fix deps for enforcer DEPSDIR has a trailing slash so $(DEPSDIR)/foo.d does not match the dependency file and the rule is ignored. Fix this. Signed-off-by: Kornilios Kourtis --- bpf/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bpf/Makefile b/bpf/Makefile index 77ff1d2267e..df701b80681 100644 --- a/bpf/Makefile +++ b/bpf/Makefile @@ -109,14 +109,14 @@ $(DEPSDIR)bpf_enforcer.d: process/bpf_enforcer.c objs/bpf_multi_enforcer.ll: process/bpf_enforcer.c $(CLANG) $(CLANG_FLAGS) -D__BPF_OVERRIDE_RETURN -D__MULTI_KPROBE -c $< -o $@ -$(DEPSDIR)/bpf_multi_enforcer.d: process/bpf_enforcer.c +$(DEPSDIR)bpf_multi_enforcer.d: process/bpf_enforcer.c $(CLANG) $(CLANG_FLAGS) -D__BPF_OVERRIDE_RETURN -D__MULTI_KPROBE -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@ ## bpf_fmodret_enforcer no bpf_override_return: we need fmod_ret objs/bpf_fmodret_enforcer.ll: process/bpf_enforcer.c $(CLANG) $(CLANG_FLAGS) -c $< -o $@ -$(DEPSDIR)/bpf_fmodret_enforcer.d: process/bpf_enforcer.c +$(DEPSDIR)bpf_fmodret_enforcer.d: process/bpf_enforcer.c $(CLANG) $(CLANG_FLAGS) -MM -MP -MT $(patsubst $(DEPSDIR)%.d, $(OBJSDIR)%.ll, $@) $< > $@ # PROCESSDIR From c72a5289c5c5fd0325da5dbeaad241aa002e7187 Mon Sep 17 00:00:00 2001 From: Kornilios Kourtis Date: Fri, 11 Oct 2024 12:15:46 +0200 Subject: [PATCH 02/12] sensors: add AddPostUnloadHook method Add an AddPostUnloadHook that allows multiple components to add a PostUnloadHook to a sensor. Signed-off-by: Kornilios Kourtis --- pkg/sensors/sensors.go | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/pkg/sensors/sensors.go b/pkg/sensors/sensors.go index 6f087dbe931..7f927183b06 100644 --- a/pkg/sensors/sensors.go +++ b/pkg/sensors/sensors.go @@ -4,6 +4,7 @@ package sensors import ( + "errors" "fmt" "strings" "sync" 
@@ -69,6 +70,20 @@ type Sensor struct { DestroyHook SensorHook } +func (s *Sensor) AddPostUnloadHook(hook SensorHook) { + if s.PostUnloadHook == nil { + s.PostUnloadHook = hook + return + } + + oldUnloadHook := s.PostUnloadHook + s.PostUnloadHook = func() error { + err1 := oldUnloadHook() + err2 := hook() + return errors.Join(err1, err2) + } +} + func sanitize(name string) string { return strings.ReplaceAll(name, "/", "_") } From 0f45fae4dba3a3802019bd8191a5291274f1424f Mon Sep 17 00:00:00 2001 From: Kornilios Kourtis Date: Fri, 11 Oct 2024 12:21:02 +0200 Subject: [PATCH 03/12] enforcer map: distinguish between owner and user Add helpers for enforcer map. Currently, there is only one map but a susbsequent commit will introduce another one. Have two calls: one for the enforcer sensor, which is the owner of the map and one for the kprobe sensors which are the users. Signed-off-by: Kornilios Kourtis --- pkg/sensors/tracing/enforcer.go | 17 +++++++++++------ pkg/sensors/tracing/generickprobe.go | 8 ++------ pkg/sensors/tracing/generictracepoint.go | 4 +--- 3 files changed, 14 insertions(+), 15 deletions(-) diff --git a/pkg/sensors/tracing/enforcer.go b/pkg/sensors/tracing/enforcer.go index b576bef93cd..045a1de77a5 100644 --- a/pkg/sensors/tracing/enforcer.go +++ b/pkg/sensors/tracing/enforcer.go 
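Review bot: `AddPostUnloadHook` is exported but carries no doc comment, and the contract it builds is not visible at the call site: the previously registered hook runs first, the new one runs even when the first failed, and both errors come back through `errors.Join`. Suggest `// AddPostUnloadHook appends hook to the sensor's PostUnloadHook. Hooks run in registration order, each runs even if an earlier one failed, and their errors are joined.` above the method. The field is written without any synchronisation, so if a Sensor can be reached from another goroutine once published, the comment should also say the method must be called before the sensor is loaded.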
@@ -49,8 +49,16 @@ func init() { sensors.RegisterPolicyHandlerAtInit("enforcer", gEnforcerPolicy) } -func enforcerMap(load ...*program.Program) *program.Map { - return program.MapBuilderPolicy(enforcerDataMapName, load...) +func enforcerMapsUser(load ...*program.Program) []*program.Map { + edm := program.MapUserPolicy(enforcerDataMapName, load...) + edm.SetMaxEntries(enforcerMapMaxEntries) + return []*program.Map{edm} +} + +func enforcerMaps(load ...*program.Program) []*program.Map { + edm := program.MapBuilderPolicy(enforcerDataMapName, load...) + edm.SetMaxEntries(enforcerMapMaxEntries) + return []*program.Map{edm} } func (kp *enforcerPolicy) enforcerGet(name string) (*enforcerHandler, bool) { @@ -313,10 +321,7 @@ func (kp *enforcerPolicy) createEnforcerSensor( return nil, fmt.Errorf("unexpected override method: %d", overrideMethod) } - enforcerDataMap := enforcerMap(progs...) - enforcerDataMap.SetMaxEntries(enforcerMapMaxEntries) - - maps = append(maps, enforcerDataMap) + maps = append(maps, enforcerMaps(progs...)...) if ok := kp.enforcerAdd(policyName, kh); !ok { return nil, fmt.Errorf("failed to add enforcer: '%s'", policyName) diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go index f2e5bc33c47..cd01332e1f9 100644 --- a/pkg/sensors/tracing/generickprobe.go +++ b/pkg/sensors/tracing/generickprobe.go @@ -362,10 +362,8 @@ func createMultiKprobeSensor(policyName string, multiIDs []idtable.EntryID, has maps = append(maps, ratelimitMap) } - enforcerDataMap := enforcerMap(load) if has.enforcer { - enforcerDataMap.SetMaxEntries(enforcerMapMaxEntries) - maps = append(maps, enforcerDataMap) + maps = append(maps, enforcerMapsUser(load)...) } filterMap.SetMaxEntries(len(multiIDs)) 
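Review bot: `enforcerMapsUser` and `enforcerMaps` are identical except for `MapUserPolicy` versus `MapBuilderPolicy`, and neither says which sensor is meant to call which; the owner/user split is explained only in the commit message. Suggest `// enforcerMaps builds the enforcer maps; only the enforcer sensor, which owns them, should call this.` and `// enforcerMapsUser references the enforcer maps owned by the enforcer sensor; for the kprobe and tracepoint sensors.` The user variant only works if the owner's map is already loaded, and nothing in this file enforces that ordering, so the comment should state the requirement explicitly. The generickprobe.go and generictracepoint.go hunks that switch to `enforcerMapsUser` inherit the same dependency.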
@@ -976,10 +974,8 @@ func createKprobeSensorFromEntry(kprobeEntry *genericKprobe, maps = append(maps, ratelimitMap) } - enforcerDataMap := enforcerMap(load) if has.enforcer { - enforcerDataMap.SetMaxEntries(enforcerMapMaxEntries) - maps = append(maps, enforcerDataMap) + maps = append(maps, enforcerMapsUser(load)...) } overrideTasksMap := program.MapBuilderProgram("override_tasks", load) diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go index fe77d30c663..43e9e6e109c 100644 --- a/pkg/sensors/tracing/generictracepoint.go +++ b/pkg/sensors/tracing/generictracepoint.go @@ -496,11 +496,9 @@ func createGenericTracepointSensor( } maps = append(maps, matchBinariesPaths) - enforcerDataMap := enforcerMap(prog0) if has.enforcer { - enforcerDataMap.SetMaxEntries(enforcerMapMaxEntries) + maps = append(maps, enforcerMapsUser(prog0)...) } - maps = append(maps, enforcerDataMap) selMatchBinariesMap := program.MapBuilderProgram("tg_mb_sel_opts", prog0) maps = append(maps, selMatchBinariesMap) From 7803664210dbef54a2e7f4c31f7238389b1e4667 Mon Sep 17 00:00:00 2001 From: Kornilios Kourtis Date: Fri, 11 Oct 2024 12:16:43 +0200 Subject: [PATCH 04/12] sensors: load enforcer first In the previous patches, we split the enforcer map users into owners (the enforcer sensor) and users (the tracing sensors). Given this change, we need to load the enforcer sensor first. So ensure that this happens. Signed-off-by: Kornilios Kourtis --- pkg/sensors/handler.go | 1 + pkg/sensors/sensors.go | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/pkg/sensors/handler.go b/pkg/sensors/handler.go index c7cda782cb9..131f2038e03 100644 --- a/pkg/sensors/handler.go +++ b/pkg/sensors/handler.go @@ -346,5 +346,6 @@ func sensorsFromPolicyHandlers(tp tracingpolicy.TracingPolicy, filterID policyfi sensors = append(sensors, sensor) } + sortSensors(sensors) return sensors, nil } 
diff --git a/pkg/sensors/sensors.go b/pkg/sensors/sensors.go index 7f927183b06..9e0532233dc 100644 --- a/pkg/sensors/sensors.go +++ b/pkg/sensors/sensors.go @@ -6,6 +6,7 @@ package sensors import ( "errors" "fmt" + "sort" "strings" "sync" @@ -256,3 +257,18 @@ func progsCleanup() { func AllPrograms() []*program.Program { return append([]*program.Program{}, allPrograms...) } + +// sortSensors sort the sensors to enforce orderging constrains +func sortSensors(sensors []SensorIface) { + sort.Slice(sensors, func(i, j int) bool { + iName := sensors[i].GetName() + if iName == "__enforcer__" { + return true + } + jName := sensors[j].GetName() + if jName == "__enforcer__" { + return false + } + return iName < jName + }) +} From f053a160322d99220e23d77c05e20927081ca494 Mon Sep 17 00:00:00 2001 From: Kornilios Kourtis Date: Fri, 11 Oct 2024 12:33:32 +0200 Subject: [PATCH 05/12] crd: introduce EnforcerNotifyActionArgIndex It will be used in subsequent patches. Signed-off-by: Kornilios Kourtis --- pkg/k8s/apis/cilium.io/v1alpha1/types.go | 11 +++++++++++ .../tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go | 11 +++++++++++ 2 files changed, 22 insertions(+) diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index b09af0b590f..6f83231145d 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go 
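Review bot: The less function in `sortSensors` returns true as soon as `sensors[i]` is named `"__enforcer__"` without looking at `sensors[j]`, so for two elements with that name both less(i,j) and less(j,i) are true, which is not a strict weak ordering and `sort.Slice` makes no promise about the result. Deciding on both names first keeps the enforcer-first intent while leaving equal names unordered, and `sort.SliceStable` preserves the caller's relative order for the rest. The doc comment has typos ("sort the sensors to enforce orderging constrains") and should name the constraint: the enforcer sensor owns the maps that the other sensors only reference, so it must load first. The literal `"__enforcer__"` presumably matches the name the enforcer sensor is created with elsewhere; a shared constant would stop the two from drifting.
```go
// sortSensors orders sensors so that the enforcer sensor, which owns the
// enforcer maps, is loaded before the sensors that only use those maps;
// all other sensors are ordered by name.
func sortSensors(sensors []SensorIface) {
	sort.SliceStable(sensors, func(i, j int) bool {
		iName, jName := sensors[i].GetName(), sensors[j].GetName()
		iEnf, jEnf := iName == "__enforcer__", jName == "__enforcer__"
		if iEnf != jEnf {
			return iEnf // exactly one of the two is the enforcer: it sorts first
		}
		return iName < jName
	})
}
```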
@@ -247,6 +247,17 @@ type ActionSelector struct { // Enable collection of file hashes from integrity subsystem. // Only valid with the post action. ImaHash bool `json:"imaHash"` + + // NB: Describing the use of this is complicated. It is only used when a missed enforcer + // notification (via the NotifyEnforcer action) is detected. In this case, we increase a + // counter that resides in a bpf map to track the missed notification. One of the main uses + // of NotifyEnforcer is for raw_syscalls/sys_enter. In this case, if we want to know what + // was the syscall for which we missed the notification, we need to use the value of the + // first argument. The value here stores the index of the argument we want to use. + // + // Given the complexity and limited use of this field, we do not expose it to users (at + // least for now) and set it internally as needed. + EnforcerNotifyActionArgIndex *uint32 `json:"-"` } type TracepointSpec struct { diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index b09af0b590f..6f83231145d 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go 
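Review bot: The comment on `EnforcerNotifyActionArgIndex` says the missed syscall is recovered from "the value of the first argument", but, judging from the later patches in this series, what the field stores is a position in the tracepoint's `args` list (the bpf side indexes `argsoff` with it), and for raw_syscalls/sys_enter the syscall id is whichever entry has `index: 4`, not necessarily the first. Suggest replacing that sentence with `The value here is the position, in the tracepoint's args list, of the argument whose value is recorded alongside the missed notification (for raw_syscalls/sys_enter, the syscall id).` It would also help to say that the field is filled in by the sensor code when the policy is processed, since `json:"-"` means a reader of the CRD will never see it set.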
@@ -247,6 +247,17 @@ type ActionSelector struct { // Enable collection of file hashes from integrity subsystem. // Only valid with the post action. ImaHash bool `json:"imaHash"` + + // NB: Describing the use of this is complicated. It is only used when a missed enforcer + // notification (via the NotifyEnforcer action) is detected. In this case, we increase a + // counter that resides in a bpf map to track the missed notification. One of the main uses + // of NotifyEnforcer is for raw_syscalls/sys_enter. In this case, if we want to know what + // was the syscall for which we missed the notification, we need to use the value of the + // first argument. The value here stores the index of the argument we want to use. + // + // Given the complexity and limited use of this field, we do not expose it to users (at + // least for now) and set it internally as needed. + EnforcerNotifyActionArgIndex *uint32 `json:"-"` } type TracepointSpec struct { From 95e6fefdab9f1d8694328924e86ae1d9e5ef9592 Mon Sep 17 00:00:00 2001 From: Kornilios Kourtis Date: Fri, 11 Oct 2024 12:40:51 +0200 Subject: [PATCH 06/12] autochore: make crds Signed-off-by: Kornilios Kourtis --- .../cilium.io/v1alpha1/zz_generated.deepcopy.go | 13 +++++++++++-- .../cilium.io/v1alpha1/zz_generated.deepcopy.go | 13 +++++++++++-- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go index afa464eb9be..5d691abbc94 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go 
@@ -16,6 +16,11 @@ import ( // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ActionSelector) DeepCopyInto(out *ActionSelector) { *out = *in + if in.EnforcerNotifyActionArgIndex != nil { + in, out := &in.EnforcerNotifyActionArgIndex, &out.EnforcerNotifyActionArgIndex + *out = new(uint32) + **out = **in + } return } @@ -149,7 +154,9 @@ func (in *KProbeSelector) DeepCopyInto(out *KProbeSelector) { if in.MatchActions != nil { in, out := &in.MatchActions, &out.MatchActions *out = make([]ActionSelector, len(*in)) - copy(*out, *in) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } if in.MatchReturnArgs != nil { in, out := &in.MatchReturnArgs, &out.MatchReturnArgs @@ -161,7 +168,9 @@ func (in *KProbeSelector) DeepCopyInto(out *KProbeSelector) { if in.MatchReturnActions != nil { in, out := &in.MatchReturnActions, &out.MatchReturnActions *out = make([]ActionSelector, len(*in)) - copy(*out, *in) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } if in.MatchBinaries != nil { in, out := &in.MatchBinaries, &out.MatchBinaries diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go index afa464eb9be..5d691abbc94 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go @@ -16,6 +16,11 @@ import ( // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ActionSelector) DeepCopyInto(out *ActionSelector) { *out = *in + if in.EnforcerNotifyActionArgIndex != nil { + in, out := &in.EnforcerNotifyActionArgIndex, &out.EnforcerNotifyActionArgIndex + *out = new(uint32) + **out = **in + } return } 
@@ -149,7 +154,9 @@ func (in *KProbeSelector) DeepCopyInto(out *KProbeSelector) { if in.MatchActions != nil { in, out := &in.MatchActions, &out.MatchActions *out = make([]ActionSelector, len(*in)) - copy(*out, *in) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } if in.MatchReturnArgs != nil { in, out := &in.MatchReturnArgs, &out.MatchReturnArgs @@ -161,7 +168,9 @@ func (in *KProbeSelector) DeepCopyInto(out *KProbeSelector) { if in.MatchReturnActions != nil { in, out := &in.MatchReturnActions, &out.MatchReturnActions *out = make([]ActionSelector, len(*in)) - copy(*out, *in) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } if in.MatchBinaries != nil { in, out := &in.MatchBinaries, &out.MatchBinaries From 281be99a73ac7edbd006511e7fd3cb8da82b8ee2 Mon Sep 17 00:00:00 2001 
From: Kornilios Kourtis Date: Fri, 11 Oct 2024 13:21:23 +0200 Subject: [PATCH 07/12] enforcer: track missed notifications This commit adds a enforcer map to track missed notifications from the enforcer. Notifications are missed when the enforcer bpf program did not run after the notification happened. This can, for example, if there is a NotifyEnforcer action from the raw_syscalls/sys_enter tracepoint without having the enforcer loaded into this program. For example: ``` apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: name: "kill-syscalls" spec: enforcers: - calls: - "sys_swapoff" # - "sys_getcpu" <-- missing entry tracepoints: - subsystem: "raw_syscalls" event: "sys_enter" args: - index: 4 type: "syscall64" selectors: - matchArgs: - index: 0 operator: "InMap" values: - 309 # getcpu - 168 # swapoff matchActions: - action: "NotifyEnforcer" argError: -1 argSig: 9 ``` The current version of the code, checks the enforcer map when it updates it for existing entries. Subsequent patches will improve this. Executing two getcpu calls from the same thread when the above policy is loaded, will result in the following entries: ``` bpftool map dump pinned /sys/fs/bpf/tetragon/kill-syscalls/enforcer_missed_notifications [{ "key": { "act_info": { "func_id": 0, "arg": 309 }, "reason": 1 }, "value": 1 } ] ``` Note that the syscall id is recorded so that we can know what was the missed syscall. Signed-off-by: Kornilios Kourtis --- bpf/lib/generic.h | 3 + bpf/process/bpf_enforcer.h | 62 +++++++++++++++++-- bpf/process/types/basic.h | 30 +++++++-- .../enforcermetrics/enforcermetrics.go | 9 +++ pkg/selectors/kernel.go | 5 ++ pkg/sensors/tracing/enforcer.go | 11 +++- 6 files changed, 110 insertions(+), 10 deletions(-) create mode 100644 pkg/metrics/enforcermetrics/enforcermetrics.go diff --git a/bpf/lib/generic.h b/bpf/lib/generic.h index eda1283a958..bf785b11bdb 100644 --- a/bpf/lib/generic.h +++ b/bpf/lib/generic.h 
@@ -33,6 +33,9 @@ struct msg_selector_data { #endif }; +/* value to mask an offsset into msg_generic_kprobe->args */ +#define GENERIC_MSG_ARGS_MASK 0x7ff + struct msg_generic_kprobe { struct msg_common common; struct msg_execve_key current; diff --git a/bpf/process/bpf_enforcer.h b/bpf/process/bpf_enforcer.h index b9d0fe38077..f71107870ae 100644 --- a/bpf/process/bpf_enforcer.h +++ b/bpf/process/bpf_enforcer.h @@ -7,10 +7,17 @@ #include "vmlinux.h" #include "bpf_helpers.h" +/* information to track how an enforcer notify action was triggered */ +struct enforcer_act_info { + __u32 func_id; + __u32 arg; +} __attribute__((packed)); + struct enforcer_data { __s16 error; __s16 signal; -}; + struct enforcer_act_info act_info; +} __attribute__((packed)); struct { __uint(type, BPF_MAP_TYPE_HASH); 
@@ -19,18 +26,65 @@ struct { __type(value, struct enforcer_data); } enforcer_data SEC(".maps"); -FUNC_INLINE void do_enforcer_action(int error, int signal) +enum enforcer_missed_reason { + ENFORCER_MISSED_OVERWRITTEN = 1, +}; + +struct enforcer_missed_key { + struct enforcer_act_info act_info; + __u32 reason; // see enforcer_missed_reason for values +} __attribute__((packed)); + +/* map to keep track of missed notifications */ +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 128); + __type(key, struct enforcer_missed_key); + __type(value, __u32); +} enforcer_missed_notifications SEC(".maps"); + +FUNC_INLINE void +enforcer_update_missed_notifications(struct enforcer_missed_key *key) +{ + int err; + __u32 *counter = map_lookup_elem(&enforcer_missed_notifications, key), one = 1; + + if (counter) { + __sync_fetch_and_add(counter, one); + return; + } + + err = map_update_elem(&enforcer_missed_notifications, key, &one, BPF_NOEXIST); + if (!err) + return; + + /* in case we raced with another thread and an entry was already created, retry to do a + * lookup + */ + counter = map_lookup_elem(&enforcer_missed_notifications, key); + if (counter) { + __sync_fetch_and_add(counter, one); + } +} + +FUNC_INLINE void do_enforcer_action(int error, int signal, struct enforcer_act_info act_info) { __u64 id = get_current_pid_tgid(); struct enforcer_data *ptr, data = { .error = (__s16)error, .signal = (__s16)signal, + .act_info = act_info, }; ptr = map_lookup_elem(&enforcer_data, &id); if (ptr) { - ptr->error = (__s16)error; - ptr->signal = (__s16)signal; + /* there is another entry already, update enforcer_missed_notifications */ + struct enforcer_missed_key missed_key = { + .act_info = ptr->act_info, + .reason = ENFORCER_MISSED_OVERWRITTEN, + }; + enforcer_update_missed_notifications(&missed_key); + *ptr = data; } else { map_update_elem(&enforcer_data, &id, &data, BPF_ANY); } 
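Review bot: `enforcer_update_missed_notifications` silently drops the count when both the `BPF_NOEXIST` update and the follow-up lookup fail, which is exactly what happens once the 128-entry `enforcer_missed_notifications` map is full (keys are distinct per func_id/arg/reason, so one per missed syscall per policy); the metric then under-reports precisely when notifications are being missed most. The final lookup deserves a comment saying so, e.g. `/* still no entry: the map is full or the key was just removed; the miss is dropped and the counter under-reports */`, and a larger `max_entries` or a catch-all key would make saturation visible. In `do_enforcer_action`, `*ptr = data` replaces the previous entry after it has been recorded as missed; a one-line comment that the newer notification always wins would make that policy explicit. `__u32 reason; // see enforcer_missed_reason for values` uses a `//` comment where the rest of the header uses `/* */`.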
diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h index c2bad27b923..c76192c969a 100644 --- a/bpf/process/types/basic.h +++ b/bpf/process/types/basic.h @@ -1868,6 +1868,20 @@ installfd(struct msg_generic_kprobe *e, int fd, int name, bool follow) return err; } +FUNC_INLINE __u64 +msg_generic_arg_value_u64(struct msg_generic_kprobe *e, unsigned int arg_id, __u64 err_val) +{ + __u32 argoff; + __u64 *ret; + + if (arg_id > MAX_POSSIBLE_ARGS) + return err_val; + argoff = e->argsoff[arg_id]; + argoff &= GENERIC_MSG_ARGS_MASK; + ret = (__u64 *)&e->args[argoff]; + return *ret; +} + FUNC_INLINE int copyfd(struct msg_generic_kprobe *e, int oldfd, int newfd) { @@ -2143,12 +2157,18 @@ struct { } stack_trace_map SEC(".maps"); #if defined GENERIC_TRACEPOINT || defined GENERIC_KPROBE -FUNC_INLINE void do_action_notify_enforcer(int error, int signal) +FUNC_INLINE void do_action_notify_enforcer(struct msg_generic_kprobe *e, + int error, int signal, int info_arg_id) { - do_enforcer_action(error, signal); + __u64 argv = msg_generic_arg_value_u64(e, info_arg_id, 0); + struct enforcer_act_info info = { + .func_id = e->func_id, + .arg = argv, + }; + do_enforcer_action(error, signal, info); } #else -#define do_action_notify_enforcer(error, signal) +#define do_action_notify_enforcer(e, error, signal, info_arg_id) #endif FUNC_LOCAL __u32 @@ -2163,6 +2183,7 @@ do_action(void *ctx, __u32 i, struct selector_action *actions, int fdi, namei; int newfdi, oldfdi; int socki; + int argi __maybe_unused; int err = 0; int zero = 0; __u64 id; @@ -2257,7 +2278,8 @@ do_action(void *ctx, __u32 i, struct selector_action *actions, case ACTION_NOTIFY_ENFORCER: error = actions->act[++i]; signal = actions->act[++i]; - do_action_notify_enforcer(error, signal); + argi = actions->act[++i]; + do_action_notify_enforcer(e, error, signal, argi); break; default: break; 
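Review bot: The bound in `msg_generic_arg_value_u64` is `arg_id > MAX_POSSIBLE_ARGS`, so `arg_id == MAX_POSSIBLE_ARGS` passes; if `argsoff` is declared with `MAX_POSSIBLE_ARGS` entries (its declaration is outside this hunk), that index is one past the end and the check should be `if (arg_id >= MAX_POSSIBLE_ARGS)`. The read masks the offset with `GENERIC_MSG_ARGS_MASK` and then dereferences 8 bytes at `args[argoff]`, so `args` must have at least 8 bytes beyond the largest masked offset; a comment stating that assumption next to the mask would help whoever next resizes `args`. `err_val` is only returned for the out-of-range case, so an argument that was never filled in is read as whatever `argsoff` holds for it; worth a sentence on the function saying that the caller is expected to pass a valid, populated argument id.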
diff --git a/pkg/metrics/enforcermetrics/enforcermetrics.go b/pkg/metrics/enforcermetrics/enforcermetrics.go
new file mode 100644
index 00000000000..8c89bae6775
--- /dev/null
+++ b/pkg/metrics/enforcermetrics/enforcermetrics.go
@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package enforcermetrics
+
+const (
+ EnforcerMissedMapName = "enforcer_missed_notifications"
+)
+
diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go
index a2064a68a59..bd3b39fffdd 100644
--- a/pkg/selectors/kernel.go
+++ b/pkg/selectors/kernel.go
@@ -976,6 +976,11 @@ func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, a
 case ActionTypeNotifyEnforcer:
 WriteSelectorInt32(&k.data, action.ArgError)
 WriteSelectorUint32(&k.data, action.ArgSig)
+ actionArgIndex := ^uint32(1)
+ if action.EnforcerNotifyActionArgIndex != nil {
+ actionArgIndex = *(action.EnforcerNotifyActionArgIndex)
+ }
+ WriteSelectorUint32(&k.data, actionArgIndex)
 default:
 return fmt.Errorf("ParseMatchAction: act %d (%s) is missing a handler", act, actionTypeStringTable[act])
 }
diff --git a/pkg/sensors/tracing/enforcer.go b/pkg/sensors/tracing/enforcer.go
index 045a1de77a5..69b3d7ab6e5 100644
--- a/pkg/sensors/tracing/enforcer.go
+++ b/pkg/sensors/tracing/enforcer.go
@@ -13,6 +13,7 @@ import (
 "github.com/cilium/tetragon/pkg/bpf"
 "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
 "github.com/cilium/tetragon/pkg/logger"
+ "github.com/cilium/tetragon/pkg/metrics/enforcermetrics"
 "github.com/cilium/tetragon/pkg/option"
 "github.com/cilium/tetragon/pkg/policyfilter"
 "github.com/cilium/tetragon/pkg/sensors"
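Review bot: `actionArgIndex := ^uint32(1)` in `ParseMatchAction` evaluates to 0xFFFFFFFE, which reads like a slip for the conventional all-ones sentinel `^uint32(0)`; it only works because the bpf side rejects anything above `MAX_POSSIBLE_ARGS`, and nothing here says that is the intent. Suggest a named constant with a comment, `// enforcerNotifyNoArg marks "no argument"; msg_generic_arg_value_u64 rejects it by its range check` and `const enforcerNotifyNoArg = ^uint32(0)` (or the intended value), used in place of the literal. The NotifyEnforcer selector entry grows by one u32 here; any other place that sizes or walks `k.data` for this action must change in step, and only `do_action` in basic.h is visible in this series.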
@@ -52,13 +53,19 @@ func init() { func enforcerMapsUser(load ...*program.Program) []*program.Map { edm := program.MapUserPolicy(enforcerDataMapName, load...) edm.SetMaxEntries(enforcerMapMaxEntries) - return []*program.Map{edm} + return []*program.Map{ + edm, + program.MapUserPolicy(enforcermetrics.EnforcerMissedMapName, load...), + } } func enforcerMaps(load ...*program.Program) []*program.Map { edm := program.MapBuilderPolicy(enforcerDataMapName, load...) edm.SetMaxEntries(enforcerMapMaxEntries) - return []*program.Map{edm} + return []*program.Map{ + edm, + program.MapBuilderPolicy(enforcermetrics.EnforcerMissedMapName, load...), + } } func (kp *enforcerPolicy) enforcerGet(name string) (*enforcerHandler, bool) { From 9f3b74eba9e745c41fcea06451a8b13a0c380494 Mon Sep 17 00:00:00 2001 From: Kornilios Kourtis Date: Fri, 11 Oct 2024 13:21:40 +0200 Subject: [PATCH 08/12] enforcer: add metric for missed notifications This commit adds a metric for enforcer missed notifications. The metric is implemented by reading the bpf map introduced in the previous patch. The metric is a counter with the system call name, the policy and the reason as labels. tetragon_enforcer_missed_notifications_total{info="getcpu",policy="kill-syscalls",reason="overwritten"} 2 When the policy is unloaded, the metric is removed. Signed-off-by: Kornilios Kourtis --- .../enforcermetrics/enforcermetrics.go | 134 ++++++++++++++++++ pkg/metricsconfig/healthmetrics.go | 3 + pkg/sensors/tracing/generictracepoint.go | 89 ++++++++++-- 3 files changed, 218 insertions(+), 8 deletions(-) diff --git a/pkg/metrics/enforcermetrics/enforcermetrics.go b/pkg/metrics/enforcermetrics/enforcermetrics.go index 8c89bae6775..2bf93496eac 100644 --- a/pkg/metrics/enforcermetrics/enforcermetrics.go +++ b/pkg/metrics/enforcermetrics/enforcermetrics.go 
@@ -3,7 +3,141 @@ package enforcermetrics +import ( + "sync" + + "github.com/cilium/ebpf" + "github.com/cilium/tetragon/pkg/bpf" + "github.com/cilium/tetragon/pkg/metrics" + "github.com/cilium/tetragon/pkg/metrics/consts" + "github.com/cilium/tetragon/pkg/sensors/program" + "github.com/prometheus/client_golang/prometheus" +) + const ( EnforcerMissedMapName = "enforcer_missed_notifications" ) +var gState = newState() + +func NewCollector() metrics.CollectorWithInit { + return gState.newCollector() +} + +func RegisterInfo(policy string, funcID uint32, argToInfo func(arg uint32) string) { + gState.registerInfo(policy, funcID, argToInfo) +} + +func UnregisterPolicy(policy string) { + gState.unregisterPolicy(policy) +} + +type state struct { + missedNotifications metrics.CustomMetric + // mu protects policies + mu sync.Mutex + // policies with an enforcer + // policy_name -> func_id -> (arg -> info) + policies map[string]map[uint32]func(arg uint32) string +} + +func newState() *state { + + st := &state{ + policies: map[string]map[uint32]func(arg uint32) string{}, + } + st.missedNotifications = metrics.MustNewCustomCounter(metrics.NewOpts( + consts.MetricsNamespace, "enforcer", "missed_notifications_total", + "The number of missed notifications by the enforcer.", + nil, []metrics.ConstrainedLabel{ + // NB: these corresponds to "enum enforcer_missed_reason" in bpf. 
Unknown values + // are mapped to "unspecified" + {Name: "reason", Values: enforcerMissedNotificationsReasons}, + }, []metrics.UnconstrainedLabel{ + {Name: "policy", ExampleValue: "enforcer_policy"}, + {Name: "info", ExampleValue: ""}, + }, + )) + return st +} + +func (st *state) newCollector() metrics.CollectorWithInit { + return metrics.NewCustomCollector( + metrics.CustomMetrics{ + st.missedNotifications, + }, + st.collect, + collectForDocs, + ) +} + +// NB: should match bpf's struct enforcer_missed_key +type enforcerMissedMapKey struct { + FuncId uint32 + Arg uint32 + Reason uint32 +} + +var enforcerMissedNotificationsReasons = []string{"unspecified", "no_action", "overwritten"} + +func (mk *enforcerMissedMapKey) reason() string { + // NB: see bpf's enforcer_missed_reason + switch mk.Reason { + case 1: + return "overwritten" + default: + return "unspecified" + } +} + +func (st *state) registerInfo(policy string, funcID uint32, argToInfoFn func(uint32) string) { + st.mu.Lock() + defer st.mu.Unlock() + + m, ok := st.policies[policy] + if !ok { + st.policies[policy] = map[uint32]func(uint32) string{ + funcID: argToInfoFn, + } + return + } + m[funcID] = argToInfoFn +} + +func (st *state) collect(ch chan<- prometheus.Metric) { + st.mu.Lock() + defer st.mu.Unlock() + + for policy, polM := range st.policies { + path := program.PolicyMapPath(bpf.MapPrefixPath(), policy, EnforcerMissedMapName) + m, err := ebpf.LoadPinnedMap(path, &ebpf.LoadPinOptions{ + ReadOnly: true, + }) + if err != nil { + continue + } + + var key enforcerMissedMapKey + var cnt uint32 + iter := m.Iterate() + for iter.Next(&key, &cnt) { + info := "" + if fn, ok := polM[key.FuncId]; ok { + info = fn(key.Arg) + } + ch <- st.missedNotifications.MustMetric( + float64(cnt), + key.reason(), + policy, + info, + ) + } + } +} + +func (st *state) unregisterPolicy(policy string) { + delete(st.policies, policy) +} + +func collectForDocs(_ chan<- prometheus.Metric) { +} 
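Review bot: `unregisterPolicy` deletes from `st.policies` without taking `st.mu`, while `registerInfo` and `collect` lock it, so a policy unload concurrent with a scrape is a map write racing a map iteration, which the runtime treats as a fatal error rather than a stale read; it should lock like its siblings, `st.mu.Lock()` / `defer st.mu.Unlock()` before the `delete`. Separately, `collect` never closes the `*ebpf.Map` returned by `LoadPinnedMap`, so every scrape leaks one descriptor per registered policy, and `iter.Err()` is never consulted, so a failed iteration is reported as a partial series; moving the per-policy body into a helper lets `defer m.Close()` run per iteration. `enforcerMissedNotificationsReasons` lists `"no_action"`, which `reason()` never returns and which has no value in `enum enforcer_missed_reason`; presumably reserved for a later patch, but as written it documents a label value that cannot occur.
```go
func (st *state) collect(ch chan<- prometheus.Metric) {
	st.mu.Lock()
	defer st.mu.Unlock()

	for policy, polM := range st.policies {
		st.collectPolicy(ch, policy, polM)
	}
}

// collectPolicy reports the missed-notification counters of one policy. It is
// a separate function so the pinned map is closed when it returns rather than
// at the end of the whole scrape.
func (st *state) collectPolicy(ch chan<- prometheus.Metric, policy string, polM map[uint32]func(uint32) string) {
	path := program.PolicyMapPath(bpf.MapPrefixPath(), policy, EnforcerMissedMapName)
	m, err := ebpf.LoadPinnedMap(path, &ebpf.LoadPinOptions{ReadOnly: true})
	if err != nil {
		// the policy may be unloaded or not loaded yet: nothing to report
		return
	}
	defer m.Close()

	var key enforcerMissedMapKey
	var cnt uint32
	iter := m.Iterate()
	for iter.Next(&key, &cnt) {
		// … unchanged: info lookup and MustMetric send …
	}
	// … iter.Err() should be checked here and surfaced …
}

func (st *state) unregisterPolicy(policy string) {
	st.mu.Lock()
	defer st.mu.Unlock()
	delete(st.policies, policy)
}
```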
diff --git a/pkg/metricsconfig/healthmetrics.go b/pkg/metricsconfig/healthmetrics.go index 4fdb51f498b..0d4ede7b1e4 100644 --- a/pkg/metricsconfig/healthmetrics.go +++ b/pkg/metricsconfig/healthmetrics.go @@ -11,6 +11,7 @@ import ( "github.com/cilium/tetragon/pkg/grpc/tracing" "github.com/cilium/tetragon/pkg/metrics" "github.com/cilium/tetragon/pkg/metrics/cgroupratemetrics" + "github.com/cilium/tetragon/pkg/metrics/enforcermetrics" "github.com/cilium/tetragon/pkg/metrics/errormetrics" "github.com/cilium/tetragon/pkg/metrics/eventmetrics" "github.com/cilium/tetragon/pkg/metrics/kprobemetrics" @@ -93,4 +94,6 @@ func registerHealthMetrics(group metrics.Group) { group.MustRegister(grpcmetrics.NewServerMetrics()) // missed metris group.MustRegister(kprobemetrics.NewBPFCollector()) + // enforcer metrics + group.MustRegister(enforcermetrics.NewCollector()) } diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go index 43e9e6e109c..692be4a1965 100644 --- a/pkg/sensors/tracing/generictracepoint.go +++ b/pkg/sensors/tracing/generictracepoint.go @@ -21,6 +21,7 @@ import ( "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1" "github.com/cilium/tetragon/pkg/kernels" "github.com/cilium/tetragon/pkg/logger" + "github.com/cilium/tetragon/pkg/metrics/enforcermetrics" "github.com/cilium/tetragon/pkg/observer" "github.com/cilium/tetragon/pkg/option" "github.com/cilium/tetragon/pkg/policyfilter" @@ -28,6 +29,7 @@ import ( "github.com/cilium/tetragon/pkg/selectors" "github.com/cilium/tetragon/pkg/sensors" "github.com/cilium/tetragon/pkg/sensors/program" + "github.com/cilium/tetragon/pkg/syscallinfo" "github.com/cilium/tetragon/pkg/tracepoint" "github.com/sirupsen/logrus" 
@@ -356,6 +358,70 @@ func createGenericTracepoint( return ret, nil } +func tpValidateAndAdjustEnforcerAction( + sensor *sensors.Sensor, + tp *v1alpha1.TracepointSpec, + tpID int, + policyName string, + spec *v1alpha1.TracingPolicySpec) error { + + registeredEnforcerMetrics := false + for si := range tp.Selectors { + sel := &tp.Selectors[si] + for ai := range sel.MatchActions { + act := &sel.MatchActions[ai] + if act.Action == "NotifyEnforcer" { + if len(spec.Enforcers) == 0 { + return fmt.Errorf("NotifyEnforcer action specified, but spec contains no enforcers") + } + + // EnforcerNotifyActionArgIndex already set, do nothing + if act.EnforcerNotifyActionArgIndex != nil { + continue + } + + switch { + case tp.Subsystem == "raw_syscalls" && tp.Event == "sys_enter": + for i, arg := range tp.Args { + // syscall id + if arg.Index == 4 { + val := uint32(i) + act.EnforcerNotifyActionArgIndex = &val + } + } + defaultABI, _ := syscallinfo.DefaultABI() + enforcermetrics.RegisterInfo(policyName, uint32(tpID), func(arg uint32) string { + syscallID := parseSyscall64Value(uint64(arg)) + sysName, _ := syscallinfo.GetSyscallName(syscallID.ABI, int(syscallID.ID)) + if sysName == "" { + sysName = fmt.Sprintf("syscall-%d", syscallID.ID) + } + if syscallID.ABI != defaultABI { + sysName = fmt.Sprintf("%s/%s", syscallID.ABI, sysName) + } + return sysName + }) + registeredEnforcerMetrics = true + default: + enforcermetrics.RegisterInfo(policyName, uint32(tpID), func(_ uint32) string { + return fmt.Sprintf("%s/%s", tp.Subsystem, tp.Event) + }) + + } + } + } + } + + if registeredEnforcerMetrics { + sensor.AddPostUnloadHook(func() error { + enforcermetrics.UnregisterPolicy(policyName) + return nil + }) + } + + return nil +} + // createGenericTracepointSensor will create a sensor that can be loaded based on a generic tracepoint configuration func createGenericTracepointSensor( spec *v1alpha1.TracingPolicySpec, 
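Review bot: In the `default` branch of `tpValidateAndAdjustEnforcerAction`, `enforcermetrics.RegisterInfo` is called but `registeredEnforcerMetrics` is never set, so for a NotifyEnforcer action on any tracepoint other than raw_syscalls/sys_enter no post-unload hook is added and `UnregisterPolicy` is never called; the policy stays in the collector after unload and every scrape keeps probing a pinned map that no longer exists. Add `registeredEnforcerMetrics = true` after the `RegisterInfo` call in that branch, or set it once below the switch. The early `continue` when `EnforcerNotifyActionArgIndex` is already set also skips `RegisterInfo`, and since this function writes that field into the caller's spec, processing the same spec object twice registers nothing the second time; either register before the check or document the single-use assumption. The name promises validation but the only check is that `spec.Enforcers` is non-empty; a doc comment stating what is validated and that `tp` is mutated in place would help callers.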
@@ -368,9 +434,20 @@ func createGenericTracepointSensor( confs := spec.Tracepoints lists := spec.Lists + ret := &sensors.Sensor{ + Name: name, + Policy: policyName, + Namespace: namespace, + } + tracepoints := make([]*genericTracepoint, 0, len(confs)) for i := range confs { - tp, err := createGenericTracepoint(name, &confs[i], policyID, policyName, customHandler) + tpSpec := &confs[i] + err := tpValidateAndAdjustEnforcerAction(ret, tpSpec, i, policyName, spec) + if err != nil { + return nil, err + } + tp, err := createGenericTracepoint(name, tpSpec, policyID, policyName, customHandler) if err != nil { return nil, err } @@ -504,13 +581,9 @@ func createGenericTracepointSensor( maps = append(maps, selMatchBinariesMap) } - return &sensors.Sensor{ - Name: name, - Progs: progs, - Maps: maps, - Policy: policyName, - Namespace: namespace, - }, nil + ret.Progs = progs + ret.Maps = maps + return ret, nil } func (tp *genericTracepoint) InitKernelSelectors(lists []v1alpha1.ListSpec) error { From 1a7f3aefa34422659aec42743a0e4ac6cfd6a37d Mon Sep 17 00:00:00 2001 From: Kornilios Kourtis Date: Fri, 11 Oct 2024 13:38:48 +0200 Subject: [PATCH 09/12] enforcer: add CleanupEnforcerNotification action Previous commits introduced a bpf map to track missed enforcer notifications, by checking the enforcer map for existing entries when attempting to set a new one. As an improvement, we want to introduce an action allowing to check for enforcer missed notifications. The intention is to use this action when exiting system calls. This commit introduces the policy and proto changes. Signed-off-by: Kornilios Kourtis --- api/v1/tetragon/tetragon.proto | 2 ++ pkg/k8s/apis/cilium.io/v1alpha1/types.go | 2 +- pkg/k8s/apis/cilium.io/v1alpha1/version.go | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/api/v1/tetragon/tetragon.proto b/api/v1/tetragon/tetragon.proto index 4a1d7f293f8..4dfa730b8cd 100644 --- a/api/v1/tetragon/tetragon.proto +++ b/api/v1/tetragon/tetragon.proto 
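Review bot: When `createGenericTracepoint`, or anything later in `createGenericTracepointSensor`, fails after `tpValidateAndAdjustEnforcerAction` has registered the policy with `enforcermetrics`, the `return nil, err` paths discard the sensor that carries the unregister hook, so the registration outlives the failed policy. Calling `enforcermetrics.UnregisterPolicy(policyName)` on the error paths that follow the registration, for example via a deferred cleanup that runs when the function returns an error, keeps the collector's state consistent with what is actually loaded. The body between the two hunks, including the other error returns, is outside this view.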
@@ -473,6 +473,8 @@ enum KprobeAction { KPROBE_ACTION_UNTRACKSOCK = 12; // NotifyEnforcer action notifies enforcer sensor. KPROBE_ACTION_NOTIFYENFORCER = 13; + // CleanupEnforcerNotification action cleanups any state left by NotifyEnforcer + KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION = 14; } message ProcessKprobe { diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 6f83231145d..801d7016341 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -200,7 +200,7 @@ type ArgSelector struct { } type ActionSelector struct { - // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyEnforcer + // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyEnforcer;CleanupEnforcerNotification // Action to execute. Action string `json:"action"` // +kubebuilder:validation:Optional diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/pkg/k8s/apis/cilium.io/v1alpha1/version.go index 97148d94720..9f7e4002e6a 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/version.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/version.go @@ -7,4 +7,4 @@ package v1alpha1 // Used to determine if CRD needs to be updated in cluster // // Developers: Bump patch for each change in the CRD schema. -const CustomResourceDefinitionSchemaVersion = "1.3.4" +const CustomResourceDefinitionSchemaVersion = "1.3.5" From 1c0ddd8e776ee6ec0f498f20e13e06c92083c942 Mon Sep 17 00:00:00 2001 From: Kornilios Kourtis Date: Fri, 11 Oct 2024 13:43:46 +0200 Subject: [PATCH 10/12] autochore: make crds protogen 
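Review bot: The new enum comment `// CleanupEnforcerNotification action cleanups any state left by NotifyEnforcer` has a grammar slip and, unlike the commit message, does not say when the action is meant to run; since the `tetragon.pb.go`, `api/v1/README.md` and `grpc-api.md` copies in the following commit are generated from this line, the proto comment is the place to fix it. Suggest `// CleanupEnforcerNotification action cleans up any state left by a NotifyEnforcer action (intended for use on system call exit).` The `ActionSelector` kubebuilder enum in types.go carries no description of the new value either, so a reader of the CRD schema only sees the name.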
Signed-off-by: Kornilios Kourtis --- api/v1/README.md | 1 + api/v1/tetragon/tetragon.pb.go | 99 ++++++++++--------- .../tetragon/api/v1/tetragon/tetragon.pb.go | 99 ++++++++++--------- .../tetragon/api/v1/tetragon/tetragon.proto | 2 + docs/content/en/docs/reference/grpc-api.md | 1 + .../crds-yaml/cilium.io_tracingpolicies.yaml | 8 ++ .../cilium.io_tracingpoliciesnamespaced.yaml | 8 ++ .../v1alpha1/cilium.io_tracingpolicies.yaml | 8 ++ .../cilium.io_tracingpoliciesnamespaced.yaml | 8 ++ .../tetragon/api/v1/tetragon/tetragon.pb.go | 99 ++++++++++--------- .../tetragon/api/v1/tetragon/tetragon.proto | 2 + .../v1alpha1/cilium.io_tracingpolicies.yaml | 8 ++ .../cilium.io_tracingpoliciesnamespaced.yaml | 8 ++ .../pkg/k8s/apis/cilium.io/v1alpha1/types.go | 2 +- .../k8s/apis/cilium.io/v1alpha1/version.go | 2 +- 15 files changed, 215 insertions(+), 140 deletions(-) diff --git a/api/v1/README.md b/api/v1/README.md index 1570ab3f35d..552c4a02e35 100644 --- a/api/v1/README.md +++ b/api/v1/README.md @@ -1237,6 +1237,7 @@ User records | KPROBE_ACTION_TRACKSOCK | 11 | TrackSock action tracks socket. | | KPROBE_ACTION_UNTRACKSOCK | 12 | UntrackSock action un-tracks socket. | | KPROBE_ACTION_NOTIFYENFORCER | 13 | NotifyEnforcer action notifies enforcer sensor. | +| KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION | 14 | CleanupEnforcerNotification action cleanups any state left by NotifyEnforcer | diff --git a/api/v1/tetragon/tetragon.pb.go b/api/v1/tetragon/tetragon.pb.go index cbd25237a22..719d29cc305 100644 --- a/api/v1/tetragon/tetragon.pb.go +++ b/api/v1/tetragon/tetragon.pb.go @@ -57,6 +57,8 @@ const ( KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12 // NotifyEnforcer action notifies enforcer sensor. KprobeAction_KPROBE_ACTION_NOTIFYENFORCER KprobeAction = 13 + // CleanupEnforcerNotification action cleanups any state left by NotifyEnforcer + KprobeAction_KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION KprobeAction = 14 ) // Enum value maps for KprobeAction. 
@@ -76,22 +78,24 @@ var ( 11: "KPROBE_ACTION_TRACKSOCK", 12: "KPROBE_ACTION_UNTRACKSOCK", 13: "KPROBE_ACTION_NOTIFYENFORCER", + 14: "KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION", } KprobeAction_value = map[string]int32{ - "KPROBE_ACTION_UNKNOWN": 0, - "KPROBE_ACTION_POST": 1, - "KPROBE_ACTION_FOLLOWFD": 2, - "KPROBE_ACTION_SIGKILL": 3, - "KPROBE_ACTION_UNFOLLOWFD": 4, - "KPROBE_ACTION_OVERRIDE": 5, - "KPROBE_ACTION_COPYFD": 6, - "KPROBE_ACTION_GETURL": 7, - "KPROBE_ACTION_DNSLOOKUP": 8, - "KPROBE_ACTION_NOPOST": 9, - "KPROBE_ACTION_SIGNAL": 10, - "KPROBE_ACTION_TRACKSOCK": 11, - "KPROBE_ACTION_UNTRACKSOCK": 12, - "KPROBE_ACTION_NOTIFYENFORCER": 13, + "KPROBE_ACTION_UNKNOWN": 0, + "KPROBE_ACTION_POST": 1, + "KPROBE_ACTION_FOLLOWFD": 2, + "KPROBE_ACTION_SIGKILL": 3, + "KPROBE_ACTION_UNFOLLOWFD": 4, + "KPROBE_ACTION_OVERRIDE": 5, + "KPROBE_ACTION_COPYFD": 6, + "KPROBE_ACTION_GETURL": 7, + "KPROBE_ACTION_DNSLOOKUP": 8, + "KPROBE_ACTION_NOPOST": 9, + "KPROBE_ACTION_SIGNAL": 10, + "KPROBE_ACTION_TRACKSOCK": 11, + "KPROBE_ACTION_UNTRACKSOCK": 12, + "KPROBE_ACTION_NOTIFYENFORCER": 13, + "KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION": 14, } ) @@ -4970,7 +4974,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2a, 0x95, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, + 0x52, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2a, 0xc4, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 
@@ -4996,37 +5000,40 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x5f, 0x55, 0x4e, 0x54, 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x20, 0x0a, 0x1c, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x54, 0x49, 0x46, 0x59, 0x45, 0x4e, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x52, 0x10, 0x0d, - 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, - 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, - 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, - 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, - 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, - 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, - 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, - 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, - 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, - 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, - 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, - 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, - 0x8d, 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, - 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, - 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, - 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 
0x4f, 0x44, 0x55, 0x4c, 0x45, - 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, - 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, - 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, - 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, - 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, - 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, - 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, - 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, - 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x12, 0x2d, 0x0a, 0x29, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, + 0x4e, 0x5f, 0x43, 0x4c, 0x45, 0x41, 0x4e, 0x55, 0x50, 0x45, 0x4e, 0x46, 0x4f, 0x52, 0x43, 0x45, + 0x52, 0x4e, 0x4f, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x0e, 0x2a, + 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, + 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, + 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, + 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 
0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, + 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, + 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, + 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, + 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, + 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, + 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, + 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, + 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, + 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, + 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, + 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, + 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, + 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, + 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, + 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, + 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, + 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, + 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, + 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, + 
0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, + 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, + 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, + 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, + 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, + 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go index cbd25237a22..719d29cc305 100644 --- a/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go +++ b/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go @@ -57,6 +57,8 @@ const ( KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12 // NotifyEnforcer action notifies enforcer sensor. KprobeAction_KPROBE_ACTION_NOTIFYENFORCER KprobeAction = 13 + // CleanupEnforcerNotification action cleanups any state left by NotifyEnforcer + KprobeAction_KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION KprobeAction = 14 ) // Enum value maps for KprobeAction. 
@@ -76,22 +78,24 @@ var ( 11: "KPROBE_ACTION_TRACKSOCK", 12: "KPROBE_ACTION_UNTRACKSOCK", 13: "KPROBE_ACTION_NOTIFYENFORCER", + 14: "KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION", } KprobeAction_value = map[string]int32{ - "KPROBE_ACTION_UNKNOWN": 0, - "KPROBE_ACTION_POST": 1, - "KPROBE_ACTION_FOLLOWFD": 2, - "KPROBE_ACTION_SIGKILL": 3, - "KPROBE_ACTION_UNFOLLOWFD": 4, - "KPROBE_ACTION_OVERRIDE": 5, - "KPROBE_ACTION_COPYFD": 6, - "KPROBE_ACTION_GETURL": 7, - "KPROBE_ACTION_DNSLOOKUP": 8, - "KPROBE_ACTION_NOPOST": 9, - "KPROBE_ACTION_SIGNAL": 10, - "KPROBE_ACTION_TRACKSOCK": 11, - "KPROBE_ACTION_UNTRACKSOCK": 12, - "KPROBE_ACTION_NOTIFYENFORCER": 13, + "KPROBE_ACTION_UNKNOWN": 0, + "KPROBE_ACTION_POST": 1, + "KPROBE_ACTION_FOLLOWFD": 2, + "KPROBE_ACTION_SIGKILL": 3, + "KPROBE_ACTION_UNFOLLOWFD": 4, + "KPROBE_ACTION_OVERRIDE": 5, + "KPROBE_ACTION_COPYFD": 6, + "KPROBE_ACTION_GETURL": 7, + "KPROBE_ACTION_DNSLOOKUP": 8, + "KPROBE_ACTION_NOPOST": 9, + "KPROBE_ACTION_SIGNAL": 10, + "KPROBE_ACTION_TRACKSOCK": 11, + "KPROBE_ACTION_UNTRACKSOCK": 12, + "KPROBE_ACTION_NOTIFYENFORCER": 13, + "KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION": 14, } ) @@ -4970,7 +4974,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2a, 0x95, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, + 0x52, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2a, 0xc4, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 
@@ -4996,37 +5000,40 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x5f, 0x55, 0x4e, 0x54, 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x20, 0x0a, 0x1c, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x54, 0x49, 0x46, 0x59, 0x45, 0x4e, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x52, 0x10, 0x0d, - 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, - 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, - 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, - 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, - 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, - 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, - 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, - 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, - 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, - 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, - 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, - 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, - 0x8d, 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, - 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, - 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, - 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 
0x4f, 0x44, 0x55, 0x4c, 0x45, - 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, - 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, - 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, - 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, - 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, - 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, - 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, - 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, - 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x12, 0x2d, 0x0a, 0x29, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, + 0x4e, 0x5f, 0x43, 0x4c, 0x45, 0x41, 0x4e, 0x55, 0x50, 0x45, 0x4e, 0x46, 0x4f, 0x52, 0x43, 0x45, + 0x52, 0x4e, 0x4f, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x0e, 0x2a, + 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, + 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, + 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, + 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 
0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, + 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, + 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, + 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, + 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, + 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, + 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, + 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, + 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, + 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, + 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, + 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, + 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, + 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, + 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, + 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, + 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, + 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, + 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, + 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, + 
0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, + 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, + 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, + 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, + 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, + 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto index 4a1d7f293f8..4dfa730b8cd 100644 --- a/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto +++ b/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto @@ -473,6 +473,8 @@ enum KprobeAction { KPROBE_ACTION_UNTRACKSOCK = 12; // NotifyEnforcer action notifies enforcer sensor. KPROBE_ACTION_NOTIFYENFORCER = 13; + // CleanupEnforcerNotification action cleanups any state left by NotifyEnforcer + KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION = 14; } message ProcessKprobe { diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md index c1d19596cff..cc3d3ef878a 100644 --- a/docs/content/en/docs/reference/grpc-api.md +++ b/docs/content/en/docs/reference/grpc-api.md 
@@ -756,6 +756,7 @@ User records | KPROBE_ACTION_TRACKSOCK | 11 | TrackSock action tracks socket. | | KPROBE_ACTION_UNTRACKSOCK | 12 | UntrackSock action un-tracks socket. | | KPROBE_ACTION_NOTIFYENFORCER | 13 | NotifyEnforcer action notifies enforcer sensor. | +| KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION | 14 | CleanupEnforcerNotification action cleanups any state left by NotifyEnforcer | diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml index 0019b25f9a3..6506281dac0 100644 --- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml +++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml @@ -332,6 +332,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -653,6 +654,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -947,6 +949,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1268,6 +1271,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1595,6 +1599,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1916,6 +1921,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -2178,6 +2184,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action 
@@ -2499,6 +2506,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml index 57beae0adbc..544d33e731f 100644 --- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml +++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml @@ -332,6 +332,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -653,6 +654,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -947,6 +949,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1268,6 +1271,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1595,6 +1599,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1916,6 +1921,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -2178,6 +2184,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -2499,6 +2506,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action 
diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index 0019b25f9a3..6506281dac0 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -332,6 +332,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -653,6 +654,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -947,6 +949,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1268,6 +1271,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1595,6 +1599,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1916,6 +1921,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -2178,6 +2184,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -2499,6 +2506,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 57beae0adbc..544d33e731f 100644 
--- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -332,6 +332,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -653,6 +654,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -947,6 +949,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1268,6 +1271,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1595,6 +1599,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1916,6 +1921,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -2178,6 +2184,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -2499,6 +2506,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go index cbd25237a22..719d29cc305 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go 
@@ -57,6 +57,8 @@ const ( KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12 // NotifyEnforcer action notifies enforcer sensor. KprobeAction_KPROBE_ACTION_NOTIFYENFORCER KprobeAction = 13 + // CleanupEnforcerNotification action cleanups any state left by NotifyEnforcer + KprobeAction_KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION KprobeAction = 14 ) // Enum value maps for KprobeAction. @@ -76,22 +78,24 @@ var ( 11: "KPROBE_ACTION_TRACKSOCK", 12: "KPROBE_ACTION_UNTRACKSOCK", 13: "KPROBE_ACTION_NOTIFYENFORCER", + 14: "KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION", } KprobeAction_value = map[string]int32{ - "KPROBE_ACTION_UNKNOWN": 0, - "KPROBE_ACTION_POST": 1, - "KPROBE_ACTION_FOLLOWFD": 2, - "KPROBE_ACTION_SIGKILL": 3, - "KPROBE_ACTION_UNFOLLOWFD": 4, - "KPROBE_ACTION_OVERRIDE": 5, - "KPROBE_ACTION_COPYFD": 6, - "KPROBE_ACTION_GETURL": 7, - "KPROBE_ACTION_DNSLOOKUP": 8, - "KPROBE_ACTION_NOPOST": 9, - "KPROBE_ACTION_SIGNAL": 10, - "KPROBE_ACTION_TRACKSOCK": 11, - "KPROBE_ACTION_UNTRACKSOCK": 12, - "KPROBE_ACTION_NOTIFYENFORCER": 13, + "KPROBE_ACTION_UNKNOWN": 0, + "KPROBE_ACTION_POST": 1, + "KPROBE_ACTION_FOLLOWFD": 2, + "KPROBE_ACTION_SIGKILL": 3, + "KPROBE_ACTION_UNFOLLOWFD": 4, + "KPROBE_ACTION_OVERRIDE": 5, + "KPROBE_ACTION_COPYFD": 6, + "KPROBE_ACTION_GETURL": 7, + "KPROBE_ACTION_DNSLOOKUP": 8, + "KPROBE_ACTION_NOPOST": 9, + "KPROBE_ACTION_SIGNAL": 10, + "KPROBE_ACTION_TRACKSOCK": 11, + "KPROBE_ACTION_UNTRACKSOCK": 12, + "KPROBE_ACTION_NOTIFYENFORCER": 13, + "KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION": 14, } ) 
@@ -4970,7 +4974,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2a, 0x95, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, + 0x52, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2a, 0xc4, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 
@@ -4996,37 +5000,40 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x5f, 0x55, 0x4e, 0x54, 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x20, 0x0a, 0x1c, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x54, 0x49, 0x46, 0x59, 0x45, 0x4e, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x52, 0x10, 0x0d, - 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, - 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, - 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, - 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, - 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, - 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, - 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, - 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, - 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, - 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, - 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, - 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, - 0x8d, 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, - 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, - 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, - 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 
0x4f, 0x44, 0x55, 0x4c, 0x45, - 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, - 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, - 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, - 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, - 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, - 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, - 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, - 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, - 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x12, 0x2d, 0x0a, 0x29, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, + 0x4e, 0x5f, 0x43, 0x4c, 0x45, 0x41, 0x4e, 0x55, 0x50, 0x45, 0x4e, 0x46, 0x4f, 0x52, 0x43, 0x45, + 0x52, 0x4e, 0x4f, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x0e, 0x2a, + 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, + 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, + 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, + 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 
0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, + 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, 0x01, + 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, + 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, + 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, + 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, + 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, + 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, + 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, + 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, + 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, + 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, + 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, + 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, + 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, + 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, + 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, + 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, + 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, + 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, + 
0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, + 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, + 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, + 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, + 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, + 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto index 4a1d7f293f8..4dfa730b8cd 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto @@ -473,6 +473,8 @@ enum KprobeAction { KPROBE_ACTION_UNTRACKSOCK = 12; // NotifyEnforcer action notifies enforcer sensor. KPROBE_ACTION_NOTIFYENFORCER = 13; + // CleanupEnforcerNotification action cleanups any state left by NotifyEnforcer + KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION = 14; } message ProcessKprobe { diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index 0019b25f9a3..6506281dac0 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -332,6 +332,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action 
@@ -653,6 +654,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -947,6 +949,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1268,6 +1271,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1595,6 +1599,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1916,6 +1921,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -2178,6 +2184,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -2499,6 +2506,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 57beae0adbc..544d33e731f 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -332,6 +332,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action 
@@ -653,6 +654,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -947,6 +949,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1268,6 +1271,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1595,6 +1599,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -1916,6 +1921,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -2178,6 +2184,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action @@ -2499,6 +2506,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - CleanupEnforcerNotification type: string argError: description: error value for override action diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 6f83231145d..801d7016341 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go 
@@ -200,7 +200,7 @@ type ArgSelector struct { } type ActionSelector struct { - // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyEnforcer + // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyEnforcer;CleanupEnforcerNotification // Action to execute. Action string `json:"action"` // +kubebuilder:validation:Optional diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go index 97148d94720..9f7e4002e6a 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go @@ -7,4 +7,4 @@ package v1alpha1 // Used to determine if CRD needs to be updated in cluster // // Developers: Bump patch for each change in the CRD schema. -const CustomResourceDefinitionSchemaVersion = "1.3.4" +const CustomResourceDefinitionSchemaVersion = "1.3.5" From 16489e72a66771d45d3f982d11ffb57d0b9d105b Mon Sep 17 00:00:00 2001 
From: Kornilios Kourtis Date: Fri, 11 Oct 2024 13:45:32 +0200 Subject: [PATCH 11/12] enforcer: implement CleanupEnforcerNotification This allows to specify an action (CleanupEnforcerNotification) that checks whether the enforcer notification succeeded. For example, the following policy: ``` apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: name: "kill-syscalls" spec: enforcers: - calls: - "sys_swapoff" # - "sys_getcpu" tracepoints: - subsystem: "raw_syscalls" event: "sys_enter" args: - index: 4 type: "syscall64" selectors: - matchArgs: - index: 0 operator: "InMap" values: - 309 # getcpu - 168 # swapoff matchActions: - action: "NotifyEnforcer" argError: -1 argSig: 9 - subsystem: "raw_syscalls" event: "sys_exit" selectors: - matchActions: - action: "CleanupEnforcerNotification" - action: "NoPost" ``` Detects missing notifications by adding such a function in the raw_syscalls/sys_exit tracepoint. This means that missed enforcements can be detected even if there is no other notifcation for the same thread. The metric output in this case would be: tetragon_enforcer_missed_notifications_total{info="getcpu",policy="kill-syscalls",reason="no_action"} 3 Signed-off-by: Kornilios Kourtis --- bpf/process/bpf_enforcer.h | 16 ++++ bpf/process/types/basic.h | 3 + pkg/api/tracingapi/client_kprobe.go | 27 +++--- pkg/grpc/tracing/tracing.go | 2 + .../enforcermetrics/enforcermetrics.go | 2 + pkg/selectors/kernel.go | 84 ++++++++++--------- 6 files changed, 81 insertions(+), 53 deletions(-) diff --git a/bpf/process/bpf_enforcer.h b/bpf/process/bpf_enforcer.h index f71107870ae..2686c383e5c 100644 --- a/bpf/process/bpf_enforcer.h +++ b/bpf/process/bpf_enforcer.h @@ -28,6 +28,7 @@ struct { enum enforcer_missed_reason { ENFORCER_MISSED_OVERWRITTEN = 1, + ENFORCER_MISSED_NOACTION = 2, }; struct enforcer_missed_key { 
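Review bot: The new `ENFORCER_MISSED_NOACTION = 2` value is mirrored by hand as the bare literal `case 2:` in `reason()` in pkg/metrics/enforcermetrics/enforcermetrics.go later in this patch, with nothing tying the two definitions together. A further reason added on one side but not the other would be reported as `unspecified`, which is the one outcome a missed-enforcement metric exists to make visible. Consider a comment on the enum, `/* keep in sync with enforcerMissedMapKey.reason() in pkg/metrics/enforcermetrics */`, and named constants on the Go side instead of the literals 1 and 2.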
@@ -67,6 +68,21 @@ enforcer_update_missed_notifications(struct enforcer_missed_key *key) } } +FUNC_INLINE void do_enforcer_cleanup(void) +{ + struct enforcer_data *ptr; + __u64 id = get_current_pid_tgid(); + + ptr = map_lookup_elem(&enforcer_data, &id); + if (ptr) { + struct enforcer_missed_key missed_key = { + .act_info = ptr->act_info, + .reason = ENFORCER_MISSED_NOACTION, + }; + enforcer_update_missed_notifications(&missed_key); + } +} + FUNC_INLINE void do_enforcer_action(int error, int signal, struct enforcer_act_info act_info) { __u64 id = get_current_pid_tgid(); diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h index c76192c969a..dea49981378 100644 --- a/bpf/process/types/basic.h +++ b/bpf/process/types/basic.h @@ -109,6 +109,7 @@ enum { ACTION_TRACKSOCK = 10, ACTION_UNTRACKSOCK = 11, ACTION_NOTIFY_ENFORCER = 12, + ACTION_CLEANUP_ENFORCER_NOTIFICATION = 13, }; enum { @@ -2281,6 +2282,8 @@ do_action(void *ctx, __u32 i, struct selector_action *actions, argi = actions->act[++i]; do_action_notify_enforcer(e, error, signal, argi); break; + case ACTION_CLEANUP_ENFORCER_NOTIFICATION: + do_enforcer_cleanup(); default: break; } diff --git a/pkg/api/tracingapi/client_kprobe.go b/pkg/api/tracingapi/client_kprobe.go index f8a609484e2..67d0f15a154 100644 --- a/pkg/api/tracingapi/client_kprobe.go +++ b/pkg/api/tracingapi/client_kprobe.go 
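Review bot: do_enforcer_cleanup records the miss but leaves the `enforcer_data` entry in place, so unless it is deleted elsewhere every later sys_exit of the same thread will count the same stale entry again, and a stale `act_info` left by an unenforced call may still be matched by a subsequent call of that thread. If the intent of a cleanup action is to reset the thread's notification state, add `map_delete_elem(&enforcer_data, &id);` after `enforcer_update_missed_notifications(&missed_key);` inside the `if (ptr)` block. A short header comment would also help, e.g. `/* Called at sys_exit: a notification still pending here means no enforcer consumed it. */`.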
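Review bot: The new `case ACTION_CLEANUP_ENFORCER_NOTIFICATION:` has no `break;` after `do_enforcer_cleanup();`, so it falls through into `default:`. Today that is harmless because `default:` only breaks, but it reads as an oversight and anything later added under `default:` would silently run for this action too; add `break;` after the call, or an explicit fallthrough comment if it is intended. do_action starts and ends outside the hunk.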
@@ -12,19 +12,20 @@ const ( ) const ( - ActionPost = 0 - ActionFollowFd = 1 - ActionSigKill = 2 - ActionUnfollowFd = 3 - ActionOverride = 4 - ActionCopyFd = 5 - ActionGetUrl = 6 - ActionLookupDns = 7 - ActionNoPost = 8 - ActionSignal = 9 - ActionTrackSock = 10 - ActionUntrackSock = 11 - ActionNotifyEnforcer = 12 + ActionPost = 0 + ActionFollowFd = 1 + ActionSigKill = 2 + ActionUnfollowFd = 3 + ActionOverride = 4 + ActionCopyFd = 5 + ActionGetUrl = 6 + ActionLookupDns = 7 + ActionNoPost = 8 + ActionSignal = 9 + ActionTrackSock = 10 + ActionUntrackSock = 11 + ActionNotifyEnforcer = 12 + ActionCleanupEnforcerNotification = 13 ) const ( diff --git a/pkg/grpc/tracing/tracing.go b/pkg/grpc/tracing/tracing.go index 052b957659c..e0176435df7 100644 --- a/pkg/grpc/tracing/tracing.go +++ b/pkg/grpc/tracing/tracing.go @@ -63,6 +63,8 @@ func kprobeAction(act uint64) tetragon.KprobeAction { return tetragon.KprobeAction_KPROBE_ACTION_UNTRACKSOCK case tracingapi.ActionNotifyEnforcer: return tetragon.KprobeAction_KPROBE_ACTION_NOTIFYENFORCER + case tracingapi.ActionCleanupEnforcerNotification: + return tetragon.KprobeAction_KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION default: return tetragon.KprobeAction_KPROBE_ACTION_UNKNOWN } diff --git a/pkg/metrics/enforcermetrics/enforcermetrics.go b/pkg/metrics/enforcermetrics/enforcermetrics.go index 2bf93496eac..5c038bcf251 100644 --- a/pkg/metrics/enforcermetrics/enforcermetrics.go +++ b/pkg/metrics/enforcermetrics/enforcermetrics.go @@ -85,6 +85,8 @@ func (mk *enforcerMissedMapKey) reason() string { switch mk.Reason { case 1: return "overwritten" + case 2: + return "no_action" default: return "unspecified" } diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go index bd3b39fffdd..7d4f02d8740 100644 --- a/pkg/selectors/kernel.go +++ b/pkg/selectors/kernel.go 
@@ -22,52 +22,54 @@ import ( ) const ( - ActionTypeInvalid = -1 - ActionTypePost = 0 - ActionTypeFollowFd = 1 - ActionTypeSigKill = 2 - ActionTypeUnfollowFd = 3 - ActionTypeOverride = 4 - ActionTypeCopyFd = 5 - ActionTypeGetUrl = 6 - ActionTypeDnsLookup = 7 - ActionTypeNoPost = 8 - ActionTypeSignal = 9 - ActionTypeTrackSock = 10 - ActionTypeUntrackSock = 11 - ActionTypeNotifyEnforcer = 12 + ActionTypeInvalid = -1 + ActionTypePost = 0 + ActionTypeFollowFd = 1 + ActionTypeSigKill = 2 + ActionTypeUnfollowFd = 3 + ActionTypeOverride = 4 + ActionTypeCopyFd = 5 + ActionTypeGetUrl = 6 + ActionTypeDnsLookup = 7 + ActionTypeNoPost = 8 + ActionTypeSignal = 9 + ActionTypeTrackSock = 10 + ActionTypeUntrackSock = 11 + ActionTypeNotifyEnforcer = 12 + ActionTypeCleanupEnforcerNotification = 13 ) var actionTypeTable = map[string]uint32{ - "post": ActionTypePost, - "followfd": ActionTypeFollowFd, - "unfollowfd": ActionTypeUnfollowFd, - "sigkill": ActionTypeSigKill, - "override": ActionTypeOverride, - "copyfd": ActionTypeCopyFd, - "geturl": ActionTypeGetUrl, - "dnslookup": ActionTypeDnsLookup, - "nopost": ActionTypeNoPost, - "signal": ActionTypeSignal, - "tracksock": ActionTypeTrackSock, - "untracksock": ActionTypeUntrackSock, - "notifyenforcer": ActionTypeNotifyEnforcer, + "post": ActionTypePost, + "followfd": ActionTypeFollowFd, + "unfollowfd": ActionTypeUnfollowFd, + "sigkill": ActionTypeSigKill, + "override": ActionTypeOverride, + "copyfd": ActionTypeCopyFd, + "geturl": ActionTypeGetUrl, + "dnslookup": ActionTypeDnsLookup, + "nopost": ActionTypeNoPost, + "signal": ActionTypeSignal, + "tracksock": ActionTypeTrackSock, + "untracksock": ActionTypeUntrackSock, + "notifyenforcer": ActionTypeNotifyEnforcer, + "cleanupenforcernotification": ActionTypeCleanupEnforcerNotification, } var actionTypeStringTable = map[uint32]string{ - ActionTypePost: "post", - ActionTypeFollowFd: "followfd", - ActionTypeUnfollowFd: "unfollowfd", - ActionTypeSigKill: "sigkill", - ActionTypeOverride: 
"override", - ActionTypeCopyFd: "copyfd", - ActionTypeGetUrl: "geturl", - ActionTypeDnsLookup: "dnslookup", - ActionTypeNoPost: "nopost", - ActionTypeSignal: "signal", - ActionTypeTrackSock: "tracksock", - ActionTypeUntrackSock: "untracksock", - ActionTypeNotifyEnforcer: "notifyenforcer", + ActionTypePost: "post", + ActionTypeFollowFd: "followfd", + ActionTypeUnfollowFd: "unfollowfd", + ActionTypeSigKill: "sigkill", + ActionTypeOverride: "override", + ActionTypeCopyFd: "copyfd", + ActionTypeGetUrl: "geturl", + ActionTypeDnsLookup: "dnslookup", + ActionTypeNoPost: "nopost", + ActionTypeSignal: "signal", + ActionTypeTrackSock: "tracksock", + ActionTypeUntrackSock: "untracksock", + ActionTypeCleanupEnforcerNotification: "cleanupenforcernotification", } const ( @@ -981,6 +983,8 @@ func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, a actionArgIndex = *(action.EnforcerNotifyActionArgIndex) } WriteSelectorUint32(&k.data, actionArgIndex) + case ActionTypeCleanupEnforcerNotification: + // no arguments default: return fmt.Errorf("ParseMatchAction: act %d (%s) is missing a handler", act, actionTypeStringTable[act]) } From 9c49fc4253378bdfadd2e28cb985b55fadf63019 Mon Sep 17 00:00:00 2001 From: Kornilios Kourtis Date: Fri, 11 Oct 2024 13:58:15 +0200 Subject: [PATCH 12/12] enforcer: add docs for missed notifications metric Signed-off-by: Kornilios Kourtis --- docs/content/en/docs/reference/metrics.md | 10 ++++++++++ pkg/metrics/enforcermetrics/enforcermetrics.go | 5 +++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/docs/content/en/docs/reference/metrics.md b/docs/content/en/docs/reference/metrics.md index 0314a205809..686dcbb3e2c 100644 --- a/docs/content/en/docs/reference/metrics.md +++ b/docs/content/en/docs/reference/metrics.md 
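Review bot: The rewritten `actionTypeStringTable` drops the `ActionTypeNotifyEnforcer: "notifyenforcer"` entry: the old side has 13 entries ending with notifyenforcer and the new side has 13 again with cleanupenforcernotification in its place, which is consistent with the hunk header's net +2 (one new const, one new actionTypeTable entry, none here). Any lookup of `actionTypeStringTable[ActionTypeNotifyEnforcer]`, including the `act %d (%s)` error path in ParseMatchAction in the next hunk, now yields an empty string for NotifyEnforcer. Re-add `ActionTypeNotifyEnforcer: "notifyenforcer",` before the cleanup entry.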
@@ -65,6 +65,16 @@ The number of data events by type. For internal use only. | ----- | ------ | | `event` | `Added, Appended, Bad, Matched, NotMatched, Received` | +### `tetragon_enforcer_missed_notifications_total` + +The number of missed notifications by the enforcer. + +| label | values | +| ----- | ------ | +| `info ` | `syscall` | +| `policy` | `policy-name` | +| `reason` | `reason` | + ### `tetragon_errors_total` The total number of Tetragon errors. For internal use only. diff --git a/pkg/metrics/enforcermetrics/enforcermetrics.go b/pkg/metrics/enforcermetrics/enforcermetrics.go index 5c038bcf251..1ddfb626ad5 100644 --- a/pkg/metrics/enforcermetrics/enforcermetrics.go +++ b/pkg/metrics/enforcermetrics/enforcermetrics.go @@ -67,7 +67,7 @@ func (st *state) newCollector() metrics.CollectorWithInit { st.missedNotifications, }, st.collect, - collectForDocs, + st.collectForDocs, ) } @@ -141,5 +141,6 @@ func (st *state) unregisterPolicy(policy string) { delete(st.policies, policy) } -func collectForDocs(_ chan<- prometheus.Metric) { +func (st *state) collectForDocs(ch chan<- prometheus.Metric) { + ch <- st.missedNotifications.MustMetric(0, "reason", "policy-name", "syscall") }
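Review bot: `st.collectForDocs` emits a single sample whose `reason` label carries the placeholder string `"reason"`, so the generated docs table in this same patch lists `reason` instead of the real values `overwritten` and `no_action` that `reason()` returns, whereas the `event` label above it enumerates its values. If the first positional label is reason, as the generated table suggests, emit one sample per known value: `for _, r := range []string{"overwritten", "no_action"} { ch <- st.missedNotifications.MustMetric(0, r, "policy-name", "syscall") }`. The docs hunk also has a stray space inside the backticks of `info ` in the label column.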