From 8a51b83c8bb90cc926cf592bfb61bdd43685bded Mon Sep 17 00:00:00 2001 From: Jiri Olsa Date: Fri, 16 Feb 2024 13:09:04 +0000 Subject: [PATCH] tetragon: Rename killer code to enforcer Signed-off-by: Jiri Olsa --- pkg/sensors/tracing/generickprobe.go | 8 +- pkg/sensors/tracing/generictracepoint.go | 4 +- pkg/sensors/tracing/killer.go | 132 +++++++++++------------ pkg/sensors/tracing/killer_amd64_test.go | 32 +++--- pkg/sensors/tracing/killer_builder.go | 40 +++---- pkg/sensors/tracing/killer_test.go | 102 +++++++++--------- 6 files changed, 159 insertions(+), 159 deletions(-) diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go index 642165b83f5..b9904248e56 100644 --- a/pkg/sensors/tracing/generickprobe.go +++ b/pkg/sensors/tracing/generickprobe.go @@ -318,8 +318,8 @@ func createMultiKprobeSensor(sensorPath, policyName string, multiIDs []idtable.E maps = append(maps, socktrack) } - killerDataMap := killerMap(policyName, load) - maps = append(maps, killerDataMap) + enforcerDataMap := enforcerMap(policyName, load) + maps = append(maps, enforcerDataMap) filterMap.SetMaxEntries(len(multiIDs)) configMap.SetMaxEntries(len(multiIDs)) @@ -868,8 +868,8 @@ func createKprobeSensorFromEntry(kprobeEntry *genericKprobe, sensorPath string, maps = append(maps, socktrack) } - killerDataMap := killerMap(kprobeEntry.policyName, load) - maps = append(maps, killerDataMap) + enforcerDataMap := enforcerMap(kprobeEntry.policyName, load) + maps = append(maps, enforcerDataMap) if kprobeEntry.loadArgs.retprobe { pinRetProg := sensors.PathJoin(pinPath, fmt.Sprintf("%s_ret_prog", kprobeEntry.funcName)) diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go index 26d1e2ae150..f1080796fd9 100644 --- a/pkg/sensors/tracing/generictracepoint.go +++ b/pkg/sensors/tracing/generictracepoint.go @@ -472,8 +472,8 @@ func createGenericTracepointSensor( } maps = append(maps, matchBinariesPaths) - killerDataMap := killerMap(policyName, prog0) - maps = append(maps, killerDataMap) + enforcerDataMap := enforcerMap(policyName, prog0) + maps = append(maps, enforcerDataMap) selMatchBinariesMap := program.MapBuilderPin("tg_mb_sel_opts", sensors.PathJoin(pinPath, "tg_mb_sel_opts"), prog0) maps = append(maps, selMatchBinariesMap) diff --git a/pkg/sensors/tracing/killer.go b/pkg/sensors/tracing/killer.go index 777efbc0ab4..e637b1f6121 100644 --- a/pkg/sensors/tracing/killer.go +++ b/pkg/sensors/tracing/killer.go @@ -22,67 +22,67 @@ import ( ) const ( - killerDataMapName = "enforcer_data" + enforcerDataMapName = "enforcer_data" ) -type killerHandler struct { +type enforcerHandler struct { syscallsSyms []string } -type killerPolicy struct { - mu sync.Mutex - killers map[string]*killerHandler +type enforcerPolicy struct { + mu sync.Mutex + enforcers map[string]*enforcerHandler } -func newKillerPolicy() *killerPolicy { - return &killerPolicy{ - killers: map[string]*killerHandler{}, +func newEnforcerPolicy() *enforcerPolicy { + return &enforcerPolicy{ + enforcers: map[string]*enforcerHandler{}, } } var ( - // global killer policy - gKillerPolicy = newKillerPolicy() + // global enforcer policy + gEnforcerPolicy = newEnforcerPolicy() ) func init() { - sensors.RegisterProbeType("killer", gKillerPolicy) - sensors.RegisterPolicyHandlerAtInit("killer", gKillerPolicy) + sensors.RegisterProbeType("enforcer", gEnforcerPolicy) + sensors.RegisterPolicyHandlerAtInit("enforcer", gEnforcerPolicy) } -func killerMap(policyName string, load *program.Program) *program.Map { - return program.MapBuilderPin(killerDataMapName, - fmt.Sprintf("%s_%s", killerDataMapName, policyName), load) +func enforcerMap(policyName string, load *program.Program) *program.Map { + return program.MapBuilderPin(enforcerDataMapName, + fmt.Sprintf("%s_%s", enforcerDataMapName, policyName), load) } -func (kp *killerPolicy) killerGet(name string) (*killerHandler, bool) { +func (kp *enforcerPolicy) enforcerGet(name string) (*enforcerHandler, bool) { kp.mu.Lock() defer kp.mu.Unlock() - kh, ok := kp.killers[name] + kh, ok := kp.enforcers[name] return kh, ok } -func (kp *killerPolicy) killerAdd(name string, kh *killerHandler) bool { +func (kp *enforcerPolicy) enforcerAdd(name string, kh *enforcerHandler) bool { kp.mu.Lock() defer kp.mu.Unlock() - if _, ok := kp.killers[name]; ok { + if _, ok := kp.enforcers[name]; ok { return false } - kp.killers[name] = kh + kp.enforcers[name] = kh return true } -func (kp *killerPolicy) killerDel(name string) bool { +func (kp *enforcerPolicy) enforcerDel(name string) bool { kp.mu.Lock() defer kp.mu.Unlock() - if _, ok := kp.killers[name]; !ok { + if _, ok := kp.enforcers[name]; !ok { return false } - delete(kp.killers, name) + delete(kp.enforcers, name) return true } -func (kp *killerPolicy) PolicyHandler( +func (kp *enforcerPolicy) PolicyHandler( policy tracingpolicy.TracingPolicy, _ policyfilter.PolicyID, ) (*sensors.Sensor, error) { @@ -96,27 +96,27 @@ func (kp *killerPolicy) PolicyHandler( } } if len(spec.Enforcers) > 0 { - name := fmt.Sprintf("killer-sensor-%d", atomic.AddUint64(&sensorCounter, 1)) - return kp.createKillerSensor(spec.Enforcers, spec.Lists, spec.Options, name, policy.TpName()) + name := fmt.Sprintf("enforcer-sensor-%d", atomic.AddUint64(&sensorCounter, 1)) + return kp.createEnforcerSensor(spec.Enforcers, spec.Lists, spec.Options, name, policy.TpName()) } return nil, nil } -func (kp *killerPolicy) loadSingleKillerSensor( - kh *killerHandler, +func (kp *enforcerPolicy) loadSingleEnforcerSensor( + kh *enforcerHandler, bpfDir, mapDir string, load *program.Program, verbose int, ) error { if err := program.LoadKprobeProgramAttachMany(bpfDir, mapDir, load, kh.syscallsSyms, verbose); err == nil { - logger.GetLogger().Infof("Loaded killer sensor: %s", load.Attach) + logger.GetLogger().Infof("Loaded enforcer sensor: %s", load.Attach) } else { return err } return nil } -func (kp *killerPolicy) loadMultiKillerSensor( - kh *killerHandler, +func (kp *enforcerPolicy) loadMultiEnforcerSensor( + kh *enforcerHandler, bpfDir, mapDir string, load *program.Program, verbose int, ) error { data := &program.MultiKprobeAttachData{} @@ -129,32 +129,32 @@ func (kp *killerPolicy) loadMultiKillerSensor( return err } - logger.GetLogger().Infof("Loaded killer sensor: %s", load.Attach) + logger.GetLogger().Infof("Loaded enforcer sensor: %s", load.Attach) return nil } -func (kp *killerPolicy) LoadProbe(args sensors.LoadProbeArgs) error { +func (kp *enforcerPolicy) LoadProbe(args sensors.LoadProbeArgs) error { name, ok := args.Load.LoaderData.(string) if !ok { return fmt.Errorf("invalid loadData type: expecting string and got: %T (%v)", args.Load.LoaderData, args.Load.LoaderData) } - kh, ok := kp.killerGet(name) + kh, ok := kp.enforcerGet(name) if !ok { - return fmt.Errorf("failed to get killer handler for '%s'", name) + return fmt.Errorf("failed to get enforcer handler for '%s'", name) } if args.Load.Label == "kprobe.multi/enforcer" { - return kp.loadMultiKillerSensor(kh, args.BPFDir, args.MapDir, args.Load, args.Verbose) + return kp.loadMultiEnforcerSensor(kh, args.BPFDir, args.MapDir, args.Load, args.Verbose) } if args.Load.Label == "kprobe/enforcer" { - return kp.loadSingleKillerSensor(kh, args.BPFDir, args.MapDir, args.Load, args.Verbose) + return kp.loadSingleEnforcerSensor(kh, args.BPFDir, args.MapDir, args.Load, args.Verbose) } if strings.HasPrefix(args.Load.Label, "fmod_ret/") { return program.LoadFmodRetProgram(args.BPFDir, args.MapDir, args.Load, "fmodret_enforcer", args.Verbose) } - return fmt.Errorf("killer loader: unknown label: %s", args.Load.Label) + return fmt.Errorf("enforcer loader: unknown label: %s", args.Load.Label) } // select proper override method based on configuration and spec options @@ -167,7 +167,7 @@ func selectOverrideMethod(overrideMethod OverrideMethod, hasSyscall bool) (Overr } else if bpf.HasModifyReturnSyscall() { overrideMethod = OverrideMethodFmodRet } else { - return OverrideMethodInvalid, fmt.Errorf("no override helper or mod_ret support: cannot load killer") + return OverrideMethodInvalid, fmt.Errorf("no override helper or mod_ret support: cannot load enforcer") } case OverrideMethodReturn: if !bpf.HasOverrideHelper() { @@ -182,30 +182,30 @@ func selectOverrideMethod(overrideMethod OverrideMethod, hasSyscall bool) (Overr return overrideMethod, nil } -func (kp *killerPolicy) createKillerSensor( - killers []v1alpha1.EnforcerSpec, +func (kp *enforcerPolicy) createEnforcerSensor( + enforcers []v1alpha1.EnforcerSpec, lists []v1alpha1.ListSpec, opts []v1alpha1.OptionSpec, name string, policyName string, ) (*sensors.Sensor, error) { - if len(killers) > 1 { - return nil, fmt.Errorf("failed: we support only single killer sensor") + if len(enforcers) > 1 { + return nil, fmt.Errorf("failed: we support only single enforcer sensor") } - killer := killers[0] + enforcer := enforcers[0] var ( hasSyscall bool hasSecurity bool ) - kh := &killerHandler{} + kh := &enforcerHandler{} // get all the syscalls - for idx := range killer.Calls { - sym := killer.Calls[idx] + for idx := range enforcer.Calls { + sym := enforcer.Calls[idx] if strings.HasPrefix(sym, "list:") { listName := sym[len("list:"):] @@ -230,7 +230,7 @@ func (kp *killerPolicy) createKillerSensor( isSecurity := strings.HasPrefix(sym, "security_") if !isSyscall && !isSecurity && !isPrefix { - return nil, fmt.Errorf("killer sensor requires either syscall or security_ functions") + return nil, fmt.Errorf("enforcer sensor requires either syscall or security_ functions") } if isSyscall { @@ -245,7 +245,7 @@ func (kp *killerPolicy) createKillerSensor( hasSecurity = hasSecurity || isSecurity } - // register killer sensor + // register enforcer sensor var load *program.Program var progs []*program.Program var maps []*program.Map @@ -255,7 +255,7 @@ func (kp *killerPolicy) createKillerSensor( } if !bpf.HasSignalHelper() { - return nil, fmt.Errorf("killer sensor requires signal helper which is not available") + return nil, fmt.Errorf("enforcer sensor requires signal helper which is not available") } // select proper override method based on configuration and spec options @@ -266,10 +266,10 @@ func (kp *killerPolicy) createKillerSensor( if hasSecurity && overrideMethod != OverrideMethodFmodRet { // fail if override-return is directly requested if overrideMethod == OverrideMethodReturn { - return nil, fmt.Errorf("killer: can't override security function with override-return") + return nil, fmt.Errorf("enforcer: can't override security function with override-return") } overrideMethod = OverrideMethodFmodRet - logger.GetLogger().Infof("killer: forcing fmod_ret (security_* call detected)") + logger.GetLogger().Infof("enforcer: forcing fmod_ret (security_* call detected)") } overrideMethod, err = selectOverrideMethod(overrideMethod, hasSyscall) @@ -277,11 +277,11 @@ func (kp *killerPolicy) createKillerSensor( return nil, err } - pinPath := sensors.PathJoin(name, "killer_kprobe") + pinPath := sensors.PathJoin(name, "enforcer_kprobe") switch overrideMethod { case OverrideMethodReturn: useMulti := !specOpts.DisableKprobeMulti && !option.Config.DisableKprobeMulti && bpf.HasKprobeMulti() - logger.GetLogger().Infof("killer: using override return (multi-kprobe: %t)", useMulti) + logger.GetLogger().Infof("enforcer: using override return (multi-kprobe: %t)", useMulti) label := "kprobe/enforcer" prog := "bpf_enforcer.o" if useMulti { @@ -294,20 +294,20 @@ func (kp *killerPolicy) createKillerSensor( attach, label, pinPath, - "killer"). + "enforcer"). SetLoaderData(name) progs = append(progs, load) case OverrideMethodFmodRet: // for fmod_ret, we need one program per syscall - logger.GetLogger().Infof("killer: using fmod_ret") + logger.GetLogger().Infof("enforcer: using fmod_ret") for _, syscallSym := range kh.syscallsSyms { load = program.Builder( path.Join(option.Config.HubbleLib, "bpf_fmodret_enforcer.o"), syscallSym, "fmod_ret/security_task_prctl", pinPath, - "killer"). + "enforcer"). SetLoaderData(name) progs = append(progs, load) } @@ -315,24 +315,24 @@ func (kp *killerPolicy) createKillerSensor( return nil, fmt.Errorf("unexpected override method: %d", overrideMethod) } - killerDataMap := killerMap(policyName, load) - maps = append(maps, killerDataMap) + enforcerDataMap := enforcerMap(policyName, load) + maps = append(maps, enforcerDataMap) - if ok := kp.killerAdd(name, kh); !ok { - return nil, fmt.Errorf("failed to add killer: '%s'", name) + if ok := kp.enforcerAdd(name, kh); !ok { + return nil, fmt.Errorf("failed to add enforcer: '%s'", name) } - logger.GetLogger().Infof("Added killer sensor '%s'", name) + logger.GetLogger().Infof("Added enforcer sensor '%s'", name) return &sensors.Sensor{ - Name: "__killer__", + Name: "__enforcer__", Progs: progs, Maps: maps, PostUnloadHook: func() error { - if ok := kp.killerDel(name); !ok { - logger.GetLogger().Infof("Failed to clean up killer sensor '%s'", name) + if ok := kp.enforcerDel(name); !ok { + logger.GetLogger().Infof("Failed to clean up enforcer sensor '%s'", name) } else { - logger.GetLogger().Infof("Cleaned up killer sensor '%s'", name) + logger.GetLogger().Infof("Cleaned up enforcer sensor '%s'", name) } return nil }, diff --git a/pkg/sensors/tracing/killer_amd64_test.go b/pkg/sensors/tracing/killer_amd64_test.go index 87cee5cde2f..1633b3c6001 100644 --- a/pkg/sensors/tracing/killer_amd64_test.go +++ b/pkg/sensors/tracing/killer_amd64_test.go @@ -18,11 +18,11 @@ import ( lc "github.com/cilium/tetragon/pkg/matchers/listmatcher" ) -func TestKillerOverride32(t *testing.T) { - testKillerCheckSkip(t) +func TestEnforcerOverride32(t *testing.T) { + testEnforcerCheckSkip(t) - test := testutils.RepoRootPath("contrib/tester-progs/killer-tester-32") - yaml := NewKillerSpecBuilder("killer-override"). + test := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester-32") + yaml := NewEnforcerSpecBuilder("enforcer-override"). WithSyscallList("__ia32_sys_prctl"). WithMatchBinaries(test). WithOverrideValue(-17). // EEXIST @@ -44,14 +44,14 @@ func TestKillerOverride32(t *testing.T) { } } - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) } -func TestKillerSignal32(t *testing.T) { - testKillerCheckSkip(t) +func TestEnforcerSignal32(t *testing.T) { + testEnforcerCheckSkip(t) - test := testutils.RepoRootPath("contrib/tester-progs/killer-tester-32") - yaml := NewKillerSpecBuilder("killer-signal"). + test := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester-32") + yaml := NewEnforcerSpecBuilder("enforcer-signal"). WithSyscallList("__ia32_sys_prctl"). WithMatchBinaries(test). WithOverrideValue(-17). // EEXIST @@ -74,16 +74,16 @@ func TestKillerSignal32(t *testing.T) { } } - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) } -func TestKillerOverrideBothBits(t *testing.T) { - testKillerCheckSkip(t) +func TestEnforcerOverrideBothBits(t *testing.T) { + testEnforcerCheckSkip(t) - test32 := testutils.RepoRootPath("contrib/tester-progs/killer-tester-32") - test64 := testutils.RepoRootPath("contrib/tester-progs/killer-tester") + test32 := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester-32") + test64 := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester") - yaml := NewKillerSpecBuilder("killer-override"). + yaml := NewEnforcerSpecBuilder("enforcer-override"). WithSyscallList("__ia32_sys_prctl", "sys_prctl"). WithMatchBinaries(test32, test64). WithOverrideValue(-17). // EEXIST @@ -113,5 +113,5 @@ func TestKillerOverrideBothBits(t *testing.T) { } } - testKiller(t, yaml, test64, test32, checker, checkerFunc) + testEnforcer(t, yaml, test64, test32, checker, checkerFunc) } diff --git a/pkg/sensors/tracing/killer_builder.go b/pkg/sensors/tracing/killer_builder.go index 8d0fef0b10c..c01c05363b1 100644 --- a/pkg/sensors/tracing/killer_builder.go +++ b/pkg/sensors/tracing/killer_builder.go @@ -14,7 +14,7 @@ import ( "github.com/cilium/tetragon/pkg/option" ) -type KillerSpecBuilder struct { +type EnforcerSpecBuilder struct { name string syscalls [][]string kill *uint32 @@ -24,61 +24,61 @@ type KillerSpecBuilder struct { multiKprobe *bool } -func NewKillerSpecBuilder(name string) *KillerSpecBuilder { - return &KillerSpecBuilder{ +func NewEnforcerSpecBuilder(name string) *EnforcerSpecBuilder { + return &EnforcerSpecBuilder{ name: name, } } -func (ksb *KillerSpecBuilder) WithSyscallList(calls ...string) *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithSyscallList(calls ...string) *EnforcerSpecBuilder { ksb.syscalls = append(ksb.syscalls, calls) return ksb } -func (ksb *KillerSpecBuilder) WithKill(sig uint32) *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithKill(sig uint32) *EnforcerSpecBuilder { ksb.kill = &sig return ksb } -func (ksb *KillerSpecBuilder) WithMultiKprobe() *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithMultiKprobe() *EnforcerSpecBuilder { multi := true ksb.multiKprobe = &multi return ksb } -func (ksb *KillerSpecBuilder) WithoutMultiKprobe() *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithoutMultiKprobe() *EnforcerSpecBuilder { multi := false ksb.multiKprobe = &multi return ksb } -func (ksb *KillerSpecBuilder) WithOverrideValue(ret int32) *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithOverrideValue(ret int32) *EnforcerSpecBuilder { ksb.override = &ret return ksb } -func (ksb *KillerSpecBuilder) WithMatchBinaries(bins ...string) *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithMatchBinaries(bins ...string) *EnforcerSpecBuilder { ksb.binaries = append(ksb.binaries, bins...) return ksb } -func (ksb *KillerSpecBuilder) WithOverrideReturn() *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithOverrideReturn() *EnforcerSpecBuilder { ksb.overrideMethod = valOverrideReturn return ksb } -func (ksb *KillerSpecBuilder) WithFmodRet() *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithFmodRet() *EnforcerSpecBuilder { ksb.overrideMethod = valFmodRet return ksb } -func (ksb *KillerSpecBuilder) WithDefaultOverride() *KillerSpecBuilder { +func (ksb *EnforcerSpecBuilder) WithDefaultOverride() *EnforcerSpecBuilder { ksb.overrideMethod = "" return ksb } -func (ksb *KillerSpecBuilder) MustBuild() *v1alpha1.TracingPolicy { +func (ksb *EnforcerSpecBuilder) MustBuild() *v1alpha1.TracingPolicy { spec, err := ksb.Build() if err != nil { log.Fatalf("MustBuild failed with %v", err) @@ -86,7 +86,7 @@ func (ksb *KillerSpecBuilder) MustBuild() *v1alpha1.TracingPolicy { return spec } -func (ksb *KillerSpecBuilder) MustYAML() string { +func (ksb *EnforcerSpecBuilder) MustYAML() string { tp, err := ksb.Build() if err != nil { log.Fatalf("MustYAML: build failed with %v", err) @@ -99,11 +99,11 @@ func (ksb *KillerSpecBuilder) MustYAML() string { return string(b) } -func (ksb *KillerSpecBuilder) Build() (*v1alpha1.TracingPolicy, error) { +func (ksb *EnforcerSpecBuilder) Build() (*v1alpha1.TracingPolicy, error) { var listNames []string var lists []v1alpha1.ListSpec - var killers []v1alpha1.EnforcerSpec + var enforcers []v1alpha1.EnforcerSpec var matchBinaries []v1alpha1.BinarySelector var options []v1alpha1.OptionSpec @@ -123,15 +123,15 @@ func (ksb *KillerSpecBuilder) Build() (*v1alpha1.TracingPolicy, error) { Pattern: nil, Validated: false, }) - killers = append(killers, v1alpha1.EnforcerSpec{ + enforcers = append(enforcers, v1alpha1.EnforcerSpec{ Calls: []string{listName}, }) } - actions := []v1alpha1.ActionSelector{{Action: "NotifyKiller"}} + actions := []v1alpha1.ActionSelector{{Action: "NotifyEnforcer"}} act := &actions[0] if ksb.kill == nil && ksb.override == nil { - return nil, fmt.Errorf("need either override or kill to notify killer") + return nil, fmt.Errorf("need either override or kill to notify enforcer") } if ksb.kill != nil { act.ArgSig = *ksb.kill @@ -192,7 +192,7 @@ func (ksb *KillerSpecBuilder) Build() (*v1alpha1.TracingPolicy, error) { MatchBinaries: matchBinaries, }}, }}, - Enforcers: killers, + Enforcers: enforcers, Options: options, }, }, nil diff --git a/pkg/sensors/tracing/killer_test.go b/pkg/sensors/tracing/killer_test.go index dd9ebb554ab..1b7943ce75f 100644 --- a/pkg/sensors/tracing/killer_test.go +++ b/pkg/sensors/tracing/killer_test.go @@ -32,16 +32,16 @@ import ( "golang.org/x/sys/unix" ) -func testKillerCheckSkip(t *testing.T) { +func testEnforcerCheckSkip(t *testing.T) { if !bpf.HasSignalHelper() { - t.Skip("skipping killer test, bpf_send_signal helper not available") + t.Skip("skipping enforcer test, bpf_send_signal helper not available") } if !bpf.HasOverrideHelper() && !bpf.HasModifyReturnSyscall() { t.Skip("skipping test, neither bpf_override_return nor fmod_ret for syscalls is available") } } -func testKiller(t *testing.T, configHook string, +func testEnforcer(t *testing.T, configHook string, test string, test2 string, checker *eventchecker.UnorderedEventChecker, checkerFunc func(err error, rc int)) { @@ -80,12 +80,12 @@ func testKiller(t *testing.T, configHook string, assert.NoError(t, err) } -func TestKillerOverride(t *testing.T) { - testKillerCheckSkip(t) +func TestEnforcerOverride(t *testing.T) { + testEnforcerCheckSkip(t) test := testutils.RepoRootPath("contrib/tester-progs/getcpu") - builder := func() *KillerSpecBuilder { - return NewKillerSpecBuilder("killer-override"). + builder := func() *EnforcerSpecBuilder { + return NewEnforcerSpecBuilder("enforcer-override"). WithSyscallList("sys_getcpu"). WithMatchBinaries(test). WithOverrideValue(-17) // EEXIST @@ -117,12 +117,12 @@ func TestKillerOverride(t *testing.T) { t.Skip("no multi-kprobe support") } yaml := builder().WithOverrideReturn().WithMultiKprobe().MustYAML() - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) }) t.Run("kprobe (no multi)", func(t *testing.T) { yaml := builder().WithOverrideReturn().WithoutMultiKprobe().MustYAML() - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) }) }) t.Run("fmod_ret", func(t *testing.T) { @@ -130,14 +130,14 @@ func TestKillerOverride(t *testing.T) { t.Skip("fmod_ret not supported") } yaml := builder().WithFmodRet().MustYAML() - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) }) } -func TestKillerSignal(t *testing.T) { - testKillerCheckSkip(t) +func TestEnforcerSignal(t *testing.T) { + testEnforcerCheckSkip(t) - test := testutils.RepoRootPath("contrib/tester-progs/killer-tester") + test := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester") tpChecker := ec.NewProcessTracepointChecker(""). WithArgs(ec.NewKprobeArgumentListMatcher(). @@ -155,8 +155,8 @@ func TestKillerSignal(t *testing.T) { } } - builder := func() *KillerSpecBuilder { - return NewKillerSpecBuilder("killer-signal"). + builder := func() *EnforcerSpecBuilder { + return NewEnforcerSpecBuilder("enforcer-signal"). WithSyscallList("sys_prctl"). WithMatchBinaries(test). WithOverrideValue(-17). // EEXIST @@ -172,18 +172,18 @@ func TestKillerSignal(t *testing.T) { } yaml := builder().WithMultiKprobe().MustYAML() - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) }) t.Run("kprobe (no multi)", func(t *testing.T) { yaml := builder().WithoutMultiKprobe().MustYAML() - testKiller(t, yaml, test, "", checker, checkerFunc) + testEnforcer(t, yaml, test, "", checker, checkerFunc) }) } -func TestKillerMultiNotSupported(t *testing.T) { - yaml := NewKillerSpecBuilder("killer-multi"). +func TestEnforcerMultiNotSupported(t *testing.T) { + yaml := NewEnforcerSpecBuilder("enforcer-multi"). WithSyscallList("sys_prctl"). WithSyscallList("sys_dup"). WithOverrideValue(-17). // EEXIST @@ -244,25 +244,25 @@ func testSecurity(t *testing.T, tracingPolicy, tempFile string) { // in this case direct pwrite syscall. // Standard Sigkill action kills executed from sys_pwrite probe kills the // process, but only after the pwrite syscall is executed. -// Now we can mitigate that by attaching killer to security_file_permission +// Now we can mitigate that by attaching enforcer to security_file_permission // function and override its return value to prevent the pwrite syscall // execution. // // The testing spec below: // - attaches probe to pwrite -// - attaches killer to security_file_permission +// - attaches enforcer to security_file_permission // - executes SigKill action for attempted pwrite to specific file -// - executes NotifyEnforcer action to instruct killer to override the +// - executes NotifyEnforcer action to instruct enforcer to override the // security_file_permission return value with -1 // - tests that no data got written to the monitored file -func TestKillerSecuritySigKill(t *testing.T) { +func TestEnforcerSecuritySigKill(t *testing.T) { if !bpf.HasSignalHelper() { - t.Skip("skipping killer test, bpf_send_signal helper not available") + t.Skip("skipping enforcer test, bpf_send_signal helper not available") } if !bpf.HasModifyReturn() { - t.Skip("skipping killer test, fmod_ret is not available") + t.Skip("skipping enforcer test, fmod_ret is not available") } if !kernels.EnableLargeProgs() { @@ -280,7 +280,7 @@ spec: options: - name: "override-method" value: "fmod-ret" - killers: + enforcers: - calls: - "security_file_permission" kprobes: @@ -332,24 +332,24 @@ spec: } // Testing the ability to kill the process before it executes the syscall, -// in similar way as in TestKillerSecuritySigKill test. +// in similar way as in TestEnforcerSecuritySigKill test. // The only difference is we use the NotifyEnforcer to send the signal instead // of using SigKill action. // // The testing spec below: // - attaches probe to pwrite -// - attaches killer to security_file_permission -// - executes NotifyEnforcer to instruct killer to send sigkill to current process +// - attaches enforcer to security_file_permission +// - executes NotifyEnforcer to instruct enforcer to send sigkill to current process // and override the security_file_permission return value with -1 // - tests that no data got written to the monitored file -func TestKillerSecurityNotifyEnforcer(t *testing.T) { +func TestEnforcerSecurityNotifyEnforcer(t *testing.T) { if !bpf.HasSignalHelper() { - t.Skip("skipping killer test, bpf_send_signal helper not available") + t.Skip("skipping enforcer test, bpf_send_signal helper not available") } if !bpf.HasModifyReturn() { - t.Skip("skipping killer test, fmod_ret is not available") + t.Skip("skipping enforcer test, fmod_ret is not available") } if !kernels.EnableLargeProgs() { @@ -367,7 +367,7 @@ spec: options: - name: "override-method" value: "fmod-ret" - killers: + enforcers: - calls: - "security_file_permission" kprobes: @@ -419,39 +419,39 @@ spec: } // This test loads 2 policies: -// - first set standard killer tracepoint setup on sys_prctl +// - first set standard enforcer tracepoint setup on sys_prctl // with first argument value 0xffff -// - second set standard killer tracepoint setup on sys_prctl +// - second set standard enforcer tracepoint setup on sys_prctl // with first argument value 0xfffe // then make sure both policies catch and kill. -func TestKillerMulti(t *testing.T) { +func TestEnforcerMulti(t *testing.T) { if !bpf.HasSignalHelper() { - t.Skip("skipping killer test, bpf_send_signal helper not available") + t.Skip("skipping enforcer test, bpf_send_signal helper not available") } if !bpf.HasModifyReturn() { - t.Skip("skipping killer test, fmod_ret is not available") + t.Skip("skipping enforcer test, fmod_ret is not available") } if !kernels.EnableLargeProgs() { t.Skip("Older kernels do not support matchArgs for more than one arguments") } - testBin := testutils.RepoRootPath("contrib/tester-progs/killer-tester") + testBin := testutils.RepoRootPath("contrib/tester-progs/enforcer-tester") policyYAML1 := ` apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: - name: "killer-prctl-1" + name: "enforcer-prctl-1" spec: lists: - name: "prctl" type: "syscalls" values: - "sys_prctl" - killers: + enforcers: - calls: - "list:prctl" tracepoints: @@ -486,14 +486,14 @@ spec: apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: - name: "killer-prctl-2" + name: "enforcer-prctl-2" spec: lists: - name: "prctl" type: "syscalls" values: - "sys_prctl" - killers: + enforcers: - calls: - "list:prctl" tracepoints: @@ -541,13 +541,13 @@ spec: option.Config.HubbleLib = tus.Conf().TetragonLib tus.LoadSensor(t, base.GetInitialSensor()) - sensor1, err := gKillerPolicy.PolicyHandler(policy1, policyfilter.NoFilterID) + sensor1, err := gEnforcerPolicy.PolicyHandler(policy1, policyfilter.NoFilterID) assert.NoError(t, err) sensor2, err := policyHandler{}.PolicyHandler(policy1, policyfilter.NoFilterID) assert.NoError(t, err) - sensor3, err := gKillerPolicy.PolicyHandler(policy2, policyfilter.NoFilterID) + sensor3, err := gEnforcerPolicy.PolicyHandler(policy2, policyfilter.NoFilterID) assert.NoError(t, err) sensor4, err := policyHandler{}.PolicyHandler(policy2, policyfilter.NoFilterID) @@ -561,7 +561,7 @@ spec: t.Logf("All policies loaded\n") - // 'killer-tester 0xffff' should be killed by policy 1 + // 'enforcer-tester 0xffff' should be killed by policy 1 cmd := exec.Command(testBin, "0xffff") err = cmd.Run() @@ -569,7 +569,7 @@ spec: t.Fatalf("Wrong error '%v' expected 'killed'", err) } - // 'killer-tester 0xfffe' should be killed by policy 2 + // 'enforcer-tester 0xfffe' should be killed by policy 2 cmd = exec.Command(testBin, "0xfffe") err = cmd.Run() @@ -577,7 +577,7 @@ spec: t.Fatalf("Wrong error '%v' expected 'killed'", err) } - // 'killer-tester 0xfffd' should NOT get killed + // 'enforcer-tester 0xfffd' should NOT get killed cmd = exec.Command(testBin, "0xfffd") err = cmd.Run() @@ -591,7 +591,7 @@ spec: t.Logf("Unloaded policy 1\n") - // 'killer-tester 0xffff' should NOT get killed now + // 'enforcer-tester 0xffff' should NOT get killed now cmd = exec.Command(testBin, "0xffff") err = cmd.Run() @@ -599,7 +599,7 @@ spec: t.Fatalf("Wrong error '%v' expected 'exit status 22'", err) } - // 'killer-tester 0xfffe' should be killed by policy 2 + // 'enforcer-tester 0xfffe' should be killed by policy 2 cmd = exec.Command(testBin, "0xfffe") err = cmd.Run() @@ -613,7 +613,7 @@ spec: t.Logf("Unloaded policy 2\n") - // 'killer-tester 0xfffe' should NOT get killed now + // 'enforcer-tester 0xfffe' should NOT get killed now cmd = exec.Command(testBin, "0xfffe") err = cmd.Run()