tetragon: Add killer sensor #1205
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
olsajiri
force-pushed
the
killer
branch
3 times, most recently
from
c13973c to
21daede
Compare
olsajiri
force-pushed
the
killer
branch
5 times, most recently
from
b27c59f to
69718d7
Compare
olsajiri
force-pushed
the
killer
branch
2 times, most recently
from
967b56c to
8bf3a4e
Compare
olsajiri
added
the
release-note/minor
olsajiri
force-pushed
the
killer
branch
7 times, most recently
from
7b67b6d to
2725b32
Compare
olsajiri
force-pushed
the
killer
branch
4 times, most recently
from
1c0e273 to
edc5374
Compare
olsajiri
force-pushed
the
killer
branch
7 times, most recently
from
ec97b4c to
bf75c17
Compare
olsajiri
force-pushed
the
killer
branch
2 times, most recently
from
dd6bd1c to
82a64dc
Compare
kkourt
approved these changes
Oct 9, 2023
| @@ -576,6 +576,9 @@ spec: | |||
| - generated_syscalls | |||
| - generated_ftrace | |||
| type: string | |||
| validated: | |||
| description: List was validated | |||
| type: boolean | |||
There was a problem hiding this comment.
So from what I can tell, this option means that no validation will be performed.
Maybe ignore-validation is a better name?
There was a problem hiding this comment.
it's there to ensure the validation goes through just once, so it gets validated,
sets the flag so another sensor won't run it again, I'll update changelog with that, sry
There was a problem hiding this comment.
is there a way we could avoid implementation things to be visible/editable from the UI (the yaml)?
this is typically that could go into the status of the resource instead of the spec.
| @@ -315,3 +315,8 @@ type PodInfoList struct { | |||
| metav1.ListMeta `json:"metadata,omitempty"` | |||
| Items []PodInfo `json:"items"` | |||
| } | |||
|
|
|||
| type KillerSpec struct { | |||
| // syscalls to kill | |||
There was a problem hiding this comment.
How about description: syscalls where killer is executed in?
AFAIU, these are the syscalls where we will load the killer and do the check on whether to "kill" the process or not.
api/v1/tetragon/tetragon.proto
Outdated
| @@ -433,6 +433,8 @@ message ProcessTracepoint { | |||
| // Arguments definition of the observed tracepoint. | |||
| // TODO: once we implement all we want, rename KprobeArgument to GenericArgument | |||
| repeated KprobeArgument args = 6; | |||
| // Action performed when the kprobe matched. | |||
| @@ -897,6 +898,95 @@ broken. | |||
|
|
|||
| Socket tracking is only available on kernel >=5.3. | |||
|
|
|||
| ### Notify Killer action | |||
|
|
|||
| The `NotifyKiller` action notifies the killer program to kill or override syscall. | |||
There was a problem hiding this comment.
Suggested change
| The `NotifyKiller` action notifies the killer program to kill or override syscall. | |
| The `NotifyKiller` action notifies the killer program to kill or override a syscall. |
| The `NotifyKiller` action notifies the killer program to kill or override syscall. | ||
|
|
||
| The specs needs to have `killer` program definition, that instructs tetragon to load | ||
| `killer` program and attach it to specified syscalls. |
There was a problem hiding this comment.
Suggested change
| `killer` program and attach it to specified syscalls. | |
| the `killer` program and attach it to specified syscalls. |
mtardy
approved these changes
Oct 11, 2023
Comment on lines
929
to
930
| If pecified the argError will be passed to `bpf_override_return` helper to override the syscall return value. | ||
| If pecified the argSig will be passed to `bpf_send_signal` helper to override the syscall return value. |
There was a problem hiding this comment.
Suggested change
| If pecified the argError will be passed to `bpf_override_return` helper to override the syscall return value. | |
| If pecified the argSig will be passed to `bpf_send_signal` helper to override the syscall return value. | |
| If specified the argError will be passed to `bpf_override_return` helper to override the syscall return value. | |
| If specified the argSig will be passed to `bpf_send_signal` helper to override the syscall return value. |
Comment on lines
966
to
1057
| Note the `NotifyKiller` with killer program is meant to be used only on kernel versions | ||
| with no support for fast attach of multiple kprobes (`kprobe_multi` link). |
There was a problem hiding this comment.
Would it be possible to move that to the very beginning, after the "The NotifyKiller action notifies the killer program to kill or override syscall." sentence? Also, could we have a little more details on the why of this feature? Why this is interesting and maybe useful for the reader?
There was a problem hiding this comment.
ok, I'll add some description at the beginning, thanks
Adding Validated field to ListSpec to ensure the validation goes through just once, so it gets validated, sets the flag so another sensor won't run it again. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding preValidateLists function that iterates all the lists and validates them. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Passing symbol argument to kprobeAttach so we can use it in followich changes with different symbols. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding LoadKprobeProgramAttachMany function that loads kprobe program and attaches it to symbols provided in array of strings. Note the program gets loaded just once. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Add possibility to define killer in the schema like:
killers:
- syscalls:
- "sys_dup"
"sys.."
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding killer sensor that attaches to defined syscalls and overrides them or/and kill the process. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding bpf_killer bpf program that allows to (when attached to syscall) override syscall or kill current process. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding support to notify killer program attached to syscalls
with another action spec, like:
matchActions:
- action: "NotifyKiller"
argError: -1
argSig: 9
It's possible to specify error for override and signal number
to kill the current process with.
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
So we can use it through kubectl. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding example killer policy that setups sys_enter raw syscalls and add filter for sys_dup and sys_dup2 syscalls plus match for /usr/bin/bash binary and kill it through killer. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding action field to tracepoint event, so it's available in the event in case the action is triggered. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Catching up with kprobe/tracepoint event action enum definitions. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding test for killer sensor and testing both killing application matching the selector and overriding syscall that matches the selector. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
kkourt
added
release-note/major
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
adding support to have fast way (when multi kprobe link is not available)
of attaching killer/override program to multiple syscalls
details in: https://github.com/olsajiri/tetragon/blob/killer/docs/content/en/docs/concepts/tracing-policy/selectors.md#notify-killer-action