diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
index 3c234768e5f..acb78562a2f 100644
--- a/bpf/process/types/basic.h
+++ b/bpf/process/types/basic.h
@@ -1777,7 +1777,7 @@ struct fdinstall_value {
 struct {
 __uint(type, BPF_MAP_TYPE_LRU_HASH);
- __uint(max_entries, 32000);
+ __uint(max_entries, 1); // will be resized by agent when needed
 __type(key, struct fdinstall_key);
 __type(value, struct fdinstall_value);
 } fdinstall_map SEC(".maps");
diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go
index 8a625b5cf41..2d208f72e80 100644
--- a/pkg/sensors/tracing/generickprobe.go
+++ b/pkg/sensors/tracing/generickprobe.go
@@ -62,6 +62,7 @@ const (
 // much kernel memory when enabled.
 stackTraceMapMaxEntries = 32768
 ratelimitMapMaxEntries = 32768
+ fdInstallMapMaxEntries = 32000
 )
 func kprobeCharBufErrorToString(e int32) string {
@@ -271,7 +272,7 @@ func filterMaps(load *program.Program, pinPath string, kprobeEntry *genericKprob
 return maps
 }
-func createMultiKprobeSensor(sensorPath, policyName string, multiIDs []idtable.EntryID) ([]*program.Program, []*program.Map, error) {
+func createMultiKprobeSensor(sensorPath, policyName string, multiIDs []idtable.EntryID, enableFDInstall bool) ([]*program.Program, []*program.Map, error) {
 var multiRetIDs []idtable.EntryID
 var progs []*program.Program
 var maps []*program.Map
@@ -315,6 +316,9 @@ func createMultiKprobeSensor(sensorPath, policyName string, multiIDs []idtable.E
 progs = append(progs, load)
 fdinstall := program.MapBuilderPin("fdinstall_map", sensors.PathJoin(sensorPath, "fdinstall_map"), load)
+ if enableFDInstall {
+ fdinstall.SetMaxEntries(fdInstallMapMaxEntries)
+ }
 maps = append(maps, fdinstall)
 configMap := program.MapBuilderPin("config_map", sensors.PathJoin(pinPath, "config_map"), load)
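Review bot: Declaring fdinstall_map with `max_entries` 1 makes the BPF side fail open rather than fail closed: if a loader does not raise the size, lookups and updates on a one-entry LRU_HASH still succeed and simply evict each other, so fd tracking degrades silently instead of the object refusing to load. The comment on the `+` line should name the contract so the dependency is visible from the BPF side, e.g. `// sized down to 1 entry; the agent raises it (fdInstallMapMaxEntries via SetMaxEntries) only for policies whose selectors use followfd/unfollowfd/copyfd`. Any loader that reaches this map without going through that agent-side detection would be left with the one-entry map, which is worth stating here since nothing in the BPF object can enforce it.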
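Review bot: The three-line `if enableFDInstall { fdinstall.SetMaxEntries(fdInstallMapMaxEntries) }` block following the `fdinstall` MapBuilderPin call is repeated verbatim here and in the hunks at @@ -392, @@ -870 and @@ -961, with only the pinning program differing. Since the BPF object now declares the map with a single entry, a site that drifts (a renamed map, a changed constant, or a fifth call site added without the guard) silently leaves that sensor with a one-entry map; a small helper that builds and sizes the pinned map in one place removes that failure mode. createMultiKprobeSensor starts and ends outside the hunk.
```go
// fdInstallMap returns the pinned fdinstall_map builder for prog. The BPF
// object declares the map with a single entry; it is only grown to
// fdInstallMapMaxEntries when the policy uses an fd-tracking action.
func fdInstallMap(sensorPath string, prog *program.Program, enable bool) *program.Map {
	m := program.MapBuilderPin("fdinstall_map", sensors.PathJoin(sensorPath, "fdinstall_map"), prog)
	if enable {
		m.SetMaxEntries(fdInstallMapMaxEntries)
	}
	return m
}

// … unchanged: createMultiKprobeSensor up to the fdinstall map …
	fdinstall := fdInstallMap(sensorPath, load, enableFDInstall)
	maps = append(maps, fdinstall)
```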
@@ -392,6 +396,9 @@ func createMultiKprobeSensor(sensorPath, policyName string, multiIDs []idtable.E
 maps = append(maps, callHeap)
 fdinstall := program.MapBuilderPin("fdinstall_map", sensors.PathJoin(sensorPath, "fdinstall_map"), loadret)
+ if enableFDInstall {
+ fdinstall.SetMaxEntries(fdInstallMapMaxEntries)
+ }
 maps = append(maps, fdinstall)
 socktrack := program.MapBuilderPin("socktrack_map", sensors.PathJoin(sensorPath, "socktrack_map"), loadret)
@@ -578,6 +585,16 @@ func createGenericKprobeSensor(
 selMaps = &selectors.KernelSelectorMaps{}
 }
+ // detect at the policy level if one kprobe uses the fdinstall feature since
+ // the map is shared amongst all kprobes
+ oneKprobeHasFDInstall := false
+ for _, kprobe := range kprobes {
+ if selectorsHaveFDInstall(kprobe.Selectors) {
+ oneKprobeHasFDInstall = true
+ break
+ }
+ }
+
 in := addKprobeIn{
 useMulti: useMulti,
 sensorPath: name,
@@ -606,9 +623,9 @@ func createGenericKprobeSensor(
 }
 if useMulti {
- progs, maps, err = createMultiKprobeSensor(in.sensorPath, in.policyName, ids)
+ progs, maps, err = createMultiKprobeSensor(in.sensorPath, in.policyName, ids, oneKprobeHasFDInstall)
 } else {
- progs, maps, err = createSingleKprobeSensor(in.sensorPath, ids)
+ progs, maps, err = createSingleKprobeSensor(in.sensorPath, ids, oneKprobeHasFDInstall)
 }
 if err != nil {
@@ -646,6 +663,10 @@ func addKprobe(funcName string, f *v1alpha1.KProbeSpec, in *addKprobeIn) (id idt
 return idtable.UninitializedEntryID, err
 }
+ if f == nil {
+ return errFn(errors.New("error adding kprobe, the kprobe spec is nil"))
+ }
+
 config := &api.EventConfig{}
 config.PolicyID = uint32(in.policyID)
 if len(f.ReturnArgAction) > 0 {
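Review bot: The policy-level scan in the @@ -578 hunk is a hand-written "any" loop; if the module's go.mod is at 1.21 or later it reads more directly as `oneKprobeHasFDInstall := slices.ContainsFunc(kprobes, func(k v1alpha1.KProbeSpec) bool { return selectorsHaveFDInstall(k.Selectors) })`, assuming kprobes is a `[]v1alpha1.KProbeSpec` (its declaration is outside the hunk). The comment above the loop would be more useful if it also said what happens otherwise, e.g. `// if no kprobe needs it, fdinstall_map stays at the 1-entry size declared in the BPF object`. createGenericKprobeSensor starts and ends outside the hunk.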
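Review bot: The `f == nil` guard in the @@ -646 hunk sits after an earlier `return idtable.UninitializedEntryID, err` whose condition is outside the hunk, so whether any statement before it already dereferences f (the first lines of addKprobe are not visible here) decides if the guard can ever be reached with a nil spec; placing it as the first statement of addKprobe removes the question. The message also carries a redundant `error` prefix and a comma splice that reads oddly once wrapped; `return errFn(errors.New("kprobe spec is nil"))` says the same. The same wording issue applies to `"failed creating generic tracepoint, conf is nil"` in generictracepoint.go at @@ -312.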
@@ -781,13 +802,6 @@ func addKprobe(funcName string, f *v1alpha1.KProbeSpec, in *addKprobeIn) (id idt
 config.Syscall = 0
 }
- hasStackTrace := false
- for _, selector := range f.Selectors {
- for _, matchAction := range selector.MatchActions {
- hasStackTrace = matchAction.KernelStackTrace || matchAction.UserStackTrace
- }
- }
-
 // create a new entry on the table, and pass its id to BPF-side
 // so that we can do the matching at event-generation time
 kprobeEntry := genericKprobe{
@@ -806,7 +820,7 @@ func addKprobe(funcName string, f *v1alpha1.KProbeSpec, in *addKprobeIn) (id idt
 customHandler: in.customHandler,
 message: msgField,
 tags: tagsField,
- hasStackTrace: hasStackTrace,
+ hasStackTrace: selectorsHaveStackTrace(f.Selectors),
 hasRatelimit: selectorsHaveRateLimit(f.Selectors),
 }
@@ -848,7 +862,7 @@ func addKprobe(funcName string, f *v1alpha1.KProbeSpec, in *addKprobeIn) (id idt
 }
 func createKprobeSensorFromEntry(kprobeEntry *genericKprobe, sensorPath string,
- progs []*program.Program, maps []*program.Map) ([]*program.Program, []*program.Map) {
+ progs []*program.Program, maps []*program.Map, enableFDInstall bool) ([]*program.Program, []*program.Map) {
 loadProgName, loadProgRetName := kernels.GenericKprobeObjs()
 isSecurityFunc := strings.HasPrefix(kprobeEntry.funcName, "security_")
@@ -870,6 +884,9 @@ func createKprobeSensorFromEntry(kprobeEntry *genericKprobe, sensorPath string,
 progs = append(progs, load)
 fdinstall := program.MapBuilderPin("fdinstall_map", sensors.PathJoin(sensorPath, "fdinstall_map"), load)
+ if enableFDInstall {
+ fdinstall.SetMaxEntries(fdInstallMapMaxEntries)
+ }
 maps = append(maps, fdinstall)
 configMap := program.MapBuilderPin("config_map", sensors.PathJoin(pinPath, "config_map"), load)
@@ -961,6 +978,9 @@ func createKprobeSensorFromEntry(kprobeEntry *genericKprobe, sensorPath string,
 maps = append(maps, callHeap)
 fdinstall := program.MapBuilderPin("fdinstall_map", sensors.PathJoin(sensorPath, "fdinstall_map"), loadret)
+ if enableFDInstall {
+ fdinstall.SetMaxEntries(fdInstallMapMaxEntries)
+ }
 maps = append(maps, fdinstall)
 if kernels.EnableLargeProgs() {
@@ -974,7 +994,7 @@ func createKprobeSensorFromEntry(kprobeEntry *genericKprobe, sensorPath string,
 return progs, maps
 }
-func createSingleKprobeSensor(sensorPath string, ids []idtable.EntryID) ([]*program.Program, []*program.Map, error) {
+func createSingleKprobeSensor(sensorPath string, ids []idtable.EntryID, enableFDInstall bool) ([]*program.Program, []*program.Map, error) {
 var progs []*program.Program
 var maps []*program.Map
@@ -984,7 +1004,7 @@ func createSingleKprobeSensor(sensorPath string, ids []idtable.EntryID) ([]*prog
 return nil, nil, err
 }
 gk.data = &genericKprobeData{}
- progs, maps = createKprobeSensorFromEntry(gk, sensorPath, progs, maps)
+ progs, maps = createKprobeSensorFromEntry(gk, sensorPath, progs, maps, enableFDInstall)
 }
 return progs, maps, nil
@@ -1312,3 +1332,27 @@ func selectorsHaveRateLimit(selectors []v1alpha1.KProbeSelector) bool {
 }
 return false
 }
+
+func selectorsHaveStackTrace(selectors []v1alpha1.KProbeSelector) bool {
+ for _, selector := range selectors {
+ for _, matchAction := range selector.MatchActions {
+ if matchAction.KernelStackTrace || matchAction.UserStackTrace {
+ return true
+ }
+ }
+ }
+ return false
+}
+
+func selectorsHaveFDInstall(sel []v1alpha1.KProbeSelector) bool {
+ for _, selector := range sel {
+ for _, matchAction := range selector.MatchActions {
+ if a := selectors.ActionTypeFromString(matchAction.Action); a == selectors.ActionTypeFollowFd ||
+ a == selectors.ActionTypeUnfollowFd ||
+ a == selectors.ActionTypeCopyFd {
+ return true
+ }
+ }
+ }
+ return false
+}
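Review bot: selectorsHaveFDInstall in the @@ -1312 hunk is now the only thing that decides whether fdinstall_map is grown from its 1-entry BPF default, and selectorsHaveStackTrace replaces an inline loop, yet neither carries a doc comment; a one-liner on each, such as `// selectorsHaveFDInstall reports whether any matchAction follows, unfollows or copies an fd, in which case fdinstall_map must be sized above its BPF default.`, makes the coupling discoverable from the helper. Because the decision goes through `selectors.ActionTypeFromString(matchAction.Action)`, an action string that parser does not recognise would presumably leave the map small rather than surface an error; if spec validation rejects unknown actions before this point that is fine, but it is worth confirming since the failure would be silent. Stylistically the three `a == …` comparisons read more clearly as `switch selectors.ActionTypeFromString(matchAction.Action) { case selectors.ActionTypeFollowFd, selectors.ActionTypeUnfollowFd, selectors.ActionTypeCopyFd: return true }`.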
diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go
index 2dcd72a9759..fd8a8f79a7b 100644
--- a/pkg/sensors/tracing/generictracepoint.go
+++ b/pkg/sensors/tracing/generictracepoint.go
@@ -312,6 +312,10 @@ func createGenericTracepoint(
 policyName string,
 customHandler eventhandler.Handler,
 ) (*genericTracepoint, error) {
+ if conf == nil {
+ return nil, errors.New("failed creating generic tracepoint, conf is nil")
+ }
+
 tp := tracepoint.Tracepoint{
 Subsys: conf.Subsystem,
 Event: conf.Event,
@@ -405,6 +409,9 @@ func createGenericTracepointSensor(
 progs = append(progs, prog0)
 fdinstall := program.MapBuilderPin("fdinstall_map", sensors.PathJoin(pinPath, "fdinstall_map"), prog0)
+ if selectorsHaveFDInstall(tp.Spec.Selectors) {
+ fdinstall.SetMaxEntries(fdInstallMapMaxEntries)
+ }
 maps = append(maps, fdinstall)
 tailCalls := program.MapBuilderPin("tp_calls", sensors.PathJoin(pinPath, "tp_calls"), prog0)
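Review bot: The tracepoint path in the @@ -405 hunk sizes fdinstall_map from `tp.Spec.Selectors` alone, whereas the kprobe path (generickprobe.go @@ -578) deliberately scans every kprobe in the policy because the map pinned under the sensor path is shared. If `pinPath` here is per-policy rather than per-tracepoint — where it comes from is outside the hunk — two tracepoints in one policy would pin the same map and only the one whose selectors use an fd action would ask for the larger size, so the result would depend on build order and on how the pinned map is reused. If pinPath is per-tracepoint the per-spec check is correct, and a comment stating that assumption next to the check, e.g. `// pinPath is per tracepoint, so only this spec's selectors decide the map size`, would save the next reader the same question. createGenericTracepointSensor starts and ends outside the hunk.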