tetragon: Add tests for multiple symbol instances in kprobes

Make sure we fail when having multiple symbol instances in kprobe multi mode and that we work properly in NON kprobe multi mode. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
cilium · Nov 19, 2024 · 696cba8 · 696cba8
1 parent 7b68085
commit 696cba8
Show file tree

Hide file tree

Showing 2 changed files with 87 additions and 0 deletions.
diff --git a/pkg/sensors/tracing/kprobe_test.go b/pkg/sensors/tracing/kprobe_test.go
@@ -7034,3 +7034,67 @@ spec:
 	err = jsonchecker.JsonTestCheck(t, checker)
 	assert.NoError(t, err)
 }
+
+func TestKprobeMultiSymbolInstancesOk(t *testing.T) {
+	var doneWG, readyWG sync.WaitGroup
+	defer doneWG.Wait()
+
+	ctx, cancel := context.WithTimeout(context.Background(), tus.Conf().CmdWaitTime)
+	defer cancel()
+
+	hook := `apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "multiple-symbols"
+spec:
+  options:
+    - name: "disable-kprobe-multi"
+      value: "1"
+  kprobes:
+  - call: sys_prctl
+    args:
+    - index: 0
+      type: int64
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: Equal
+        values:
+        - "9999"
+    syscall: true
+    tags: [ "prctl_9999" ]
+  - call: sys_prctl
+    args:
+    - index: 0
+      type: int64
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: Equal
+        values:
+        - "8888"
+    syscall: true
+    tags: [ "prctl_8888" ]
+`
+	createCrdFile(t, hook)
+
+	obs, err := observertesthelper.GetDefaultObserverWithFile(t, ctx, testConfigFile, tus.Conf().TetragonLib)
+	if err != nil {
+		t.Fatalf("GetDefaultObserverWithFile error: %s", err)
+	}
+	observertesthelper.LoopEvents(ctx, t, &doneWG, &readyWG, obs)
+	readyWG.Wait()
+
+	syscall.Syscall(syscall.SYS_PRCTL, 8888, 0, 0)
+	syscall.Syscall(syscall.SYS_PRCTL, 9999, 0, 0)
+
+	kp_8888 := ec.NewProcessKprobeChecker("").
+		WithTags(ec.NewStringListMatcher().WithValues(sm.Full("prctl_8888")))
+	kp_9999 := ec.NewProcessKprobeChecker("").
+		WithTags(ec.NewStringListMatcher().WithValues(sm.Full("prctl_9999")))
+
+	checker := ec.NewUnorderedEventChecker(kp_8888, kp_9999)
+
+	err = jsonchecker.JsonTestCheck(t, checker)
+	assert.NoError(t, err)
+}
diff --git a/pkg/sensors/tracing/kprobe_validation_test.go b/pkg/sensors/tracing/kprobe_validation_test.go
@@ -6,6 +6,7 @@ package tracing
 import (
 	"testing"
 
+	"github.com/cilium/tetragon/pkg/bpf"
 	"github.com/cilium/tetragon/pkg/kernels"
 	"github.com/cilium/tetragon/pkg/sensors"
 	"github.com/cilium/tetragon/pkg/tracingpolicy"
@@ -361,3 +362,25 @@ spec:
 	_, err = tracingpolicy.FromYAML(crd3)
 	assert.NoError(t, err)
 }
+
+func TestKprobeMultiSymbolInstancesFail(t *testing.T) {
+	if !bpf.HasKprobeMulti() {
+		t.Skip("Test requires kprobe multi")
+	}
+
+	crd := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "multiple-symbols"
+spec:
+  kprobes:
+  - call: sys_prctl
+    syscall: true
+  - call: sys_prctl
+    syscall: true
+`
+
+	err := checkCrd(t, crd)
+	assert.Error(t, err)
+}