tetragon: clone namespace improvements #2695

Merged
merged 2 commits into from
Jul 19, 2024
11 changes: 6 additions & 5 deletions bpf/process/bpf_fork.c
Expand Up @@ -25,7 +25,6 @@ BPF_KPROBE(event_wake_up_new_task, struct task_struct *task)
{
struct execve_map_value *curr, *parent;
struct msg_clone_event msg;
struct msg_capabilities caps;
u64 msg_size = sizeof(struct msg_clone_event);
struct msg_k8s kube;
u32 tgid = 0;
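Review bot: dropping the `struct msg_capabilities caps` local is only sound if `get_current_subj_caps()` can write straight into `curr->caps`, i.e. the `caps` member of `struct execve_map_value` has the type the helper expects. The second hunk shows the three per-field copies (permitted, effective, inheritable) being replaced by `get_current_subj_caps(&curr->caps, task)`, so any additional field the helper fills now lands in the map entry instead of a discarded local; worth confirming that is intended, and that nothing else in the collapsed part of the function still references `caps`.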
Expand Down Expand Up @@ -65,10 +64,12 @@ BPF_KPROBE(event_wake_up_new_task, struct task_struct *task)
* before the execve hook point if they changed or not.
* This needs to be converted later to credentials.
*/
get_current_subj_caps(&caps, task);
curr->caps.permitted = caps.permitted;
curr->caps.effective = caps.effective;
curr->caps.inheritable = caps.inheritable;
Comment on lines -69 to -71

Unrelated to that PR, but these assignments seem to be redundant as we did get_current_subj_caps? And this is the reason that you removed those now, right?


This is just a minor optimization, since the old code was reading into a new var caps and then copying back to curr->caps.$field (see the next line in the patch); now we read directly into curr->caps, so it just saves some cycles.

get_current_subj_caps(&curr->caps, task);

/* Store the thread leader namespaces so we can check later
* before the execve hook point if they changed or not.
*/
get_namespaces(&curr->ns, task);

/* Setup the msg_clone_event and sent to the user. */
msg.common.op = MSG_OP_CLONE;
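Review bot: the new comment above `get_namespaces(&curr->ns, task)` says the thread leader namespaces are stored, but the visible code calls it on `task` unconditionally, exactly like the caps path directly above it. If the collapsed code around this block does not already restrict it to the leader (`tgid == pid`), either the comment should state that `curr` is the per-tgid entry and a new thread simply rewrites it with identical values, or the call should be gated. Both helpers are also called without looking at a return value; if either can fail, the later "did they change before execve" comparison would run against stale or zeroed data, so a short note on what `get_namespaces()` and `get_current_subj_caps()` guarantee on failure would help the next reader.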
11 changes: 8 additions & 3 deletions pkg/sensors/tracing/kprobe_threads_test.go
Expand Up @@ -19,6 +19,7 @@ import (
sm "github.com/cilium/tetragon/pkg/matchers/stringmatcher"
"github.com/cilium/tetragon/pkg/observer/observertesthelper"
"github.com/cilium/tetragon/pkg/reader/caps"
"github.com/cilium/tetragon/pkg/reader/namespace"
"github.com/cilium/tetragon/pkg/testutils"
tus "github.com/cilium/tetragon/pkg/testutils/sensors"
"github.com/stretchr/testify/assert"
Expand Down Expand Up @@ -92,12 +93,14 @@ spec:
cti.AssertPidsTids(t)

myCaps := ec.NewCapabilitiesChecker().FromCapabilities(caps.GetCurrentCapabilities())
myNs := ec.NewNamespacesChecker().FromNamespaces(namespace.GetCurrentNamespace())

parentCheck := ec.NewProcessChecker().
WithBinary(sm.Suffix("threads-tester")).
WithPid(cti.ParentPid).
WithTid(cti.ParentTid).
WithCap(myCaps)
WithCap(myCaps).
WithNs(myNs)

execCheck := ec.NewProcessExecChecker("").
WithProcess(parentCheck)
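Review bot: `myNs` is built once from the test process's own namespaces via `namespace.GetCurrentNamespace()` and then asserted on the parent, the child and the thread, so the check is correct only because threads-tester never unshares a namespace. A one-line comment next to `myNs` saying the expectation is "same namespaces as the test binary for all three", mirroring the implicit assumption already made for `myCaps`, would make it obvious why the same checker is reused and what would have to change if the helper binary ever calls unshare/setns.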
Expand All @@ -109,7 +112,8 @@ spec:
WithBinary(sm.Suffix("threads-tester")).
WithPid(cti.Child1Pid).
WithTid(cti.Child1Tid).
WithCap(myCaps)
WithCap(myCaps).
WithNs(myNs)

child1KpChecker := ec.NewProcessKprobeChecker("").
WithProcess(child1Checker).WithParent(parentCheck)
Expand All @@ -118,7 +122,8 @@ spec:
WithBinary(sm.Suffix("threads-tester")).
WithPid(cti.Thread1Pid).
WithTid(cti.Thread1Tid).
WithCap(myCaps)
WithCap(myCaps).
WithNs(myNs)

thread1KpChecker := ec.NewProcessKprobeChecker("").
WithProcess(thread1Checker).WithParent(parentCheck)