cilium / tetragon

eBPF-based Security Observability and Runtime Enforcement
https://tetragon.io
Apache License 2.0

policies with the same symbols are broken #2947

Open kkourt opened 1 week ago

kkourt commented 1 week ago

Policies that use the same symbols do not currently work. Here's an example:

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "multiple-symbols"
spec:
  kprobes:
  - call: __x64_sys_prctl
    args:
    - index: 0
      type: int64
    selectors:
    - matchArgs:
      - index: 0
        operator: Equal
        values:
        - "3"
    syscall: true
    tags:
    - pr_get_dumpable
  - call: __x64_sys_prctl
    args:
    - index: 0
      type: int64
    selectors:
    - matchArgs:
      - index: 0
        operator: Equal
        values:
        - "7"
    syscall: true
    tags:
    - pr_get_keepcaps
```

With multi-kprobes, using this policy leads to the following error:

```
level=fatal msg="Failed to start tetragon" error="failed to get sensors from parser policy: sensor generic_kprobe from collection auditd-policy failed to load: failed prog /home/kkourt/src/hubble-fgs/bpf/objs/bpf_multi_kprobe_v61.o kern_version 394509 loadInstance: attaching 'generic_kprobe_event' failed: couldn't find one or more symbols: file does not exist"
```

With multi-kprobes disabled, only part of the policy is applied (typically the one that is defined last). The reason for this seems to be that when using the new bpffs hierarchy (https://github.com/cilium/tetragon/pull/2128), the two calls end up in the same directory, using the same maps.

Note that in 1.2 this works as expected, because we use different maps for each different hook, e.g.:

```
gkp-sensor-1-gkp-0-argfilter_maps
gkp-sensor-1-gkp-1-argfilter_maps
```

kkourt commented 1 week ago

@olsajiri can you PTAL?

When we are not using multi-kprobes, I think it would make sense to add an id to the call in the directory, so that we can separate the two.
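The following is an added example, not Tetragon code: a small linter that flags kprobes in a TracingPolicy which hook the same symbol (the situation in the policy above), and sketches why keying the bpffs directory on the symbol alone collides while appending a per-call id keeps the two hooks apart. The policy dict is a hand-built Python form of the issue's YAML, and `map_dir` is a hypothetical naming scheme to illustrate the per-call id idea; it is not Tetragon's actual bpffs layout.

```python
"""Lint a Tetragon TracingPolicy for kprobes that share a symbol.

Added example (not Tetragon code). POLICY mirrors the "multiple-symbols"
policy from the issue; map_dir() is a hypothetical directory scheme used
only to show the collision and the per-call-id fix proposed in the thread.
"""
from collections import defaultdict

# Constructed: Python form of the issue's "multiple-symbols" TracingPolicy.
POLICY = {
    "apiVersion": "cilium.io/v1alpha1",
    "kind": "TracingPolicy",
    "metadata": {"name": "multiple-symbols"},
    "spec": {
        "kprobes": [
            {"call": "__x64_sys_prctl", "syscall": True,
             "args": [{"index": 0, "type": "int64"}],
             "selectors": [{"matchArgs": [
                 {"index": 0, "operator": "Equal", "values": ["3"]}]}],
             "tags": ["pr_get_dumpable"]},
            {"call": "__x64_sys_prctl", "syscall": True,
             "args": [{"index": 0, "type": "int64"}],
             "selectors": [{"matchArgs": [
                 {"index": 0, "operator": "Equal", "values": ["7"]}]}],
             "tags": ["pr_get_keepcaps"]},
        ]
    },
}


def calls_by_symbol(policy):
    """Map each hooked symbol to the indices of the kprobes that hook it."""
    groups = defaultdict(list)
    for i, kp in enumerate(policy.get("spec", {}).get("kprobes", [])):
        groups[kp["call"]].append(i)
    return dict(groups)


def duplicate_symbols(policy):
    """Symbols hooked by more than one kprobe in the same policy."""
    return {sym: idxs for sym, idxs in calls_by_symbol(policy).items()
            if len(idxs) > 1}


def map_dir(policy, kprobe_index, per_call_id):
    """Hypothetical bpffs directory for one kprobe's maps.

    per_call_id=False keys the name on the symbol only, so two hooks on the
    same symbol collide (the behaviour reported in the issue).
    per_call_id=True appends the kprobe's index, as suggested in the thread.
    """
    name = policy["metadata"]["name"]
    kp = policy["spec"]["kprobes"][kprobe_index]
    if per_call_id:
        return f"{name}/{kp['call']}-{kprobe_index}"
    return f"{name}/{kp['call']}"


def lint(policy, per_call_id=False):
    """Return warnings for kprobes whose maps would land in one directory."""
    warnings = []
    for sym, idxs in duplicate_symbols(policy).items():
        dirs = {map_dir(policy, i, per_call_id) for i in idxs}
        if len(dirs) < len(idxs):
            warnings.append(
                f"kprobes {idxs} hook {sym} but share map dir "
                f"{sorted(dirs)[0]}; only one selector set will be applied")
    return warnings


if __name__ == "__main__":
    for w in lint(POLICY):
        print("WARN:", w)
    print("with per-call id:", lint(POLICY, per_call_id=True) or "clean")
```

Run stand-alone it prints one warning for the symbol-only scheme and "clean" once the index is part of the directory name, which is the separation the last comment asks for in the non-multi-kprobe case.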