tetragon: Add support to use tracing program for single kprobe

Signed-off-by: Jiri Olsa <[email protected]>

Author: olsajiri

bpf/process/generic_calls.h

@@ -664,6 +664,37 @@ generic_process_event_and_setup(struct pt_regs *ctx, struct bpf_map_def *tailcal
 		retprobe_map_set(e->func_id, e->retprobe_id, e->common.ktime, 1);
 #endif
 
+#ifdef GENERIC_FENTRY
+	struct bpf_raw_tracepoint_args *raw_args = (struct bpf_raw_tracepoint_args *)ctx;
+
+	if (config->syscall) {
+		struct pt_regs *_ctx = (struct pt_regs *) BPF_CORE_READ(raw_args, args[0]);
+
+		if (!_ctx)
+			return 0;
+		e->a0 = PT_REGS_PARM1_CORE_SYSCALL(_ctx);
+		e->a1 = PT_REGS_PARM2_CORE_SYSCALL(_ctx);
+		e->a2 = PT_REGS_PARM3_CORE_SYSCALL(_ctx);
+		e->a3 = PT_REGS_PARM4_CORE_SYSCALL(_ctx);
+		e->a4 = PT_REGS_PARM5_CORE_SYSCALL(_ctx);
+	} else {
+		e->a0 = BPF_CORE_READ(raw_args, args[0]);
+		e->a1 = BPF_CORE_READ(raw_args, args[1]);
+		e->a2 = BPF_CORE_READ(raw_args, args[2]);
+		e->a3 = BPF_CORE_READ(raw_args, args[3]);
+		e->a4 = BPF_CORE_READ(raw_args, args[4]);
+	}
+
+	generic_process_init(e, MSG_OP_GENERIC_KPROBE, config);
+
+	e->retprobe_id = retprobe_map_get_key(ctx);
+
+	/* If return arg is needed mark retprobe */
+	ty = config->argreturn;
+	if (ty > 0)
+		retprobe_map_set(e->func_id, e->retprobe_id, e->common.ktime, 1);
+#endif
+
 #ifdef GENERIC_LSM
 	struct bpf_raw_tracepoint_args *raw_args = (struct bpf_raw_tracepoint_args *)ctx;
 

pkg/config/config_linux.go

@@ -74,6 +74,19 @@ func GenericKprobeObjs(multi bool) (string, string) {
 	return "bpf_generic_kprobe.o", "bpf_generic_retkprobe.o"
 }
 
+func GenericTracingObjs() (string, string) {
+	if EnableV612Progs() {
+		return "bpf_generic_fentry_v612.o", "bpf_generic_fexit_v612.o"
+	} else if EnableV61Progs() {
+		return "bpf_generic_fentry_v61.o", "bpf_generic_fexit_v61.o"
+	} else if kernels.MinKernelVersion("5.11") {
+		return "bpf_generic_fentry_v511.o", "bpf_generic_fexit_v511.o"
+	} else if EnableLargeProgs() {
+		return "bpf_generic_fentry_v53.o", "bpf_generic_fexit_v53.o"
+	}
+	return "bpf_generic_fentry.o", "bpf_generic_fexit.o"
+}
+
 func GenericUprobeObjs(multi bool) string {
 	if multi {
 		if EnableV612Progs() {

pkg/sensors/program/loader_linux.go

@@ -378,6 +378,19 @@ func MultiUprobeAttach(load *Program, bpfDir string) AttachFunc {
 	}
 }
 
+func TracingOpen(load *Program) OpenFunc {
+	return func(coll *ebpf.CollectionSpec) error {
+		data, ok := load.AttachData.(*TracingAttachData)
+		if !ok {
+			return nil
+		}
+		for _, spec := range coll.Programs {
+			spec.AttachTo = data.AttachTo
+		}
+		return nil
+	}
+}
+
 func TracingAttach(load *Program, bpfDir string) AttachFunc {
 	return func(_ *ebpf.Collection, _ *ebpf.CollectionSpec,
 		prog *ebpf.Program, spec *ebpf.ProgramSpec) (unloader.Unloader, error) {
@@ -632,6 +645,7 @@ func LoadFmodRetProgram(bpfDir string, load *Program, maps []*Map, progName stri
 func LoadTracingProgram(bpfDir string, load *Program, maps []*Map, verbose int) error {
 	opts := &LoadOpts{
 		Attach: TracingAttach(load, bpfDir),
+		Open:   TracingOpen(load),
 		Maps:   maps,
 	}
 	return loadProgram(bpfDir, load, opts, verbose)

pkg/sensors/program/program.go

@@ -73,6 +73,10 @@ type MapLoad struct {
 	Load func(m *ebpf.Map, pinPathPrefix string) error
 }
 
+type TracingAttachData struct {
+	AttachTo string
+}
+
 type MultiKprobeAttachData struct {
 	Symbols   []string
 	Cookies   []uint64

pkg/sensors/tracing/generickprobe.go

@@ -945,15 +945,42 @@ func createKprobeSensorFromEntry(polInfo *policyInfo, kprobeEntry *genericKprobe
 		pinProg = fmt.Sprintf("%s:%d", kprobeEntry.funcName, kprobeEntry.instance)
 	}
 
-	load := program.Builder(
-		path.Join(option.Config.HubbleLib, loadProgName),
-		kprobeEntry.funcName,
-		"kprobe/generic_kprobe",
-		pinProg,
-		"generic_kprobe").
-		SetLoaderData(kprobeEntry.tableId).
-		SetPolicy(kprobeEntry.policyName)
+	var load *program.Program
+
+	if kprobeEntry.hasOverride {
+		load = program.Builder(
+			path.Join(option.Config.HubbleLib, loadProgName),
+			kprobeEntry.funcName,
+			"kprobe/generic_kprobe",
+			pinProg,
+			"generic_kprobe")
+
+		tailCalls := program.MapBuilderProgram("kprobe_calls", load)
+		maps = append(maps, tailCalls)
+
+	} else {
+		data := &program.TracingAttachData{
+			AttachTo: kprobeEntry.funcName,
+		}
+
+		loadProgName, loadProgRetName = config.GenericTracingObjs()
+
+		load = program.Builder(
+			path.Join(option.Config.HubbleLib, loadProgName),
+			kprobeEntry.funcName,
+			"fentry/generic_fentry",
+			pinProg,
+			"generic_kprobe").
+			SetAttachData(data)
+
+		tailCalls := program.MapBuilderProgram("fentry_calls", load)
+		maps = append(maps, tailCalls)
+	}
+
+	load.SetPolicy(kprobeEntry.policyName)
+	load.SetLoaderData(kprobeEntry.tableId)
 	load.Override = kprobeEntry.hasOverride
+
 	if load.Override {
 		load.OverrideFmodRet = isSecurityFunc && bpf.HasModifyReturn()
 	}
@@ -968,9 +995,6 @@ func createKprobeSensorFromEntry(polInfo *policyInfo, kprobeEntry *genericKprobe
 	configMap := program.MapBuilderProgram("config_map", load)
 	maps = append(maps, configMap)
 
-	tailCalls := program.MapBuilderProgram("kprobe_calls", load)
-	maps = append(maps, tailCalls)
-
 	filterMap := program.MapBuilderProgram("filter_map", load)
 	maps = append(maps, filterMap)
 
@@ -1041,15 +1065,42 @@ func createKprobeSensorFromEntry(polInfo *policyInfo, kprobeEntry *genericKprobe
 		if kprobeEntry.instance != 0 {
 			pinRetProg = sensors.PathJoin(fmt.Sprintf("%s_return:%d", kprobeEntry.funcName, kprobeEntry.instance))
 		}
-		loadret := program.Builder(
-			path.Join(option.Config.HubbleLib, loadProgRetName),
-			kprobeEntry.funcName,
-			"kprobe/generic_retkprobe",
-			pinRetProg,
-			"generic_kprobe").
-			SetRetProbe(true).
-			SetLoaderData(kprobeEntry.tableId).
-			SetPolicy(kprobeEntry.policyName)
+
+		var loadret *program.Program
+
+		if kprobeEntry.hasOverride {
+			loadret = program.Builder(
+				path.Join(option.Config.HubbleLib, loadProgRetName),
+				kprobeEntry.funcName,
+				"kprobe/generic_retkprobe",
+				pinRetProg,
+				"generic_kprobe")
+
+			tailCalls := program.MapBuilderProgram("retkprobe_calls", loadret)
+			maps = append(maps, tailCalls)
+		} else {
+			data := &program.TracingAttachData{
+				AttachTo: kprobeEntry.funcName,
+			}
+
+			loadProgName, loadProgRetName = config.GenericTracingObjs()
+
+			loadret = program.Builder(
+				path.Join(option.Config.HubbleLib, loadProgRetName),
+				kprobeEntry.funcName,
+				"fexit/generic_fexit",
+				pinRetProg,
+				"generic_kprobe").
+				SetAttachData(data)
+
+			tailCalls := program.MapBuilderProgram("fexit_calls", loadret)
+			maps = append(maps, tailCalls)
+		}
+
+		loadret.SetRetProbe(true)
+		loadret.SetLoaderData(kprobeEntry.tableId)
+		loadret.SetPolicy(kprobeEntry.policyName)
+
 		progs = append(progs, loadret)
 
 		retProbe := program.MapBuilderSensor("retprobe_map", loadret)
@@ -1058,9 +1109,6 @@ func createKprobeSensorFromEntry(polInfo *policyInfo, kprobeEntry *genericKprobe
 		retConfigMap := program.MapBuilderProgram("config_map", loadret)
 		maps = append(maps, retConfigMap)
 
-		tailCalls := program.MapBuilderProgram("retkprobe_calls", loadret)
-		maps = append(maps, tailCalls)
-
 		filterMap := program.MapBuilderProgram("filter_map", loadret)
 		maps = append(maps, filterMap)
 
@@ -1134,10 +1182,14 @@ func loadSingleKprobeSensor(id idtable.EntryID, bpfDir string, load *program.Pro
 	}
 	load.MapLoad = append(load.MapLoad, config)
 
-	if err := program.LoadKprobeProgram(bpfDir, load, maps, verbose); err == nil {
-		logger.GetLogger().Info(fmt.Sprintf("Loaded generic kprobe program: %s -> %s", load.Name, load.Attach))
+	if load.Label == "fentry/generic_fentry" || load.Label == "fexit/generic_fexit" {
+		if err = program.LoadTracingProgram(bpfDir, load, maps, verbose); err == nil {
+			logger.GetLogger().Info(fmt.Sprintf("Loaded generic fentry program: %s -> %s", load.Name, load.Attach))
+		}
 	} else {
-		return err
+		if err = program.LoadKprobeProgram(bpfDir, load, maps, verbose); err == nil {
+			logger.GetLogger().Info(fmt.Sprintf("Loaded generic kprobe program: %s -> %s", load.Name, load.Attach))
+		}
 	}
 
 	return err