cilium · olsajiri · Aug 11, 2025 · Aug 12, 2025 · Sep 3, 2025 · Sep 8, 2025
@@ -503,6 +503,8 @@ enum KprobeAction {
   KPROBE_ACTION_NOTIFYENFORCER = 13;
   // CleanupEnforcerNotification action cleanups any state left by NotifyEnforcer
   KPROBE_ACTION_CLEANUPENFORCERNOTIFICATION = 14;
+  // Set action sets first USDT argument
+  KPROBE_ACTION_SET = 15;
 }
 
 message ProcessKprobe {

@@ -115,6 +115,7 @@ static int BPF_FUNC(probe_read, void *dst, uint32_t size, const void *src);
 static int BPF_FUNC(probe_read_str, void *dst, int size, const void *src);
 static int BPF_FUNC(probe_read_kernel, void *dst, uint32_t size, const void *src);
 static int BPF_FUNC(probe_read_user, void *dst, uint32_t size, const void *src);
+static int BPF_FUNC(probe_write_user, void *dst, const void *src, uint32_t len);
 
 /* Time access */
 static uint64_t BPF_FUNC(ktime_get_ns);

@@ -9,6 +9,7 @@
 #define MSG_COMMON_FLAG_USER_STACKTRACE	  BIT(2)
 #define MSG_COMMON_FLAG_IMA_HASH	  BIT(3)
 #define MSG_COMMON_FLAG_PROCESS_NOT_FOUND BIT(4)
+#define MSG_COMMON_FLAG_ACTION_FAILED	  BIT(5)
 
 /* Msg Layout */
 struct msg_common {

@@ -750,9 +750,50 @@ do_override_action(__s32 error)
 #define do_override_action(error)
 #endif
 
+#if defined GENERIC_USDT
+FUNC_INLINE void
+do_set_action(void *ctx, struct msg_generic_kprobe *e, __u32 arg_idx, __u32 arg_value)
+{
+	struct config_usdt_arg *arg;
+	struct event_config *config;
+	unsigned long val, off;
+	int err = -1;
+
+	config = map_lookup_elem(&config_map, &e->idx);
+	if (!config)
+		return;
+
+	arg_idx &= 7;
+	arg = &config->usdt_arg[arg_idx];
+
+	switch (arg->type) {
+	case USDT_ARG_TYPE_NONE:
+	case USDT_ARG_TYPE_CONST:
+	case USDT_ARG_TYPE_REG:
+		break;
+	case USDT_ARG_TYPE_REG_DEREF:
+		off = arg->reg_off & 0xfff;
+		err = probe_read_kernel(&val, sizeof(val), (void *)ctx + off);
+		if (err)
+			return;
+#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+		arg_value <<= arg->shift;
+#endif
+		err = probe_write_user((void *)val + arg->val_off, &arg_value, sizeof(arg_value));
+		break;
+	}
+
+	if (err)
+		e->common.flags |= MSG_COMMON_FLAG_ACTION_FAILED;
+}
+#else
+#define do_set_action(ctx, idx, arg_idx, arg_value)
+#endif
+
 FUNC_LOCAL __u32
 do_action(void *ctx, __u32 i, struct selector_action *actions, bool *post, bool enforce_mode)
 {
+	__u32 index __maybe_unused, value __maybe_unused;
 	int signal __maybe_unused = FGS_SIGKILL;
 	int action = actions->act[i];
 	struct msg_generic_kprobe *e;
@@ -849,6 +890,10 @@ do_action(void *ctx, __u32 i, struct selector_action *actions, bool *post, bool
 		break;
 	case ACTION_CLEANUP_ENFORCER_NOTIFICATION:
 		do_enforcer_cleanup();
+	case ACTION_SET:
+		index = actions->act[++i];
+		value = actions->act[++i];
+		do_set_action(ctx, e, index, value);
 	default:
 		break;
 	}

@@ -121,6 +121,7 @@ enum {
 	ACTION_UNTRACKSOCK = 11,
 	ACTION_NOTIFY_ENFORCER = 12,
 	ACTION_CLEANUP_ENFORCER_NOTIFICATION = 13,
+	ACTION_SET = 14,
 };
 
 enum {
@@ -180,8 +181,9 @@ struct extract_arg_data {
 	unsigned long *arg;
 };
 
-#define MAX_BTF_ARG_DEPTH    10
-#define EVENT_CONFIG_MAX_ARG 5
+#define MAX_BTF_ARG_DEPTH	  10
+#define EVENT_CONFIG_MAX_ARG	  5
+#define EVENT_CONFIG_MAX_USDT_ARG 8
 
 struct event_config {
 	__u32 func_id;
@@ -204,7 +206,7 @@ struct event_config {
 	__u32 flags;
 	__u32 pad;
 	struct config_btf_arg btf_arg[EVENT_CONFIG_MAX_ARG][MAX_BTF_ARG_DEPTH];
-	struct config_usdt_arg usdt_arg[EVENT_CONFIG_MAX_ARG];
+	struct config_usdt_arg usdt_arg[EVENT_CONFIG_MAX_USDT_ARG];
 } __attribute__((packed));
 
 #define MAX_ARGS_SIZE	 80

@@ -30,3 +30,4 @@ pause
 forks
 follow_children_1
 usdt
+usdt-override
@@ -31,7 +31,8 @@ PROGS = sigkill-tester \
 	forks \
 	capabilities-gained \
 	follow_children_1 \
-	usdt
+	usdt \
+	usdt-override
 
 
 all: $(PROGS)
@@ -87,6 +88,10 @@ capabilities-gained: capabilities-gained.c
 usdt: usdt.c
 	$(GCC) -Wall $< -o $@
 
+usdt-override: usdt-override.c
+	$(GCC) -Wall $< -O2 -o $@
+	strip $@
+
 # NB: compile the 32 bit version of enforcer-tester statically so that we don't
 # need additional libraries in the VMs
 enforcer-tester-32: enforcer-tester.c

@@ -0,0 +1,18 @@
+//go:build ignore
+#include <stdlib.h>
+#include "usdt.h"
+
+int main(int argc, char **argv)
+{
+	volatile int return_val = 0;
+	int arg_1, arg_2;
+
+	if (argc != 3)
+		return -1;
+
+	arg_1 = atoi(argv[1]);
+	arg_2 = atoi(argv[2]);
+
+	USDT(tetragon, test, return_val, arg_1, arg_2);
+	return return_val;
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -30,3 +30,4 @@ pause @@
     forks
     follow_children_1
     usdt
+    usdt-override