From 259cc53d7a410ad25bcaa528dfe332fe3ce231f1 Mon Sep 17 00:00:00 2001
From: Kornilios Kourtis
Date: Thu, 13 Feb 2025 15:13:49 +0100
Subject: [PATCH] tracing: allow configuring policy mode via options

Example:
```
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: "enforce-test"
  namespace: "pizza"
spec:
  options:
    - name: "policy-mode"
      value: "enforce"
  kprobes:
  ...
```

Signed-off-by: Kornilios Kourtis
---
 bpf/lib/policy_conf.h                |  1 +
 pkg/sensors/tracing/options.go       | 13 +++++++++++++
 pkg/sensors/tracing/policyhandler.go | 16 ++++++++++++++++
 pkg/tracingpolicy/mode.go            | 26 ++++++++++++++++++++++++++
 4 files changed, 56 insertions(+)
 create mode 100644 pkg/tracingpolicy/mode.go

diff --git a/bpf/lib/policy_conf.h b/bpf/lib/policy_conf.h
index bb81c6b94de..5da06bb453b 100644
--- a/bpf/lib/policy_conf.h
+++ b/bpf/lib/policy_conf.h
@@ -4,6 +4,7 @@
 #ifndef BPF_POLICYCONF_H__
 #define BPF_POLICYCONF_H__
 
+// NB: values should match the ones defined in go (EnforceMode, MonitorMode)
 enum {
 	POLICY_MODE_ENFORCE = 0,
 	POLICY_MODE_MONITOR = 1,
diff --git a/pkg/sensors/tracing/options.go b/pkg/sensors/tracing/options.go
index e618c41d5d5..01fc4262d0f 100644
--- a/pkg/sensors/tracing/options.go
+++ b/pkg/sensors/tracing/options.go
@@ -10,6 +10,7 @@ import (
 	"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/option"
+	"github.com/cilium/tetragon/pkg/tracingpolicy"
 )
 
 type OverrideMethod int
@@ -18,6 +19,7 @@ const (
 	keyOverrideMethod = "override-method"
 	valFmodRet        = "fmod-ret"
 	valOverrideReturn = "override-return"
+	keyPolicyMode     = "policy-mode"
 )
 
 const (
@@ -42,6 +44,7 @@ type specOptions struct {
 	DisableKprobeMulti bool
 	DisableUprobeMulti bool
 	OverrideMethod     OverrideMethod
+	policyMode         tracingpolicy.Mode
 }
 
 type opt struct {
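Review bot: The new `policyMode` field at the end of specOptions does not say what a policy gets when the "policy-mode" option is absent; the struct's zero value leaves it at 0, which mode.go in this same patch defines as EnforceMode, so enforcement is the silent default and is also the value that later lands in the policy_conf map. That is the behaviour-preserving choice, but it is exactly the fact a reader of this struct needs to see stated rather than derive from two other files. I'd add `policyMode tracingpolicy.Mode // zero value is EnforceMode: policies that do not set "policy-mode" are enforced` (aligned like the neighbouring fields). The specOptions declaration itself starts outside this hunk.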
@@ -79,6 +82,16 @@ var opts = map[string]opt{
 			return nil
 		},
 	},
+	keyPolicyMode: opt{
+		set: func(str string, options *specOptions) (err error) {
+			mode, err := tracingpolicy.ParseMode(str)
+			if err != nil {
+				return err
+			}
+			options.policyMode = mode
+			return nil
+		},
+	},
 }
 
 func getSpecOptions(specs []v1alpha1.OptionSpec) (*specOptions, error) {
diff --git a/pkg/sensors/tracing/policyhandler.go b/pkg/sensors/tracing/policyhandler.go
index 28f3ad06758..70b4c34ac00 100644
--- a/pkg/sensors/tracing/policyhandler.go
+++ b/pkg/sensors/tracing/policyhandler.go
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/cilium/ebpf"
 	"github.com/cilium/tetragon/pkg/eventhandler"
 	"github.com/cilium/tetragon/pkg/policyfilter"
 	"github.com/cilium/tetragon/pkg/sensors"
@@ -52,11 +53,26 @@ func newPolicyInfo(
 	}, nil
 }
 
+type policyConf struct {
+	mode uint8
+}
+
 func (pi *policyInfo) policyConfMap(prog *program.Program) *program.Map {
 	if pi.policyConf != nil {
 		return program.MapUserFrom(pi.policyConf)
 	}
 	pi.policyConf = program.MapBuilderPolicy("policy_conf", prog)
+	prog.MapLoad = append(prog.MapLoad, &program.MapLoad{
+		Index: 0,
+		Name:  "policy_conf",
+		Load: func(m *ebpf.Map, pinPathPrefix string, index uint32) error {
+			conf := policyConf{
+				mode: uint8(pi.specOpts.policyMode),
+			}
+			key := uint32(0)
+			return m.Update(key, &conf, ebpf.UpdateAny)
+		},
+	})
 	return pi.policyConf
 }
 
diff --git a/pkg/tracingpolicy/mode.go b/pkg/tracingpolicy/mode.go
new file mode 100644
index 00000000000..071d37078c5
--- /dev/null
+++ b/pkg/tracingpolicy/mode.go
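Review bot: policyConf and the MapLoad entry appended in policyConfMap document neither the layout contract with the BPF side nor the default they install: the struct is marshalled verbatim into the single policy_conf entry, so its one uint8 field must match the width and order of what the BPF programs read from that map, and nothing on this page shows that definition (the policy_conf.h hunk only shows the enum, and a C enum is not itself 8 bits wide), so the field width should be confirmed against the header. I'd add `// policyConf is the value written to the policy_conf BPF map; keep its layout in sync with the BPF-side definition in bpf/lib/policy_conf.h.` above the struct, and above the append `// Install the policy mode at load time; the zero value is EnforceMode, so a policy that does not set "policy-mode" is enforced.`. The Load callback ignores pinPathPrefix and index, which is fine for a single-entry map keyed by 0 but deserves a word in that comment. policyConfMap is complete within the hunk.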
@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package tracingpolicy
+
+import "fmt"
+
+type Mode uint8
+
+const (
+	InvalidMode Mode = Mode(^uint8(0))
+	// NB: values below should match the ones in bpf/lib/policy_conf.h
+	EnforceMode Mode = 0
+	MonitorMode Mode = 1
+)
+
+func ParseMode(s string) (Mode, error) {
+	switch s {
+	case "enforce":
+		return EnforceMode, nil
+	case "monitor":
+		return MonitorMode, nil
+	}
+
+	return InvalidMode, fmt.Errorf("invalid mode: %q", s)
+}
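Review bot: Mode, its three constants and ParseMode are all exported but none carries a doc comment, and this file is the one place where the Go/BPF value contract and the accepted option strings are decided, so that is where they should be written down. I'd add `// Mode is the policy mode programmed into the policy_conf BPF map; the numeric values must match bpf/lib/policy_conf.h.` on the type, `// EnforceMode is the zero value and therefore what a policy gets when no "policy-mode" option is set.` on that constant, `// InvalidMode has no BPF counterpart; ParseMode returns it only together with an error.` on InvalidMode, and `// ParseMode maps a "policy-mode" option value ("enforce" or "monitor", exact match) to a Mode; any other string yields InvalidMode and an error.` on the function. A String method on Mode would additionally let the sensor log the mode by name instead of as a number, but that is optional.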