killer sensor: support fmod_ret

Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
cilium · Jan 9, 2024 · a1ce54f · a1ce54f
1 parent ebdf8b8
commit a1ce54f
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 16 deletions.
diff --git a/pkg/sensors/tracing/killer.go b/pkg/sensors/tracing/killer.go
@@ -80,10 +80,18 @@ func loadMultiKillerSensor(bpfDir, mapDir string, load *program.Program, verbose
 }
 
 func (k *killerSensor) LoadProbe(args sensors.LoadProbeArgs) error {
+	if args.Load.Label == "kprobe.multi/killer" {
+		return loadMultiKillerSensor(args.BPFDir, args.MapDir, args.Load, args.Verbose)
+	}
 	if args.Load.Label == "kprobe/killer" {
 		return loadSingleKillerSensor(args.BPFDir, args.MapDir, args.Load, args.Verbose)
 	}
-	return loadMultiKillerSensor(args.BPFDir, args.MapDir, args.Load, args.Verbose)
+
+	if strings.HasPrefix(args.Load.Label, "fmod_ret/") {
+		return program.LoadTracingProgram(args.BPFDir, args.MapDir, args.Load, args.Verbose)
+	}
+
+	return fmt.Errorf("killer loader: unknown label: %s", args.Load.Label)
 }
 
 func unloadKiller() error {
@@ -152,29 +160,42 @@ func createKillerSensor(
 		useMulti = !option.Config.DisableKprobeMulti && bpf.HasKprobeMulti()
 	}
 
-	attach := fmt.Sprintf("%d syscalls: %s", len(syscallsSyms), syscallsSyms)
 	prog := sensors.PathJoin(name, "killer_kprobe")
-
-	if useMulti {
+	if bpf.HasOverrideHelper() {
+		attach := fmt.Sprintf("%d syscalls: %s", len(syscallsSyms), syscallsSyms)
+		label := "kprobe/killer"
+		prog := "bpf_killer.o"
+		if useMulti {
+			label = "kprobe.multi/killer"
+			prog = "bpf_multi_killer.o"
+		}
 		load = program.Builder(
-			path.Join(option.Config.HubbleLib, "bpf_multi_killer.o"),
+			path.Join(option.Config.HubbleLib, prog),
 			attach,
-			"kprobe.multi/killer",
+			label,
 			prog,
 			"killer")
-
+		progs = append(progs, load)
+		killerDataMap := program.MapBuilderPin("killer_data", "killer_data", load)
+		maps = append(maps, killerDataMap)
+	} else if bpf.HasModifyReturn() {
+		// for fmod_ret, we need one program per syscall
+		for _, syscallSym := range syscallsSyms {
+			load = program.Builder(
+				path.Join(option.Config.HubbleLib, "bpf_fmodret_killer.o"),
+				fmt.Sprintf("fmod_ret/%s", syscallSym),
+				"fmod_ret/security_task_prctl",
+				prog,
+				"killer")
+			progs = append(progs, load)
+			killerDataMap := program.MapBuilderPin("killer_data", "killer_data", load)
+			maps = append(maps, killerDataMap)
+		}
 	} else {
-		load = program.Builder(
-			path.Join(option.Config.HubbleLib, "bpf_killer.o"),
-			attach,
-			"kprobe/killer",
-			prog,
-			"killer")
+		return nil, fmt.Errorf("no override helper or override support: cannot load killer")
 	}
 
 	killerDataMap := program.MapBuilderPin("killer_data", "killer_data", load)
-
-	progs = append(progs, load)
 	maps = append(maps, killerDataMap)
 
 	return &sensors.Sensor{

diff --git a/pkg/sensors/tracing/killer_test.go b/pkg/sensors/tracing/killer_test.go
@@ -63,7 +63,7 @@ func testKiller(t *testing.T, configHook string,
 }
 
 func TestKillerOverride(t *testing.T) {
-	if !bpf.HasOverrideHelper() {
+	if !bpf.HasOverrideHelper() && !bpf.HasModifyReturn() {
 		t.Skip("skipping killer test, bpf_override_return helper not available")
 	}
 	if !bpf.HasSignalHelper() {