tetragon: fix report the kprobe symbol

Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
cilium · Jan 5, 2024 · aa3904b · aa3904b
1 parent 76797d5
commit aa3904b
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 8 deletions.
diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
@@ -608,15 +608,16 @@ copy_kernel_module(char *args, unsigned long arg)
 static inline __attribute__((always_inline)) long
 copy_kprobe(char *args, unsigned long arg)
 {
+	const char *symbol;
 	const struct kprobe *p = (struct kprobe *)arg;
 	struct msg_kprobe *info = (struct msg_kprobe *)args;
 
 	memset(info, 0, sizeof(struct msg_kprobe));
 
-	if (probe_read_str(&info->symbol, KSYM_NAME_LEN - 1, p->symbol_name) < 0)
-		return 0;
-
+	BPF_CORE_READ_INTO(&info->addr, p, addr);
 	BPF_CORE_READ_INTO(&info->offset, p, offset);
+	BPF_CORE_READ_INTO(&symbol, p, symbol_name);
+	probe_read_str(&info->symbol, KSYM_NAME_LEN - 1, symbol);
 
 	return sizeof(struct msg_kprobe);
 }

diff --git a/pkg/api/tracingapi/client_kprobe.go b/pkg/api/tracingapi/client_kprobe.go
@@ -404,13 +404,15 @@ func (m MsgGenericKprobeArgPerfEvent) IsReturnArg() bool {
 }
 
 type MsgGenericKprobeType struct {
+	Addr   uint64
 	Offset uint32
 	Pad    uint32
 	Symbol [KSYM_NAME_LEN]byte
 }
 
 type MsgGenericKprobeArgType struct {
 	Index  uint64
+	Addr   uint64
 	Offset uint32
 	Symbol string
 	Label  string

diff --git a/pkg/grpc/tracing/tracing.go b/pkg/grpc/tracing/tracing.go
@@ -256,6 +256,13 @@ func GetProcessKprobe(event *MsgGenericKprobeUnix) *tetragon.ProcessKprobe {
 			}
 			a.Arg = &tetragon.KprobeArgument_ModuleArg{ModuleArg: mArg}
 			a.Label = e.Label
+		case api.MsgGenericKprobeArgType:
+			pArg := &tetragon.KernelProbe{
+				Symbol: e.Symbol,
+				Offset: &wrapperspb.UInt32Value{Value: e.Offset},
+			}
+			a.Arg = &tetragon.KprobeArgument_KprobeArg{KprobeArg: pArg}
+			a.Label = e.Label
 		default:
 			logger.GetLogger().WithField("arg", e).Warnf("unexpected type: %T", e)
 		}

diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go
@@ -29,6 +29,7 @@ import (
 	"github.com/cilium/tetragon/pkg/idtable"
 	"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
 	"github.com/cilium/tetragon/pkg/kernels"
+	"github.com/cilium/tetragon/pkg/ksyms"
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/metrics/kprobemetrics"
 	"github.com/cilium/tetragon/pkg/observer"
@@ -1587,12 +1588,26 @@ func handleMsgGenericKprobe(m *api.MsgGenericKprobe, gk *genericKprobe, r *bytes
 			err := binary.Read(r, binary.LittleEndian, &output)
 			if err != nil {
 				logger.GetLogger().WithError(err).Warnf("kprobe type error")
-			} else if output.Symbol[0] != 0x00 {
-				i := bytes.IndexByte(output.Symbol[:api.KSYM_NAME_LEN], 0)
-				if i == -1 {
-					i = api.KSYM_NAME_LEN
+			} else if output.Addr != 0 {
+				if output.Symbol[0] != 0x00 {
+					i := bytes.IndexByte(output.Symbol[:api.KSYM_NAME_LEN], 0)
+					if i == -1 {
+						i = api.KSYM_NAME_LEN
+					}
+					arg.Symbol = string(output.Symbol[:i])
+				} else {
+					kernelSymbols, err := ksyms.KernelSymbols()
+					if err != nil {
+						logger.GetLogger().WithError(err).Warn("kprobe_arg: failed to read kernel symbols")
+					} else {
+						symOff, err := kernelSymbols.GetFnOffset(output.Addr)
+						if err != nil {
+							logger.GetLogger().Warn("kprobe_arg: failed to retrieve symbol and offset")
+						} else {
+							arg.Symbol = symOff.SymName
+						}
+					}
 				}
-				arg.Symbol = string(output.Symbol[:i])
 				arg.Offset = output.Offset
 			}
 			arg.Label = a.label