tetragon: Setup entries for enforcer map dynamically
We need enforcer map only when enforcer is configured, so making
the map entries by default 1 and resizing it when it's needed.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
olsajiri committed Jun 26, 2024
1 parent 2455cde commit dc9d05e
Showing 4 changed files with 22 additions and 4 deletions.
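--- a/bpf/process/bpf_enforcer.h
+++ b/bpf/process/bpf_enforcer.h
@@ -14,7 +14,7 @@ struct enforcer_data {
 
 struct {
 __uint(type, BPF_MAP_TYPE_HASH);
-__uint(max_entries, 32768);
+__uint(max_entries, 1);
 __type(key, __u64);
 __type(value, struct enforcer_data);
 } enforcer_data SEC(".maps");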
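Review bot: The new default in `__uint(max_entries, 1);` gives no hint that user space is expected to resize the map, so the 1 reads like a real capacity. A comment on that line would help, for example `/* resized by the loader (SetMaxEntries) when the policy configures an enforcer */`. It also matters for enforcement: a loader that uses this map without the resize would be left with a single entry, and updates beyond it would presumably fail. It is worth confirming that every sensor type that includes this header is covered by the Go side of the commit; only the kprobe, tracepoint and enforcer sensors are visible on this page.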
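--- a/pkg/sensors/tracing/enforcer.go
+++ b/pkg/sensors/tracing/enforcer.go
@@ -316,6 +316,8 @@ func (kp *enforcerPolicy) createEnforcerSensor(
 }
 
 enforcerDataMap := enforcerMap(policyName, progs...)
+enforcerDataMap.SetMaxEntries(enforcerMapMaxEntries)
+
 maps = append(maps, enforcerDataMap)
 
 if ok := kp.enforcerAdd(name, kh); !ok {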
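--- a/pkg/sensors/tracing/generickprobe.go
+++ b/pkg/sensors/tracing/generickprobe.go
@@ -63,6 +63,7 @@ const (
 stackTraceMapMaxEntries = 32768
 ratelimitMapMaxEntries = 32768
 fdInstallMapMaxEntries = 32000
+enforcerMapMaxEntries = 32768
 )
 
 func kprobeCharBufErrorToString(e int32) string {
@@ -364,6 +365,9 @@ func createMultiKprobeSensor(sensorPath, policyName string, multiIDs []idtable.E
 }
 
 enforcerDataMap := enforcerMap(policyName, load)
+if has.enforcer {
+enforcerDataMap.SetMaxEntries(enforcerMapMaxEntries)
+}
 maps = append(maps, enforcerDataMap)
 
 filterMap.SetMaxEntries(len(multiIDs))
@@ -555,13 +559,17 @@ type hasMaps struct {
 stackTrace bool
 rateLimit bool
 fdInstall bool
+enforcer bool
 }
 
 func hasMapsSetup(spec *v1alpha1.TracingPolicySpec) hasMaps {
 has := hasMaps{}
 for _, kprobe := range spec.KProbes {
-if selectorsHaveFDInstall(kprobe.Selectors) {
-has.fdInstall = true
+has.fdInstall = has.fdInstall || selectorsHaveFDInstall(kprobe.Selectors)
+has.enforcer = has.enforcer || len(spec.Enforcers) != 0
+
+// check for early break
+if has.fdInstall && has.enforcer {
 break
 }
 }
@@ -953,6 +961,9 @@ func createKprobeSensorFromEntry(kprobeEntry *genericKprobe, sensorPath string,
 }
 
 enforcerDataMap := enforcerMap(kprobeEntry.policyName, load)
+if has.enforcer {
+enforcerDataMap.SetMaxEntries(enforcerMapMaxEntries)
+}
 maps = append(maps, enforcerDataMap)
 
 if kprobeEntry.loadArgs.retprobe {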
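Review bot: In `hasMapsSetup`, `has.enforcer = has.enforcer || len(spec.Enforcers) != 0` does not depend on `kprobe`, so it is recomputed on every iteration and is never set when `spec.KProbes` is empty. Initialising it once, `has := hasMaps{enforcer: len(spec.Enforcers) != 0}` as the tracepoint sensor does in this commit, would keep the two paths consistent. It would also let the loop keep its old form: the new `if has.fdInstall && has.enforcer` condition can no longer break early for a policy without enforcers, even after an FD-install selector has been found, so every kprobe's selectors get scanned.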
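--- a/pkg/sensors/tracing/generictracepoint.go
+++ b/pkg/sensors/tracing/generictracepoint.go
@@ -387,7 +387,9 @@ func createGenericTracepointSensor(
 progName = "bpf_generic_tracepoint_v53.o"
 }
 
-has := hasMaps{}
+has := hasMaps{
+enforcer: len(spec.Enforcers) != 0,
+}
 
 maps := []*program.Map{}
 progs := make([]*program.Program, 0, len(tracepoints))
@@ -495,6 +497,9 @@ func createGenericTracepointSensor(
 maps = append(maps, matchBinariesPaths)
 
 enforcerDataMap := enforcerMap(policyName, prog0)
+if has.enforcer {
+enforcerDataMap.SetMaxEntries(enforcerMapMaxEntries)
+}
 maps = append(maps, enforcerDataMap)
 
 selMatchBinariesMap := program.MapBuilderPin("tg_mb_sel_opts", sensors.PathJoin(pinPath, "tg_mb_sel_opts"), prog0)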
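Review bot: The sequence `if has.enforcer { enforcerDataMap.SetMaxEntries(enforcerMapMaxEntries) }` after `enforcerMap(...)` now appears here and in both kprobe constructors in generickprobe.go, with an unconditional variant in enforcer.go. Because the BPF-side default is now 1, a future caller of `enforcerMap` that forgets the resize would presumably end up with an enforcer map too small to be useful, with nothing at load time to flag it. Consider moving the sizing into `enforcerMap` itself, passing it the `has.enforcer` flag, or at least adding a comment on `enforcerMap` stating that callers must size the map when enforcers are configured. `createGenericTracepointSensor` starts and ends outside the hunks shown.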
