tetragon: harden actions a bit #3279
Open
+565
−393
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
olsajiri
added
the
release-note/minor
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
3 times, most recently
from
7b664dd to
ab3513b
Compare
mtardy
reviewed
Jan 8, 2025
pkg/sensors/base/base.go
Outdated
Comment on lines
109
to
110
| threads := readFileDefault("/proc/sys/kernel/threads-max", 32768) | ||
| ExecveMap.SetMaxEntries(int(threads)) |
There was a problem hiding this comment.
Why do we need this? It seems it will make the size of the execve_map even larger as threads-max is often well above 32K. This will take significant space while running threads-max threads is pretty rare nop?
There was a problem hiding this comment.
I tried this as mitigation for https://github.com/isovalent/security/issues/88 .. I think we need some combination of this change (with some reasonable size for execve_map) and other ways mentioned in the issue
There was a problem hiding this comment.
ah I see, maybe this is one of the cases where NO_PREALLOC could help so that we can dynamically size to a very large map. But I could see how this can lead to memory issues in the future. That's not an easy problem :/
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
2 times, most recently
from
c64e7e4 to
fcfa0a9
Compare
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
kkourt
reviewed
Jan 17, 2025
pkg/option/flags.go
Outdated
| @@ -416,4 +419,6 @@ func AddFlags(flags *pflag.FlagSet) { | |||
| flags.Int(KeyEventCacheRetryDelay, defaults.DefaultEventCacheRetryDelay, "Delay in seconds between event cache retries") | |||
|
|
|||
| flags.Bool(KeyCompatibilitySyscall64SizeType, false, "syscall64 type will produce output of type size (compatibility flag, will be removed in v1.4)") | |||
|
|
|||
| flags.String(KeyExecveMapEntries, "", "Set entries for execve_map table (default 32768)") | |||
There was a problem hiding this comment.
Can we have the default from the actual default value here? If we ever change it, the change should be reflected in help.
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
7 times, most recently
from
db51eba to
44fdaa4
Compare
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
from
44fdaa4 to
6922611
Compare
olsajiri
changed the title
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
5 times, most recently
from
b8b9d4e to
bafb514
Compare
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
2 times, most recently
from
c349e11 to
6132585
Compare
Adding new 'unknown' value for flags field in the message Process. It will be used in following changes for process without details. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Moving d_path into bpf_d_path.h header so it can be easily used in following changes from other places. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Moving read_exe into process.h header so it can be easily used in following changes from other places. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Setting flags early in the processing so in following changes the filter tail call can change it (which is executed before current flags setup code). Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding new filter logic that triggers when process is not found in execve_map (likely due to exhausted capacity). In this case we currently exit the bpf program and that might leave some crucial actions not executed (like sigkill). We add new event_find_curr_probe call to gather process info in filter context and use it to execute filters. The resulting kprobe event will have minimal process data with 'unknown' flags field. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding test for unknown process kprobe kill. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding test for unknown process tracepoint kill. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
from
6132585 to
f6e5835
Compare
|
note the checkpatch fails on container_of macro which is false alarm |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adding new filter logic that triggers when process is not found in
execve_map (likely due to exhausted capacity).
In this case we currently exit the bpf program and that might leave
some crucial actions not executed (like sigkill).
We add new event_find_curr_probe call to gather process info in filter
context and use it to execute filters. The resulting kprobe event will
have minimal process data with 'unknown' flags field.