kprobe: support 38+ override on lsm funcs

holyspectral · holyspectral · commit 589ab67f0ea2 · 2025-11-19T15:21:46.000-05:00
1. Allow policies to share override programs as long as they share the
same attached functions.  This includes both programs based on kprobe
and fmod_ret.

2. The pinned path of ebpf programs and maps are moved to below
locations:

/bpffs/tetragon/__override__
/bpffs/tetragon/__override__/kprobe
/bpffs/tetragon/__override__/kprobe/__x64_sys_symlinkat
/bpffs/tetragon/__override__/kprobe/__x64_sys_symlinkat/link_override
/bpffs/tetragon/__override__/kprobe/__x64_sys_symlinkat/prog_override
/bpffs/tetragon/__override__/kprobe/__x64_sys_execve
/bpffs/tetragon/__override__/kprobe/__x64_sys_execve/link_override
/bpffs/tetragon/__override__/kprobe/__x64_sys_execve/prog_override
/bpffs/tetragon/__override__/override_tasks
/bpffs/tetragon/__override__/fmod_ret
/bpffs/tetragon/__override__/fmod_ret/security_bprm_creds_for_exec
/bpffs/tetragon/__override__/fmod_ret/security_bprm_creds_for_exec/prog

Signed-off-by: Sam Wang (holyspectral) &lt;sam.wang@suse.com&gt;
diff --git a/pkg/sensors/load.go b/pkg/sensors/load.go
@@ -65,8 +65,10 @@ func (s *Sensor) policyDir() string {
 
 func (s *Sensor) createDirs(bpfDir string) {
 	for _, p := range s.Progs {
-		// setup sensor based program pin path
-		p.PinPath = filepath.Join(s.policyDir(), s.Name, p.PinName)
+		// setup sensor based program pin path if it's not specified
+		if p.PinPath == "" {
+			p.PinPath = filepath.Join(s.policyDir(), s.Name, p.PinName)
+		}
 		// and make the path
 		if err := os.MkdirAll(filepath.Join(bpfDir, p.PinPath), os.ModeDir); err != nil {
 			logger.GetLogger().Warn("Failed to create program dir",
diff --git a/pkg/sensors/load_linux.go b/pkg/sensors/load_linux.go
@@ -19,6 +19,10 @@ import (
 )
 
 func (s *Sensor) setMapPinPath(m *program.Map) {
+	if m.PinPath != "" {
+		// Use the specified one when m.PinPath is already available.
+		return
+	}
 	policy := s.policyDir()
 	switch m.Type {
 	case program.MapTypeGlobal:
diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go
@@ -53,12 +53,32 @@ type observerKprobeSensor struct {
 	name string
 }
 
+type fmodRetProgram struct {
+	name string
+}
+
+type kprobeOverrideProgram struct {
+	name string
+}
+
 func init() {
 	kprobe := &observerKprobeSensor{
 		name: "kprobe sensor",
 	}
+
+	fmodRet := &fmodRetProgram{
+		name: "fmod_ret program",
+	}
+
+	kprobeOverrideProgram := &kprobeOverrideProgram{
+		name: "kprobe_override program",
+	}
+
 	sensors.RegisterProbeType("generic_kprobe", kprobe)
 	observer.RegisterEventHandlerAtInit(ops.MSG_OP_GENERIC_KPROBE, handleGenericKprobe)
+
+	sensors.RegisterProbeType("generic_fmod_ret", fmodRet)
+	sensors.RegisterProbeType("generic_kprobe_override", kprobeOverrideProgram)
 }
 
 type kprobeSelectors struct {
@@ -344,11 +364,23 @@ func createMultiKprobeSensor(polInfo *policyInfo, multiIDs []idtable.EntryID, ha
 	filterMap.SetMaxEntries(len(multiIDs))
 	configMap.SetMaxEntries(len(multiIDs))
 
-	overrideTasksMap := program.MapBuilderProgram("override_tasks", load)
 	if has.override {
-		overrideTasksMap.SetMaxEntries(overrideMapMaxEntries)
+		for _, id := range multiIDs {
+			gk, err := genericKprobeTableGet(id)
+			if err != nil {
+				return nil, nil, err
+			}
+			gk.data = &genericKprobeData{}
+
+			progs, maps = createKProbeOverrideProgramFromEntry(load, gk.funcName, progs, maps)
+		}
+	} else {
+		overrideTasksMap := program.MapBuilderProgram("override_tasks", load)
+		if has.override {
+			overrideTasksMap.SetMaxEntries(overrideMapMaxEntries)
+		}
+		maps = append(maps, overrideTasksMap)
 	}
-	maps = append(maps, overrideTasksMap)
 
 	maps = append(maps, polInfo.policyConfMap(load), polInfo.policyStatsMap(load))
 
@@ -983,6 +1015,38 @@ func addKprobe(funcName string, instance int, f *v1alpha1.KProbeSpec, in *addKpr
 	return kprobeEntry.tableId, nil
 }
 
+func createKProbeOverrideProgramFromEntry(load *program.Program, attachFunc string, progs []*program.Program, maps []*program.Map) ([]*program.Program, []*program.Map) {
+	// setup kprobe override program and its input
+	kprobeOverrideProg, kprobeOverrideMap := getOverrideProg(OverrideTypeKProbe, attachFunc)
+	progs = append(progs, kprobeOverrideProg)
+	maps = append(maps, kprobeOverrideMap)
+
+	// setup the output of kprobe
+	overrideTasksMap := program.MapBuilder("override_tasks", load)
+	overrideTasksMap.PinPath = kprobeOverrideMap.PinPath
+	overrideTasksMap.SetMaxEntries(overrideMapMaxEntries)
+
+	maps = append(maps, overrideTasksMap)
+
+	return progs, maps
+}
+
+func createFmodRetOverrideProgramFromEntry(load *program.Program, attachFunc string, progs []*program.Program, maps []*program.Map) ([]*program.Program, []*program.Map) {
+	// setup fmodret program and its input
+	fmodRetProg, fmodRetMap := getOverrideProg(OverrideTypeFmodRet, attachFunc)
+	progs = append(progs, fmodRetProg)
+	maps = append(maps, fmodRetMap)
+
+	// setup the output of kprobe
+	overrideTasksMap := program.MapBuilder("override_tasks", load)
+	overrideTasksMap.PinPath = fmodRetMap.PinPath
+	overrideTasksMap.SetMaxEntries(overrideMapMaxEntries)
+
+	maps = append(maps, overrideTasksMap)
+
+	return progs, maps
+}
+
 func createKprobeSensorFromEntry(polInfo *policyInfo, kprobeEntry *genericKprobe,
 	progs []*program.Program, maps []*program.Map, has hasMaps) ([]*program.Program, []*program.Map) {
 
@@ -1080,11 +1144,16 @@ func createKprobeSensorFromEntry(polInfo *policyInfo, kprobeEntry *genericKprobe
 		maps = append(maps, program.MapUser(cgtracker.MapName, load))
 	}
 
-	overrideTasksMap := program.MapBuilderProgram("override_tasks", load)
-	if has.override {
-		overrideTasksMap.SetMaxEntries(overrideMapMaxEntries)
+	if load.Override {
+		if load.OverrideFmodRet {
+			progs, maps = createFmodRetOverrideProgramFromEntry(load, kprobeEntry.funcName, progs, maps)
+		} else {
+			progs, maps = createKProbeOverrideProgramFromEntry(load, kprobeEntry.funcName, progs, maps)
+		}
+	} else {
+		overrideTasksMap := program.MapBuilderProgram("override_tasks", load)
+		maps = append(maps, overrideTasksMap)
 	}
-	maps = append(maps, overrideTasksMap)
 
 	maps = append(maps, polInfo.policyConfMap(load), polInfo.policyStatsMap(load))
 
@@ -1241,6 +1310,38 @@ func loadMultiKprobeSensor(ids []idtable.EntryID, bpfDir string, load *program.P
 	return nil
 }
 
+func loadGenericFmodRetProgram(bpfDir string, load *program.Program, maps []*program.Map, verbose int) error {
+	if load.LoadState.IsLoaded() {
+		logger.GetLogger().Info(fmt.Sprintf("The generic fmodify return program on %s has been loaded", load.Attach))
+		return nil
+	}
+
+	logger.GetLogger().Info("loading generic fmod ret program", "prog", load)
+
+	unload := func(_ bool) error {
+		deleteOverrideProg(OverrideTypeFmodRet, load.Attach)
+		return nil
+	}
+
+	return program.LoadFmodRetProgram(bpfDir, load, maps, "generic_fmodret_override", verbose, unload)
+}
+
+func loadGenericKProbeOverrideProgram(bpfDir string, load *program.Program, maps []*program.Map, verbose int) error {
+	if load.LoadState.IsLoaded() {
+		logger.GetLogger().Info(fmt.Sprintf("The generic kprobe override program on %s has been loaded", load.Attach))
+		return nil
+	}
+
+	logger.GetLogger().Info("loading generic kprobe override program", "prog", load)
+
+	unload := func(_ bool) error {
+		deleteOverrideProg(OverrideTypeKProbe, load.Attach)
+		return nil
+	}
+
+	return program.LoadKProbeOverrideProgram(bpfDir, load, maps, "generic_kprobe_override", verbose, unload)
+}
+
 func loadGenericKprobeSensor(bpfDir string, load *program.Program, maps []*program.Map, verbose int) error {
 	if id, ok := load.LoaderData.(idtable.EntryID); ok {
 		return loadSingleKprobeSensor(id, bpfDir, load, maps, verbose)
@@ -1468,3 +1569,11 @@ func retprobeMerge(prev pendingEvent, curr pendingEvent) *tracing.MsgGenericKpro
 func (k *observerKprobeSensor) LoadProbe(args sensors.LoadProbeArgs) error {
 	return loadGenericKprobeSensor(args.BPFDir, args.Load, args.Maps, args.Verbose)
 }
+
+func (k *fmodRetProgram) LoadProbe(args sensors.LoadProbeArgs) error {
+	return loadGenericFmodRetProgram(args.BPFDir, args.Load, args.Maps, args.Verbose)
+}
+
+func (k *kprobeOverrideProgram) LoadProbe(args sensors.LoadProbeArgs) error {
+	return loadGenericKProbeOverrideProgram(args.BPFDir, args.Load, args.Maps, args.Verbose)
+}
diff --git a/pkg/sensors/tracing/genericoverride.go b/pkg/sensors/tracing/genericoverride.go
@@ -0,0 +1,102 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package tracing
+
+import (
+	"path"
+
+	"github.com/cilium/tetragon/pkg/logger"
+	"github.com/cilium/tetragon/pkg/sensors/program"
+)
+
+type OverrideType string
+
+const (
+	OverrideTypeKProbe  = "kprobe"
+	OverrideTypeFmodRet = "fmod_ret"
+)
+
+var overrideProgMap map[string]*program.Program
+
+func getOverrideProgMapKey(overrideType OverrideType, attachFunc string) string {
+	return string(overrideType) + attachFunc
+}
+
+func createFmodRetOverrideProg(attachFunc string) *program.Program {
+	overrideProg := program.Builder(
+		"bpf_generic_override.o",
+		attachFunc,
+		"fmod_ret/security_task_prctl",
+		"fmod_ret/"+attachFunc,
+		"generic_fmod_ret")
+
+	overrideProg.PinPath = path.Join("__override__", "fmod_ret", attachFunc)
+
+	overrideTasksMap := program.MapBuilder("override_tasks", overrideProg)
+	overrideTasksMap.PinPath = path.Join("__override__", "override_tasks")
+	overrideTasksMap.SetMaxEntries(overrideMapMaxEntries)
+
+	return overrideProg
+}
+
+func createKProbeOverrideProg(attachFunc string) *program.Program {
+	overrideProg := program.Builder(
+		"bpf_generic_override.o",
+		attachFunc,
+		"kprobe/generic_kprobe_override",
+		"kprobe/"+attachFunc,
+		"generic_kprobe_override")
+
+	overrideProg.PinPath = path.Join("__override__", "kprobe", attachFunc)
+
+	overrideTasksMap := program.MapBuilder("override_tasks", overrideProg)
+	overrideTasksMap.PinPath = path.Join("__override__", "override_tasks")
+	overrideTasksMap.SetMaxEntries(overrideMapMaxEntries)
+
+	return overrideProg
+}
+
+func getOverrideProg(overrideType OverrideType, attachFunc string) (*program.Program, *program.Map) {
+	var overrideProg *program.Program
+	var ok bool
+
+	if overrideProgMap == nil {
+		overrideProgMap = make(map[string]*program.Program)
+	}
+
+	key := getOverrideProgMapKey(overrideType, attachFunc)
+
+	if overrideProg, ok = overrideProgMap[key]; !ok {
+
+		switch overrideType {
+		case OverrideTypeKProbe:
+			overrideProg = createKProbeOverrideProg(attachFunc)
+		case OverrideTypeFmodRet:
+			overrideProg = createFmodRetOverrideProg(attachFunc)
+		}
+
+		overrideProgMap[key] = overrideProg
+	}
+
+	logger.GetLogger().Info("Getting a new override prog", "prog", overrideProg, "map", overrideProg.PinMap["override_tasks"])
+
+	return overrideProg, overrideProg.PinMap["override_tasks"]
+}
+
+func deleteOverrideProg(overrideType OverrideType, attachFunc string) {
+	var prog *program.Program
+	var ok bool
+
+	key := getOverrideProgMapKey(overrideType, attachFunc)
+
+	if overrideProgMap == nil {
+		return
+	}
+	if prog, ok = overrideProgMap[key]; !ok {
+		return
+	}
+	if !prog.LoadState.IsLoaded() {
+		delete(overrideProgMap, key)
+	}
+}
