fix

pin and update map only when option is enabled.
check for event_clone flag instead of cleanup process pid

Signed-off-by: Kobrin Ilay <[email protected]>

Author: kobrineli

bpf/lib/process.h

@@ -366,6 +366,10 @@ struct {
 	__type(value, struct binary);
 } binary_heap_map SEC(".maps");
 
+// Parent binaries map is used for saving actual immediate parents
+// for processes to get check them in matchParentBinaries selector.
+// If multiple execs are called in same process without fork, the map
+// stores process binary itself instead of its parent binary.
 struct {
 	__uint(type, BPF_MAP_TYPE_LRU_HASH);
 	__uint(max_entries, 1);

bpf/process/bpf_execve_event.c

@@ -342,6 +342,36 @@ execve_rate(void *ctx __arg_ctx)
 	return 0;
 }
 
+#ifdef __LARGE_BPF_PROG
+volatile const __u8 PARENTS_MAP_ENABLED;
+
+FUNC_INLINE void update_parents_map(struct msg_execve_event *event, struct execve_map_value *curr)
+{
+	if (PARENTS_MAP_ENABLED) {
+		__u32 zero = 0;
+		struct binary *bin = map_lookup_elem(&binary_heap_map, &zero);
+
+		if (bin) {
+			// use current binary as parent binary if exec events is not preceded
+			// by clone, i.e. exec call was invoked in the same process.
+			if (!(event->process.flags & EVENT_CLONE)) {
+				memcpy(bin, &curr->bin, sizeof(curr->bin));
+				map_update_elem(&parent_binaries_map, &curr->key.pid, bin, BPF_ANY);
+			} else {
+				struct execve_map_value *parent = event_find_parent();
+				
+				if (parent)
+					map_update_elem(&parent_binaries_map, &curr->key.pid, &parent->bin, BPF_ANY);
+			}
+		}
+	}
+}
+#else
+FUNC_INLINE void update_parents_map(struct msg_execve_event *event, struct execve_map_value *curr)
+{
+}
+#endif
+
 /**
  * execve_send() sends the collected execve event data.
  *
@@ -415,22 +445,7 @@ execve_send(struct exec_ctx_struct *ctx __arg_ctx)
 		}
 #endif
 
-		__u32 zero = 0;
-		struct binary *bin = map_lookup_elem(&binary_heap_map, &zero);
-
-		if (bin) {
-			// use current binary as parent binary if cleanup pid is equal to current pid,
-			// i.e. exec call was invoked in the same process.
-			if (curr->key.pid == event->cleanup_key.pid) {
-				memcpy(bin, &curr->bin, sizeof(curr->bin));
-				map_update_elem(&parent_binaries_map, &curr->key.pid, bin, BPF_ANY);
-			} else {
-				struct execve_map_value *parent = event_find_parent();
-
-				if (parent)
-					map_update_elem(&parent_binaries_map, &curr->key.pid, &parent->bin, BPF_ANY);
-			}
-		}
+		update_parents_map(event, curr);
 
 		/* zero out previous paths in ->bin */
 		binary_reset(&curr->bin);

bpf/process/pfilter.h

@@ -432,7 +432,7 @@ selector_process_filter(__u32 *f, __u32 index, struct execve_map_value *enter,
 	struct binary *parent_bin = map_lookup_elem(&parent_binaries_map, &enter->key.pid);
 
 	if (parent_bin)
-		/* matchParentBinaries key is in rage [MAX_SELECTORS; MAX_SELECTORS * 2) */
+		/* matchParentBinaries key is in range [MAX_SELECTORS; MAX_SELECTORS * 2) */
 		if (!match_binaries(index + MAX_SELECTORS, enter, parent_bin))
 			return 0;
 

pkg/selectors/kernel.go

@@ -744,30 +744,36 @@ func writeMatchStrings(k *KernelSelectorState, values []string, ty uint32) error
 	return nil
 }
 
-func writePrefix(k *KernelSelectorState, values []string) (uint32, error) {
+func writePrefix(k *KernelSelectorState, values []string, selector string) (uint32, error) {
 	mid, m := k.newStringPrefixMap()
 	for _, v := range values {
 		value, size := ArgSelectorValue(v)
 		if size > StringPrefixMaxLength {
-			return 0, fmt.Errorf("value %s invalid: string is longer than %d characters", v, StringPrefixMaxLength)
+			return 0, fmt.Errorf("%s value %s invalid: string is longer than %d characters", selector, v, StringPrefixMaxLength)
 		}
 		val := KernelLPMTrieStringPrefix{prefixLen: size * 8} // prefix is in bits, but size is in bytes
 		copy(val.data[:], value)
 		m[val] = struct{}{}
 	}
 	return mid, nil
+	// write the map id into the selector
+
+}
+
+func writePrefixBinaries(k *KernelSelectorState, values []string) (uint32, error) {
+	return writePrefix(k, values, "MatchBinaries")
 }
 
 func writePrefixStrings(k *KernelSelectorState, values []string) error {
-	mid, err := writePrefix(k, values)
+	mid, err := writePrefix(k, values, "MatchArgs")
 	if err != nil {
 		return err
 	}
 	WriteSelectorUint32(&k.data, mid)
 	return nil
 }
 
-func writePostfix(k *KernelSelectorState, values []string, ty uint32) (uint32, error) {
+func writePostfix(k *KernelSelectorState, values []string, ty uint32, selector string) (uint32, error) {
 	mid, m := k.newStringPostfixMap()
 	for _, v := range values {
 		var value []byte
@@ -780,7 +786,7 @@ func writePostfix(k *KernelSelectorState, values []string, ty uint32) (uint32, e
 		// Due to the constraints of the reverse copy in BPF, we will not be able to match a postfix
 		// longer than 127 characters, so throw an error if the user specified one.
 		if size >= StringPostfixMaxLength {
-			return 0, fmt.Errorf("value %s invalid: string is longer than %d characters", v, StringPostfixMaxLength-1)
+			return 0, fmt.Errorf("%s value %s invalid: string is longer than %d characters", selector, v, StringPostfixMaxLength-1)
 		}
 		val := KernelLPMTrieStringPostfix{prefixLen: size * 8} // postfix is in bits, but size is in bytes
 		// Copy postfix in reverse order, so that it can be used in LPM map
@@ -792,8 +798,12 @@ func writePostfix(k *KernelSelectorState, values []string, ty uint32) (uint32, e
 	return mid, nil
 }
 
+func writePostfixBinaries(k *KernelSelectorState, values []string) (uint32, error) {
+	return writePostfix(k, values, gt.GenericCharBuffer, "MatchBinaries")
+}
+
 func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) error {
-	mid, err := writePostfix(k, values, ty)
+	mid, err := writePostfix(k, values, ty, "MatchArgs")
 	if err != nil {
 		return err
 	}
@@ -1427,15 +1437,15 @@ func ParseMatchBinary(k *KernelSelectorState, b *v1alpha1.BinarySelector, selIdx
 		if !config.EnableLargeProgs() {
 			return fmt.Errorf("%s error: \"Prefix\" and \"NotPrefix\" operators need large BPF progs (kernel>5.3)", selectorType)
 		}
-		sel.MapID, err = writePrefix(k, b.Values)
+		sel.MapID, err = writePrefixBinaries(k, b.Values)
 		if err != nil {
 			return fmt.Errorf("failed to write the prefix operator for the %s selector: %w", selectorType, err)
 		}
 	case SelectorOpPostfix, SelectorOpNotPostfix:
 		if !config.EnableLargeProgs() {
 			return fmt.Errorf("%s error: \"Postfix\" and \"NotPostfix\" operators need large BPF progs (kernel>5.3)", selectorType)
 		}
-		sel.MapID, err = writePostfix(k, b.Values, gt.GenericCharBuffer)
+		sel.MapID, err = writePostfixBinaries(k, b.Values)
 		if err != nil {
 			return fmt.Errorf("failed to write the prefix operator for the %s selector: %w", selectorType, err)
 		}

pkg/sensors/base/base.go

@@ -161,6 +161,10 @@ func setupSensor() {
 		Execve.RewriteConstants["ENV_VARS_ENABLED"] = uint8(1)
 	}
 
+	if option.Config.ParentsMapEnabled {
+		Execve.RewriteConstants["PARENTS_MAP_ENABLED"] = uint8(1)
+	}
+
 	if option.Config.ParentsMapEnabled {
 		entries = GetExecveEntries(option.Config.ParentsMapEntries, option.Config.ParentsMapSize)
 		ParentBinariesMap.SetMaxEntries(entries)

pkg/sensors/base/base_linux.go

@@ -30,14 +30,18 @@ func GetDefaultMaps() []*program.Map {
 		ExecveJoinMapStats,
 		ExecveTailCallsMap,
 		ExecveMapUpdateData,
-		ParentBinariesMap,
 		TCPMonMap,
 		TetragonConfMap,
 		StatsMap,
 		MatchBinariesSetMap,
 		MatchBinariesGenMap,
 		ErrMetricsMap,
 	}
+
+	if option.Config.ParentsMapEnabled {
+		maps = append(maps, ParentBinariesMap)
+	}
+
 	// The BPF ring buffer is available from v5.8, but rather than add another set of
 	// kernel-version-specific objects, let's set the gate at v5.11 as we already have
 	// objects for that version number.

pkg/sensors/tracing/generickprobe.go

@@ -711,7 +711,9 @@ func createGenericKprobeSensor(
 		maps = append(maps, program.MapUserFrom(base.RingBufEvents))
 	}
 
-	maps = append(maps, program.MapUserFrom(base.ParentBinariesMap))
+	if option.Config.ParentsMapEnabled {
+		maps = append(maps, program.MapUserFrom(base.ParentBinariesMap))
+	}
 
 	return &sensors.Sensor{
 		Name:      name,

pkg/sensors/tracing/genericlsm.go

@@ -15,16 +15,17 @@ import (
 
 	"github.com/cilium/ebpf"
 
+	"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+
 	"github.com/cilium/tetragon/pkg/api/ops"
-	processapi "github.com/cilium/tetragon/pkg/api/processapi"
+	"github.com/cilium/tetragon/pkg/api/processapi"
 	api "github.com/cilium/tetragon/pkg/api/tracingapi"
 	"github.com/cilium/tetragon/pkg/bpf"
 	"github.com/cilium/tetragon/pkg/cgtracker"
 	"github.com/cilium/tetragon/pkg/config"
 	gt "github.com/cilium/tetragon/pkg/generictypes"
 	"github.com/cilium/tetragon/pkg/grpc/tracing"
 	"github.com/cilium/tetragon/pkg/idtable"
-	"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
 	"github.com/cilium/tetragon/pkg/kernels"
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/logger/logfields"
@@ -378,7 +379,9 @@ func createGenericLsmSensor(
 		maps = append(maps, program.MapUserFrom(base.RingBufEvents))
 	}
 
-	maps = append(maps, program.MapUserFrom(base.ParentBinariesMap))
+	if option.Config.ParentsMapEnabled {
+		maps = append(maps, program.MapUserFrom(base.ParentBinariesMap))
+	}
 
 	return &sensors.Sensor{
 		Name:  name,

pkg/sensors/tracing/generictracepoint.go

@@ -632,7 +632,9 @@ func createGenericTracepointSensor(
 		maps = append(maps, program.MapUserFrom(base.RingBufEvents))
 	}
 
-	maps = append(maps, program.MapUserFrom(base.ParentBinariesMap))
+	if option.Config.ParentsMapEnabled {
+		maps = append(maps, program.MapUserFrom(base.ParentBinariesMap))
+	}
 
 	ret.Progs = progs
 	ret.Maps = maps

pkg/sensors/tracing/genericuprobe.go

@@ -20,6 +20,8 @@ import (
 	"github.com/cilium/tetragon/pkg/asm"
 	"github.com/cilium/tetragon/pkg/metrics/kprobemetrics"
 
+	"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
+
 	"github.com/cilium/tetragon/pkg/api/ops"
 	"github.com/cilium/tetragon/pkg/api/processapi"
 	api "github.com/cilium/tetragon/pkg/api/tracingapi"
@@ -29,7 +31,6 @@ import (
 	gt "github.com/cilium/tetragon/pkg/generictypes"
 	"github.com/cilium/tetragon/pkg/grpc/tracing"
 	"github.com/cilium/tetragon/pkg/idtable"
-	"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/logger/logfields"
 	"github.com/cilium/tetragon/pkg/observer"
@@ -444,7 +445,9 @@ func createGenericUprobeSensor(
 		maps = append(maps, program.MapUserFrom(base.RingBufEvents))
 	}
 
-	maps = append(maps, program.MapUserFrom(base.ParentBinariesMap))
+	if option.Config.ParentsMapEnabled {
+		maps = append(maps, program.MapUserFrom(base.ParentBinariesMap))
+	}
 
 	return &sensors.Sensor{
 		Name:      name,