cgroup tracking

bpf/Makefile

@@ -75,7 +75,7 @@ PROCESS += bpf_generic_kprobe_v61.o bpf_generic_retkprobe_v61.o \
 PROCESS += bpf_generic_lsm_core_v61.o bpf_generic_lsm_output_v61.o \
 	   bpf_generic_lsm_ima_file_v61.o bpf_generic_lsm_ima_bprm_v61.o
 
-CGROUP = bpf_cgroup_mkdir.o bpf_cgroup_rmdir.o bpf_cgroup_release.o
+CGROUP = bpf_cgroup_mkdir.o bpf_cgroup_rmdir.o bpf_cgroup_release.o bpf_cgtracker.o
 BPFTEST = bpf_lseek.o
 
 OBJSDIR         := objs/

bpf/cgroup/bpf_cgtracker.c

@@ -0,0 +1,80 @@
+// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+/* Copyright Authors of Tetragon */
+
+#include "vmlinux.h"
+#include "api.h"
+#include "bpf_helpers.h"
+#include "bpf_cgroup.h"
+#include "bpf_tracing.h"
+#include "cgtracker.h"
+
+char _license[] __attribute__((section(("license")), used)) = "GPL";
+#ifdef VMLINUX_KERNEL_VERSION
+int _version __attribute__((section(("version")), used)) =
+	VMLINUX_KERNEL_VERSION;
+#endif
+
+/* new kernel cgroup definition */
+struct cgroup___new {
+	int level;
+	struct cgroup *ancestors[];
+} __attribute__((preserve_access_index));
+
+FUNC_INLINE __u64 cgroup_get_parent_id(struct cgroup *cgrp)
+{
+	struct cgroup___new *cgrp_new = (struct cgroup___new *)cgrp;
+
+	// for newer kernels, we can access use ->ancestors to retrieve the parent
+	if (bpf_core_field_exists(cgrp_new->ancestors)) {
+		int level = get_cgroup_level(cgrp);
+
+		if (level <= 0)
+			return 0;
+		return BPF_CORE_READ(cgrp_new, ancestors[level - 1], kn, id);
+	}
+
+	// otherwise, go over the parent pointer
+	struct cgroup_subsys_state *parent_css = BPF_CORE_READ(cgrp, self.parent);
+
+	if (parent_css) {
+		struct cgroup *parent = container_of(parent_css, struct cgroup, self);
+		__u64 parent_cgid = get_cgroup_id(parent);
+		return parent_cgid;
+	}
+
+	return 0;
+}
+
+__attribute__((section(("raw_tracepoint/cgroup_mkdir")), used)) int
+tg_cgtracker_cgroup_mkdir(struct bpf_raw_tracepoint_args *ctx)
+{
+	struct cgroup *cgrp;
+	__u64 cgid, cgid_parent, *cgid_tracker;
+
+	cgrp = (struct cgroup *)ctx->args[0];
+	cgid = get_cgroup_id(cgrp);
+	if (cgid == 0)
+		return 0;
+	cgid_parent = cgroup_get_parent_id(cgrp);
+	if (cgid_parent == 0)
+		return 0;
+	cgid_tracker = map_lookup_elem(&tg_cgtracker_map, &cgid_parent);
+	if (cgid_tracker)
+		map_update_elem(&tg_cgtracker_map, &cgid, cgid_tracker, BPF_ANY);
+
+	return 0;
+}
+
+__attribute__((section(("raw_tracepoint/cgroup_release")), used)) int
+tg_cgtracker_cgroup_release(struct bpf_raw_tracepoint_args *ctx)
+{
+	struct cgroup *cgrp;
+	__u64 cgid;
+
+	cgrp = (struct cgroup *)ctx->args[0];
+	cgid = get_cgroup_id(cgrp);
+	if (cgid)
+		map_delete_elem(&tg_cgtracker_map, &cgid);
+
+	return 0;
+}

bpf/cgroup/cgtracker.h

@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+/* Copyright Authors of Cilium */
+
+#ifndef CGTRACKER_H__
+#define CGTRACKER_H__
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 1);
+	__type(key, __u64); /* cgroup id */
+	__type(value, __u64); /* tracker cgroup id */
+} tg_cgtracker_map SEC(".maps");
+
+FUNC_INLINE __u64 cgrp_get_tracker_id(__u64 cgid)
+{
+	__u64 *ret;
+
+	ret = map_lookup_elem(&tg_cgtracker_map, &cgid);
+	return ret ? *ret : 0;
+}
+
+#endif /* CGTRACKER_H__ */

bpf/include/api.h

@@ -236,7 +236,7 @@ static int BPF_FUNC(fib_lookup, void *ctx, struct bpf_fib_lookup *params, uint32
 /* Current Process Info */
 static uint64_t BPF_FUNC(get_current_task);
 static uint64_t BPF_FUNC(get_current_cgroup_id);
-static uint64_t BPF_FUNC(get_current_ancestor_cgroup_id);
+static uint64_t BPF_FUNC(get_current_ancestor_cgroup_id, int ancestor_level);
 static uint64_t BPF_FUNC(get_current_uid_gid);
 static uint64_t BPF_FUNC(get_current_pid_tgid);
 

bpf/lib/bpf_helpers.h

@@ -99,4 +99,23 @@ FUNC_INLINE void compiler_barrier(void)
 
 #define SEC(name) __attribute__((section(name), used))
 
+/*
+ * Helper macros to manipulate data structures
+ */
+
+/* offsetof() definition that uses __builtin_offset() might not preserve field
+ * offset CO-RE relocation properly, so force-redefine offsetof() using
+ * old-school approach which works with CO-RE correctly
+ */
+#undef offsetof
+#define offsetof(type, member) ((unsigned long)&((type *)0)->member)
+
+/* redefined container_of() to ensure we use the above offsetof() macro */
+#undef container_of
+#define container_of(ptr, type, member)                      \
+	({                                                   \
+		void *__mptr = (void *)(ptr);                \
+		((type *)(__mptr - offsetof(type, member))); \
+	})
+
 #endif //__BPF_HELPERS_

bpf/lib/process.h

@@ -266,6 +266,7 @@ struct msg_ns {
 
 struct msg_k8s {
 	__u64 cgrpid;
+	__u64 cgrp_tracker_id;
 	char docker_id[DOCKER_ID_LENGTH];
 }; // All fields aligned so no 'packed' attribute.
 

bpf/process/bpf_process_event.h

@@ -8,6 +8,7 @@
 
 #include "bpf_cgroup.h"
 #include "bpf_cred.h"
+#include "cgroup/cgtracker.h"
 
 #define ENAMETOOLONG 36 /* File name too long */
 
@@ -536,16 +537,6 @@ __event_get_current_cgroup_name(struct cgroup *cgrp, struct msg_k8s *kube)
 {
 	const char *name;
 
-	/* TODO: check if we have Tetragon cgroup configuration and that the
-	 *     tracking cgroup ID is set. If so then query the bpf map for
-	 *     the corresponding tracking cgroup name.
-	 */
-
-	/* TODO: we gather current cgroup context, switch to tracker see above,
-	 *    and if that fails for any reason or if we don't have the cgroup name
-	 *    of tracker, then we can continue with current context.
-	 */
-
 	name = get_cgroup_name(cgrp);
 	if (name)
 		probe_read_str(kube->docker_id, KN_NAME_LENGTH, name);
@@ -587,7 +578,9 @@ __event_get_cgroup_info(struct task_struct *task, struct msg_k8s *kube)
 
 	/* Collect event cgroup ID */
 	kube->cgrpid = __tg_get_current_cgroup_id(cgrp, cgrpfs_magic);
-	if (!kube->cgrpid)
+	if (kube->cgrpid)
+		kube->cgrp_tracker_id = cgrp_get_tracker_id(kube->cgrpid);
+	else
 		flags |= EVENT_ERROR_CGROUP_ID;
 
 	/* Get the cgroup name of this event. */

cmd/tetra/cgtracker/cgtracker.go

@@ -0,0 +1,90 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package cgtracker
+
+import (
+	"fmt"
+	"log"
+	"path/filepath"
+
+	"github.com/cilium/tetragon/pkg/cgidarg"
+	"github.com/cilium/tetragon/pkg/cgtracker"
+	"github.com/cilium/tetragon/pkg/defaults"
+	"github.com/spf13/cobra"
+)
+
+func New() *cobra.Command {
+	ret := &cobra.Command{
+		Use:          "cgtracker",
+		Short:        "manage cgtracker map (only for debugging)",
+		Hidden:       true,
+		SilenceUsage: true,
+	}
+
+	ret.AddCommand(
+		dumpCmd(),
+		addCommand(),
+	)
+
+	return ret
+}
+
+func dumpCmd() *cobra.Command {
+	mapFname := filepath.Join(defaults.DefaultMapRoot, defaults.DefaultMapPrefix, cgtracker.MapName)
+	ret := &cobra.Command{
+		Use:   "dump",
+		Short: "dump cgtracker map state",
+		Args:  cobra.ExactArgs(0),
+		RunE: func(_ *cobra.Command, _ []string) error {
+			m, err := cgtracker.OpenMap(mapFname)
+			if err != nil {
+				log.Fatal(err)
+			}
+			defer m.Close()
+
+			vals, err := m.Dump()
+			if err != nil {
+				return err
+			}
+			for tracker, tracked := range vals {
+				fmt.Printf("%d: %v\n", tracker, tracked)
+			}
+			return nil
+		},
+	}
+
+	flags := ret.Flags()
+	flags.StringVar(&mapFname, "map-fname", mapFname, "cgtracker map filename")
+	return ret
+}
+
+func addCommand() *cobra.Command {
+	mapFname := filepath.Join(defaults.DefaultMapRoot, defaults.DefaultMapPrefix, cgtracker.MapName)
+	ret := &cobra.Command{
+		Use:   "add cg_tracked cg_tracker",
+		Short: "add cgtracker entry",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(_ *cobra.Command, args []string) error {
+			tracked, err := cgidarg.Parse(args[0])
+			if err != nil {
+				return err
+			}
+			tracker, err := cgidarg.Parse(args[1])
+			if err != nil {
+				return err
+			}
+			m, err := cgtracker.OpenMap(mapFname)
+			if err != nil {
+				return err
+			}
+			defer m.Close()
+			return m.Add(tracked, tracker)
+
+		},
+	}
+
+	flags := ret.Flags()
+	flags.StringVar(&mapFname, "map-fname", mapFname, "cgtracker map filename")
+	return ret
+}

cmd/tetra/commands_linux.go

@@ -5,6 +5,7 @@ package main
 
 import (
 	"github.com/cilium/tetragon/cmd/tetra/bugtool"
+	"github.com/cilium/tetragon/cmd/tetra/cgtracker"
 	"github.com/cilium/tetragon/cmd/tetra/cri"
 	"github.com/cilium/tetragon/cmd/tetra/debug"
 	"github.com/cilium/tetragon/cmd/tetra/loglevel"
@@ -24,4 +25,5 @@ func addCommands(rootCmd *cobra.Command) {
 	rootCmd.AddCommand(probe.New())
 	rootCmd.AddCommand(loglevel.New())
 	rootCmd.AddCommand(cri.New())
+	rootCmd.AddCommand(cgtracker.New())
 }

contrib/tester-progs/.gitignore

@@ -24,3 +24,4 @@ change-capabilities
 direct-write-tester
 user-stacktrace
 pause
+/test-helper

contrib/tester-progs/Makefile

@@ -25,6 +25,7 @@ PROGS = sigkill-tester \
 	direct-write-tester \
 	change-capabilities \
 	user-stacktrace \
+	test-helper \
 	pause
 
 
@@ -98,6 +99,9 @@ getcpu-i386: FORCE
 user-stacktrace: FORCE
 	go build -o user-stacktrace ./go/user-stacktrace
 
+test-helper: FORCE
+	go build -o test-helper ./go/test-helper
+
 .PHONY: clean
 clean:
 	rm -f $(PROGS)

contrib/tester-progs/go/test-helper/main.go

@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package main
+
+import (
+	"github.com/cilium/tetragon/pkg/testutils/progs"
+)
+
+func main() {
+	progs.TestHelperMain()
+}

operator/podinfo/podinfo_controller.go

@@ -9,7 +9,7 @@ import (
 	"reflect"
 
 	ciliumiov1alpha1 "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
-	"github.com/cilium/tetragon/pkg/process"
+	"github.com/cilium/tetragon/pkg/podhelpers"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -100,7 +100,7 @@ func equal(pod *corev1.Pod, podInfo *ciliumiov1alpha1.PodInfo) bool {
 		Controller:         &controller,
 		BlockOwnerDeletion: &blockOwnerDeletion,
 	}
-	workloadObject, workloadType := process.GetWorkloadMetaFromPod(pod)
+	workloadObject, workloadType := podhelpers.GetWorkloadMetaFromPod(pod)
 	return pod.Name == podInfo.Name &&
 		pod.Namespace == podInfo.Namespace &&
 		pod.Status.PodIP == podInfo.Status.PodIP &&
@@ -129,7 +129,7 @@ func generatePodInfo(pod *corev1.Pod) *ciliumiov1alpha1.PodInfo {
 	for _, podIP := range pod.Status.PodIPs {
 		podIPs = append(podIPs, ciliumiov1alpha1.PodIP{IP: podIP.IP})
 	}
-	workloadObject, workloadType := process.GetWorkloadMetaFromPod(pod)
+	workloadObject, workloadType := podhelpers.GetWorkloadMetaFromPod(pod)
 	controller := true
 	blockOwnerDeletion := true
 	return &ciliumiov1alpha1.PodInfo{

operator/podinfo/podinfo_controller_test.go

@@ -12,7 +12,7 @@ import (
 	"testing"
 
 	ciliumv1alpha1 "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
-	"github.com/cilium/tetragon/pkg/process"
+	"github.com/cilium/tetragon/pkg/podhelpers"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -121,7 +121,7 @@ func TestGeneratePod(t *testing.T) {
 		for _, podIP := range pod.Status.PodIPs {
 			podIPs = append(podIPs, ciliumv1alpha1.PodIP{IP: podIP.IP})
 		}
-		workloadObject, workloadType := process.GetWorkloadMetaFromPod(pod)
+		workloadObject, workloadType := podhelpers.GetWorkloadMetaFromPod(pod)
 		expectedPodInfo := &ciliumv1alpha1.PodInfo{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:        pod.Name,