Add LSM dynamic parameter extraction in genericlsm.go

This commit update `addLsm` function to use the parameters `ExtractParam` and `OverwriteType` in order to look for the child members in BTF structure. It does a basic split on `ExtractParam` and to obtain the path from the argument to the required data. Then, the array is gave to `btf.FindNextBTFType` to find the offsets to the data. The output is stored in EventConfig to keep the normal behaviour For example, if the arg 0 is `struct linux_binprm` and ExtractParam is set to `file.f_path.dentry.d_name.name`, the output will give an array of all the offsets from there parents as such [{ offset: 96, is_pointer: 0 }, { offset: 152, is_pointer: 1 }, ...] Signed-off-by: Tristan d'Audibert <[email protected]>
cilium · Nov 20, 2024 · ce33ec7 · ce33ec7
1 parent e2d3204
commit ce33ec7
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/pkg/sensors/tracing/genericlsm.go b/pkg/sensors/tracing/genericlsm.go
@@ -16,6 +16,7 @@ import (
 	processapi "github.com/cilium/tetragon/pkg/api/processapi"
 	api "github.com/cilium/tetragon/pkg/api/tracingapi"
 	"github.com/cilium/tetragon/pkg/bpf"
+	"github.com/cilium/tetragon/pkg/btf"
 	gt "github.com/cilium/tetragon/pkg/generictypes"
 	"github.com/cilium/tetragon/pkg/grpc/tracing"
 	"github.com/cilium/tetragon/pkg/idtable"
@@ -209,6 +210,7 @@ type addLsmIn struct {
 func addLsm(f *v1alpha1.LsmHookSpec, in *addLsmIn) (id idtable.EntryID, err error) {
 	var argSigPrinters []argPrinter
 	var argsBTFSet [api.MaxArgsSupported]bool
+	var allArgsBtfChilds [api.EventConfigMaxArgs][api.MaxBtfArgChildDepth]api.ConfigBtfArgChild
 
 	errFn := func(err error) (idtable.EntryID, error) {
 		return idtable.UninitializedEntryID, err
@@ -239,6 +241,34 @@ func addLsm(f *v1alpha1.LsmHookSpec, in *addLsmIn) (id idtable.EntryID, err erro
 		if argType == gt.GenericInvalidType {
 			return errFn(fmt.Errorf("Arg(%d) type '%s' unsupported", j, a.Type))
 		}
+
+		if a.ExtractParam != "" && j < api.EventConfigMaxArgs {
+			allArgsBtfChilds[j] = [api.MaxBtfArgChildDepth]api.ConfigBtfArgChild{}
+			spec, err := btf.NewBTF()
+			if err != nil {
+				return errFn(fmt.Errorf("Unable to load BTF file"))
+			}
+
+			partialPath := strings.Split(a.ExtractParam, ".")
+			if len(partialPath) > api.MaxBtfArgChildDepth {
+				return errFn(fmt.Errorf("Exausted research in BTF for type %s. The maximum depth allowed is %d", a.Type, api.MaxBtfArgChildDepth))
+			}
+
+			rootType, err := spec.AnyTypeByName(a.Type)
+			if err != nil {
+				return errFn(fmt.Errorf("Type %s has not been found in BTF", a.Type))
+			}
+			lastChild, err := btf.FindNextBTFType(&allArgsBtfChilds[j], rootType, &partialPath, 0)
+			if err != nil {
+				return errFn(err)
+			}
+			if a.OverwriteType != "" {
+				argType = gt.GenericTypeFromString(a.OverwriteType)
+			} else {
+				argType = gt.GenericTypeFromBTF(*lastChild)
+			}
+		}
+
 		if a.MaxData {
 			if argType != gt.GenericCharBuffer {
 				logger.GetLogger().Warnf("maxData flag is ignored (supported for char_buf type)")
@@ -263,6 +293,7 @@ func addLsm(f *v1alpha1.LsmHookSpec, in *addLsmIn) (id idtable.EntryID, err erro
 		argSigPrinters = append(argSigPrinters, argP)
 	}
 
+	config.BtfArgChild = allArgsBtfChilds
 	config.ArgReturn = int32(0)
 	config.ArgReturnCopy = int32(0)