kprobe: support 38+ override on lsm funcs

1. Allow kprobe to use shared override programs.
2. The pinned path of ebpf programs and maps will be as below:

/bpffs/tetragon/__override__
/bpffs/tetragon/__override__/kprobe
/bpffs/tetragon/__override__/kprobe/__x64_sys_symlinkat
/bpffs/tetragon/__override__/kprobe/__x64_sys_symlinkat/link_override
/bpffs/tetragon/__override__/kprobe/__x64_sys_symlinkat/prog_override
/bpffs/tetragon/__override__/kprobe/__x64_sys_execve
/bpffs/tetragon/__override__/kprobe/__x64_sys_execve/link_override
/bpffs/tetragon/__override__/kprobe/__x64_sys_execve/prog_override
/bpffs/tetragon/__override__/override_tasks
/bpffs/tetragon/__override__/fmod_ret
/bpffs/tetragon/__override__/fmod_ret/security_bprm_creds_for_exec
/bpffs/tetragon/__override__/fmod_ret/security_bprm_creds_for_exec/prog

3. Make sure that unused override programs are cleaned up via
   unloaderOverride().

4. Move bpf functions regarding overrides into another object file.

Signed-off-by: Sam Wang (holyspectral) <[email protected]>

Author: holyspectral

bpf/Makefile

@@ -44,7 +44,7 @@ PROCESS += bpf_execve_event_v310.o bpf_exit_v310.o bpf_fork_v310.o
 PROCESS += bpf_execve_event.o bpf_fork.o bpf_exit.o bpf_execve_bprm_commit_creds.o
 # generic probes
 PROCESS += bpf_generic_kprobe.o bpf_generic_retkprobe.o bpf_generic_tracepoint.o \
-	   bpf_generic_uprobe.o bpf_generic_rawtp.o bpf_generic_usdt.o
+	   bpf_generic_uprobe.o bpf_generic_rawtp.o bpf_generic_usdt.o bpf_generic_override.o
 
 # lsm
 PROCESS += bpf_generic_lsm_core.o bpf_generic_lsm_output.o

bpf/process/bpf_generic_kprobe.c

@@ -48,11 +48,9 @@ struct {
 
 #ifdef __MULTI_KPROBE
 #define MAIN	 "kprobe.multi/generic_kprobe"
-#define OVERRIDE "kprobe.multi/generic_kprobe_override"
 #define COMMON	 "kprobe.multi"
 #else
 #define MAIN	 "kprobe/generic_kprobe"
-#define OVERRIDE "kprobe/generic_kprobe_override"
 #define COMMON	 "kprobe"
 #endif
 
@@ -139,35 +137,3 @@ generic_kprobe_path(void *ctx)
 	return generic_path(ctx, (struct bpf_map_def *)&kprobe_calls);
 }
 #endif
-
-__attribute__((section(OVERRIDE), used)) int
-generic_kprobe_override(void *ctx)
-{
-	__u64 id = get_current_pid_tgid();
-	__s32 *error;
-
-	error = map_lookup_elem(&override_tasks, &id);
-	if (!error)
-		return 0;
-
-	override_return(ctx, *error);
-	map_delete_elem(&override_tasks, &id);
-	return 0;
-}
-
-/* Putting security_task_prctl in here to pass contrib/verify/verify.sh test,
- * in normal run the function is set by tetragon dynamically.
- */
-__attribute__((section("fmod_ret/security_task_prctl"), used)) long
-generic_fmodret_override(void *ctx)
-{
-	__u64 id = get_current_pid_tgid();
-	__s32 *error;
-
-	error = map_lookup_elem(&override_tasks, &id);
-	if (!error)
-		return 0;
-
-	map_delete_elem(&override_tasks, &id);
-	return (long)*error;
-}

bpf/process/bpf_generic_lsm_output.c

@@ -14,8 +14,6 @@
 #include "bpf_task.h"
 #include "retprobe_map.h"
 #include "types/basic.h"
-#include "generic_maps.h"
-
 #include "generic_maps.h"
 #include "generic_calls.h"
 

bpf/process/bpf_generic_override.c

@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+/* Copyright Authors of Cilium */
+
+#include "vmlinux.h"
+#include "api.h"
+#include "bpf_helpers.h"
+#include "generic.h"
+#include "bpf_override_maps.h"
+
+char _license[] __attribute__((section("license"), used)) = "Dual BSD/GPL";
+
+__attribute__((section("kprobe/generic_kprobe_override"), used)) int
+generic_kprobe_override(void *ctx)
+{
+	__u64 id = get_current_pid_tgid();
+	__s32 *error;
+
+	error = map_lookup_elem(&override_tasks, &id);
+	if (!error)
+		return 0;
+
+	override_return(ctx, *error);
+	map_delete_elem(&override_tasks, &id);
+	return 0;
+}
+
+/* Putting security_task_prctl in here to pass contrib/verify/verify.sh test,
+ * in normal run the function is set by tetragon dynamically.
+ */
+__attribute__((section("fmod_ret/security_task_prctl"), used)) long
+generic_fmodret_override(void *ctx)
+{
+	__u64 id = get_current_pid_tgid();
+	__s32 *error;
+
+	error = map_lookup_elem(&override_tasks, &id);
+	if (!error)
+		return 0;
+
+	map_delete_elem(&override_tasks, &id);
+	return (long)*error;
+}

bpf/process/bpf_override_maps.h

@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+/* Copyright Authors of Cilium */
+
+#ifndef _BPF_OVERRIDE_MAPS__
+#define _BPF_OVERRIDE_MAPS__
+
+#include "lib/data_msg.h"
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 1); // will be resized by agent when needed
+	__type(key, __u64);
+	__type(value, __s32);
+} override_tasks SEC(".maps");
+
+#endif

bpf/process/generic_calls.h

@@ -13,6 +13,7 @@
 #include "policy_stats.h"
 #include "generic_path.h"
 #include "bpf_ktime.h"
+#include "bpf_override_maps.h"
 
 #define MAX_TOTAL 9000
 

bpf/process/generic_maps.h

@@ -13,13 +13,6 @@ struct {
 	__type(value, struct msg_generic_kprobe);
 } process_call_heap SEC(".maps");
 
-struct {
-	__uint(type, BPF_MAP_TYPE_HASH);
-	__uint(max_entries, 1); // will be resized by agent when needed
-	__type(key, __u64);
-	__type(value, __s32);
-} override_tasks SEC(".maps");
-
 #ifdef __LARGE_BPF_PROG
 #if defined(GENERIC_TRACEPOINT) || defined(GENERIC_UPROBE)
 #define data_heap_ptr 0

pkg/sensors/load.go

@@ -65,8 +65,10 @@ func (s *Sensor) policyDir() string {
 
 func (s *Sensor) createDirs(bpfDir string) {
 	for _, p := range s.Progs {
-		// setup sensor based program pin path
-		p.PinPath = filepath.Join(s.policyDir(), s.Name, p.PinName)
+		// setup sensor based program pin path if it's not specified
+		if p.PinPath == "" {
+			p.PinPath = filepath.Join(s.policyDir(), s.Name, p.PinName)
+		}
 		// and make the path
 		if err := os.MkdirAll(filepath.Join(bpfDir, p.PinPath), os.ModeDir); err != nil {
 			logger.GetLogger().Warn("Failed to create program dir",

pkg/sensors/load_linux.go

@@ -19,6 +19,10 @@ import (
 )
 
 func (s *Sensor) setMapPinPath(m *program.Map) {
+	if m.PinPath != "" {
+		// Use the specified one when m.PinPath is already available.
+		return
+	}
 	policy := s.policyDir()
 	switch m.Type {
 	case program.MapTypeGlobal: