
security_inode_create Load Failure :operation not permitted #3278

Open
panzhenyu12 opened this issue Jan 7, 2025 · 4 comments
Labels
kind/bug Something isn't working

Comments


panzhenyu12 commented Jan 7, 2025

What happened?

  1. I added struct dentry as in this pull request, based on the latest main branch; the build succeeded and the install succeeded.
  2. Added this TracingPolicy:
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "file-tamper-inode"
spec:
  kprobes:
  - call: "security_inode_create"
    syscall: false
    return: true
    args:
    - index: 0
      type: "nop"
    - index: 1
      type: "dentry" 
    - index: 2
      type: "int"
    returnArg:
      index: 0
      type: "int"
    returnArgAction: "Post"
    selectors:
    - matchArgs:      
      - index: 1
        operator: "Prefix"
        values:
        - "/root/test"           
      matchActions:
      - action: Override
        argError: -1
  3. It shows the error: Error: failed to add tracing policy: rpc error: code = Unknown desc = sensor generic_kprobe from collection file-tamper-inode failed to load: failed prog /usr/local/lib/tetragon/bpf/bpf_generic_kprobe_v511.o kern_version 331672 loadInstance: pinning link '/sys/fs/bpf/tetragon/file-tamper-inode/generic_kprobe/security_inode_create/link' failed: operation not permitted
    But another function, security_inode_mkdir, works well.

Tetragon Version

Based on the latest main branch and https://github.com/cilium/tetragon/pull/2741.

Kernel Version

Linux 5.15.0-113-generic

Kubernetes Version

No response

Bugtool

tetragon-bugtool.tar.gz

Relevant log output

Anything else?

my code repo

panzhenyu12 added the kind/bug label Jan 7, 2025
panzhenyu12 changed the title from "security_inode_create operation not permitted" to "security_inode_create Load Failure :operation not permitted" Jan 7, 2025
olsajiri (Contributor) commented

Hi, thanks for the report.. I reproduced that even without your dentry change.. checking on the fix now

Instead of dentry I put nop, which bypassed the arg filtering and overrode security_inode_create, which did not allow creating the link pin and tetragon failed.. perhaps the dentry change is not working properly and the filter is passing for everything

Also.. for some reason I thought the dentry #2741 change already made it in, not sure why it's not merged yet unless I'm missing something

panzhenyu12 commented Jan 13, 2025

> Hi, thanks for the report.. I reproduced that even without your dentry change.. checking on the fix now
>
> Instead of dentry I put nop, which bypassed the arg filtering and overrode security_inode_create, which did not allow creating the link pin and tetragon failed.. perhaps the dentry change is not working properly and the filter is passing for everything
>
> Also.. for some reason I thought the dentry #2741 change already made it in, not sure why it's not merged yet unless I'm missing something

Thanks! Do you think the issue lies with the filter? If I change the matchArgs index to 0, the TracingPolicy can load properly. However, when it's set to dentry, it doesn't work. If the issue is indeed bypassing arg filtering, why would changing the index have any effect?

security_inode_mkdir loads properly, recognizes dentry, and filters and overrides it without issues. This seems a bit odd, so I'm not entirely sure if it's a problem with the dentry code or with Tetragon itself.

Is there a plan to merge dentry into the main branch anytime soon? I think dentry could be quite useful in certain scenarios. Thanks again!

olsajiri (Contributor) commented

> Thanks! Do you think the issue lies with the filter? If I change the matchArgs index to 0, the TracingPolicy can load properly. However, when it's set to dentry, it doesn't work. If the issue is indeed bypassing arg filtering, why would changing the index have any effect?

I think the filter passed and security_inode_create was triggered by tetragon process when it was trying to pin the link

> security_inode_mkdir loads properly, recognizes dentry, and filters and overrides it without issues. This seems a bit odd, so I'm not entirely sure if it's a problem with the dentry code or with Tetragon itself.

dir structure is done by the time we load the program, so this one does not cause the issue

> Is there a plan to merge dentry into the main branch anytime soon? I think dentry could be quite useful in certain scenarios. Thanks again!

check #2741 (comment)
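As an added illustration (not Tetragon's code and not from the thread), a small Python model of the selector evaluation the thread is reasoning about: the policy's Override on security_inode_create is evaluated against the bpffs link path that tetragon itself creates while loading, once with the declared Prefix filter working and once with the filter passing for everything. The rule that an argument which cannot be decoded passes rather than fails is an assumption used to model olsajiri's hypothesis.

```python
# Simplified model of how a TracingPolicy selector decides whether an Override
# fires. Illustration only; this is not Tetragon's own evaluation code.

# The bpffs path tetragon creates while loading the policy (from the issue's error).
PIN_PATH = ("/sys/fs/bpf/tetragon/file-tamper-inode/generic_kprobe/"
            "security_inode_create/link")

# The issue's TracingPolicy kprobe, transcribed from its YAML into a dict.
POLICY = {
    "call": "security_inode_create",
    "args": [{"index": 0, "type": "nop"},
             {"index": 1, "type": "dentry"},
             {"index": 2, "type": "int"}],
    "selectors": [{
        "matchArgs": [{"index": 1, "operator": "Prefix", "values": ["/root/test"]}],
        "matchActions": [{"action": "Override", "argError": -1}],
    }],
}

def rule_matches(rule, value):
    """Evaluate one matchArgs rule against a decoded (string) argument."""
    if rule["operator"] == "Prefix":
        return any(value.startswith(v) for v in rule["values"])
    if rule["operator"] == "Equal":
        return value in rule["values"]
    raise ValueError("unsupported operator " + rule["operator"])

def selector_fires(selector, decoded):
    """All matchArgs rules must match; a selector without matchArgs always fires.
    Assumption (models the 'filter passes for everything' hypothesis): a rule
    whose argument could not be decoded (value None) passes instead of failing."""
    for rule in selector.get("matchArgs", []):
        value = decoded.get(rule["index"])
        if value is not None and not rule_matches(rule, value):
            return False
    return True

def override_fires(policy, decoded):
    """True if any selector fires and carries an Override action."""
    return any(selector_fires(s, decoded)
               and any(a["action"] == "Override" for a in s.get("matchActions", []))
               for s in policy["selectors"])

def blocks_own_pin(policy, dentry_decodes=True):
    """Would the policy override the agent's own creation of PIN_PATH?
    dentry_decodes=False models a dentry argument the filter cannot evaluate."""
    if policy["call"] != "security_inode_create":
        return False
    decoded = {a["index"]: (PIN_PATH if dentry_decodes else None)
               for a in policy["args"] if a["type"] == "dentry"}
    return override_fires(policy, decoded)
```

With a working Prefix filter the pin path is left alone; with an unevaluable dentry argument the same policy overrides the agent's own pin, which is the load failure the issue reports.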
