diff --git a/cmd/tetra/commands_linux.go b/cmd/tetra/commands_linux.go
index e770689b5d2..388603b8854 100644
--- a/cmd/tetra/commands_linux.go
+++ b/cmd/tetra/commands_linux.go
@@ -6,6 +6,7 @@ package main
 import (
 "github.com/cilium/tetragon/cmd/tetra/bugtool"
 "github.com/cilium/tetragon/cmd/tetra/dump"
+ "github.com/cilium/tetragon/cmd/tetra/policyfilter"
 "github.com/cilium/tetragon/cmd/tetra/tracingpolicy"
 "github.com/spf13/cobra"
 )
@@ -15,4 +16,5 @@ func addCommands(rootCmd *cobra.Command) {
 rootCmd.AddCommand(bugtool.New())
 rootCmd.AddCommand(tracingpolicy.New())
 rootCmd.AddCommand(dump.New())
+ rootCmd.AddCommand(policyfilter.New())
 }
diff --git a/cmd/tetra/dump/dump.go b/cmd/tetra/dump/dump.go
index 21e54117200..ca444e1746c 100644
--- a/cmd/tetra/dump/dump.go
+++ b/cmd/tetra/dump/dump.go
@@ -60,7 +60,7 @@ func policyfilterCmd() *cobra.Command {
 Short: "dump policyfilter state",
 Args: cobra.ExactArgs(0),
 Run: func(cmd *cobra.Command, _ []string) {
- dumpPolicyfilterState(mapFname)
+ PolicyfilterState(mapFname)
 },
 }
 
@@ -101,12 +101,13 @@ func dumpExecveMap(fname string) {
 }
 }
 
-func dumpPolicyfilterState(fname string) {
+func PolicyfilterState(fname string) {
 m, err := policyfilter.OpenMap(fname)
 if err != nil {
 logger.GetLogger().WithError(err).Fatal("Failed to open policyfilter map")
 return
 }
+ defer m.Close()
 
 data, err := m.Dump()
 if err != nil {
diff --git a/cmd/tetra/policyfilter/policyfilter.go b/cmd/tetra/policyfilter/policyfilter.go
new file mode 100644
index 00000000000..970dee28e44
--- /dev/null
+++ b/cmd/tetra/policyfilter/policyfilter.go
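Review bot: `PolicyfilterState` becomes exported so the new `tetra policyfilter dump` can reuse it, but it gets no doc comment; add `// PolicyfilterState opens the pinned policyfilter map at fname and dumps its contents, terminating the process if the map cannot be opened.` above the signature. The `return` after `Fatal` on the open-error path is unreachable if the logger's Fatal exits the process as logrus's does, and the newly added `defer m.Close()` never runs on that path either, which is harmless but worth knowing when reading it. The rest of the function body lies past the end of the hunk.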
@@ -0,0 +1,101 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package policyfilter
+
+import (
+ "path/filepath"
+ "strconv"
+
+ "github.com/cilium/tetragon/cmd/tetra/dump"
+ "github.com/cilium/tetragon/pkg/cgroups"
+ "github.com/cilium/tetragon/pkg/defaults"
+ "github.com/cilium/tetragon/pkg/logger"
+ "github.com/cilium/tetragon/pkg/policyfilter"
+ "github.com/spf13/cobra"
+)
+
+func New() *cobra.Command {
+ ret := &cobra.Command{
+ Use: "policyfilter",
+ Short: "manage policyfilter map (only for debugging)",
+ Hidden: true,
+ SilenceUsage: true,
+ }
+
+ ret.AddCommand(
+ dumpCmd(),
+ addCommand(),
+ )
+
+ return ret
+}
+
+func dumpCmd() *cobra.Command {
+ mapFname := filepath.Join(defaults.DefaultMapRoot, defaults.DefaultMapPrefix, policyfilter.MapName)
+ ret := &cobra.Command{
+ Use: "dump",
+ Short: "dump policyfilter state",
+ Args: cobra.ExactArgs(0),
+ Run: func(cmd *cobra.Command, _ []string) {
+ dump.PolicyfilterState(mapFname)
+ },
+ }
+
+ flags := ret.Flags()
+ flags.StringVar(&mapFname, "map-fname", mapFname, "policyfilter map filename")
+ return ret
+}
+
+func addCommand() *cobra.Command {
+ var argType string
+ mapFname := filepath.Join(defaults.DefaultMapRoot, defaults.DefaultMapPrefix, policyfilter.MapName)
+ ret := &cobra.Command{
+ Use: "add [policy id] [cgroup]",
+ Short: "add policyfilter entry",
+ Args: cobra.ExactArgs(2),
+ Run: func(cmd *cobra.Command, args []string) {
+ x, err := strconv.ParseUint(args[0], 10, 32)
+ if err != nil {
+ logger.GetLogger().WithError(err).Fatal("Failed to parse policy id")
+ }
+ polID := policyfilter.PolicyID(x)
+
+ var cgID uint64
+ switch argType {
+ case "file":
+ cgID, err = cgroups.GetCgroupIdFromPath(args[1])
+ case "id":
+ cgID, err = strconv.ParseUint(args[1], 10, 32)
+ default:
+ logger.GetLogger().WithField("type", argType).WithError(err).Fatal("Unknown type")
+ }
+
+ if err != nil {
+ logger.GetLogger().WithError(err).Fatal("Failed to parse cgroup")
+ }
+
+ addCgroup(mapFname, polID, policyfilter.CgroupID(cgID))
+ },
+ }
+
+ flags := ret.Flags()
+ flags.StringVar(&argType, "arg-type", "file", "cgroup type (id,file)")
+ flags.StringVar(&mapFname, "map-fname", mapFname, "policyfilter map filename")
+ return ret
+}
+
+func addCgroup(fname string, polID policyfilter.PolicyID, cgID policyfilter.CgroupID) {
+ m, err := policyfilter.OpenMap(fname)
+ if err != nil {
+ logger.GetLogger().WithError(err).Fatal("Failed to open policyfilter map")
+ return
+ }
+ defer m.Close()
+
+ err = m.AddCgroup(polID, cgID)
+ if err != nil {
+ logger.GetLogger().WithError(err).Fatal("Failed to add cgroup id")
+ }
+
+}
diff --git a/pkg/policyfilter/map.go b/pkg/policyfilter/map.go
index 26c207b6360..99bffc8ba37 100644
--- a/pkg/policyfilter/map.go
+++ b/pkg/policyfilter/map.go
@@ -222,3 +222,24 @@ func OpenMap(fname string) (PfMap, error) {
 func (m PfMap) Dump() (map[PolicyID]map[CgroupID]struct{}, error) {
 return m.readAll()
 }
+
+func (m PfMap) AddCgroup(polID PolicyID, cgID CgroupID) error {
+ var innerID uint32
+
+ if err := m.Lookup(&polID, &innerID); err != nil {
+ return fmt.Errorf("failed to lookup policy id %d: %w", polID, err)
+ }
+
+ inMap, err := ebpf.NewMapFromID(ebpf.MapID(innerID))
+ if err != nil {
+ return fmt.Errorf("error opening inner map: %w", err)
+ }
+ defer inMap.Close()
+
+ val := uint8(0)
+ if err := inMap.Update(&cgID, &val, ebpf.UpdateAny); err != nil {
+ return fmt.Errorf("error updating inner map: %w", err)
+ }
+
+ return nil
+}
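Review bot: In `addCommand`, the `id` branch parses the cgroup id with `strconv.ParseUint(args[1], 10, 32)` although the result lands in a `uint64` and the `file` branch fills the same variable from `cgroups.GetCgroupIdFromPath`; cgroup ids are 64-bit values, so any id above 2^32 is rejected as a parse error on this path only. Change it to `cgID, err = strconv.ParseUint(args[1], 10, 64)` so both input forms accept the same range. The `default` branch also logs `.WithError(err)` while `err` still holds the nil result of the policy-id parse, so that field can be dropped. This hidden command writes straight into the live policyfilter map and only `dump` and `add` are registered, so an entry added by mistake cannot be removed from the CLI; a sentence saying so in `Short` or in a doc comment on `New` would help whoever reaches for it.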
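Review bot: `AddCgroup` is a new exported method with no doc comment, and because it writes directly into the pinned BPF map its contract deserves stating; add above the signature: `// AddCgroup inserts cgID into the inner map of policy polID. The policy must already have an entry in the outer map; a missing polID is returned as an error and never created. This bypasses whatever bookkeeping the running agent keeps, so it is meant for debugging only.` The `val := uint8(0)` assumes the inner map's value is one byte; `Update` will reject a mismatched size, but a one-line comment tying it to the map spec would save the next reader a lookup. The error strings also mix `failed to lookup` with `error opening`/`error updating`; picking one form, e.g. `lookup policy id %d: %w`, keeps them uniform.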