tetragon: harden actions a bit #3279
Draft
+710
−468
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
olsajiri
added
the
release-note/minor
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
3 times, most recently
from
7b664dd to
ab3513b
Compare
mtardy
reviewed
Jan 8, 2025
pkg/sensors/base/base.go
Outdated
Comment on lines
109
to
110
| threads := readFileDefault("/proc/sys/kernel/threads-max", 32768) | ||
| ExecveMap.SetMaxEntries(int(threads)) |
There was a problem hiding this comment.
Why do we need this? It seems it will make the size of the execve_map even larger as threads-max is often well above 32K. This will take significant space while running threads-max threads is pretty rare nop?
There was a problem hiding this comment.
I tried this as mitigation for https://github.com/isovalent/security/issues/88 .. I think we need some combination of this change (with some reasonable size for execve_map) and other ways mentioned in the issue
There was a problem hiding this comment.
ah I see, maybe this is one of the cases where NO_PREALLOC could help so that we can dynamically size to a very large map. But I could see how this can lead to memory issues in the future. That's not an easy problem :/
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
2 times, most recently
from
c64e7e4 to
fcfa0a9
Compare
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
kkourt
reviewed
Jan 17, 2025
pkg/option/flags.go
Outdated
| @@ -416,4 +419,6 @@ func AddFlags(flags *pflag.FlagSet) { | |||
| flags.Int(KeyEventCacheRetryDelay, defaults.DefaultEventCacheRetryDelay, "Delay in seconds between event cache retries") | |||
|
|
|||
| flags.Bool(KeyCompatibilitySyscall64SizeType, false, "syscall64 type will produce output of type size (compatibility flag, will be removed in v1.4)") | |||
|
|
|||
| flags.String(KeyExecveMapEntries, "", "Set entries for execve_map table (default 32768)") | |||
There was a problem hiding this comment.
Can we have the default from the actual default value here? If we ever change it, the change should be reflected in help.
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
7 times, most recently
from
db51eba to
44fdaa4
Compare
Adding Maps array to loader LoadOpts object as additional source of user maps for loader maps resolving. This will allow program loader to use user maps pinned to another program and will ease up maps sharing for sensors in following changes. At the moment for simplicity we will pass all the sensors maps, so we filter out user maps before using the array. Signed-off-by: Jiri Olsa <[email protected]>
Passing sensors maps to program loader so the loader has access to all sensor maps. Signed-off-by: Jiri Olsa <[email protected]>
Now that the loader can access all sensor maps we no longer need to pin user maps to programs. Also for static maps we can add new program.MapUserFrom interface where it's enough just to pass map pointer to create its user map. Signed-off-by: Jiri Olsa <[email protected]>
Adding owner info when printing map object, like:
Map{Name:m1 PinPath:m1 Owner: false}
Signed-off-by: Jiri Olsa <[email protected]>
Adding support to allow to setup execve_map max entries, so we can control the size of this map. Signed-off-by: Jiri Olsa <[email protected]>
Adding execve-map-entries option to setup entries of execve_map map. Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Jiri Olsa <[email protected]>
so filter tail call can change it Signed-off-by: Jiri Olsa <[email protected]>
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
from
44fdaa4 to
6922611
Compare
olsajiri
changed the title
Signed-off-by: Jiri Olsa <[email protected]>
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
from
6922611 to
03e3299
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
when execve_map is full, create local process record in kprobe context and use it
to do the filter and execute actions
on user space side such process is tracked as 'unknown'