
policies with the same symbols are broken

Open kkourt opened this issue 1 year ago • 1 comment

Policies that use the same symbols do not currently work. Here's an example:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "multiple-symbols"
spec:
  kprobes:
  - call: __x64_sys_prctl
    args:
    - index: 0
      type: int64
    selectors:
    - matchArgs:
      - index: 0
        operator: Equal
        values:
        - "3"
    syscall: true
    tags:
    - pr_get_dumpable
  - call: __x64_sys_prctl
    args:
    - index: 0
      type: int64
    selectors:
    - matchArgs:
      - index: 0
        operator: Equal
        values:
        - "7"
    syscall: true
    tags:
    - pr_get_keepcaps

When using multi-kprobes, using this policy leads to the following error:

level=fatal msg="Failed to start tetragon" error="failed to get sensors from parser policy: sensor generic_kprobe from collection auditd-policy failed to load: failed prog /home/kkourt/src/hubble-fgs/bpf/objs/bpf_multi_kprobe_v61.o kern_version 394509 loadInstance: attaching 'generic_kprobe_event' failed: couldn't find one or more symbols: file does not exist" 

With multi-kprobes disabled, only part of the policy is applied (typically the one that is defined last). The reason for this seems to be that when using the new bpffs hierarchy (https://github.com/cilium/tetragon/pull/2128), the two calls will end up in the same directory, using the same maps.

Note that in 1.2 this works as expected, because we use different maps for each different hook. e.g.,

gkp-sensor-1-gkp-0-argfilter_maps
gkp-sensor-1-gkp-1-argfilter_maps

kkourt avatar Sep 23 '24 10:09 kkourt

@olsajiri can you PTAL?

When we are not using multi-kprobes, I think it would make sense to add an id to the call in the directory, so that we can separate the two.

kkourt avatar Sep 23 '24 10:09 kkourt
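The failure described in the issue and the per-hook map naming from the 1.2 layout can be checked before a policy is ever loaded. The script below is an added example written for this page, not code from the tetragon project: it scans a TracingPolicy for kprobes that hook the same symbol (the exact condition that breaks loading under multi-kprobe and silently drops entries without it) and reproduces the `gkp-sensor-<id>-gkp-<n>-<map>` map names quoted above so you can see why each hook got its own maps in 1.2. The policy text is a constructed copy of the one in the report; the line-based `- call:` scan and the `lint` wording are assumptions of this example, and the sensor id and map name are parameters, not values read from a running agent.

```python
import re
from collections import defaultdict

# Constructed copy of the two-kprobe policy from the issue (not loaded from a cluster).
POLICY = """\
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "multiple-symbols"
spec:
  kprobes:
  - call: __x64_sys_prctl
    args:
    - index: 0
      type: int64
    selectors:
    - matchArgs:
      - index: 0
        operator: Equal
        values:
        - "3"
    syscall: true
    tags:
    - pr_get_dumpable
  - call: __x64_sys_prctl
    args:
    - index: 0
      type: int64
    selectors:
    - matchArgs:
      - index: 0
        operator: Equal
        values:
        - "7"
    syscall: true
    tags:
    - pr_get_keepcaps
"""

# Matches the `- call: <symbol>` line that opens each kprobe entry. A line-based
# scan is enough for this lint and avoids a YAML dependency; it assumes the
# policy is written in the block style used above (an assumption of this example).
CALL_RE = re.compile(r'^\s*-\s*call:\s*"?([^\s"]+)"?\s*$')


def kprobe_calls(policy_text):
    """Return the kprobe call symbols in the order they appear in the policy."""
    calls = []
    for line in policy_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            calls.append(m.group(1))
    return calls


def duplicate_calls(policy_text):
    """Map each symbol hooked by more than one kprobe to the kprobe indices using it."""
    by_symbol = defaultdict(list)
    for idx, sym in enumerate(kprobe_calls(policy_text)):
        by_symbol[sym].append(idx)
    return {sym: idxs for sym, idxs in by_symbol.items() if len(idxs) > 1}


def legacy_map_names(policy_text, sensor_id=1, map_name="argfilter_maps"):
    """Per-hook map names in the 1.2 layout quoted in the issue:
    gkp-sensor-<sensor>-gkp-<hook index>-<map>. The hook index makes the
    names distinct, so two kprobes on the same symbol never share a map."""
    return [
        f"gkp-sensor-{sensor_id}-gkp-{idx}-{map_name}"
        for idx in range(len(kprobe_calls(policy_text)))
    ]


def lint(policy_text):
    """Human-readable findings; an empty list means no symbol is hooked twice."""
    findings = []
    for sym, idxs in duplicate_calls(policy_text).items():
        findings.append(
            f"symbol {sym} is used by kprobes {idxs}: with multi-kprobe enabled the "
            f"sensor fails to load, and without it only one of the entries is applied"
        )
    return findings


if __name__ == "__main__":
    for finding in lint(POLICY):
        print("WARN:", finding)
    print("1.2-style map names:", legacy_map_names(POLICY))
```

Run it against a policy file's contents before applying the policy; a non-empty `lint` result means the entries should be merged into one kprobe with several selectors, or kept on separate symbols, until the bpffs layout separates hooks on the same call.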