test: add test for kprobes tracing

Signed-off-by: Djalal Harouni <[email protected]>
cilium · Mar 11, 2024 · 0b24d3e · 0b24d3e
1 parent 04e3293
commit 0b24d3e
Showing 1 changed file with 127 additions and 0 deletions.
diff --git a/pkg/sensors/tracing/kprobe_test.go b/pkg/sensors/tracing/kprobe_test.go
@@ -32,6 +32,7 @@ import (
 	"github.com/cilium/tetragon/pkg/jsonchecker"
 	"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
 	"github.com/cilium/tetragon/pkg/kernels"
+	"github.com/cilium/tetragon/pkg/ksyms"
 	"github.com/cilium/tetragon/pkg/logger"
 	bc "github.com/cilium/tetragon/pkg/matchers/bytesmatcher"
 	lc "github.com/cilium/tetragon/pkg/matchers/listmatcher"
@@ -6580,3 +6581,129 @@ spec:
 	err = jsonchecker.JsonTestCheck(t, checker)
 	assert.NoError(t, err)
 }
+
+func TestKprobeTracing(t *testing.T) {
+	var doneWG, readyWG sync.WaitGroup
+	defer doneWG.Wait()
+
+	ctx, cancel := context.WithTimeout(context.Background(), tus.Conf().CmdWaitTime)
+	defer cancel()
+
+	kSymbols, err := ksyms.KernelSymbols()
+	if err != nil {
+		t.Skipf("Skipping test could not fetch kernel symbols: %v", err)
+	}
+
+	arm_kprobe := "arm_kprobe"
+	if kSymbols.IsAvailable(arm_kprobe) == false {
+		// Are we optimized on top of arch ftrace?
+		if kSymbols.IsAvailable("arm_kprobe_ftrace") == true {
+			arm_kprobe = "arm_kprobe_ftrace"
+		} else if kSymbols.IsAvailable("__arm_kprobe") == true {
+			arm_kprobe = "__arm_kprobe"
+		} else if kSymbols.IsAvailable("arch_arm_kprobe") == true {
+			arm_kprobe = "arch_arm_kprobe"
+		} else {
+			t.Skipf("Skipping test could not get appropriate symble for tracing arm kprobes")
+		}
+	}
+
+	disarm_kprobe := "disarm_kprobe"
+	if kSymbols.IsAvailable(disarm_kprobe) == false {
+		// Are we optimized on top of arch ftrace?
+		if kSymbols.IsAvailable("disarm_kprobe_ftrace") == true {
+			disarm_kprobe = "disarm_kprobe_ftrace"
+		} else if kSymbols.IsAvailable("__disarm_kprobe") == true {
+			disarm_kprobe = "__disarm_kprobe"
+		} else if kSymbols.IsAvailable("arch_disarm_kprobe") == true {
+			disarm_kprobe = "arch_disarm_kprobe"
+		} else {
+			t.Skipf("Skipping test could not get appropriate symble for tracing disarm kprobes")
+		}
+	}
+
+	tracingPolicy := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "kprobes-tracing"
+  annotations:
+    description: "Detects kprobes operations"
+spec:
+  kprobes:
+  - call: ` + arm_kprobe + `
+    syscall: false
+    args:
+    - index: 0
+      type: "kprobe"
+    message: "Enable a kprobe (kernel probe)"
+  - call: ` + disarm_kprobe + `
+    syscall: false
+    args:
+    - index: 0
+      type: "kprobe"
+    message: "Disable a kprobe (kernel probe)"
+`
+
+	createCrdFile(t, tracingPolicy)
+	obs, err := observertesthelper.GetDefaultObserverWithFile(t, ctx, testConfigFile, tus.Conf().TetragonLib, observertesthelper.WithMyPid())
+	if err != nil {
+		t.Fatalf("GetDefaultObserverWithFile error: %s", err)
+	}
+	observertesthelper.LoopEvents(ctx, t, &doneWG, &readyWG, obs)
+	readyWG.Wait()
+
+	kpCheckers1 := ec.NewProcessKprobeChecker("").
+		WithMessage(sm.Full("Enable a kprobe (kernel probe)")).
+		WithFunctionName(sm.Full("arm_kprobe")).
+		WithArgs(ec.NewKprobeArgumentListMatcher().
+			WithValues(
+				ec.NewKprobeArgumentChecker().WithKprobeArg(
+					ec.NewKernelProbeChecker().WithOffset(0).
+						WithSymbol(sm.Full("do_sys_open")),
+				),
+			))
+
+	kpCheckers2 := ec.NewProcessKprobeChecker("").
+		WithMessage(sm.Full("Disable a kprobe (kernel probe)")).
+		WithFunctionName(sm.Full("disarm_kprobe")).
+		WithArgs(ec.NewKprobeArgumentListMatcher().
+			WithValues(
+				ec.NewKprobeArgumentChecker().WithKprobeArg(
+					ec.NewKernelProbeChecker().WithOffset(0).
+						WithSymbol(sm.Full("do_sys_open")),
+				),
+			))
+
+	kprobeEvents, err := os.OpenFile("/sys/kernel/debug/tracing/kprobe_events", os.O_APPEND|os.O_WRONLY, 0640)
+	if err != nil {
+		t.Fatalf("open('/sys/kernel/debug/tracing/kprobe_events'): %v", err)
+	}
+	defer kprobeEvents.Close()
+
+	_, err = kprobeEvents.WriteString("p:tetragonkprobe do_sys_open")
+	if err != nil {
+		t.Fatalf("set Kprobe 'tetragonkprobe' error: %s", err)
+	}
+
+	enableKprobe := []byte("1")
+	err = os.WriteFile("/sys/kernel/debug/tracing/events/kprobes/tetragonkprobe/enable", enableKprobe, 0640)
+	if err != nil {
+		t.Fatalf("enable Kprobe error: %s", err)
+	}
+
+	disableKprobe := []byte("0")
+	err = os.WriteFile("/sys/kernel/debug/tracing/events/kprobes/tetragonkprobe/enable", disableKprobe, 0640)
+	if err != nil {
+		t.Fatalf("disable Kprobe 'tetragonkprobe' error: %s", err)
+	}
+
+	_, err = kprobeEvents.WriteString("-:tetragonkprobe")
+	if err != nil {
+		t.Fatalf("clear Kprobe 'tetragonkprobe' error: %s", err)
+	}
+
+	checker := ec.NewUnorderedEventChecker(kpCheckers1, kpCheckers2)
+	err = jsonchecker.JsonTestCheck(t, checker)
+	assert.NoError(t, err)
+}