Djalal Harouni tixxdz

## tetragon_cgroups_hierarchies_fixes.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                tixxdz
                / tetragon_cgroups_hierarchies_fixes.md
            
            
              Last active
              August 29, 2022 21:23
            
              
                Tetragon Cgroupv2 ID and Name fixes
              
          
    Tetragon logs:
Run tetragon standalone then in an other terminal run command id.

Without patch command id on cgroupv2 with only memory and pids controllers

time="2022-08-29T08:49:19+02:00" level=trace msg="process_exec: no container ID due to cgroup name not being a compatible ID, ignoring." cgroup.id=154 cgroup.name=user.slice process.binary=/usr/bin/id process.exec_id=OjQ4OTg5MTU4Mjc3MDY2OjE5MzA1


## gist:534e66734f76c04160adaa1c0c6c9fe3
ime="2022-08-25T09:13:17Z" level=info msg="BPF prog was loaded" label=tracepoint/sys_execve prog=bpf/objs/bpf_execve_event_v53.o
time="2022-08-25T09:13:17Z" level=info msg="Loaded BPF maps and events for sensor successfully" sensor=__main__
time="2022-08-25T09:13:17Z" level=info msg="Cgroup mode detection succeeded" CgroupMode="Unified mode (Cgroupv2)" Cgroupfs=/sys/fs/cgroup
time="2022-08-25T09:13:17Z" level=info msg="Cgroup BPF helpers will run in Cgroupv2 mode or fallback to raw Cgroup on errors" Cgroupfs=/sys/fs/cgroup
time="2022-08-25T09:13:17Z" level=debug msg="Cgroup available controllers" Cgroupfs=/sys/fs/cgroup cgroup.controllers="[cpuset cpu cpuacct freezer]"
time="2022-08-25T09:13:17Z" level=warning msg="Supported cgroup controller 'memory' is not active" Cgroupfs=/sys/fs/cgroup error="controller 'memory' is not active"
time="2022-08-25T09:13:17Z" level=warning msg="Supported cgroup controller 'pids' is not active" Cgroupfs=/sys/fs/cgroup error="controller 'pids' is not active"
time="2022-08-25T09:

## pr_modules_autoload_mode_test.c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/prctl.h>

#include <sys/prctl.h>
#include <sys/ptrace.h>

enum {

## pr_modules_autoload_mode_test.c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/prctl.h>

#include <sys/prctl.h>
#include <sys/ptrace.h>

enum {

## may_autoload_module_new.patch
+int may_autoload_module(struct task_struct *task, char *kmod_name,
+                       int require_cap, char *prefix)
+{
+       unsigned int autoload;
+       int module_require_cap = 0;
+
+       if (require_cap > 0) {
+               if (prefix == NULL || *prefix == '\0')
+                       return -EPERM;
+

## kernel_may_autoload_module.patch
-int may_autoload_module(struct task_struct *task, char *kmod_name, int allow_cap)
+int may_autoload_module(struct task_struct *task, char *kmod_name,
+                       int require_cap, char *prefix)
 {
-       unsigned int autoload = max_t(unsigned int, modules_autoload_mode,
-                                     task->modules_autoload_mode);
+       unsigned int autoload;
+       bool module_require_cap = false;

-       if (autoload == MODULES_AUTOLOAD_ALLOWED)

## pr_modules_autoload_mode_test.c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/prctl.h>

#include <sys/prctl.h>
#include <sys/ptrace.h>

enum {

## pr_modules_autoload.c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/prctl.h>

#include <sys/prctl.h>
#include <sys/ptrace.h>

extern char **environ;

## modautorestrict_test.c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/prctl.h>

#include <sys/prctl.h>
#include <sys/ptrace.h>

extern char **environ;

## prctl_set_pidfs_ptrace_fscreds.c
#include <stdio.h>
#include <unistd.h>
#include <linux/prctl.h>

#include <sys/prctl.h>

int main(int argc, const char **argv)
{
	int ret;
	char *args[2];
	ime="2022-08-25T09:13:17Z" level=info msg="BPF prog was loaded" label=tracepoint/sys_execve prog=bpf/objs/bpf_execve_event_v53.o
	time="2022-08-25T09:13:17Z" level=info msg="Loaded BPF maps and events for sensor successfully" sensor=__main__
	time="2022-08-25T09:13:17Z" level=info msg="Cgroup mode detection succeeded" CgroupMode="Unified mode (Cgroupv2)" Cgroupfs=/sys/fs/cgroup
	time="2022-08-25T09:13:17Z" level=info msg="Cgroup BPF helpers will run in Cgroupv2 mode or fallback to raw Cgroup on errors" Cgroupfs=/sys/fs/cgroup
	time="2022-08-25T09:13:17Z" level=debug msg="Cgroup available controllers" Cgroupfs=/sys/fs/cgroup cgroup.controllers="[cpuset cpu cpuacct freezer]"
	time="2022-08-25T09:13:17Z" level=warning msg="Supported cgroup controller 'memory' is not active" Cgroupfs=/sys/fs/cgroup error="controller 'memory' is not active"
	time="2022-08-25T09:13:17Z" level=warning msg="Supported cgroup controller 'pids' is not active" Cgroupfs=/sys/fs/cgroup error="controller 'pids' is not active"
	time="2022-08-25T09:
	#include <errno.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <linux/prctl.h>

	#include <sys/prctl.h>
	#include <sys/ptrace.h>

	enum {
	+int may_autoload_module(struct task_struct task, char kmod_name,
	+ int require_cap, char *prefix)
	+{
	+ unsigned int autoload;
	+ int module_require_cap = 0;
	+
	+ if (require_cap > 0) {
	+ if (prefix == NULL \|\| *prefix == '\0')
	+ return -EPERM;
	+
	-int may_autoload_module(struct task_struct task, char kmod_name, int allow_cap)
	+int may_autoload_module(struct task_struct task, char kmod_name,
	+ int require_cap, char *prefix)
	{
	- unsigned int autoload = max_t(unsigned int, modules_autoload_mode,
	- task->modules_autoload_mode);
	+ unsigned int autoload;
	+ bool module_require_cap = false;

	- if (autoload == MODULES_AUTOLOAD_ALLOWED)