tetragon/windows: Support Windows create and exit process - sensor changes

This PR lists sensor side changes to support CreateProcess and ExitProcess events.
The program loader needs to load the entire collection of native Windows ebps program image using cilium/ebpf library.
The specs for a native Windows bpf program is not available as it is not in ELF format
This changes the order in which maps are loaded - collection is loaded first which loads maps and programs automatically.

Signed-off-by: Anadi Anadi<[email protected]>

Author: ExceptionalHandler

pkg/sensors/base/base.go

@@ -155,33 +155,6 @@ func GetTetragonConfMap() *program.Map {
 	return TetragonConfMap
 }
 
-func GetDefaultPrograms() []*program.Program {
-	progs := []*program.Program{
-		Exit,
-		Fork,
-		Execve,
-		ExecveBprmCommit,
-	}
-	return progs
-}
-
-func GetDefaultMaps() []*program.Map {
-	maps := []*program.Map{
-		ExecveMap,
-		ExecveJoinMap,
-		ExecveStats,
-		ExecveJoinMapStats,
-		ExecveTailCallsMap,
-		TCPMonMap,
-		TetragonConfMap,
-		StatsMap,
-		MatchBinariesSetMap,
-		ErrMetricsMap,
-	}
-	return maps
-
-}
-
 func initBaseSensor() *sensors.Sensor {
 	sensor := sensors.Sensor{
 		Name: basePolicy,

pkg/sensors/base/base_linux.go

@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package base
+
+import (
+	"github.com/cilium/tetragon/pkg/sensors/program"
+)
+
+func GetDefaultPrograms() []*program.Program {
+	progs := []*program.Program{
+		Exit,
+		Fork,
+		Execve,
+		ExecveBprmCommit,
+	}
+	return progs
+}
+
+func GetDefaultMaps() []*program.Map {
+	maps := []*program.Map{
+		ExecveMap,
+		ExecveJoinMap,
+		ExecveStats,
+		ExecveJoinMapStats,
+		ExecveTailCallsMap,
+		TCPMonMap,
+		TetragonConfMap,
+		StatsMap,
+		MatchBinariesSetMap,
+		ErrMetricsMap,
+	}
+	return maps
+
+}

pkg/sensors/base/base_windows.go

@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package base
+
+import (
+	"github.com/cilium/tetragon/pkg/sensors/program"
+)
+
+var (
+	CreateProcess = program.Builder(
+		"process_monitor.sys",
+		"process",
+		"ProcessMonitor",
+		"process::program",
+		"windows",
+	).SetPolicy(basePolicy)
+
+	ProcessRingBufMap = program.MapBuilder("process_ringbuf", CreateProcess)
+	ProcessPidMap     = program.MapBuilder("process_map", CreateProcess)
+	ProcessCmdMap     = program.MapBuilder("command_map", CreateProcess)
+)
+
+func GetDefaultPrograms() []*program.Program {
+	progs := []*program.Program{
+		CreateProcess,
+	}
+	return progs
+}
+
+func GetDefaultMaps() []*program.Map {
+	maps := []*program.Map{
+		ProcessRingBufMap,
+		ProcessCmdMap,
+		ProcessPidMap,
+	}
+	return maps
+
+}

pkg/sensors/config/confmap/confmap.go

@@ -11,12 +11,12 @@ import (
 	"github.com/cilium/ebpf"
 	"github.com/cilium/tetragon/pkg/cgroups"
 	"github.com/cilium/tetragon/pkg/config"
+	"github.com/cilium/tetragon/pkg/constants"
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/option"
 	"github.com/cilium/tetragon/pkg/sensors/base"
 	"github.com/cilium/tetragon/pkg/sensors/program"
 	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
 )
 
 const (
@@ -122,7 +122,7 @@ func UpdateTgRuntimeConf(mapDir string, nspid int) error {
 		return err
 	}
 
-	if v.CgrpFsMagic == unix.CGROUP2_SUPER_MAGIC {
+	if v.CgrpFsMagic == constants.CGROUP2_SUPER_MAGIC {
 		log.WithFields(logrus.Fields{
 			"confmap-update":     configMapName,
 			"deployment.mode":    deployMode.String(),

pkg/sensors/load.go

@@ -10,6 +10,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/cilium/tetragon/pkg/kernels"
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/option"
 	"github.com/cilium/tetragon/pkg/sensors/program"
@@ -102,6 +103,92 @@ func (s *Sensor) removeDirs() {
 	os.Remove(filepath.Join(s.BpfDir, s.policyDir()))
 }
 
+// Load loads the sensor, by loading all the BPF programs and maps.
+func (s *Sensor) Load(bpfDir string) (err error) {
+	if s == nil {
+		return nil
+	}
+
+	if s.Destroyed {
+		return fmt.Errorf("sensor %s has been previously destroyed, please recreate it before loading", s.Name)
+	}
+
+	logger.GetLogger().WithField("metadata", getCachedBTFFile()).Info("BTF file: using metadata file")
+	if _, err = observerMinReqs(); err != nil {
+		return fmt.Errorf("tetragon, aborting minimum requirements not met: %w", err)
+	}
+
+	var (
+		loadedMaps  []*program.Map
+		loadedProgs []*program.Program
+	)
+
+	s.createDirs(bpfDir)
+	defer func() {
+		if err != nil {
+			for _, m := range loadedMaps {
+				m.Unload(true)
+			}
+			for _, p := range loadedProgs {
+				unloadProgram(p, true)
+			}
+			s.removeDirs()
+		}
+	}()
+
+	l := logger.GetLogger()
+
+	l.WithField("name", s.Name).Info("Loading sensor")
+	if s.Loaded {
+		return fmt.Errorf("loading sensor %s failed: sensor already loaded", s.Name)
+	}
+
+	_, verStr, _ := kernels.GetKernelVersion(option.Config.KernelVersion, option.Config.ProcFS)
+	l.Infof("Loading kernel version %s", verStr)
+
+	if err = s.FindPrograms(); err != nil {
+		return fmt.Errorf("tetragon, aborting could not find BPF programs: %w", err)
+	}
+	if loadedMaps, err = s.preLoadMaps(bpfDir, loadedMaps); err != nil {
+		return err
+	}
+	for _, p := range s.Progs {
+		if p.LoadState.IsLoaded() {
+			l.WithField("prog", p.Name).Info("BPF prog is already loaded, incrementing reference count")
+			p.LoadState.RefInc()
+			continue
+		}
+
+		if err = observerLoadInstance(bpfDir, p, s.Maps); err != nil {
+			return err
+		}
+		p.LoadState.RefInc()
+		loadedProgs = append(loadedProgs, p)
+		l.WithField("prog", p.Name).WithField("label", p.Label).Debugf("BPF prog was loaded")
+	}
+
+	// Add the *loaded* programs and maps, so they can be unloaded later
+	progsAdd(s.Progs)
+	AllMaps = append(AllMaps, s.Maps...)
+
+	if s.PostLoadHook != nil {
+		if err := s.PostLoadHook(); err != nil {
+			logger.GetLogger().WithError(err).WithField("sensor", s.Name).Warn("Post load hook failed")
+		}
+	}
+
+	// cleanup the BTF once we have loaded all sensor's program
+	flushKernelSpec()
+
+	l.WithFields(logrus.Fields{
+		"sensor": s.Name,
+		"maps":   loadedMaps,
+		"progs":  loadedProgs,
+	}).Infof("Loaded BPF maps and events for sensor successfully")
+	s.Loaded = true
+	return nil
+}
+
 func (s *Sensor) Unload(unpin bool) error {
 	logger.GetLogger().Infof("Unloading sensor %s", s.Name)
 	if !s.Loaded {

pkg/sensors/load_linux.go

@@ -17,97 +17,6 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-// Load loads the sensor, by loading all the BPF programs and maps.
-func (s *Sensor) Load(bpfDir string) (err error) {
-	if s == nil {
-		return nil
-	}
-
-	if s.Destroyed {
-		return fmt.Errorf("sensor %s has been previously destroyed, please recreate it before loading", s.Name)
-	}
-
-	logger.GetLogger().WithField("metadata", cachedbtf.GetCachedBTFFile()).Info("BTF file: using metadata file")
-	if _, err = observerMinReqs(); err != nil {
-		return fmt.Errorf("tetragon, aborting minimum requirements not met: %w", err)
-	}
-
-	var (
-		loadedMaps  []*program.Map
-		loadedProgs []*program.Program
-	)
-
-	s.createDirs(bpfDir)
-	defer func() {
-		if err != nil {
-			for _, m := range loadedMaps {
-				m.Unload(true)
-			}
-			for _, p := range loadedProgs {
-				unloadProgram(p, true)
-			}
-			s.removeDirs()
-		}
-	}()
-
-	l := logger.GetLogger()
-
-	l.WithField("name", s.Name).Info("Loading sensor")
-	if s.Loaded {
-		return fmt.Errorf("loading sensor %s failed: sensor already loaded", s.Name)
-	}
-
-	_, verStr, _ := kernels.GetKernelVersion(option.Config.KernelVersion, option.Config.ProcFS)
-	l.Infof("Loading kernel version %s", verStr)
-
-	if err = s.FindPrograms(); err != nil {
-		return fmt.Errorf("tetragon, aborting could not find BPF programs: %w", err)
-	}
-
-	for _, m := range s.Maps {
-		if err = s.loadMap(bpfDir, m); err != nil {
-			return fmt.Errorf("tetragon, aborting could not load sensor BPF maps: %w", err)
-		}
-		loadedMaps = append(loadedMaps, m)
-	}
-
-	for _, p := range s.Progs {
-		if p.LoadState.IsLoaded() {
-			l.WithField("prog", p.Name).Info("BPF prog is already loaded, incrementing reference count")
-			p.LoadState.RefInc()
-			continue
-		}
-
-		if err = observerLoadInstance(bpfDir, p, s.Maps); err != nil {
-			return err
-		}
-		p.LoadState.RefInc()
-		loadedProgs = append(loadedProgs, p)
-		l.WithField("prog", p.Name).WithField("label", p.Label).Debugf("BPF prog was loaded")
-	}
-
-	// Add the *loaded* programs and maps, so they can be unloaded later
-	progsAdd(s.Progs)
-	AllMaps = append(AllMaps, s.Maps...)
-
-	if s.PostLoadHook != nil {
-		if err := s.PostLoadHook(); err != nil {
-			logger.GetLogger().WithError(err).WithField("sensor", s.Name).Warn("Post load hook failed")
-		}
-	}
-
-	// cleanup the BTF once we have loaded all sensor's program
-	btf.FlushKernelSpec()
-
-	l.WithFields(logrus.Fields{
-		"sensor": s.Name,
-		"maps":   loadedMaps,
-		"progs":  loadedProgs,
-	}).Infof("Loaded BPF maps and events for sensor successfully")
-	s.Loaded = true
-	return nil
-}
-
 func (s *Sensor) setMapPinPath(m *program.Map) {
 	policy := s.policyDir()
 	switch m.Type {
@@ -122,6 +31,16 @@ func (s *Sensor) setMapPinPath(m *program.Map) {
 	}
 }
 
+func (s *Sensor) preLoadMaps(bpfDir string, loadedMaps []*program.Map) ([]*program.Map, error) {
+	for _, m := range s.Maps {
+		if err := s.loadMap(bpfDir, m); err != nil {
+			return loadedMaps, fmt.Errorf("tetragon, aborting could not load sensor BPF maps: %w", err)
+		}
+		loadedMaps = append(loadedMaps, m)
+	}
+	return loadedMaps, nil
+}
+
 // loadMap loads BPF map in the sensor.
 func (s *Sensor) loadMap(bpfDir string, m *program.Map) error {
 	l := logger.GetLogger()
@@ -282,3 +201,11 @@ func observerMinReqs() (bool, error) {
 	}
 	return true, nil
 }
+
+func flushKernelSpec() {
+	btf.FlushKernelSpec()
+}
+
+func getCachedBTFFile() string {
+	return cachedbtf.GetCachedBTFFile()
+}