cilium · ExceptionalHandler · Apr 7, 2025 · Apr 2, 2025
@@ -155,33 +155,6 @@ func GetTetragonConfMap() *program.Map {
 	return TetragonConfMap
 }
 
-func GetDefaultPrograms() []*program.Program {
-	progs := []*program.Program{
-		Exit,
-		Fork,
-		Execve,
-		ExecveBprmCommit,
-	}
-	return progs
-}
-
-func GetDefaultMaps() []*program.Map {
-	maps := []*program.Map{
-		ExecveMap,
-		ExecveJoinMap,
-		ExecveStats,
-		ExecveJoinMapStats,
-		ExecveTailCallsMap,
-		TCPMonMap,
-		TetragonConfMap,
-		StatsMap,
-		MatchBinariesSetMap,
-		ErrMetricsMap,
-	}
-	return maps
-
-}
-
 func initBaseSensor() *sensors.Sensor {
 	sensor := sensors.Sensor{
 		Name: basePolicy,

@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package base
+
+import (
+	"github.com/cilium/tetragon/pkg/sensors/program"
+)
+
+func GetDefaultPrograms() []*program.Program {
+	progs := []*program.Program{
+		Exit,
+		Fork,
+		Execve,
+		ExecveBprmCommit,
+	}
+	return progs
+}
+
+func GetDefaultMaps() []*program.Map {
+	maps := []*program.Map{
+		ExecveMap,
+		ExecveJoinMap,
+		ExecveStats,
+		ExecveJoinMapStats,
+		ExecveTailCallsMap,
+		TCPMonMap,
+		TetragonConfMap,
+		StatsMap,
+		MatchBinariesSetMap,
+		ErrMetricsMap,
+	}
+	return maps
+
+}
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package base
+
+import (
+	"github.com/cilium/tetragon/pkg/sensors/program"
+)
+
+var (
+	CreateProcess = program.Builder(
+		"process_monitor.sys",
+		"process",
+		"ProcessMonitor",
+		"process::program",
+		"windows",
+	).SetPolicy(basePolicy)
+
+	ProcessRingBufMap = program.MapBuilder("process_ringbuf", CreateProcess)
+	ProcessPidMap     = program.MapBuilder("process_map", CreateProcess)
+	ProcessCmdMap     = program.MapBuilder("command_map", CreateProcess)
+)
+
+func GetDefaultPrograms() []*program.Program {
+	progs := []*program.Program{
+		CreateProcess,
+	}
+	return progs
+}
+
+func GetDefaultMaps() []*program.Map {
+	maps := []*program.Map{
+		ProcessRingBufMap,
+		ProcessCmdMap,
+		ProcessPidMap,
+	}
+	return maps
+
+}
@@ -11,12 +11,12 @@ import (
 	"github.com/cilium/ebpf"
 	"github.com/cilium/tetragon/pkg/cgroups"
 	"github.com/cilium/tetragon/pkg/config"
+	"github.com/cilium/tetragon/pkg/constants"
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/option"
 	"github.com/cilium/tetragon/pkg/sensors/base"
 	"github.com/cilium/tetragon/pkg/sensors/program"
 	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
 )
 
 const (
@@ -122,7 +122,7 @@ func UpdateTgRuntimeConf(mapDir string, nspid int) error {
 		return err
 	}
 
-	if v.CgrpFsMagic == unix.CGROUP2_SUPER_MAGIC {
+	if v.CgrpFsMagic == constants.CGROUP2_SUPER_MAGIC {
 		log.WithFields(logrus.Fields{
 			"confmap-update":     configMapName,
 			"deployment.mode":    deployMode.String(),

@@ -10,6 +10,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/cilium/tetragon/pkg/kernels"
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/option"
 	"github.com/cilium/tetragon/pkg/sensors/program"
@@ -102,6 +103,92 @@ func (s *Sensor) removeDirs() {
 	os.Remove(filepath.Join(s.BpfDir, s.policyDir()))
 }
 
+// Load loads the sensor, by loading all the BPF programs and maps.
+func (s *Sensor) Load(bpfDir string) (err error) {
+	if s == nil {
+		return nil
+	}
+
+	if s.Destroyed {
+		return fmt.Errorf("sensor %s has been previously destroyed, please recreate it before loading", s.Name)
+	}
+
+	logger.GetLogger().WithField("metadata", getCachedBTFFile()).Info("BTF file: using metadata file")
+	if _, err = observerMinReqs(); err != nil {
+		return fmt.Errorf("tetragon, aborting minimum requirements not met: %w", err)
+	}
+
+	var (
+		loadedMaps  []*program.Map
+		loadedProgs []*program.Program
+	)
+
+	s.createDirs(bpfDir)
+	defer func() {
+		if err != nil {
+			for _, m := range loadedMaps {
+				m.Unload(true)
+			}
+			for _, p := range loadedProgs {
+				unloadProgram(p, true)
+			}
+			s.removeDirs()
+		}
+	}()
+
+	l := logger.GetLogger()
+
+	l.WithField("name", s.Name).Info("Loading sensor")
+	if s.Loaded {
+		return fmt.Errorf("loading sensor %s failed: sensor already loaded", s.Name)
+	}
+
+	_, verStr, _ := kernels.GetKernelVersion(option.Config.KernelVersion, option.Config.ProcFS)
+	l.Infof("Loading kernel version %s", verStr)
+
+	if err = s.FindPrograms(); err != nil {
+		return fmt.Errorf("tetragon, aborting could not find BPF programs: %w", err)
+	}
+	if loadedMaps, err = s.preLoadMaps(bpfDir, loadedMaps); err != nil {
+		return err
+	}
+	for _, p := range s.Progs {
+		if p.LoadState.IsLoaded() {
+			l.WithField("prog", p.Name).Info("BPF prog is already loaded, incrementing reference count")
+			p.LoadState.RefInc()
+			continue
+		}
+
+		if err = observerLoadInstance(bpfDir, p, s.Maps); err != nil {
+			return err
+		}
+		p.LoadState.RefInc()
+		loadedProgs = append(loadedProgs, p)
+		l.WithField("prog", p.Name).WithField("label", p.Label).Debugf("BPF prog was loaded")
+	}
+
+	// Add the *loaded* programs and maps, so they can be unloaded later
+	progsAdd(s.Progs)
+	AllMaps = append(AllMaps, s.Maps...)
+
+	if s.PostLoadHook != nil {
+		if err := s.PostLoadHook(); err != nil {
+			logger.GetLogger().WithError(err).WithField("sensor", s.Name).Warn("Post load hook failed")
+		}
+	}
+
+	// cleanup the BTF once we have loaded all sensor's program
+	flushKernelSpec()
+
+	l.WithFields(logrus.Fields{
+		"sensor": s.Name,
+		"maps":   loadedMaps,
+		"progs":  loadedProgs,
+	}).Infof("Loaded BPF maps and events for sensor successfully")
+	s.Loaded = true
+	return nil
+}
+
 func (s *Sensor) Unload(unpin bool) error {
 	logger.GetLogger().Infof("Unloading sensor %s", s.Name)
 	if !s.Loaded {

@@ -17,97 +17,6 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-// Load loads the sensor, by loading all the BPF programs and maps.
-func (s *Sensor) Load(bpfDir string) (err error) {
-	if s == nil {
-		return nil
-	}
-
-	if s.Destroyed {
-		return fmt.Errorf("sensor %s has been previously destroyed, please recreate it before loading", s.Name)
-	}
-
-	logger.GetLogger().WithField("metadata", cachedbtf.GetCachedBTFFile()).Info("BTF file: using metadata file")
-	if _, err = observerMinReqs(); err != nil {
-		return fmt.Errorf("tetragon, aborting minimum requirements not met: %w", err)
-	}
-
-	var (
-		loadedMaps  []*program.Map
-		loadedProgs []*program.Program
-	)
-
-	s.createDirs(bpfDir)
-	defer func() {
-		if err != nil {
-			for _, m := range loadedMaps {
-				m.Unload(true)
-			}
-			for _, p := range loadedProgs {
-				unloadProgram(p, true)
-			}
-			s.removeDirs()
-		}
-	}()
-
-	l := logger.GetLogger()
-
-	l.WithField("name", s.Name).Info("Loading sensor")
-	if s.Loaded {
-		return fmt.Errorf("loading sensor %s failed: sensor already loaded", s.Name)
-	}
-
-	_, verStr, _ := kernels.GetKernelVersion(option.Config.KernelVersion, option.Config.ProcFS)
-	l.Infof("Loading kernel version %s", verStr)
-
-	if err = s.FindPrograms(); err != nil {
-		return fmt.Errorf("tetragon, aborting could not find BPF programs: %w", err)
-	}
-
-	for _, m := range s.Maps {
-		if err = s.loadMap(bpfDir, m); err != nil {
-			return fmt.Errorf("tetragon, aborting could not load sensor BPF maps: %w", err)
-		}
-		loadedMaps = append(loadedMaps, m)
-	}
-
-	for _, p := range s.Progs {
-		if p.LoadState.IsLoaded() {
-			l.WithField("prog", p.Name).Info("BPF prog is already loaded, incrementing reference count")
-			p.LoadState.RefInc()
-			continue
-		}
-
-		if err = observerLoadInstance(bpfDir, p, s.Maps); err != nil {
-			return err
-		}
-		p.LoadState.RefInc()
-		loadedProgs = append(loadedProgs, p)
-		l.WithField("prog", p.Name).WithField("label", p.Label).Debugf("BPF prog was loaded")
-	}
-
-	// Add the *loaded* programs and maps, so they can be unloaded later
-	progsAdd(s.Progs)
-	AllMaps = append(AllMaps, s.Maps...)
-
-	if s.PostLoadHook != nil {
-		if err := s.PostLoadHook(); err != nil {
-			logger.GetLogger().WithError(err).WithField("sensor", s.Name).Warn("Post load hook failed")
-		}
-	}
-
-	// cleanup the BTF once we have loaded all sensor's program
-	btf.FlushKernelSpec()
-
-	l.WithFields(logrus.Fields{
-		"sensor": s.Name,
-		"maps":   loadedMaps,
-		"progs":  loadedProgs,
-	}).Infof("Loaded BPF maps and events for sensor successfully")
-	s.Loaded = true
-	return nil
-}
-
 func (s *Sensor) setMapPinPath(m *program.Map) {
 	policy := s.policyDir()
 	switch m.Type {
@@ -122,6 +31,16 @@ func (s *Sensor) setMapPinPath(m *program.Map) {
 	}
 }
 
+func (s *Sensor) preLoadMaps(bpfDir string, loadedMaps []*program.Map) ([]*program.Map, error) {
+	for _, m := range s.Maps {
+		if err := s.loadMap(bpfDir, m); err != nil {
+			return loadedMaps, fmt.Errorf("tetragon, aborting could not load sensor BPF maps: %w", err)
+		}
+		loadedMaps = append(loadedMaps, m)
+	}
+	return loadedMaps, nil
+}
+
 // loadMap loads BPF map in the sensor.
 func (s *Sensor) loadMap(bpfDir string, m *program.Map) error {
 	l := logger.GetLogger()
@@ -282,3 +201,11 @@ func observerMinReqs() (bool, error) {
 	}
 	return true, nil
 }
+
+func flushKernelSpec() {
+	btf.FlushKernelSpec()
+}
+
+func getCachedBTFFile() string {
+	return cachedbtf.GetCachedBTFFile()
+}