policy counters

bpf/lib/policy_stats.h

@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+/* Copyright Authors of Tetragon */
+
+#ifndef BPF_POLICYSTATS_H__
+#define BPF_POLICYSTATS_H__
+
+#include "policy_conf.h"
+
+enum policy_actions {
+	POLICY_INVALID_ACT_ = 0,
+	POLICY_POST = 1, /* policy posted an event */
+	POLICY_SIGNAL = 2, /* policy sent a signal */
+	POLICY_MONITOR_SIGNAL = 3, /* policy did not sent a signal because it was in monitor mode */
+	POLICY_OVERRIDE = 4, /* policy overrode a return value */
+	POLICY_MONITOR_OVERRIDE = 5, /* policy did not overrode a return value because it was in monitor mode */
+	POLICY_NOTIFY_ENFORCER = 6, /* policy notified the enforcer */
+	POLICY_MONITOR_NOTIFY_ENFORCER = 7, /* policy did not notify the enforcer because it was in monitor mode */
+	POLICY_NACTIONS_,
+};
+
+struct policy_stats {
+	u64 act_cnt[POLICY_NACTIONS_];
+};
+
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(max_entries, 1);
+	__type(key, __u32);
+	__type(value, struct policy_stats);
+} policy_stats SEC(".maps");
+
+#endif /* BPF_POLICYSTATS_H__ */

bpf/lib/process.h

@@ -10,6 +10,7 @@
 #include "bpf_d_path.h"
 #include "../process/string_maps.h"
 #include "api.h"
+#include "policy_stats.h"
 
 /* Applying 'packed' attribute to structs causes clang to write to the
  * members byte-by-byte, as offsets may not be aligned. This is bad for
@@ -602,10 +603,18 @@ FUNC_INLINE void
 perf_event_output_metric(void *ctx, u8 msg_op, void *map, u64 flags, void *data, u64 size)
 {
 	long err;
+	u32 zero = 0;
+	struct policy_stats *pstats;
 
 	err = perf_event_output(ctx, map, flags, data, size);
-	if (err < 0)
+	if (err < 0) {
 		perf_event_output_update_error_metric(msg_op, err);
+		return;
+	}
+
+	pstats = map_lookup_elem(&policy_stats, &zero);
+	if (pstats)
+		lock_add(&pstats->act_cnt[POLICY_POST], 1);
 }
 
 /**

bpf/process/generic_calls.h

@@ -10,6 +10,7 @@
 #include "types/basic.h"
 #include "vmlinux.h"
 #include "policy_conf.h"
+#include "policy_stats.h"
 #include "generic_path.h"
 #include "bpf_ktime.h"
 
@@ -753,11 +754,14 @@ do_action(void *ctx, __u32 i, struct selector_action *actions, bool *post, bool
 	int argi __maybe_unused;
 	int err = 0;
 	int zero = 0;
+	struct policy_stats *pstats;
+	u32 polacct;
 
 	e = map_lookup_elem(&process_call_heap, &zero);
 	if (!e)
 		return 0;
 
+	polacct = POLICY_INVALID_ACT_;
 	switch (action) {
 	case ACTION_NOPOST:
 		*post = false;
@@ -812,13 +816,21 @@ do_action(void *ctx, __u32 i, struct selector_action *actions, bool *post, bool
 	case ACTION_SIGNAL:
 		signal = actions->act[++i];
 	case ACTION_SIGKILL:
-		if (enforce_mode)
+		if (enforce_mode) {
 			do_action_signal(signal);
+			polacct = POLICY_SIGNAL;
+		} else {
+			polacct = POLICY_MONITOR_SIGNAL;
+		}
 		break;
 	case ACTION_OVERRIDE:
 		error = actions->act[++i];
-		if (enforce_mode)
+		if (enforce_mode) {
 			do_override_action(error);
+			polacct = POLICY_OVERRIDE;
+		} else {
+			polacct = POLICY_MONITOR_OVERRIDE;
+		}
 		break;
 	case ACTION_GETURL:
 	case ACTION_DNSLOOKUP:
@@ -834,14 +846,25 @@ do_action(void *ctx, __u32 i, struct selector_action *actions, bool *post, bool
 		error = actions->act[++i];
 		signal = actions->act[++i];
 		argi = actions->act[++i];
-		if (enforce_mode)
+		if (enforce_mode) {
 			do_action_notify_enforcer(e, error, signal, argi);
+			polacct = POLICY_NOTIFY_ENFORCER;
+		} else {
+			polacct = POLICY_MONITOR_NOTIFY_ENFORCER;
+		}
 		break;
 	case ACTION_CLEANUP_ENFORCER_NOTIFICATION:
 		do_enforcer_cleanup();
 	default:
 		break;
 	}
+
+	if (polacct != POLICY_INVALID_ACT_) {
+		pstats = map_lookup_elem(&policy_stats, &zero);
+		if (pstats)
+			lock_add(&pstats->act_cnt[polacct], 1);
+	}
+
 	if (!err) {
 		e->action = action;
 		return ++i;