tracing: allow configuring policy mode via options

Example: ``` apiVersion: cilium.io/v1alpha1 kind: TracingPolicyNamespaced metadata: name: "enforce-test" namespace: "pizza" spec: options: - name: "policy-mode" value: "enforce" kprobes: ... ``` Signed-off-by: Kornilios Kourtis <[email protected]>
cilium · Feb 13, 2025 · f57c7e8 · f57c7e8
1 parent a3aa5df
commit f57c7e8
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/bpf/lib/policy_conf.h b/bpf/lib/policy_conf.h
@@ -5,6 +5,7 @@
 #ifndef BPF_POLICYCONF_H__
 #define BPF_POLICYCONF_H__
 
+// NB: values should match the ones defined in go (EnforceMode, MonitorMode)
 enum {
 	POLICY_MODE_ENFORCE = 0,
 	POLICY_MODE_MONITOR = 1,

diff --git a/pkg/sensors/tracing/options.go b/pkg/sensors/tracing/options.go
@@ -10,6 +10,7 @@ import (
 	"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1"
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/option"
+	"github.com/cilium/tetragon/pkg/tracingpolicy"
 )
 
 type OverrideMethod int
@@ -18,6 +19,7 @@ const (
 	keyOverrideMethod = "override-method"
 	valFmodRet        = "fmod-ret"
 	valOverrideReturn = "override-return"
+	keyPolicyMode     = "policy-mode"
 )
 
 const (
@@ -42,6 +44,7 @@ type specOptions struct {
 	DisableKprobeMulti bool
 	DisableUprobeMulti bool
 	OverrideMethod     OverrideMethod
+	policyMode         tracingpolicy.Mode
 }
 
 type opt struct {
@@ -79,6 +82,16 @@ var opts = map[string]opt{
 			return nil
 		},
 	},
+	keyPolicyMode: opt{
+		set: func(str string, options *specOptions) (err error) {
+			mode, err := tracingpolicy.ParseMode(str)
+			if err != nil {
+				return err
+			}
+			options.policyMode = mode
+			return nil
+		},
+	},
 }
 
 func getSpecOptions(specs []v1alpha1.OptionSpec) (*specOptions, error) {

diff --git a/pkg/sensors/tracing/policyhandler.go b/pkg/sensors/tracing/policyhandler.go
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/cilium/ebpf"
 	"github.com/cilium/tetragon/pkg/eventhandler"
 	"github.com/cilium/tetragon/pkg/policyfilter"
 	"github.com/cilium/tetragon/pkg/sensors"
@@ -52,12 +53,30 @@ func newPolicyInfo(
 	}, nil
 }
 
+type policyConf struct {
+	mode uint8
+}
+
 func (pi *policyInfo) mapBuilder(name string, prog *program.Program) *program.Map {
 	if _, ok := pi.maps[name]; ok {
 		return program.MapUserPolicy(name, prog)
 	}
 	pi.maps[name] = struct{}{}
 	ret := program.MapBuilderPolicy(name, prog)
+	switch name {
+	case "policy_conf":
+		prog.MapLoad = append(prog.MapLoad, &program.MapLoad{
+			Index: 0,
+			Name:  "policy_conf",
+			Load: func(m *ebpf.Map, pinPathPrefix string, index uint32) error {
+				conf := policyConf{
+					mode: uint8(pi.specOpts.policyMode),
+				}
+				key := uint32(0)
+				return m.Update(key, &conf, ebpf.UpdateAny)
+			},
+		})
+	}
 	return ret
 }