tetragon: improve systemd deployment detection

When we are running as a systemd service, then tetragon will run under a cgroup '$name.service' so match this. Signed-off-by: Djalal Harouni <[email protected]>
cilium · Jun 20, 2024 · 971f4c8 · 971f4c8
1 parent 69b8cd4
commit 971f4c8
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 4 deletions.
diff --git a/pkg/cgroups/cgroups.go b/pkg/cgroups/cgroups.go
@@ -57,8 +57,9 @@ const (
 type DeploymentCode int
 
 type deploymentEnv struct {
-	id  DeploymentCode
-	str string
+	id       DeploymentCode
+	str      string
+	endsWith string
 }
 
 const (
@@ -101,7 +102,9 @@ var (
 		{id: DEPLOY_CONTAINER, str: "docker"},
 		{id: DEPLOY_CONTAINER, str: "podman"},
 		{id: DEPLOY_CONTAINER, str: "libpod"},
-		{id: DEPLOY_SD_SERVICE, str: "system.slice"},
+		// If Tetragon is running as a systemd service, its
+		// cgroup path will end with .service
+		{id: DEPLOY_SD_SERVICE, endsWith: ".service"},
 		{id: DEPLOY_SD_USER, str: "user.slice"},
 	}
 
@@ -291,7 +294,10 @@ func setDeploymentMode(cgroupPath string) error {
 
 	// Last go through the deployments
 	for _, d := range deployments {
-		if strings.Contains(cgroupPath, d.str) {
+		if d.str != "" && strings.Contains(cgroupPath, d.str) {
+			deploymentMode = d.id
+			return nil
+		} else if d.endsWith != "" && strings.HasSuffix(cgroupPath, d.endsWith) == true {
 			deploymentMode = d.id
 			return nil
 		}

diff --git a/pkg/sensors/exec/exec_test.go b/pkg/sensors/exec/exec_test.go
@@ -332,6 +332,45 @@ func TestEventExecveWithUsername(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func TestEventExecveWithUsernameFromProcfs(t *testing.T) {
+	var doneWG, readyWG sync.WaitGroup
+	defer doneWG.Wait()
+
+	ctx, cancel := context.WithTimeout(context.Background(), tus.Conf().CmdWaitTime)
+	defer cancel()
+	option.Config.UsernameMetadata = int(option.USERNAME_METADATA_UNIX)
+	option.Config.HubbleLib = tus.Conf().TetragonLib
+	err := confmap.UpdateTgRuntimeConf(bpf.MapPrefixPath(), os.Getpid())
+	require.NoError(t, err)
+	mode := cgroups.GetDeploymentMode()
+	ns := namespace.GetCurrentNamespace()
+	if (mode != cgroups.DEPLOY_SD_SERVICE && mode != cgroups.DEPLOY_SD_USER) ||
+		!ns.Mnt.IsHost || !ns.User.IsHost {
+		t.Skip()
+	}
+	obs, err := observertesthelper.GetDefaultObserver(t, ctx, tus.Conf().TetragonLib, observertesthelper.WithMyPid())
+	if err != nil {
+		t.Fatalf("Failed to run observer: %s", err)
+	}
+	observertesthelper.LoopEvents(ctx, t, &doneWG, &readyWG, obs)
+	readyWG.Wait()
+
+	rootAccount := ec.NewUserRecordChecker().FromUserRecord(&tetragon.UserRecord{
+		Name: "root",
+	})
+	fmt.Printf(" ****** %v\n", tus.Conf().SelfBinary)
+	procChecker := ec.NewProcessChecker().
+		//WithBinary(sm.Suffix(tus.Conf().SelfBinary)).
+		WithUser(rootAccount)
+
+	execChecker := ec.NewProcessExecChecker("exec").WithProcess(procChecker)
+	exitChecker := ec.NewProcessExitChecker("exit").WithProcess(procChecker)
+	checker := ec.NewUnorderedEventChecker(execChecker, exitChecker)
+
+	err = jsonchecker.JsonTestCheck(t, checker)
+	assert.NoError(t, err)
+}
+
 func TestEventExecveLongPath(t *testing.T) {
 	var doneWG, readyWG sync.WaitGroup
 	defer doneWG.Wait()