new: monitor only mode

[FedeDP]

Description

Today, we default at enforce even for policies that do not support any enforcement.
Introduce a monitor_only mode (that is userspace-only) that:

• stores monitor in ebpf map during startup to avoid falsely reporting enforce
• denies further update to policy mode since the policy does not support enforcement

Example output:

$ ./tetra tracingpolicy list
ID   NAME              STATE     FILTERID   NAMESPACE   SENSORS          KERNELMEMORY   MODE           NPOST   NENFORCE   NMONITOR
1    read-etc-passwd   enabled   0          (global)    generic_kprobe   1.87 MB        monitor_only   0       0          0

$ ./tetra tracingpolicy set-mode read-etc-passwd enforce
Error: failed set mode to "enforce" tracing policy: rpc error: code = Unknown desc = setMode called in a collection that does not support enforcement mode

Changelog

new: monitor only mode

[netlify]

✅ Deploy Preview for tetragon ready!

Name	Link
🔨 Latest commit	4f01264
🔍 Latest deploy log	https://app.netlify.com/projects/tetragon/deploys/69134355fe211700084692ae
😎 Deploy Preview	https://deploy-preview-4316--tetragon.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[kkourt]

Thanks!

Left some comments, but LGTM.

[kkourt]

1 read-etc-passwd enabled 0 (global) generic_kprobe 1.87 MB monitor 0 0 0

One more comment: can we have monitor_only in the list?

[FedeDP]

One more comment: can we have monitor_only in the list?

Well, right now the mode we see there is the one seen by bpf.
I'd avoid having something like:

func (c *collection) mode() tetragon.TracingPolicyMode {
	if c.tracingpolicy == nil || c.state != EnabledState {
		return tetragon.TracingPolicyMode_TP_MODE_UNKNOWN
	}
	if !c.allowModeUpdate {
		return tetragon.TracingPolicyMode_TP_MODE_MONITOR_ONLY
	}

	mode, err := policyconf.PolicyMode(c.tracingpolicy)

because:

• we'd need to add TracingPolicyMode_TP_MODE_MONITOR_ONLY to our grpc api
• we are no more exposing the real bpf value
• i'd prefer to keep the allowModeUpdate information bit private

Do you think that, from an UX perspective, is it that bad not to expose TracingPolicyMode_TP_MODE_MONITOR_ONLY ?

[kkourt]

One more comment: can we have monitor_only in the list?

Well, right now the mode we see there is the one seen by bpf. I'd avoid having something like:

func (c *collection) mode() tetragon.TracingPolicyMode {
	if c.tracingpolicy == nil || c.state != EnabledState {
		return tetragon.TracingPolicyMode_TP_MODE_UNKNOWN
	}
	if !c.allowModeUpdate {
		return tetragon.TracingPolicyMode_TP_MODE_MONITOR_ONLY
	}

	mode, err := policyconf.PolicyMode(c.tracingpolicy)

because:

* we'd need to add `TracingPolicyMode_TP_MODE_MONITOR_ONLY` to our grpc api

* we are no more exposing the real bpf value

* i'd prefer to keep the `allowModeUpdate` information bit private

Do you think that, from an UX perspective, is it that bad not to expose TracingPolicyMode_TP_MODE_MONITOR_ONLY ?

I would say exposing MONITOR_ONY is good to have (but not too bad if we don't do it).
If we do it, however, I would also read the bpf value and check that things make sense.
That is, if bpf is in enforcement mode but userspace is in monitor_only, then something is probably wrong.

[FedeDP]

If we do it, however, I would also read the bpf value and check that things make sense.
That is, if bpf is in enforcement mode but userspace is in monitor_only, then something is probably wrong.

Well i like this use of the new flag. I think it makes sense then, to have this check! Let me update the PR :)

[FedeDP]

Pushed the changes @kkourt !

Also, updated PR description with an updated output from tetra tracingpolicy list.

[FedeDP]

Windows static checks CI is having some problems tracked here: #4330
We can skip it i guess.

[kkourt]

Thanks!

Please find some comments below.

[kkourt]

Can you please add some information in the commit message for new(pkg/policyconf): introduce MonitorOnlyMode. on what is MonitorOnly mode and what is the motivation? I know it seems obvious now, but providing context is helpful both for people without the context we have now and also for our future selves.

Similarly for the other commits. Note that "why" we are doing something is equally (if not more) important that what. Usually, the what can be figured out by looking at the code, but the why is not so easy.

[FedeDP]

I force-pushed the reworded commits; feel free to tell me if there's anything else that you feel like should be improved :)

[kkourt]

Suggestion: How about we keep the mode here? That is, monitor, monitor_only, enforce.

[FedeDP]

I think that using the ebpf map as source of truth is a good thing; i'd avoid storing that info bit in userspace.

[FedeDP]

If we want the mode to be everywhere, we should really push it down to ebpf; lots of ugliness in this PR would go away then.

[kkourt]

comment: I wonder if we could return something else here if the mode is not monitor mode, but I don't have any good ideas. We can leave it as is and revisit as needed.

[FedeDP]

I agree, don't really know what else to return :)