feat(uprobes): add Go string parsing and inline modification

[dwindsor]

Fixes #4827

Description

With the pclntab changes being merged, we now can write policies that target stripped Go binaries. The problem is, pclntab doesn't contain function signature metadata, only function location data (offset + size).

This series adds support for the go_string type and the clearGoString action to Override in TracingPolicy. It requires a fairly complicated descent into the Go ABI internals, but I think the ABI has been stable enough for a while (since 1.18) to make this safe. Basically, since we have the function start location from pclntab, we just need to be able to isolate go string parameters, which are stored as a ([word][u32]) tuple (data_ptr+len). The new Go ABI (ABIInternal) is register based, with predictable slot assignments for types that haven't changed since 1.18. We go:generate the ABI slot mapping at build time, so no hard-coding.

The following figure illustrates how Go datatypes map to register slots on Go 1.18+ (ABIInternal):

 With this, we can use 7384893 (bpf: Allow uprobe program to change context registers) to add the clearGoString action to go_string parameters that contain suspicious (i.e. SQL injection, environment var leak, malicious AI prompt) strings.  We don't return early here, we just make the string inert by clearing it, allowing the application to handle cleanup etc. It's difficult to return from non-LSM functions (lsm gives a lot of guarantees - locks held, refcounts guaranteed, etc).

Changelog

[netlify]

✅ Deploy Preview for tetragon ready!

Name	Link
🔨 Latest commit	34d38ec
🔍 Latest deploy log	https://app.netlify.com/projects/tetragon/deploys/6a01ee76108bde000863ca76
😎 Deploy Preview	https://deploy-preview-4817--tetragon.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[dwindsor]

vmtests CI failing due to a verifier error on < 6.12, will fix:

❌ pkg.sensors.tracing.TestUprobeGoStringArg

[dwindsor]

vmtests failing on kernels that don't have bpf_copy_from_user_str

424: (85) call unknown#233685214
invalid func unknown#233685214

Gating go_string support on the presence of bpf_copy_from_user_str.

[dwindsor]

Thank you for the review @olsajiri! Comments mostly all addressed, a few I have questions on.

CI should be fine, just missing a pr label. Windows CI failing, unrelated:

Looking for regex: \{\"process_exec\"\:\{\"process\"\:\{\"exec_id\"\:\".{16,30}\"\,.{0,1}\"pid\"\:5772\,.{0,1}\"uid\"\:[0-9]{0,9}\,.{0,1}\"binary\"\:\"C:\\\\Windows\\\\system32\\\\notepad.exe\"
Get-Content: D:\a\_temp\f4d56df1-39bf-46f4-8c85-7f80bf400926.ps1:39
Line |
  39 |  $jsonContent = Get-Content -Path $jsonFilePath
     |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot find path 'C:\Program Files\Tetragon\events.json' because it does not exist.
Error: Process completed with exit code 1.

[olsajiri]

please squash this with the commit that adds this test

[dwindsor]

done

[olsajiri]

probe_read_user does not allow faults and the point of preload is that we allow faults,
I think we need to use copy_from_user_task instead

[dwindsor]

Thanks! copy_from_user_task does appear to allow faults (it runs with .might_sleep = true). Updated to use that.

[olsajiri]

this kfunc seems unrelated to the go_string preload

[dwindsor]

Yes, this is strange because the go_string preload indeed doesn't call bpf_copy_from_user_str, yet without this, vmtests fail in CI on kernels that are missing copy_from_user_str. I haven't quite figured out why that is the case yet. See this above comment: #4817 (comment)

[olsajiri]

what if there's more symbols in the uprobe spec? I think we should fail the spec in such case

[dwindsor]

Good point. Updated to reject if the # of arguments isn't exactly 1.

[olsajiri]

could this be called later underIsStrippedPureGoBinary condition?

        if symbols != 0 && f.IsStrippedPureGoBinary() {
                tbl, err := f.Pclntab()
                if err != nil {
                        return nil, fmt.Errorf("failed to parse pclntab: %w", err)
                }

                -> in here

[dwindsor]

Not without the side effect of removing ABI validation on non-stripped binaries. It would be nice if this worked transparently for both cases.

[olsajiri]

curious.. looks like in here we should return 0, warn or error?

[dwindsor]

Yes, you're right. This is a leftover hack from when I was trying to get this working with non-stdlib types.

Returning error now when an unknown type is encountered. We don't want to generate a slot table that's based on guessed slot counts.

Added a unit test to explicitly test for this condition: slot generation for an unknown type.

[olsajiri]

this seems worse to me.. I can't find your previous version, but I think now this is more complicated, sorry..

how about we leave user to configure action.ClearGoString and we validate that user did not provide argsRegs and then we populate argsRegs with the needed register assignment?

[dwindsor]

That's fine, I have no strong opinion on how the action gets translated to registers, I just would rather not allow the user to populate regs whenever it can be fixed up behind the scenes. We'll find a way that works =).

[dwindsor]

Hmm, but aren't we already doing that?

We validate that they didn't provide argRegs:

if len(argRegs) > 0 {
	return errors.New("parseMatchAction: clearGoString cannot be combined with argRegs")
}

Immediately after we populate argRegs using uprobeGoStringClearRegs. I might be missing something you were thinking about though?

[olsajiri]

yes, but I think it's better to do it in uprobe code without theuprobeGoStringClearRegs callback ... just prepare argRegs in uprobe sensor code

[dwindsor]

Ahh I see. Moved the args fixup code to expandClearGoStringActions and call that in addUprobe after elf.SafeOpenFile.

[olsajiri]

it's bit of a shortcut now, but I guess full arch split can wait when we get another arch support

[dwindsor]

Yeah other arch support will be tiny PRs compared to this.

The reason this PR is so massive is that it adds the Go ABI slot generation code and updates CRDs. I didn't want to add that in a separate PR without a user, hence we have it here in this PR with the most useful (in my opinion) type to write policies against (strings).

[olsajiri]

nit, no need for this to be global

[olsajiri]

I dont understand this change.. no nee dto move this right?

[olsajiri]

I think we need to add go_string_type to type_to_min_size

[olsajiri]

I think this looks better now, but should it also check there is actualy argument with go_string in the spec? otherwise the ValidateGoABI won't be called later on

[olsajiri]

I think we expect (__u32) -1 as error.. anything else is interpreted as depth error during resolve (getArgStatus)

[olsajiri]

is this needed? I get clean build without it

[olsajiri]

this seems to break make codegen:

...
go generate ./pkg/sensors/tracing/...
2026/05/14 09:35:16 write pkg/sensors/tracing/goabi_slots_gen.go: open pkg/sensors/tracing/goabi_slots_gen.go: no such file or directory
exit status 1