use my debug image

deploy/operator.yaml

@@ -3253,7 +3253,7 @@ metadata:
   name: security-profiles-operator
   namespace: security-profiles-operator
 spec:
-  replicas: 3
+  replicas: 1
   selector:
     matchLabels:
       app: security-profiles-operator
@@ -3291,7 +3291,7 @@ spec:
               fieldPath: spec.nodeName
         - name: KUBELET_DIR
           value: /var/lib/kubelet
-        image: gcr.io/k8s-staging-sp-operator/security-profiles-operator:latest
+        image: ghcr.io/mhils/security-profiles-operator:latest
         imagePullPolicy: Always
         name: security-profiles-operator
         resources:

internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c

@@ -2,6 +2,7 @@
 
 #include <linux/limits.h>
 
+#include "bpf_d_path_tetragon.h"
 #include "bpf_d_path_cursed.h"
 #include <asm-generic/errno.h>
 #include <bpf/bpf_core_read.h>
@@ -59,8 +60,8 @@ char LICENSE[] SEC("license") = "Dual BSD/GPL";
 #endif
 
 // toggle this for additional debug output
-#define trace_hook(...)
-// #define trace_hook(...) bpf_printk(__VA_ARGS__)
+// #define trace_hook(...)
+#define trace_hook(...) bpf_printk(__VA_ARGS__)
 
 // Keep track of all mount namespaces that should be (temporarily) excluded from
 // recording. When running in Kubernetes, we generally ignore the host mntns.
@@ -231,8 +232,17 @@ static __always_inline void debug_path_d(struct path * filename,
     }
     bpf_d_path_cursed(filename, event2->data, sizeof(event2->data));
 
-    bpf_printk("debug_path_d mntns=%u comm=%s\n bpf_d_path=%s\n cursd_path=%s",
-               mntns, comm, event->data, event2->data);
+    int size = 0, flags = 0;
+    char * tetra = d_path_local(filename, &size, &flags);
+    if (!tetra) {
+        bpf_ringbuf_discard(event, 0);
+        bpf_ringbuf_discard(event2, 0);
+        bpf_printk("tetra failed");
+        return;
+    }
+
+    bpf_printk("debug_path_d mntns=%u comm=%s\n bpf_d_path=%s\n cursd_path=%s\n tetra_path=%s",
+               mntns, comm, event->data, event2->data, tetra);
     bpf_ringbuf_discard(event, 0);
     bpf_ringbuf_discard(event2, 0);
 }
@@ -262,7 +272,8 @@ static __always_inline int register_fs_event(struct path * filename,
                      pid == _file_event_pid;
     bool flags_are_subset = (flags | _file_event_flags) == _file_event_flags;
     if (same_file && flags_are_subset) {
-        trace_hook("register_file_event skipped");
+        // very noisy
+        // trace_hook("register_file_event skipped");
         return 0;
     }
 
@@ -334,7 +345,8 @@ static __always_inline int register_file_event(struct file * file, u64 flags)
 SEC("lsm/file_open")
 int BPF_PROG(file_open, struct file * file)
 {
-    trace_hook("file_open");
+    // very noisy
+    // trace_hook("file_open");
     u64 flags = 0;
     if (file->f_mode & FMODE_READ) {
         flags |= FLAG_READ;
@@ -351,7 +363,8 @@ int BPF_PROG(file_open, struct file * file)
 SEC("lsm/file_lock")
 int BPF_PROG(file_lock, struct file * file)
 {
-    trace_hook("file_lock");
+    // very noisy
+    // trace_hook("file_lock");
     return register_file_event(file, FLAG_WRITE);
 }
 
@@ -410,7 +423,9 @@ SEC("lsm/path_unlink")
 int BPF_PROG(path_unlink, struct path * dir, struct dentry * dentry)
 {
     trace_hook("path_unlink");
+    debug_path_d(dir, false);
     struct path path = make_path(dentry, dir);
+    debug_path_d(&path, false);
     return register_fs_event(&path, 0, FLAG_READ | FLAG_WRITE, true);
 }
 
@@ -485,7 +500,8 @@ int sys_enter_prctl(struct trace_event_raw_sys_enter * ctx)
     u32 mntns = get_mntns();
     if (!mntns)
         return 0;
-    trace_hook("sys_enter_prctl");
+    // noisy
+    // trace_hook("sys_enter_prctl");
 
     // Handle runc init.
     //
@@ -506,6 +522,27 @@ int sys_enter_prctl(struct trace_event_raw_sys_enter * ctx)
     return 0;
 }
 
+SEC("tracepoint/syscalls/sys_enter_unlink")
+int sys_enter_unlink(struct trace_event_raw_sys_enter * ctx)
+{
+    u32 mntns = get_mntns();
+    if (!mntns)
+        return 0;
+    trace_hook("sys_enter_unlink %s", ctx->args[0]);
+    return 0;
+}
+
+
+SEC("tracepoint/syscalls/sys_enter_unlinkat")
+int sys_enter_unlinkat(struct trace_event_raw_sys_enter * ctx)
+{
+    u32 mntns = get_mntns();
+    if (!mntns)
+        return 0;
+    trace_hook("sys_enter_unlinkat %s", ctx->args[1]);
+    return 0;
+}
+
 SEC("tracepoint/sched/sched_process_exec")
 int sched_process_exec(struct trace_event_raw_sched_process_exec * ctx)
 {

internal/pkg/daemon/bpfrecorder/bpfrecorder.go

@@ -464,11 +464,13 @@ func (b *BpfRecorder) Load() (err error) {
 		return fmt.Errorf("load bpf module: %w", err)
 	}
 	b.module = module
+	b.logger.Info("Loading done. Program collections..")
 	programs, err := newProgramCollection(b, b.logger, module, baseHooks)
 	if err != nil {
 		return err
 	}
 	b.bpfPrograms = programs
+	b.logger.Info("AppArmor.Load() %v %v", b.AppArmor, b.bpfPrograms)
 	if b.AppArmor != nil {
 		if err := b.AppArmor.Load(b); err != nil {
 			// Only log an error here, if Apparmor cannot be loaded. This is because it is
@@ -953,6 +955,7 @@ func (b *BpfRecorder) WaitForPidExit(ctx context.Context, pid uint32) error {
 }
 
 func BPFLSMEnabled() bool {
+	return true
 	contents, err := os.ReadFile("/sys/kernel/security/lsm")
 	if err != nil {
 		return false

internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go

@@ -51,6 +51,8 @@ var appArmorHooks = []string{
 	"path_mknod",
 	"path_unlink",
 	"bprm_check_security",
+	"sys_enter_unlink",
+	"sys_enter_unlinkat",
 	"sys_enter_socket",
 	"cap_capable",
 }