Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: filter dispatching to signatures #3729

Merged
merged 2 commits into from Dec 19, 2023
Merged

fix: filter dispatching to signatures #3729

merged 2 commits into from Dec 19, 2023

Conversation

NDStrahilevitz
Copy link
Collaborator

1. Explain what the PR does

1840ee1 fix: clean up untraced signatures

2. Explain how to test it

See the linked below issue.

3. Other comments

Fix #3656

@NDStrahilevitz NDStrahilevitz self-assigned this Dec 4, 2023
@rafaeldtinoco
Copy link
Contributor

@josedonizetti I will let you review this one. I would not merge until E2E tests are cleared though.

@rafaeldtinoco rafaeldtinoco removed their request for review December 4, 2023 15:12
@NDStrahilevitz
Copy link
Collaborator Author

@josedonizetti I will let you review this one. I would not merge until E2E tests are cleared though.

Agreed, also want to clear with E2E, but seems like they are currently broken.

@rafaeldtinoco
Copy link
Contributor

Agreed, also want to clear with E2E, but seems like they are currently broken.

That is exactly why I said that. Not because this change.

@NDStrahilevitz
Copy link
Collaborator Author

That is exactly why I said that. Not because this change.

Meant that I want to also specifically pre-run this on the E2E before merging, not just (hopefully) have it green post merge. Anyway we agree :p

@rafaeldtinoco
Copy link
Contributor

That is exactly why I said that. Not because this change.

Meant that I want to also specifically pre-run this on the E2E before merging, not just (hopefully) have it green post merge. Anyway we agree :p

I agree to you agreeing with my agreement. Thanks.

@rafaeldtinoco
Copy link
Contributor

Related to this change ? https://github.com/aquasecurity/tracee/actions/runs/7090197920/job/19296758500?pr=3729#step:4:2873

@NDStrahilevitz
Copy link
Collaborator Author

NDStrahilevitz commented Dec 5, 2023
edited

Related to this change ? https://github.com/aquasecurity/tracee/actions/runs/7090197920/job/19296758500?pr=3729#step:4:2873

Seems possible since I did a small change with event dependencies, I need to check. Didn't bother checking for now since I was occupied with other things and e2es were still red.

@rafaeldtinoco
Copy link
Contributor

Didn't bother checking for now since I was occupied with other things and e2es were still red.

NO rush on my end! Take your time and thanks.

@NDStrahilevitz
fix(sigs): ignore non tracee event selectors
67ceffe 
When creating event definitions for loaded signatures, the code would
attempt to load all selected events from the core definitions. We only
support core event dependencies right now, but when we separate event
groups, the "Source" field is the likely candidate to indicate the
difference.
As such, for now we should only create a dependency if the selector
declares "tracee" as its source.
@NDStrahilevitz NDStrahilevitz changed the title fix: clean up untraced signatures fix: filter dispatching to signatures Dec 13, 2023
rafaeldtinoco
rafaeldtinoco reviewed Dec 14, 2023
View reviewed changes
pkg/signatures/engine/engine.go Outdated
Enabled bool // Enables the signatures engine to run in the events pipeline
SigNameToEventID map[string]int32 // Cache of loaded signature event names to event ids, used to filter in dispatching
// Callback from tracee to determine if event should be dispatched to signature.
// This is done as a callback becaues importing the events package breaks compilation.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It brakes compilation because of tracee-rules, right ?

# github.com/aquasecurity/tracee/cmd/tracee-rules
/usr/lib/go/pkg/tool/linux_amd64/link: running clang failed: exit status 1
/bin/ld: /tmp/go-link-2441279820/000028.o: in function `_cgo_a979db4ce92c_Cfunc_bpf_btf_get_fd_by_id':
/tmp/go-build/btf.cgo2.c:54:(.text+0x12): undefined reference to `bpf_btf_get_fd_by_id'
/bin/ld: /tmp/go-link-2441279820/000030.o: in function `_cgo_a979db4ce92c_Cfunc_perf_buffer__free':
/tmp/go-build/buf-perf.cgo2.c:49:(.text+0x4): undefined reference to `perf_buffer__free'
/bin/ld: /tmp/go-link-2441279820/000030.o: in function `_cgo_a979db4ce92c_Cfunc_perf_buffer__poll':
/tmp/go-build/buf-perf.cgo2.c:67:(.text+0x26): undefined reference to `perf_buffer__poll'
/bin/ld: /tmp/go-link-2441279820/000031.o: in function `_cgo_a979db4ce92c_Cfunc_ring_buffer__free':
/tmp/go-build/buf-ring.cgo2.c:49:(.text+0x4): undefined reference to `ring_buffer__free'
/bin/ld: /tmp/go-link-2441279820/000031.o: in function `_cgo_a979db4ce92c_Cfunc_ring_buffer__poll':
/tmp/go-build/buf-ring.cgo2.c:67:(.text+0x26): undefined reference to `ring_buffer__poll'

Meaning, tracee-rules doesn't link libbpf on its binary. It wouldn't be a problem for single binary, right ? Funny because this change is to fix single-binary.

  • Either way I would improve this comment to mention all that (historically wise).

A callback is a creative way of picking eventStates, but when we consider the "eventStates" and the fact that we will have a policy coordinator (which @josedonizetti is working on I believe), then this is temporary. So, together with the comment I would mention that it should be changed by the policy orchestrator (forgot the name now) and maybe link the issue to it.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you know what the issue id for that is? And i'll expand the comment appropriately and merge.

rafaeldtinoco
rafaeldtinoco reviewed Dec 14, 2023
View reviewed changes
Copy link
Contributor

@rafaeldtinoco rafaeldtinoco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left single comment about next steps IMO, LGTM as a mitigation for the current problem.

rafaeldtinoco
rafaeldtinoco approved these changes Dec 14, 2023
View reviewed changes
Copy link
Contributor

@rafaeldtinoco rafaeldtinoco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after comment is addressed for next steps.

@NDStrahilevitz
fix(engine): don't dispatch to untraced signatures
e0677e0 
Up to this commit, all signatures would be loaded to the engine even if
tracing them was not requested. This would consume runtime resources,
and potentially cause unexpected logs from signatures which are
supposodely disabled.

Fix this by verifying at the signature engine if events are dispatched
to currently traced signatures (as events). In the future, disabling
events through the gRPC API should trigger a change in the event state
reflected at this filter stage.
@NDStrahilevitz NDStrahilevitz merged commit 6933b98 into aquasecurity:main Dec 19, 2023
30 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rafaeldtinoco rafaeldtinoco rafaeldtinoco approved these changes

@josedonizetti josedonizetti Awaiting requested review from josedonizetti

Assignees

@NDStrahilevitz NDStrahilevitz

Labels
area/ebpf area/signatures area/testing area/UX kind/bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Signatures receive events from pipeline even when are not used
2 participants
@NDStrahilevitz @rafaeldtinoco