WIP

cilium · May 15, 2023 · b37a0bc · b37a0bc
1 parent 037490f
commit b37a0bc
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 27 deletions.
diff --git a/pkg/filters/pidSet.go b/pkg/filters/pidSet.go
@@ -20,44 +20,76 @@ import (
 	"github.com/cilium/tetragon/api/v1/tetragon"
 	v1 "github.com/cilium/tetragon/pkg/oldhubble/api/v1"
 	hubbleFilters "github.com/cilium/tetragon/pkg/oldhubble/filters"
+	lru "github.com/hashicorp/golang-lru/v2"
 )
 
-func filterByPidSet(pids []uint32, pidSet map[uint32]bool) hubbleFilters.FilterFunc {
-	return func(ev *v1.Event) bool {
-		process := GetProcess(ev)
-		if process == nil {
-			return false
-		}
-		for _, pid := range pids {
-			if pid == process.Pid.GetValue() {
-				pidSet[pid] = true
-				return true
-			}
-		}
-		parent := GetParent(ev)
-		if parent == nil {
-			return false
-		}
-		if pidSet[parent.Pid.GetValue()] == true {
+type ChildrenCache = lru.Cache[uint32, struct{}]
+
+const (
+	childrenCacheSize = 8192
+)
+
+func checkPidSetMembership(pid uint32, pidSet []uint32, childrenCache *ChildrenCache) bool {
+	// Check the original pidSet. The reason for doing this separately is that we never
+	// want to drop the original pidSet from the LRU. Keeping this separately in a slice
+	// is an easy way to achieve this.
+	for _, p := range pidSet {
+		if pid == p {
 			return true
 		}
-		for _, pid := range pids {
-			if pid == parent.Pid.GetValue() {
-				pidSet[pid] = true
-				return true
-			}
-		}
+	}
+	// Fall back to childrenCache to check children.
+	_, ok := childrenCache.Get(pid)
+	return ok
+}
+
+func eventIsInPidSet(ev *v1.Event, pidSet []uint32, childrenCache *ChildrenCache) bool {
+	process := GetProcess(ev)
+	if process == nil {
 		return false
 	}
+
+	// Check the process against our cache
+	pid := process.Pid.GetValue()
+	if checkPidSetMembership(pid, pidSet, childrenCache) {
+		return true
+	}
+
+	parent := GetParent(ev)
+	if parent == nil {
+		return false
+	}
+
+	// Check the parent against our cache
+	ppid := parent.Pid.GetValue()
+	if checkPidSetMembership(ppid, pidSet, childrenCache) {
+		// Add our own PID to the children cache so that we can match our future children
+		childrenCache.Add(pid, struct{}{})
+		return true
+	}
+
+	// No matches, return false
+	return false
+}
+
+func filterByPidSet(pidSet []uint32, childrenCache *ChildrenCache) hubbleFilters.FilterFunc {
+	return func(ev *v1.Event) bool {
+		return eventIsInPidSet(ev, pidSet, childrenCache)
+	}
 }
 
 type PidSetFilter struct{}
 
 func (f *PidSetFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
-	pidSet := make(map[uint32]bool)
 	var fs []hubbleFilters.FilterFunc
 	if ff.PidSet != nil {
-		fs = append(fs, filterByPidSet(ff.PidSet, pidSet))
+		childrenCache, err := lru.New[uint32, struct{}](childrenCacheSize)
+		if err != nil {
+			return nil, err
+		}
+
+		pidSet := ff.PidSet
+		fs = append(fs, filterByPidSet(pidSet, childrenCache))
 	}
 	return fs, nil
 }
diff --git a/pkg/sensors/test/lseek_test.go b/pkg/sensors/test/lseek_test.go
@@ -40,7 +40,7 @@ func TestSensorLseekLoad(t *testing.T) {
 		ec.NewTestChecker(""),
 	)
 
-	obs, err := observer.GetDefaultObserver(t, ctx, tus.Conf().TetragonLib, observer.WithMyPid())
+	obs, err := observer.GetDefaultObserver(t, ctx, tus.Conf().TetragonLib)
 	if err != nil {
 		t.Fatalf("GetDefaultObserver error: %s", err)
 	}
@@ -69,7 +69,7 @@ func TestSensorLseekEnable(t *testing.T) {
 		ec.NewTestChecker(""),
 	)
 
-	obs, err := observer.GetDefaultObserver(t, ctx, tus.Conf().TetragonLib, observer.WithMyPid())
+	obs, err := observer.GetDefaultObserver(t, ctx, tus.Conf().TetragonLib)
 	if err != nil {
 		t.Fatalf("GetDefaultObserver error: %s", err)
 	}