add matchBinary NotPrefix operator

Add it in BPF, in the CRD validation and in the selector parser.

Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>

bpf/process/types/basic.h

@@ -1496,6 +1496,7 @@ static inline __attribute__((always_inline)) int match_binaries(__u32 selidx)
 			match = do_filter_char_buf_equal(selector_options->mapidx, execve->binary_path.path, execve->binary_path.path_length);
 			break;
 		case op_filter_str_prefix:
+		case op_filter_str_notprefix:
 			match = match_binaries_prefix(selidx, execve);
 			break;
 		}

pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml

@@ -350,6 +350,7 @@ spec:
                                   - In
                                   - NotIn
                                   - Prefix
+                                  - NotPrefix
                                   type: string
                                 values:
                                   description: Value to compare the argument against.
@@ -899,6 +900,7 @@ spec:
                                   - In
                                   - NotIn
                                   - Prefix
+                                  - NotPrefix
                                   type: string
                                 values:
                                   description: Value to compare the argument against.
@@ -1273,6 +1275,7 @@ spec:
                                   - In
                                   - NotIn
                                   - Prefix
+                                  - NotPrefix
                                   type: string
                                 values:
                                   description: Value to compare the argument against.

pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml

@@ -350,6 +350,7 @@ spec:
                                   - In
                                   - NotIn
                                   - Prefix
+                                  - NotPrefix
                                   type: string
                                 values:
                                   description: Value to compare the argument against.
@@ -899,6 +900,7 @@ spec:
                                   - In
                                   - NotIn
                                   - Prefix
+                                  - NotPrefix
                                   type: string
                                 values:
                                   description: Value to compare the argument against.
@@ -1273,6 +1275,7 @@ spec:
                                   - In
                                   - NotIn
                                   - Prefix
+                                  - NotPrefix
                                   type: string
                                 values:
                                   description: Value to compare the argument against.

pkg/k8s/apis/cilium.io/v1alpha1/types.go

@@ -81,7 +81,7 @@ type KProbeArg struct {
 }
 
 type BinarySelector struct {
-	// +kubebuilder:validation:Enum=In;NotIn;Prefix
+	// +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix
 	// Filter operation.
 	Operator string `json:"operator"`
 	// Value to compare the argument against.

pkg/selectors/kernel.go

@@ -1176,7 +1176,7 @@ func ParseMatchBinary(k *KernelSelectorState, b *v1alpha1.BinarySelector, selIdx
 	sel.Op = op
 
 	switch op {
-	case SelectorOpPrefix:
+	case SelectorOpPrefix, SelectorOpNotPrefix:
 		writePrefixBinaries(k, b.Values)
 	case SelectorOpIn, SelectorOpNotIn:
 		maps := NewStringMaps()
@@ -1194,7 +1194,7 @@ func ParseMatchBinary(k *KernelSelectorState, b *v1alpha1.BinarySelector, selIdx
 		mapDetails := k.insertStringMaps(maps)
 		copy(sel.Mapidx[:], mapDetails[:])
 	default:
-		return fmt.Errorf("matchBinary error: Only \"In\", \"NotIn\" and \"Prefix\" operators are supported")
+		return fmt.Errorf("matchBinary error: Only \"In\", \"NotIn\", \"Prefix\" and \"NotPrefix\" operators are supported")
 	}
 
 	k.AddMatchBinaries(selIdx, sel)