bugfix: matchBinaries in multiple selectors
Using the following tracing policy:

    kprobes:
    - call: "fd_install"
      syscall: false
      args:
      - index: 0
        type: int
      - index: 1
        type: "file"
      selectors:
      - matchBinaries:
        - operator: "In"
          values:
          - "/usr/bin/cat"
        matchArgs:
        - index: 1
          operator: "Equal"
          values:
          - "/etc/passwd"
      - matchBinaries:
        - operator: "In"
          values:
          - "/usr/bin/tail"
        matchArgs:
        - index: 1
          operator: "Equal"
          values:
          - "/etc/shadow"

we expect to get events if:

    [ binary == /usr/bin/cat AND arg1 == /etc/passwd ] OR
    [ binary == /usr/bin/tail AND arg1 == /etc/shadow ]

Using the previous tracing policy and running:

    /usr/bin/cat /etc/passwd && /usr/bin/cat /etc/shadow && /usr/bin/tail /etc/passwd && /usr/bin/tail /etc/shadow

We get events for all of these.

The issue is that in #686 we use a single map for all matchBinaries selectors. That makes the previous tracing policy behave as:

    [ (binary == /usr/bin/cat OR binary == /usr/bin/tail) AND arg1 == /etc/passwd ] OR
    [ (binary == /usr/bin/cat OR binary == /usr/bin/tail) AND arg1 == /etc/shadow ]

This patch fixes that issue. We move from a BPF_MAP_TYPE_HASH to a BPF_MAP_TYPE_HASH_OF_MAPS. We index the outer map based on selector ID and the inner map is exactly the same as the one we used in #686.

Based on the previous tracing policy, the user side will generate the names_map and sel_names_map.

names_map is shared among all selectors that have matchBinaries. Each distinct binary name will appear in the names_map with a unique value per entry (> 0). The contents of the names_map for the previous tracing policy will be:

    names_map["/usr/bin/cat"] = 1
    names_map["/usr/bin/tail"] = 2

Whenever we have an execve event, we check the execve binary name and, if it is inside names_map, we set execve_map_value->binary to the value of that entry. If we cannot find that entry inside names_map, we set execve_map_value->binary equal to 0, which means that this binary name is nowhere in all matchBinaries.

Based on that we also generate the sel_names_map. This is a BPF_MAP_TYPE_HASH_OF_MAPS map where we index in the outer map using the selector ID and we index in the inner map using the execve_map_value->binary. If that exists, then matchBinary will be matched. The contents of the sel_names_map based on the previous tracing policy will be:

    sel_names_map[0 /* sel_index */ ] = {
        hash_map[1 /* value of cat in names_map */] = 1 /* always 1 for now */
    }
    sel_names_map[1 /* sel_index */ ] = {
        hash_map[2 /* value of tail in names_map */] = 1 /* always 1 for now */
    }

Finally, if sel_names_map[sel_idx] is NULL this means that the specific selector does not contain a matchBinaries action. If sel_names_map[sel_idx].hash_map[idx] is NULL this means that we don't care about the specific binary.

Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
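The following is an added user-space model of the two map layouts described in the commit message; it is not Tetragon's own code and the Go types (Selector, Event, BuildNamesMap, BuildSelNamesMap, MatchingSelectors) are hypothetical names chosen for the illustration. It builds names_map and sel_names_map from the policy above and evaluates the four constructed (binary, arg1) events once with the pre-fix shared-map semantics of #686 and once with the per-selector hash-of-maps semantics, so the difference in which selectors fire can be checked directly.

```go
package main

import (
	"fmt"
	"sort"
)

// Selector mirrors one entry of the policy's `selectors` list: a matchBinaries
// list (operator In) and one matchArgs Equal check on arg index 1.
// Hypothetical model type, not Tetragon's own.
type Selector struct {
	Binaries []string // matchBinaries values
	Arg1     string   // matchArgs index 1, operator Equal
}

// Event is a constructed (binary, arg1) pair, e.g. `/usr/bin/cat /etc/passwd`.
type Event struct {
	Binary string
	Arg1   string
}

// Policy is the two-selector tracing policy from the commit message.
var Policy = []Selector{
	{Binaries: []string{"/usr/bin/cat"}, Arg1: "/etc/passwd"},
	{Binaries: []string{"/usr/bin/tail"}, Arg1: "/etc/shadow"},
}

// BuildNamesMap assigns every distinct binary across all selectors a unique
// value > 0 in order of first appearance; 0 is reserved for "in no list".
func BuildNamesMap(policy []Selector) map[string]uint32 {
	names := map[string]uint32{}
	var next uint32 = 1
	for _, sel := range policy {
		for _, b := range sel.Binaries {
			if _, ok := names[b]; !ok {
				names[b] = next
				next++
			}
		}
	}
	return names
}

// BuildSelNamesMap models the hash-of-maps: the outer key is the selector
// index, the inner map is keyed by the names_map value and always holds 1.
// A selector without matchBinaries gets no inner map (nil), like a NULL entry.
func BuildSelNamesMap(policy []Selector, names map[string]uint32) map[int]map[uint32]uint8 {
	sel := map[int]map[uint32]uint8{}
	for i, s := range policy {
		if len(s.Binaries) == 0 {
			continue
		}
		inner := map[uint32]uint8{}
		for _, b := range s.Binaries {
			inner[names[b]] = 1
		}
		sel[i] = inner
	}
	return sel
}

// MatchingSelectors returns the sorted indices of selectors that fire for ev.
// sharedMap=true reproduces the pre-fix behaviour (#686): matchBinaries passes
// whenever the binary is present in names_map at all. sharedMap=false consults
// the per-selector inner map, which is the fix.
func MatchingSelectors(policy []Selector, ev Event, sharedMap bool) []int {
	names := BuildNamesMap(policy)
	selNames := BuildSelNamesMap(policy, names)
	binID := names[ev.Binary] // 0 when the binary is in no matchBinaries list

	var hits []int
	for i, s := range policy {
		if len(s.Binaries) > 0 {
			if sharedMap {
				if binID == 0 {
					continue
				}
			} else if _, ok := selNames[i][binID]; !ok {
				continue
			}
		}
		if ev.Arg1 != s.Arg1 {
			continue
		}
		hits = append(hits, i)
	}
	sort.Ints(hits)
	return hits
}

func main() {
	// The four constructed invocations from the commit message.
	events := []Event{
		{"/usr/bin/cat", "/etc/passwd"},
		{"/usr/bin/cat", "/etc/shadow"},
		{"/usr/bin/tail", "/etc/passwd"},
		{"/usr/bin/tail", "/etc/shadow"},
	}
	for _, ev := range events {
		fmt.Printf("%-14s %-12s shared-map: %v  per-selector: %v\n",
			ev.Binary, ev.Arg1,
			MatchingSelectors(Policy, ev, true),
			MatchingSelectors(Policy, ev, false))
	}
}
```

With the shared map, `cat /etc/shadow` and `tail /etc/passwd` each fire one selector because the binary check only asks "is this binary in any matchBinaries list"; with the per-selector inner map they fire none, and only the two intended pairs produce events.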
Showing 5 changed files with 144 additions and 88 deletions.