Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

matchArgs: Add Not{Equal, Prefix, Postfix} in fd, file, path types #1325

Merged
merged 3 commits into from
Aug 10, 2023
Merged

matchArgs: Add Not{Equal, Prefix, Postfix} in fd, file, path types #1325

merged 3 commits into from
Aug 10, 2023

Conversation

tpapagian
Copy link
Member

FIXES: #1310

@tpapagian tpapagian force-pushed the pr/apapag/fix_issue_1310 branch 5 times, most recently from b0fb0fe to 76c6990 Compare August 7, 2023 16:39
@tpapagian tpapagian marked this pull request as ready for review August 7, 2023 17:17
@tpapagian tpapagian requested a review from a team as a code owner August 7, 2023 17:17
kkourt
kkourt reviewed Aug 8, 2023
View reviewed changes
Copy link
Contributor

@kkourt kkourt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I have some comments.

The behaviour changes a bit when having multiple values. For operators Equal, Prefix, and Postfix the
previous example will match when:
[(arg OP val1) OR (arg OP val2) OR (arg OP val3)]

For operators NotEqual, NotPrefix, and NotPostfix the previous example will match when:
[(arg OP val1) AND (arg OP val2) AND (arg OP val3)]

I think the right way to think of Not* operators is:

Equal: (arg == val1) || (arg == val2) || (arg == val3)
NotEqual: NOT(Equal)
=> NOT( (arg == val1) || (arg == val2) || (arg == val3) )
=> (arg != val1) && (arg != val2) && (arg != val3)

So the behavior doesn't really change.

bpf/process/types/basic.h Show resolved Hide resolved
bpf/process/types/basic.h Outdated Show resolved Hide resolved
@tpapagian
matchArgs: Add Not{Equal, Prefix, Postfix} in fd, file, path types
5a77154 
This commit adds support fot NotEqual, NotPrefix, and NotPostfix operators in generic kprobes.
These work for fd, file, and path argument types.

An example is:
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/home/"
      - index: 0
        operator: "NotPrefix"
        values:
        - "/home/anotherfolder/"

Which matches when the argument has prefix "/home/" and does not has prefix "/home/anotherfolder/".
This can help limits the paths that we monitor.

    - matchArgs:
      - index: 0
        operator: "OP"
        values:
        - "val1"
        - "val2"
        - "val3"

The behaviour changes a bit when having multiple values. For operators Equal, Prefix, and Postfix the
previous example will match when:
[(arg OP val1) OR (arg OP val2) OR (arg OP val3)]

For operators NotEqual, NotPrefix, and NotPostfix the previous example will match when:
[(arg OP val1) AND (arg OP val2) AND (arg OP val3)]

FIXES: #1310

Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
@tpapagian
tracing: Add a test to demonstrate the use of Prefix and NotPrefix
2a734ec 
Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
@tpapagian
crd: Add NotPrefix and NotPostfix operators
c1698dc 
Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
@kkourt kkourt merged commit 265f7ad into main Aug 10, 2023
25 checks passed
@kkourt kkourt deleted the pr/apapag/fix_issue_1310 branch August 10, 2023 12:53
@tixxdz
Copy link
Member

tixxdz commented Aug 10, 2023

This broken main, how did it pass tests?

@tixxdz
Copy link
Member

tixxdz commented Aug 10, 2023

ah the kprobe_test doesn't have the observer package since it was moved so the tests need to rebase and use the new observerhelper package

tpapagian added a commit that referenced this pull request Aug 10, 2023
@tpapagian
Fix TestKprobeMatchArgsNonPrefix test
8b16486 
We didn't rebase #1325 after
merging
822e2da
so this makes TestKprobeMatchArgsNonPrefix introduced in that PR to
broke builds in main branch.

This patch fixes that issue.

Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
@tpapagian tpapagian mentioned this pull request Aug 10, 2023
Merged
@tpapagian
Copy link
Member Author

ah the kprobe_test doesn't have the observer package since it was moved so the tests need to rebase and use the new observerhelper package

Fix: #1347

tpapagian added a commit that referenced this pull request Aug 10, 2023
@tpapagian
Fix TestKprobeMatchArgsNonPrefix test
d3af315 
We didn't rebase #1325 after
merging
822e2da
so this makes TestKprobeMatchArgsNonPrefix introduced in that PR to
broke builds in main branch.

This patch fixes that issue.

Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kkourt kkourt kkourt approved these changes

@jrfastab jrfastab jrfastab approved these changes

@kevsecurity kevsecurity Awaiting requested review from kevsecurity kevsecurity is a code owner automatically assigned from cilium/tetragon

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add the "NotPrefix" and "NotPostfix" Operators to suitable Selector Types
4 participants
@tpapagian @tixxdz @kkourt @jrfastab