matchBinaries selector rework and add prefix operator #1652
Closed
Conversation
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
This new struct will store information about the binary path from the moment we persist the execve information in the execve_map. We tried to reduce the size of what we store as much as possible, ending up with 256 bytes instead of the theoretical maximum MAX_PATH of 4096 bytes (+ metadata). This will be useful when doing the matchBinaries at a later stage and retrieving the information about the process from the execve_map. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
A new binary_path struct was added BPF side to store a part of the binary path inside the execve_map values (to do comparison at a later stage). Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
This commit introduces changes on the proc reader part, which scans /proc at startup and initializes/fills execve_map with information about processes that were started before Tetragon. It also moves the part that trims p.args if the size of the process information would not fit in the allocated buffer. We were previously doing it in the part that parses /proc, which was too early because in the case of execve_map initialization it's not needed (and we now need at least 255 bytes of the binary path guaranteed), while it's needed for pushing the execve event, where it was moved. We also needed the 'exe' value at execve_map initialization, which was previously merged with 'cmdline' early at /proc parsing since it was not necessary before. Now we merge 'exe' and 'cmdline' on demand at a later stage (again when pushing the execve event). Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
This copies the information to persist in the execve_map. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
This largely reuses the code as well as the map for the string prefix using the LPM_TRIE. Also adds Prefix to the valid operators for matchBinaries selectors. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
This is the maximum for a LPM_TRIE. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
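The prefix matching the commit messages above describe, as an added example in Go that is not Tetragon's own code: it emulates in userspace the longest-prefix-match lookup a BPF LPM_TRIE performs over the 256-byte binary path the PR stores in execve_map. The key layout (prefix length in bits followed by data bytes, the generic LPM_TRIE key shape), the constant and type names, and the in-memory trie are assumptions for the illustration; Tetragon's actual map definitions are not on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// maxBinaryPath mirrors the 256-byte limit the PR chose for the binary path
// kept in execve_map. The value comes from the commit message; the name is an
// assumption for this example.
const maxBinaryPath = 256

// lpmKey follows the generic BPF LPM_TRIE key shape: a prefix length in bits
// followed by the data bytes. The struct name is hypothetical.
type lpmKey struct {
	prefixLen uint32
	data      [maxBinaryPath]byte
}

// prefixTrie stands in for the kernel-side LPM_TRIE map and holds the entries
// userspace would insert for a matchBinaries selector using operator Prefix.
type prefixTrie struct {
	entries []lpmKey
}

// newKey builds a key the way userspace would: copy the bytes (copy() silently
// truncates at maxBinaryPath) and express the prefix length in bits.
func newKey(s string) lpmKey {
	var k lpmKey
	n := copy(k.data[:], s)
	k.prefixLen = uint32(n) * 8
	return k
}

// Add inserts one Prefix value from the selector.
func (t *prefixTrie) Add(prefix string) {
	t.entries = append(t.entries, newKey(prefix))
}

// Lookup emulates longest-prefix-match over the stored binary path: the query
// is the path exactly as execve_map would hold it (already truncated), and an
// entry hits when every byte of its prefix equals the leading bytes of the
// query. The longest hit wins, as in the kernel map.
func (t *prefixTrie) Lookup(binary string) (matched string, ok bool) {
	q := newKey(binary)
	qLen := int(q.prefixLen / 8)
	best, bestLen := -1, -1
	for i, e := range t.entries {
		n := int(e.prefixLen / 8)
		if n > qLen || string(e.data[:n]) != string(q.data[:n]) {
			continue
		}
		if n > bestLen {
			best, bestLen = i, n
		}
	}
	if best < 0 {
		return "", false
	}
	return string(t.entries[best].data[:bestLen]), true
}

func main() {
	tr := &prefixTrie{}
	tr.Add("/usr/bin/")
	tr.Add("/usr/bin/python")
	for _, bin := range []string{"/usr/bin/python3", "/usr/bin/cat", "/usr/sbin/cat"} {
		m, ok := tr.Lookup(bin)
		fmt.Printf("%-18s matched=%v prefix=%q\n", bin, ok, m)
	}

	// Caveat 1: the match is bytewise, not per path component.
	dir := &prefixTrie{}
	dir.Add("/usr/bin")
	_, ok := dir.Lookup("/usr/binary")
	fmt.Println("/usr/bin matches /usr/binary:", ok)

	// Caveat 2: only the first maxBinaryPath bytes exist on the BPF side, so
	// two long paths that differ only after that point are indistinguishable.
	long := "/opt/" + strings.Repeat("x", 300)
	deep := &prefixTrie{}
	deep.Add(long + "/a")
	_, ok = deep.Lookup(long + "/b")
	fmt.Println("paths differing past 256 bytes collide:", ok)
}
```

Two things a policy author should keep in mind follow directly from the emulation: a Prefix value without a trailing slash ("/usr/bin") also matches "/usr/binary", so end directory prefixes with "/" when a directory is intended; and because the stored path is capped at 256 bytes, any two binaries whose paths agree on their first 256 bytes are indistinguishable to a Prefix (or longer) selector.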
Notably removes names_map. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
This cleans up part of the BPF implementation of matchBinaries, the rest will come with the new implementation using part of the old machinery. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
This code will be reused by the matchBinaries selector parser; this commit moves some code into helpers to write into SelectorStringMaps in the selector state. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
This commit introduces the new "sel_match_binaries_map", which stores the matchBinaries selector options from userspace, to use on the BPF side. It adapts the code to parse the selector and to populate the map with the options at program loading time. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
This commit introduces a new implementation for matchBinaries; it uses similar machinery to the string args filter except that it reads the selector's options from a dedicated map (notably because matchBinaries can be called very early when it's the only selector present, as an optimization). Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Add it in BPF, in the CRD validation and in the selector parser. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
This has been implemented in two stages, with:
Labels
kind/enhancement
This improves or streamlines existing functionality
release-note/minor
This PR introduces a minor user-visible change
The matchBinaries selector had this flaw: it could not match processes started before Tetragon. This PR tries to fix that and adds a new Prefix operator. The Postfix operator will be a bit more complex and will come in a separate PR.
This PR is not finished, only the prefix operator was added.
In and NotIn still do not match processes started before Tetragon.