Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Prefix and NotPrefix operators to matchBinaries #1732

Merged
merged 6 commits into from
Dec 1, 2023
Merged

Add Prefix and NotPrefix operators to matchBinaries #1732

merged 6 commits into from
Dec 1, 2023

Conversation

mtardy
Copy link
Member

@mtardy mtardy commented Nov 9, 2023
edited

This PR goes on top of #1731. It fixes #1278.

The implementation is pretty trivial thanks to the work that was already done with prefix on matchArgs and the changes of the #1731.

@mtardy mtardy added kind/enhancement This improves or streamlines existing functionality area/bpf This is related to BPF code release-note/minor This PR introduces a minor user-visible change labels Nov 9, 2023
@netlify Netlify
Copy link

netlify bot commented Nov 9, 2023
edited

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit 8323121
🔍 Latest deploy log https://app.netlify.com/sites/tetragon/deploys/6565b99024334e0007c3bbd6
😎 Deploy Preview https://deploy-preview-1732--tetragon.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@mtardy mtardy force-pushed the pr/mtardy/match-binaries-prefix branch 2 times, most recently from 00a4dda to 4fc0539 Compare November 15, 2023 12:44
@mtardy mtardy marked this pull request as ready for review November 15, 2023 13:31
@mtardy mtardy requested a review from a team as a code owner November 15, 2023 13:31
@mtardy mtardy requested a review from olsajiri November 15, 2023 13:31
@mtardy mtardy marked this pull request as draft November 15, 2023 13:31
@mtardy
Copy link
Member Author

mtardy commented Nov 15, 2023
edited

cc @tpapagian @kkourt (I pinged you since you reviewed the previous one, it might be easier to read this one)

This is not 100% done (still in draft) because I still need to make it work with 4.19 but if you have some time to take a look 👀 while I'm on PTO (basically end of this week and next week) it would be lovely.

For 4.19 to work, maybe we can reduce the max size of the prefix STRING_PREFIX_MAX_LENGTH 256, which might fix the E2BIG, or just not propose the Prefix and NotPrefix feature completely for <5.4.

@mtardy mtardy requested review from kkourt and tpapagian and removed request for olsajiri November 15, 2023 13:32
@mtardy mtardy force-pushed the pr/mtardy/match-binaries-prefix branch from 4fc0539 to 8323121 Compare November 28, 2023 09:57
@mtardy mtardy marked this pull request as ready for review November 28, 2023 14:05
@mtardy
Copy link
Member Author

mtardy commented Nov 28, 2023
edited

So I've disabled matchBianries Prefix for kernel < 5.3, d92ee0c. Now everything pass.

@mtardy
pkg/k8s: add Prefix and NotPrefix to BinarySelector operators
302baa2 
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
@mtardy
pkg/selectors: add userspace implementation of prefix
240ba55 
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
@mtardy
bpf: add matchBinaries Prefix operator implementation
af9bb43 
This is reusing the LPM_TRIE map from the matchArgs on string for
prefixes.

Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
@mtardy
tests: add tests for the Prefix/NotPrefix matchBinaries operators
6759a11 
It uses classical testing and also add perfring tests to make sure
events filtered are indeed missing.

Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
@mtardy
tests: add a test for Prefix use in matchBinaries and matchArgs
7b385cb 
New matchBinaries prefix operator reuse the LPM_TRIE map and some of the
code of the matchArgs string/path prefix operator. This test checks that
those two still work together.

Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
@mtardy
bpf: enable matchBinaries prefix only for large progs kernels
89a0720 
Programs where already at the limit for the size of progs for 4.19
kernels, this disables the Prefix/NotPrefix feature for <5.3.0.

Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
@mtardy mtardy force-pushed the pr/mtardy/match-binaries-prefix branch from d92ee0c to 89a0720 Compare November 28, 2023 16:34
@mtardy
Copy link
Member Author

mtardy commented Nov 28, 2023

cc @kevsecurity

I bumped the CRD version, used probe_read instead probe_read_str in the prefix_key.data construction, and removed commit 608a1ab that was renaming op_filter_str_prefix to op_filter_prefix.

kevsecurity
kevsecurity approved these changes Nov 28, 2023
View reviewed changes
Copy link
Contributor

@kevsecurity kevsecurity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

tpapagian
tpapagian approved these changes Nov 29, 2023
View reviewed changes
Copy link
Member

@tpapagian tpapagian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@mtardy mtardy merged commit ef1278e into main Dec 1, 2023
30 checks passed
@mtardy mtardy deleted the pr/mtardy/match-binaries-prefix branch December 1, 2023 13:56
@mtardy mtardy mentioned this pull request Dec 4, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tpapagian tpapagian tpapagian approved these changes

@kevsecurity kevsecurity kevsecurity approved these changes

@kkourt kkourt Awaiting requested review from kkourt

Assignees
No one assigned
Labels
area/bpf This is related to BPF code kind/enhancement This improves or streamlines existing functionality release-note/minor This PR introduces a minor user-visible change
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add the "Prefix" operator for the "matchBinaries" selector
3 participants
@mtardy @tpapagian @kevsecurity