Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Path prefix search #660

Merged
merged 2 commits into from
Sep 27, 2016
Merged

Path prefix search #660

merged 2 commits into from
Sep 27, 2016

Commits on Sep 27, 2016

  1. Add ability to test a path against many prefixes 

    Add a data structure that allows testing a path aka /var/log/messages
against a set of path prefixes (/usr, /bin, /var/log, ...).

Thinking ahead to use in libsinsp, the search structure uses pointer +
length pairs instead of strings, meaning that it does not copy any data,
only refers to it. This way the structure doesn't copy filtercheck
values.

In order to share the idea of a pair of pointer + length between this
structure and the unordered_set used by "in (...)" set membership tests,
move the hashing and equality function from filterchecks to a standalone
header filter_value.h and use it for the unordered_map.

The paths are held in a tree-like structure. At each level, an unordered
map has the path components for that level and a sub-tree of paths for
that root.

The tree can change if new search paths are prefixes of any of the
current paths (the sub-tree for the longer path is replaced by the
prefix). If a new search path is a suffix of any existing path no change
is made, as it is already covered by the prefix.

Matching involves splitting off the first directory component and
testing it against the values at that level. If a match is found, it
recursively calls match for the subtree.
    @mstemm
    mstemm committed Sep 27, 2016
    Configuration menu
    Copy the full SHA
    31892ab View commit details
    Browse the repository at this point in the history

  2. Add pmatch operator, using prefix_search struct. 

    Remove the definitions of filter_value_member_t/hash function/equality
function from filterchecks.h, renaming it to filter_value_t along the
way.

Add an operator CO_PMATCH/"pmatch" which takes a set of values like
CO_IN does, but requires that the left hand side of the comparison is a
PT_CHARBUF. When filter values are added, they are added to the new
path_prefix_search object m_val_storages_paths.

in ::flt_compare, when the operator is CO_PMATCH, test the value against
m_val_storages_paths.

As a result, you can run sysdig using a command line like:

sudo ./userspace/sysdig/sysdig "evt.type=open and fd.directory
pmatch (/var, /usr)"

and see all the file opens for files below either /var or /usr.
    @mstemm
    mstemm committed Sep 27, 2016
    Configuration menu
    Copy the full SHA
    d9ace04 View commit details
    Browse the repository at this point in the history