tetragon: add support for substring operators#4393
Conversation
olsajiri
force-pushed
the
pr/olsajiri/substring
branch
2 times, most recently
from
f00dc92 to
3a44fed
Compare
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
olsajiri
force-pushed
the
pr/olsajiri/substring
branch
3 times, most recently
from
3a56bab to
5325dd0
Compare
olsajiri
force-pushed
the
pr/olsajiri/substring
branch
4 times, most recently
from
e2f69d8 to
d618baf
Compare
olsajiri
added
the
release-note/minor
olsajiri
force-pushed
the
pr/olsajiri/substring
branch
2 times, most recently
from
c4a1da0 to
08b325c
Compare
olsajiri
changed the title
| // a pointer to the map. The rest of the argument code might do | ||
| // some arithmetics on it which would fail for pointer, but it's | ||
| // always using probe_read, so it's safe. | ||
| probe_read(&arg, sizeof(arg), &arg); |
There was a problem hiding this comment.
Not a problem: just surprised probe_read can have @arg as source and dest! I will borrow this myself.
| return m.Update(uint32(0), selector.Buffer(), ebpf.UpdateAny) | ||
| }, | ||
| }) | ||
| mapLoad = append(mapLoad, selectorsMaploads(selector, 0)...) |
There was a problem hiding this comment.
This will cause the selector maps to be included in a program.Program's MapLoad. A collectionLoader's maps is populated by a CollectionSpec's maps. CollectionSpec's maps are determined by the elf file.
Maps found in a program.Program's MapLoad will be loaded if they are also found in the ebpf.Collection's Maps. ebpf.Collection Maps is populated by collectionLoader's maps. So, just adding this is enough to load the maps.
However, when we create the sensor, we are not including the selector maps in the sensors.Sensor's Maps member. As such, we are not doing the max entry logic, like how we do for kprobes. See here and here for how I was thinking about handling this.
What do you think? My WIP does not prevent duplicates of the "filter_map" program.MapLoad like yours does. Also, there isn't an exact match between maps taken care of in selectorsMaploads vs my filterMaps function, but despite these shortcomings, it demonstrates the idea.
There was a problem hiding this comment.
so kprobe has that HasSelector condition for selector maps.. are you suggestion something similar for uprobe?
why do you keep the filter_map load in b8d7d4c ? it's part of selectorsMaploads right?
There was a problem hiding this comment.
why do you keep the filter_map load in b8d7d4c ? it's part of selectorsMaploads right?
Yes, that's a problem with my WIP. I agree that I shouldn't do that. I would fix that if we decided the overall approach makes sense.
so kprobe has that HasSelector condition for selector maps.. are you suggestion something similar for uprobe?
Yes, that seems like a good way to conditionally load the selector maps based on whether they are needed.
But what I'm really getting at here is that we are loading the maps without configuring the max entries. So, I think we need to address that. It looks like the logic of loading selector maps would be the same across all hook point types. So, I'm proposing that we create a unified way to do this.
We already have selectorsMaploads, a unified way for creating program.MapLoad. I think we should have the equivalent for generating program.Map. Then all hook types could reuse the same code for generating both program.MapLoad and program.Map for selector maps.
There was a problem hiding this comment.
right, that sounds good.. let's see how it looks like wrt that each sensor needs slightly different maps, but I think it would be good to have something like that
| func writeMatchSubString(k *KernelSelectorState, values []string) error { | ||
| for _, v := range values { | ||
| id := len(k.subStrs) | ||
| if id >= SubstringMapEntries-1 { |
There was a problem hiding this comment.
I think this is off by one.
I think it should instead be: if id >= SubstringMapEntries
Consider the following example. SubstringMapEntries is 100. It's used to set the max number of entries in the map. So the number of subStrs should not exceed 100.
If we want to add exactly 100 subStrs, on the last iteration, id will be 99.
99 >= (100 - 1), is true, so we return error. But we could add that last entry without going over the map's capacity.
olsajiri
force-pushed
the
pr/olsajiri/substring
branch
5 times, most recently
from
319e3db to
1d3388f
Compare
|
I changed the code to use core instead of the CONFIG variables, it's simpler |
| if id >= SubstringMapEntries { | ||
| return fmt.Errorf("substring error: Only %d substrings allowed", SubstringMapEntries) | ||
| } | ||
| if len(v) >= 100 { |
There was a problem hiding this comment.
Please add a constant for this, ideally with a comment pointing to the corresponding BPF value.
| for _, a := range slices.Concat(s.MatchArgs, s.MatchData, s.MatchReturnArgs) { | ||
| argOp, err := SelectorOp(a.Operator) | ||
| if err != nil { | ||
| return false |
There was a problem hiding this comment.
Shouldn't we continue looking at the other selectors instead of returning here?
There was a problem hiding this comment.
that means the selector operator is wrong and the selector should already fail or we fail shortly.. so I think there's no point to continue
There was a problem hiding this comment.
OK, in that case, shouldn't we return an error?
|
|
||
| if has.substring { | ||
| substringMap := program.MapBuilderSensor("substring_map", load) | ||
| substringMap.SetMaxEntries(selectors.SubstringMapEntries) |
There was a problem hiding this comment.
Can't we just size this to the number of entries in the selector?
There was a problem hiding this comment.
true, will change, thanks
olsajiri
force-pushed
the
pr/olsajiri/substring
branch
2 times, most recently
from
a20078d to
0934840
Compare
…lector
Adding support for SubString/IgnCase operators for matchArg selector,
to be used on top of strings like:
data:
- index: 0
type: "string"
source: "pt_regs"
resolve: "rdi"
selectors:
- matchData:
- index: 0
operator: "SubString"
values:
- "_3_"
The SubString matches exact string, SubStringIgnCase matches
string regardless the case.
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
$ make generate codegen $ make -C docs tracing-policy-docs Plus CustomResourceDefinitionSchemaVersion update. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding several tests for substring match on preloaded string. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding several tests for substring match on preloaded string that results with overladed regs. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
olsajiri
force-pushed
the
pr/olsajiri/substring
branch
from
0934840 to
c82a8b7
Compare
|
note the ci failure is just syntax false alarm |
4 participants
Adding support for SubString/IgnCase operators for matchArg selector, to be used on top of strings like:
The SubString matches exact string, SubStringIgnCase matches string regardless the case.
On top of #4489