From 457d3a3974a3dfe794ea0487055f69c9b419e9bd Mon Sep 17 00:00:00 2001 From: Andrei Fedotov Date: Mon, 12 Aug 2024 15:45:42 +0300 Subject: [PATCH] tetragon: Add Postfix and NotPostfix operators to matchBinaries selector Adding Postifx and NotPostfix operators to matchBinaries selector as it already done for matchArgs selector. Signed-off-by: Andrei Fedotov --- .../crds-yaml/cilium.io_tracingpolicies.yaml | 8 ++++++ .../cilium.io_tracingpoliciesnamespaced.yaml | 8 ++++++ pkg/api/processapi/processapi.go | 7 ++++- .../v1alpha1/cilium.io_tracingpolicies.yaml | 8 ++++++ .../cilium.io_tracingpoliciesnamespaced.yaml | 8 ++++++ pkg/k8s/apis/cilium.io/v1alpha1/types.go | 2 +- pkg/k8s/apis/cilium.io/v1alpha1/version.go | 2 +- pkg/selectors/kernel.go | 27 ++++++++++++++++--- pkg/sensors/exec/procevents/proc_reader.go | 2 +- .../v1alpha1/cilium.io_tracingpolicies.yaml | 8 ++++++ .../cilium.io_tracingpoliciesnamespaced.yaml | 8 ++++++ .../pkg/k8s/apis/cilium.io/v1alpha1/types.go | 2 +- .../k8s/apis/cilium.io/v1alpha1/version.go | 2 +- 13 files changed, 82 insertions(+), 10 deletions(-) diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml index 8287774126b..0524ff9df29 100644 --- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml +++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml @@ -456,6 +456,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1065,6 +1067,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1705,6 +1709,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. 
@@ -2282,6 +2288,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml index 2578bb937a6..f7aed86615b 100644 --- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml +++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml @@ -456,6 +456,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1065,6 +1067,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1705,6 +1709,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -2282,6 +2288,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/pkg/api/processapi/processapi.go b/pkg/api/processapi/processapi.go index 7854630282c..4329efa60f0 100644 --- a/pkg/api/processapi/processapi.go +++ b/pkg/api/processapi/processapi.go @@ -45,6 +45,8 @@ const ( MSG_COMMON_FLAG_USER_STACKTRACE = 0x4 BINARY_PATH_MAX_LEN = 256 + + STRING_POSTFIX_MAX_LENGTH = 128 ) type MsgExec struct { @@ -139,8 +141,11 @@ type MsgCapabilities struct { } type Binary struct { - PathLength int64 + PathLength int32 + Reversed uint32 Path [BINARY_PATH_MAX_LEN]byte + End [STRING_POSTFIX_MAX_LENGTH]byte + End_r [STRING_POSTFIX_MAX_LENGTH]byte MBSet uint64 } diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index 8287774126b..0524ff9df29 100644 
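Review bot: The reworked `Binary` struct in the second processapi.go hunk (`PathLength` narrowed to `int32`, new `Reversed`, `End` and `End_r` fields) appears to be the userspace mirror of a BPF map value — proc_reader.go writes it with `m.Put` — yet nothing in the struct says so, and the matching C-side change is not in this patch. Add a comment above `type Binary struct {` such as `// Binary mirrors the BPF-side binary record; field order, widths and the BINARY_PATH_MAX_LEN/STRING_POSTFIX_MAX_LENGTH array sizes must match the C struct exactly.`, and one-line comments on `Reversed` and `End_r` saying what they hold (presumably the path tail stored reversed for the LPM postfix lookup — to confirm). `STRING_POSTFIX_MAX_LENGTH = 128` duplicates the `StringPostfixMaxLength` that pkg/selectors/kernel.go compares against in this same patch; a cross-referencing comment, or defining one in terms of the other, keeps the two from drifting apart. `End_r` is not MixedCaps; unless the name must mirror the C field, `EndReversed` is the Go form.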
--- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -456,6 +456,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1065,6 +1067,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1705,6 +1709,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -2282,6 +2288,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 2578bb937a6..f7aed86615b 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -456,6 +456,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1065,6 +1067,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1705,6 +1709,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -2282,6 +2288,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 76cb339679c..2c2059684ac 100644 
--- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go
+++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go
@@ -90,7 +90,7 @@ type KProbeArg struct {
 }
 
 type BinarySelector struct {
-	// +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix
+	// +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix;Postfix;NotPostfix
 	// Filter operation.
 	Operator string `json:"operator"`
 	// Value to compare the argument against.
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/pkg/k8s/apis/cilium.io/v1alpha1/version.go
index 72d1c52eb9d..8d62932e8be 100644
--- a/pkg/k8s/apis/cilium.io/v1alpha1/version.go
+++ b/pkg/k8s/apis/cilium.io/v1alpha1/version.go
@@ -7,4 +7,4 @@ package v1alpha1
 // Used to determine if CRD needs to be updated in cluster
 //
 // Developers: Bump patch for each change in the CRD schema.
-const CustomResourceDefinitionSchemaVersion = "1.2.3"
+const CustomResourceDefinitionSchemaVersion = "1.2.4"
diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go
index a4eb84ef385..105118c7baa 100644
--- a/pkg/selectors/kernel.go
+++ b/pkg/selectors/kernel.go
@@ -712,7 +712,7 @@ func writePrefixStrings(k *KernelSelectorState, values []string) error {
 	return nil
 }
 
-func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) error {
+func writePostfix(k *KernelSelectorState, values []string, ty uint32, selector string) (uint32, error) {
 	mid, m := k.newStringPostfixMap()
 	for _, v := range values {
 		var value []byte
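Review bot: The enum marker in the types.go hunk now admits `Postfix` and `NotPostfix`, but the field comment `// Filter operation.` still does not say what any operator compares, and the generated CRD descriptions in this patch inherit that silence. Since matchBinaries is the gate a policy uses to decide which executables a rule applies to, the comment should state that `Prefix`/`Postfix` compare only the leading or trailing part of the executable path (so `Postfix` matches every path ending in the value, not one specific binary), and that postfix values are capped at 127 bytes and need the large-BPF-program kernels checked in kernel.go. The vendored types.go hunk later on this page needs the same comment.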
@@ -725,7 +725,7 @@ func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) err
 		// Due to the constraints of the reverse copy in BPF, we will not be able to match a postfix
 		// longer than 127 characters, so throw an error if the user specified one.
 		if size >= StringPostfixMaxLength {
-			return fmt.Errorf("MatchArgs value %s invalid: string is longer than %d characters", v, StringPostfixMaxLength-1)
+			return 0, fmt.Errorf("%s value %s invalid: string is longer than %d characters", selector, v, StringPostfixMaxLength-1)
 		}
 		val := KernelLPMTrieStringPostfix{prefixLen: size * 8} // postfix is in bits, but size is in bytes
 		// Copy postfix in reverse order, so that it can be used in LPM map
@@ -734,7 +734,18 @@ func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) err
 		}
 		m[val] = struct{}{}
 	}
-	// write the map id into the selector
+	return mid, nil
+}
+
+func writePostfixBinaries(k *KernelSelectorState, values []string) (uint32, error) {
+	return writePostfix(k, values, gt.GenericCharBuffer, "MatchBinaries")
+}
+
+func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) error {
+	mid, err := writePostfix(k, values, ty, "MatchArgs")
+	if err != nil {
+		return err
+	}
 	WriteSelectorUint32(&k.data, mid)
 	return nil
 }
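Review bot: `writePostfix` (whose signature is in the preceding hunk), `writePostfixBinaries` and the `writePostfixStrings` wrapper introduced in the @@ -734 hunk have no doc comments, and the split of responsibility — which of them writes the map id into the selector — is the one thing a reader needs. Suggested: above `writePostfix`, `// writePostfix fills a new string-postfix LPM map with values (each stored reversed, at most StringPostfixMaxLength-1 bytes) and returns its map id; selector names the caller for error messages.`; above `writePostfixBinaries`, `// writePostfixBinaries builds the postfix map for a matchBinaries selector; the caller stores the returned id in sel.MapID.`; above `writePostfixStrings`, `// writePostfixStrings builds the postfix map for a matchArgs selector and writes its id into the selector data.` In the @@ -725 hunk the rejected user value is formatted with `%s`; `%q` would make an empty or whitespace-bearing value visible in the error, `fmt.Errorf("%s value %q invalid: string is longer than %d characters", selector, v, StringPostfixMaxLength-1)`.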
@@ -1209,8 +1220,16 @@ func ParseMatchBinary(k *KernelSelectorState, b *v1alpha1.BinarySelector, selIdx
 		if err != nil {
 			return fmt.Errorf("failed to write the prefix operator for the matchBinaries selector: %w", err)
 		}
+	case SelectorOpPostfix, SelectorOpNotPostfix:
+		if !kernels.EnableLargeProgs() {
+			return fmt.Errorf("matchBinary error: \"Postfix\" and \"NotPostfix\" operators need large BPF progs (kernel>5.3)")
+		}
+		sel.MapID, err = writePostfixBinaries(k, b.Values)
+		if err != nil {
+			return fmt.Errorf("failed to write the prefix operator for the matchBinaries selector: %w", err)
+		}
 	default:
-		return fmt.Errorf("matchBinary error: Only \"In\", \"NotIn\", \"Prefix\" and \"NotPrefix\" operators are supported")
+		return fmt.Errorf("matchBinary error: Only \"In\", \"NotIn\", \"Prefix\", \"NotPrefix\", \"Postfix\" and \"NotPostfix\" operators are supported")
 	}
 
 	k.AddMatchBinaries(selIdx, sel)
diff --git a/pkg/sensors/exec/procevents/proc_reader.go b/pkg/sensors/exec/procevents/proc_reader.go
index 5ce33b8f45a..ecd5951a244 100644
--- a/pkg/sensors/exec/procevents/proc_reader.go
+++ b/pkg/sensors/exec/procevents/proc_reader.go
@@ -350,7 +350,7 @@ func writeExecveMap(procs []procs) {
 		v.Namespaces.CgroupInum = p.cgroup_ns
 		v.Namespaces.UserInum = p.user_ns
 		pathLength := copy(v.Binary.Path[:], p.exe)
-		v.Binary.PathLength = int64(pathLength)
+		v.Binary.PathLength = int32(pathLength)
 
 		err := m.Put(k, v)
 		if err != nil {
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
index 8287774126b..0524ff9df29 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
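Review bot: The error wrapping inside the new `case SelectorOpPostfix, SelectorOpNotPostfix:` branch reads `failed to write the prefix operator for the matchBinaries selector`, copied from the Prefix case above it, so a failing Postfix rule (for instance a value of 128 bytes or more) is reported as a prefix problem. Change it to `return fmt.Errorf("failed to write the postfix operator for the matchBinaries selector: %w", err)`. `ParseMatchBinary` and its switch start outside the hunk, so I cannot see whether `sel` needs anything beyond `MapID` for the postfix case; worth checking against what the Prefix branch sets.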
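Review bot: `writeExecveMap` now stores `PathLength` as `int32` to follow the new `processapi.Binary` layout, but the fields added next to it (`Reversed`, `End`, `End_r`) are left at their zero value for every process this function seeds from the existing process list. If the BPF postfix match for matchBinaries reads those fields instead of deriving the reversed tail from `Path`, processes already running when the agent starts would never satisfy a `Postfix` rule and would always satisfy `NotPostfix`, a gap an enforcement policy should not have silently. Either populate them here, or add a comment on the `PathLength` line recording why the zero value is correct, e.g. `// End/End_r/Reversed are derived on the BPF side; nothing to seed here` if that is the case. The enclosing loop starts outside the hunk.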
@@ -456,6 +456,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1065,6 +1067,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1705,6 +1709,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -2282,6 +2288,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 2578bb937a6..f7aed86615b 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -456,6 +456,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1065,6 +1067,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -1705,6 +1709,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. @@ -2282,6 +2288,8 @@ spec: - NotIn - Prefix - NotPrefix + - Postfix + - NotPostfix type: string values: description: Value to compare the argument against. diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 76cb339679c..2c2059684ac 100644 
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -90,7 +90,7 @@ type KProbeArg struct { } type BinarySelector struct { - // +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix + // +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix;Postfix;NotPostfix // Filter operation. Operator string `json:"operator"` // Value to compare the argument against. diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go index 72d1c52eb9d..8d62932e8be 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go @@ -7,4 +7,4 @@ package v1alpha1 // Used to determine if CRD needs to be updated in cluster // // Developers: Bump patch for each change in the CRD schema. -const CustomResourceDefinitionSchemaVersion = "1.2.3" +const CustomResourceDefinitionSchemaVersion = "1.2.4"