chore: remove bpf map macros (aquasecurity#3735)
Define the bpf maps manually, instead of using the macros.

Context: aquasecurity#3731

It also does some renaming and changes filter comments.
geyslan authored Jan 17, 2024
1 parent f3fa64f commit 7ce9956
Showing 5 changed files with 673 additions and 183 deletions.
22 changes: 11 additions & 11 deletions pkg/ebpf/c/capture_filtering.h
Expand Up @@ -80,40 +80,40 @@ statfunc bool filter_file_type(void *ctx,
io_data_t io_data,
off_t start_pos)
{
bool has_type_filter = false;
bool has_file_type = false;
bool type_filter_match = false;

file_type_filter_t *type_filter = bpf_map_lookup_elem(filter_map, &map_idx);
file_type_t *ftype = bpf_map_lookup_elem(filter_map, &map_idx);
// Filter should be always initialized
if (unlikely(type_filter == NULL)) {
if (unlikely(ftype == NULL)) {
tracee_log(ctx, BPF_LOG_LVL_WARN, BPF_LOG_ID_MAP_LOOKUP_ELEM, 0);
return false;
}

// Do check only if there is a filter
if (*type_filter != 0 && *type_filter & FILTER_FILE_TYPE_MASK) {
has_type_filter = true;
if (*ftype != 0 && *ftype & FILTER_FILE_TYPE_MASK) {
has_file_type = true;
int imode_mode = get_inode_mode_from_file(file);
if (*type_filter & FILTER_PIPE_FILES) {
if (*ftype & FILTER_PIPE_FILES) {
struct pipe_inode_info *pipe = get_file_pipe_info(file);
if (pipe != NULL) {
type_filter_match = true;
goto exit;
}
}
if (*type_filter & FILTER_SOCKET_FILES) {
if (*ftype & FILTER_SOCKET_FILES) {
if (imode_mode & S_IFSOCK) {
type_filter_match = true;
goto exit;
}
}
if (*type_filter & FILTER_NORMAL_FILES) {
if (*ftype & FILTER_NORMAL_FILES) {
if (imode_mode & S_IFREG) {
type_filter_match = true;
goto exit;
}
}
if (*type_filter & FILTER_ELF_FILES) {
if (*ftype & FILTER_ELF_FILES) {
file_id_t file_id = get_file_id(file);
file_id.ctime = 0;
if (start_pos == 0) {
Expand All @@ -140,7 +140,7 @@ statfunc bool filter_file_type(void *ctx,
}

exit:
return (has_type_filter && !type_filter_match);
return (has_file_type && !type_filter_match);
}

// Return if the file does not match any given file FD filters in the filter map (so it should be
Expand All @@ -150,7 +150,7 @@ statfunc bool filter_file_fd(void *ctx, void *filter_map, size_t map_idx, struct
bool has_fds_filter = false;
bool fds_filter_match = false;

file_type_filter_t *fds_filter = bpf_map_lookup_elem(filter_map, &map_idx);
file_type_t *fds_filter = bpf_map_lookup_elem(filter_map, &map_idx);
// Filter should be always initialized
if (unlikely(fds_filter == NULL)) {
tracee_log(ctx, BPF_LOG_LVL_WARN, BPF_LOG_ID_MAP_LOOKUP_ELEM, 0);
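Review bot: The socket and regular-file tests in filter_file_type, `if (imode_mode & S_IFSOCK)` and `if (imode_mode & S_IFREG)`, are context lines this commit leaves untouched, but they test individual bits of a multi-bit file-type field and so match more than the intended type: S_IFSOCK (0140000) shares bits with S_IFREG (0100000) and S_IFDIR (0040000), and S_IFREG shares one with S_IFLNK (0120000). With a socket-only capture filter, regular files and directories would therefore also count as a match, so the capture scope ends up wider than what was configured. Comparing the masked type would fix this, e.g. `if ((imode_mode & S_IFMT) == S_IFSOCK)` and `if ((imode_mode & S_IFMT) == S_IFREG)`, assuming S_IFMT is defined in the BPF headers this file includes. The function body is only partly visible on this page (the ELF branch is collapsed), so this is based on the lines shown.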
32 changes: 16 additions & 16 deletions pkg/ebpf/c/common/filtering.h
Expand Up @@ -52,9 +52,9 @@ statfunc u64 should_submit(u32, event_data_t *);
// FUNCTIONS

// get_filter_map returns the filter map for the given version and outer map
statfunc void *get_filter_map(void *outer_map, u16 pols_version)
statfunc void *get_filter_map(void *outer_map, u16 version)
{
return bpf_map_lookup_elem(outer_map, &pols_version);
return bpf_map_lookup_elem(outer_map, &version);
}

statfunc u64
Expand Down Expand Up @@ -206,7 +206,7 @@ statfunc u64 compute_scopes(program_data_t *p)
}

//
// unversioned filters
// boolean filters (not using versioned maps)
//

// TODO: Create a filter map for each boolean filter (versioning it) #3805
Expand Down Expand Up @@ -237,14 +237,14 @@ statfunc u64 compute_scopes(program_data_t *p)
}

//
// versioned filters
// equality filters (using versioned maps)
//

u16 pols_version = p->event->context.policies_version;
u16 version = p->event->context.policies_version;
void *filter_map = NULL;

if (p->config->pid_filter_enabled_scopes) {
filter_map = get_filter_map(&pid_filter_version, pols_version);
filter_map = get_filter_map(&pid_filter_version, version);
u64 filter_out_scopes = p->config->pid_filter_out_scopes;
u64 mask = ~p->config->pid_filter_enabled_scopes;
u64 max = p->config->pid_max;
Expand All @@ -258,7 +258,7 @@ statfunc u64 compute_scopes(program_data_t *p)
}

if (p->config->uid_filter_enabled_scopes) {
filter_map = get_filter_map(&uid_filter_version, pols_version);
filter_map = get_filter_map(&uid_filter_version, version);
u64 filter_out_scopes = p->config->uid_filter_out_scopes;
u64 mask = ~p->config->uid_filter_enabled_scopes;
u64 max = p->config->uid_max;
Expand All @@ -268,53 +268,53 @@ statfunc u64 compute_scopes(program_data_t *p)
}

if (p->config->mnt_ns_filter_enabled_scopes) {
filter_map = get_filter_map(&mnt_ns_filter_version, pols_version);
filter_map = get_filter_map(&mnt_ns_filter_version, version);
u64 filter_out_scopes = p->config->mnt_ns_filter_out_scopes;
u64 mask = ~p->config->mnt_ns_filter_enabled_scopes;
u64 mnt_id = context->mnt_id;
res &= equality_filter_matches(filter_out_scopes, filter_map, &mnt_id) | mask;
}

if (p->config->pid_ns_filter_enabled_scopes) {
filter_map = get_filter_map(&pid_ns_filter_version, pols_version);
filter_map = get_filter_map(&pid_ns_filter_version, version);
u64 filter_out_scopes = p->config->pid_ns_filter_out_scopes;
u64 mask = ~p->config->pid_ns_filter_enabled_scopes;
u64 pid_id = context->pid_id;
res &= equality_filter_matches(filter_out_scopes, filter_map, &pid_id) | mask;
}

if (p->config->uts_ns_filter_enabled_scopes) {
filter_map = get_filter_map(&uts_ns_filter_version, pols_version);
filter_map = get_filter_map(&uts_ns_filter_version, version);
u64 filter_out_scopes = p->config->uts_ns_filter_out_scopes;
u64 mask = ~p->config->uts_ns_filter_enabled_scopes;
res &= equality_filter_matches(filter_out_scopes, filter_map, &context->uts_name) | mask;
}

if (p->config->comm_filter_enabled_scopes) {
filter_map = get_filter_map(&comm_filter_version, pols_version);
filter_map = get_filter_map(&comm_filter_version, version);
u64 filter_out_scopes = p->config->comm_filter_out_scopes;
u64 mask = ~p->config->comm_filter_enabled_scopes;
res &= equality_filter_matches(filter_out_scopes, filter_map, &context->comm) | mask;
}

if (p->config->cgroup_id_filter_enabled_scopes) {
filter_map = get_filter_map(&cgroup_id_filter_version, pols_version);
filter_map = get_filter_map(&cgroup_id_filter_version, version);
u64 filter_out_scopes = p->config->cgroup_id_filter_out_scopes;
u64 mask = ~p->config->cgroup_id_filter_enabled_scopes;
u32 cgroup_id_lsb = context->cgroup_id;
res &= equality_filter_matches(filter_out_scopes, filter_map, &cgroup_id_lsb) | mask;
}

if (p->config->proc_tree_filter_enabled_scopes) {
filter_map = get_filter_map(&process_tree_map_version, pols_version);
filter_map = get_filter_map(&process_tree_map_version, version);
u64 filter_out_scopes = p->config->proc_tree_filter_out_scopes;
u64 mask = ~p->config->proc_tree_filter_enabled_scopes;
u32 host_pid = context->host_pid;
res &= equality_filter_matches(filter_out_scopes, filter_map, &host_pid) | mask;
}

if (p->config->bin_path_filter_enabled_scopes) {
filter_map = get_filter_map(&binary_filter_version, pols_version);
filter_map = get_filter_map(&binary_filter_version, version);
u64 filter_out_scopes = p->config->bin_path_filter_out_scopes;
u64 mask = ~p->config->bin_path_filter_enabled_scopes;
res &= binary_filter_matches(filter_out_scopes, filter_map, proc_info) | mask;
Expand Down Expand Up @@ -348,8 +348,8 @@ statfunc u64 should_trace(program_data_t *p)

statfunc u64 should_submit(u32 event_id, event_data_t *event)
{
u16 pols_version = event->context.policies_version;
void *inner_events_map = bpf_map_lookup_elem(&events_map_version, &pols_version);
u16 version = event->context.policies_version;
void *inner_events_map = bpf_map_lookup_elem(&events_map_version, &version);
if (inner_events_map == NULL)
return 0;

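Review bot: get_filter_map can return NULL when the outer map has no inner map for `version`, and none of the visible call sites in compute_scopes check the result before handing `filter_map` to equality_filter_matches or binary_filter_matches. Those helpers are outside the shown lines and may handle NULL themselves, but the comment above get_filter_map should state the contract, e.g. `// get_filter_map returns the inner filter map for the given policies version, or NULL if the outer map has no entry for it`. should_submit returns 0 on the same kind of miss without logging, whereas filter_file_type in capture_filtering.h logs BPF_LOG_ID_MAP_LOOKUP_ELEM. If returning 0 there means the event is not submitted, a short comment saying that a missing version suppresses the event on purpose would help anyone investigating gaps in detection coverage.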
