Data filter in kernel

[rscampos]

1. Explain what the PR does

3717704 Tracee data filter equalities
0edc416 eBPF data filter (user-space)
48cc10b Enable data filter in eBPF program
f435287 eBPF data filter (kernel-space)
6ca82e6 Enable BPF_F_NO_PREALLOC for LPM TRIE

3717704 Tracee data filter equalities

- method equalities created for data filter;
- disable data filter (only pathname) for selected events.

0edc416 eBPF data filter (user-space)

- eBPF map definition for prefix, postfix and exactly match;
- create updateDataFilterLPMBPF and updateDataFilterBPF to populate eBPF
  maps;
- config map fields for prefix, postfix and exactly.

48cc10b Enable data filter in eBPF program

- how to enable data filter in the eBPF program using the function
evaluate_data_filters.

f435287 eBPF data filter (kernel-space)

- function load_str_from_buf created to retrieve str value based on index;
- function reverse_string created to revert the pathname in order to enable postfix;
- function evaluate_data_filters/match_data_filters created to apply: prefix, postfix and exactly match;
- eBPF maps for prefix, postfix and exactly. eBPF map for hold temporary LPM TRI key;
- add fields in config_map for prefix, postfix and exactly match.

2. Explain how to test it

The method for defining data filters in Tracee remains the same. However, for the security_file_open and magic_write events, if the pathname is used as a filter, the event is now filtered at the eBPF data plane, preventing it from being sent to user space for filtering.

Prefix:
Tracee:

sudo ./dist/tracee -e security_file_open.data.pathname=/etc/hosts*

Cmd:

cat /etc/hosts.allow
cat /etc/hosts.deny

Exactly:
Tracee:

sudo ./dist/tracee -e security_file_open.data.pathname=/etc/netconfig

Cmd:

cat /etc/netconfig

Postfix:
Tracee:

sudo ./dist/tracee -e security_file_open.data.pathname=*config

Cmd:

cat /etc/netconfig

3. Other comments

Next steps:

1. Evaluate and combine all three types of string-based filters simultaneously. Currently, they work separately but not together.
2. Improve the way we define (in user-space) which events should have an in-kernel filter enabled. Some parts of the logic I added were just for a PoC, so this needs to be reworked.
3. Currently, we explicitly define the index in evaluate_data_filters to retrieve the pathname for string-based filtering. This works for now, but it would be better to dynamically retrieve the index based on the event ID.

[geyslan]

This is just a first pass (skimming) review.

Tested and working with:

sudo ./dist/tracee -e security_file_open.data.pathname=/etc/passwd
sudo ./dist/tracee -e security_file_open.data.pathname='/etc/passwd*'
sudo ./dist/tracee -e security_file_open.data.pathname='*passwd-'

Amazing, @rscampos! 👏🏼

[geyslan]

Perhaps this could be placed in the helpers pkg?

[geyslan]

Shouldn't this be?

Suggested change

	cfg.EnabledDataFilters |= 1 << offset
	cfg.EnabledDataFilters |= (ExactlyEnabledDataFilters | PrefixEnabledDataFilters | cfg.PostfixEnabledDataFilters) & (1 << offset)

[geyslan]

There's duplicate logic in here from EnableKernel().

[geyslan]

What do you think of checking a kernelFilter flag instead (it could be set on Parse)?

[geyslan]

We can easily use the happy path here.

[geyslan]

Suggested change

	u32 eventid;
	u32 event_id;

nit: I know that there's still some eventid, but it would be nice to standardise them as well.

[geyslan]

Suggested change

	u32 prefixlen;
	u32 prefix_len;

[geyslan]

We've already discussed about this. Just registering for possible improvements of the save_*to*_buf API.

I believe that save_str_to_buf(), for instance, could return the offset that it saved the string with a simple change. So that info should be propagated in the scrap buffers to be reused further as an argument to load_str_from_buf() and other helpers alike.