chore: inject deps manager into policy manager

It makes the access to event flags be done through the policy manager, which is responsible for setting up the dependencies manager. This also: - Turn the event flags access thread-safe. - Renames manager and config types. - Fix t.eventSignatures[eventId] logic, now accessible via policy manager IsRequiredBySignature(), since the former was only flagging the event as signature, but not as required by one.
geyslan · Sep 17, 2024 · d5b1952 · d5b1952
1 parent e664596
commit d5b1952
Show file tree

Hide file tree

Showing 16 changed files with 627 additions and 385 deletions.
diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
@@ -268,9 +268,9 @@ func (t *Tracee) decodeEvents(ctx context.Context, sourceChan chan []byte) (<-ch
 			// thus the need to continue with those within the pipeline.
 			if t.matchPolicies(evt) == 0 {
 				_, hasDerivation := t.eventDerivations[eventId]
-				_, hasSignature := t.eventSignatures[eventId]
+				reqBySig := t.policyManager.IsRequiredBySignature(eventId)
 
-				if !hasDerivation && !hasSignature {
+				if !hasDerivation && !reqBySig {
 					_ = t.stats.EventsFiltered.Increment()
 					t.eventsPool.Put(evt)
 					continue
@@ -598,7 +598,7 @@ func (t *Tracee) sinkEvents(ctx context.Context, in <-chan *trace.Event) <-chan
 
 			// Only emit events requested by the user and matched by at least one policy.
 			id := events.ID(event.EventID)
-			event.MatchedPoliciesUser &= t.eventsState[id].Emit
+			event.MatchedPoliciesUser = t.policyManager.MatchEvent(id, event.MatchedPoliciesUser)
 			if event.MatchedPoliciesUser == 0 {
 				t.eventsPool.Put(event)
 				continue

diff --git a/pkg/ebpf/hidden_kernel_module.go b/pkg/ebpf/hidden_kernel_module.go
@@ -28,7 +28,7 @@ func (t *Tracee) lkmSeekerRoutine(ctx gocontext.Context) {
 	logger.Debugw("Starting lkmSeekerRoutine goroutine")
 	defer logger.Debugw("Stopped lkmSeekerRoutine goroutine")
 
-	if t.eventsState[events.HiddenKernelModule].Emit == 0 {
+	if !t.policyManager.IsEventToEmit(events.HiddenKernelModule) {
 		return
 	}
 

diff --git a/pkg/ebpf/hooked_syscall_table.go b/pkg/ebpf/hooked_syscall_table.go
@@ -25,7 +25,7 @@ func (t *Tracee) hookedSyscallTableRoutine(ctx gocontext.Context) {
 	logger.Debugw("Starting hookedSyscallTable goroutine")
 	defer logger.Debugw("Stopped hookedSyscallTable goroutine")
 
-	if t.eventsState[events.HookedSyscall].Submit == 0 {
+	if !t.policyManager.IsEventToSubmit(events.HookedSyscall) {
 		return
 	}
 

diff --git a/pkg/ebpf/ksymbols.go b/pkg/ebpf/ksymbols.go
@@ -36,7 +36,7 @@ func (t *Tracee) UpdateKallsyms() error {
 
 	var allReqSymbols []string
 
-	for evtID := range t.eventsState {
+	for _, evtID := range t.policyManager.EventsSelected() {
 		for _, symDep := range evtDefSymDeps(evtID) {
 			allReqSymbols = append(allReqSymbols, symDep.GetSymbolName())
 		}

diff --git a/pkg/ebpf/processor_funcs.go b/pkg/ebpf/processor_funcs.go
@@ -215,11 +215,11 @@ func (t *Tracee) processSchedProcessExec(event *trace.Event) error {
 // processDoFinitModule handles a do_finit_module event and triggers other hooking detection logic.
 func (t *Tracee) processDoInitModule(event *trace.Event) error {
 	// Check if related events are being traced.
-	_, okSyscalls := t.eventsState[events.HookedSyscall]
-	_, okSeqOps := t.eventsState[events.HookedSeqOps]
-	_, okProcFops := t.eventsState[events.HookedProcFops]
-	_, okMemDump := t.eventsState[events.PrintMemDump]
-	_, okFtrace := t.eventsState[events.FtraceHook]
+	okSyscalls := t.policyManager.IsEventSelected(events.HookedSyscall)
+	okSeqOps := t.policyManager.IsEventSelected(events.HookedSeqOps)
+	okProcFops := t.policyManager.IsEventSelected(events.HookedProcFops)
+	okMemDump := t.policyManager.IsEventSelected(events.PrintMemDump)
+	okFtrace := t.policyManager.IsEventSelected(events.FtraceHook)
 
 	if !okSyscalls && !okSeqOps && !okProcFops && !okMemDump && !okFtrace {
 		return nil

diff --git a/pkg/ebpf/signature_engine.go b/pkg/ebpf/signature_engine.go
@@ -29,8 +29,7 @@ func (t *Tracee) engineEvents(ctx context.Context, in <-chan *trace.Event) (<-ch
 
 	// Share event states (by reference)
 	t.config.EngineConfig.ShouldDispatchEvent = func(eventIdInt32 int32) bool {
-		_, ok := t.eventsState[events.ID(eventIdInt32)]
-		return ok
+		return t.policyManager.IsEventSelected(events.ID(eventIdInt32))
 	}
 
 	sigEngine, err := engine.NewEngine(t.config.EngineConfig, source, engineOutput)
@@ -62,7 +61,7 @@ func (t *Tracee) engineEvents(ctx context.Context, in <-chan *trace.Event) (<-ch
 		id := events.ID(event.EventID)
 
 		// if the event is marked as submit, we pass it to the engine
-		if t.eventsState[id].Submit > 0 {
+		if t.policyManager.IsEventToSubmit(id) {
 			err := t.parseArguments(event)
 			if err != nil {
 				t.handleError(err)