ebpf: fix string filter
yanivagman committed Mar 28, 2022
1 parent 01a118d commit 5a0887d
Showing 3 changed files with 40 additions and 2 deletions.
5 changes: 5 additions & 0 deletions cmd/tracee-ebpf/internal/flags/flags-filter.go
Expand Up @@ -7,6 +7,9 @@ import (
tracee "github.com/aquasecurity/tracee/pkg/ebpf"
)

// MaxBpfStrFilterSize value should match MAX_STR_FILTER_SIZE defined in BPF code
const MaxBpfStrFilterSize = 16

func FilterHelp() string {
return `Select which events to trace by defining trace expressions that operate on events or process metadata.
Only events that match all trace expressions will be traced (trace flags are ANDed).
Expand Down Expand Up @@ -105,10 +108,12 @@ func PrepareFilter(filters []string) (tracee.Filter, error) {
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: MaxBpfStrFilterSize,
},
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: MaxBpfStrFilterSize,
},
ContFilter: &tracee.BoolFilter{},
NewContFilter: &tracee.BoolFilter{},
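Review bot: `MaxBpfStrFilterSize` is declared in the flags package, but the code that depends on it is `StringFilter.Set` in pkg/ebpf, which sizes the map key from `StringFilter.Size`; any other code that builds a `tracee.Filter` has to know to set `Size` to this value itself. Consider defining the constant next to `StringFilter` in pkg/ebpf, or having `Set` fall back to it when `Size` is zero, so the Go side has a single source of truth for the key size. The comment could also state what the value is: `// MaxBpfStrFilterSize is the key size in bytes of the BPF string filter maps; it must equal MAX_STR_FILTER_SIZE in the BPF code.` That it is the map key size is inferred from how `Set` uses `Size`, and the body of `PrepareFilter` continues beyond the hunk.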
30 changes: 30 additions & 0 deletions cmd/tracee-ebpf/main_test.go
Expand Up @@ -256,10 +256,12 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
ContFilter: &tracee.BoolFilter{},
NewContFilter: &tracee.BoolFilter{},
Expand Down Expand Up @@ -307,10 +309,12 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
ContFilter: &tracee.BoolFilter{},
NewContFilter: &tracee.BoolFilter{},
Expand Down Expand Up @@ -358,10 +362,12 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
ContFilter: &tracee.BoolFilter{},
NewContFilter: &tracee.BoolFilter{},
Expand Down Expand Up @@ -409,10 +415,12 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
ContFilter: &tracee.BoolFilter{},
NewContFilter: &tracee.BoolFilter{},
Expand Down Expand Up @@ -459,11 +467,13 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{"ls"},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
Enabled: true,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
ContFilter: &tracee.BoolFilter{},
NewContFilter: &tracee.BoolFilter{},
Expand Down Expand Up @@ -510,10 +520,12 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{"deadbeaf"},
Size: flags.MaxBpfStrFilterSize,
Enabled: true,
},
ContFilter: &tracee.BoolFilter{},
Expand Down Expand Up @@ -562,10 +574,12 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
ContFilter: &tracee.BoolFilter{},
NewContFilter: &tracee.BoolFilter{},
Expand Down Expand Up @@ -613,10 +627,12 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
ContFilter: &tracee.BoolFilter{},
NewContFilter: &tracee.BoolFilter{},
Expand Down Expand Up @@ -663,10 +679,12 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
ContFilter: &tracee.BoolFilter{
Value: true,
Expand Down Expand Up @@ -716,10 +734,12 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
ContFilter: &tracee.BoolFilter{},
NewContFilter: &tracee.BoolFilter{
Expand Down Expand Up @@ -769,10 +789,12 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
ContFilter: &tracee.BoolFilter{},
NewContFilter: &tracee.BoolFilter{},
Expand Down Expand Up @@ -827,10 +849,12 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
},
ContFilter: &tracee.BoolFilter{},
NewContFilter: &tracee.BoolFilter{},
Expand Down Expand Up @@ -891,11 +915,13 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
Enabled: false,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
Enabled: false,
},
ContFilter: &tracee.BoolFilter{},
Expand Down Expand Up @@ -948,11 +974,13 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
Enabled: false,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
Enabled: false,
},
ContFilter: &tracee.BoolFilter{},
Expand Down Expand Up @@ -1004,11 +1032,13 @@ func TestPrepareFilter(t *testing.T) {
CommFilter: &tracee.StringFilter{
Equal: []string{"ps"},
NotEqual: []string{},
Size: flags.MaxBpfStrFilterSize,
Enabled: true,
},
UTSFilter: &tracee.StringFilter{
Equal: []string{},
NotEqual: []string{"abc"},
Size: flags.MaxBpfStrFilterSize,
Enabled: true,
},
ContFilter: &tracee.BoolFilter{},
7 changes: 5 additions & 2 deletions pkg/ebpf/filters.go
Expand Up @@ -239,6 +239,7 @@ func (filter *IntFilter) Parse(operatorAndValues string) error {
type StringFilter struct {
Equal []string
NotEqual []string
Size uint
Enabled bool
}

Expand Down Expand Up @@ -289,13 +290,15 @@ func (filter *StringFilter) Set(bpfModule *bpf.Module, filterMapName string) err
return err
}
for i := 0; i < len(filter.Equal); i++ {
filterEqualBytes := []byte(filter.Equal[i])
filterEqualBytes := make([]byte, filter.Size)
copy(filterEqualBytes, filter.Equal[i])
if err = filterMap.Update(unsafe.Pointer(&filterEqualBytes[0]), unsafe.Pointer(&filterEqualU32)); err != nil {
return err
}
}
for i := 0; i < len(filter.NotEqual); i++ {
filterNotEqualBytes := []byte(filter.NotEqual[i])
filterNotEqualBytes := make([]byte, filter.Size)
copy(filterNotEqualBytes, filter.NotEqual[i])
if err = filterMap.Update(unsafe.Pointer(&filterNotEqualBytes[0]), unsafe.Pointer(&filterNotEqualU32)); err != nil {
return err
}
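Review bot: In `StringFilter.Set` the key buffer is now `make([]byte, filter.Size)` and is indexed with `[0]`, so a `StringFilter` built without `Size` (the zero value) panics on its first entry, and `copy` silently truncates any value longer than `Size`. For a tracing filter the truncation matters: a comm or UTS value longer than the 16-byte key is stored as a different key than the user asked for, so depending on how the BPF side builds its lookup key the filter may never match or may match more than intended, with no error reported. Rejecting both cases up front would make this visible, e.g. `if filter.Size == 0 || uint(len(filter.Equal[i])) > filter.Size { return fmt.Errorf("string filter value %q does not fit in %d bytes", filter.Equal[i], filter.Size) }` in the Equal loop and the same check in the NotEqual loop (assuming `fmt` is imported in this file). The body of `Set` starts above the hunk, so a check that already exists there would not be visible from here.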
