tetragon: Add Postfix and NotPostfix operators to matchBinaries selector
Add Postfix and NotPostfix operators to the matchBinaries selector, as is
already done for the matchArgs selector.

Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
anfedotoff committed Jul 19, 2024
1 parent 7054fda commit 524b3a8
Showing 10 changed files with 62 additions and 7 deletions.
Expand Up @@ -451,6 +451,8 @@ spec:
- NotIn
- Prefix
- NotPrefix
- Postfix
- NotPostfix
type: string
values:
description: Value to compare the argument against.
Expand Down Expand Up @@ -1690,6 +1692,8 @@ spec:
- NotIn
- Prefix
- NotPrefix
- Postfix
- NotPostfix
type: string
values:
description: Value to compare the argument against.
Expand Down Expand Up @@ -2262,6 +2266,8 @@ spec:
- NotIn
- Prefix
- NotPrefix
- Postfix
- NotPostfix
type: string
values:
description: Value to compare the argument against.
Expand Up @@ -451,6 +451,8 @@ spec:
- NotIn
- Prefix
- NotPrefix
- Postfix
- NotPostfix
type: string
values:
description: Value to compare the argument against.
Expand Down Expand Up @@ -1690,6 +1692,8 @@ spec:
- NotIn
- Prefix
- NotPrefix
- Postfix
- NotPostfix
type: string
values:
description: Value to compare the argument against.
Expand Down Expand Up @@ -2262,6 +2266,8 @@ spec:
- NotIn
- Prefix
- NotPrefix
- Postfix
- NotPostfix
type: string
values:
description: Value to compare the argument against.
Expand Up @@ -451,6 +451,8 @@ spec:
- NotIn
- Prefix
- NotPrefix
- Postfix
- NotPostfix
type: string
values:
description: Value to compare the argument against.
Expand Down Expand Up @@ -1690,6 +1692,8 @@ spec:
- NotIn
- Prefix
- NotPrefix
- Postfix
- NotPostfix
type: string
values:
description: Value to compare the argument against.
Expand Down Expand Up @@ -2262,6 +2266,8 @@ spec:
- NotIn
- Prefix
- NotPrefix
- Postfix
- NotPostfix
type: string
values:
description: Value to compare the argument against.
Expand Up @@ -451,6 +451,8 @@ spec:
- NotIn
- Prefix
- NotPrefix
- Postfix
- NotPostfix
type: string
values:
description: Value to compare the argument against.
Expand Down Expand Up @@ -1690,6 +1692,8 @@ spec:
- NotIn
- Prefix
- NotPrefix
- Postfix
- NotPostfix
type: string
values:
description: Value to compare the argument against.
Expand Down Expand Up @@ -2262,6 +2266,8 @@ spec:
- NotIn
- Prefix
- NotPrefix
- Postfix
- NotPostfix
type: string
values:
description: Value to compare the argument against.
2 changes: 1 addition & 1 deletion pkg/k8s/apis/cilium.io/v1alpha1/types.go
Expand Up @@ -90,7 +90,7 @@ type KProbeArg struct {
}

type BinarySelector struct {
// +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix
// +kubebuilder:validation:Enum=In;NotIn;Prefix;NotPrefix;Postfix;NotPostfix
// Filter operation.
Operator string `json:"operator"`
// Value to compare the argument against.
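Review bot: The `// Filter operation.` comment on `Operator` does not say what the two new enum values mean for a binary selector, and it is the only documentation for the field visible in this hunk. I would extend it along the lines of `// Filter operation. Postfix/NotPostfix compare the end of the binary path against each value.` (presumably the path is what is matched; confirm against the BPF side) and mention the limit enforced in pkg/selectors/kernel.go, which rejects values of StringPostfixMaxLength characters or more. Since a postfix is a plain suffix comparison, a value without a leading `/` (constructed example: `bash`) would also match any binary whose name merely ends in those characters, so a NotPostfix exclusion can end up broader than the policy author intended; the comment should advise anchoring values on a path separator. The struct continues past the end of the hunk.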
2 changes: 1 addition & 1 deletion pkg/k8s/apis/cilium.io/v1alpha1/version.go
Expand Up @@ -7,4 +7,4 @@ package v1alpha1
// Used to determine if CRD needs to be updated in cluster
//
// Developers: Bump patch for each change in the CRD schema.
const CustomResourceDefinitionSchemaVersion = "1.2.1"
const CustomResourceDefinitionSchemaVersion = "1.2.2"
27 changes: 23 additions & 4 deletions pkg/selectors/kernel.go
Expand Up @@ -711,7 +711,7 @@ func writePrefixStrings(k *KernelSelectorState, values []string) error {
return nil
}

func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) error {
func writePostfix(k *KernelSelectorState, values []string, ty uint32, selector string) (uint32, error) {
mid, m := k.newStringPostfixMap()
for _, v := range values {
var value []byte
Expand All @@ -724,7 +724,7 @@ func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) err
// Due to the constraints of the reverse copy in BPF, we will not be able to match a postfix
// longer than 127 characters, so throw an error if the user specified one.
if size >= StringPostfixMaxLength {
return fmt.Errorf("MatchArgs value %s invalid: string is longer than %d characters", v, StringPostfixMaxLength-1)
return 0, fmt.Errorf("%s value %s invalid: string is longer than %d characters", selector, v, StringPostfixMaxLength-1)
}
val := KernelLPMTrieStringPostfix{prefixLen: size * 8} // postfix is in bits, but size is in bytes
// Copy postfix in reverse order, so that it can be used in LPM map
Expand All @@ -733,7 +733,18 @@ func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) err
}
m[val] = struct{}{}
}
// write the map id into the selector
return mid, nil
}

func writePostfixBinaries(k *KernelSelectorState, values []string) (uint32, error) {
return writePostfix(k, values, gt.GenericCharBuffer, "MatchBinaries")
}

func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) error {
mid, err := writePostfix(k, values, ty, "MatchArgs")
if err != nil {
return err
}
WriteSelectorUint32(&k.data, mid)
return nil
}
Expand Down Expand Up @@ -1198,8 +1209,16 @@ func ParseMatchBinary(k *KernelSelectorState, b *v1alpha1.BinarySelector, selIdx
if err != nil {
return fmt.Errorf("failed to write the prefix operator for the matchBinaries selector: %w", err)
}
case SelectorOpPostfix, SelectorOpNotPostfix:
if !kernels.EnableLargeProgs() {
return fmt.Errorf("matchBinary error: \"Postfix\" and \"NotPostfix\" operators need large BPF progs (kernel>5.3)")
}
sel.MapID, err = writePostfixBinaries(k, b.Values)
if err != nil {
return fmt.Errorf("failed to write the prefix operator for the matchBinaries selector: %w", err)
}
default:
return fmt.Errorf("matchBinary error: Only \"In\", \"NotIn\", \"Prefix\" and \"NotPrefix\" operators are supported")
return fmt.Errorf("matchBinary error: Only \"In\", \"NotIn\", \"Prefix\", \"NotPrefix\", \"Postfix\" and \"NotPostfix\" operators are supported")
}

k.AddMatchBinaries(selIdx, sel)
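Review bot: The new `SelectorOpPostfix, SelectorOpNotPostfix` case in ParseMatchBinary wraps a writePostfixBinaries failure with the message copied from the Prefix case, so a rejected postfix value is reported as a prefix problem. The wrap should read `return fmt.Errorf("failed to write the postfix operator for the matchBinaries selector: %w", err)`. Someone whose policy fails to load because a value hits the 127-character limit checked in writePostfix would otherwise be pointed at the wrong operator. ParseMatchBinary starts and ends outside the hunk, so only this case and the default branch were reviewed.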
