bpf: Add postfix/notpostfix operator for matching binaries

Adding postfix/notpostfix cases to match_binaries function allows to support postfix operator in matchBinaries selector. Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
cilium · Jul 18, 2024 · cd3bbdf · cd3bbdf
1 parent 2ece34d
commit cd3bbdf
Showing 1 changed file with 19 additions and 4 deletions.
diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
@@ -826,9 +826,6 @@ filter_char_buf_prefix(struct selector_arg_filter *filter, char *arg_str, uint a
 	return !!pass;
 }
 
-// Define a mask for the maximum path length on Linux.
-#define PATH_MASK (4096 - 1)
-
 FUNC_INLINE void copy_reverse(__u8 *dest, uint len, __u8 *src, uint offset)
 {
 	uint i;
@@ -848,7 +845,7 @@ FUNC_INLINE void copy_reverse(__u8 *dest, uint len, __u8 *src, uint offset)
 	// Alternative (prettier) fixes resulted in a confused verifier
 	// unfortunately.
 	for (i = 0; i < (STRING_POSTFIX_MAX_MATCH_LENGTH - 1); i++) {
-		dest[i & STRING_POSTFIX_MAX_MASK] = src[(len + offset - 1 - i) & PATH_MASK];
+		dest[i & STRING_POSTFIX_MAX_MASK] = src[(len + offset - 1 - i) & (BINARY_PATH_MAX_LEN - 1)];
 		if (len + offset == (i + 1))
 			return;
 	}
@@ -1554,6 +1551,9 @@ FUNC_INLINE int match_binaries(__u32 selidx)
 	__u8 *found_key;
 #ifdef __LARGE_BPF_PROG
 	struct string_prefix_lpm_trie prefix_key;
+	struct string_postfix_lpm_trie* postfix_key;
+	uint postfix_len = 0;
+	int zero = 0;
 	long ret;
 #endif /* __LARGE_BPF_PROG */
 
@@ -1599,6 +1599,21 @@ FUNC_INLINE int match_binaries(__u32 selidx)
 				return 0;
 			found_key = map_lookup_elem(path_map, &prefix_key);
 			break;
+		case op_filter_str_postfix:
+		case op_filter_str_notpostfix:
+			postfix_len = current->bin.path_length;
+			path_map = map_lookup_elem(&string_postfix_maps, &selector_options->map_id);
+			if (!path_map || !postfix_len)
+				return 0;
+			if (postfix_len >= STRING_POSTFIX_MAX_MATCH_LENGTH)
+				postfix_len = STRING_POSTFIX_MAX_MATCH_LENGTH - 1;
+			postfix_key = (struct string_postfix_lpm_trie *)map_lookup_elem(&string_postfix_maps_heap, &zero);
+			if (!postfix_key)
+				return 0;
+			postfix_key->prefixlen = postfix_len * 8; // prefixlen is in bits
+			copy_reverse(postfix_key->data, postfix_len, (__u8 *)current->bin.path, current->bin.path_length - postfix_len);
+			found_key = map_lookup_elem(path_map, postfix_key);
+			break;
 #endif /* __LARGE_BPF_PROG */
 		default:
 			// should not happen