Add a reverse policy filter mapping

This patch introduces an eBPF map that maps cgroupIds to policyIds. This is handled from the user-space in a similar way to policy_filter_maps. This can be used on later PRs to quickly indentify policies that match a spoecific container or optimize tracing policies. Signed-off-by: Anastasios Papagiannis <[email protected]>
cilium · Dec 13, 2024 · 0607f97 · 0607f97
1 parent 8f28090
commit 0607f97
Show file tree

Hide file tree

Showing 5 changed files with 343 additions and 52 deletions.
diff --git a/bpf/process/policy_filter.h b/bpf/process/policy_filter.h
@@ -9,6 +9,7 @@
 
 #define POLICY_FILTER_MAX_POLICIES   128
 #define POLICY_FILTER_MAX_NAMESPACES 1024
+#define POLICY_FILTER_MAX_CGROUP_IDS 32768 /* same as polMapSize in policyfilter/state.go */
 
 struct {
 	__uint(type, BPF_MAP_TYPE_LRU_HASH);
@@ -30,6 +31,23 @@ struct {
 		});
 } policy_filter_maps SEC(".maps");
 
+// This map keeps exactly the same information as policy_filter_maps
+// but keeps the reverse mappings. i.e.
+// policy_filter_maps maps policy_id to cgroup_ids
+// policy_filter_reverse_maps maps cgroup_id to policy_ids
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH_OF_MAPS);
+	__uint(max_entries, POLICY_FILTER_MAX_CGROUP_IDS);
+	__uint(key_size, sizeof(__u64)); /* cgroup id */
+	__array(
+		values, struct {
+			__uint(type, BPF_MAP_TYPE_HASH);
+			__uint(max_entries, POLICY_FILTER_MAX_POLICIES);
+			__type(key, __u32); /* policy id */
+			__type(value, __u8); /* empty  */
+		});
+} policy_filter_reverse_maps SEC(".maps");
+
 // policy_filter_check checks whether the policy applies on the current process.
 // Returns true if it does, false otherwise.
 

diff --git a/cmd/tetra/debug/dump.go b/cmd/tetra/debug/dump.go
@@ -186,18 +186,33 @@ func PolicyfilterState(fname string) {
 		return
 	}
 
-	if len(data) == 0 {
+	fmt.Println("--- Direct Map ---")
+
+	if len(data.Direct) == 0 {
 		fmt.Printf("(empty)\n")
-		return
 	}
 
-	for polId, cgIDs := range data {
+	for polId, cgIDs := range data.Direct {
 		ids := make([]string, 0, len(cgIDs))
 		for id := range cgIDs {
 			ids = append(ids, strconv.FormatUint(uint64(id), 10))
 		}
 		fmt.Printf("%d: %s\n", polId, strings.Join(ids, ","))
 	}
+
+	fmt.Println("--- Reverse Map ---")
+
+	if len(data.Reverse) == 0 {
+		fmt.Printf("(empty)\n")
+	}
+
+	for cgIDs, polIds := range data.Reverse {
+		ids := make([]string, 0, len(polIds))
+		for id := range polIds {
+			ids = append(ids, strconv.FormatUint(uint64(id), 10))
+		}
+		fmt.Printf("%d: %s\n", cgIDs, strings.Join(ids, ","))
+	}
 }
 
 func NamespaceState(fname string) error {