
Backports/v1.0/string match fixes #1819

Merged: 5 commits, merged Dec 4, 2023

Conversation

kevsecurity (Contributor)

Increase prefix matches to 256 characters (fix regression).
Check prefix and postfix on strings longer than the prefix and postfix maximums (bug fix).
Add mappings for sock and skb types (bug fix).

See commits.


The file prefix limit was originally 256 characters. When the code was
converted to use LPM TRIE maps, the limit was set to 128 characters.

This commit changes the prefix limit from 128 to 256 characters.

[Upstream commit: 3a6d3209]

Signed-off-by: Kevin Sheldrake <[email protected]>

Kprobe arguments of type "sock" and "skb" are valid but fail BTF
validation because the function prototypes report "struct sock *" and
"struct sk_buff *" types.

This commit adds validation to remove warnings that these types in the
policy don't match the types in the function prototypes.

[Upstream commit: 6be17e98]

Signed-off-by: Kevin Sheldrake <[email protected]>

Prefix matching is done by looking up the provided string in the LPM
TRIE string prefix map (for strings and file paths). Currently, we don't
look up strings that are longer than the prefix map can hold. This is a
bug, because we could still look up the beginning substring (to the max
the map allows) and if it matches, then the full string would also match
(if the map size permitted it).

This commit detects strings that are longer than the map allows and
instead of not matching, it looks up the longest beginning substring
that the map allows instead. This will allow prefix matching to be used
on all strings and not just the ones short enough to fit into the prefix
map.

[Upstream commit: 9a5e74dc]

Signed-off-by: Kevin Sheldrake <[email protected]>

Postfix matching is done by reversing all the postfixes and storing them
in a LPM TRIE map, and then reversing the string to match on and looking
it up in the map. If the string to match is longer than the postfix max
length then the string would not be matched, leading to long strings not
being subject to the match logic.

This commit modifies the lookup to handle strings longer than the
postfix max length. It fixes the length to copy to the postfix max
length and supplies an offset from where to start copying. The offset is
calculated as the difference between the original length and the capped
length.

[Upstream commit: 7d2a344a]

Signed-off-by: Kevin Sheldrake <[email protected]>

Add tests for very long (>256 chars) paths for prefix and postfix
selectors.

[Upstream commit: cf7aceb8]

Signed-off-by: Kevin Sheldrake <[email protected]>
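The prefix and postfix lookups described in the commit messages above (the 256-character limit, prefix matching on strings longer than the map holds, and postfix matching with a copy offset), modelled as an added user-space C example. This is not Tetragon's code: the BPF LPM trie is replaced by a small linear map with longest-prefix-match semantics, and the names STRING_MAX, lpm_map, lpm_lookup, prefix_match, postfix_match and run_lookups, as well as the constructed 399-character path, are assumptions made for illustration. Each matcher takes a fixed flag so the pre-fix behaviour (a string longer than the map key is never looked up, so it never matches) can be compared with the fixed behaviour (cap the lookup at the map key size; for postfixes, copy from offset = original length - capped length).

```c
/*
 * Added example, not Tetragon's code.  Models the prefix/postfix string
 * matching described in the commit messages with a user-space stand-in
 * for the BPF LPM trie.  STRING_MAX, lpm_map, lpm_lookup, prefix_match,
 * postfix_match and run_lookups are assumed names for illustration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define STRING_MAX  256   /* assumed map key size: the 256-char limit the fix restores */
#define MAP_ENTRIES 8

struct lpm_entry { size_t len; char data[STRING_MAX]; };
struct lpm_map   { size_t n; struct lpm_entry e[MAP_ENTRIES]; };

/* Store a key; like the BPF map it cannot hold more than STRING_MAX bytes. */
static bool lpm_insert(struct lpm_map *m, const char *key, size_t len)
{
    if (m->n == MAP_ENTRIES || len > STRING_MAX)
        return false;
    m->e[m->n].len = len;
    memcpy(m->e[m->n].data, key, len);
    m->n++;
    return true;
}

/* Longest-prefix-match semantics: true if any stored key is a prefix of (data,len). */
static bool lpm_lookup(const struct lpm_map *m, const char *data, size_t len)
{
    for (size_t i = 0; i < m->n; i++)
        if (m->e[i].len <= len && memcmp(m->e[i].data, data, m->e[i].len) == 0)
            return true;
    return false;
}

static void reverse_into(char *dst, const char *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = src[len - 1 - i];
}

/* Policy postfixes are stored reversed, turning a postfix lookup into a prefix lookup. */
static bool postfix_insert(struct lpm_map *m, const char *postfix)
{
    char rev[STRING_MAX];
    size_t len = strlen(postfix);
    if (len > STRING_MAX)
        return false;
    reverse_into(rev, postfix, len);
    return lpm_insert(m, rev, len);
}

/* fixed == false: pre-fix behaviour, long strings are never looked up.
 * fixed == true : look up only the leading STRING_MAX bytes; if those match a
 *                 stored prefix, the full string matches it as well. */
static bool prefix_match(const struct lpm_map *m, const char *s, bool fixed)
{
    size_t len = strlen(s);
    if (len > STRING_MAX) {
        if (!fixed)
            return false;
        len = STRING_MAX;
    }
    return lpm_lookup(m, s, len);
}

/* Reverse the candidate and look it up.  For long strings the fix copies
 * STRING_MAX bytes starting at offset = original length - capped length,
 * i.e. the tail of the string, which is all a postfix can depend on. */
static bool postfix_match(const struct lpm_map *m, const char *s, bool fixed)
{
    char rev[STRING_MAX];
    size_t len = strlen(s), off = 0;
    if (len > STRING_MAX) {
        if (!fixed)
            return false;
        off = len - STRING_MAX;
        len = STRING_MAX;
    }
    reverse_into(rev, s + off, len);
    return lpm_lookup(m, rev, len);
}

/* Constructed input: head + 'a' filler + tail, filling a cap-byte buffer. */
static void long_path(char *out, size_t cap, const char *head, const char *tail)
{
    size_t h = strlen(head), t = strlen(tail), fill = cap - 1 - h - t;
    memcpy(out, head, h);
    memset(out + h, 'a', fill);
    memcpy(out + h + fill, tail, t + 1);
}

/* Policy: prefix "/usr/lib/", postfix ".so".  Runs both matchers on a 399-char
 * constructed path; returns bit 0 = prefix hit, bit 1 = postfix hit. */
static int run_lookups(const char *head, const char *tail, bool fixed)
{
    struct lpm_map prefixes = {0}, postfixes = {0};
    char path[400];
    lpm_insert(&prefixes, "/usr/lib/", strlen("/usr/lib/"));
    postfix_insert(&postfixes, ".so");
    long_path(path, sizeof path, head, tail);
    return (prefix_match(&prefixes, path, fixed) ? 1 : 0)
         | (postfix_match(&postfixes, path, fixed) ? 2 : 0);
}

int main(void)
{
    printf("pre-fix: %d  fixed: %d\n",
           run_lookups("/usr/lib/", "/libcrypto.so", false),
           run_lookups("/usr/lib/", "/libcrypto.so", true));
    return 0;
}
```

Capping the lookup to the first (or, reversed, the last) STRING_MAX bytes is sound only because a stored key can itself never exceed STRING_MAX bytes, so any stored prefix that would match the full string also matches its leading STRING_MAX bytes, and likewise for a stored postfix and the trailing bytes; that is the reasoning the prefix commit message gives, and the example's pre-fix branch shows the false negative the old code produced on long paths.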
@kevsecurity kevsecurity requested a review from a team as a code owner November 30, 2023 17:39
@kevsecurity kevsecurity requested review from olsajiri and removed request for a team November 30, 2023 17:39
@kevsecurity kevsecurity added the release-note/bug This PR fixes an issue in a previous release of Tetragon. label Nov 30, 2023
@kevsecurity kevsecurity merged commit 6285eef into v1.0 Dec 4, 2023
28 of 29 checks passed
@kevsecurity kevsecurity deleted the backports/v1.0/kevsecurity/string-match-fixes branch December 4, 2023 15:13