Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[bug] matchPIDs is using first pid only #3255

Merged
merged 2 commits into from
Jan 9, 2025
Merged

Conversation

arthur-zhang
Copy link
Contributor

@arthur-zhang arthur-zhang commented Dec 24, 2024

Fixes bug

Description

In the code, the function next_pid_value(index, f, ty) is called multiple times to update the index, but the updated value is not written back to sel->index. This wil cause external callers to be unable to obtain the updated state.

matchPIDs only use first pid

selectors:
- matchPIDs:
  - operator: NotIn
    values:
    - 0
    - 1
__u32 index = sel->index;

index = next_pid_value(index, f, ty);

FUNC_INLINE int next_pid_value(__u32 off, __u32 *f, __u32 ty)
{
	return off + 4;
}

offset use selecttor_filter->index

FUNC_INLINE int
process_filter_pid(struct selector_filter *sf, __u32 *f,
		   struct execve_map_value *enter, struct msg_ns *n,
		   struct msg_capabilities *c)
{
	__u32 sel, off = sf->index;  
	__u64 flags = sf->flags;
	__u64 pid;

	if (flags & PID_SELECTOR_FLAG_NSPID) {
		pid = enter->nspid;
	} else {
		pid = enter->key.pid;
	}

	if (off > 1000)
		sel = 0;
	else {
		__u64 o = (__u64)off;
		o = o / 4;
		asm volatile("%[o] &= 0x3ff;\n"
			     : [o] "+r"(o));
		sel = f[o];
	}
}

Changelog

Fix selector filter to properly update and assign `sel->index` in `pfilter.h`

@arthur-zhang arthur-zhang requested a review from a team as a code owner December 24, 2024 04:00
@arthur-zhang arthur-zhang changed the title fix: update selector_filter index assignment to use sel->index [bug] matchPIDs is using first pid only Dec 24, 2024
@arthur-zhang arthur-zhang force-pushed the dev3 branch 2 times, most recently from 2360997 to 14ca790 Compare December 24, 2024 07:04
Copy link
Contributor

@olsajiri olsajiri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice catch, could you please add test for the 2 pids matching spec? thanks

@@ -342,15 +342,19 @@ selector_match(__u32 *f, struct selector_filter *sel,
four:
res4 = process_filter(sel, f, enter, &msg->ns, &msg->caps);
index = next_pid_value(index, f, ty);
sel->index = index;
three:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we do directly sel->index = next_pid_value(index, f, ty); ?

Copy link
Contributor Author

@arthur-zhang arthur-zhang Dec 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe not. If we do that, index is not changed. and sel->index will be 0 and 4(using first two pids), not more pids will be chosen. (I already tested this)

maybe we can remove index variable and use sel->index = next_pid_value(sel->index, f, ty) directly

@arthur-zhang
Copy link
Contributor Author

nice catch, could you please add test for the 2 pids matching spec? thanks

OK,I will spend some time to figure out how to do that.

Copy link

netlify bot commented Jan 6, 2025

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit ac4f9c7
🔍 Latest deploy log https://app.netlify.com/sites/tetragon/deploys/677ba7bf932f710008795cf9
😎 Deploy Preview https://deploy-preview-3255--tetragon.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@arthur-zhang
Copy link
Contributor Author

arthur-zhang commented Jan 6, 2025

nice catch, could you please add test for the 2 pids matching spec? thanks

write a simple test for that, please take some time to review it

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey thanks for taking the time to write such tests, I just wonder if there was a more straightforward way instead of adding a tests under bpf/tests. It's mostly because those are used for BPF unit tests and that would be maybe better to put the actual testing Go code under pkg/someappropriatepkg so that it gets tested along the other tests. Would you know a good place @olsajiri maybe?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hum, I dont mind it there.. it's testing the bpf selector_match function, which seems ok

Copy link
Contributor

@olsajiri olsajiri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good, left some comments
please split the fix and test code in separate commits

return fmt.Errorf("failed to update execve map: %w", err)
}
_, err = ctx.prog.Run(&ebpf.RunOptions{})
return err
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not have test_pid_match to return the err and take get it in here,
and you could drop test_result_map map

res = selector_match(f, &sel, enter, NULL, &process_filter_pid);

err = map_update_elem(&test_result_map, &zero, &res, BPF_ANY);
if (err) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no need for the condition, but please the other comment for runProg

struct execve_map_value *enter;

f = map_lookup_elem(&test_filter_map, &zero);

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

extra empty line

f = map_lookup_elem(&test_filter_map, &zero);

if (!f) {
return 0;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no need for {} in here

@olsajiri olsajiri added the release-note/minor This PR introduces a minor user-visible change label Jan 8, 2025
Copy link
Contributor

@olsajiri olsajiri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added some more comments, but looks good overall, please add missing changelogs

coll *ebpf.Collection
prog *ebpf.Program
execvMap *ebpf.Map
t *testing.T
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAICS there's no need to store t in testContext

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

refracted.

#include "process/retprobe_map.h"

#include "process/types/basic.h"
#include "process/generic_calls.h"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I dont think this include is needed and AFAICS will cause compilation fail now

Copy link
Contributor Author

@arthur-zhang arthur-zhang Jan 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is due to pfilter.h, it relies on

  • struct execve_map_value declare in lib/process.h
  • op_filter_in process/types/operations.h
  • INDEX_MASK in process/types/basic.h

to make in compile, i added those headers. It compiles currently.

Any ideas to fix this?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this does it for me

diff --git a/bpf/tests/pid_match_test.c b/bpf/tests/pid_match_test.c
index 1411d4a5351f..0af78469f7d8 100644
--- a/bpf/tests/pid_match_test.c
+++ b/bpf/tests/pid_match_test.c
@@ -10,7 +10,6 @@
 #include "process/retprobe_map.h"
 
 #include "process/types/basic.h"
-#include "process/generic_calls.h"
 #include "process/pfilter.h"
 
 char _license[] __attribute__((section("license"), used)) = "Dual BSD/GPL";

@arthur-zhang arthur-zhang force-pushed the dev3 branch 2 times, most recently from ac8dd65 to 9fd9574 Compare January 9, 2025 14:09
@arthur-zhang arthur-zhang requested a review from olsajiri January 9, 2025 14:10
This fixes an issue where PID filtering would not work correctly due to lost state updates. The selector filter now properly maintains its internal index state across multiple invocations.

Signed-off-by: arthur-zhang <[email protected]>
Add unit test for bpf function selector_match in pid match filter.

Signed-off-by: arthur-zhang <[email protected]>
@olsajiri olsajiri merged commit 7889df0 into cilium:main Jan 9, 2025
41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release-note/minor This PR introduces a minor user-visible change
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants