-
Notifications
You must be signed in to change notification settings - Fork 378
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[bug] matchPIDs is using first pid only #3255
Conversation
2360997
to
14ca790
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice catch, could you please add test for the 2 pids matching spec? thanks
@@ -342,15 +342,19 @@ selector_match(__u32 *f, struct selector_filter *sel, | |||
four: | |||
res4 = process_filter(sel, f, enter, &msg->ns, &msg->caps); | |||
index = next_pid_value(index, f, ty); | |||
sel->index = index; | |||
three: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we do directly sel->index = next_pid_value(index, f, ty);
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe not. If we do that, index is not changed. and sel->index will be 0 and 4(using first two pids), not more pids will be chosen. (I already tested this)
maybe we can remove index variable and use sel->index = next_pid_value(sel->index, f, ty)
directly
OK,I will spend some time to figure out how to do that. |
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey thanks for taking the time to write such tests, I just wonder if there was a more straightforward way instead of adding a tests under bpf/tests
. It's mostly because those are used for BPF unit tests and that would be maybe better to put the actual testing Go code under pkg/someappropriatepkg
so that it gets tested along the other tests. Would you know a good place @olsajiri maybe?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hum, I dont mind it there.. it's testing the bpf selector_match function, which seems ok
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good, left some comments
please split the fix and test code in separate commits
bpf/tests/pid_match_test.go
Outdated
return fmt.Errorf("failed to update execve map: %w", err) | ||
} | ||
_, err = ctx.prog.Run(&ebpf.RunOptions{}) | ||
return err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why not have test_pid_match to return the err and take get it in here,
and you could drop test_result_map map
bpf/tests/pid_match_test.c
Outdated
res = selector_match(f, &sel, enter, NULL, &process_filter_pid); | ||
|
||
err = map_update_elem(&test_result_map, &zero, &res, BPF_ANY); | ||
if (err) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no need for the condition, but please the other comment for runProg
bpf/tests/pid_match_test.c
Outdated
struct execve_map_value *enter; | ||
|
||
f = map_lookup_elem(&test_filter_map, &zero); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
extra empty line
f = map_lookup_elem(&test_filter_map, &zero); | ||
|
||
if (!f) { | ||
return 0; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no need for {} in here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added some more comments, but looks good overall, please add missing changelogs
bpf/tests/pid_match_test.go
Outdated
coll *ebpf.Collection | ||
prog *ebpf.Program | ||
execvMap *ebpf.Map | ||
t *testing.T |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AFAICS there's no need to store t
in testContext
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
refracted.
bpf/tests/pid_match_test.c
Outdated
#include "process/retprobe_map.h" | ||
|
||
#include "process/types/basic.h" | ||
#include "process/generic_calls.h" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I dont think this include is needed and AFAICS will cause compilation fail now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it is due to pfilter.h, it relies on
struct execve_map_value
declare in lib/process.hop_filter_in
process/types/operations.hINDEX_MASK
inprocess/types/basic.h
to make in compile, i added those headers. It compiles currently.
Any ideas to fix this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this does it for me
diff --git a/bpf/tests/pid_match_test.c b/bpf/tests/pid_match_test.c
index 1411d4a5351f..0af78469f7d8 100644
--- a/bpf/tests/pid_match_test.c
+++ b/bpf/tests/pid_match_test.c
@@ -10,7 +10,6 @@
#include "process/retprobe_map.h"
#include "process/types/basic.h"
-#include "process/generic_calls.h"
#include "process/pfilter.h"
char _license[] __attribute__((section("license"), used)) = "Dual BSD/GPL";
ac8dd65
to
9fd9574
Compare
This fixes an issue where PID filtering would not work correctly due to lost state updates. The selector filter now properly maintains its internal index state across multiple invocations. Signed-off-by: arthur-zhang <[email protected]>
Add unit test for bpf function selector_match in pid match filter. Signed-off-by: arthur-zhang <[email protected]>
Fixes bug
Description
In the code, the function next_pid_value(index, f, ty) is called multiple times to update the index, but the updated value is not written back to sel->index. This wil cause external callers to be unable to obtain the updated state.
matchPIDs only use first pid
offset use selecttor_filter->index
Changelog