Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(ebpf): kernel data filter combine bitmap #4468

Merged
merged 2 commits into from
Jan 8, 2025
Merged

fix(ebpf): kernel data filter combine bitmap #4468

merged 2 commits into from
Jan 8, 2025

Conversation

rscampos
Copy link
Collaborator

@rscampos rscampos commented Jan 6, 2025
edited
Loading

1. Explain what the PR does

3e7df50 test(filters): kernel data filter
d66134b fix(ebpf): kernel data filter combine bitmap

3e7df50 test(filters): kernel data filter

Add two different test cases:
- test1: policy1 without in-kernel filter and policy2 with in-kernel
  filter;
- test2: policy1 with two filters (one in-kernel filter and other non
  in-kernel filter) and policy2 with in-kernel filter;

d66134b fix(ebpf): kernel data filter combine bitmap

- Issue: The final bitmap (res) only contains the enabled bit for
the policy that was matched during the kernel data filter logic.
- Solution: After completing the filter logic, combine the bitmap
for policies without filters to ensure they are correctly enabled
in the final result.

2. Explain how to test it

Start Tracee with the following two policies:

sudo ./dist/tracee -p sfo-01.yaml -p sfo-02.yaml
TIME             UID    COMM             PID     TID     RET              EVENT                     ARGS
12:18:40:780375  1000   more             442654  442654  0                security_file_open        pathname: /sys/devices/virtual/dmi/id/bios_date, flags: O_RDONLY|O_NOFOLLOW, dev: 25, inode: 1995, ctime: 1736186855386691414, syscall_pathname: /sys/class/dmi/id/bios_dat

Access the following file:

more /sys/class/dmi/id/bios_date
Mon, 21 Oct 2024 04:03:58

policies.zip

3. Other comments

A bug was identified and reported by @OriGlassman in the new kernel data filter.

  1. Scenario: There are two policies with security_file_open:
    • Policy 1: Uses security_file_open without a filter.
    • Policy 2: Uses security_file_open with pathname filter (which uses in-kernel filter).
  2. Problem: The final bitmap (res) only contains the enabled bit for the policy that was matched during the kernel data filter logic.
    • Example: The resulting bitmap is 10, meaning only Policy 2 is enabled.
    • However, the correct result should be 11, where Policy 1 is also enabled because it does not use a filter.
  3. Root Cause:
    • In Tracee, the scope logic (match_scope_filters) works because it initializes all bits to 1 and disables them as needed throughout the code.
    • However, when dealing with the in-kernel filter, we need to use an OR operation between different types of string filters. This requires starting the bitmap with 0 and enabling bits during the filter logic.
    • Unfortunately, this approach only enables policies with in-kernel filters, omitting policies without filters (e.g., Policy 1).
  4. Solution:
    After completing the filter logic, combine the bitmap for policies without filters to ensure they are correctly enabled in the final result.

@rscampos rscampos self-assigned this Jan 6, 2025
@rscampos rscampos marked this pull request as draft January 6, 2025 23:18
@rscampos rscampos force-pushed the fix_combine_bitmap_kernel_filter branch from e532dfb to 74bdace Compare January 7, 2025 14:46
@rscampos
fix(ebpf): kernel data filter combine bitmap
d66134b 
- Issue: The final bitmap (res) only contains the enabled bit for
the policy that was matched during the kernel data filter logic.
- Solution: After completing the filter logic, combine the bitmap
for policies without filters to ensure they are correctly enabled
in the final result.
@rscampos rscampos force-pushed the fix_combine_bitmap_kernel_filter branch from 74bdace to 3e7df50 Compare January 7, 2025 18:09
@rscampos rscampos marked this pull request as ready for review January 7, 2025 18:10
@rscampos
test(filters): kernel data filter
22fa7ba 
Add two different test cases:
- test1: policy1 without in-kernel filter and policy2 with in-kernel
  filter;
- test2: policy1 with two filters (one in-kernel filter and other non
  in-kernel filter) and policy2 with in-kernel filter;
@rscampos rscampos force-pushed the fix_combine_bitmap_kernel_filter branch from 3e7df50 to 22fa7ba Compare January 7, 2025 18:16
@rscampos rscampos requested a review from yanivagman January 7, 2025 19:20
yanivagman
yanivagman approved these changes Jan 7, 2025
View reviewed changes
Copy link
Collaborator

@yanivagman yanivagman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rscampos
Copy link
Collaborator Author

rscampos commented Jan 8, 2025

/fast-forward

@github-actions github-actions bot merged commit 22fa7ba into aquasecurity:main Jan 8, 2025
38 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geyslan geyslan geyslan left review comments

@yanivagman yanivagman yanivagman approved these changes

Assignees

@rscampos rscampos

Labels
area/ebpf area/testing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rscampos @geyslan @yanivagman