Skip to content

[WIP] feat: extend string data filtering for other events #4470

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

[WIP] feat: extend string data filtering for other events #4470

wants to merge 3 commits into from

Conversation

rscampos
Copy link
Collaborator

@rscampos rscampos commented Jan 7, 2025
edited
Loading

1. Explain what the PR does

a964fc9 wip
41b8fa0 feat: extend string data filtering for other events
f8f0af6 feat: allow different field names

f8f0af6 feat: allow different field names

- Allow any field name in the in-kernel string filter.
- Currently, only one string-type field name is supported.
- Future support for multiple field names is planned.

2. Explain how to test it

3. Other comments

part of #4432

The LSM events with in-kernel filter will be handled in the PR #4590.
Others events with in-kernel filter (string filter):

Event String Name Type Manually Tested
✅ sched_process_exec pathname other Yes
✅ vfs_write pathname other Yes
✅ vfs_writev pathname other Yes
✅ vfs_read pathname other Yes
✅ vfs_readv pathname other Yes
✅ mem_prot_alert pathname other Yes
✅ magic_write pathname other Yes
✅ __kernel_write pathname other Yes
✅ call_usermodehelper pathname other Yes
✅ load_elf_phdrs pathname other Yes
✅ do_mmap pathname other Yes
✅ vfs_utimes pathname other Yes
✅ do_truncate pathname other Yes
✅ inotify_watch pathname other Yes
✅ module_load pathname other Yes
✅ chmod_common pathname other Yes
✅ device_add name other Yes
✅ do_init_module name other Yes
✅ module_free name other Yes
✅ proc_create name other Yes
✅ register_chrdev char_device_name other Yes
✅ debugfs_create_file file_name other Yes
✅ debugfs_create_dir name other Yes
✅ cgroup_mkdir cgroup_path other Yes
✅ cgroup_rmdir cgroup_path other Yes
✅ cgroup_attach_task cgroup_path other Yes
✅ bpf_attach prog_name other Yes
✅ kprobe_attach symbol_name other Yes
✅ task_rename old_name other Yes
✅ file_modification file_path other Yes
✅ set_fs_pwd resolved_path other Yes
✅ sched_switch prev_comm other Yes
☑️ hidden_inodes hidden_process other No
☑️ dirty_pipe_splice in_file_path other No

Fully working with the triggers
☑️ Working with caveats
hidden_inodes - data filter is working but the event need to be fixed (#4588) since don't act as expected.
dirty_pipe_splice - data filter is working but the trigger is not fully working yet

@rscampos rscampos self-assigned this Jan 7, 2025
@rscampos rscampos force-pushed the data_filter_in_kernel_phase2 branch 3 times, most recently from 890848a to d939aa8 Compare January 8, 2025 22:14
@rscampos rscampos force-pushed the data_filter_in_kernel_phase2 branch 7 times, most recently from a964fc9 to af7f3c3 Compare February 6, 2025 20:57
@rscampos rscampos force-pushed the data_filter_in_kernel_phase2 branch 4 times, most recently from 291d9c3 to 216438b Compare February 10, 2025 22:24
@rscampos
feat: allow different field names
3766bd7 
- Allow any field name in the in-kernel string filter.
- Currently, only one string-type field name is supported.
- Future support for multiple field names is planned.
@rscampos
feat: extend string data filtering for other events
0b3e523
@rscampos
wip
7264e21
@rscampos rscampos force-pushed the data_filter_in_kernel_phase2 branch from 216438b to 7264e21 Compare February 13, 2025 19:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

@rscampos rscampos

Labels
area/ebpf area/filtering
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@rscampos