feat: extend string data filtering to LSM related events #4590
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rscampos
force-pushed
the
data_filter_in_kernel_phase2_lsm
branch
5 times, most recently
from
d9b223e to
4b175f1
Compare
rscampos
force-pushed
the
data_filter_in_kernel_phase2_lsm
branch
from
cacfb19 to
da57dc6
Compare
rscampos
changed the title
rscampos
force-pushed
the
data_filter_in_kernel_phase2_lsm
branch
2 times, most recently
from
1ebaa4e to
d79bf0d
Compare
rscampos
force-pushed
the
data_filter_in_kernel_phase2_lsm
branch
5 times, most recently
from
8e812f8 to
28517c5
Compare
rscampos
force-pushed
the
data_filter_in_kernel_phase2_lsm
branch
from
28517c5 to
650b6b9
Compare
There was a problem hiding this comment.
I think the PR would benefit from integrating the kernel filtering setting into the event definition. On the rest I trust @geyslan's review.
| @@ -61,6 +72,35 @@ func NewDataFilter() *DataFilter { | |||
| } | |||
| } | |||
|
|
|||
| // list of events and field names allowed to have in-kernel filter | |||
| var allowedKernelField = map[events.ID]string{ | |||
There was a problem hiding this comment.
Wouldn't this fit in the event definition?
There was a problem hiding this comment.
Good point @NDStrahilevitz ...I've created this just to have a simple way to enable data filtering for events that have string filters in this phase. The next phase (phase 3) will implement filtering for other types of events. So, the idea is to remove this temporary table and use the event definition as you mentioned. However, to reach this step, I'll need to design a solution to accommodate all types of string filters.
- Allow any field name in the in-kernel string filter. - Currently, only one string-type field name is supported. - Future support for multiple field names is planned. - Start with LSM related events.
- Only for LSM related events.
rscampos
force-pushed
the
data_filter_in_kernel_phase2_lsm
branch
from
650b6b9 to
cdc67a6
Compare
- Add external scripts to be triggered in order to test data filter related to events that uses LSM.
- Since we have added integration tests and the default Go test timeout is 10 minutes, we need to increase it otherwise it get panic.
rscampos
force-pushed
the
data_filter_in_kernel_phase2_lsm
branch
from
cdc67a6 to
1591fd0
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
1. Explain what the PR does
1591fd0 chore: install deps
3eae8ff fix: increase timeout for go test
8e8ec5f test: external triggers for integration
6e2f4f1 feat(ebpf): extend string data filtering for LSM events
5a22b36 feat: allow different field names
3eae8ff fix: increase timeout for go test
8e8ec5f test: external triggers for integration
6e2f4f1 feat(ebpf): extend string data filtering for LSM events
5a22b36 feat: allow different field names
2. Explain how to test it
3. Other comments
This PR focuses only on LSM hooks and the related tests. Some tests were added to the integration test suite with external C program triggers.
part of #4432
pathname5pathname1(already present)pathname3path6map_name9pathname4file_name7pathname4linkpath3pathname2(already present)pathname5old_path3name9pathname8pathname5comm: event: data: trace event security_file_open set in multiple policies using multiple filter typescomm: event: data: trace event security_mmap_file using multiple filter typesevent: data: trace event security_inode_symlink, security_inode_rename and security_inode_unlink using data filterevent: data: trace event security_kernel_read_file and security_kernel_post_read_file using data filtercomm: event: data: trace event shared_object_loaded, security_file_mprotect and security_bprm_check using data filterevent: data: trace event security_sb_mount using data filterevent: data: trace event security_inode_mknod using data filterevent: data: trace event security_path_notify using data filterevent: data: trace event security_bpf_prog and security_bpf_map using data filter