cilium / tetragon

eBPF-based Security Observability and Runtime Enforcement
https://tetragon.io
Apache License 2.0

bpf: allow all operations for syscall64 type #2948

Closed kkourt closed 1 month ago

kkourt commented 1 month ago

syscall64 type allows a bit to be set to distinguish between 32- and 64-bit syscalls. Currently, the only operators that work are InMap and NotInMap. This commit extends support for other operations as well: EQ, NEQ, MASK, GT, LT.

Using the MASK operator specifically allows us to write policies for all 32-bit syscalls.

For example:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: syscalls32bit
spec:
  tracepoints:
  - subsystem: raw_syscalls
    event: sys_enter
    args:
    - index: 4
      type: syscall64
    selectors:
    - matchArgs:
      - index: 0
        operator: Mask
        values:
        - "2147483648" # IS_32BIT

bpf: support all operators (including Mask) for the syscall64 type
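An added example (not Tetragon's own BPF or Go code) that models in Python how the operators this PR enables evaluate against a syscall64 argument; the bit-31 encoding, the "any mask bit set" reading of Mask and the helper names are assumptions, and the demo cases show why GT/LT/EQ values need the IS_32BIT bit when they are meant for 32-bit syscalls.

```python
# Added example, not Tetragon's own code: a userspace model of how selector
# operators evaluate against a syscall64 argument. ASSUMPTIONS: the syscall
# number sits in the low bits and bit 31 (2147483648, IS_32BIT in the policy
# above) flags a 32-bit-ABI syscall; Mask is modelled as "any mask bit set",
# which is identical to "all bits set" for a single-bit mask like this one.

IS_32BIT = 1 << 31  # 2147483648

# TracingPolicy operator names mapped onto the PR's short names (EQ, NEQ, ...).
_ALIASES = {"equal": "eq", "notequal": "neq", "greaterthan": "gt", "lessthan": "lt"}


def syscall64(nr: int, is_32bit: bool) -> int:
    """Encode a syscall number the way the syscall64 type distinguishes ABIs."""
    return nr | IS_32BIT if is_32bit else nr


def decode(arg: int) -> tuple[int, bool]:
    """Split a syscall64 value back into (syscall number, is_32bit)."""
    return arg & ~IS_32BIT, bool(arg & IS_32BIT)


def match(operator: str, arg: int, values: list[int]) -> bool:
    """Evaluate one matchArgs entry (operator + values) against one argument."""
    op = _ALIASES.get(operator.lower(), operator.lower())
    if op == "mask":
        return any(arg & v for v in values)
    if op in ("inmap", "eq"):       # exact match against the listed values
        return arg in values
    if op in ("notinmap", "neq"):
        return arg not in values
    if op == "gt":
        return any(arg > v for v in values)
    if op == "lt":
        return any(arg < v for v in values)
    raise ValueError(f"unsupported operator for syscall64: {operator!r}")


def demo() -> dict:
    """Constructed cases: the policy's Mask selector, and why GT/LT/EQ values
    must carry the IS_32BIT bit when they are meant for 32-bit syscalls."""
    nr0_32, nr0_64 = syscall64(0, True), syscall64(0, False)
    nr3_32 = syscall64(3, True)  # 0x80000003
    return {
        "mask_hits_32bit": match("Mask", nr0_32, [2147483648]),
        "mask_skips_64bit": match("Mask", nr0_64, [2147483648]),
        "lt_without_bit": match("LessThan", nr3_32, [100]),  # 0x80000003 > 100
        "lt_with_bit": match("LessThan", nr3_32, [IS_32BIT | 100]),
        "eq_without_bit": match("Equal", nr3_32, [3]),
        "eq_with_bit": match("Equal", nr3_32, [nr3_32]),
    }
```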
olsajiri commented 1 month ago

it feels like we expose the implementation detail of syscall64 for 32 bit syscalls, which is perhaps fine unless we want to change it, which might never happen ;-)

also LT,GT,EQ would have to count on the values having the bit set on which seems tricky, I guess it's ok unless we document it, which you didn't, so it's fine ;-)

kkourt commented 1 month ago

> it feels like we expose the implementation detail of syscall64 for 32 bit syscalls, which is perhaps fine unless we want to change it, which might never happen ;-)
>
> also LT,GT,EQ would have to count on the values having the bit set on which seems tricky, I guess it's ok unless we document it, which you didn't, so it's fine ;-)

Agreed. I'm not sure if we want to expose the implementation detail of syscall64 but this PR just introduces the mechanism. Once we figure out how we want to properly expose this to users, we can use it. Until then, we can use what is introduced here to experiment. Thanks!