tracee icon indicating copy to clipboard operation
tracee copied to clipboard
verified publisher icon aquasecurity

Move event scope filter into the kernel

Open yanivagman opened this issue 2 years ago • 10 comments

Event scope filter is currently running in userspace, but it should be straight forward to move it into the kernel since we can use the same logic we use today to compute our scopes in the kernel. This can be done by having new bpf maps like the current existing filters maps, with the difference that the key will be now composed of the event id and the field we are looking for. A potential problem to this move can be instruction limit, and to solve this we might need to add another tail call.

yanivagman avatar Feb 03 '23 06:02 yanivagman

There's another challenge here: some context fields are only enriched in userspace (particularly container ones) so we would need to add a cgroup id map for them.

NDStrahilevitz avatar Feb 05 '23 11:02 NDStrahilevitz

to keep the scope of this issue manageable, let's start with just the easy ones, and we can open a new issue for the complex ones later

itaysk avatar Feb 05 '23 13:02 itaysk

to keep the scope of this issue manageable, let's start with just the easy ones, and we can open a new issue for the complex ones later

There's some issues with doing it that way: Consider the case where a user sets --trace event1.context.image=redis:latest --trace event1.context.comm=ls. Since comm was easy to migrate but image wasn't we only migrated comm to kernel. Now let's say an event passes the kernel comm filter, we now need to flag it for further checking in userland for the image context filter.

NDStrahilevitz avatar Feb 07 '23 09:02 NDStrahilevitz

to keep the scope of this issue manageable, let's start with just the easy ones, and we can open a new issue for the complex ones later

There's some issues with doing it that way: Consider the case where a user sets --trace event1.context.image=redis:latest --trace event1.context.comm=ls. Since comm was easy to migrate but image wasn't we only migrated comm to kernel. Now let's say an event passes the kernel comm filter, we now need to flag it for further checking in userland for the image context filter.

Why is it a problem? We simply run all userspace filters for the given event like we do today

yanivagman avatar Feb 07 '23 11:02 yanivagman

Just that it would add complexity by splitting the same filters action between the kernel and user space instead of keeping it in only one of them. Since this is v0.14.0 targeted we can add an issue targeting v0.13.0 to add maps for container enriched fields.

NDStrahilevitz avatar Feb 07 '23 11:02 NDStrahilevitz

Just that it would add complexity by splitting the same filters action between the kernel and user space instead of keeping it in only one of them. Since this is v0.14.0 targeted we can add an issue targeting v0.13.0 to add maps for container enriched fields.

But these are different filters, not the same

yanivagman avatar Feb 07 '23 11:02 yanivagman

Just that it would add complexity by splitting the same filters action between the kernel and user space instead of keeping it in only one of them. Since this is v0.14.0 targeted we can add an issue targeting v0.13.0 to add maps for container enriched fields.

But these are different filters, not the same

They are all part of the ContextFilter struct. Anyway if we don't move it all together we will need to add some context flag for that (to complete filtering in user space if needed).

NDStrahilevitz avatar Feb 07 '23 11:02 NDStrahilevitz

Depends on the implementation. Let's discuss this offline.

yanivagman avatar Feb 07 '23 11:02 yanivagman

@geyslan keeping an eye.

geyslan avatar Jun 08 '23 14:06 geyslan