selectors: add matchParents selector

This adds matchParents selector for granular parents
filtering in kprobes, tracepoints and lsm hooks.

In some cases we need not only to filter events by
current binary path, but also by parent binary path.
For instance, consider there is python script, which inside
calls a system call, which we want to hook. If some system
processes are executing this script, we don't want to report such
cases, so we might want to add selectors for parent binary, rather than
for current binary, which in case of python script is always python.

matchParents selectors, which works exactly in the same way except of
followChildren option (which is currently will not be supported),
will help to solve this problem.

Signed-off-by: Kobrin Ilay <[email protected]>

Author: kobrineli

bpf/process/generic_calls.h

@@ -1227,7 +1227,7 @@ FUNC_INLINE int generic_retkprobe(void *ctx, struct bpf_map_def *calls, unsigned
 FUNC_INLINE int generic_process_filter(void)
 {
 	int selectors, pass, zero = 0;
-	struct execve_map_value *enter;
+	struct execve_map_value *enter, *parent;
 	struct msg_generic_kprobe *msg;
 	struct msg_execve_key *current;
 	struct msg_selector_data *sel;
@@ -1246,6 +1246,11 @@ FUNC_INLINE int generic_process_filter(void)
 		msg->common.flags |= MSG_COMMON_FLAG_PROCESS_NOT_FOUND;
 	}
 
+	parent = event_find_parent();
+	if (!parent) {
+		return PFILTER_PARENT_NOT_FOUND;
+	}
+
 	f = map_lookup_elem(&filter_map, &msg->idx);
 	if (!f)
 		return PFILTER_ERROR;
@@ -1267,7 +1272,7 @@ FUNC_INLINE int generic_process_filter(void)
 	if (selectors <= sel->curr)
 		return process_filter_done(sel, enter, current);
 
-	pass = selector_process_filter(f, sel->curr, enter, msg);
+	pass = selector_process_filter(f, sel->curr, enter, parent, msg);
 	if (pass) {
 		/* Verify lost that msg is not null here so recheck */
 		int curr = sel->curr;

bpf/process/pfilter.h

@@ -81,6 +81,7 @@ enum {
 	PFILTER_ACCEPT = 1, // filter check passed
 	PFILTER_REJECT = 0, // filter check failed
 	PFILTER_CURR_NOT_FOUND = 0, // event_find_curr() failed
+	PFILTER_PARENT_NOT_FOUND = 0, // event_find_parent() failed
 };
 
 FUNC_INLINE int
@@ -413,7 +414,7 @@ struct nc_filter {
 
 FUNC_INLINE int
 selector_process_filter(__u32 *f, __u32 index, struct execve_map_value *enter,
-			struct msg_generic_kprobe *msg)
+			struct execve_map_value *parent, struct msg_generic_kprobe *msg)
 {
 	int res = PFILTER_ACCEPT;
 	struct pid_filter *pid;
@@ -425,10 +426,13 @@ selector_process_filter(__u32 *f, __u32 index, struct execve_map_value *enter,
 	__u32 len;
 	__u64 i;
 
-	/* Do binary filter first for selector index */
+	/* Do binary and parent filter first for selector index */
 	if (!match_binaries(index, enter))
 		return 0;
 
+	if (!match_parents(index, parent))
+		return 0;
+
 	/* Find selector offset byte index */
 	index *= 4;
 	index += 4;

bpf/process/types/basic.h

@@ -1588,10 +1588,29 @@ struct {
 		});
 } tg_mb_paths SEC(".maps");
 
-FUNC_INLINE int match_binaries(__u32 selidx, struct execve_map_value *current)
-{
+// This map is used by the matchParents selectors to retrieve their options
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(max_entries, MAX_SELECTORS);
+	__type(key, __u32); /* selector id */
+	__type(value, struct match_binaries_sel_opts);
+} tg_mp_sel_opts SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY_OF_MAPS);
+	__uint(max_entries, MAX_SELECTORS); // only one matchParents per selector
+	__type(key, __u32);
+	__array(
+		values, struct {
+			__uint(type, BPF_MAP_TYPE_HASH);
+			__uint(max_entries, 1);
+			__type(key, __u8[MATCH_BINARIES_PATH_MAX_LENGTH]);
+			__type(value, __u8);
+		});
+} tg_mp_paths SEC(".maps");
+
+FUNC_INLINE int __match_binaries(struct execve_map_value *current, struct match_binaries_sel_opts *selector_options, void *path_map) {
 	bool match = 0;
-	void *path_map;
 	__u8 *found_key;
 #ifdef __LARGE_BPF_PROG
 	struct string_prefix_lpm_trie prefix_key;
@@ -1600,12 +1619,8 @@ FUNC_INLINE int match_binaries(__u32 selidx, struct execve_map_value *current)
 
 	int zero = 0;
 #endif /* __LARGE_BPF_PROG */
-
-	struct match_binaries_sel_opts *selector_options;
-
-	// retrieve the selector_options for the matchBinaries, if it's NULL it
-	// means there is not matchBinaries in this selector.
-	selector_options = map_lookup_elem(&tg_mb_sel_opts, &selidx);
+	
+	// If selector_options is NULL, then there is no matchBinaries/matchParents in this selector.
 	if (selector_options) {
 		if (selector_options->op == op_filter_none)
 			return 1; // matchBinaries selector is empty <=> match
@@ -1631,7 +1646,6 @@ FUNC_INLINE int match_binaries(__u32 selidx, struct execve_map_value *current)
 				break;
 			}
 
-			path_map = map_lookup_elem(&tg_mb_paths, &selidx);
 			if (!path_map)
 				return 0;
 			found_key = map_lookup_elem(path_map, current->bin.path);
@@ -1679,10 +1693,26 @@ FUNC_INLINE int match_binaries(__u32 selidx, struct execve_map_value *current)
 		return is_not_operator(selector_options->op) ? !match : match;
 	}
 
-	// no matchBinaries selector <=> match
+	// no selector <=> match
 	return 1;
 }
 
+FUNC_INLINE int match_binaries(__u32 selidx, struct execve_map_value *current)
+{
+	struct match_binaries_sel_opts *selector_options = map_lookup_elem(&tg_mb_sel_opts, &selidx);
+	void *path_map = map_lookup_elem(&tg_mb_paths, &selidx);
+
+	return __match_binaries(current, selector_options, path_map);
+}
+
+FUNC_INLINE int match_parents(__u32 selidx, struct execve_map_value *parent)
+{
+	struct match_binaries_sel_opts *selector_options = map_lookup_elem(&tg_mp_sel_opts, &selidx);
+	void *path_map = map_lookup_elem(&tg_mp_paths, &selidx);
+
+	return __match_binaries(parent, selector_options, path_map);
+}
+
 FUNC_INLINE char *
 get_arg(struct msg_generic_kprobe *e, __u32 index)
 {

install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml

@@ -874,6 +874,30 @@ spec:
                               - values
                               type: object
                             type: array
+                          matchParents:
+                            description: A list of process parent exec name filters.
+                            items:
+                              properties:
+                                operator:
+                                  description: Filter operation.
+                                  enum:
+                                  - In
+                                  - NotIn
+                                  - Prefix
+                                  - NotPrefix
+                                  - Postfix
+                                  - NotPostfix
+                                  type: string
+                                values:
+                                  description: Value to compare the argument against.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - operator
+                              - values
+                              type: object
+                            type: array
                           matchReturnActions:
                             description: A list of actions to execute when MatchReturnArgs
                               selector matches
@@ -1626,6 +1650,30 @@ spec:
                               - values
                               type: object
                             type: array
+                          matchParents:
+                            description: A list of process parent exec name filters.
+                            items:
+                              properties:
+                                operator:
+                                  description: Filter operation.
+                                  enum:
+                                  - In
+                                  - NotIn
+                                  - Prefix
+                                  - NotPrefix
+                                  - Postfix
+                                  - NotPostfix
+                                  type: string
+                                values:
+                                  description: Value to compare the argument against.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - operator
+                              - values
+                              type: object
+                            type: array
                           matchReturnActions:
                             description: A list of actions to execute when MatchReturnArgs
                               selector matches
@@ -2414,6 +2462,30 @@ spec:
                               - values
                               type: object
                             type: array
+                          matchParents:
+                            description: A list of process parent exec name filters.
+                            items:
+                              properties:
+                                operator:
+                                  description: Filter operation.
+                                  enum:
+                                  - In
+                                  - NotIn
+                                  - Prefix
+                                  - NotPrefix
+                                  - Postfix
+                                  - NotPostfix
+                                  type: string
+                                values:
+                                  description: Value to compare the argument against.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - operator
+                              - values
+                              type: object
+                            type: array
                           matchReturnActions:
                             description: A list of actions to execute when MatchReturnArgs
                               selector matches
@@ -3152,6 +3224,30 @@ spec:
                               - values
                               type: object
                             type: array
+                          matchParents:
+                            description: A list of process parent exec name filters.
+                            items:
+                              properties:
+                                operator:
+                                  description: Filter operation.
+                                  enum:
+                                  - In
+                                  - NotIn
+                                  - Prefix
+                                  - NotPrefix
+                                  - Postfix
+                                  - NotPostfix
+                                  type: string
+                                values:
+                                  description: Value to compare the argument against.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - operator
+                              - values
+                              type: object
+                            type: array
                           matchReturnActions:
                             description: A list of actions to execute when MatchReturnArgs
                               selector matches
@@ -3882,6 +3978,30 @@ spec:
                               - values
                               type: object
                             type: array
+                          matchParents:
+                            description: A list of process parent exec name filters.
+                            items:
+                              properties:
+                                operator:
+                                  description: Filter operation.
+                                  enum:
+                                  - In
+                                  - NotIn
+                                  - Prefix
+                                  - NotPrefix
+                                  - Postfix
+                                  - NotPostfix
+                                  type: string
+                                values:
+                                  description: Value to compare the argument against.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - operator
+                              - values
+                              type: object
+                            type: array
                           matchReturnActions:
                             description: A list of actions to execute when MatchReturnArgs
                               selector matches