[bug] matchPIDs is using first pid only

[arthur-zhang]

Fixes bug

Description

In the code, the function next_pid_value(index, f, ty) is called multiple times to update the index, but the updated value is not written back to sel->index. This wil cause external callers to be unable to obtain the updated state.

matchPIDs only use first pid

selectors:
- matchPIDs:
  - operator: NotIn
    values:
    - 0
    - 1

__u32 index = sel->index;

index = next_pid_value(index, f, ty);

FUNC_INLINE int next_pid_value(__u32 off, __u32 *f, __u32 ty)
{
	return off + 4;
}

offset use selecttor_filter->index

FUNC_INLINE int
process_filter_pid(struct selector_filter *sf, __u32 *f,
		   struct execve_map_value *enter, struct msg_ns *n,
		   struct msg_capabilities *c)
{
	__u32 sel, off = sf->index;  
	__u64 flags = sf->flags;
	__u64 pid;

	if (flags & PID_SELECTOR_FLAG_NSPID) {
		pid = enter->nspid;
	} else {
		pid = enter->key.pid;
	}

	if (off > 1000)
		sel = 0;
	else {
		__u64 o = (__u64)off;
		o = o / 4;
		asm volatile("%[o] &= 0x3ff;\n"
			     : [o] "+r"(o));
		sel = f[o];
	}
}

release note

Fix selector filter to properly update and assign `sel->index` in `pfilter.h`

[olsajiri]

nice catch, could you please add test for the 2 pids matching spec? thanks

[olsajiri]

could we do directly sel->index = next_pid_value(index, f, ty); ?

[arthur-zhang]

maybe not. If we do that, index is not changed. and sel->index will be 0 and 4(using first two pids), not more pids will be chosen. (I already tested this)

maybe we can remove index variable and use sel->index = next_pid_value(sel->index, f, ty) directly

[arthur-zhang]

nice catch, could you please add test for the 2 pids matching spec? thanks

OK，I will spend some time to figure out how to do that.

[netlify]

✅ Deploy Preview for tetragon ready!

Name	Link
🔨 Latest commit	ac4f9c7
🔍 Latest deploy log	https://app.netlify.com/sites/tetragon/deploys/677ba7bf932f710008795cf9
😎 Deploy Preview	https://deploy-preview-3255--tetragon.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[arthur-zhang]

nice catch, could you please add test for the 2 pids matching spec? thanks

write a simple test for that， please take some time to review it

[mtardy]

Hey thanks for taking the time to write such tests, I just wonder if there was a more straightforward way instead of adding a tests under bpf/tests. It's mostly because those are used for BPF unit tests and that would be maybe better to put the actual testing Go code under pkg/someappropriatepkg so that it gets tested along the other tests. Would you know a good place @olsajiri maybe?

[olsajiri]

hum, I dont mind it there.. it's testing the bpf selector_match function, which seems ok

[olsajiri]

looks good, left some comments
please split the fix and test code in separate commits

[olsajiri]

why not have test_pid_match to return the err and take get it in here,
and you could drop test_result_map map

[olsajiri]

no need for the condition, but please the other comment for runProg

[olsajiri]

extra empty line

[olsajiri]

no need for {} in here