Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

String matching: match long strings #1806

Merged
merged 3 commits into from
Nov 29, 2023

Conversation

kevsecurity
Copy link
Contributor

@kevsecurity kevsecurity commented Nov 27, 2023

The current implementation ignore prefix and postfix matching on strings that are longer than the prefix max or postfix max (accordingly).

These patches modify the logic to handle strings that are longer than these maximums by restricting the string to the maximum permitted by the LPM TRIE maps – from the beginning for prefix and from the end for postfix.

Fixes prefix and postfix matching for strings longer than the prefix or postfix maximum length

Copy link

netlify bot commented Nov 27, 2023

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit a8361d4
🔍 Latest deploy log https://app.netlify.com/sites/tetragon/deploys/6564b3d1c20e3b0008ad3687
😎 Deploy Preview https://deploy-preview-1806--tetragon.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@kevsecurity kevsecurity added the release-note/bug This PR fixes an issue in a previous release of Tetragon. label Nov 27, 2023
@kevsecurity kevsecurity force-pushed the pr/kevsecurity/fix-prefix-for-long-strings branch from a8361d4 to 2d96730 Compare November 27, 2023 17:43
kkourt
kkourt previously requested changes Nov 28, 2023
Copy link
Contributor

@kkourt kkourt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, the code changes look good to me, but can you also add some tests for these specific cases?

bpf/process/types/basic.h Show resolved Hide resolved
@kkourt kkourt added the needs-backport/1.0 This PR needs backporting to 1.0 label Nov 28, 2023
@kkourt
Copy link
Contributor

kkourt commented Nov 28, 2023

Also, I believe we need to backport this to 1.0. I've added a label.

Prefix matching is done by looking up the provided string in the LPM
TRIE string prefix map (for strings and file paths). Currently, we don't
look up strings that are longer than the prefix map can hold. This is a
bug, because we could still look up the beginning substring (to the max
the map allows) and if it matches, then the full string would also match
(if the map size permitted it).

This commit detects strings that are longer than the map allows and
instead of not matching, it looks up the longest beginning substring
that the map allows instead. This will allow prefix matching to be used
on all strings and not just the ones short enough to fit into the prefix
map.

Signed-off-by: Kevin Sheldrake <[email protected]>
Postfix matching is done by reversing all the postfixes and storing them
in a LPM TRIE map, and then reversing the string to match on and looking
it up in the map. If the string to match is longer than the postfix max
length then the string would not be matched, leading to long strings not
being subject to the match logic.

This commit modifies the look up to handle strings longer than the
postfix max length. It fixes the length to copy to the postfix max
length and supplies an offset from where to start copying. The offset is
calculated as the difference between the original length and the capped
length.

Signed-off-by: Kevin Sheldrake <[email protected]>
Add tests for very long (>256 chars) paths for prefix and postfix
selectors.

Signed-off-by: Kevin Sheldrake <[email protected]>
@kevsecurity kevsecurity force-pushed the pr/kevsecurity/fix-prefix-for-long-strings branch from 2d96730 to 71604ee Compare November 28, 2023 15:05
@kevsecurity kevsecurity requested a review from kkourt November 28, 2023 15:07
Copy link
Member

@tpapagian tpapagian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@kevsecurity kevsecurity merged commit 3e244b1 into main Nov 29, 2023
31 checks passed
@kevsecurity kevsecurity deleted the pr/kevsecurity/fix-prefix-for-long-strings branch November 29, 2023 16:21
@kevsecurity kevsecurity removed the needs-backport/1.0 This PR needs backporting to 1.0 label Jan 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release-note/bug This PR fixes an issue in a previous release of Tetragon.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants