Raw_syscalls: fix selector indices in policies

In some raw_syscalls policies the selector indices are set to the list index of the relevant argument instead of the actual index of the relevant argument. This usually doesn't break anything because these are the actual indices that are used in the config with the BPF programs. There is a potential for error, however, as the code tries to match the selector index number with an argument's index number; on a match it rewrites the selector index with the argument's list index. Therefore if the first argument to a function isn't listed in the args section then an explicit list index in the selectors section could reference the wrong argument. In order to discourage the direct use of list indices, the examples and test code have been changed so the selectors use the arg index and not its list index. Signed-off-by: Kevin Sheldrake <[email protected]>
cilium · Apr 10, 2024 · 179404a · 179404a
1 parent 70a327e
commit 179404a
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 13 deletions.
diff --git a/examples/tracingpolicy/killer.yaml b/examples/tracingpolicy/killer.yaml
@@ -21,7 +21,7 @@ spec:
       type: "syscall64"
     selectors:
     - matchArgs:
-      - index: 0
+      - index: 4
         operator: "InMap"
         values:
         - "list:dups"

diff --git a/examples/tracingpolicy/list-syscalls-tracepoint.yaml b/examples/tracingpolicy/list-syscalls-tracepoint.yaml
@@ -17,7 +17,7 @@ spec:
       type: "uint64"
     selectors:
     - matchArgs:
-      - index: 0
+      - index: 4
         operator: "InMap"
         values:
         - "list:dups"
diff --git a/pkg/sensors/tracing/enforcer_builder.go b/pkg/sensors/tracing/enforcer_builder.go
@@ -184,7 +184,7 @@ func (ksb *EnforcerSpecBuilder) Build() (*v1alpha1.TracingPolicy, error) {
 				}},
 				Selectors: []v1alpha1.KProbeSelector{{
 					MatchArgs: []v1alpha1.ArgSelector{{
-						Index:    0,
+						Index:    4,
 						Operator: operator,
 						Values:   listNames,
 					}},

diff --git a/pkg/sensors/tracing/enforcer_test.go b/pkg/sensors/tracing/enforcer_test.go
@@ -464,11 +464,11 @@ spec:
       type: "int64"
     selectors:
     - matchArgs:
-      - index: 0
+      - index: 4
         operator: "InMap"
         values:
         - "list:prctl"
-      - index: 1
+      - index: 5
         operator: "Equal"
         values:
         - 0xffff
@@ -506,11 +506,11 @@ spec:
       type: "int64"
     selectors:
     - matchArgs:
-      - index: 0
+      - index: 4
         operator: "InMap"
         values:
         - "list:prctl"
-      - index: 1
+      - index: 5
         operator: "Equal"
         values:
         - 0xfffe

diff --git a/pkg/sensors/tracing/tracepoint_amd64_test.go b/pkg/sensors/tracing/tracepoint_amd64_test.go
@@ -51,9 +51,9 @@ func testListSyscallsDups(t *testing.T, checker *eventchecker.UnorderedEventChec
 	assert.NoError(t, err)
 }
 
-func TestTracepointListSyscallDups(t *testing.T) {
+func TestTracepointListSyscallDupsEqual(t *testing.T) {
 	if !kernels.MinKernelVersion("5.3.0") {
-		t.Skip("TestCopyFd requires at least 5.3.0 version")
+		t.Skip("TestTracepointListSyscallDupsEqual requires at least 5.3.0 version")
 	}
 
 	myPid := observertesthelper.GetMyPid()
@@ -87,11 +87,11 @@ spec:
         values:
         - ` + pidStr + `
       matchArgs:
-      - index: 0
+      - index: 4
         operator: "InMap"
         values:
         - "list:test"
-      - index: 1
+      - index: 5
         operator: "Equal"
         values:
         - 9999

diff --git a/pkg/sensors/tracing/tracepoint_test.go b/pkg/sensors/tracing/tracepoint_test.go
@@ -824,11 +824,11 @@ spec:
         values:
         - ` + pidStr + `
       matchArgs:
-      - index: 0
+      - index: 4
         operator: "InMap"
         values:
         - "list:test"
-      - index: 1
+      - index: 5
         operator: "InMap"
         values:
         - 9910:9920