Skip to content

Commit

Permalink
[CWS-3560] [CSM] Fix Raw packet TC classifier handle (#30994)
Browse files Browse the repository at this point in the history
  • Loading branch information
@Gui774ume
Gui774ume authored Nov 12, 2024
1 parent 4a23a8c commit 02825dd
Show file tree
Hide file tree
Showing 6 changed files with 49 additions and 21 deletions.
1 change: 1 addition & 0 deletions pkg/config/setup/system_probe.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -367,6 +367,7 @@ func InitSystemProbeConfig(cfg pkgconfigmodel.Config) {
eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "network.lazy_interface_prefixes"), []string{})
eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "network.classifier_priority"), 10)
eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "network.classifier_handle"), 0)
eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "network.raw_classifier_handle"), 0)
eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "event_stream.use_ring_buffer"), true)
eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "event_stream.use_fentry"), false)
eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "event_stream.use_fentry_amd64"), false)
Expand Down
2 changes: 1 addition & 1 deletion pkg/security/ebpf/probes/all.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ func AllProbes(fentry bool) []*manager.Probe {
allProbes = append(allProbes, getSpliceProbes(fentry)...)
allProbes = append(allProbes, getFlowProbes()...)
allProbes = append(allProbes, getNetDeviceProbes()...)
allProbes = append(allProbes, GetTCProbes(true)...)
allProbes = append(allProbes, GetTCProbes(true, true)...)
allProbes = append(allProbes, getBindProbes(fentry)...)
allProbes = append(allProbes, getConnectProbes(fentry)...)
allProbes = append(allProbes, getSyscallMonitorProbes()...)
Expand Down
32 changes: 19 additions & 13 deletions pkg/security/ebpf/probes/tc.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ import (
)

// GetTCProbes returns the list of TCProbes
func GetTCProbes(withNetworkIngress bool) []*manager.Probe {
func GetTCProbes(withNetworkIngress bool, withRawPacket bool) []*manager.Probe {
out := []*manager.Probe{
{
ProbeIdentificationPair: manager.ProbeIdentificationPair{
Expand All @@ -27,15 +27,18 @@ func GetTCProbes(withNetworkIngress bool) []*manager.Probe {
TCFilterProtocol: unix.ETH_P_ALL,
KeepProgramSpec: true,
},
{
}

if withRawPacket {
out = append(out, &manager.Probe{
ProbeIdentificationPair: manager.ProbeIdentificationPair{
UID: SecurityAgentUID,
EBPFFuncName: "classifier_raw_packet_egress",
},
NetworkDirection: manager.Egress,
TCFilterProtocol: unix.ETH_P_ALL,
KeepProgramSpec: true,
},
})
}

if withNetworkIngress {
Expand All @@ -48,15 +51,18 @@ func GetTCProbes(withNetworkIngress bool) []*manager.Probe {
TCFilterProtocol: unix.ETH_P_ALL,
KeepProgramSpec: true,
})
out = append(out, &manager.Probe{
ProbeIdentificationPair: manager.ProbeIdentificationPair{
UID: SecurityAgentUID,
EBPFFuncName: "classifier_raw_packet_ingress",
},
NetworkDirection: manager.Ingress,
TCFilterProtocol: unix.ETH_P_ALL,
KeepProgramSpec: true,
})

if withRawPacket {
out = append(out, &manager.Probe{
ProbeIdentificationPair: manager.ProbeIdentificationPair{
UID: SecurityAgentUID,
EBPFFuncName: "classifier_raw_packet_ingress",
},
NetworkDirection: manager.Ingress,
TCFilterProtocol: unix.ETH_P_ALL,
KeepProgramSpec: true,
})
}
}

return out
Expand Down Expand Up @@ -94,7 +100,7 @@ func GetAllTCProgramFunctions() []string {
"classifier_raw_packet",
}

for _, tcProbe := range GetTCProbes(true) {
for _, tcProbe := range GetTCProbes(true, true) {
output = append(output, tcProbe.EBPFFuncName)
}

Expand Down
16 changes: 16 additions & 0 deletions pkg/security/probe/config/config.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,9 @@ type Config struct {
// NetworkClassifierHandle defines the handle at which CWS should insert its TC classifiers.
NetworkClassifierHandle uint16

// RawNetworkClassifierHandle defines the handle at which CWS should insert its Raw TC classifiers.
RawNetworkClassifierHandle uint16

// ProcessConsumerEnabled defines if the process-agent wants to receive kernel events
ProcessConsumerEnabled bool

Expand Down Expand Up @@ -173,6 +176,7 @@ func NewConfig() (*Config, error) {
NetworkLazyInterfacePrefixes: getStringSlice("network.lazy_interface_prefixes"),
NetworkClassifierPriority: uint16(getInt("network.classifier_priority")),
NetworkClassifierHandle: uint16(getInt("network.classifier_handle")),
RawNetworkClassifierHandle: uint16(getInt("network.raw_classifier_handle")),
EventStreamUseRingBuffer: getBool("event_stream.use_ring_buffer"),
EventStreamBufferSize: getInt("event_stream.buffer_size"),
EventStreamUseFentry: getEventStreamFentryValue(),
Expand Down Expand Up @@ -208,6 +212,18 @@ func (c *Config) sanitize() error {
c.MapDentryResolutionEnabled = true
}

if c.NetworkRawPacketEnabled {
if c.RawNetworkClassifierHandle != c.NetworkClassifierHandle {
if c.NetworkClassifierHandle*c.RawNetworkClassifierHandle == 0 {
return fmt.Errorf("none or both of network.classifier_handle and network.raw_classifier_handle must be provided: got classifier_handle:%d raw_classifier_handle:%d", c.NetworkClassifierHandle, c.RawNetworkClassifierHandle)
}
} else {
if c.NetworkClassifierHandle*c.RawNetworkClassifierHandle != 0 {
return fmt.Errorf("network.classifier_handle and network.raw_classifier_handle can't be equal and not null: got classifier_handle:%d raw_classifier_handle:%d", c.NetworkClassifierHandle, c.RawNetworkClassifierHandle)
}
}
}

// not enable at the system-probe level, disable for cws as well
if !c.Config.EnableRuntimeCompiler {
c.RuntimeCompilationEnabled = false
Expand Down
6 changes: 5 additions & 1 deletion pkg/security/resolvers/netns/resolver.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -163,7 +163,9 @@ func (nn *NetworkNamespace) dequeueNetworkDevices(tcResolver *tc.Resolver, manag
}()

for _, queuedDevice := range nn.networkDevicesQueue {
_ = tcResolver.SetupNewTCClassifierWithNetNSHandle(queuedDevice, handle, manager)
if err = tcResolver.SetupNewTCClassifierWithNetNSHandle(queuedDevice, handle, manager); err != nil {
seclog.Errorf("error setting up new tc classifier on queued device: %v", err)
}
}
nn.flushNetworkDevicesQueue()
}
Expand Down Expand Up @@ -346,6 +348,8 @@ func (nr *Resolver) snapshotNetworkDevices(netns *NetworkNamespace) int {
if !nr.IsLazyDeletionInterface(device.Name) && attrs.HardwareAddr.String() != "" {
attachedDeviceCountNoLazyDeletion++
}
} else {
seclog.Errorf("error setting up new tc classifier on snapshot: %v", err)
}
}

Expand Down
13 changes: 7 additions & 6 deletions pkg/security/resolvers/tc/resolver.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -94,11 +94,7 @@ func (tcr *Resolver) SetupNewTCClassifierWithNetNSHandle(device model.NetDevice,
defer tcr.Unlock()

var combinedErr multierror.Error
for _, tcProbe := range probes.GetTCProbes(tcr.config.NetworkIngressEnabled) {
if !tcr.config.NetworkRawPacketEnabled && slices.Contains(probes.RawPacketTCProgram, tcProbe.EBPFFuncName) {
continue
}

for _, tcProbe := range probes.GetTCProbes(tcr.config.NetworkIngressEnabled, tcr.config.NetworkRawPacketEnabled) {
// make sure we're not overriding an existing network probe
progKey := ProgramKey{
UID: tcProbe.UID,
Expand All @@ -120,7 +116,12 @@ func (tcr *Resolver) SetupNewTCClassifierWithNetNSHandle(device model.NetDevice,
newProbe.IfIndexNetnsID = device.NetNS
newProbe.KeepProgramSpec = false
newProbe.TCFilterPrio = tcr.config.NetworkClassifierPriority
newProbe.TCFilterHandle = netlink.MakeHandle(0, tcr.config.NetworkClassifierHandle)

if slices.Contains(probes.RawPacketTCProgram, tcProbe.EBPFFuncName) {
newProbe.TCFilterHandle = netlink.MakeHandle(0, tcr.config.RawNetworkClassifierHandle)
} else {
newProbe.TCFilterHandle = netlink.MakeHandle(0, tcr.config.NetworkClassifierHandle)
}

netnsEditor := []manager.ConstantEditor{
{
Expand Down

0 comments on commit 02825dd

Please sign in to comment.