support more than 64 rules with overflow

Author: yanivagman

pkg/ebpf/c/common/filtering.h

@@ -385,19 +385,19 @@ statfunc bool evaluate_scope_filters(program_data_t *p)
 {
     u64 matched_scope_filters = match_scope_filters(p);
     p->event->context.active_rules &= matched_scope_filters;
-    return p->event->context.active_rules != 0;
+    return p->event->context.active_rules != 0 || p->event->config.has_overflow;
 }
 
 statfunc bool evaluate_data_filters(program_data_t *p, u8 index)
 {
     u64 matched_data_filters = match_data_filters(p, index);
     p->event->context.active_rules &= matched_data_filters;
-    return p->event->context.active_rules != 0;
+    return p->event->context.active_rules != 0 || p->event->config.has_overflow;
 }
 
 statfunc bool rules_matched(event_data_t *event)
 {
-    return event->context.active_rules != 0;
+    return event->context.active_rules != 0 || event->config.has_overflow;
 }
 
 statfunc bool event_is_selected(u32 event_id)

pkg/ebpf/c/types.h

@@ -373,7 +373,8 @@ typedef struct data_filter_config {
 
 typedef struct event_config {
     u16 rules_version;
-    u8 _padding[6];
+    u8 has_overflow;
+    u8 _padding[5];
     u64 submit_for_rules;
     u64 field_types;
     scope_filters_config_t scope_filters;

pkg/ebpf/events_pipeline.go

@@ -275,9 +275,8 @@ func (t *Tracee) decodeEvents(ctx context.Context, sourceChan chan []byte) (<-ch
 			evt.ProcessEntityId = utils.HashTaskID(eCtx.HostPid, normalizedLeaderStartTime)
 			evt.ParentEntityId = utils.HashTaskID(eCtx.HostPpid, normalizedParentStartTime)
 
-			// derived events will match since there exist a dependency rule for them
-			// TODO: verify the case where there are filters in userspace - they shouldn't clear dependency rule bit
-			if t.matchRules(evt) == 0 {
+			// TODO(unrelated): move this to process stage (why did it moved here in the first place?)
+			if !t.matchRules(evt) {
 				_ = t.stats.EventsFiltered.Increment()
 				t.eventsPool.Put(evt)
 				continue
@@ -298,12 +297,16 @@ func (t *Tracee) decodeEvents(ctx context.Context, sourceChan chan []byte) (<-ch
 // not match the event after userland filters are applied. In those cases, the rule bit is cleared
 // (so the event is "filtered" for that rule). This may be called in different stages of the
 // pipeline (decode, derive, engine).
-func (t *Tracee) matchRules(event *trace.Event) uint64 {
+func (t *Tracee) matchRules(event *trace.Event) bool {
 	eventID := events.ID(event.EventID)
 	bitmap := event.MatchedRulesKernel
 
 	// range through each userland filterable rule
 	for _, rule := range t.policyManager.GetUserlandRules(eventID) {
+		if rule.ID > 63 {
+			continue // we currently don't support filtering for rules with ID > 63
+		}
+
 		// Rule ID is the bit offset in the bitmap.
 		bitOffset := uint(rule.ID)
 
@@ -380,7 +383,7 @@ func (t *Tracee) matchRules(event *trace.Event) uint64 {
 
 	event.MatchedRulesUser = bitmap // store filtered bitmap to be used in sink stage
 
-	return bitmap
+	return bitmap > 0 || t.policyManager.HasOverflowRules(eventID)
 }
 
 func parseContextFlags(containerId string, flags uint32) trace.ContextFlags {
@@ -433,7 +436,7 @@ func (t *Tracee) processEvents(ctx context.Context, in <-chan *trace.Event) (
 
 			// Get a bitmap with all rules containing container filters
 			eventId := events.ID(event.EventID)
-			rulesWithContainerFilter := t.policyManager.GetContainerFilteredRulesBitmap(eventId)
+			containerFilteredRules := t.policyManager.GetContainerFilteredRulesBitmap(eventId)
 
 			// Filter out events that don't have a container ID from all the rules that
 			// have container filters. This will guarantee that any of those rules
@@ -444,7 +447,7 @@ func (t *Tracee) processEvents(ctx context.Context, in <-chan *trace.Event) (
 			// enabled, so, in those cases, ignore the event IF the event is not a
 			// cgroup_mkdir or cgroup_rmdir.
 
-			if rulesWithContainerFilter > 0 && event.Container.ID == "" {
+			if len(containerFilteredRules) > 0 && containerFilteredRules[0] > 0 && event.Container.ID == "" {
 				// never skip cgroup_{mkdir,rmdir}: container_{create,remove} events need it
 				if eventId == events.CgroupMkdir || eventId == events.CgroupRmdir {
 					goto sendEvent
@@ -454,8 +457,8 @@ func (t *Tracee) processEvents(ctx context.Context, in <-chan *trace.Event) (
 					"eventId", eventId)
 
 				// remove event from rules with container filters
-				utils.ClearBits(&event.MatchedRulesKernel, rulesWithContainerFilter)
-				utils.ClearBits(&event.MatchedRulesUser, rulesWithContainerFilter)
+				utils.ClearBits(&event.MatchedRulesKernel, containerFilteredRules[0])
+				utils.ClearBits(&event.MatchedRulesUser, containerFilteredRules[0])
 
 				if event.MatchedRulesKernel == 0 {
 					t.eventsPool.Put(event)
@@ -494,6 +497,9 @@ func (t *Tracee) deriveEvents(ctx context.Context, in <-chan *trace.Event) (
 					continue // might happen during initialization (ctrl+c seg faults)
 				}
 
+				// TODO (unrelated): avoid any copy if there are no derivations for the event
+				// This can be done by adding a new function in derive package to check if derived events exist
+
 				// Get a copy of our event before sending it down the pipeline. This is
 				// needed because later modification of the event (in particular of the
 				// matched rules) can affect the derivation and later pipeline logic
@@ -539,7 +545,7 @@ func (t *Tracee) deriveEvents(ctx context.Context, in <-chan *trace.Event) (
 					case events.PrintMemDump:
 					default:
 						// Derived events might need filtering as well
-						if t.matchRules(event) == 0 {
+						if !t.matchRules(event) {
 							_ = t.stats.EventsFiltered.Increment()
 							continue
 						}
@@ -580,8 +586,8 @@ func (t *Tracee) sinkEvents(ctx context.Context, in <-chan *trace.Event) <-chan
 
 			// Only emit events requested by the user and matched by at least one rule.
 			id := events.ID(event.EventID)
-			event.MatchedRulesUser, event.MatchedPolicies = t.policyManager.GetMatchedRulesInfo(id, event.MatchedRulesUser)
-			if event.MatchedRulesUser == 0 {
+			event.MatchedPolicies = t.policyManager.GetMatchedRulesInfo(id, event.MatchedRulesUser)
+			if len(event.MatchedPolicies) == 0 {
 				t.eventsPool.Put(event)
 				continue
 			}

pkg/ebpf/signature_engine.go

@@ -143,7 +143,7 @@ func (t *Tracee) engineEvents(ctx context.Context, in <-chan *trace.Event) (<-ch
 					continue
 				}
 
-				if t.matchRules(event) == 0 {
+				if !t.matchRules(event) {
 					_ = t.stats.EventsFiltered.Increment()
 					continue
 				}

pkg/ebpf/tracee.go

@@ -1611,7 +1611,8 @@ func (t *Tracee) invokeInitEvents(out chan *trace.Event) {
 	setMatchedRules := func(event *trace.Event, matchedRules uint64) {
 		event.RulesVersion = 1 // version will be removed soon
 		event.MatchedRulesKernel = matchedRules
-		event.MatchedRulesUser, event.MatchedPolicies = t.policyManager.GetMatchedRulesInfo(events.ID(event.EventID), matchedRules)
+		event.MatchedRulesUser = matchedRules
+		event.MatchedPolicies = t.policyManager.GetMatchedRulesInfo(events.ID(event.EventID), matchedRules)
 	}
 
 	rulesMatch := func(id events.ID) uint64 {

pkg/policy/ebpf.go

@@ -119,13 +119,28 @@ func (pm *PolicyManager) updateBPF(
 	return nil
 }
 
+// eBPF data filter only supports first 64 rules for each key.
+type stringFilterConfigBPF struct {
+	prefixEnabled           uint64
+	suffixEnabled           uint64
+	exactEnabled            uint64
+	prefixMatchIfKeyMissing uint64
+	suffixMatchIfKeyMissing uint64
+	exactMatchIfKeyMissing  uint64
+}
+
+type dataFilterConfigBPF struct {
+	string stringFilterConfigBPF
+}
+
 type eventConfig struct {
 	rulesVersion   uint16
-	padding        [6]uint8 // free for further use
+	hasOverflow    uint8
+	padding        [5]uint8 // free for further use
 	submitForRules uint64
 	fieldTypes     uint64
 	scopeFilters   scopeFiltersConfig
-	dataFilter     dataFilterConfig
+	dataFilter     dataFilterConfigBPF
 }
 
 // updateEventsConfigMap updates the events config map with the given events fields and filter config.
@@ -145,6 +160,27 @@ func (pm *PolicyManager) updateEventsConfigMap(
 			filterConfig = dataFilterConfig{}
 		}
 
+		// Extract the first bitmap from each field of stringFilterConfig
+		dataFilterCfg := dataFilterConfigBPF{}
+		if len(filterConfig.string.prefixEnabled) > 0 {
+			dataFilterCfg.string.prefixEnabled = filterConfig.string.prefixEnabled[0]
+		}
+		if len(filterConfig.string.suffixEnabled) > 0 {
+			dataFilterCfg.string.suffixEnabled = filterConfig.string.suffixEnabled[0]
+		}
+		if len(filterConfig.string.exactEnabled) > 0 {
+			dataFilterCfg.string.exactEnabled = filterConfig.string.exactEnabled[0]
+		}
+		if len(filterConfig.string.prefixMatchIfKeyMissing) > 0 {
+			dataFilterCfg.string.prefixMatchIfKeyMissing = filterConfig.string.prefixMatchIfKeyMissing[0]
+		}
+		if len(filterConfig.string.suffixMatchIfKeyMissing) > 0 {
+			dataFilterCfg.string.suffixMatchIfKeyMissing = filterConfig.string.suffixMatchIfKeyMissing[0]
+		}
+		if len(filterConfig.string.exactMatchIfKeyMissing) > 0 {
+			dataFilterCfg.string.exactMatchIfKeyMissing = filterConfig.string.exactMatchIfKeyMissing[0]
+		}
+
 		// encoded event's field types
 		var fieldTypes uint64
 		fields := eventsFields[id]
@@ -154,16 +190,25 @@ func (pm *PolicyManager) updateEventsConfigMap(
 
 		// Create submit bitmap based on rules count - n least significant bits set to 1
 		submitForRules := uint64(0)
-		if ecfg.rulesCount > 0 {
+		if ecfg.rulesCount >= 64 {
+			submitForRules = ^uint64(0) // All bits set to 1
+		} else if ecfg.rulesCount > 0 {
 			submitForRules = (uint64(1) << ecfg.rulesCount) - 1
 		}
 
+		// Set hasOverflow flag
+		var overflowFlag uint8
+		if ecfg.hasOverflow {
+			overflowFlag = 1
+		}
+
 		eventConfig := eventConfig{
 			rulesVersion:   ecfg.rulesVersion,
+			hasOverflow:    overflowFlag,
 			submitForRules: submitForRules,
 			fieldTypes:     fieldTypes,
 			scopeFilters:   pm.computeScopeFiltersConfig(id),
-			dataFilter:     filterConfig,
+			dataFilter:     dataFilterCfg,
 		}
 
 		err := eventsConfigMap.Update(unsafe.Pointer(&id), unsafe.Pointer(&eventConfig))
@@ -218,8 +263,8 @@ func (pm *PolicyManager) computeScopeFiltersConfig(eventID events.ID) scopeFilte
 
 	// Loop through rules for this event
 	for _, rule := range eventRules.Rules {
-		if rule.Policy == nil {
-			continue // Skip dependency rules that have no policy
+		if rule.Policy == nil || rule.ID >= 64 {
+			continue
 		}
 
 		offset := rule.ID // Use rule ID (0-63) for bitmap position
@@ -301,7 +346,7 @@ func (pm *PolicyManager) computeScopeFiltersConfig(eventID events.ID) scopeFilte
 // updateUIntFilterBPF updates the BPF maps for the given uint filter map.
 func (pm *PolicyManager) updateUIntFilterBPF(
 	bpfModule *bpf.Module,
-	filterMap map[filterVersionKey]map[uint64]ruleBitmap,
+	filterMap map[filterVersionKey]map[uint64][]ruleBitmap,
 	innerMapName string,
 	outerMapName string,
 ) error {
@@ -318,7 +363,15 @@ func (pm *PolicyManager) updateUIntFilterBPF(
 				vKey.Version, vKey.EventID, err)
 		}
 
-		for key, bitmap := range innerMap {
+		for key, bitmaps := range innerMap {
+			// Check if there are bitmaps for this key
+			if len(bitmaps) == 0 {
+				continue
+			}
+
+			// Update only the first bitmap (first 64 rules)
+			bitmap := bitmaps[0]
+
 			// Convert the uint64 key to []byte
 			keyBytes := make([]byte, 4)
 			binary.LittleEndian.PutUint32(keyBytes, uint32(key))
@@ -343,7 +396,7 @@ func (pm *PolicyManager) updateUIntFilterBPF(
 // updateStringFilterBPF updates the BPF maps for the given string filter map.
 func (pm *PolicyManager) updateStringFilterBPF(
 	bpfModule *bpf.Module,
-	filterMap map[filterVersionKey]map[string]ruleBitmap,
+	filterMap map[filterVersionKey]map[string][]ruleBitmap,
 	innerMapName string,
 	outerMapName string,
 ) error {
@@ -360,7 +413,15 @@ func (pm *PolicyManager) updateStringFilterBPF(
 				vKey.Version, vKey.EventID, err)
 		}
 
-		for key, bitmap := range innerMap {
+		for key, bitmaps := range innerMap {
+			// Check if there are bitmaps for this key
+			if len(bitmaps) == 0 {
+				continue
+			}
+
+			// Update only the first bitmap (first 64 rules)
+			bitmap := bitmaps[0]
+
 			byteStr := make([]byte, maxBpfStrFilterSize)
 			copy(byteStr, key)
 			keyPointer := unsafe.Pointer(&byteStr[0])
@@ -383,7 +444,7 @@ func (pm *PolicyManager) updateStringFilterBPF(
 // updateBinaryFilterBPF updates the BPF maps for the given binary filter map.
 func (pm *PolicyManager) updateBinaryFilterBPF(
 	bpfModule *bpf.Module,
-	filterMap map[filterVersionKey]map[filters.NSBinary]ruleBitmap,
+	filterMap map[filterVersionKey]map[filters.NSBinary][]ruleBitmap,
 	innerMapName string,
 	outerMapName string,
 ) error {
@@ -400,7 +461,15 @@ func (pm *PolicyManager) updateBinaryFilterBPF(
 				vKey.Version, vKey.EventID, err)
 		}
 
-		for key, bitmap := range innerMap {
+		for key, bitmaps := range innerMap {
+			// Check if there are bitmaps for this key
+			if len(bitmaps) == 0 {
+				continue
+			}
+
+			// Update only the first bitmap (first 64 rules)
+			bitmap := bitmaps[0]
+
 			if len(key.Path) > maxBpfBinPathSize {
 				return filters.InvalidValue(key.Path)
 			}
@@ -434,7 +503,7 @@ func (pm *PolicyManager) updateBinaryFilterBPF(
 // updateStringDataFilterLPMBPF updates the BPF maps for the given kernel data LPM filter map.
 func (pm *PolicyManager) updateStringDataFilterLPMBPF(
 	bpfModule *bpf.Module,
-	filterMap map[filterVersionKey]map[string]ruleBitmap,
+	filterMap map[filterVersionKey]map[string][]ruleBitmap,
 	innerMapName string,
 	outerMapName string,
 ) error {
@@ -451,7 +520,15 @@ func (pm *PolicyManager) updateStringDataFilterLPMBPF(
 				vKey.Version, vKey.EventID, err)
 		}
 
-		for key, bitmap := range innerMap {
+		for key, bitmaps := range innerMap {
+			// Check if there are bitmaps for this key
+			if len(bitmaps) == 0 {
+				continue
+			}
+
+			// Update only the first bitmap (first 64 rules)
+			bitmap := bitmaps[0]
+
 			// Ensure the string length is within the maximum allowed limit,
 			// excluding the NULL terminator.
 			if len(key) > maxBpfDataFilterStrSize-1 {
@@ -484,7 +561,7 @@ func (pm *PolicyManager) updateStringDataFilterLPMBPF(
 // updateStringDataFilterBPF updates the BPF maps for the given kernel data filter map.
 func (pm *PolicyManager) updateStringDataFilterBPF(
 	bpfModule *bpf.Module,
-	filterMap map[filterVersionKey]map[string]ruleBitmap,
+	filterMap map[filterVersionKey]map[string][]ruleBitmap,
 	innerMapName string,
 	outerMapName string,
 ) error {
@@ -501,7 +578,15 @@ func (pm *PolicyManager) updateStringDataFilterBPF(
 				vKey.Version, vKey.EventID, err)
 		}
 
-		for key, bitmap := range innerMap {
+		for key, bitmaps := range innerMap {
+			// Check if there are bitmaps for this key
+			if len(bitmaps) == 0 {
+				continue
+			}
+
+			// Update only the first bitmap (first 64 rules)
+			bitmap := bitmaps[0]
+
 			// Ensure the string length is within the maximum allowed limit,
 			// excluding the NULL terminator
 			if len(key) > maxBpfDataFilterStrSize-1 {
@@ -636,7 +721,7 @@ type procInfo struct {
 // populateProcInfoMap populates the ProcInfoMap with the binaries to track.
 // TODO: Should ProcInfoMap be cleared when a Policies new version is created?
 // Or should it be versioned too?
-func populateProcInfoMap(bpfModule *bpf.Module, filterMap map[filterVersionKey]map[filters.NSBinary]ruleBitmap) error {
+func populateProcInfoMap(bpfModule *bpf.Module, filterMap map[filterVersionKey]map[filters.NSBinary][]ruleBitmap) error {
 	procInfoMap, err := bpfModule.GetMap(ProcInfoMap)
 	if err != nil {
 		return errfmt.WrapError(err)

pkg/policy/errors.go

@@ -32,10 +32,6 @@ func PolicyNotFoundByNameError(name string) error {
 	return &policyError{msg: fmt.Sprintf("policy [%s] not found", name)}
 }
 
-func TooManyRulesForEventError(eventName string) error {
-	return &policyError{msg: fmt.Sprintf("too many rules for event %s", eventName)}
-}
-
 func SelectEventError(eventName string) error {
 	return &policyError{msg: fmt.Sprintf("failed to select event %s", eventName)}
 }