This repository was archived by the owner on Nov 19, 2021. It is now read-only.

A cleaner API for filtering. #10

Merged: 5 commits, Feb 4, 2021

Conversation

@ycamper (Contributor) commented Feb 3, 2021

Swapped out the old kernel-filtering logic for a newer version that is a wee bit more flexible and uses less branching than the previous one.

The golang frontend has a cleaner usage (read: more verbose and not annoying)

	filter := kernel.NewFilter(probe.Module())
	if err := filter.AddRule(
		kernel.NewFilterRuleN(
			kernel.FilterRuleSetModeSyscall(),
			kernel.FilterRuleSetSyscall("execve"),
			kernel.FilterRuleSetPidNamespace(4026531836),
			kernel.FilterRuleSetSampleRate(10),
			kernel.FilterRuleSetActionAllow())); err != nil {
		log.Fatal(err)
	}
	if err := filter.Enable(); err != nil {
		log.Fatal(err)
	}
	fmt.Println(filter.GetRunning())

When the log-level is greater than or equal to debug, various statistics and rule-dumps will be emitted to stderr like so:

DEBUG  [2021-02-04T12:35:20-05:00] allocated-metric-nodes: 193                  
DEBUG  [2021-02-04T12:35:20-05:00] {flags=FILTER_MODE_METRICS|FILTER_TYPE_PID_NS, pid-namespace=31337, thread-id=0, syscall=ALL, sample-rate=0, current-sample-count=0, hits=0, action=ACTION_ALLOW} 
DEBUG  [2021-02-04T12:35:20-05:00] {flags=FILTER_MODE_SYSCALL|FILTER_TYPE_PID_NS|FILTER_TYPE_SYSCALL, pid-namespace=4026534223, thread-id=0, syscall=sys_bind, sample-rate=0, current-sample-count=0, hits=0, action=ACTION_ALLOW} 
DEBUG  [2021-02-04T12:35:20-05:00] {flags=FILTER_MODE_SYSCALL|FILTER_TYPE_PID_NS|FILTER_TYPE_SYSCALL, pid-namespace=4026534223, thread-id=0, syscall=sys_setsockopt, sample-rate=0, current-sample-count=0, hits=263, action=ACTION_ALLOW} 
DEBUG  [2021-02-04T12:35:20-05:00] {flags=FILTER_MODE_SYSCALL|FILTER_TYPE_PID_NS|FILTER_TYPE_SYSCALL, pid-namespace=4026534223, thread-id=0, syscall=sys_getsockopt, sample-rate=0, current-sample-count=0, hits=27, action=ACTION_ALLOW} 
DEBUG  [2021-02-04T12:35:20-05:00] {flags=FILTER_MODE_SYSCALL|FILTER_TYPE_PID_NS|FILTER_TYPE_SYSCALL, pid-namespace=4026534223, thread-id=0, syscall=sys_getsockname, sample-rate=0, current-sample-count=0, hits=59, action=ACTION_ALLOW} 
DEBUG  [2021-02-04T12:35:20-05:00] {flags=FILTER_MODE_METRICS|FILTER_TYPE_PID_NS, pid-namespace=4026533690, thread-id=0, syscall=ALL, sample-rate=0, current-sample-count=0, hits=66017, action=ACTION_ALLOW} 
DEBUG  [2021-02-04T12:35:20-05:00] {flags=FILTER_MODE_METRICS|FILTER_TYPE_PID_NS, pid-namespace=4026534223, thread-id=0, syscall=ALL, sample-rate=0, current-sample-count=0, hits=12106, action=ACTION_ALLOW} 
DEBUG  [2021-02-04T12:35:20-05:00] {flags=FILTER_MODE_METRICS|FILTER_TYPE_PID_NS, pid-namespace=4026534108, thread-id=0, syscall=ALL, sample-rate=0, current-sample-count=0, hits=2148, action=ACTION_ALLOW} 
DEBUG  [2021-02-04T12:35:20-05:00] {flags=FILTER_MODE_METRICS|FILTER_TYPE_PID_NS, pid-namespace=4026534221, thread-id=0, syscall=ALL, sample-rate=0, current-sample-count=0, hits=3968, action=ACTION_ALLOW} 

This gives the user insight into the raw filters and allocated metric nodes as seen by the kernel every few seconds.
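As an added example (not code from this PR or from the criticalstack project), a small Go parser for the rule-dump lines quoted above: it splits the `{key=value, ...}` body into fields and sums `hits` per pid namespace for the per-syscall rules only, so a reviewer can tell real rule matches apart from the `FILTER_MODE_METRICS` counters that count every syscall in a namespace. The field names, flag values and sample lines are taken from the quoted debug output; the only assumption is that `flags` stays `|`-separated as shown there.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// SampleDump holds three debug lines copied from the quoted output above.
var SampleDump = []string{
	`DEBUG  [2021-02-04T12:35:20-05:00] allocated-metric-nodes: 193`,
	`DEBUG  [2021-02-04T12:35:20-05:00] {flags=FILTER_MODE_SYSCALL|FILTER_TYPE_PID_NS|FILTER_TYPE_SYSCALL, pid-namespace=4026534223, thread-id=0, syscall=sys_setsockopt, sample-rate=0, current-sample-count=0, hits=263, action=ACTION_ALLOW}`,
	`DEBUG  [2021-02-04T12:35:20-05:00] {flags=FILTER_MODE_METRICS|FILTER_TYPE_PID_NS, pid-namespace=4026534223, thread-id=0, syscall=ALL, sample-rate=0, current-sample-count=0, hits=12106, action=ACTION_ALLOW}`,
}
var ruleBody = regexp.MustCompile(`\{([^}]*)\}`)

// ParseRuleLine parses the "{key=value, ...}" body of one rule dump into a map;
// ok is false for lines carrying no rule, such as "allocated-metric-nodes: N".
func ParseRuleLine(line string) (map[string]string, bool) {
	m := ruleBody.FindStringSubmatch(line)
	if m == nil {
		return nil, false
	}
	fields := map[string]string{}
	for _, kv := range strings.Split(m[1], ",") {
		if p := strings.SplitN(strings.TrimSpace(kv), "=", 2); len(p) == 2 {
			fields[p[0]] = p[1]
		}
	}
	return fields, true
}

// HasFlag reports whether the rule's "flags" field carries the named FILTER_* flag
// (assumes the "|"-separated form seen in the dump).
func HasFlag(rule map[string]string, flag string) bool {
	return strings.Contains("|"+rule["flags"]+"|", "|"+flag+"|")
}

// SyscallHits sums "hits" of FILTER_MODE_SYSCALL rules by pid namespace, skipping
// the FILTER_MODE_METRICS nodes that count every syscall in the namespace.
func SyscallHits(lines []string) map[uint64]uint64 {
	out := map[uint64]uint64{}
	for _, l := range lines {
		if rule, ok := ParseRuleLine(l); !ok || !HasFlag(rule, "FILTER_MODE_SYSCALL") {
			continue
		} else {
			ns, _ := strconv.ParseUint(rule["pid-namespace"], 10, 64)
			hits, _ := strconv.ParseUint(rule["hits"], 10, 64)
			out[ns] += hits
		}
	}
	return out
}
```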

@ycamper ycamper requested a review from ktravis February 3, 2021 21:59
@ycamper ycamper marked this pull request as ready for review February 3, 2021 23:42
@ycamper ycamper changed the title from "better filtering logic! more info to come." to "A cleaner API for filtering." Feb 3, 2021
ktravis previously approved these changes Feb 4, 2021
@ycamper ycamper merged commit 4658a5b into criticalstack:main Feb 4, 2021