Test

Signed-off-by: Anastasios Papagiannis <[email protected]>
cilium · Nov 15, 2024 · d62cd19 · d62cd19
1 parent 93fb03c
commit d62cd19
Show file tree

Hide file tree

Showing 6 changed files with 263 additions and 34 deletions.
diff --git a/bpf/process/policy_filter.h b/bpf/process/policy_filter.h
@@ -8,6 +8,7 @@
 
 #define POLICY_FILTER_MAX_POLICIES   128
 #define POLICY_FILTER_MAX_NAMESPACES 1024
+#define POLICY_FILTER_MAX_CGROUP_IDS 512
 
 struct {
 	__uint(type, BPF_MAP_TYPE_LRU_HASH);
@@ -29,17 +30,39 @@ struct {
 		});
 } policy_filter_maps SEC(".maps");
 
+// This map keeps exactly the same information as policy_filter_maps
+// but keeps the reverse mappings. i.e.
+// policy_filter_maps maps policy_id to cgroup_ids
+// policy_filter_reverse_maps maps cgroup_id to policy_ids
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH_OF_MAPS);
+	__uint(max_entries, POLICY_FILTER_MAX_CGROUP_IDS);
+	__uint(key_size, sizeof(__u64)); /* cgroup id */
+	__array(
+		values, struct {
+			__uint(type, BPF_MAP_TYPE_HASH);
+			__uint(max_entries, POLICY_FILTER_MAX_POLICIES);
+			__type(key, __u32); /* policy id */
+			__type(value, __u8); /* empty  */
+		});
+} policy_filter_reverse_maps SEC(".maps");
+
 // policy_filter_check checks whether the policy applies on the current process.
 // Returns true if it does, false otherwise.
 
 FUNC_INLINE bool policy_filter_check(u32 policy_id)
 {
 	void *policy_map;
-	__u64 cgroupid;
+	__u64 cgroupid = 0;
 
 	if (!policy_id)
 		return true;
 
+	// we just want to make sure that policy_filter_reverse_maps
+	// is part of the object file in order to read the map
+	// spec from the user space
+	map_lookup_elem(&policy_filter_reverse_maps, &cgroupid);
+
 	policy_map = map_lookup_elem(&policy_filter_maps, &policy_id);
 	if (!policy_map)
 		return false;

diff --git a/cmd/tetra/debug/dump.go b/cmd/tetra/debug/dump.go
@@ -181,18 +181,33 @@ func PolicyfilterState(fname string) {
 		return
 	}
 
-	if len(data) == 0 {
+	fmt.Println("--- Direct Map ---")
+
+	if len(data.Direct) == 0 {
 		fmt.Printf("(empty)\n")
-		return
 	}
 
-	for polId, cgIDs := range data {
+	for polId, cgIDs := range data.Direct {
 		ids := make([]string, 0, len(cgIDs))
 		for id := range cgIDs {
 			ids = append(ids, strconv.FormatUint(uint64(id), 10))
 		}
 		fmt.Printf("%d: %s\n", polId, strings.Join(ids, ","))
 	}
+
+	fmt.Println("--- Reverse Map ---")
+
+	if len(data.Reverse) == 0 {
+		fmt.Printf("(empty)\n")
+	}
+
+	for cgIDs, polIds := range data.Reverse {
+		ids := make([]string, 0, len(polIds))
+		for id := range polIds {
+			ids = append(ids, strconv.FormatUint(uint64(id), 10))
+		}
+		fmt.Printf("%d: %s\n", cgIDs, strings.Join(ids, ","))
+	}
 }
 
 func NamespaceState(fname string) error {

diff --git a/cmd/tetra/policyfilter/policyfilter.go b/cmd/tetra/policyfilter/policyfilter.go
@@ -89,6 +89,7 @@ func dumpCmd() *cobra.Command {
 func addCommand() *cobra.Command {
 	var argType string
 	mapFname := filepath.Join(defaults.DefaultMapRoot, defaults.DefaultMapPrefix, policyfilter.MapName)
+	mapRevFname := filepath.Join(defaults.DefaultMapRoot, defaults.DefaultMapPrefix, policyfilter.RevMapName)
 	ret := &cobra.Command{
 		Use:   "add [policy id] [cgroup]",
 		Short: "add policyfilter entry",
@@ -121,6 +122,7 @@ func addCommand() *cobra.Command {
 	flags := ret.Flags()
 	flags.StringVar(&argType, "arg-type", "file", "cgroup type (id,file)")
 	flags.StringVar(&mapFname, "map-fname", mapFname, "policyfilter map filename")
+	flags.StringVar(&mapRevFname, "map-rev-fname", mapRevFname, "policyfilterReverse map filename")
 	return ret
 }