Add tests for the previous patch

Signed-off-by: Anastasios Papagiannis <anastasios.papagiannis@isovalent.com>

Author: tpapagian

.codex

@@ -0,0 +1,48 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "protection-policy-cve-2022-0847"
+spec:
+  kprobes:
+  - call: "sys_splice"
+    syscall: true
+    selectors:
+    # host segment: binaries that are allowed to call splice on the host
+    - matchBinaries:
+      - operator: "In"
+        values:
+        - "systemd"
+        - "qemu"
+        - "smbd"
+        - "samba"
+      matchWorkloads:
+      - hostSelector: {}
+        posSelector: null # or ~
+      matchActions:
+      - action: NoPost
+    # haproxy pod on the network namespace: binaries that are allowed to call splice on that pod
+    - matchBinaries:
+      - operator: "In"
+        values:
+        - "haproxy"
+      matchWorkloads:
+      - podSelector:
+          matchExpressions:
+          - key: "k8s:io.kubernetes.pod.namespace"
+            operator: In
+            values:
+            - network 
+          - key: "app"
+            operator: In
+            values:
+            - haproxy
+        hostSelector: null # or ~
+      matchActions:
+      - action: NoPost
+    # block splice from all other binaries
+    - matchWorkloads:
+      - podSelector: {}
+        hostSelector: {}
+      matchActions:
+      - action: Override
+        argError: -1

b.yaml

@@ -0,0 +1,60 @@
+diff --git a/pkg/labels/labels.go b/pkg/labels/labels.go
+index 6a64a54a6..6f47cd317 100644
+--- a/pkg/labels/labels.go
++++ b/pkg/labels/labels.go
+@@ -51,11 +51,13 @@ func (s *selectorOp) match(labels Labels) bool {
+ 	}
+ }
+ 
+-type Selector []selectorOp
++type SelectorWithValues struct {
++	ops []selectorOp
++}
+ 
+-func (s Selector) Match(labels Labels) bool {
+-	for i := range s {
+-		if !s[i].match(labels) {
++func (s SelectorWithValues) Match(labels Labels) bool {
++	for i := range s.ops {
++		if !s.ops[i].match(labels) {
+ 			return false
+ 		}
+ 	}
+@@ -63,10 +65,26 @@ func (s Selector) Match(labels Labels) bool {
+ 	return true
+ }
+ 
++type Selector interface {
++	Match(labels Labels) bool
++}
++
++type SelectorForAll struct {
++	matchAll bool
++}
++
++func (s SelectorForAll) Match(labels Labels) bool {
++	return s.matchAll
++}
++
+ func SelectorFromLabelSelector(ls *slimv1.LabelSelector) (Selector, error) {
+ 	if ls == nil {
+-		return []selectorOp{}, nil
++		return SelectorForAll{matchAll: false}, nil
++	}
++	if ls != nil && (len(ls.MatchLabels)+len(ls.MatchExpressions) == 0) {
++		return SelectorForAll{matchAll: true}, nil
+ 	}
++	// now we have ls != nil and len(ls.MatchLabels)+len(ls.MatchExpressions) > 0
+ 	ret := make([]selectorOp, 0, len(ls.MatchLabels)+len(ls.MatchExpressions))
+ 	for key, val := range ls.MatchLabels {
+ 		ret = append(ret, selectorOp{
+@@ -97,7 +115,7 @@ func SelectorFromLabelSelector(ls *slimv1.LabelSelector) (Selector, error) {
+ 		})
+ 	}
+ 
+-	return ret, nil
++	return SelectorWithValues{ops: ret}, nil
+ }
+ 
+ // Cmp checks if the labels are different. Returns true if they are.
+

contrib/tester-progs/pclntab-stripped

@@ -11,7 +11,7 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func requirePfmEqualTo(t *testing.T, m PfMap, val map[uint64][]uint64) {
+func buildExpectedPfMap(val map[uint64][]uint64) (map[PolicyID]map[CgroupID]struct{}, map[CgroupID]map[PolicyID]struct{}) {
 
 	checkVals := map[PolicyID]map[CgroupID]struct{}{}
 	for k, ids := range val {
@@ -31,6 +31,33 @@ func requirePfmEqualTo(t *testing.T, m PfMap, val map[uint64][]uint64) {
 		}
 	}
 
+	return checkVals, checkCgroupVals
+}
+
+func stripAllPodsPolicy(val PfMapDump) PfMapDump {
+	delete(val.Policy, AllPodsPolicyID)
+	for cgID, policyIDs := range val.Cgroup {
+		delete(policyIDs, AllPodsPolicyID)
+		if len(policyIDs) == 0 {
+			delete(val.Cgroup, cgID)
+		}
+	}
+	return val
+}
+
+func requirePfmEqualTo(t *testing.T, m PfMap, val map[uint64][]uint64) {
+	checkVals, checkCgroupVals := buildExpectedPfMap(val)
+
+	mapVals, err := m.readAll()
+	require.NoError(t, err)
+	mapVals = stripAllPodsPolicy(mapVals)
+	require.Equal(t, checkVals, mapVals.Policy)
+	require.Equal(t, checkCgroupVals, mapVals.Cgroup)
+}
+
+func requirePfmEqualToIncludingAllPods(t *testing.T, m PfMap, val map[uint64][]uint64) {
+	checkVals, checkCgroupVals := buildExpectedPfMap(val)
+
 	mapVals, err := m.readAll()
 	require.NoError(t, err)
 	require.Equal(t, checkVals, mapVals.Policy)

contrib/tester-progs/pclntab-unstripped

@@ -104,3 +104,85 @@ func TestState(t *testing.T) {
 	require.Empty(t, s.policies)
 	require.Empty(t, s.pods)
 }
+
+// New
+func TestStateAllPodsPolicyEntry(t *testing.T) {
+	s, err := New(true)
+	if err != nil {
+		t.Skipf("failed to inialize policy filter state: %s", err)
+	}
+	defer s.Close()
+
+	requirePfmEqualToIncludingAllPods(t, s.pfMap, map[uint64][]uint64{
+		uint64(AllPodsPolicyID): {},
+	})
+
+	pod1 := PodID(uuid.New())
+	cgid1 := CgroupID(4001)
+	err = s.AddPodContainer(pod1, "ns1", "wl1", "kind1", nil, "cont1", cgid1, podhelpers.ContainerInfo{Name: "main1", Repo: "repo1"})
+	require.NoError(t, err)
+
+	pod2 := PodID(uuid.New())
+	cgid2 := CgroupID(4002)
+	err = s.AddPodContainer(pod2, "ns2", "wl2", "kind2", nil, "cont2", cgid2, podhelpers.ContainerInfo{Name: "main2", Repo: "repo2"})
+	require.NoError(t, err)
+
+	requirePfmEqualToIncludingAllPods(t, s.pfMap, map[uint64][]uint64{
+		uint64(AllPodsPolicyID): {4001, 4002},
+	})
+
+	err = s.AddPolicy(PolicyID(1), "ns2", nil, nil, nil)
+	require.NoError(t, err)
+	requirePfmEqualToIncludingAllPods(t, s.pfMap, map[uint64][]uint64{
+		1:                       {4002},
+		uint64(AllPodsPolicyID): {4001, 4002},
+	})
+
+	err = s.DelPolicy(PolicyID(1))
+	require.NoError(t, err)
+	requirePfmEqualToIncludingAllPods(t, s.pfMap, map[uint64][]uint64{
+		uint64(AllPodsPolicyID): {4001, 4002},
+	})
+
+	err = s.DelPodContainer(pod1, "cont1")
+	require.NoError(t, err)
+	requirePfmEqualToIncludingAllPods(t, s.pfMap, map[uint64][]uint64{
+		uint64(AllPodsPolicyID): {4002},
+	})
+
+	err = s.DelPod(pod2)
+	require.NoError(t, err)
+	requirePfmEqualToIncludingAllPods(t, s.pfMap, map[uint64][]uint64{
+		uint64(AllPodsPolicyID): {},
+	})
+}
+
+func TestStateAllPodsPolicyEntryWithoutCgroupMap(t *testing.T) {
+	s, err := New(false)
+	if err != nil {
+		t.Skipf("failed to inialize policy filter state: %s", err)
+	}
+	defer s.Close()
+
+	pod := PodID(uuid.New())
+	cgid := CgroupID(5001)
+	err = s.AddPodContainer(pod, "ns1", "wl1", "kind1", nil, "cont1", cgid, podhelpers.ContainerInfo{Name: "main1", Repo: "repo1"})
+	require.NoError(t, err)
+
+	dump, err := s.pfMap.readAll()
+	require.NoError(t, err)
+	require.Equal(t, map[PolicyID]map[CgroupID]struct{}{
+		AllPodsPolicyID: {cgid: {}},
+	}, dump.Policy)
+	require.Nil(t, dump.Cgroup)
+
+	err = s.DelPodContainer(pod, "cont1")
+	require.NoError(t, err)
+
+	dump, err = s.pfMap.readAll()
+	require.NoError(t, err)
+	require.Equal(t, map[PolicyID]map[CgroupID]struct{}{
+		AllPodsPolicyID: {},
+	}, dump.Policy)
+	require.Nil(t, dump.Cgroup)
+}

new_approach.diff

@@ -0,0 +1,142 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "protection-policy-cve-2022-0847"
+spec:
+  kprobes:
+  - call: "sys_splice"
+    syscall: true
+
+
+
+
+
+
+
+
+Notes:
+1. containerSelector -> matches only on Pod containers -- not arbitrary containers
+2. podSelector and containerSelector are ANDed
+
+Now:
+  `containerSelector: null` and `containerSelector: {}` are the same and match everything
+  `podSelector: null` and `podSelector: {}` are the same and match everything
+  everything starts with null as default
+
+
+
+# Kornilios
+# nil -> matches nothing
+# {} -> matches everything
+# absence -> same as {}
+
+
+
+# Anastasios
+# nil -> matches nothing
+# {} -> matches everything
+# absence -> same as nil
+# Special case -> all nil no filtering
+
+workload is either host or pod
+
+hostSelector (host workloads) vs nodeSelector (apply everything or nothing in the node)
+
+
+spec:
+  podSelector: {}
+  * AND * 
+  containerSelector: {}
+  * OR *
+  hostSelector: {} # empty + full for now
+  nodeSelector: {} # k8s (i.e. staging or dev) + info (https://github.com/cilium/tetragon/tree/main/pkg/tetragoninfo) --> TODO create issue
+
+spec:
+  kprobes:
+
+
+
+# not valid -- cannot match all containers without any pods
+spec:
+  podSelector: ~
+  containerSelector: {}
+  hostSelector: ~
+
+# not valid -- cannot match all pods without any containers
+spec:
+  podSelector: {}
+  containerSelector: ~
+  hostSelector: ~
+
+# valid -- match all containers inside all pods
+spec:
+  podSelector: {}
+  containerSelector: {}
+  hostSelector: ~
+
+# valid -- match all containers inside any pod with `name: ubuntu`
+spec:
+  podSelector: {}
+  containerSelector:
+    matchExpressions:
+    - key: "name"
+      operator: In
+      values:
+      - ubuntu
+  hostSelector: ~
+
+# valid -- match containers with `name: ubuntu` inside pod with `namespace: network`
+spec:
+  podSelector:
+    matchExpressions:
+    - key: "k8s:io.kubernetes.pod.namespace"
+      operator: In
+      values:
+      - network 
+  containerSelector:
+    matchExpressions:
+    - key: "name"
+      operator: In
+      values:
+      - ubuntu
+  hostSelector: ~
+
+# valid -- match all containers inside pod with `namespace: network`
+spec:
+  podSelector:
+    matchExpressions:
+    - key: "k8s:io.kubernetes.pod.namespace"
+      operator: In
+      values:
+      - network 
+  containerSelector: {}
+  hostSelector: ~
+
+# valid -- only host
+spec:
+  podSelector: ~
+  containerSelector: ~
+  hostSelector: {}
+
+# valid -- special case to match everything (i.e. this is the same as if all of these are absense)
+spec:
+  podSelector: {}
+  containerSelector: {}
+  hostSelector: {}
+
+# not valid -- no process can be both in the network namespace AND in host 
+spec:
+  podSelector:
+    matchExpressions:
+    - key: "k8s:io.kubernetes.pod.namespace"
+      operator: In
+      values:
+      - network
+  containerSelector: {}
+  hostSelector: {}
+
+## From Slack
+
+# valid -- will match only host
+spec:
+  podSelector: nil