[bug] matchPIDs is using first pid only #3255

Open
wants to merge 1 commit into
base: main

arthur-zhang
Contributor

@arthur-zhang arthur-zhang commented Dec 24, 2024

Fixes bug

Description

In the code, the function `next_pid_value(index, f, ty)` is called multiple times to update the index, but the updated value is not written back to `sel->index`. This will cause external callers to be unable to obtain the updated state.

matchPIDs only uses the first pid

```yaml
selectors:
- matchPIDs:
  - operator: NotIn
    values:
    - 0
    - 1
```

```c
__u32 index = sel->index;

index = next_pid_value(index, f, ty);

FUNC_INLINE int next_pid_value(__u32 off, __u32 *f, __u32 ty)
{
	return off + 4;
}
```

The offset uses `selector_filter->index`

```c
FUNC_INLINE int
process_filter_pid(struct selector_filter *sf, __u32 *f,
		   struct execve_map_value *enter, struct msg_ns *n,
		   struct msg_capabilities *c)
{
	__u32 sel, off = sf->index;
	__u64 flags = sf->flags;
	__u64 pid;

	if (flags & PID_SELECTOR_FLAG_NSPID) {
		pid = enter->nspid;
	} else {
		pid = enter->key.pid;
	}

	if (off > 1000)
		sel = 0;
	else {
		__u64 o = (__u64)off;
		o = o / 4;
		asm volatile("%[o] &= 0x3ff;\n"
			     : [o] "+r"(o));
		sel = f[o];
	}
}
```

release note

Fix selector filter to properly update and assign `sel->index` in `pfilter.h`
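
The failure described above, reduced to a user-space model (an added example, not code from the project or from the PR author). Only `index`, `next_pid_value` returning `off + 4` and the read through `sf->index` come from the page; the loop, `pid_equals_current`, the `write_back` switch and the operator enum are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model; only index, next_pid_value and the
 * read-through-sf->index behaviour come from the page. */
struct selector_filter {
	uint32_t index; /* byte offset of the current pid value in f[] */
};

enum pid_op { OP_IN, OP_NOTIN }; /* assumed operator encoding */

/* Constructed sample: the two values from the matchPIDs spec above. */
static const uint32_t sample_filter[] = { 0, 1 };

static uint32_t next_pid_value(uint32_t off) { return off + 4; }

/* Reads the value to compare via sf->index, as process_filter_pid does. */
static int pid_equals_current(const struct selector_filter *sf,
			      const uint32_t *f, uint32_t pid)
{
	uint32_t off = sf->index;
	uint32_t sel = off > 1000 ? 0 : f[(off / 4) & 0x3ff];
	return sel == pid;
}

/* write_back == 0 models the bug, 1 the fix. Returns 1 on selector match. */
static int selector_match(const uint32_t *f, uint32_t nvals, enum pid_op op,
			  uint32_t pid, int write_back)
{
	struct selector_filter sel = { .index = 0 };
	uint32_t index = sel.index;
	int hit = 0;

	for (uint32_t i = 0; i < nvals; i++) {
		hit |= pid_equals_current(&sel, f, pid);
		index = next_pid_value(index);
		if (write_back)
			sel.index = index; /* the assignment this PR adds */
	}
	return op == OP_NOTIN ? !hit : hit;
}

int main(void)
{
	printf("NotIn [0,1], pid 1: bug=%d fix=%d\n", selector_match(sample_filter, 2, OP_NOTIN, 1, 0),
	       selector_match(sample_filter, 2, OP_NOTIN, 1, 1));
	return 0;
}
```

Without the write-back, pid 1 is compared against the first value twice, so the `NotIn` selector still matches it; with the write-back, the second value is reached and pid 1 is excluded.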

@arthur-zhang arthur-zhang requested a review from a team as a code owner December 24, 2024 04:00
@arthur-zhang arthur-zhang changed the title fix: update selector_filter index assignment to use sel->index [bug] matchPIDs is using first pid only Dec 24, 2024
Contributor

@olsajiri olsajiri left a comment

nice catch, could you please add test for the 2 pids matching spec? thanks

@@ -342,15 +342,19 @@ selector_match(__u32 *f, struct selector_filter *sel,
four:
res4 = process_filter(sel, f, enter, &msg->ns, &msg->caps);
index = next_pid_value(index, f, ty);
sel->index = index;
three:
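Review bot: at the `four:` step, `sel->index = index;` writes the advanced offset into the caller's `struct selector_filter`, so the value `sel->index` had on entry is gone once `selector_match` returns. Please confirm that every caller re-initialises `sel->index` before reusing `sel`, and that the later steps (only `four:` is fully visible here) carry the same write-back. A test whose `matchPIDs` list has more than one value, with the matching pid in a position other than the first, would pin the behaviour.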
Contributor

could we do directly sel->index = next_pid_value(index, f, ty); ?

Contributor Author

@arthur-zhang arthur-zhang Dec 26, 2024

Maybe not. If we do that, `index` is not changed, and `sel->index` will be 0 and 4 (using the first two pids); no more pids will be chosen. (I already tested this.)

Maybe we can remove the `index` variable and use `sel->index = next_pid_value(sel->index, f, ty)` directly.

@arthur-zhang
Contributor Author

> nice catch, could you please add test for the 2 pids matching spec? thanks

OK, I will spend some time to figure out how to do that.
