rename scopes related to policies #2845

geyslan · 2023-03-10T18:20:08Z

1. Explain what the PR does

commit a0fdbb6

go.mod: bump types

commit c774757

user: rename scope references to policy

This continues the renaming of scope to policy, in user land.

commit b3611d7

bpf: rename fields related to policies

event_context_t, net_task_context_t:
  matched_scopes -> matched_policies

This also renames other parts that are related to policies.

2. Explain how to test it

3. Other comments

This is part of:

Tracee Policies #2665

yanivagman · 2023-03-11T10:01:26Z

Making this change also requires changes in userspace, i.e Context of bufferdecoder and Event matchedScopes

geyslan · 2023-03-13T12:37:52Z

Making this change also requires changes in userspace, i.e Context of bufferdecoder and Event matchedScopes

I was leaving the user land changes to one single PR, since we'll have to bump types and so. Let me check it again. 👍🏻

geyslan · 2023-03-13T18:26:51Z

The checks will fail as we have a change in types pkg. After this is merged, we need to bump the go.mod.

rafaeldtinoco · 2023-03-13T19:15:47Z

Please rebase to HEAD before trying tests again. The rate limit issue with docker hub has been fixed.

pkg/cmd/flags/filter.go

yanivagman · 2023-03-14T15:51:32Z

pkg/cmd/flags/filter.go

-  -f 42:event=sched_process_exec -f 42:binary=/usr/bin/ls      | trace in scope 42 sched_process_exec event from /usr/bin/ls binary
+  -f 42:event=sched_process_exec -f 42:binary=/usr/bin/ls      | trace in policy 42 sched_process_exec event from /usr/bin/ls binary

-  -f 3:event=openat -f 3:comm=id -f 9:event=close -f 9:comm=ls - trace in scope 3 only openat event from id command
+  -f 3:event=openat -f 3:comm=id -f 9:event=close -f 9:comm=ls - trace in policy 3 only openat event from id command
                                                               | and
-                                                               - trace in scope 9 only close event from ls command
+                                                               - trace in policy 9 only close event from ls command

-  -f 6:event=openat -f 6:comm=id -f 7:event=close -f 7:comm=id - trace in scope 6 only openat event from id command
+  -f 6:event=openat -f 6:comm=id -f 7:event=close -f 7:comm=id - trace in policy 6 only openat event from id command
                                                               | and
-                                                               _ trace in scope 7 only close event from id command
+                                                               _ trace in policy 7 only close event from id command

-  -f 3:event=openat -f 3:comm=id -f 9:event=close              - trace in scope 3 only openat event from id command
+  -f 3:event=openat -f 3:comm=id -f 9:event=close              - trace in policy 3 only openat event from id command
                                                               | and
-                                                               - trace in scope 9 only close event from all
+                                                               - trace in policy 9 only close event from all


We're going to remove all of that from the CLI soon, right?

Definitely. Just renaming it accordingly. Once we receive the policies being loaded, this CLI will be removed, as that part of documentation.

yanivagman · 2023-03-14T16:05:33Z

pkg/cmd/flags/filter.go

@@ -121,31 +121,31 @@ type filterFlag struct {
 	full              string
 	filterName        string
 	operatorAndValues string
-	scopeIdx          int
+	policyIdx         int


and this will be removed as well (and all following changes to filterFlag)?

We need to think since it's part of the infrastructure and not exposed. It should be the part or not of the policy name mapping. We'll see.

@yanivagman why should we remove the index?

@yanivagman why should we remove the index?

Since this struct is the parsed filter flag, and we are going to remove multiscopes from CLI

But we are using it for policies. Policies are parsed and generate an []filterFlag

So at least we better rename this struct and not call it filterFlag.

Sure. Can this struct rename take place in the next PR (policies)? So this can enter to unlock the next ones.

Sure. This should probably be part of the removal of multiscopes from the CLI

geyslan · 2023-03-15T12:43:12Z

The checks will fail as we have a change in types pkg. After this is merged, we need to bump the go.mod.

Please, after approval, don't merge this before I remove this temp e71c43d commit.

geyslan · 2023-03-15T21:31:52Z

types/trace/trace.go

@@ -37,7 +37,7 @@ type Event struct {
 	PodSandbox          bool         `json:"podSandbox"`
 	EventID             int          `json:"eventId,string"`
 	EventName           string       `json:"eventName"`
-	MatchedScopes       uint64       `json:"matchedScopes"`
+	MatchedPolicies     uint64       `json:"matchedPolicies"`


@yanivagman a question for a next PR:

Does it make sense to expose in Event type a field like MatchedPoliciesNames []string?

Yes.
Actually, the bitmap won't make sense anymore if we remove multiscopes and only leave policies.
In that case, we can have MatchedPolicies []string

Right. After this merge, I'm going to tackle the ID<=>Name on top of #2873.

yanivagman

LGTM

go.mod

event_context_t, net_task_context_t: matched_scopes -> matched_policies This also renames other parts that are related to policies.

This continues the renaming of scope to policy, in user land.

aqua-ci · 2023-03-16T13:46:25Z

[ERROR]
GitHub self-host runner 'github-self-hosted_ami-0f23165db12015479_2845-4437586167_x64c' failed with connecting to GitHub.
Please cancel workflow and wait until infrastructure team investigation.

aqua-ci · 2023-03-16T13:46:28Z

[ERROR]
GitHub self-host runner 'github-self-hosted_ami-0f23165db12015479_2845-4437586167_x64' failed with connecting to GitHub.
Please cancel workflow and wait until infrastructure team investigation.

geyslan added kind/chore milestone/v0.13.0 labels Mar 10, 2023

geyslan self-assigned this Mar 10, 2023

geyslan mentioned this pull request Mar 10, 2023

Tracee Policies #2665

Closed

10 tasks

geyslan force-pushed the 2665-rename-bpf-side branch from ae4950a to bd5206e Compare March 13, 2023 15:54

geyslan changed the title ~~bpf: rename fields related to policies~~ bpf: rename scopes related to policies Mar 13, 2023

geyslan force-pushed the 2665-rename-bpf-side branch 5 times, most recently from 4d79a1c to 659b515 Compare March 13, 2023 18:21

geyslan force-pushed the 2665-rename-bpf-side branch from 659b515 to 25965e3 Compare March 14, 2023 13:26

geyslan changed the title ~~bpf: rename scopes related to policies~~ rename scopes related to policies Mar 14, 2023

yanivagman reviewed Mar 14, 2023

View reviewed changes

rafaeldtinoco linked an issue Mar 14, 2023 that may be closed by this pull request

Tracee Policies #2665

Closed

10 tasks

josedonizetti removed a link to an issue Mar 15, 2023

Tracee Policies #2665

Closed

10 tasks

geyslan force-pushed the 2665-rename-bpf-side branch from 25965e3 to d72bbb9 Compare March 15, 2023 12:30

geyslan commented Mar 15, 2023

View reviewed changes

geyslan requested a review from NDStrahilevitz March 16, 2023 11:02

yaniv 9E81 agman approved these changes Mar 16, 2023

View reviewed changes

NDStrahilevitz reviewed Mar 16, 2023

View reviewed changes

go.mod Outdated Show resolved Hide resolved

geyslan mentioned this pull request Mar 16, 2023

types: matchedScopes -> matchedPolicies #2881

Merged

geyslan added 3 commits March 16, 2023 10:12

bpf: rename fields related to policies

b3611d7

event_context_t, net_task_context_t: matched_scopes -> matched_policies This also renames other parts that are related to policies.

user: rename scope references to policy

c774757

This continues the renaming of scope to policy, in user land.

go.mod: bump types

a0fdbb6

geyslan force-pushed the 2665-rename-bpf-side branch from e71c43d to a0fdbb6 Compare March 16, 2023 13:29

github-actions bot added area/build area/ebpf area/events area/filtering area/flags area/testing area/UX labels Mar 16, 2023

geyslan merged commit 74460e6 into aquasecurity:main Mar 16, 2023

geyslan deleted the 2665-rename-bpf-side branch May 29, 2023 22:20

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

rename scopes related to policies #2845

rename scopes related to policies #2845

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

rename scopes related to policies #2845

rename scopes related to policies #2845

Uh oh!

Conversation

Uh oh!

1. Explain what the PR does

2. Explain how to test it

3. Other comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!