WIP: string data filter from globally to per event

- remove string data filter bitmap fields from config_map which
is globally for all events;
- add string data fitlter bitmap fields to events_map which is
per event.

pkg/ebpf/c/common/context.h

@@ -198,6 +198,7 @@ statfunc int init_program_data(program_data_t *p, void *ctx, u32 event_id)
         if (event_config != NULL) {
             p->event->config.field_types = event_config->field_types;
             p->event->config.submit_for_policies = event_config->submit_for_policies;
+            p->event->config.data_filter = event_config->data_filter;
         }
     }
 

pkg/ebpf/c/common/filtering.h

@@ -346,9 +346,11 @@ statfunc u64 match_scope_filters(program_data_t *p)
 statfunc u64 match_data_filters(program_data_t *p, u8 index)
 {
     policies_config_t *policies_cfg = &p->event->policies_config;
+    // Retrieve the string filter for the current event
+    // TODO: Dynamically determine the filter and type based on policy configuration
+    string_filter_config_t *str_filter = &p->event->config.data_filter.string;
 
-    if (!(policies_cfg->data_filter_exact_enabled || policies_cfg->data_filter_prefix_enabled ||
-          policies_cfg->data_filter_suffix_enabled))
+    if (!(str_filter->exact_enabled || str_filter->prefix_enabled || str_filter->suffix_enabled))
         return policies_cfg->enabled_policies;
 
     u64 res = 0;
@@ -362,7 +364,7 @@ statfunc u64 match_data_filters(program_data_t *p, u8 index)
     u16 version = p->event->context.policies_version;
 
     // Exact match
-    if (policies_cfg->data_filter_exact_enabled) {
+    if (str_filter->exact_enabled) {
         data_filter_key_t *key = get_string_data_filter_buf(DATA_FILTER_BUF1_IDX);
         if (key == NULL)
             return 0;
@@ -373,7 +375,7 @@ statfunc u64 match_data_filters(program_data_t *p, u8 index)
         if (!len)
             return 0;
 
-        u64 match_if_key_missing = policies_cfg->data_filter_exact_match_if_key_missing;
+        u64 match_if_key_missing = str_filter->exact_match_if_key_missing;
         filter_map = get_event_filter_map(&data_filter_exact_version, version, eventid);
         res = equality_filter_matches(match_if_key_missing, filter_map, key);
         explicit_enable_policies |= (res & ~match_if_key_missing);
@@ -382,7 +384,7 @@ statfunc u64 match_data_filters(program_data_t *p, u8 index)
     }
 
     // Prefix match
-    if (policies_cfg->data_filter_prefix_enabled) {
+    if (str_filter->prefix_enabled) {
         data_filter_lpm_key_t *key = get_string_data_filter_lpm_buf(DATA_FILTER_BUF1_IDX);
         if (key == NULL)
             return 0;
@@ -396,7 +398,7 @@ statfunc u64 match_data_filters(program_data_t *p, u8 index)
         // https://docs.kernel.org/bpf/map_lpm_trie.html
         key->prefix_len = len * 8;
 
-        u64 match_if_key_missing = policies_cfg->data_filter_prefix_match_if_key_missing;
+        u64 match_if_key_missing = str_filter->prefix_match_if_key_missing;
         filter_map = get_event_filter_map(&data_filter_prefix_version, version, eventid);
         res = equality_filter_matches(match_if_key_missing, filter_map, key);
         explicit_enable_policies |= (res & ~match_if_key_missing);
@@ -405,7 +407,7 @@ statfunc u64 match_data_filters(program_data_t *p, u8 index)
     }
 
     // Suffix match
-    if (policies_cfg->data_filter_suffix_enabled) {
+    if (str_filter->suffix_enabled) {
         data_filter_lpm_key_t *key = get_string_data_filter_lpm_buf(DATA_FILTER_BUF1_IDX);
 
         if (key == NULL)
@@ -417,7 +419,7 @@ statfunc u64 match_data_filters(program_data_t *p, u8 index)
 
         key->prefix_len = len * 8;
 
-        u64 match_if_key_missing = policies_cfg->data_filter_suffix_match_if_key_missing;
+        u64 match_if_key_missing = str_filter->suffix_match_if_key_missing;
         filter_map = get_event_filter_map(&data_filter_suffix_version, version, eventid);
         res = equality_filter_matches(match_if_key_missing, filter_map, key);
         explicit_enable_policies |= (res & ~match_if_key_missing);

pkg/ebpf/c/types.h

@@ -347,14 +347,6 @@ typedef struct policies_config {
     // bitmap with policies that have at least one filter enabled
     u64 enabled_policies;
 
-    // enabled data filters bitmask per filter
-    u64 data_filter_prefix_enabled;
-    u64 data_filter_suffix_enabled;
-    u64 data_filter_exact_enabled;
-    u64 data_filter_prefix_match_if_key_missing;
-    u64 data_filter_suffix_match_if_key_missing;
-    u64 data_filter_exact_match_if_key_missing;
-
     // global min max
     u64 uid_max;
     u64 uid_min;
@@ -371,9 +363,24 @@ typedef struct config_entry {
     policies_config_t policies_config;
 } config_entry_t;
 
+typedef struct string_filter_config {
+    u64 prefix_enabled;
+    u64 suffix_enabled;
+    u64 exact_enabled;
+    u64 prefix_match_if_key_missing;
+    u64 suffix_match_if_key_missing;
+    u64 exact_match_if_key_missing;
+} string_filter_config_t;
+
+typedef struct data_filter_config {
+    string_filter_config_t string;
+    // other types of filters
+} data_filter_config_t;
+
 typedef struct event_config {
     u64 submit_for_policies;
     u64 field_types;
+    data_filter_config_t data_filter;
 } event_config_t;
 
 enum capture_options_e

pkg/policy/ebpf.go

@@ -278,11 +278,18 @@ func (ps *policies) createNewFilterMapsVersion(bpfModule *bpf.Module) error {
 	return nil
 }
 
+type eventConfig struct {
+	submitForPolicies uint64
+	fieldTypes        uint64
+	dataFilter        dataFilterConfig
+}
+
 // createNewEventsMapVersion creates a new version of the events map.
 func (ps *policies) createNewEventsMapVersion(
 	bpfModule *bpf.Module,
 	rules map[events.ID]*eventFlags,
 	eventsFields map[events.ID][]bufferdecoder.ArgType,
+	eventsFilterCfg map[events.ID]stringFilterConfig,
 ) error {
 	polsVersion := ps.version()
 	innerMapName := "events_map"
@@ -303,20 +310,28 @@ func (ps *policies) createNewEventsMapVersion(
 	ps.bpfInnerMaps[innerMapName] = newInnerMap
 
 	for id, ecfg := range rules {
-		eventConfigVal := make([]byte, 16)
-
-		// bitmap of policies that require this event to be submitted
-		binary.LittleEndian.PutUint64(eventConfigVal[0:8], ecfg.policiesSubmit)
+		stringFilter, exist := eventsFilterCfg[id]
+		if !exist {
+			stringFilter = stringFilterConfig{}
+		}
 
 		// encoded event's field types
 		var fieldTypes uint64
 		fields := eventsFields[id]
 		for n, fieldType := range fields {
 			fieldTypes = fieldTypes | (uint64(fieldType) << (8 * n))
 		}
-		binary.LittleEndian.PutUint64(eventConfigVal[8:16], fieldTypes)
 
-		err := newInnerMap.Update(unsafe.Pointer(&id), unsafe.Pointer(&eventConfigVal[0]))
+		eventConfig := eventConfig{
+			// bitmap of policies that require this event to be submitted
+			submitForPolicies: ecfg.policiesSubmit,
+			fieldTypes:        fieldTypes,
+			dataFilter: dataFilterConfig{
+				string: stringFilter,
+			},
+		}
+
+		err := newInnerMap.Update(unsafe.Pointer(&id), unsafe.Pointer(&eventConfig))
 		if err != nil {
 			return errfmt.WrapError(err)
 		}
@@ -662,13 +677,6 @@ func (ps *policies) updateBPF(
 	createNewMaps bool,
 	updateProcTree bool,
 ) (*PoliciesConfig, error) {
-	if createNewMaps {
-		// Create new events map version
-		if err := ps.createNewEventsMapVersion(bpfModule, rules, eventsFields); err != nil {
-			return nil, errfmt.WrapError(err)
-		}
-	}
-
 	fEqs := &filtersEqualities{
 		uidEqualities:        make(map[uint64]equality),
 		pidEqualities:        make(map[uint64]equality),
@@ -683,15 +691,22 @@ func (ps *policies) updateBPF(
 		binaryEqualities:     make(map[filters.NSBinary]equality),
 	}
 
+	fEvtCfg := make(map[events.ID]stringFilterConfig)
+
 	if err := ps.computeFilterEqualities(fEqs, cts); err != nil {
 		return nil, errfmt.WrapError(err)
 	}
 
-	if err := ps.computeDataFilterEqualities(fEqs); err != nil {
+	if err := ps.computeDataFilterEqualities(fEqs, fEvtCfg); err != nil {
 		return nil, errfmt.WrapError(err)
 	}
 
 	if createNewMaps {
+		// Create new events map version
+		if err := ps.createNewEventsMapVersion(bpfModule, rules, eventsFields, fEvtCfg); err != nil {
+			return nil, errfmt.WrapError(err)
+		}
+
 		// Create new filter maps version
 		if err := ps.createNewFilterMapsVersion(bpfModule); err != nil {
 			return nil, errfmt.WrapError(err)
@@ -835,13 +850,6 @@ type PoliciesConfig struct {
 
 	EnabledPolicies uint64
 
-	DataFilterPrefixEnabled           uint64
-	DataFilterSuffixEnabled           uint64
-	DataFilterExactEnabled            uint64
-	DataFilterPrefixMatchIfKeyMissing uint64
-	DataFilterSuffixMatchIfKeyMissing uint64
-	DataFilterExactMatchIfKeyMissing  uint64
-
 	UidMax uint64
 	UidMin uint64
 	PidMax uint64
@@ -908,15 +916,6 @@ func (ps *policies) computePoliciesConfig() *PoliciesConfig {
 		if p.Follow {
 			cfg.FollowFilterEnabled |= 1 << offset
 		}
-		if ps.kernellandPolicyMatchStates[offset].EnabledDataExactMatch() {
-			cfg.DataFilterExactEnabled |= 1 << offset
-		}
-		if ps.kernellandPolicyMatchStates[offset].EnabledDataPrefixMatch() {
-			cfg.DataFilterPrefixEnabled |= 1 << offset
-		}
-		if ps.kernellandPolicyMatchStates[offset].EnabledDataSuffixMatch() {
-			cfg.DataFilterSuffixEnabled |= 1 << offset
-		}
 		// bitmap indicating whether to match a rule if the key is missing from its filter map
 		if p.UIDFilter.MatchIfKeyMissing() {
 			cfg.UIDFilterMatchIfKeyMissing |= 1 << offset
@@ -954,15 +953,6 @@ func (ps *policies) computePoliciesConfig() *PoliciesConfig {
 		if p.BinaryFilter.MatchIfKeyMissing() {
 			cfg.BinPathFilterMatchIfKeyMissing |= 1 << offset
 		}
-		if ps.kernellandPolicyMatchStates[offset].MatchIfKeyMissingDataExactMatch() {
-			cfg.DataFilterExactMatchIfKeyMissing |= 1 << offset
-		}
-		if ps.kernellandPolicyMatchStates[offset].MatchIfKeyMissingDataPrefixMatch() {
-			cfg.DataFilterPrefixMatchIfKeyMissing |= 1 << offset
-		}
-		if ps.kernellandPolicyMatchStates[offset].MatchIfKeyMissingDataSuffixMatch() {
-			cfg.DataFilterSuffixMatchIfKeyMissing |= 1 << offset
-		}
 		cfg.EnabledPolicies |= 1 << offset
 	}