Refactor: Simplify userspace policy filtering

This commit simplifies policy filtering in userspace by: - Replacing the filterableInUserland bitmap with a boolean flag. - Removing the redundant filterInUserland function. - Updating related functions to use the new boolean flag.
aquasecurity · Dec 4, 2024 · e453013 · e453013
1 parent 0ea2e4d
commit e453013
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 16 deletions.
diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
@@ -305,7 +305,7 @@ func (t *Tracee) matchPolicies(event *trace.Event) uint64 {
 	bitmap := event.MatchedPoliciesKernel
 
 	// Short circuit if there are no policies in userland that need filtering.
-	if !t.policyManager.FilterableInUserland(bitmap) {
+	if !t.policyManager.FilterableInUserland() {
 		event.MatchedPoliciesUser = bitmap // store untouched bitmap to be used in sink stage
 		return bitmap
 	}

diff --git a/pkg/policy/policies.go b/pkg/policy/policies.go
@@ -1,8 +1,6 @@
 package policy
 
 import (
-	"sync/atomic"
-
 	bpf "github.com/aquasecurity/libbpfgo"
 
 	"github.com/aquasecurity/tracee/pkg/events"
@@ -37,7 +35,7 @@ type policies struct {
 	pidFilterMax            uint64
 	uidFilterableInUserland bool
 	pidFilterableInUserland bool
-	filterableInUserland    uint64 // bitmap of policies that must be filtered in userland
+	filterableInUserland    bool
 	containerFiltersEnabled uint64 // bitmap of policies that have at least one container filter type enabled
 }
 
@@ -55,7 +53,7 @@ func NewPolicies() *policies {
 		pidFilterMax:            filters.MaxNotSetUInt,
 		uidFilterableInUserland: false,
 		pidFilterableInUserland: false,
-		filterableInUserland:    0,
+		filterableInUserland:    false,
 		containerFiltersEnabled: 0,
 	}
 }
@@ -83,12 +81,6 @@ func (ps *policies) containerFilterEnabled() bool {
 	return ps.withContainerFilterEnabled() > 0
 }
 
-// filterInUserland returns a bitmap of policies that must be filtered in userland
-// (ArgFilter, RetFilter, ScopeFilter, UIDFilter and PIDFilter).
-func (ps *policies) filterInUserland() uint64 {
-	return atomic.LoadUint64(&ps.filterableInUserland)
-}
-
 // set sets a policy in the policies, given an ID.
 func set(ps *policies, id int, p *Policy) error {
 	p.ID = id

diff --git a/pkg/policy/policies_compute.go b/pkg/policy/policies_compute.go
@@ -119,7 +119,7 @@ func (ps *policies) updateContainerFilterEnabled() {
 // updateUserlandPolicies sets the userlandPolicies list and the filterableInUserland bitmap.
 func (ps *policies) updateUserlandPolicies() {
 	userlandList := []*Policy{}
-	ps.filterableInUserland = 0
+	ps.filterableInUserland = false
 
 	for _, p := range ps.allFromArray() {
 		if p == nil {
@@ -142,9 +142,9 @@ func (ps *policies) updateUserlandPolicies() {
 		if hasUserlandFilters ||
 			(p.UIDFilter.Enabled() && ps.uidFilterableInUserland) ||
 			(p.PIDFilter.Enabled() && ps.pidFilterableInUserland) {
-			// add policy to userland list and set the respective bit
+			// add policy to userland list and set the flag
 			userlandList = append(userlandList, p)
-			utils.SetBit(&ps.filterableInUserland, uint(p.ID))
+			ps.filterableInUserland = true
 		}
 	}
 

diff --git a/pkg/policy/policy_manager.go b/pkg/policy/policy_manager.go
@@ -562,11 +562,11 @@ func (m *Manager) CreateAllIterator() utils.Iterator[*Policy] {
 	return m.ps.createAllIterator()
 }
 
-func (m *Manager) FilterableInUserland(bitmap uint64) bool {
+func (m *Manager) FilterableInUserland() bool {
 	m.mu.RLock()
 	defer m.mu.RUnlock()
 
-	return (bitmap & m.ps.filterInUserland()) != 0
+	return m.ps.filterableInUserland
 }
 
 func (m *Manager) WithContainerFilterEnabled() uint64 {