Test and document the limitations of the fields in TracingPolicy

[mtardy]

The documentation on TracingPolicy limitation might be outdated. It would be interesting to update the documentation and add tests case to make sure the limitations are prevented from the agent side instead of failing silently or creating an error on the BPF side.

I see two ways of doing that:

• experimentally, trying to break TracingPolicy and then someone can help to link to the BPF limitation.
• reading the BPF code to retrieve the limits.

Limitations include for example:

• max numbers of selectors
• max PID values for matchPIDs
• max number of matchArgs per selector
• max values for matchBinaries
• etc.

Tasks

Preview Give feedback

1. Perform better user space TracingPolicy limitation validation
2. Faster: annotate the doc to mention it is outdated
3. Better: update the documentation

[kevsecurity]

filter_file_buf() in basic.h limits the number of file matches to MAX_MATCH_FILE_VALUES. This is 8 on kernels >=5.2 and 2 on kernels <5.2.

[kevsecurity]

Postfix file match limited to 50 chars on kernels >=5.2 and 40 on kernels <5.2.

[kevsecurity]

File match equal and prefix limited to 128 chars on kernels >=5.2 and 32 on kernels <5.2.

[kevsecurity]

#1408 will alleviate some of these limitations. e.g. number of matches becomes unbounded; equal and prefix lengths become 128 on all kernels; and postfix length becomes 128 characters on kernels >=5.2 and 96 on kernels <5.2.

[jrfastab]

This is old. File specific issues are refile with up to date info now.

[mtardy]

well, it was the point of this issue because documentation is currently outdated.

[kkourt]

well, it was the point of this issue because documentation is currently outdated.

Let's re-open it then?
Maybe let's start with points where our current docs are outdated

Faster: annotate the doc to mention it is outdated

Doing that would be a great first step!