[CWS] remove hash burst config, since we always have burst = 1 #31633

Merged
merged 1 commit into from
Dec 2, 2024
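--- a/pkg/config/setup/system_probe_cws.go
+++ b/pkg/config/setup/system_probe_cws.go
@@ -114,7 +114,6 @@ func initCWSSystemProbeConfig(cfg pkgconfigmodel.Config) {
 cfg.BindEnvAndSetDefault("runtime_security_config.hash_resolver.event_types", []string{"exec", "open"})
 cfg.BindEnvAndSetDefault("runtime_security_config.hash_resolver.max_file_size", (1<<20)*10) // 10 MB
 cfg.BindEnvAndSetDefault("runtime_security_config.hash_resolver.max_hash_rate", 500)
-cfg.BindEnvAndSetDefault("runtime_security_config.hash_resolver.max_hash_burst", 1000)
 cfg.BindEnvAndSetDefault("runtime_security_config.hash_resolver.hash_algorithms", []string{"sha1", "sha256", "ssdeep"})
 cfg.BindEnvAndSetDefault("runtime_security_config.hash_resolver.cache_size", 500)
 cfg.BindEnvAndSetDefault("runtime_security_config.hash_resolver.replace", map[string]string{})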
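--- a/pkg/security/config/config.go
+++ b/pkg/security/config/config.go
@@ -215,8 +215,6 @@ type RuntimeSecurityConfig struct {
 HashResolverMaxFileSize int64
 // HashResolverMaxHashRate defines the rate at which the hash resolver may compute hashes
 HashResolverMaxHashRate int
-// HashResolverMaxHashBurst defines the burst of files for which the hash resolver may compute a hash
-HashResolverMaxHashBurst int
 // HashResolverHashAlgorithms defines the hashes that hash resolver needs to compute
 HashResolverHashAlgorithms []model.HashAlgorithm
 // HashResolverEventTypes defines the list of event which files may be hashed
@@ -407,7 +405,6 @@ func NewRuntimeSecurityConfig() (*RuntimeSecurityConfig, error) {
 HashResolverEventTypes: parseEventTypeStringSlice(pkgconfigsetup.SystemProbe().GetStringSlice("runtime_security_config.hash_resolver.event_types")),
 HashResolverMaxFileSize: pkgconfigsetup.SystemProbe().GetInt64("runtime_security_config.hash_resolver.max_file_size"),
 HashResolverHashAlgorithms: parseHashAlgorithmStringSlice(pkgconfigsetup.SystemProbe().GetStringSlice("runtime_security_config.hash_resolver.hash_algorithms")),
-HashResolverMaxHashBurst: pkgconfigsetup.SystemProbe().GetInt("runtime_security_config.hash_resolver.max_hash_burst"),
 HashResolverMaxHashRate: pkgconfigsetup.SystemProbe().GetInt("runtime_security_config.hash_resolver.max_hash_rate"),
 HashResolverCacheSize: pkgconfigsetup.SystemProbe().GetInt("runtime_security_config.hash_resolver.cache_size"),
 HashResolverReplace: pkgconfigsetup.SystemProbe().GetStringMapString("runtime_security_config.hash_resolver.replace"),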
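--- a/pkg/security/resolvers/hash/resolver_linux.go
+++ b/pkg/security/resolvers/hash/resolver_linux.go
@@ -126,6 +126,12 @@ func NewResolver(c *config.RuntimeSecurityConfig, statsdClient statsd.ClientInte
 }
 }
 
+burst := 1
+// if the rate limiter is disabled, set the burst to 0
+if c.HashResolverMaxHashRate == 0 {
+burst = 0
+}
+
 r := &Resolver{
 opts: ResolverOpts{
 Enabled: true,
@@ -135,7 +141,7 @@ func NewResolver(c *config.RuntimeSecurityConfig, statsdClient statsd.ClientInte
 },
 cgroupResolver: cgroupResolver,
 statsdClient: statsdClient,
-limiter: rate.NewLimiter(rate.Limit(c.HashResolverMaxHashRate), c.HashResolverMaxHashBurst),
+limiter: rate.NewLimiter(rate.Limit(c.HashResolverMaxHashRate), burst),
 cache: cache,
 hashCount: make(map[model.EventType]map[model.HashAlgorithm]*atomic.Uint64),
 hashMiss: make(map[model.EventType]map[model.HashState]*atomic.Uint64),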
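Review bot: The comment on the new `burst` guard calls a zero `max_hash_rate` a disabled rate limiter, but assuming `rate` is golang.org/x/time/rate, a limiter built with limit 0 and burst 0 admits nothing, so it is hashing that is switched off rather than the limiter. I would reword it to `// a max_hash_rate of 0 turns hashing off: burst 0 keeps the limiter from admitting even one file`. Above `burst := 1` I would add `// burst is fixed at 1: hashes are admitted one at a time at max_hash_rate`, and note there that events arriving faster are presumably counted as misses and carry no hash. That matters to anyone writing detection rules on file hashes, because a missing hash during an exec or open spike is then expected behaviour and not a fault. NewResolver starts and ends outside both hunks of this section.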
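--- a/pkg/security/resolvers/hash/resolver_test.go
+++ b/pkg/security/resolvers/hash/resolver_test.go
@@ -52,7 +52,6 @@ func TestResolver_ComputeHashes(t *testing.T) {
 HashResolverEventTypes: []model.EventType{model.ExecEventType},
 HashResolverHashAlgorithms: []model.HashAlgorithm{model.SHA1, model.SHA256, model.MD5},
 HashResolverMaxHashRate: 1,
-HashResolverMaxHashBurst: 1,
 HashResolverMaxFileSize: 1 << 20,
 },
 args: args{
@@ -89,7 +88,6 @@ func TestResolver_ComputeHashes(t *testing.T) {
 HashResolverEventTypes: []model.EventType{model.FileOpenEventType},
 HashResolverHashAlgorithms: []model.HashAlgorithm{model.SHA1, model.SHA256, model.MD5},
 HashResolverMaxHashRate: 1,
-HashResolverMaxHashBurst: 1,
 HashResolverMaxFileSize: 1 << 20,
 },
 args: args{
@@ -122,7 +120,6 @@ func TestResolver_ComputeHashes(t *testing.T) {
 HashResolverEventTypes: []model.EventType{model.ExecEventType},
 HashResolverHashAlgorithms: []model.HashAlgorithm{model.SHA1, model.SHA256, model.MD5},
 HashResolverMaxHashRate: 1,
-HashResolverMaxHashBurst: 1,
 HashResolverMaxFileSize: 1 << 10,
 },
 args: args{
@@ -159,7 +156,6 @@ func TestResolver_ComputeHashes(t *testing.T) {
 HashResolverEventTypes: []model.EventType{model.ExecEventType},
 HashResolverHashAlgorithms: []model.HashAlgorithm{model.SHA1, model.SHA256, model.MD5},
 HashResolverMaxHashRate: 1,
-HashResolverMaxHashBurst: 1,
 HashResolverMaxFileSize: 1 << 10,
 },
 args: args{
@@ -192,7 +188,6 @@ func TestResolver_ComputeHashes(t *testing.T) {
 HashResolverEventTypes: []model.EventType{model.ExecEventType},
 HashResolverHashAlgorithms: []model.HashAlgorithm{model.SHA1, model.SHA256, model.MD5},
 HashResolverMaxHashRate: 0,
-HashResolverMaxHashBurst: 0,
 HashResolverMaxFileSize: 1 << 10,
 },
 args: args{
@@ -307,7 +302,6 @@ func BenchmarkHashFunctions(b *testing.B) {
 HashResolverEventTypes: []model.EventType{model.ExecEventType},
 HashResolverHashAlgorithms: []model.HashAlgorithm{model.SHA1},
 HashResolverMaxHashRate: math.MaxInt,
-HashResolverMaxHashBurst: math.MaxInt,
 HashResolverMaxFileSize: math.MaxInt64,
 },
 fileSizes: []fileCase{
@@ -364,7 +358,6 @@ func BenchmarkHashFunctions(b *testing.B) {
 HashResolverEventTypes: []model.EventType{model.ExecEventType},
 HashResolverHashAlgorithms: []model.HashAlgorithm{model.SHA256},
 HashResolverMaxHashRate: math.MaxInt,
-HashResolverMaxHashBurst: math.MaxInt,
 HashResolverMaxFileSize: math.MaxInt64,
 },
 fileSizes: []fileCase{
@@ -421,7 +414,6 @@ func BenchmarkHashFunctions(b *testing.B) {
 HashResolverEventTypes: []model.EventType{model.ExecEventType},
 HashResolverHashAlgorithms: []model.HashAlgorithm{model.MD5},
 HashResolverMaxHashRate: math.MaxInt,
-HashResolverMaxHashBurst: math.MaxInt,
 HashResolverMaxFileSize: math.MaxInt64,
 },
 fileSizes: []fileCase{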