
fix: cgroup filtering for TC hook and GoTLS uprobe#979

Merged
cfc4n merged 1 commit into master from copilot/research-gotls-ebpf-program
Apr 12, 2026

Conversation

Contributor

Copilot AI commented Apr 8, 2026

Two independent bugs prevented cgroup filtering (--cgroup_path) from working correctly: GoTLS uprobe ignored all filters entirely, and TC's cgroup check used bpf_get_current_cgroup_id() in softirq context — which returns the cgroup of whatever process happens to be scheduled on that CPU, not the packet sender's cgroup.

kern/ecapture.h — split filter_rejects into two layers

  • filter_rejects_base(pid, uid) — PID/UID only; safe to call from any BPF program type
  • filter_rejects(pid, uid) — calls base then adds bpf_get_current_cgroup_id(); valid only in uprobe/kprobe context where execution context == traced process

kern/tc.h — correct cgroup filtering in TC path

  • Add u64 cgroup_id to net_ctx_t
  • Record bpf_get_current_cgroup_id() in trace_sendmsg() kprobe (semantically correct context) alongside PID/UID
  • In capture_packets(), replace filter_rejects(net_ctx->pid, net_ctx->uid) with filter_rejects_base + direct net_ctx->cgroup_id comparison:
if (filter_rejects_base(net_ctx->pid, net_ctx->uid)) return TC_ACT_OK;
if (target_cgroup_id != 0 && net_ctx->cgroup_id != target_cgroup_id) return TC_ACT_OK;

kern/gotls_kern.c — add missing filter guards to GoTLS uprobe

gotls_write, gotls_read, and gotls_mastersecret were the only probe entry points not calling passes_filter(ctx), causing them to capture all processes regardless of --pid/--uid/--cgroup_path. Added the standard guard at the top of each.
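The two-layer filter and the sendmsg-time cgroup capture described in this PR, modelled as plain userspace C so the two failure modes can be seen without loading eBPF. This is an added example, not eCapture's own code: current_task stands in for the kernel's current task, and the cgroup ids 42, 7 and 9 are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
typedef uint32_t u32; typedef uint64_t u64;

/* Filter settings the eBPF side would read from its maps (constructed model). */
static u32 target_pid, target_uid;
static u64 target_cgroup_id;

/* Stand-in for the kernel's "current" task: in a kprobe it is the traced process,
 * in a TC classifier (softirq) it is whatever task the CPU happened to be running. */
struct task { u32 pid, uid; u64 cgroup_id; };
static struct task current_task;
static u64 bpf_get_current_cgroup_id(void) { return current_task.cgroup_id; }
typedef struct { u32 pid, uid; u64 cgroup_id; } net_ctx_t;

/* Layer 1: PID/UID only, safe from any BPF program type. */
static bool filter_rejects_base(u32 pid, u32 uid) {
    if (target_pid && pid != target_pid) return true;
    return target_uid && uid != target_uid;
}
/* Layer 2: adds the cgroup check; valid only where current == traced process. */
static bool filter_rejects(u32 pid, u32 uid) {
    if (filter_rejects_base(pid, uid)) return true;
    return target_cgroup_id && bpf_get_current_cgroup_id() != target_cgroup_id;
}
/* kprobe on tcp/udp sendmsg: runs as the sender, so its cgroup is recorded here. */
static void trace_sendmsg(net_ctx_t *ctx) {
    ctx->pid = current_task.pid; ctx->uid = current_task.uid;
    ctx->cgroup_id = bpf_get_current_cgroup_id();
}
/* Pre-fix TC check: reads "current" from softirq context (the bug). */
static bool tc_drops_old(const net_ctx_t *c) { return filter_rejects(c->pid, c->uid); }
/* Post-fix TC check: base filter plus the cgroup recorded at sendmsg time. */
static bool tc_drops_fixed(const net_ctx_t *c) {
    if (filter_rejects_base(c->pid, c->uid)) return true;
    return target_cgroup_id && c->cgroup_id != target_cgroup_id;
}

/* Scenario: filter on cgroup 42; a sender in sender_cg calls sendmsg, then the
 * packet reaches TC while a task from cpu_cg_at_tc is on the CPU (constructed ids). */
static net_ctx_t scenario(u64 sender_cg, u64 cpu_cg_at_tc) {
    net_ctx_t ctx;
    target_pid = 0; target_uid = 0; target_cgroup_id = 42;
    current_task = (struct task){ .pid = 1000, .uid = 1000, .cgroup_id = sender_cg };
    trace_sendmsg(&ctx);
    current_task = (struct task){ .pid = 77, .uid = 0, .cgroup_id = cpu_cg_at_tc };
    return ctx;
}
static bool old_check_drops(u64 s, u64 t) { net_ctx_t c = scenario(s, t); return tc_drops_old(&c); }
static bool fixed_check_drops(u64 s, u64 t) { net_ctx_t c = scenario(s, t); return tc_drops_fixed(&c); }
```

With the old check, a target-cgroup packet is dropped when a foreign task is on the CPU, and a foreign packet is captured when a target-cgroup task is; the fixed check gets both cases right because it compares the cgroup recorded in the sender's own context.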




github-actions Bot commented Apr 8, 2026

✅ E2E Test Results: PASSED

Test Run: #24137964017

Tests Executed:

  • TLS/OpenSSL Module (curl → github.com)
  • GnuTLS Module (wget/curl → github.com)
  • GoTLS Module (Go client → github.com)
  • ecaptureQ Module (WebSocket event streaming)

✅ All e2e tests passed successfully! The TLS capture functionality is working correctly.


Automated e2e test results for commit ac01c29

@cfc4n cfc4n marked this pull request as ready for review April 8, 2026 15:57
Copilot AI review requested due to automatic review settings April 8, 2026 15:57
dosubot Bot added the labels size:M (This PR changes 30-99 lines, ignoring generated files) and fix (bug fix PR) on Apr 8, 2026
@cfc4n
Member

cfc4n commented Apr 8, 2026

@skylar2826 Try the build from this PR; it resolves #977.


Copilot AI left a comment


Pull request overview

Fixes cgroup-based filtering (--cgroup_path) regressions across TC packet capture and GoTLS uprobes by separating “safe in any context” PID/UID filtering from “process-context-only” cgroup filtering, and ensuring GoTLS probes apply the standard filter guard.

Changes:

  • Split filter logic into filter_rejects_base(pid, uid) and filter_rejects(pid, uid) (adds cgroup check via bpf_get_current_cgroup_id() only where context is reliable).
  • Correct TC cgroup filtering by recording cgroup_id in the tcp_sendmsg/udp_sendmsg kprobe context and comparing it in the TC classifier.
  • Add missing passes_filter(ctx) guards to GoTLS probe entrypoints (gotls_write, gotls_read, gotls_mastersecret).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File: kern/ecapture.h. Introduces filter_rejects_base and redefines filter_rejects to keep cgroup checks out of TC-safe paths.
File: kern/tc.h. Stores per-flow cgroup_id at sendmsg time and uses it for TC filtering instead of bpf_get_current_cgroup_id() in softirq/TC context.
File: kern/gotls_kern.c. Ensures GoTLS probes respect PID/UID/cgroup filters by adding passes_filter(ctx) guards.


Comment thread kern/tc.h

@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.


@cfc4n cfc4n merged commit 41751bc into master Apr 12, 2026
16 checks passed
@cfc4n cfc4n deleted the copilot/research-gotls-ebpf-program branch April 12, 2026 02:05