filters: split into bpf filters

NDStrahilevitz · NDStrahilevitz · commit 6697e6850deb · 2022-10-11T18:26:25.000+03:00
diff --git a/cmd/tracee-ebpf/flags/filter.go b/cmd/tracee-ebpf/flags/filter.go
@@ -82,19 +82,19 @@ To 'escape' those operators, please use single quotes, e.g.: 'uid>0'
 
 func PrepareFilter(filtersArr []string) (tracee.Filter, error) {
 	filter := tracee.Filter{
-		UIDFilter:         filters.NewUInt32Filter(),
-		PIDFilter:         filters.NewUInt32Filter(),
+		UIDFilter:         filters.NewBPFUInt32Filter(tracee.UIDFilterMap),
+		PIDFilter:         filters.NewBPFUInt32Filter(tracee.PIDFilterMap),
 		NewPidFilter:      filters.NewBoolFilter(),
-		MntNSFilter:       filters.NewUIntFilter(),
-		PidNSFilter:       filters.NewUIntFilter(),
-		UTSFilter:         filters.NewStringFilter(),
-		CommFilter:        filters.NewStringFilter(),
+		MntNSFilter:       filters.NewBPFUIntFilter(tracee.MntNSFilterMap),
+		PidNSFilter:       filters.NewBPFUIntFilter(tracee.PidNSFilterMap),
+		UTSFilter:         filters.NewBPFStringFilter(tracee.UTSFilterMap),
+		CommFilter:        filters.NewBPFStringFilter(tracee.CommFilterMap),
 		ContFilter:        filters.NewBoolFilter(),
 		NewContFilter:     filters.NewBoolFilter(),
-		ContIDFilter:      filters.NewContainerFilter("cgroup_id_filter"),
+		ContIDFilter:      filters.NewContainerFilter(tracee.CgroupIdFilterMap),
 		RetFilter:         filters.NewRetFilter(),
 		ArgFilter:         filters.NewArgFilter(),
-		ProcessTreeFilter: filters.NewProcessTreeFilter(),
+		ProcessTreeFilter: filters.NewProcessTreeFilter(tracee.ProcessTreeFilterMap),
 		EventsToTrace:     []events.ID{},
 		NetFilter: &tracee.NetIfaces{
 			Ifaces: []string{},
diff --git a/pkg/ebpf/filters.go b/pkg/ebpf/filters.go
@@ -9,15 +9,27 @@ import (
 	"github.com/aquasecurity/tracee/pkg/filters"
 )
 
+const (
+	UIDFilterMap         = "uid_filter"
+	PIDFilterMap         = "pid_filter"
+	MntNSFilterMap       = "mnt_ns_filter"
+	PidNSFilterMap       = "pid_ns_filter"
+	UTSFilterMap         = "uts_ns_filter"
+	CommFilterMap        = "comm_filter"
+	ProcessTreeFilterMap = "process_tree_map"
+	CgroupIdFilterMap    = "cgroup_id_filter"
+	ContIdFilter         = "cont_id_filter"
+)
+
 type Filter struct {
 	EventsToTrace     []events.ID
-	UIDFilter         *filters.UIntFilter
-	PIDFilter         *filters.UIntFilter
+	UIDFilter         *filters.BPFUIntFilter
+	PIDFilter         *filters.BPFUIntFilter
 	NewPidFilter      *filters.BoolFilter
-	MntNSFilter       *filters.UIntFilter
-	PidNSFilter       *filters.UIntFilter
-	UTSFilter         *filters.StringFilter
-	CommFilter        *filters.StringFilter
+	MntNSFilter       *filters.BPFUIntFilter
+	PidNSFilter       *filters.BPFUIntFilter
+	UTSFilter         *filters.BPFStringFilter
+	CommFilter        *filters.BPFStringFilter
 	ContFilter        *filters.BoolFilter
 	NewContFilter     *filters.BoolFilter
 	ContIDFilter      *filters.ContainerFilter
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -819,13 +819,13 @@ func (t *Tracee) populateBPFMaps() error {
 	}
 
 	errmap := make(map[string]error, 0)
-	errmap["uid_filter"] = t.config.Filter.UIDFilter.InitBPF(t.bpfModule, "uid_filter")
-	errmap["pid_filter"] = t.config.Filter.PIDFilter.InitBPF(t.bpfModule, "pid_filter")
-	errmap["mnt_ns_filter"] = t.config.Filter.MntNSFilter.InitBPF(t.bpfModule, "mnt_ns_filter")
-	errmap["pid_ns_filter"] = t.config.Filter.PidNSFilter.InitBPF(t.bpfModule, "pid_ns_filter")
-	errmap["uts_ns_filter"] = t.config.Filter.UTSFilter.InitBPF(t.bpfModule, "uts_ns_filter")
-	errmap["comm_filter"] = t.config.Filter.CommFilter.InitBPF(t.bpfModule, "comm_filter")
-	errmap["cont_id_filter"] = t.config.Filter.ContIDFilter.InitBPF(t.bpfModule, t.containers)
+	errmap[UIDFilterMap] = t.config.Filter.UIDFilter.InitBPF(t.bpfModule)
+	errmap[PIDFilterMap] = t.config.Filter.PIDFilter.InitBPF(t.bpfModule)
+	errmap[MntNSFilterMap] = t.config.Filter.MntNSFilter.InitBPF(t.bpfModule)
+	errmap[PidNSFilterMap] = t.config.Filter.PidNSFilter.InitBPF(t.bpfModule)
+	errmap[UTSFilterMap] = t.config.Filter.UTSFilter.InitBPF(t.bpfModule)
+	errmap[CommFilterMap] = t.config.Filter.CommFilter.InitBPF(t.bpfModule)
+	errmap[ContIdFilter] = t.config.Filter.ContIDFilter.InitBPF(t.bpfModule, t.containers)
 
 	for k, v := range errmap {
 		if v != nil {
diff --git a/pkg/filters/containers.go b/pkg/filters/containers.go
@@ -9,41 +9,15 @@ import (
 )
 
 type ContainerFilter struct {
-	Equal      []string
-	NotEqual   []string
-	Enabled    bool
-	bpfMapName string
+	*BPFStringFilter
 }
 
 func NewContainerFilter(mapName string) *ContainerFilter {
 	return &ContainerFilter{
-		Equal:      []string{},
-		NotEqual:   []string{},
-		Enabled:    false,
-		bpfMapName: mapName,
+		BPFStringFilter: NewBPFStringFilter(mapName),
 	}
 }
 
-func (filter *ContainerFilter) Parse(operatorAndValues string) error {
-	filter.Enabled = true
-
-	strFilter := &StringFilter{
-		Equal:    []string{},
-		NotEqual: []string{},
-	}
-
-	// Treat operatorAndValues as a string filter to avoid code duplication
-	err := strFilter.Parse(operatorAndValues)
-	if err != nil {
-		return err
-	}
-
-	filter.Equal = strFilter.Equal
-	filter.NotEqual = strFilter.NotEqual
-
-	return nil
-}
-
 func (filter *ContainerFilter) InitBPF(bpfModule *bpf.Module, conts *containers.Containers) error {
 	if !filter.Enabled {
 		return nil
@@ -52,7 +26,7 @@ func (filter *ContainerFilter) InitBPF(bpfModule *bpf.Module, conts *containers.
 	filterEqualU32 := uint32(filterEqual) // const need local var for bpfMap.Update()
 	filterNotEqualU32 := uint32(filterNotEqual)
 
-	filterMap, err := bpfModule.GetMap(filter.bpfMapName)
+	filterMap, err := bpfModule.GetMap(filter.mapName)
 	if err != nil {
 		return err
 	}
@@ -84,11 +58,3 @@ func (filter *ContainerFilter) InitBPF(bpfModule *bpf.Module, conts *containers.
 
 	return nil
 }
-
-func (filter *ContainerFilter) FilterOut() bool {
-	if len(filter.Equal) > 0 && len(filter.NotEqual) == 0 {
-		return false
-	} else {
-		return true
-	}
-}
diff --git a/pkg/filters/processtree.go b/pkg/filters/processtree.go
@@ -15,12 +15,14 @@ import (
 type ProcessTreeFilter struct {
 	PIDs    map[uint32]bool // PIDs is a map where k=pid and v represents whether it and its descendents should be traced or not
 	Enabled bool
+	mapName string
 }
 
-func NewProcessTreeFilter() *ProcessTreeFilter {
+func NewProcessTreeFilter(mapName string) *ProcessTreeFilter {
 	return &ProcessTreeFilter{
 		PIDs:    map[uint32]bool{},
 		Enabled: false,
+		mapName: mapName,
 	}
 }
 
@@ -66,7 +68,7 @@ func (filter *ProcessTreeFilter) Set(bpfModule *bpf.Module) error {
 		return nil
 	}
 
-	processTreeBPFMap, err := bpfModule.GetMap("process_tree_map")
+	processTreeBPFMap, err := bpfModule.GetMap(filter.mapName)
 	if err != nil {
 		return fmt.Errorf("could not find bpf process_tree_map: %v", err)
 	}
diff --git a/pkg/filters/string.go b/pkg/filters/string.go
@@ -54,7 +54,19 @@ func (filter *StringFilter) Parse(operatorAndValues string) error {
 	return nil
 }
 
-func (filter *StringFilter) InitBPF(bpfModule *bpf.Module, filterMapName string) error {
+type BPFStringFilter struct {
+	StringFilter
+	mapName string
+}
+
+func NewBPFStringFilter(mapName string) *BPFStringFilter {
+	return &BPFStringFilter{
+		StringFilter: *NewStringFilter(),
+		mapName:      mapName,
+	}
+}
+
+func (filter *BPFStringFilter) InitBPF(bpfModule *bpf.Module) error {
 	// MaxBpfStrFilterSize value should match MAX_STR_FILTER_SIZE defined in BPF code
 	const maxBpfStrFilterSize = 16
 
@@ -67,7 +79,7 @@ func (filter *StringFilter) InitBPF(bpfModule *bpf.Module, filterMapName string)
 
 	// 1. uts_ns_filter     string[MAX_STR_FILTER_SIZE], u32    // filter events by uts namespace name
 	// 2. comm_filter       string[MAX_STR_FILTER_SIZE], u32    // filter events by command name
-	filterMap, err := bpfModule.GetMap(filterMapName)
+	filterMap, err := bpfModule.GetMap(filter.mapName)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/filters/uint.go b/pkg/filters/uint.go
@@ -85,7 +85,26 @@ func (filter *UIntFilter) Parse(operatorAndValues string) error {
 	return nil
 }
 
-func (filter *UIntFilter) InitBPF(bpfModule *bpf.Module, filterMapName string) error {
+type BPFUIntFilter struct {
+	UIntFilter
+	mapName string
+}
+
+func NewBPFUIntFilter(mapName string) *BPFUIntFilter {
+	return &BPFUIntFilter{
+		UIntFilter: *NewUIntFilter(),
+		mapName:    mapName,
+	}
+}
+
+func NewBPFUInt32Filter(mapName string) *BPFUIntFilter {
+	return &BPFUIntFilter{
+		UIntFilter: *NewUInt32Filter(),
+		mapName:    mapName,
+	}
+}
+
+func (filter *BPFUIntFilter) InitBPF(bpfModule *bpf.Module) error {
 	if !filter.Enabled {
 		return nil
 	}
@@ -98,7 +117,7 @@ func (filter *UIntFilter) InitBPF(bpfModule *bpf.Module, filterMapName string) e
 	// 2. pid_filter        u32, u32
 	// 3. mnt_ns_filter     u64, u32
 	// 4. pid_ns_filter     u64, u32
-	equalityFilter, err := bpfModule.GetMap(filterMapName)
+	equalityFilter, err := bpfModule.GetMap(filter.mapName)
 	if err != nil {
 		return err
 	}

Original file line number	Diff line number	Diff line change
`@@ -15,12 +15,14 @@ import (`
`15`	`15`	`type ProcessTreeFilter struct {`
`16`	`16`	`PIDs map[uint32]bool // PIDs is a map where k=pid and v represents whether it and its descendents should be traced or not`
`17`	`17`	`Enabled bool`
	`18`	`+ mapName string`
`18`	`19`	`}`
`19`	`20`
`20`		`-func NewProcessTreeFilter() *ProcessTreeFilter {`
	`21`	`+func NewProcessTreeFilter(mapName string) *ProcessTreeFilter {`
`21`	`22`	`return &ProcessTreeFilter{`
`22`	`23`	`PIDs: map[uint32]bool{},`
`23`	`24`	`Enabled: false,`
	`25`	`+ mapName: mapName,`
`24`	`26`	`}`
`25`	`27`	`}`
`26`	`28`
`@@ -66,7 +68,7 @@ func (filter ProcessTreeFilter) Set(bpfModule bpf.Module) error {`
`66`	`68`	`return nil`
`67`	`69`	`}`
`68`	`70`
`69`		`- processTreeBPFMap, err := bpfModule.GetMap("process_tree_map")`
	`71`	`+ processTreeBPFMap, err := bpfModule.GetMap(filter.mapName)`
`70`	`72`	`if err != nil {`
`71`	`73`	`return fmt.Errorf("could not find bpf process_tree_map: %v", err)`
`72`	`74`	`}`