filters: add filter constructors

NDStrahilevitz · NDStrahilevitz · commit 98666e1e7cde · 2022-10-11T18:26:25.000+03:00
diff --git a/cmd/tracee-ebpf/flags/filter.go b/cmd/tracee-ebpf/flags/filter.go
@@ -9,9 +9,6 @@ import (
 	"github.com/aquasecurity/tracee/pkg/filters"
 )
 
-// MaxBpfStrFilterSize value should match MAX_STR_FILTER_SIZE defined in BPF code
-const MaxBpfStrFilterSize = 16
-
 func FilterHelp() string {
 	return `Select which events to trace by defining trace expressions that operate on events or process metadata.
 Only events that match all trace expressions will be traced (trace flags are ANDed).
@@ -85,66 +82,27 @@ To 'escape' those operators, please use single quotes, e.g.: 'uid>0'
 
 func PrepareFilter(filtersArr []string) (tracee.Filter, error) {
 	filter := tracee.Filter{
-		UIDFilter: &filters.UIntFilter{
-			Equal:    []uint64{},
-			NotEqual: []uint64{},
-			Less:     filters.LessNotSetUint,
-			Greater:  filters.GreaterNotSetUint,
-			Is32Bit:  true,
-		},
-		PIDFilter: &filters.UIntFilter{
-			Equal:    []uint64{},
-			NotEqual: []uint64{},
-			Less:     filters.LessNotSetUint,
-			Greater:  filters.GreaterNotSetUint,
-			Is32Bit:  true,
-		},
-		NewPidFilter: &filters.BoolFilter{},
-		MntNSFilter: &filters.UIntFilter{
-			Equal:    []uint64{},
-			NotEqual: []uint64{},
-			Less:     filters.LessNotSetUint,
-			Greater:  filters.GreaterNotSetUint,
-		},
-		PidNSFilter: &filters.UIntFilter{
-			Equal:    []uint64{},
-			NotEqual: []uint64{},
-			Less:     filters.LessNotSetUint,
-			Greater:  filters.GreaterNotSetUint,
-		},
-		UTSFilter: &filters.StringFilter{
-			Equal:    []string{},
-			NotEqual: []string{},
-			Size:     MaxBpfStrFilterSize,
-		},
-		CommFilter: &filters.StringFilter{
-			Equal:    []string{},
-			NotEqual: []string{},
-			Size:     MaxBpfStrFilterSize,
-		},
-		ContFilter:    &filters.BoolFilter{},
-		NewContFilter: &filters.BoolFilter{},
-		ContIDFilter: &filters.ContIDFilter{
-			Equal:    []string{},
-			NotEqual: []string{},
-		},
-		RetFilter: &filters.RetFilter{
-			Filters: make(map[events.ID]filters.IntFilter),
-		},
-		ArgFilter: &filters.ArgFilter{
-			Filters: make(map[events.ID]map[string]filters.StringFilter),
-		},
-		ProcessTreeFilter: &filters.ProcessTreeFilter{
-			PIDs: make(map[uint32]bool),
-		},
-		EventsToTrace: []events.ID{},
+		UIDFilter:         filters.NewUInt32Filter(),
+		PIDFilter:         filters.NewUInt32Filter(),
+		NewPidFilter:      filters.NewBoolFilter(),
+		MntNSFilter:       filters.NewUIntFilter(),
+		PidNSFilter:       filters.NewUIntFilter(),
+		UTSFilter:         filters.NewStringFilter(),
+		CommFilter:        filters.NewStringFilter(),
+		ContFilter:        filters.NewBoolFilter(),
+		NewContFilter:     filters.NewBoolFilter(),
+		ContIDFilter:      filters.NewContainerFilter("cgroup_id_filter"),
+		RetFilter:         filters.NewRetFilter(),
+		ArgFilter:         filters.NewArgFilter(),
+		ProcessTreeFilter: filters.NewProcessTreeFilter(),
+		EventsToTrace:     []events.ID{},
 		NetFilter: &tracee.NetIfaces{
 			Ifaces: []string{},
 		},
 	}
 
-	eventFilter := &filters.StringFilter{Equal: []string{}, NotEqual: []string{}}
-	setFilter := &filters.StringFilter{Equal: []string{}, NotEqual: []string{}}
+	eventFilter := filters.NewStringFilter()
+	setFilter := filters.NewStringFilter()
 
 	eventsNameToID := events.Definitions.NamesToIDs()
 	// remove internal events since they shouldn't be accesible by users
diff --git a/pkg/ebpf/filters.go b/pkg/ebpf/filters.go
@@ -20,7 +20,7 @@ type Filter struct {
 	CommFilter        *filters.StringFilter
 	ContFilter        *filters.BoolFilter
 	NewContFilter     *filters.BoolFilter
-	ContIDFilter      *filters.ContIDFilter
+	ContIDFilter      *filters.ContainerFilter
 	RetFilter         *filters.RetFilter
 	ArgFilter         *filters.ArgFilter
 	ProcessTreeFilter *filters.ProcessTreeFilter
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -825,7 +825,7 @@ func (t *Tracee) populateBPFMaps() error {
 	errmap["pid_ns_filter"] = t.config.Filter.PidNSFilter.InitBPF(t.bpfModule, "pid_ns_filter")
 	errmap["uts_ns_filter"] = t.config.Filter.UTSFilter.InitBPF(t.bpfModule, "uts_ns_filter")
 	errmap["comm_filter"] = t.config.Filter.CommFilter.InitBPF(t.bpfModule, "comm_filter")
-	errmap["cont_id_filter"] = t.config.Filter.ContIDFilter.InitBPF(t.bpfModule, t.containers, "cgroup_id_filter")
+	errmap["cont_id_filter"] = t.config.Filter.ContIDFilter.InitBPF(t.bpfModule, t.containers)
 
 	for k, v := range errmap {
 		if v != nil {
diff --git a/pkg/filters/args.go b/pkg/filters/args.go
@@ -8,10 +8,17 @@ import (
 )
 
 type ArgFilter struct {
-	Filters map[events.ID]map[string]StringFilter // key to the first map is event id, and to the second map the argument name
+	Filters map[events.ID]map[string]*StringFilter // key to the first map is event id, and to the second map the argument name
 	Enabled bool
 }
 
+func NewArgFilter() *ArgFilter {
+	return &ArgFilter{
+		Filters: map[events.ID]map[string]*StringFilter{},
+		Enabled: false,
+	}
+}
+
 func (filter *ArgFilter) Parse(filterName string, operatorAndValues string, eventsNameToID map[string]events.ID) error {
 	filter.Enabled = true
 	// Event argument filter has the following format: "event.argname=argval"
@@ -59,11 +66,11 @@ func (filter *ArgFilter) Parse(filterName string, operatorAndValues string, even
 	}
 
 	if _, ok := filter.Filters[id]; !ok {
-		filter.Filters[id] = make(map[string]StringFilter)
+		filter.Filters[id] = map[string]*StringFilter{}
 	}
 
 	if _, ok := filter.Filters[id][argName]; !ok {
-		filter.Filters[id][argName] = StringFilter{}
+		filter.Filters[id][argName] = &StringFilter{}
 	}
 
 	val := filter.Filters[id][argName]
diff --git a/pkg/filters/bool.go b/pkg/filters/bool.go
@@ -5,6 +5,10 @@ type BoolFilter struct {
 	Enabled bool
 }
 
+func NewBoolFilter() *BoolFilter {
+	return &BoolFilter{}
+}
+
 func (filter *BoolFilter) Parse(value string) error {
 	filter.Enabled = true
 	filter.Value = false
diff --git a/pkg/filters/containers.go b/pkg/filters/containers.go
@@ -8,13 +8,23 @@ import (
 	"github.com/aquasecurity/tracee/pkg/containers"
 )
 
-type ContIDFilter struct {
-	Equal    []string
-	NotEqual []string
-	Enabled  bool
+type ContainerFilter struct {
+	Equal      []string
+	NotEqual   []string
+	Enabled    bool
+	bpfMapName string
 }
 
-func (filter *ContIDFilter) Parse(operatorAndValues string) error {
+func NewContainerFilter(mapName string) *ContainerFilter {
+	return &ContainerFilter{
+		Equal:      []string{},
+		NotEqual:   []string{},
+		Enabled:    false,
+		bpfMapName: mapName,
+	}
+}
+
+func (filter *ContainerFilter) Parse(operatorAndValues string) error {
 	filter.Enabled = true
 
 	strFilter := &StringFilter{
@@ -34,15 +44,15 @@ func (filter *ContIDFilter) Parse(operatorAndValues string) error {
 	return nil
 }
 
-func (filter *ContIDFilter) InitBPF(bpfModule *bpf.Module, conts *containers.Containers, filterMapName string) error {
+func (filter *ContainerFilter) InitBPF(bpfModule *bpf.Module, conts *containers.Containers) error {
 	if !filter.Enabled {
 		return nil
 	}
 
 	filterEqualU32 := uint32(filterEqual) // const need local var for bpfMap.Update()
 	filterNotEqualU32 := uint32(filterNotEqual)
 
-	filterMap, err := bpfModule.GetMap(filterMapName)
+	filterMap, err := bpfModule.GetMap(filter.bpfMapName)
 	if err != nil {
 		return err
 	}
@@ -75,7 +85,7 @@ func (filter *ContIDFilter) InitBPF(bpfModule *bpf.Module, conts *containers.Con
 	return nil
 }
 
-func (filter *ContIDFilter) FilterOut() bool {
+func (filter *ContainerFilter) FilterOut() bool {
 	if len(filter.Equal) > 0 && len(filter.NotEqual) == 0 {
 		return false
 	} else {
diff --git a/pkg/filters/int.go b/pkg/filters/int.go
@@ -16,6 +16,25 @@ type IntFilter struct {
 	Enabled  bool
 }
 
+func NewIntFilter() *IntFilter {
+	return newIntFilter(false)
+}
+
+func NewInt32Filter() *IntFilter {
+	return newIntFilter(true)
+}
+
+func newIntFilter(is32Bit bool) *IntFilter {
+	return &IntFilter{
+		Equal:    []int64{},
+		NotEqual: []int64{},
+		Greater:  GreaterNotSetInt,
+		Less:     LessNotSetInt,
+		Is32Bit:  is32Bit,
+		Enabled:  false,
+	}
+}
+
 func (filter *IntFilter) Parse(operatorAndValues string) error {
 	filter.Enabled = true
 	if len(operatorAndValues) < 2 {
diff --git a/pkg/filters/processtree.go b/pkg/filters/processtree.go
@@ -17,6 +17,13 @@ type ProcessTreeFilter struct {
 	Enabled bool
 }
 
+func NewProcessTreeFilter() *ProcessTreeFilter {
+	return &ProcessTreeFilter{
+		PIDs:    map[uint32]bool{},
+		Enabled: false,
+	}
+}
+
 func (filter *ProcessTreeFilter) Parse(operatorAndValues string) error {
 	filter.Enabled = true
 
diff --git a/pkg/filters/retval.go b/pkg/filters/retval.go
@@ -8,10 +8,17 @@ import (
 )
 
 type RetFilter struct {
-	Filters map[events.ID]IntFilter
+	Filters map[events.ID]*IntFilter
 	Enabled bool
 }
 
+func NewRetFilter() *RetFilter {
+	return &RetFilter{
+		Filters: map[events.ID]*IntFilter{},
+		Enabled: false,
+	}
+}
+
 func (filter *RetFilter) Parse(filterName string, operatorAndValues string, eventsNameToID map[string]events.ID) error {
 	filter.Enabled = true
 	// Ret filter has the following format: "event.ret=val"
@@ -28,7 +35,7 @@ func (filter *RetFilter) Parse(filterName string, operatorAndValues string, even
 	}
 
 	if _, ok := filter.Filters[id]; !ok {
-		filter.Filters[id] = IntFilter{
+		filter.Filters[id] = &IntFilter{
 			Equal:    []int64{},
 			NotEqual: []int64{},
 			Less:     LessNotSetInt,
@@ -39,7 +46,7 @@ func (filter *RetFilter) Parse(filterName string, operatorAndValues string, even
 	intFilter := filter.Filters[id]
 
 	// Treat operatorAndValues as an int filter to avoid code duplication
-	err := (&intFilter).Parse(operatorAndValues)
+	err := intFilter.Parse(operatorAndValues)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/filters/string.go b/pkg/filters/string.go
@@ -11,10 +11,17 @@ import (
 type StringFilter struct {
 	Equal    []string
 	NotEqual []string
-	Size     uint
 	Enabled  bool
 }
 
+func NewStringFilter() *StringFilter {
+	return &StringFilter{
+		Equal:    []string{},
+		NotEqual: []string{},
+		Enabled:  false,
+	}
+}
+
 func (filter *StringFilter) Parse(operatorAndValues string) error {
 	filter.Enabled = true
 	if len(operatorAndValues) < 2 {
@@ -48,6 +55,9 @@ func (filter *StringFilter) Parse(operatorAndValues string) error {
 }
 
 func (filter *StringFilter) InitBPF(bpfModule *bpf.Module, filterMapName string) error {
+	// MaxBpfStrFilterSize value should match MAX_STR_FILTER_SIZE defined in BPF code
+	const maxBpfStrFilterSize = 16
+
 	if !filter.Enabled {
 		return nil
 	}
@@ -62,14 +72,14 @@ func (filter *StringFilter) InitBPF(bpfModule *bpf.Module, filterMapName string)
 		return err
 	}
 	for i := 0; i < len(filter.Equal); i++ {
-		filterEqualBytes := make([]byte, filter.Size)
+		filterEqualBytes := make([]byte, maxBpfStrFilterSize)
 		copy(filterEqualBytes, filter.Equal[i])
 		if err = filterMap.Update(unsafe.Pointer(&filterEqualBytes[0]), unsafe.Pointer(&filterEqualU32)); err != nil {
 			return err
 		}
 	}
 	for i := 0; i < len(filter.NotEqual); i++ {
-		filterNotEqualBytes := make([]byte, filter.Size)
+		filterNotEqualBytes := make([]byte, maxBpfStrFilterSize)
 		copy(filterNotEqualBytes, filter.NotEqual[i])
 		if err = filterMap.Update(unsafe.Pointer(&filterNotEqualBytes[0]), unsafe.Pointer(&filterNotEqualU32)); err != nil {
 			return err
diff --git a/pkg/filters/uint.go b/pkg/filters/uint.go
@@ -19,6 +19,25 @@ type UIntFilter struct {
 	Enabled  bool
 }
 
+func NewUIntFilter() *UIntFilter {
+	return newUIntFilter(false)
+}
+
+func NewUInt32Filter() *UIntFilter {
+	return newUIntFilter(true)
+}
+
+func newUIntFilter(is32Bit bool) *UIntFilter {
+	return &UIntFilter{
+		Equal:    []uint64{},
+		NotEqual: []uint64{},
+		Greater:  GreaterNotSetUint,
+		Less:     LessNotSetUint,
+		Is32Bit:  is32Bit,
+		Enabled:  false,
+	}
+}
+
 func (filter *UIntFilter) Parse(operatorAndValues string) error {
 	filter.Enabled = true
 	if len(operatorAndValues) < 2 {

Original file line number	Diff line number	Diff line change
`@@ -8,10 +8,17 @@ import (`
`8`	`8`	`)`
`9`	`9`
`10`	`10`	`type ArgFilter struct {`
`11`		`- Filters map[events.ID]map[string]StringFilter // key to the first map is event id, and to the second map the argument name`
	`11`	`+ Filters map[events.ID]map[string]*StringFilter // key to the first map is event id, and to the second map the argument name`
`12`	`12`	`Enabled bool`
`13`	`13`	`}`
`14`	`14`
	`15`	`+func NewArgFilter() *ArgFilter {`
	`16`	`+ return &ArgFilter{`
	`17`	`+ Filters: map[events.ID]map[string]*StringFilter{},`
	`18`	`+ Enabled: false,`
	`19`	`+ }`
	`20`	`+}`
	`21`	`+`
`15`	`22`	`func (filter *ArgFilter) Parse(filterName string, operatorAndValues string, eventsNameToID map[string]events.ID) error {`
`16`	`23`	`filter.Enabled = true`
`17`	`24`	`// Event argument filter has the following format: "event.argname=argval"`
`@@ -59,11 +66,11 @@ func (filter *ArgFilter) Parse(filterName string, operatorAndValues string, even`
`59`	`66`	`}`
`60`	`67`
`61`	`68`	`if _, ok := filter.Filters[id]; !ok {`
`62`		`- filter.Filters[id] = make(map[string]StringFilter)`
	`69`	`+ filter.Filters[id] = map[string]*StringFilter{}`
`63`	`70`	`}`
`64`	`71`
`65`	`72`	`if _, ok := filter.Filters[id][argName]; !ok {`
`66`		`- filter.Filters[id][argName] = StringFilter{}`
	`73`	`+ filter.Filters[id][argName] = &StringFilter{}`
`67`	`74`	`}`
`68`	`75`
`69`	`76`	`val := filter.Filters[id][argName]`