
Commit dc946f7

filters: separate into new package (#1992)
1 parent 8ee9e0a commit dc946f7


14 files changed

+1026
-960
lines changed


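--- a/cmd/tracee-ebpf/internal/flags/flags-filter.go
+++ b/cmd/tracee-ebpf/internal/flags/flags-filter.go
@@ -6,6 +6,7 @@ import (
 
 tracee "github.com/aquasecurity/tracee/pkg/ebpf"
 "github.com/aquasecurity/tracee/pkg/events"
+"github.com/aquasecurity/tracee/pkg/filters"
 )
 
 // MaxBpfStrFilterSize value should match MAX_STR_FILTER_SIZE defined in BPF code
@@ -81,58 +82,58 @@ To 'escape' those operators, please use single quotes, e.g.: 'uid>0'
 `
 }
 
-func PrepareFilter(filters []string) (tracee.Filter, error) {
+func PrepareFilter(filtersArr []string) (tracee.Filter, error) {
 filter := tracee.Filter{
-UIDFilter: &tracee.UintFilter{
+UIDFilter: &filters.UIntFilter{
 Equal: []uint64{},
 NotEqual: []uint64{},
-Less: tracee.LessNotSetUint,
-Greater: tracee.GreaterNotSetUint,
+Less: filters.LessNotSetUint,
+Greater: filters.GreaterNotSetUint,
 Is32Bit: true,
 },
-PIDFilter: &tracee.UintFilter{
+PIDFilter: &filters.UIntFilter{
 Equal: []uint64{},
 NotEqual: []uint64{},
-Less: tracee.LessNotSetUint,
-Greater: tracee.GreaterNotSetUint,
+Less: filters.LessNotSetUint,
+Greater: filters.GreaterNotSetUint,
 Is32Bit: true,
 },
-NewPidFilter: &tracee.BoolFilter{},
-MntNSFilter: &tracee.UintFilter{
+NewPidFilter: &filters.BoolFilter{},
+MntNSFilter: &filters.UIntFilter{
 Equal: []uint64{},
 NotEqual: []uint64{},
-Less: tracee.LessNotSetUint,
-Greater: tracee.GreaterNotSetUint,
+Less: filters.LessNotSetUint,
+Greater: filters.GreaterNotSetUint,
 },
-PidNSFilter: &tracee.UintFilter{
+PidNSFilter: &filters.UIntFilter{
 Equal: []uint64{},
 NotEqual: []uint64{},
-Less: tracee.LessNotSetUint,
-Greater: tracee.GreaterNotSetUint,
+Less: filters.LessNotSetUint,
+Greater: filters.GreaterNotSetUint,
 },
-UTSFilter: &tracee.StringFilter{
+UTSFilter: &filters.StringFilter{
 Equal: []string{},
 NotEqual: []string{},
 Size: MaxBpfStrFilterSize,
 },
-CommFilter: &tracee.StringFilter{
+CommFilter: &filters.StringFilter{
 Equal: []string{},
 NotEqual: []string{},
 Size: MaxBpfStrFilterSize,
 },
-ContFilter: &tracee.BoolFilter{},
-NewContFilter: &tracee.BoolFilter{},
-ContIDFilter: &tracee.ContIDFilter{
+ContFilter: &filters.BoolFilter{},
+NewContFilter: &filters.BoolFilter{},
+ContIDFilter: &filters.ContIDFilter{
 Equal: []string{},
 NotEqual: []string{},
 },
-RetFilter: &tracee.RetFilter{
-Filters: make(map[events.ID]tracee.IntFilter),
+RetFilter: &filters.RetFilter{
+Filters: make(map[events.ID]filters.IntFilter),
 },
-ArgFilter: &tracee.ArgFilter{
-Filters: make(map[events.ID]map[string]tracee.ArgFilterVal),
+ArgFilter: &filters.ArgFilter{
+Filters: make(map[events.ID]map[string]filters.ArgFilterVal),
 },
-ProcessTreeFilter: &tracee.ProcessTreeFilter{
+ProcessTreeFilter: &filters.ProcessTreeFilter{
 PIDs: make(map[uint32]bool),
 },
 EventsToTrace: []events.ID{},
@@ -141,8 +142,8 @@ func PrepareFilter(filters []string) (tracee.Filter, error) {
 },
 }
 
-eventFilter := &tracee.StringFilter{Equal: []string{}, NotEqual: []string{}}
-setFilter := &tracee.StringFilter{Equal: []string{}, NotEqual: []string{}}
+eventFilter := &filters.StringFilter{Equal: []string{}, NotEqual: []string{}}
+setFilter := &filters.StringFilter{Equal: []string{}, NotEqual: []string{}}
 
 eventsNameToID := events.Definitions.NamesToIDs()
 // remove internal events since they shouldn't be accesible by users
@@ -152,7 +153,7 @@ func PrepareFilter(filters []string) (tracee.Filter, error) {
 }
 }
 
-for _, f := range filters {
+for _, f := range filtersArr {
 filterName := f
 operatorAndValues := ""
 operatorIndex := strings.IndexAny(f, "=!<>")
@@ -314,7 +315,7 @@ func PrepareFilter(filters []string) (tracee.Filter, error) {
 return filter, nil
 }
 
-func prepareEventsToTrace(eventFilter *tracee.StringFilter, setFilter *tracee.StringFilter, eventsNameToID map[string]events.ID) ([]events.ID, error) {
+func prepareEventsToTrace(eventFilter *filters.StringFilter, setFilter *filters.StringFilter, eventsNameToID map[string]events.ID) ([]events.ID, error) {
 eventFilter.Enabled = true
 eventsToTrace := eventFilter.Equal
 excludeEvents := eventFilter.NotEqual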
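Review bot: `PrepareFilter` is exported and still has no doc comment, and the parameter name introduced on new line 85, `filtersArr`, describes the container rather than its content; it appears to exist only so the newly imported `filters` package is not shadowed. These strings look like the user-supplied filter expressions that set the trace scope, so a name like `filterFlags` with a comment such as `// PrepareFilter parses user-supplied filter expressions (e.g. 'uid>0') into a tracee.Filter.` would make the input's origin explicit; the loop on new line 156 would then read `for _, f := range filterFlags {`. Inside this function the local `filter` and the package `filters` now differ by one letter, which is easy to misread when reviewing changes to the filter defaults. Most of the function body lies outside the hunks shown, so the comment's wording should be checked against the full parsing logic.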
