Don't print raw_syscall if event exists

aquasecurity · Aug 3, 2020 · 3137927 · 3137927
1 parent 2d4ba36
commit 3137927
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 7 deletions.
diff --git a/tracee/pipeline.go b/tracee/pipeline.go
@@ -88,6 +88,9 @@ func (t *Tracee) processRawEvent(done <-chan struct{}, in <-chan RawEvent) (<-ch
 		defer close(out)
 		defer close(errc)
 		for rawEvent := range in {
+			if !t.shouldProcessEvent(rawEvent) {
+				continue
+			}
 			err := t.processEvent(&rawEvent.Ctx, rawEvent.RawArgs)
 			if err != nil {
 				errc <- err
@@ -110,7 +113,7 @@ func (t *Tracee) prepareEventForPrint(done <-chan struct{}, in <-chan RawEvent)
 		defer close(out)
 		defer close(errc)
 		for rawEvent := range in {
-			if !t.shouldPrintEvent(rawEvent.Ctx.EventID) {
+			if !t.shouldPrintEvent(rawEvent) {
 				continue
 			}
 			err := t.prepareArgsForPrint(&rawEvent.Ctx, rawEvent.RawArgs)

diff --git a/tracee/tracee.go b/tracee/tracee.go
@@ -388,12 +388,6 @@ func boolToUInt32(b bool) uint32 {
 	return uint32(0)
 }
 
-// shouldPrintEvent decides whether or not the given event id should be printed to the output
-func (t *Tracee) shouldPrintEvent(e int32) bool {
-	// Only print events requested by the user
-	return t.eventsToTrace[e]
-}
-
 func copyFileByPath(src, dst string) error {
 	sourceFileStat, err := os.Stat(src)
 	if err != nil {
@@ -424,6 +418,11 @@ func (t *Tracee) handleError(err error) {
 	t.printer.Error(err)
 }
 
+// shouldProcessEvent decides whether or not to drop an event before further processing it
+func (t *Tracee) shouldProcessEvent(e RawEvent) bool {
+	return true
+}
+
 func (t *Tracee) processEvent(ctx *context, args map[argTag]interface{}) error {
 	switch ctx.EventID {
 	case SecurityBprmCheckEventID:
@@ -465,6 +464,33 @@ func (t *Tracee) processEvent(ctx *context, args map[argTag]interface{}) error {
 	return nil
 }
 
+// shouldPrintEvent decides whether or not the given event id should be printed to the output
+func (t *Tracee) shouldPrintEvent(e RawEvent) bool {
+	// Only print events requested by the user
+	if !t.eventsToTrace[e.Ctx.EventID] {
+		return false
+	}
+	switch e.Ctx.EventID {
+	case RawSyscallsEventID:
+		if id, isInt32 := e.RawArgs[TagSyscall].(int32); isInt32 {
+			event, isKnown := EventsIDToEvent[id]
+			if !isKnown {
+				t.handleError(fmt.Errorf("raw_syscalls: unknown syscall id: %d", id))
+				return false
+			}
+			if event.Probes[0].attach != sysCall {
+				t.handleError(fmt.Errorf("raw_syscalls: unknown syscall id: %d", id))
+				return false
+			}
+			if event.Name != "reserved" {
+				// We already monitor this system call by another event
+				return false
+			}
+		}
+	}
+	return true
+}
+
 func (t *Tracee) prepareArgsForPrint(ctx *context, args map[argTag]interface{}) error {
 	switch ctx.EventID {
 	case RawSyscallsEventID, CapCapableEventID: