feat: Add support for wildcard event suffixes

aquasecurity · Mar 21, 2021 · 7bac7f5 · 7bac7f5
1 parent 9753401
commit 7bac7f5
Show file tree

Hide file tree

Showing 2 changed files with 180 additions and 8 deletions.
diff --git a/tracee-ebpf/main.go b/tracee-ebpf/main.go
@@ -327,6 +327,8 @@ Examples:
   --trace 'pid>0' --trace 'pid<1000'                           | only trace events from pids between 0 and 1000
   --trace 'u>0' --trace u!=1000                                | only trace events from uids greater than 0 but not 1000
   --trace event=execve,open                                    | only trace execve and open events
+  --trace event=open*                                          | only trace events prefixed by "open"
+  --trace event!=open*,dup*                                    | don't trace events prefixed by "open" or "dup"
   --trace set=fs                                               | trace all file-system related events
   --trace s=fs --trace e!=open,openat                          | trace all file-system related events, but not open(at)
   --trace uts!=ab356bc4dd554                                   | don't trace events from uts name ab356bc4dd554
@@ -798,23 +800,55 @@ func prepareEventsToTrace(eventFilter *tracee.StringFilter, setFilter *tracee.St
 		}
 	}
 	for _, name := range excludeEvents {
-		id, ok := eventsNameToID[name]
-		if !ok {
-			return nil, fmt.Errorf("invalid event to exclude: %s", name)
+		// Handle event prefixes with wildcards
+		if strings.HasSuffix(name, "*") {
+			found := false
+			prefix := name[:len(name)-1]
+			for event, id := range eventsNameToID {
+				if strings.HasPrefix(event, prefix) {
+					isExcluded[id] = true
+					found = true
+				}
+			}
+			if !found {
+				return nil, fmt.Errorf("invalid event to exclude: %s", name)
+			}
+		} else {
+			id, ok := eventsNameToID[name]
+			if !ok {
+				return nil, fmt.Errorf("invalid event to exclude: %s", name)
+			}
+			isExcluded[id] = true
 		}
-		isExcluded[id] = true
 	}
 	if len(eventsToTrace) == 0 && len(setsToTrace) == 0 {
 		setsToTrace = append(setsToTrace, "default")
 	}
 
 	res = make([]int32, 0, len(tracee.EventsIDToEvent))
 	for _, name := range eventsToTrace {
-		id, ok := eventsNameToID[name]
-		if !ok {
-			return nil, fmt.Errorf("invalid event to trace: %s", name)
+		// Handle event prefixes with wildcards
+		if strings.HasSuffix(name, "*") {
+			var ids []int32
+			found := false
+			prefix := name[:len(name)-1]
+			for event, id := range eventsNameToID {
+				if strings.HasPrefix(event, prefix) {
+					ids = append(ids, id)
+					found = true
+				}
+			}
+			if !found {
+				return nil, fmt.Errorf("invalid event to trace: %s", name)
+			}
+			res = append(res, ids...)
+		} else {
+			id, ok := eventsNameToID[name]
+			if !ok {
+				return nil, fmt.Errorf("invalid event to trace: %s", name)
+			}
+			res = append(res, id)
 		}
-		res = append(res, id)
 	}
 	for _, set := range setsToTrace {
 		setEvents, ok := setsToEvents[set]

diff --git a/tracee-ebpf/main_test.go b/tracee-ebpf/main_test.go
@@ -191,6 +191,30 @@ func TestPrepareFilter(t *testing.T) {
 			expectedFilter: tracee.Filter{},
 			expectedError:  errors.New("invalid retval filter format open.retvall"),
 		},
+		{
+			testName:       "invalid wildcard",
+			filters:        []string{"event=blah*"},
+			expectedFilter: tracee.Filter{},
+			expectedError:  errors.New("invalid event to trace: blah*"),
+		},
+		{
+			testName:       "invalid wildcard 2",
+			filters:        []string{"event=bl*ah"},
+			expectedFilter: tracee.Filter{},
+			expectedError:  errors.New("invalid event to trace: bl*ah"),
+		},
+		{
+			testName:       "invalid not wildcard",
+			filters:        []string{"event!=bl*ah"},
+			expectedFilter: tracee.Filter{},
+			expectedError:  errors.New("invalid event to exclude: bl*ah"),
+		},
+		{
+			testName:       "invalid not wildcard 2",
+			filters:        []string{"event!=bl*ah"},
+			expectedFilter: tracee.Filter{},
+			expectedError:  errors.New("invalid event to exclude: bl*ah"),
+		},
 		{
 			testName: "uid=0",
 			filters:  []string{"uid=0"},
@@ -828,6 +852,120 @@ func TestPrepareFilter(t *testing.T) {
 			},
 			expectedError: nil,
 		},
+		{
+			testName: "wildcard filter",
+			filters:  []string{"event=open*"},
+			expectedFilter: tracee.Filter{
+				EventsToTrace: []int32{2, 257},
+				UIDFilter: &tracee.UintFilter{
+					Equal:    []uint64{},
+					NotEqual: []uint64{},
+					Less:     tracee.LessNotSetUint,
+					Greater:  tracee.GreaterNotSetUint,
+					Is32Bit:  true,
+					Enabled:  false,
+				},
+				PIDFilter: &tracee.UintFilter{
+					Equal:    []uint64{},
+					NotEqual: []uint64{},
+					Less:     tracee.LessNotSetUint,
+					Greater:  tracee.GreaterNotSetUint,
+					Is32Bit:  true,
+					Enabled:  false,
+				},
+				NewPidFilter: &tracee.BoolFilter{},
+				MntNSFilter: &tracee.UintFilter{
+					Equal:    []uint64{},
+					NotEqual: []uint64{},
+					Less:     tracee.LessNotSetUint,
+					Greater:  tracee.GreaterNotSetUint,
+					Enabled:  false,
+				},
+				PidNSFilter: &tracee.UintFilter{
+					Equal:    []uint64{},
+					NotEqual: []uint64{},
+					Less:     tracee.LessNotSetUint,
+					Greater:  tracee.GreaterNotSetUint,
+					Enabled:  false,
+				},
+				CommFilter: &tracee.StringFilter{
+					Equal:    []string{},
+					NotEqual: []string{},
+					Enabled:  false,
+				},
+				UTSFilter: &tracee.StringFilter{
+					Equal:    []string{},
+					NotEqual: []string{},
+					Enabled:  false,
+				},
+				ContFilter:    &tracee.BoolFilter{},
+				NewContFilter: &tracee.BoolFilter{},
+				ArgFilter: &tracee.ArgFilter{
+					Filters: map[int32]map[string]tracee.ArgFilterVal{},
+				},
+				RetFilter: &tracee.RetFilter{
+					Filters: map[int32]tracee.IntFilter{},
+				},
+			},
+			expectedError: nil,
+		},
+		{
+			testName: "wildcard not filter",
+			filters:  []string{"event!=*"},
+			expectedFilter: tracee.Filter{
+				EventsToTrace: []int32{},
+				UIDFilter: &tracee.UintFilter{
+					Equal:    []uint64{},
+					NotEqual: []uint64{},
+					Less:     tracee.LessNotSetUint,
+					Greater:  tracee.GreaterNotSetUint,
+					Is32Bit:  true,
+					Enabled:  false,
+				},
+				PIDFilter: &tracee.UintFilter{
+					Equal:    []uint64{},
+					NotEqual: []uint64{},
+					Less:     tracee.LessNotSetUint,
+					Greater:  tracee.GreaterNotSetUint,
+					Is32Bit:  true,
+					Enabled:  false,
+				},
+				NewPidFilter: &tracee.BoolFilter{},
+				MntNSFilter: &tracee.UintFilter{
+					Equal:    []uint64{},
+					NotEqual: []uint64{},
+					Less:     tracee.LessNotSetUint,
+					Greater:  tracee.GreaterNotSetUint,
+					Enabled:  false,
+				},
+				PidNSFilter: &tracee.UintFilter{
+					Equal:    []uint64{},
+					NotEqual: []uint64{},
+					Less:     tracee.LessNotSetUint,
+					Greater:  tracee.GreaterNotSetUint,
+					Enabled:  false,
+				},
+				CommFilter: &tracee.StringFilter{
+					Equal:    []string{},
+					NotEqual: []string{},
+					Enabled:  false,
+				},
+				UTSFilter: &tracee.StringFilter{
+					Equal:    []string{},
+					NotEqual: []string{},
+					Enabled:  false,
+				},
+				ContFilter:    &tracee.BoolFilter{},
+				NewContFilter: &tracee.BoolFilter{},
+				ArgFilter: &tracee.ArgFilter{
+					Filters: map[int32]map[string]tracee.ArgFilterVal{},
+				},
+				RetFilter: &tracee.RetFilter{
+					Filters: map[int32]tracee.IntFilter{},
+				},
+			},
+			expectedError: nil,
+		},
 		{
 			testName: "multiple filters",
 			filters:  []string{"uid<1", "mntns=5", "pidns!=3", "pid!=10", "comm=ps", "uts!=abc"},