fix(filters): handle syscall arg

Handle syscall arg when set as a syscall name (string). E.g.: sys_enter.args.syscall=bpf
aquasecurity · Feb 22, 2024 · a9a3f53 · a9a3f53
1 parent 5cb5760
commit a9a3f53
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/pkg/filters/args.go b/pkg/filters/args.go
@@ -2,10 +2,12 @@ package filters
 
 import (
 	"fmt"
+	"strconv"
 	"strings"
 
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/events"
+	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/pkg/utils"
 	"github.com/aquasecurity/tracee/types/trace"
 )
@@ -45,6 +47,7 @@ func (filter *ArgFilter) Filter(eventID events.ID, args []trace.Argument) bool {
 	for argName, filter := range filter.filters[eventID] {
 		found := false
 		var argVal interface{}
+
 		for _, arg := range args {
 			if arg.Name == argName {
 				found = true
@@ -55,10 +58,18 @@ func (filter *ArgFilter) Filter(eventID events.ID, args []trace.Argument) bool {
 		if !found {
 			return false
 		}
-		// TODO: use type assertion instead of string conversion
-		if argName != "syscall" {
-			argVal = fmt.Sprint(argVal)
+
+		argVal = fmt.Sprint(argVal)
+		if argName == "syscall" {
+			syscallID, err := strconv.Atoi(argVal.(string))
+			if err != nil {
+				logger.Errorw("failed to convert syscall id to int", "syscall", argVal, "error", err)
+				return false
+			}
+
+			argVal = events.Core.GetDefinitionByID(events.ID(syscallID)).GetName()
 		}
+
 		res := filter.Filter(argVal)
 		if !res {
 			return false