Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(filters): handle syscall arg #3893

Merged
merged 1 commit into from
Apr 1, 2024
Merged

fix(filters): handle syscall arg #3893

merged 1 commit into from
Apr 1, 2024

Conversation

geyslan
Copy link
Member

@geyslan geyslan commented Feb 22, 2024
edited
Loading

Close: #3891

1. Explain what the PR does

8995e8d fix(filters): handle syscall arg

Handle syscall arg either by its name or its number for the events
SysEnter and SysExit.

E.g.:

  - sys_enter.args.syscall=open
  - sys_enter.args.syscall=2

It uses a handler function to be passed to the filter constructor.

This also adds unit tests for Filter().

2. Explain how to test it

sudo ./dist/tracee -e sys_enter.args.syscall=bpf

Trigger some bpf syscall.

3. Other comments

@geyslan geyslan self-assigned this Feb 22, 2024
@geyslan geyslan force-pushed the the-one-with-syscall-arg-filter branch from a9a3f53 to 3115934 Compare February 22, 2024 13:53
josedonizetti
josedonizetti reviewed Feb 22, 2024
View reviewed changes
Copy link
Contributor

@josedonizetti josedonizetti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As this is a specific case, can we add a test? https://github.com/aquasecurity/tracee/blob/main/pkg/filters/args_test.go

@geyslan geyslan force-pushed the the-one-with-syscall-arg-filter branch from 0c1b76b to 3d57ddd Compare February 23, 2024 12:02
NDStrahilevitz
NDStrahilevitz previously requested changes Feb 25, 2024
View reviewed changes
pkg/filters/args.go Show resolved Hide resolved
NDStrahilevitz
NDStrahilevitz reviewed Feb 25, 2024
View reviewed changes
pkg/filters/args.go Outdated Show resolved Hide resolved
AlonZivony
AlonZivony reviewed Feb 29, 2024
View reviewed changes
pkg/filters/args.go Outdated Show resolved Hide resolved
@geyslan geyslan force-pushed the the-one-with-syscall-arg-filter branch 2 times, most recently from 8148632 to 8995e8d Compare March 1, 2024 13:05
@aqua-ci

This comment was marked as spam.

Sign in to view
@geyslan geyslan force-pushed the the-one-with-syscall-arg-filter branch from 8995e8d to 4180c90 Compare March 1, 2024 17:56
@geyslan
fix(filters): handle syscall arg
d8035bf 
Handle syscall arg either by its name or its number for the events
SysEnter and SysExit.

E.g.:

  - sys_enter.args.syscall=open
  - sys_enter.args.syscall=2

It uses a handler function to be passed to the filter constructor.

This also adds unit tests for Filter().
@geyslan geyslan force-pushed the the-one-with-syscall-arg-filter branch from 4180c90 to d8035bf Compare March 1, 2024 17:57
@yanivagman yanivagman self-requested a review March 4, 2024 15:08
@aquasecurity aquasecurity deleted a comment from aqua-ci Mar 5, 2024
@aquasecurity aquasecurity deleted a comment from aqua-ci Mar 5, 2024
yanivagman
yanivagman approved these changes Mar 31, 2024
View reviewed changes
Copy link
Collaborator

@yanivagman yanivagman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@geyslan geyslan merged commit daffd22 into aquasecurity:main Apr 1, 2024
32 checks passed
@geyslan geyslan deleted the the-one-with-syscall-arg-filter branch June 28, 2024 18:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NDStrahilevitz NDStrahilevitz NDStrahilevitz left review comments

@AlonZivony AlonZivony AlonZivony left review comments

@yanivagman yanivagman yanivagman approved these changes

@josedonizetti josedonizetti Awaiting requested review from josedonizetti

Assignees

@geyslan geyslan

Labels
area/filtering area/testing kind/bug milestone/v0.21.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Cannot filter on sys_enter.args.syscall
6 participants
@geyslan @aqua-ci @josedonizetti @yanivagman @NDStrahilevitz @AlonZivony