-
Notifications
You must be signed in to change notification settings - Fork 409
/
Copy pathbinary_regex.go
99 lines (87 loc) · 2.42 KB
/
binary_regex.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
package filters
import (
"context"
"fmt"
"regexp"
v1 "github.com/cilium/cilium/pkg/hubble/api/v1"
hubbleFilters "github.com/cilium/cilium/pkg/hubble/filters"
"github.com/cilium/tetragon/api/v1/tetragon"
)
const (
processBinary = iota
parentBinary
ancestorBinary
)
func filterByBinaryRegex(binaryPatterns []string, level int) (hubbleFilters.FilterFunc, error) {
var binaries []*regexp.Regexp
for _, pattern := range binaryPatterns {
query, err := regexp.Compile(pattern)
if err != nil {
return nil, fmt.Errorf("failed to compile regexp: %w", err)
}
binaries = append(binaries, query)
}
return func(ev *v1.Event) bool {
var processes []*tetragon.Process
switch level {
case processBinary:
processes = append(processes, GetProcess(ev))
case parentBinary:
processes = append(processes, GetParent(ev))
case ancestorBinary:
processes = GetAncestors(ev)
}
if len(processes) == 0 || processes[0] == nil {
return false
}
for _, process := range processes {
for _, binary := range binaries {
if binary.MatchString(process.Binary) {
return true
}
}
}
return false
}, nil
}
type BinaryRegexFilter struct{}
func (f *BinaryRegexFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
var fs []hubbleFilters.FilterFunc
if ff.BinaryRegex != nil {
filters, err := filterByBinaryRegex(ff.BinaryRegex, processBinary)
if err != nil {
return nil, err
}
fs = append(fs, filters)
}
return fs, nil
}
type ParentBinaryRegexFilter struct{}
func (f *ParentBinaryRegexFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
var fs []hubbleFilters.FilterFunc
if ff.ParentBinaryRegex != nil {
filters, err := filterByBinaryRegex(ff.ParentBinaryRegex, parentBinary)
if err != nil {
return nil, err
}
fs = append(fs, filters)
}
return fs, nil
}
type AncestorBinaryRegexFilter struct{}
func (f *AncestorBinaryRegexFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
var fs []hubbleFilters.FilterFunc
if ff.AncestorBinaryRegex != nil {
if err := CheckAncestorsEnabled(ff.EventSet); err != nil {
return nil, err
}
filters, err := filterByBinaryRegex(ff.AncestorBinaryRegex, ancestorBinary)
if err != nil {
return nil, err
}
fs = append(fs, filters)
}
return fs, nil
}