tetragon

1
// SPDX-License-Identifier: Apache-2.0
2
// Copyright Authors of Cilium
3

4
package filters
5

6
import (
7
	"context"
8
	"encoding/json"
9
	"fmt"
10
	"io"
11
	"strings"
12

13
	v1 "github.com/cilium/cilium/pkg/hubble/api/v1"
14
	hubbleFilters "github.com/cilium/cilium/pkg/hubble/filters"
15
	"github.com/cilium/tetragon/api/v1/tetragon"
16
	"github.com/cilium/tetragon/api/v1/tetragon/codegen/helpers"
17
)
18

19
// ParseFilterList parses a list of process filters in JSON format into protobuf messages.
20
func ParseFilterList(filters string, enablePidSetFilters bool) ([]*tetragon.Filter, error) {
21
	if filters == "" {
22
		return nil, nil
23
	}
24
	dec := json.NewDecoder(strings.NewReader(filters))
25
	var results []*tetragon.Filter
26
	for {
27
		var result tetragon.Filter
28
		if err := dec.Decode(&result); err != nil {
29
			if err == io.EOF {
30
				break
31
			}
32
			return nil, err
33
		}
34
		if len(result.PidSet) != 0 && !enablePidSetFilters {
35
			return nil, fmt.Errorf("pidSet filters use a best-effort approach for tracking PIDs and are intended for testing/development, not for production (pass the --enable-pid-set-filter to ignore)")
36
		}
37
		results = append(results, &result)
38
	}
39
	return results, nil
40
}
41

42
// OnBuildFilter is invoked while building a flow filter
43
type OnBuildFilter interface {
44
	OnBuildFilter(context.Context, *tetragon.Filter) ([]hubbleFilters.FilterFunc, error)
45
}
46

47
// OnBuildFilterFunc implements OnBuildFilter for a single function
48
type OnBuildFilterFunc func(context.Context, *tetragon.Filter) ([]hubbleFilters.FilterFunc, error)
49

50
// OnBuildFilter is invoked while building a flow filter
51
func (f OnBuildFilterFunc) OnBuildFilter(ctx context.Context, tetragonFilter *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
52
	return f(ctx, tetragonFilter)
53
}
54

55
func BuildFilter(ctx context.Context, ff *tetragon.Filter, filterFuncs []OnBuildFilter) (hubbleFilters.FilterFuncs, error) {
56
	var fs []hubbleFilters.FilterFunc
57
	for _, f := range filterFuncs {
58
		fl, err := f.OnBuildFilter(ctx, ff)
59
		if err != nil {
60
			return nil, err
61
		}
62
		if fl != nil {
63
			fs = append(fs, fl...)
64
		}
65
	}
66
	return fs, nil
67
}
68

69
func BuildFilterList(ctx context.Context, ff []*tetragon.Filter, filterFuncs []OnBuildFilter) (hubbleFilters.FilterFuncs, error) {
70
	filterList := make([]hubbleFilters.FilterFunc, 0, len(ff))
71
	for _, flowFilter := range ff {
72
		tf, err := BuildFilter(ctx, flowFilter, filterFuncs)
73
		if err != nil {
74
			return nil, err
75
		}
76
		filterFunc := func(ev *v1.Event) bool {
77
			return tf.MatchAll(ev)
78
		}
79
		filterList = append(filterList, filterFunc)
80
	}
81
	return filterList, nil
82
}
83

84
// Filters is the list of default filters
85
var Filters = []OnBuildFilter{
86
	&BinaryRegexFilter{},
87
	&ParentBinaryRegexFilter{},
88
	&HealthCheckFilter{},
89
	&NamespaceFilter{},
90
	&PidFilter{},
91
	&PidSetFilter{},
92
	&EventTypeFilter{},
93
	&ArgumentsRegexFilter{},
94
	&LabelsFilter{},
95
	&PodRegexFilter{},
96
	&PolicyNamesFilter{},
97
	&CapsFilter{},
98
}
99

100
func GetProcess(event *v1.Event) *tetragon.Process {
101
	if event == nil {
102
		return nil
103
	}
104
	response, ok := event.Event.(*tetragon.GetEventsResponse)
105
	if !ok {
106
		return nil
107
	}
108
	return helpers.ResponseGetProcess(response)
109
}
110

111
func GetParent(event *v1.Event) *tetragon.Process {
112
	if event == nil {
113
		return nil
114
	}
115
	response, ok := event.Event.(*tetragon.GetEventsResponse)
116
	if !ok {
117
		return nil
118
	}
119
	return helpers.ResponseGetParent(response)
120
}
121

122
func GetPolicyName(event *v1.Event) string {
123
	if event == nil {
124
		return ""
125
	}
126
	response, ok := event.Event.(*tetragon.GetEventsResponse)
127
	if !ok {
128
		return ""
129
	}
130
	return helpers.ResponseGetProcessKprobe(response).GetPolicyName()
131
}
132