tetragon

1
// SPDX-License-Identifier: Apache-2.0
2
// Copyright Authors of Cilium
3

4
package filters
5

6
import (
7
	"context"
8
	"path"
9

10
	v1 "github.com/cilium/cilium/pkg/hubble/api/v1"
11
	hubbleFilters "github.com/cilium/cilium/pkg/hubble/filters"
12
	"github.com/cilium/tetragon/api/v1/tetragon"
13
	shell "github.com/kballard/go-shellquote"
14
)
15

16
func MaybeExecProbe(binary string, args string, execProbe []string) bool {
17
	// If the exec probe is empty for whatever reason, return false.
18
	if len(execProbe) == 0 {
19
		return false
20
	}
21
	argList, err := shell.Split(args)
22
	if err != nil {
23
		return false
24
	}
25

26
	// Exec will append a script name to argument list if a sh/bash script is executed with a shebang,
27
	// so we need to remove the first argument so that we can compare it to execProbe.
28
	// e.g.
29
	// "binary": "/health/ping_liveness_local.sh",
30
	// "arguments": "/health/ping_liveness_local.sh 5"
31
	// concatenated together will be ["/health/ping_liveness_local.sh", "/health/ping_liveness_local.sh", "5"],
32
	// but execProbe will have only ["/health/ping_liveness_local.sh", "5"].
33
	if execProbe[0] == binary && len(argList) > 0 && argList[0] == binary {
34
		argList = argList[1:]
35
	}
36

37
	processCommand := append([]string{binary}, argList...)
38
	if len(execProbe) != len(processCommand) {
39
		return false
40
	}
41

42
	if path.IsAbs(execProbe[0]) {
43
		// exec probe path is absolute. Compare the full paths.
44
		if processCommand[0] != execProbe[0] {
45
			return false
46
		}
47
	} else {
48
		// exec probe path is relative. Only compare the basenames.
49
		if path.Base(processCommand[0]) != path.Base(execProbe[0]) {
50
			return false
51
		}
52
	}
53
	for i := 1; i < len(execProbe); i++ {
54
		if execProbe[i] != processCommand[i] {
55
			return false
56
		}
57
	}
58
	return true
59
}
60

61
func canBeHealthCheck(process *tetragon.Process) bool {
62
	return process != nil && process.Pod != nil && process.Pod.Container != nil && process.Pod.Container.MaybeExecProbe
63
}
64

65
func filterByHealthCheck(healthCheck bool) hubbleFilters.FilterFunc {
66
	return func(ev *v1.Event) bool {
67
		process := GetProcess(ev)
68
		parent := GetParent(ev)
69
		if healthCheck {
70
			return canBeHealthCheck(process) || canBeHealthCheck(parent)
71
		}
72
		return !canBeHealthCheck(process) && !canBeHealthCheck(parent)
73
	}
74
}
75

76
type HealthCheckFilter struct{}
77

78
func (f *HealthCheckFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
79
	var fs []hubbleFilters.FilterFunc
80
	if ff.HealthCheck != nil {
81
		fs = append(fs, filterByHealthCheck(ff.HealthCheck.Value))
82
	}
83
	return fs, nil
84
}
85