filters: implement parent binary export filter

[upstream commit: 11bb4ba]
[backporter's note: opted to use same field number as later versions for compatibility]

Implement a new export filter that can filter over parent binary names
using RE2 regular expressions.

Signed-off-by: willfindlay <will@isovalent.com>

api/v1/README.md

@@ -1090,6 +1090,7 @@ AggregationOptions defines configuration options for aggregating events.
 | pod_regex | [string](#string) | repeated | Filter by process.pod.name field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax |
 | arguments_regex | [string](#string) | repeated | Filter by process.arguments field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax |
 | labels | [string](#string) | repeated | Filter events by pod labels using Kubernetes label selector syntax: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Note that this filter never matches events without the pod field (i.e. host process events). |
+| parent_binary_regex | [string](#string) | repeated | Filter parent process' binary using RE2 regular expression syntax. |
 
 
 

api/v1/tetragon/events.proto

@@ -51,6 +51,8 @@ message Filter {
     // Note that this filter never matches events without the pod field (i.e.
     // host process events).
     repeated string labels = 9;
+    // Filter parent process' binary using RE2 regular expression syntax.
+    repeated string parent_binary_regex = 12;
 }
 
 message RedactionFilter {

docs/content/en/docs/concepts/events.md

@@ -160,6 +160,7 @@ flags, or environment variables.
 | `pod_regex` | Filter by pod name using a list of regular expressions. You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | 
 | `arguments_regex` | Filter by pod name using a list of regular expressions. You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | 
 | `labels` | Filter events by pod labels using [Kubernetes label selector syntax](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) Note that this filter never matches events without the pod field (i.e. host process events). | 
+| `parent_binary_regex` | Filter process events by a list of regular expressions of parent process binary names (e.g. `"^/home/kubernetes/bin/kubelet$"`). You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | 
 
 #### Field Filtering 
 

docs/content/en/docs/reference/grpc-api.md

@@ -665,6 +665,7 @@ AggregationOptions defines configuration options for aggregating events.
 | pod_regex | [string](#string) | repeated | Filter by process.pod.name field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax |
 | arguments_regex | [string](#string) | repeated | Filter by process.arguments field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax |
 | labels | [string](#string) | repeated | Filter events by pod labels using Kubernetes label selector syntax: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Note that this filter never matches events without the pod field (i.e. host process events). |
+| parent_binary_regex | [string](#string) | repeated | Filter parent process' binary using RE2 regular expression syntax. |
 
 <a name="tetragon-GetEventsRequest"></a>
 

pkg/filters/binary_regex.go

@@ -13,7 +13,7 @@ import (
 	hubbleFilters "github.com/cilium/tetragon/pkg/oldhubble/filters"
 )
 
-func filterByBinaryRegex(binaryPatterns []string) (hubbleFilters.FilterFunc, error) {
+func filterByBinaryRegex(binaryPatterns []string, parent bool) (hubbleFilters.FilterFunc, error) {
 	var binaries []*regexp.Regexp
 	for _, pattern := range binaryPatterns {
 		query, err := regexp.Compile(pattern)
@@ -23,7 +23,13 @@ func filterByBinaryRegex(binaryPatterns []string) (hubbleFilters.FilterFunc, err
 		binaries = append(binaries, query)
 	}
 	return func(ev *v1.Event) bool {
-		process := GetProcess(ev)
+		var process *tetragon.Process
+		if parent {
+			process = GetParent(ev)
+
+		} else {
+			process = GetProcess(ev)
+		}
 		if process == nil {
 			return false
 		}
@@ -41,11 +47,25 @@ type BinaryRegexFilter struct{}
 func (f *BinaryRegexFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
 	var fs []hubbleFilters.FilterFunc
 	if ff.BinaryRegex != nil {
-		dnsFilters, err := filterByBinaryRegex(ff.BinaryRegex)
+		filters, err := filterByBinaryRegex(ff.BinaryRegex, false)
+		if err != nil {
+			return nil, err
+		}
+		fs = append(fs, filters)
+	}
+	return fs, nil
+}
+
+type ParentBinaryRegexFilter struct{}
+
+func (f *ParentBinaryRegexFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
+	var fs []hubbleFilters.FilterFunc
+	if ff.ParentBinaryRegex != nil {
+		filters, err := filterByBinaryRegex(ff.ParentBinaryRegex, true)
 		if err != nil {
 			return nil, err
 		}
-		fs = append(fs, dnsFilters)
+		fs = append(fs, filters)
 	}
 	return fs, nil
 }

pkg/filters/binary_regex_test.go

@@ -152,3 +152,52 @@ func TestBinaryRegexFilterInvalidEvent(t *testing.T) {
 		Event: &tetragon.GetEventsResponse_ProcessExec{ProcessExec: &tetragon.ProcessExec{Process: nil}},
 	}}))
 }
+
+func TestParentBinaryRegexFilter(t *testing.T) {
+	f := []*tetragon.Filter{{ParentBinaryRegex: []string{"bash", "zsh"}}}
+	fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&ParentBinaryRegexFilter{}})
+	assert.NoError(t, err)
+	ev := v1.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{
+					Process: &tetragon.Process{Binary: "/sbin/iptables"},
+				},
+			},
+		},
+	}
+	assert.False(t, fl.MatchOne(&ev))
+	ev = v1.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{
+					Parent:  &tetragon.Process{Binary: "/bin/foo"},
+					Process: &tetragon.Process{Binary: "/sbin/iptables"},
+				},
+			},
+		},
+	}
+	assert.False(t, fl.MatchOne(&ev))
+	ev = v1.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{
+					Parent:  &tetragon.Process{Binary: "/bin/bash"},
+					Process: &tetragon.Process{Binary: "/sbin/iptables"},
+				},
+			},
+		},
+	}
+	assert.True(t, fl.MatchOne(&ev))
+	ev = v1.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{
+					Parent:  &tetragon.Process{Binary: "/bin/zsh"},
+					Process: &tetragon.Process{Binary: "/sbin/iptables"},
+				},
+			},
+		},
+	}
+	assert.True(t, fl.MatchOne(&ev))
+}

pkg/filters/filters.go

@@ -84,6 +84,7 @@ func BuildFilterList(ctx context.Context, ff []*tetragon.Filter, filterFuncs []O
 // Filters is the list of default filters
 var Filters = []OnBuildFilter{
 	&BinaryRegexFilter{},
+	&ParentBinaryRegexFilter{},
 	&HealthCheckFilter{},
 	&NamespaceFilter{},
 	&PidFilter{},