diff --git a/docs/docs/flags/events.1.md b/docs/docs/flags/events.1.md index f329927ccec8..c00fc4faae2f 100644 --- a/docs/docs/flags/events.1.md +++ b/docs/docs/flags/events.1.md @@ -11,7 +11,7 @@ tracee **\-\-events** - Select which events to trace ## SYNOPSIS -tracee **\-\-events** [ | <[-]event-name1(,set1...)\> | | | |<=|\>=]value\> | |<=|\>=]value\> | ] ... +tracee **\-\-events** [ | <[-]event-name1(,set1...)\> | | | |<=|\>=]value\> | |<=|\>=]value\> | ] ... ## DESCRIPTION @@ -25,7 +25,7 @@ The **\-\-events** flag allows you to select which events to trace by defining f - Event return value: Filter events based on their return value using 'event-name.retval'. The event return value expression follows the syntax of a numerical expression. -- Event context fields: Filter events based on the non-argument fields defined in the trace.Event struct using 'event-name.context.field'. Refer to the json tags in the trace.Event struct located in the types/trace package for the correct field names, and the event filtering section in the documentation for a full list. +- Event scope fields: Filter events based on the non-argument fields defined in the trace.Event struct using 'event-name.scope.field'. Refer to the json tags in the trace.Event struct located in the types/trace package for the correct field names, and the event filtering section in the documentation for a full list. ## FILTER EXPRESSION @@ -40,7 +40,7 @@ Multiple flags are combined with AND logic, while multiple values within a singl Available for: - return value -- context fields +- scope fields NOTE: Expressions containing '<' or '\>' tokens must be escaped! @@ -52,7 +52,7 @@ Available for: - event arguments - return value -- context fields +- scope fields Strings can be compared as a prefix if ending with '\*', or as a suffix if starting with '\*'. 
@@ -125,11 +125,11 @@ Available only for: - To trace only 'openat' events that have 'processName' equal to 'ls', use the following flag: ```console - --events openat.context.processName=ls + --events openat.scope.processName=ls ``` - To trace only 'security_file_open' events coming from a container, use the following flag: ```console - --events security_file_open.context.container + --events security_file_open.scope.container ``` diff --git a/docs/docs/policies/rules.md b/docs/docs/policies/rules.md index 83abe55cac53..036dafdc30b5 100644 --- a/docs/docs/policies/rules.md +++ b/docs/docs/policies/rules.md @@ -6,7 +6,7 @@ Below are several examples on configuring events in the Tracee Policy. ## Events -Every event that is specified within the `rules` section supports three types of filters: `context`, `arguments` and `return value`. +Every event that is specified within the `rules` section supports three types of filters: `scope`, `arguments` and `return value`. ### Type of Events @@ -64,17 +64,17 @@ spec: event: do_sigaction ``` -## Context filters +## Scope filters -Context is data which is collected along the event. They can be filtered like: +Further refinement of the policy's scope is achievable through the application of scope filters: ```yaml apiVersion: tracee.aquasec.com/v1beta1 kind: Policy metadata: - name: sample-context-filter + name: sample-scope-filter annotations: - description: sample context filter + description: sample scope filter spec: scope: - global @@ -84,7 +84,7 @@ spec: - pid=1000 ``` -The context filters supported are: +The scope filters supported are: #### p, pid, processId diff --git a/docs/man/events.1 b/docs/man/events.1 index ecaf9df2c87c..7fbeac1b0294 100644 --- a/docs/man/events.1 +++ b/docs/man/events.1 @@ -26,8 +26,8 @@ tracee \f[B]--events\f[R] [ | | | |<=|>=]value> | -|<=|>=]value> | -] \&... +|<=|>=]value> | +] \&... .SS DESCRIPTION .PP The \f[B]--events\f[R] flag allows you to select which events to trace 
@@ -49,8 +49,8 @@ Event return value: Filter events based on their return value using The event return value expression follows the syntax of a numerical expression. .IP \[bu] 2 -Event context fields: Filter events based on the non-argument fields -defined in the trace.Event struct using `event-name.context.field'. +Event scope fields: Filter events based on the non-argument fields +defined in the trace.Event struct using `event-name.scope.field'. Refer to the json tags in the trace.Event struct located in the types/trace package for the correct field names, and the event filtering section in the documentation for a full list. @@ -72,7 +72,7 @@ Available for: .IP \[bu] 2 return value .IP \[bu] 2 -context fields +scope fields .PP NOTE: Expressions containing `<' or `>' tokens must be escaped! .SS STRING EXPRESSION OPERATORS @@ -85,7 +85,7 @@ event arguments .IP \[bu] 2 return value .IP \[bu] 2 -context fields +scope fields .PP Strings can be compared as a prefix if ending with `*', or as a suffix if starting with `*'. @@ -202,7 +202,7 @@ the following flag: .IP .nf \f[C] ---events openat.context.processName=ls +--events openat.scope.processName=ls \f[R] .fi .RE @@ -213,7 +213,7 @@ the following flag: .IP .nf \f[C] ---events security_file_open.context.container +--events security_file_open.scope.container \f[R] .fi .RE diff --git a/pkg/cmd/flags/capture.go b/pkg/cmd/flags/capture.go index 6807a458a23b..ab2b6c0387c4 100644 --- a/pkg/cmd/flags/capture.go +++ b/pkg/cmd/flags/capture.go 
@@ -126,8 +126,8 @@ func PrepareCapture(captureSlice []string, newBinary bool) (config.CaptureConfig
 capture.Net.CaptureLength = 96 // default payload
 } else if strings.HasPrefix(c, "pcap:") {
 capture.Net.CaptureSingle = false // remove default mode
- context := strings.TrimPrefix(c, "pcap:")
- fields := strings.Split(context, ",")
+ scope := strings.TrimPrefix(c, "pcap:")
+ fields := strings.Split(scope, ",")
 for _, field := range fields {
 if field == "single" {
 capture.Net.CaptureSingle = true
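Review bot: `scope` is a misleading name for the local that holds the value of the `pcap:` option — the context→scope rename in this commit is about the event filter syntax, but this variable has nothing to do with a filter scope, and the same mechanical substitution hits the `pcap-options:` and `pcap-snaplen:` branches in the next hunk of this file. A name that says what the value is, e.g. `opt := strings.TrimPrefix(c, "pcap:")` and `fields := strings.Split(opt, ",")`, avoids suggesting a link to the policy scope that does not exist. PrepareCapture starts before and ends after the hunk.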
@@ -144,33 +144,33 @@ func PrepareCapture(captureSlice []string, newBinary bool) (config.CaptureConfig
 }
 capture.Net.CaptureLength = 96 // default payload
 } else if strings.HasPrefix(c, "pcap-options:") {
- context := strings.TrimPrefix(c, "pcap-options:")
- context = strings.ToLower(context) // normalize
- if context == "none" {
+ scope := strings.TrimPrefix(c, "pcap-options:")
+ scope = strings.ToLower(scope) // normalize
+ if scope == "none" {
 capture.Net.CaptureFiltered = false // proforma
- } else if context == "filtered" {
+ } else if scope == "filtered" {
 capture.Net.CaptureFiltered = true
 }
 } else if strings.HasPrefix(c, "pcap-snaplen:") {
- context := strings.TrimPrefix(c, "pcap-snaplen:")
+ scope := strings.TrimPrefix(c, "pcap-snaplen:")
 var amount uint64
 var err error
- context = strings.ToLower(context) // normalize
- if context == "default" {
+ scope = strings.ToLower(scope) // normalize
+ if scope == "default" {
 amount = 96 // default payload
- } else if context == "max" {
+ } else if scope == "max" {
 amount = (1 << 16) - 1 // max length for IP packets
- } else if context == "headers" {
+ } else if scope == "headers" {
 amount = 0 // sets headers only length for capturing (default)
- } else if strings.HasSuffix(context, "kb") ||
- strings.HasSuffix(context, "k") {
- context = strings.TrimSuffix(context, "kb")
- context = strings.TrimSuffix(context, "k")
- amount, err = strconv.ParseUint(context, 10, 64)
+ } else if strings.HasSuffix(scope, "kb") ||
+ strings.HasSuffix(scope, "k") {
+ scope = strings.TrimSuffix(scope, "kb")
+ scope = strings.TrimSuffix(scope, "k")
+ amount, err = strconv.ParseUint(scope, 10, 64)
 amount *= 1024 // result in bytes
- } else if strings.HasSuffix(context, "b") {
- context = strings.TrimSuffix(context, "b")
- amount, err = strconv.ParseUint(context, 10, 64)
+ } else if strings.HasSuffix(scope, "b") {
+ scope = strings.TrimSuffix(scope, "b")
+ amount, err = strconv.ParseUint(scope, 10, 64)
 } else {
 return
config.CaptureConfig{}, errfmt.Errorf("could not parse pcap snaplen: missing b or kb ?") } diff --git a/pkg/cmd/flags/event.go b/pkg/cmd/flags/event.go index 11fcd8d438b7..c0ce9115cf99 100644 --- a/pkg/cmd/flags/event.go +++ b/pkg/cmd/flags/event.go @@ -61,7 +61,7 @@ func parseEventFlag(flag string) ([]eventFlag, error) { // if operatorIdx == -1 { // no operator, as a set flag - if strings.Contains(flag, ".") { // "openat.context.container" edge case + if strings.Contains(flag, ".") { // "openat.scope.container" edge case evtParts, err := getEventFilterParts(flag, flag) if err != nil { return []eventFlag{}, errfmt.WrapError(err) diff --git a/pkg/cmd/flags/event_test.go b/pkg/cmd/flags/event_test.go index 368f76d4414b..24b5f34b5cf2 100644 --- a/pkg/cmd/flags/event_test.go +++ b/pkg/cmd/flags/event_test.go @@ -153,18 +153,18 @@ func TestParseEventFlag(t *testing.T) { }, { name: "ValidEventFlag", - eventFlag: "openat.context.userId=0", + eventFlag: "openat.scope.userId=0", expected: []eventFlag{ { - full: "openat.context.userId=0", - eventFilter: "openat.context.userId", + full: "openat.scope.userId=0", + eventFilter: "openat.scope.userId", eventName: "openat", - eventOptionType: "context", + eventOptionType: "scope", eventOptionName: "userId", operator: "=", values: "0", operatorAndValues: "=0", - filter: "context.userId=0", + filter: "scope.userId=0", }, }, expectedError: nil, @@ -207,13 +207,13 @@ func TestParseEventFlag(t *testing.T) { }, { name: "ValidEventFlag", - eventFlag: "open.context.container", + eventFlag: "open.scope.container", expected: []eventFlag{ { - full: "open.context.container", - eventFilter: "open.context.container", + full: "open.scope.container", + eventFilter: "open.scope.container", eventName: "open", - eventOptionType: "context", + eventOptionType: "scope", eventOptionName: "container", operator: "", values: "", diff --git a/pkg/cmd/flags/filter.go b/pkg/cmd/flags/filter.go index 709e1eb8b767..f29aa46dbb0c 100644 
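Review bot: In the `kb` branch of the `pcap-snaplen:` parsing, `amount *= 1024` runs before `err` is examined and with no upper bound, so a value above 2^54 wraps silently instead of being rejected, and nothing in this hunk compares the numeric forms against the `(1 << 16) - 1` ceiling that the `max` keyword uses. The rest of PrepareCapture is outside the hunk, so if no later check clamps the result, add one right after the parse, e.g. `if err == nil && amount > (1<<16)-1 { return config.CaptureConfig{}, errfmt.Errorf("could not parse pcap snaplen: value exceeds 65535 bytes") }`, which keeps the keyword and numeric spellings consistent. The same reasoning applies to the `b` branch, which also has no range check visible here.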
--- a/pkg/cmd/flags/filter.go +++ b/pkg/cmd/flags/filter.go @@ -31,7 +31,7 @@ Strings can be compared as a prefix if ending with '*' or as suffix if starting Event return value can be accessed using 'event_name.retval' and provide a way to filter an event by its return value. Event return value expression has the same syntax as a numerical expression. -Event context fields can be accessed using 'event_name.context.field', this can be used to filter an event by the non arguments +Event scope fields can be accessed using 'event_name.scope.field', this can be used to filter an event by the non arguments fields defined in the trace.Event struct. Refer to the json tags in the trace.Event struct located in the types/trace package for the correct field names, and the event filtering section in the documentation for a full list. @@ -81,8 +81,8 @@ Event examples: --events openat.args.pathname='/tmp*' | only trace 'openat' events that have 'pathname' prefixed by /tmp --events openat.args.pathname='*shadow' | only trace 'openat' events that have 'pathname' suffixed by shadow --events openat.args.pathname!=/tmp/1,/bin/ls | don't trace 'openat' events that have 'pathname' equals /tmp/1 or /bin/ls - --events openat.context.processName=ls | only trace 'openat' events that have 'processName' equal to 'ls' - --events security_file_open.context.container | only trace 'security_file_open' events coming from a container + --events openat.scope.processName=ls | only trace 'openat' events that have 'processName' equal to 'ls' + --events security_file_open.scope.container | only trace 'security_file_open' events coming from a container Note: some of the above operators have special meanings in different shells. To 'escape' those operators, please use single quotes, e.g.: 'uid>0', '/tmp*' diff --git a/pkg/cmd/flags/policy.go b/pkg/cmd/flags/policy.go index 7e8a77bd9438..761f75a195e9 100644 --- a/pkg/cmd/flags/policy.go +++ b/pkg/cmd/flags/policy.go 
@@ -81,13 +81,13 @@ func PrepareFilterMapsFromPolicies(policies []k8s.PolicyInterface) (PolicyScopeM continue } - // at this point we know the filter is an event context filter - // context filters are provided without "context." prefix so we need to add it - evtContextFlags, err := parseEventFlag(fmt.Sprintf("%s.context.%s", r.Event, f)) + // at this point we know the filter is an event scope filter + // scope filters are provided without "scope." prefix so we need to add it + evtScopeFlags, err := parseEventFlag(fmt.Sprintf("%s.scope.%s", r.Event, f)) if err != nil { return nil, nil, errfmt.WrapError(err) } - eventFlags = append(eventFlags, evtContextFlags...) + eventFlags = append(eventFlags, evtScopeFlags...) } } @@ -274,7 +274,7 @@ func CreatePolicies(policyScopeMap PolicyScopeMap, policyEventsMap PolicyEventMa continue } - // at this point, we can assume that event flag is an event option filter (args, retval, context), + // at this point, we can assume that event flag is an event option filter (args, retval, scope), // so, as a sugar, we can add the event name to be filtered eventFilter.Equal = append(eventFilter.Equal, evtFlag.eventName) @@ -289,8 +289,8 @@ func CreatePolicies(policyScopeMap PolicyScopeMap, policyEventsMap PolicyEventMa continue } - if evtFlag.eventOptionType == "context" { - err := p.ContextFilter.Parse(evtFilter, operatorAndValues) + if evtFlag.eventOptionType == "scope" { + err := p.ScopeFilter.Parse(evtFilter, operatorAndValues) if err != nil { return nil, err } diff --git a/pkg/cmd/flags/policy_test.go b/pkg/cmd/flags/policy_test.go index 04917266e7e9..ed2f5edc63fb 100644 --- a/pkg/cmd/flags/policy_test.go +++ b/pkg/cmd/flags/policy_test.go @@ -791,7 +791,7 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) { }, }, }, - // context filter + // scope filter { testName: "timestamp filter", policy: v1beta1.PolicyFile{ 
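Review bot: The option-type token `"scope"` is now a bare string literal in three places — the `fmt.Sprintf("%s.scope.%s", r.Event, f)` in this hunk, `evtFlag.eventOptionType == "scope"` in the CreatePolicies hunk below, and `parts[1] != "scope"` in pkg/filters/scope.go further down — which is exactly the kind of drift a find-and-replace commit like this one has to chase. One exported constant in pkg/filters (something like `ScopeOptionType = "scope"`, name to taste) used as `fmt.Sprintf("%s.%s.%s", r.Event, filters.ScopeOptionType, f)` here would keep the flag parser and the filter parser from disagreeing on the prefix again, assuming pkg/cmd/flags can import pkg/filters without a cycle (its tests already do). PrepareFilterMapsFromPolicies and CreatePolicies both start and end outside their hunks.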
@@ -816,9 +816,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 writeEvtFlag,
 {
- full: "write.context.timestamp>1234567890",
+ full: "write.scope.timestamp>1234567890",
 eventName: "write",
- eventFilter: "write.context.timestamp",
+ eventFilter: "write.scope.timestamp",
 operatorAndValues: ">1234567890",
 },
 },
@@ -849,9 +849,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 writeEvtFlag,
 {
- full: "write.context.processorId>=1234567890",
+ full: "write.scope.processorId>=1234567890",
 eventName: "write",
- eventFilter: "write.context.processorId",
+ eventFilter: "write.scope.processorId",
 operatorAndValues: ">=1234567890",
 },
 },
@@ -882,9 +882,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 writeEvtFlag,
 {
- full: "write.context.p<=10",
+ full: "write.scope.p<=10",
 eventName: "write",
- eventFilter: "write.context.p",
+ eventFilter: "write.scope.p",
 operatorAndValues: "<=10",
 },
 },
@@ -915,9 +915,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 writeEvtFlag,
 {
- full: "write.context.pid!=1",
+ full: "write.scope.pid!=1",
 eventName: "write",
- eventFilter: "write.context.pid",
+ eventFilter: "write.scope.pid",
 operatorAndValues: "!=1",
 },
 },
@@ -948,9 +948,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 writeEvtFlag,
 {
- full: "write.context.processId=1387",
+ full: "write.scope.processId=1387",
 eventName: "write",
- eventFilter: "write.context.processId",
+ eventFilter: "write.scope.processId",
 operatorAndValues: "=1387",
 },
 },
@@ -981,9 +981,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 writeEvtFlag,
 {
- full: "write.context.tid=1388",
+ full: "write.scope.tid=1388",
 eventName: "write",
- eventFilter: "write.context.tid",
+ eventFilter: "write.scope.tid",
 operatorAndValues: "=1388",
 },
 },
@@ -1014,9 +1014,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 writeEvtFlag,
 {
- full: "write.context.threadId!=1388",
+ full: "write.scope.threadId!=1388",
 eventName: "write",
- eventFilter: "write.context.threadId",
+ eventFilter: "write.scope.threadId",
 operatorAndValues: "!=1388",
 },
 },
@@ -1047,9 +1047,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 writeEvtFlag,
 {
- full: "write.context.ppid=1",
+ full: "write.scope.ppid=1",
 eventName: "write",
- eventFilter: "write.context.ppid",
+ eventFilter: "write.scope.ppid",
 operatorAndValues: "=1",
 },
 },
@@ -1080,9 +1080,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 writeEvtFlag,
 {
- full: "write.context.parentProcessId>1455",
+ full: "write.scope.parentProcessId>1455",
 eventName: "write",
- eventFilter: "write.context.parentProcessId",
+ eventFilter: "write.scope.parentProcessId",
 operatorAndValues: ">1455",
 },
 },
@@ -1113,9 +1113,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.hostTid=2455",
+ full: "read.scope.hostTid=2455",
 eventName: "read",
- eventFilter: "read.context.hostTid",
+ eventFilter: "read.scope.hostTid",
 operatorAndValues: "=2455",
 },
 },
@@ -1146,9 +1146,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.hostThreadId!=2455",
+ full: "read.scope.hostThreadId!=2455",
 eventName: "read",
- eventFilter: "read.context.hostThreadId",
+ eventFilter: "read.scope.hostThreadId",
 operatorAndValues: "!=2455",
 },
 },
@@ -1179,9 +1179,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.hostPid=333",
+ full: "read.scope.hostPid=333",
 eventName: "read",
- eventFilter: "read.context.hostPid",
+ eventFilter: "read.scope.hostPid",
 operatorAndValues: "=333",
 },
 },
@@ -1212,9 +1212,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.hostParentProcessId!=333",
+ full: "read.scope.hostParentProcessId!=333",
 eventName: "read",
- eventFilter: "read.context.hostParentProcessId",
+ eventFilter: "read.scope.hostParentProcessId",
 operatorAndValues: "!=333",
 },
 },
@@ -1245,9 +1245,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.userId=1000",
+ full: "read.scope.userId=1000",
 eventName: "read",
- eventFilter: "read.context.userId",
+ eventFilter: "read.scope.userId",
 operatorAndValues: "=1000",
 },
 },
@@ -1278,9 +1278,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.mntns=4026531840",
+ full: "read.scope.mntns=4026531840",
 eventName: "read",
- eventFilter: "read.context.mntns",
+ eventFilter: "read.scope.mntns",
 operatorAndValues: "=4026531840",
 },
 },
@@ -1311,9 +1311,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.mountNamespace!=4026531840",
+ full: "read.scope.mountNamespace!=4026531840",
 eventName: "read",
- eventFilter: "read.context.mountNamespace",
+ eventFilter: "read.scope.mountNamespace",
 operatorAndValues: "!=4026531840",
 },
 },
@@ -1344,9 +1344,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.pidns=4026531836",
+ full: "read.scope.pidns=4026531836",
 eventName: "read",
- eventFilter: "read.context.pidns",
+ eventFilter: "read.scope.pidns",
 operatorAndValues: "=4026531836",
 },
 },
@@ -1377,9 +1377,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.pidNamespace!=4026531836",
+ full: "read.scope.pidNamespace!=4026531836",
 eventName: "read",
- eventFilter: "read.context.pidNamespace",
+ eventFilter: "read.scope.pidNamespace",
 operatorAndValues: "!=4026531836",
 },
 },
@@ -1410,9 +1410,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.processName=uname",
+ full: "read.scope.processName=uname",
 eventName: "read",
- eventFilter: "read.context.processName",
+ eventFilter: "read.scope.processName",
 operatorAndValues: "=uname",
 },
 },
@@ -1443,9 +1443,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.comm!=uname",
+ full: "read.scope.comm!=uname",
 eventName: "read",
- eventFilter: "read.context.comm",
+ eventFilter: "read.scope.comm",
 operatorAndValues: "!=uname",
 },
 },
@@ -1476,9 +1476,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.hostName=test",
+ full: "read.scope.hostName=test",
 eventName: "read",
- eventFilter: "read.context.hostName",
+ eventFilter: "read.scope.hostName",
 operatorAndValues: "=test",
 },
 },
@@ -1509,9 +1509,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.cgroupId=test",
+ full: "read.scope.cgroupId=test",
 eventName: "read",
- eventFilter: "read.context.cgroupId",
+ eventFilter: "read.scope.cgroupId",
 operatorAndValues: "=test",
 },
 },
@@ -1542,9 +1542,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.host=test",
+ full: "read.scope.host=test",
 eventName: "read",
- eventFilter: "read.context.host",
+ eventFilter: "read.scope.host",
 operatorAndValues: "=test",
 },
 },
@@ -1575,9 +1575,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.container=c",
+ full: "read.scope.container=c",
 eventName: "read",
- eventFilter: "read.context.container",
+ eventFilter: "read.scope.container",
 operatorAndValues: "=c",
 },
 },
@@ -1608,9 +1608,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.containerId=da91bf3df3dc",
+ full: "read.scope.containerId=da91bf3df3dc",
 eventName: "read",
- eventFilter: "read.context.containerId",
+ eventFilter: "read.scope.containerId",
 operatorAndValues: "=da91bf3df3dc",
 },
 },
@@ -1641,9 +1641,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.containerImage=tracee:latest",
+ full: "read.scope.containerImage=tracee:latest",
 eventName: "read",
- eventFilter: "read.context.containerImage",
+ eventFilter: "read.scope.containerImage",
 operatorAndValues: "=tracee:latest",
 },
 },
@@ -1674,9 +1674,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.containerName=tracee",
+ full: "read.scope.containerName=tracee",
 eventName: "read",
- eventFilter: "read.context.containerName",
+ eventFilter: "read.scope.containerName",
 operatorAndValues: "=tracee",
 },
 },
@@ -1707,9 +1707,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.podName=daemonset/tracee",
+ full: "read.scope.podName=daemonset/tracee",
 eventName: "read",
- eventFilter: "read.context.podName",
+ eventFilter: "read.scope.podName",
 operatorAndValues: "=daemonset/tracee",
 },
 },
@@ -1740,9 +1740,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.podNamespace=production",
+ full: "read.scope.podNamespace=production",
 eventName: "read",
- eventFilter: "read.context.podNamespace",
+ eventFilter: "read.scope.podNamespace",
 operatorAndValues: "=production",
 },
 },
@@ -1773,9 +1773,9 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
 eventFlags: []eventFlag{
 readEvtFlag,
 {
- full: "read.context.podUid=poduid",
+ full: "read.scope.podUid=poduid",
 eventName: "read",
- eventFilter: "read.context.podUid",
+ eventFilter: "read.scope.podUid",
 operatorAndValues: "=poduid",
 },
 },
@@ -1851,19 +1851,19 @@ func TestCreatePolicies(t *testing.T) {
 expectPolicyErr: InvalidFilterFlagFormat("open.bla=5"),
 },
 {
- testName: "invalid context filter 1",
- evtFlags: []string{"open.context"},
- expectPolicyErr: filters.InvalidExpression("open.context"),
+ testName: "invalid scope filter 1",
+ evtFlags: []string{"open.scope"},
+ expectPolicyErr: filters.InvalidExpression("open.scope"),
 },
 {
- testName: "invalid context filter 2",
- evtFlags: []string{"bla.context.processName=ls"},
+ testName: "invalid scope filter 2",
+ evtFlags: []string{"bla.scope.processName=ls"},
 expectPolicyErr: filters.InvalidEventName("bla"),
 },
 {
- testName: "invalid context filter 3",
- evtFlags: []string{"openat.context.procName=ls"},
- expectPolicyErr: filters.InvalidContextField("procName"),
+ testName: "invalid scope filter 3",
+ evtFlags: []string{"openat.scope.procName=ls"},
+ expectPolicyErr: filters.InvalidScopeField("procName"),
 },
 {
 testName: "invalid filter",
diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
index b593aca870e2..c57d12194f3e 100644
--- a/pkg/ebpf/events_pipeline.go
+++ b/pkg/ebpf/events_pipeline.go
@@ -325,8 +325,8 @@ func (t *Tracee) matchPolicies(event *trace.Event) uint64 { // Do the userland filtering // - // 1. event context filters - if !p.ContextFilter.Filter(*event) { + // 1. event scope filters + if !p.ScopeFilter.Filter(*event) { utils.ClearBit(&bitmap, bitOffset) continue } diff --git a/pkg/filters/errors.go b/pkg/filters/errors.go index e54270c8de23..43ced93908d4 100644 --- a/pkg/filters/errors.go +++ b/pkg/filters/errors.go @@ -28,8 +28,8 @@ func InvalidEventArgument(argument string) error { return fmt.Errorf("invalid filter event argument: %s", argument) } -func InvalidContextField(field string) error { - return fmt.Errorf("invalid event context field: %s", field) +func InvalidScopeField(field string) error { + return fmt.Errorf("invalid event scope field: %s", field) } func FailedToRetreiveHostNS() error { diff --git a/pkg/filters/context.go b/pkg/filters/scope.go similarity index 92% rename from pkg/filters/context.go rename to pkg/filters/scope.go index d61e6a5e0c40..b7cddfc305f2 100644 --- a/pkg/filters/context.go +++ b/pkg/filters/scope.go 
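Review bot: `p.ScopeFilter.Filter(*event)` dereferences the event and passes `trace.Event` by value, so every policy that reaches this userland check copies the whole struct for every event that flows through matchPolicies; the renamed `Filter(event trace.Event) bool` signature in pkg/filters/scope.go further down in this diff is what forces the copy. Since matchPolicies already holds a `*trace.Event`, a pointer parameter (`func (filter *ScopeFilter) Filter(event *trace.Event) bool`) would remove it on this per-event path; whether the copy is measurable should be confirmed with a benchmark before widening the change beyond a rename. matchPolicies starts before and ends after the hunk.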
@@ -9,40 +9,40 @@ import ( "github.com/aquasecurity/tracee/types/trace" ) -type ContextFilter struct { +type ScopeFilter struct { filters map[events.ID]*eventCtxFilter enabled bool } -// Compile-time check to ensure that ContextFilter implements the Cloner interface -var _ utils.Cloner[*ContextFilter] = &ContextFilter{} +// Compile-time check to ensure that ScopeFilter implements the Cloner interface +var _ utils.Cloner[*ScopeFilter] = &ScopeFilter{} -func NewContextFilter() *ContextFilter { - return &ContextFilter{ +func NewScopeFilter() *ScopeFilter { + return &ScopeFilter{ filters: make(map[events.ID]*eventCtxFilter), enabled: false, } } -func (filter *ContextFilter) Enable() { +func (filter *ScopeFilter) Enable() { filter.enabled = true for _, f := range filter.filters { f.Enable() } } -func (filter *ContextFilter) Disable() { +func (filter *ScopeFilter) Disable() { filter.enabled = false for _, f := range filter.filters { f.Disable() } } -func (filter *ContextFilter) Enabled() bool { +func (filter *ScopeFilter) Enabled() bool { return filter.enabled } -func (filter *ContextFilter) Filter(event trace.Event) bool { +func (filter *ScopeFilter) Filter(event trace.Event) bool { if !filter.Enabled() { return true } @@ -55,12 +55,12 @@ func (filter *ContextFilter) Filter(event trace.Event) bool { return true } -func (filter *ContextFilter) Parse(filterName string, operatorAndValues string) error { +func (filter *ScopeFilter) Parse(filterName string, operatorAndValues string) error { parts := strings.Split(filterName, ".") if len(parts) != 3 { return InvalidExpression(filterName + operatorAndValues) } - if parts[1] != "context" { + if parts[1] != "scope" { return InvalidExpression(filterName + operatorAndValues) } 
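Review bot: `Parse` now rejects the `context` option type outright at `if parts[1] != "scope"`, so every existing CLI invocation and policy file written as `event.context.field` fails with `InvalidExpression`, and that error says nothing about the rename. Either accept `context` for a transition period, mapping it to `scope` and logging a deprecation warning, or at least return an error that names `scope` as the replacement, so operators whose policies stop loading after an upgrade can see why rather than losing the filter silently in their deployment automation. Whichever is chosen, the user-facing breakage deserves a line in the commit message and changelog. The rest of ScopeFilter.Parse continues outside the hunk.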
@@ -227,7 +227,7 @@ func (f *eventCtxFilter) Parse(field string, operatorAndValues string) error { case "cgroupId": filter := f.cgroupIDFilter return filter.Parse(operatorAndValues) - // we reserve host for negating "container" context + // we reserve host for negating "container" scope case "host": filter := f.containerFilter filter.Enable() @@ -237,7 +237,7 @@ func (f *eventCtxFilter) Parse(field string, operatorAndValues string) error { filter.Enable() return filter.add(true, Equal) // TODO: change this and below container filters to the format - // eventname.context.container.id and so on... + // eventname.scope.container.id and so on... case "containerId": filter := f.containerIDFilter return addContainer[*StringFilter](f, filter, operatorAndValues) @@ -251,7 +251,7 @@ func (f *eventCtxFilter) Parse(field string, operatorAndValues string) error { filter := f.containerNameFilter return addContainer[*StringFilter](f, filter, operatorAndValues) // TODO: change this and below pod filters to the format - // eventname.context.kubernetes.podName and so on... + // eventname.scope.kubernetes.podName and so on... case "podName": filter := f.podNameFilter return addContainer[*StringFilter](f, filter, operatorAndValues) @@ -268,7 +268,7 @@ func (f *eventCtxFilter) Parse(field string, operatorAndValues string) error { filter := f.syscallFilter return filter.Parse(operatorAndValues) } - return InvalidContextField(field) + return InvalidScopeField(field) } func addContainer[T any](f *eventCtxFilter, filter Filter[T], operatorAndValues string) error { @@ -319,12 +319,12 @@ func (f *eventCtxFilter) Clone() *eventCtxFilter { return n } -func (filter *ContextFilter) Clone() *ContextFilter { +func (filter *ScopeFilter) Clone() *ScopeFilter { if filter == nil { return nil } - n := NewContextFilter() + n := NewScopeFilter() for k, v := range filter.filters { n.filters[k] = v.Clone() 
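Review bot: The rename stops at the type boundary: `ScopeFilter` still wraps `filters map[events.ID]*eventCtxFilter`, and every method touched in this file's remaining hunks is on `eventCtxFilter` (`func (f *eventCtxFilter) Parse`, its `Clone`), so the package now mixes `Ctx` and `Scope` for the same concept. Since the commit already renames the file to scope.go and rewrites the TODO comments to the `eventname.scope.…` spelling, finishing with a consistent inner type name (for example `eventScopeFilter`, name to taste) in the same change avoids a second sweep later. eventCtxFilter.Parse starts before the first hunk and its switch continues between the hunks.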
diff --git a/pkg/filters/context_test.go b/pkg/filters/scope_test.go similarity index 79% rename from pkg/filters/context_test.go rename to pkg/filters/scope_test.go index 4491c6485482..f6efcc7d0529 100644 --- a/pkg/filters/context_test.go +++ b/pkg/filters/scope_test.go @@ -9,17 +9,17 @@ import ( "github.com/aquasecurity/tracee/pkg/filters/sets" ) -func TestContextFilterClone(t *testing.T) { +func TestScopeFilterClone(t *testing.T) { t.Parallel() - filter := NewContextFilter() - err := filter.Parse("openat.context.processorId", "=0") + filter := NewScopeFilter() + err := filter.Parse("openat.scope.processorId", "=0") require.NoError(t, err) copy := filter.Clone() opt1 := cmp.AllowUnexported( - ContextFilter{}, + ScopeFilter{}, eventCtxFilter{}, IntFilter[int64]{}, UIntFilter[uint64]{}, @@ -34,7 +34,7 @@ func TestContextFilterClone(t *testing.T) { } // ensure that changes to the copy do not affect the original - err = copy.Parse("openat.context.pid", "=1") + err = copy.Parse("openat.scope.pid", "=1") require.NoError(t, err) if cmp.Equal(filter, copy, opt1) { t.Errorf("Changes to copied filter affected the original") diff --git a/pkg/policy/policies.go b/pkg/policy/policies.go index 3cd0744b1b9f..8c89392365e2 100644 --- a/pkg/policy/policies.go +++ b/pkg/policy/policies.go @@ -95,7 +95,7 @@ func (ps *Policies) ContainerFilterEnabled() bool { } // FilterableInUserland returns a bitmap of policies that must be filtered in userland -// (ArgFilter, RetFilter, ContextFilter, UIDFilter and PIDFilter). +// (ArgFilter, RetFilter, ScopeFilter, UIDFilter and PIDFilter). func (ps *Policies) FilterableInUserland() uint64 { return atomic.LoadUint64(&ps.filterableInUserland) } diff --git a/pkg/policy/policies_compute.go b/pkg/policy/policies_compute.go index 89e2fa31a741..13af7d6aa995 100644 --- a/pkg/policy/policies_compute.go +++ b/pkg/policy/policies_compute.go 
@@ -16,12 +16,12 @@ func (ps *Policies) compute() { } // calculateGlobalMinMax sets the global min and max, to be checked in kernel, -// of the Minimum and Maximum enabled filters only if context filter types +// of the Minimum and Maximum enabled filters only if scope filter types // (e.g. BPFUIDFilter) from all policies have both Minimum and Maximum values set. // // Policies userland filter flags are also set (e.g. uidFilterableInUserland). // -// The context filter types relevant for this function are just UIDFilter and +// The scope filter types relevant for this function are just UIDFilter and // PIDFilter. func (ps *Policies) calculateGlobalMinMax() { var ( @@ -128,7 +128,7 @@ func (ps *Policies) updateUserlandPolicies() { if p.ArgFilter.Enabled() || p.RetFilter.Enabled() || - p.ContextFilter.Enabled() || + p.ScopeFilter.Enabled() || (p.UIDFilter.Enabled() && ps.uidFilterableInUserland) || (p.PIDFilter.Enabled() && ps.pidFilterableInUserland) { // add policy to userland list and set the respective bit diff --git a/pkg/policy/policies_iterator.go b/pkg/policy/policies_iterator.go index fcbbb0282f38..245e8a2abf62 100644 --- a/pkg/policy/policies_iterator.go +++ b/pkg/policy/policies_iterator.go @@ -26,7 +26,7 @@ func (i *PoliciesIterator) Next() *Policy { } // CreateUserlandIterator returns a new iterator for a reduced list of policies -// which must be filtered in userland (ArgFilter, RetFilter, ContextFilter, +// which must be filtered in userland (ArgFilter, RetFilter, ScopeFilter, // UIDFilter and PIDFilter). func (ps *Policies) CreateUserlandIterator() utils.Iterator[*Policy] { return &PoliciesIterator{ diff --git a/pkg/policy/policies_test.go b/pkg/policy/policies_test.go index e2b767296f7f..89e7d154ebe8 100644 --- a/pkg/policy/policies_test.go +++ b/pkg/policy/policies_test.go 
@@ -50,7 +50,7 @@ func TestPoliciesClone(t *testing.T) { filters.BoolFilter{}, filters.RetFilter{}, filters.ArgFilter{}, - filters.ContextFilter{}, + filters.ScopeFilter{}, filters.ProcessTreeFilter{}, filters.BinaryFilter{}, sets.PrefixSet{}, diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go index 3e21bf8880a0..703030e2f011 100644 --- a/pkg/policy/policy.go +++ b/pkg/policy/policy.go @@ -24,7 +24,7 @@ type Policy struct { ContIDFilter *filters.StringFilter RetFilter *filters.RetFilter ArgFilter *filters.ArgFilter - ContextFilter *filters.ContextFilter + ScopeFilter *filters.ScopeFilter ProcessTreeFilter *filters.ProcessTreeFilter BinaryFilter *filters.BinaryFilter Follow bool @@ -50,7 +50,7 @@ func NewPolicy() *Policy { ContIDFilter: filters.NewStringFilter(nil), RetFilter: filters.NewRetFilter(), ArgFilter: filters.NewArgFilter(), - ContextFilter: filters.NewContextFilter(), + ScopeFilter: filters.NewScopeFilter(), ProcessTreeFilter: filters.NewProcessTreeFilter(), BinaryFilter: filters.NewBinaryFilter(), Follow: false, @@ -86,7 +86,7 @@ func (p *Policy) Clone() *Policy { n.ContIDFilter = p.ContIDFilter.Clone() n.RetFilter = p.RetFilter.Clone() n.ArgFilter = p.ArgFilter.Clone() - n.ContextFilter = p.ContextFilter.Clone() + n.ScopeFilter = p.ScopeFilter.Clone() n.ProcessTreeFilter = p.ProcessTreeFilter.Clone() n.BinaryFilter = p.BinaryFilter.Clone() n.Follow = p.Follow diff --git a/pkg/policy/policy_test.go b/pkg/policy/policy_test.go index 21b3aee31bdc..5d66de446119 100644 --- a/pkg/policy/policy_test.go +++ b/pkg/policy/policy_test.go @@ -25,7 +25,7 @@ func TestPolicyClone(t *testing.T) { filters.BoolFilter{}, filters.RetFilter{}, filters.ArgFilter{}, - filters.ContextFilter{}, + filters.ScopeFilter{}, filters.ProcessTreeFilter{}, filters.BinaryFilter{}, sets.PrefixSet{},