filters: implement container_id filter

Implement a container_id filter, primarily to support its use in docker-based unit
testing.

Signed-off-by: William Findlay <[email protected]>

api/v1/tetragon/events.proto

@@ -66,6 +66,9 @@ message Filter {
     // Filter by process.parent.arguments field using RE2 regular expression syntax:
     // https://github.com/google/re2/wiki/Syntax
     repeated string parent_arguments_regex = 14;
+    // Filter by the container ID in the process.docker field. Matches a string
+    // prefix to emulate the behaviour of docker CLI.
+    repeated string container_id = 15;
 }
 
 // Filter over a set of Linux process capabilities. See `message Capabilities`

cmd/tetra/getevents/getevents.go

@@ -65,7 +65,7 @@ var GetFilter = func() *tetragon.Filter {
 	// out because empty allowlist does not match anything.
 	filter := tetragon.Filter{}
 	if len(Options.Processes) > 0 {
-		filter.BinaryRegex = Options.Processes
+		filter.Docker = Options.Processes
 	}
 	if len(Options.Namespaces) > 0 {
 		filter.Namespace = Options.Namespaces

pkg/exporter/exporter_test.go

@@ -90,7 +90,7 @@ func TestExporter_Send(t *testing.T) {
 	numRecords := 2
 	results := newArrayWriter(numRecords)
 	encoder := encoder.NewProtojsonEncoder(results)
-	request := tetragon.GetEventsRequest{DenyList: []*tetragon.Filter{{BinaryRegex: []string{"b"}}}}
+	request := tetragon.GetEventsRequest{DenyList: []*tetragon.Filter{{Docker: []string{"b"}}}}
 	exporter := NewExporter(ctx, &request, grpcServer, encoder, results, nil)
 	assert.NoError(t, exporter.Start(), "exporter must start without errors")
 	eventNotifier.NotifyListener(nil, &tetragon.GetEventsResponse{

pkg/filters/binary_regex_test.go

@@ -13,7 +13,7 @@ import (
 )
 
 func TestBinaryRegexFilterBasic(t *testing.T) {
-	f := []*tetragon.Filter{{BinaryRegex: []string{"iptable", "systemd"}}}
+	f := []*tetragon.Filter{{Docker: []string{"iptable", "systemd"}}}
 	fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&BinaryRegexFilter{}})
 	assert.NoError(t, err)
 	ev := v1.Event{
@@ -75,7 +75,7 @@ func TestBinaryRegexFilterBasic(t *testing.T) {
 }
 
 func TestBinaryRegexFilterAdvanced(t *testing.T) {
-	f := []*tetragon.Filter{{BinaryRegex: []string{"/usr/sbin/.*", "^/usr/lib/systemd/systemd$"}}}
+	f := []*tetragon.Filter{{Docker: []string{"/usr/sbin/.*", "^/usr/lib/systemd/systemd$"}}}
 	fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&BinaryRegexFilter{}})
 	assert.NoError(t, err)
 	ev := v1.Event{
@@ -129,13 +129,13 @@ func TestBinaryRegexFilterAdvanced(t *testing.T) {
 }
 
 func TestBinaryRegexFilterInvalidRegex(t *testing.T) {
-	f := []*tetragon.Filter{{BinaryRegex: []string{"*"}}}
+	f := []*tetragon.Filter{{Docker: []string{"*"}}}
 	_, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&BinaryRegexFilter{}})
 	assert.Error(t, err)
 }
 
 func TestBinaryRegexFilterInvalidEvent(t *testing.T) {
-	f := []*tetragon.Filter{{BinaryRegex: []string{".*"}}}
+	f := []*tetragon.Filter{{Docker: []string{".*"}}}
 	fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&BinaryRegexFilter{}})
 	assert.NoError(t, err)
 	assert.False(t, fl.MatchOne(nil))

pkg/filters/docker.go

@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package filters
+
+import (
+	"context"
+	"strings"
+
+	v1 "github.com/cilium/cilium/pkg/hubble/api/v1"
+	hubbleFilters "github.com/cilium/cilium/pkg/hubble/filters"
+	"github.com/cilium/tetragon/api/v1/tetragon"
+)
+
+func filterByContainerID(ids []string) (hubbleFilters.FilterFunc, error) {
+	return func(ev *v1.Event) bool {
+		process := GetProcess(ev)
+		if process == nil {
+			return false
+		}
+		for _, id := range ids {
+			if strings.HasPrefix(process.Docker, id) {
+				return true
+			}
+		}
+		return false
+	}, nil
+}
+
+type ContainerIDFilter struct{}
+
+func (f *ContainerIDFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
+	var fs []hubbleFilters.FilterFunc
+	if ff.ContainerId != nil {
+		filters, err := filterByContainerID(ff.ContainerId)
+		if err != nil {
+			return nil, err
+		}
+		fs = append(fs, filters)
+	}
+	return fs, nil
+}

pkg/filters/filters.go

@@ -96,6 +96,7 @@ var Filters = []OnBuildFilter{
 	&PodRegexFilter{},
 	&PolicyNamesFilter{},
 	&CapsFilter{},
+	&ContainerIDFilter{},
 }
 
 func GetProcess(event *v1.Event) *tetragon.Process {

pkg/filters/filters_test.go

@@ -40,8 +40,8 @@ func TestParseFilterList(t *testing.T) {
 		[]*tetragon.Filter{
 			{Namespace: []string{"kube-system", ""}},
 			{HealthCheck: &wrapperspb.BoolValue{Value: true}},
-			{BinaryRegex: []string{"kube.*", "iptables"}},
-			{BinaryRegex: []string{"/usr/sbin/.*"}, Namespace: []string{"default"}},
+			{Docker: []string{"kube.*", "iptables"}},
+			{Docker: []string{"/usr/sbin/.*"}, Namespace: []string{"default"}},
 			{PidSet: []uint32{1}},
 			{EventSet: []tetragon.EventType{tetragon.EventType_PROCESS_EXEC, tetragon.EventType_PROCESS_EXIT, tetragon.EventType_PROCESS_KPROBE, tetragon.EventType_PROCESS_TRACEPOINT}},
 			{ArgumentsRegex: []string{"^--version$", "^-a -b -c$"}},