filters: implement parent_arguments_regex

Add a filter that matches the process.parent.arguments field using the same regex syntax
as the binary_regex filter. Equivalent to arguments_regex but for the parent process.

Signed-off-by: William Findlay <[email protected]>

api/v1/tetragon/events.proto

@@ -61,6 +61,9 @@ message Filter {
 	CapFilter capabilities = 11;
     // Filter parent process' binary using RE2 regular expression syntax.
     repeated string parent_binary_regex = 12;
+    // Filter by process.parent.arguments field using RE2 regular expression syntax:
+    // https://github.com/google/re2/wiki/Syntax
+    repeated string parent_arguments_regex = 14;
 }
 
 // Filter over a set of Linux process capabilities. See `message Capabilities`

docs/content/en/docs/concepts/events.md

@@ -157,11 +157,12 @@ flags, or environment variables.
 | `pid` | Filter by process PID. | 
 | `pid_set` | Like `pid` but also includes processes that are descendants of the listed PIDs. | 
 | `pod_regex` | Filter by pod name using a list of regular expressions. You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | 
-| `arguments_regex` | Filter by pod name using a list of regular expressions. You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | 
+| `arguments_regex` | Filter by process arguments using a list of regular expressions. You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | 
 | `labels` | Filter events by pod labels using [Kubernetes label selector syntax](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) Note that this filter never matches events without the pod field (i.e. host process events). |
 | `policy_names` | Filter events by tracing policy names. |
 | `capabilities` | Filter events by Linux process capability. |
 | `parent_binary_regex` | Filter process events by a list of regular expressions of parent process binary names (e.g. `"^/home/kubernetes/bin/kubelet$"`). You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | 
+| `parent_arguments_regex` | Filter by parent process arguments using a list of regular expressions. You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | 
 
 #### Field Filtering 
 

pkg/filters/arguments_regex.go

@@ -13,7 +13,7 @@ import (
 	"github.com/cilium/tetragon/api/v1/tetragon"
 )
 
-func filterByArgumentsRegex(argumentsPatterns []string) (hubbleFilters.FilterFunc, error) {
+func filterByArgumentsRegex(argumentsPatterns []string, parent bool) (hubbleFilters.FilterFunc, error) {
 	var argsRegexList []*regexp.Regexp
 	for _, pattern := range argumentsPatterns {
 		query, err := regexp.Compile(pattern)
@@ -23,7 +23,12 @@ func filterByArgumentsRegex(argumentsPatterns []string) (hubbleFilters.FilterFun
 		argsRegexList = append(argsRegexList, query)
 	}
 	return func(ev *hubbleV1.Event) bool {
-		process := GetProcess(ev)
+		var process *tetragon.Process
+		if parent {
+			process = GetParent(ev)
+		} else {
+			process = GetProcess(ev)
+		}
 		if process == nil {
 			return false
 		}
@@ -41,7 +46,21 @@ type ArgumentsRegexFilter struct{}
 func (f *ArgumentsRegexFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
 	var fs []hubbleFilters.FilterFunc
 	if ff.ArgumentsRegex != nil {
-		argumentsFilters, err := filterByArgumentsRegex(ff.ArgumentsRegex)
+		argumentsFilters, err := filterByArgumentsRegex(ff.ArgumentsRegex, false)
+		if err != nil {
+			return nil, err
+		}
+		fs = append(fs, argumentsFilters)
+	}
+	return fs, nil
+}
+
+type ParentArgumentsRegexFilter struct{}
+
+func (f *ParentArgumentsRegexFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
+	var fs []hubbleFilters.FilterFunc
+	if ff.ParentArgumentsRegex != nil {
+		argumentsFilters, err := filterByArgumentsRegex(ff.ParentArgumentsRegex, true)
 		if err != nil {
 			return nil, err
 		}

pkg/filters/arguments_regex_test.go

@@ -39,6 +39,30 @@ func TestArgumentsRegexFilterBasic(t *testing.T) {
 	assert.False(t, fl.MatchOne(&ev))
 }
 
+func TestParentArgumentsRegexFilter(t *testing.T) {
+	f := []*tetragon.Filter{{ParentArgumentsRegex: []string{
+		"^foo$",
+		"^--bar \\d+$",
+	}}}
+	fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&ParentArgumentsRegexFilter{}})
+	assert.NoError(t, err)
+	process := tetragon.Process{Arguments: "foo"}
+	ev := v1.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{
+					Parent: &process,
+				},
+			},
+		},
+	}
+	assert.True(t, fl.MatchOne(&ev))
+	process.Arguments = "--bar 12"
+	assert.True(t, fl.MatchOne(&ev))
+	process.Arguments = "--no-match"
+	assert.False(t, fl.MatchOne(&ev))
+}
+
 func TestArgumentsRegexFilterInvalidRegex(t *testing.T) {
 	f := []*tetragon.Filter{{ArgumentsRegex: []string{"*"}}}
 	_, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&ArgumentsRegexFilter{}})

pkg/filters/filters.go

@@ -91,6 +91,7 @@ var Filters = []OnBuildFilter{
 	&PidSetFilter{},
 	&EventTypeFilter{},
 	&ArgumentsRegexFilter{},
+	&ParentArgumentsRegexFilter{},
 	&LabelsFilter{},
 	&PodRegexFilter{},
 	&PolicyNamesFilter{},