filters: implement in_init_tree filter

Implement a new export filter for the process.in_init_tree field.

Signed-off-by: William Findlay <[email protected]>

api/v1/tetragon/events.proto

@@ -69,6 +69,11 @@ message Filter {
     // Filter by the container ID in the process.docker field using RE2 regular expression syntax:
     // https://github.com/google/re2/wiki/Syntax
     repeated string container_id = 15;
+    // Filter containerized processes based on whether they are descendants of
+    // the container's init process. This can be used, for example, to watch
+    // for processes injected into a container via docker exec, kubectl exec, or
+    // similar mechanisms.
+    google.protobuf.BoolValue in_init_tree = 16;
 }
 
 // Filter over a set of Linux process capabilities. See `message Capabilities`

pkg/filters/container.go

@@ -50,3 +50,25 @@ func (f *ContainerIDFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter
 	}
 	return fs, nil
 }
+
+func filterByInInitTree(inInitTree bool) hubbleFilters.FilterFunc {
+	return func(ev *v1.Event) bool {
+		process := GetProcess(ev)
+		// We want to be safe and assume false if process.InInitTree is missing somehow
+		inInitTreeVal := false
+		if process.InInitTree != nil {
+			inInitTreeVal = process.InInitTree.Value
+		}
+		return inInitTreeVal == inInitTree
+	}
+}
+
+type InInitTreeFilter struct{}
+
+func (f *InInitTreeFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
+	var fs []hubbleFilters.FilterFunc
+	if ff.InInitTree != nil {
+		fs = append(fs, filterByInInitTree(ff.InInitTree.Value))
+	}
+	return fs, nil
+}

pkg/filters/container_test.go

@@ -0,0 +1,68 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package filters
+
+import (
+	"context"
+	"testing"
+
+	v1 "github.com/cilium/cilium/pkg/hubble/api/v1"
+	"github.com/cilium/tetragon/api/v1/tetragon"
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/types/known/wrapperspb"
+)
+
+func TestContainerID(t *testing.T) {
+	f := []*tetragon.Filter{{ContainerId: []string{
+		"^2f00a73446e0",
+	}}}
+	fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&ContainerIDFilter{}})
+	assert.NoError(t, err)
+	process := tetragon.Process{Docker: "2f00a73446e0"}
+	ev := v1.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{
+					Process: &process,
+				},
+			},
+		},
+	}
+	assert.True(t, fl.MatchOne(&ev))
+	process.Docker = "foo"
+	assert.False(t, fl.MatchOne(&ev))
+}
+
+func TestInInitTree(t *testing.T) {
+	f := []*tetragon.Filter{{InInitTree: &wrapperspb.BoolValue{Value: true}}}
+	fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&InInitTreeFilter{}})
+	assert.NoError(t, err)
+	process := tetragon.Process{}
+	ev := v1.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{
+					Process: &process,
+				},
+			},
+		},
+	}
+	process.InInitTree = &wrapperspb.BoolValue{Value: true}
+	assert.True(t, fl.MatchOne(&ev))
+	process.InInitTree = &wrapperspb.BoolValue{Value: false}
+	assert.False(t, fl.MatchOne(&ev))
+	process.InInitTree = nil
+	assert.False(t, fl.MatchOne(&ev))
+
+	f = []*tetragon.Filter{{InInitTree: &wrapperspb.BoolValue{Value: false}}}
+	fl, err = BuildFilterList(context.Background(), f, []OnBuildFilter{&InInitTreeFilter{}})
+	assert.NoError(t, err)
+
+	process.InInitTree = &wrapperspb.BoolValue{Value: true}
+	assert.False(t, fl.MatchOne(&ev))
+	process.InInitTree = &wrapperspb.BoolValue{Value: false}
+	assert.True(t, fl.MatchOne(&ev))
+	process.InInitTree = nil
+	assert.True(t, fl.MatchOne(&ev))
+}

pkg/filters/filters.go

@@ -97,6 +97,7 @@ var Filters = []OnBuildFilter{
 	&PolicyNamesFilter{},
 	&CapsFilter{},
 	&ContainerIDFilter{},
+	&InInitTreeFilter{},
 }
 
 func GetProcess(event *v1.Event) *tetragon.Process {