feat: allow different field names

- possible to any field name in in-kernel string filter; - currently only one field name (string type) is allowed for in-kernel filter; - Possibily of using multiples field names in future.
aquasecurity · Jan 31, 2025 · fcc9950 · fcc9950
1 parent f5c6f79
commit fcc9950
Showing 1 changed file with 54 additions and 33 deletions.
diff --git a/pkg/filters/data.go b/pkg/filters/data.go
@@ -44,6 +44,17 @@ func (kdf *KernelDataFilter) IsKernelFilterEnabled(field string) bool {
 	return false
 }
 
+// getKernelFieldName return only one field name with in-kernel filter
+// TODO: need to retrieve all possible field names (and not only one)
+func (kdf *KernelDataFilter) getKernelFieldName() string {
+	var key string
+	for k := range kdf.kernelFilters {
+		key = k
+		break
+	}
+	return key
+}
+
 type DataFilter struct {
 	filters          map[string]Filter[*StringFilter]
 	kernelDataFilter *KernelDataFilter
@@ -61,6 +72,43 @@ func NewDataFilter() *DataFilter {
 	}
 }
 
+// list of events and field names allowed to have in-kernel filter
+var allowedKernelField = map[events.ID]string{
+	// LSM hooks
+	events.SecurityFileOpen:       "pathname",
+	events.SecurityMmapFile:       "pathname",
+	events.SecurityBprmCheck:      "pathname",
+	events.SecurityKernelReadFile: "pathname",
+	events.SecurityPostReadFile:   "pathname",
+	events.SecurityFileMprotect:   "pathname",
+	events.SecurityPathNotify:     "pathname",
+	events.SecurityInodeUnlink:    "pathname",
+	events.SecuritySbMount:        "path",
+	events.SecurityBPFMap:         "map_name",
+	// Syscalls
+	events.Execve:   "pathname",
+	events.Execveat: "pathname",
+	// Others
+	events.ModuleLoad:         "pathname",
+	events.InotifyWatch:       "pathname",
+	events.DoTruncate:         "pathname",
+	events.MagicWrite:         "pathname",
+	events.VfsUtimes:          "pathname",
+	events.LoadElfPhdrs:       "pathname",
+	events.CallUsermodeHelper: "pathname",
+	events.ChmodCommon:        "pathname",
+	events.DoMmap:             "pathname",
+}
+
+// checkAvailabilityKernelFilter check if event ID and field name are allowed to be an kernel filter
+func (f *DataFilter) checkAvailabilityKernelFilter(event events.ID, field string) bool {
+	if selectedField := allowedKernelField[event]; selectedField != field {
+		return false
+	}
+
+	return true
+}
+
 func (f *DataFilter) Equalities() (StringFilterEqualities, error) {
 	if !f.Enabled() {
 		return StringFilterEqualities{
@@ -73,8 +121,9 @@ func (f *DataFilter) Equalities() (StringFilterEqualities, error) {
 		}, nil
 	}
 
-	// selected data name
-	dataField := "dev_name"
+	// get the field name for in-kernel filter
+	// TODO: only one allowed at the moment (more to come)
+	dataField := f.kernelDataFilter.getKernelFieldName()
 
 	fieldName, ok := f.filters[dataField]
 	if !ok {
@@ -166,34 +215,10 @@ func (f *DataFilter) Parse(id events.ID, fieldName string, operatorAndValues str
 	// valueHandler is passed to the filter constructor to allow for custom value handling
 	// before the filter is applied
 	valueHandler := func(val string) (string, error) {
-		switch id {
-		case
-			// field "dev_name"
-			events.SecuritySbMount,
-			// LSM hooks
-			events.SecurityFileOpen,
-			events.SecurityMmapFile,
-			events.SecurityBprmCheck,
-			events.SecurityKernelReadFile,
-			events.SecurityPostReadFile,
-			events.SecurityFileMprotect,
-			events.SecurityPathNotify,
-			events.SecurityInodeUnlink,
-			// Syscalls
-			events.Execve,
-			events.Execveat,
-			// Others
-			events.ModuleLoad,
-			events.InotifyWatch,
-			events.DoTruncate,
-			events.MagicWrite,
-			events.VfsUtimes,
-			events.LoadElfPhdrs,
-			events.CallUsermodeHelper,
-			events.ChmodCommon,
-			events.DoMmap:
+		if f.checkAvailabilityKernelFilter(id, fieldName) {
 			return f.processKernelFilter(val, fieldName)
-
+		}
+		switch id {
 		case events.SysEnter,
 			events.SysExit,
 			events.SuspiciousSyscallSource,
@@ -302,10 +327,6 @@ func (f *DataFilter) checkKernelFilterRestrictions(val string) error {
 // enableKernelFilterArg activates a kernel filter for the specified data field.
 // This function currently supports enabling filters for the "pathname" field only.
 func (f *DataFilter) enableKernelFilterArg(fieldName string) {
-	if fieldName != "dev_name" {
-		return
-	}
-
 	filter, ok := f.filters[fieldName]
 	if !ok {
 		return