Add internal event feature (aquasecurity#1685)

for some events we need the ability to pass information to the user mode. this results in internal events being exported to the user. this commit marks those events as internal and makes them unfiltered and doesn't print them to the user in the --list message.
r21gh · Apr 26, 2022 · f648c0c · f648c0c
1 parent bef3f9a
commit f648c0c
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 4 deletions.
diff --git a/cmd/tracee-ebpf/internal/flags/flags-filter.go b/cmd/tracee-ebpf/internal/flags/flags-filter.go
@@ -145,7 +145,9 @@ func PrepareFilter(filters []string) (tracee.Filter, error) {
 
 	eventsNameToID := make(map[string]int32, len(tracee.EventsDefinitions))
 	for id, event := range tracee.EventsDefinitions {
-		eventsNameToID[event.Name] = id
+		if !event.Internal {
+			eventsNameToID[event.Name] = id
+		}
 	}
 
 	for _, f := range filters {

diff --git a/cmd/tracee-ebpf/main.go b/cmd/tracee-ebpf/main.go
@@ -537,7 +537,7 @@ func printEventGroup(b *strings.Builder, firstEventID, lastEventID int) {
 	for i := firstEventID; i < lastEventID; i++ {
 		index := int32(i)
 		event, ok := tracee.EventsDefinitions[index]
-		if !ok {
+		if !ok || event.Internal {
 			continue
 		}
 		if event.Sets != nil {

diff --git a/cmd/tracee-ebpf/main_test.go b/cmd/tracee-ebpf/main_test.go
@@ -209,6 +209,12 @@ func TestPrepareFilter(t *testing.T) {
 			expectedFilter: tracee.Filter{},
 			expectedError:  errors.New("invalid event to trace: bl*ah"),
 		},
+		{
+			testName:       "internal event selection",
+			filters:        []string{"event=print_syscall_table"},
+			expectedFilter: tracee.Filter{},
+			expectedError:  errors.New("invalid event to trace: print_syscall_table"),
+		},
 		{
 			testName:       "invalid not wildcard",
 			filters:        []string{"event!=bl*ah"},

diff --git a/pkg/ebpf/events_definitions.go b/pkg/ebpf/events_definitions.go
@@ -36,6 +36,7 @@ type dependencies struct {
 type EventDefinition struct {
 	ID32Bit      int32
 	Name         string
+	Internal     bool
 	Probes       []probe
 	Dependencies dependencies
 	Sets         []string
@@ -6297,8 +6298,9 @@ var EventsDefinitions = map[int32]EventDefinition{
 		},
 	},
 	PrintSyscallTableEventID: {
-		ID32Bit: sys32undefined,
-		Name:    "print_syscall_table",
+		ID32Bit:  sys32undefined,
+		Name:     "print_syscall_table",
+		Internal: true,
 		Probes: []probe{
 			{event: "security_file_ioctl", attach: kprobe, fn: "trace_tracee_trigger_event"},
 		},