authorPaul Buetow <paul@buetow.org>2025-03-16 10:29:21 +0200
committerPaul Buetow <paul@buetow.org>2025-03-16 10:29:21 +0200
commit8714956d6a45e65307e36afd57f86961bc7b142c (patch)
tree3ab6f8cc45076235f8c96132f2700ba8d7b2955d
parent191a8716a52a761f38550d4e58b14b9f5594d8ae (diff)
initial tracepoint filter
-rw-r--r--internal/flags/flags.go12
-rw-r--r--internal/ior.go11
2 files changed, 20 insertions, 3 deletions
diff --git a/internal/flags/flags.go b/internal/flags/flags.go
index 4d375fc..3f07847 100644
--- a/internal/flags/flags.go
+++ b/internal/flags/flags.go
@@ -3,11 +3,11 @@ package flags
import (
"flag"
"fmt"
+ "strings"
bpf "github.com/aquasecurity/libbpfgo"
)
-// TODO: Filter by syscall (tracepoint names)
type Flags struct {
PidFilter int
TidFilter int
@@ -17,6 +17,7 @@ type Flags struct {
PprofEnable bool
FlamegraphEnable bool
Duration int
+ TracepointNames map[string]struct{}
}
func New() (flags Flags) {
@@ -24,12 +25,21 @@ func New() (flags Flags) {
flag.IntVar(&flags.TidFilter, "tid", -1, "Filter for thread ID")
flag.IntVar(&flags.EventMapSize, "mapSize", 4096*16, "BPF FD event ring buffer map size")
flag.IntVar(&flags.Duration, "duration", 60, "Probe duration in seconds")
+
flag.StringVar(&flags.CommFilter, "comm", "", "Command to filter for")
flag.StringVar(&flags.PathFilter, "path", "", "Path to filter for")
+
flag.BoolVar(&flags.PprofEnable, "pprof", false, "Enable profiling")
flag.BoolVar(&flags.FlamegraphEnable, "flamegraph", false, "Enable flamegraph builder")
+
+ tracepointNames := flag.String("tracepoints", "", "Comma separated list of tracepoints (empty: trace all)")
flag.Parse()
+ flags.TracepointNames = make(map[string]struct{}, len(*tracepointNames))
+ for _, name := range strings.Split(*tracepointNames, ",") {
+ flags.TracepointNames[name] = struct{}{}
+ }
+
return flags
}
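Review bot: When `-tracepoints` is left at its default, `strings.Split("", ",")` returns a one-element slice holding `""`, so `flags.TracepointNames` always has at least one key and is never empty. The `len(tracepointNames) == 0` check in `attachTracepoints` (internal/ior.go hunk) then never sets `attachAll`, so the documented "empty: trace all" default appears to attach no tracepoints at all and the tool runs blind without an error. Skip blank entries in the loop, e.g. `if name = strings.TrimSpace(name); name != "" { flags.TracepointNames[name] = struct{}{} }`, which also tolerates `a, b` and trailing commas. The capacity hint `len(*tracepointNames)` is the byte length of the string rather than an entry count, so it can simply be dropped.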
diff --git a/internal/ior.go b/internal/ior.go
index 51ce2d1..f9635e5 100644
--- a/internal/ior.go
+++ b/internal/ior.go
@@ -17,8 +17,15 @@ import (
bpf "github.com/aquasecurity/libbpfgo"
)
-func attachTracepoints(bpfModule *bpf.Module) error {
+func attachTracepoints(bpfModule *bpf.Module, tracepointNames map[string]struct{}) error {
+ attachAll := len(tracepointNames) == 0
+
for _, name := range tracepoints.List {
+ if _, ok := tracepointNames[name]; !ok && !attachAll {
+ // Not attaching tracepoint
+ continue
+ }
+
prog, err := bpfModule.GetProgram(fmt.Sprintf("handle_%s", name))
if err != nil {
return fmt.Errorf("Failed to get BPF program handle_%s: %v", name, err)
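Review bot: A requested name that does not occur in `tracepoints.List` is skipped silently, so a typo in `-tracepoints` gives a run that attaches fewer probes than asked for (possibly none) while, as far as this hunk shows, still returning nil. For a tracing tool that is a silent coverage gap. After the loop, check each key of `tracepointNames` against the names that were attached and fail on the first miss, e.g. `return fmt.Errorf("unknown tracepoint %q", name)`. The comment `// Not attaching tracepoint` would read better as `// filter is set and does not include this tracepoint`. The function body continues outside the hunk.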
@@ -55,7 +62,7 @@ func Run(flags flags.Flags) {
panic(err)
}
- if err := attachTracepoints(bpfModule); err != nil {
+ if err := attachTracepoints(bpfModule, flags.TracepointNames); err != nil {
panic(err)
}