authorPaul Buetow <paul@buetow.org>2025-03-16 10:52:53 +0200
committerPaul Buetow <paul@buetow.org>2025-03-16 10:52:53 +0200
commit4b3026d0571b0e901cdbd2874b7958a2dc58b10c (patch)
tree6c1351c6b3c6f1a8aec465479e3944e94925f756
parent8714956d6a45e65307e36afd57f86961bc7b142c (diff)
can filter for tracepoints
-rw-r--r--internal/flags/flags.go42
-rw-r--r--internal/ior.go16
2 files changed, 37 insertions, 21 deletions
diff --git a/internal/flags/flags.go b/internal/flags/flags.go
index 3f07847..fd4f09c 100644
--- a/internal/flags/flags.go
+++ b/internal/flags/flags.go
@@ -3,21 +3,23 @@ package flags
import (
"flag"
"fmt"
+ "os"
+ "regexp"
"strings"
bpf "github.com/aquasecurity/libbpfgo"
)
type Flags struct {
- PidFilter int
- TidFilter int
- EventMapSize int
- CommFilter string
- PathFilter string
- PprofEnable bool
- FlamegraphEnable bool
- Duration int
- TracepointNames map[string]struct{}
+ PidFilter int
+ TidFilter int
+ EventMapSize int
+ CommFilter string
+ PathFilter string
+ PprofEnable bool
+ FlamegraphEnable bool
+ Duration int
+ TracepointsToAttach []*regexp.Regexp
}
func New() (flags Flags) {
@@ -32,17 +34,33 @@ func New() (flags Flags) {
flag.BoolVar(&flags.PprofEnable, "pprof", false, "Enable profiling")
flag.BoolVar(&flags.FlamegraphEnable, "flamegraph", false, "Enable flamegraph builder")
- tracepointNames := flag.String("tracepoints", "", "Comma separated list of tracepoints (empty: trace all)")
+ tracepointNames := flag.String("tracepoints", "", "Comma separated list regexes for tracepoints to load")
flag.Parse()
- flags.TracepointNames = make(map[string]struct{}, len(*tracepointNames))
for _, name := range strings.Split(*tracepointNames, ",") {
- flags.TracepointNames[name] = struct{}{}
+ re, err := regexp.Compile(name)
+ if err != nil {
+ fmt.Println("Unable to compile regex", name, ": ", err)
+ os.Exit(2)
+ }
+ flags.TracepointsToAttach = append(flags.TracepointsToAttach, re)
}
return flags
}
+func (flags Flags) AttachTracepoint(tracepointName string) bool {
+ if len(flags.TracepointsToAttach) == 0 {
+ return true
+ }
+ for _, re := range flags.TracepointsToAttach {
+ if re.MatchString(tracepointName) {
+ return true
+ }
+ }
+ return false
+}
+
func (flags Flags) SetBPF(bpfModule *bpf.Module) error {
fmt.Println("Setting PID_FILTER to", flags.PidFilter)
if err := bpfModule.InitGlobalVariable("PID_FILTER", uint32(flags.PidFilter)); err != nil {
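Review bot: The split loop in New() compiles empty list elements, and an empty pattern matches every tracepoint name, so the filter fails open. `strings.Split("", ",")` returns one empty string, so TracepointsToAttach is never empty after New(); the default of attaching everything comes from that empty regex, not from the `len(flags.TracepointsToAttach) == 0` branch in AttachTracepoint. A trailing comma or `a,,b` likewise attaches all tracepoints without any message. Skip empty elements before compiling, e.g. `if name = strings.TrimSpace(name); name == "" { continue }`. MatchString is also unanchored, so a pattern matches any name that contains it; the help text should say so, or the user should be told to anchor with `^...$`. SetBPF continues outside the hunk.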
diff --git a/internal/ior.go b/internal/ior.go
index f9635e5..361c8b6 100644
--- a/internal/ior.go
+++ b/internal/ior.go
@@ -17,27 +17,25 @@ import (
bpf "github.com/aquasecurity/libbpfgo"
)
-func attachTracepoints(bpfModule *bpf.Module, tracepointNames map[string]struct{}) error {
- attachAll := len(tracepointNames) == 0
-
+func attachTracepoints(flags flags.Flags, bpfModule *bpf.Module) error {
for _, name := range tracepoints.List {
- if _, ok := tracepointNames[name]; !ok && !attachAll {
- // Not attaching tracepoint
+ if !flags.AttachTracepoint(name) {
continue
}
+ fmt.Println("Attaching tracepoint", name)
prog, err := bpfModule.GetProgram(fmt.Sprintf("handle_%s", name))
if err != nil {
return fmt.Errorf("Failed to get BPF program handle_%s: %v", name, err)
}
- fmt.Println("Attached prog handle_" + name)
+ fmt.Println("Attached prog handle_", name)
if _, err = prog.AttachTracepoint("syscalls", name); err != nil {
// OK, older Kernel versions may not have this tracepoint!
- fmt.Println(fmt.Errorf("Failed to attach to %s tracepoint: %v", name, err))
+ fmt.Printf("Failed to attach to %s tracepoint: %v, kernel version may be too old, skipping", name, err)
continue
}
- fmt.Println("Attached tracepoint " + name)
+ fmt.Println("Attached tracepoint ", name)
}
return nil
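Review bot: The new `fmt.Printf("Failed to attach to %s tracepoint: ...")` on the attach-failure path has no trailing `\n`, so the next message runs onto the same line; end the format string with `skipping\n`. `fmt.Println("Attached prog handle_", name)` now prints a space between `handle_` and the name, because Println separates operands, and it runs before `prog.AttachTracepoint` is called, so it reports an attach that has not happened yet; `fmt.Printf("Loaded prog handle_%s\n", name)` would be accurate. `fmt.Println("Attached tracepoint ", name)` prints two spaces for the same reason. Attach failures are skipped rather than returned, so a filtered run can trace fewer tracepoints than requested with only a stdout line to show for it; writing that message to standard error would make it harder to miss. The end of attachTracepoints is outside the hunk.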
@@ -62,7 +60,7 @@ func Run(flags flags.Flags) {
panic(err)
}
- if err := attachTracepoints(bpfModule, flags.TracepointNames); err != nil {
+ if err := attachTracepoints(flags, bpfModule); err != nil {
panic(err)
}