From c78b30591644d4b7ab7b68b7ccba978e4f702bc8 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Fri, 7 Mar 2025 22:39:05 +0200
Subject: more on filters, needs more testing

---
 internal/eventfilter.go | 40 +++++++++++++++++++++++++++-------------
 internal/eventloop.go | 13 ++++++++++---
 internal/file.go | 13 +++++++++++++
 3 files changed, 50 insertions(+), 16 deletions(-)
(limited to 'internal')
diff --git a/internal/eventfilter.go b/internal/eventfilter.go
index cedd88d..7edc330 100644
--- a/internal/eventfilter.go
+++ b/internal/eventfilter.go
@@ -5,13 +5,16 @@ import (
 "fmt"
 "ior/internal/flags"
 "ior/internal/generated/types"
+ "strings"
 )
 
 type eventFilter struct {
 commFilterEnable bool
- commFilter [types.MAX_PROGNAME_LENGTH]byte
+ commFilterBytes [types.MAX_PROGNAME_LENGTH]byte
+ commFilter string
 pathFilterEnable bool
- pathFilter [types.MAX_FILENAME_LENGTH]byte
+ pathFilterBytes [types.MAX_FILENAME_LENGTH]byte
+ pathFilter string
 }
 
 func newEventFilter(flags flags.Flags) *eventFilter {
@@ -22,41 +25,52 @@ func newEventFilter(flags flags.Flags) *eventFilter {
 panic(fmt.Sprintf("Comm filter's max size is %d", types.MAX_PROGNAME_LENGTH))
 }
 ef.commFilterEnable = true
- copy(ef.commFilter[:], []byte(flags.CommFilter))
+ copy(ef.commFilterBytes[:], []byte(flags.CommFilter))
+ ef.commFilter = flags.CommFilter
 }
+
 if flags.PathFilter != "" {
 if len(flags.PathFilter) > types.MAX_FILENAME_LENGTH {
 panic(fmt.Sprintf("Path filter's max size is %d", types.MAX_FILENAME_LENGTH))
 }
 ef.pathFilterEnable = true
- copy(ef.pathFilter[:], []byte(flags.PathFilter))
+ copy(ef.pathFilterBytes[:], []byte(flags.PathFilter))
+ ef.pathFilter = flags.PathFilter
 }
 return &ef
 }
 
+func (ef *eventFilter) eventPair(ev *eventPair) bool {
+ if ef.commFilterEnable && !strings.Contains(ev.comm, ef.commFilter) {
+ return false
+ }
+ if ef.pathFilterEnable && !strings.Contains(ev.file.Name(), ef.pathFilter) {
+ return false
+ }
+ return true
+}
+
 func (ef *eventFilter) openEvent(ev *types.OpenEvent) (*types.OpenEvent, bool) {
- commFilterPass := true
- if ef.commFilterEnable {
- commFilterPass = bytes.Contains(ev.Comm[:], ef.commFilter[:])
+ if ef.commFilterEnable && !bytes.Contains(ev.Comm[:], ef.commFilterBytes[:]) {
+ return ev, false
 }
- pathFilterPass := true
- if ef.pathFilterEnable {
- pathFilterPass = bytes.Contains(ev.Filename[:], ef.pathFilter[:])
+ if ef.pathFilterEnable && !bytes.Contains(ev.Filename[:], ef.pathFilterBytes[:]) {
+ return ev, false
 }
- return ev, commFilterPass && pathFilterPass
+ return ev, true
 }
 
 func (ef *eventFilter) pathEvent(ev *types.PathEvent) (*types.PathEvent, bool) {
 if ef.pathFilterEnable {
- return ev, bytes.Contains(ev.Pathname[:], ef.pathFilter[:])
+ return ev, bytes.Contains(ev.Pathname[:], ef.pathFilterBytes[:])
 }
 return ev, true
 }
 
 func (ef *eventFilter) nameEvent(ev *types.NameEvent) (*types.NameEvent, bool) {
 if ef.pathFilterEnable {
- return ev, bytes.Contains(ev.Oldname[:], ef.pathFilter[:]) || bytes.Contains(ev.Newname[:],
ef.pathFilter[:])
+ return ev, bytes.Contains(ev.Oldname[:], ef.pathFilterBytes[:]) || bytes.Contains(ev.Newname[:], ef.pathFilterBytes[:])
 }
 return ev, true
 }
diff --git a/internal/eventloop.go b/internal/eventloop.go
index 8569004..4f0f7ca 100644
--- a/internal/eventloop.go
+++ b/internal/eventloop.go
@@ -5,6 +5,7 @@ import "C"
 import (
 "fmt"
 "os"
+ "path/filepath"
 
 "ior/internal/flags"
 . "ior/internal/generated/types"
@@ -48,7 +49,6 @@ func (e *eventLoop) run(rawCh <-chan []byte) {
 fmt.Println("Good bye")
 }
 
-// Deserialise raw byte stream from BPF ringbuffer.
 func (e *eventLoop) events(rawCh <-chan []byte) <-chan *eventPair {
 ch := make(chan *eventPair)
 
@@ -131,7 +131,6 @@ func (e *eventLoop) syscallExit(exitEv event, ch chan<- *eventPair) {
 e.files[fd] = file
 }
 ev.file = file
- e.comms[openEv.Tid] = string(openEv.Comm[:])
 
 case *NameEvent:
 
@@ -158,9 +157,16 @@ func (e *eventLoop) syscallExit(exitEv event, ch chan<- *eventPair) {
 ev.file = newFdFileWithPid(fd, ev.enterEv.(*FdEvent).Pid)
 }
 ev.comm = e.comm(ev.enterEv.GetTid())
-
+ if !e.filter.eventPair(ev) {
+ ev.recycle()
+ return
+ }
 case *NullEvent:
 ev.comm = e.comm(ev.enterEv.GetTid())
+ if !e.filter.eventPair(ev) {
+ ev.recycle()
+ return
+ }
 
 default:
 panic(fmt.Sprintf("unknown type: %v", v))
@@ -177,6 +183,7 @@ func (e *eventLoop) comm(tid uint32) string {
 return comm
 }
 if linkName, err := os.Readlink(fmt.Sprintf("/proc/%d/exe", tid)); err == nil {
+ linkName = filepath.Base(linkName)
 e.comms[tid] = linkName
 return linkName
 }
diff --git a/internal/file.go b/internal/file.go
index efb570b..fe519ba 100644
--- a/internal/file.go
+++ b/internal/file.go
@@ -9,6 +9,7 @@ import (
 
 type file interface {
 String() string
+ Name() string
 }
 
 type fdFile struct {
@@ -27,6 +28,10 @@ func newFdFileWithPid(fd int32, pid uint32) fdFile {
 return fdFile{fd, "?"}
 }
 
+func (f fdFile) Name() string {
+ return f.name
+}
+
 func (f fdFile) String() string {
 var sb strings.Builder
 
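Review bot: The two filter implementations in this hunk disagree on what a match is: `commFilterBytes` and `pathFilterBytes` are zero-padded to their full array length, so `bytes.Contains(ev.Comm[:], ef.commFilterBytes[:])` in openEvent, and the three `pathFilterBytes[:]` searches in openEvent/pathEvent/nameEvent, only match when the filter text is followed by zero bytes up to the end of the array, which is effectively a whole-name match, whereas the new `eventPair` applies `strings.Contains` substring semantics to the same command-line flag. Slicing the needle to its real length, `bytes.Contains(ev.Comm[:], ef.commFilterBytes[:len(ef.commFilter)])` and `ef.pathFilterBytes[:len(ef.pathFilter)]` in the other three calls, gives both sides the same substring behaviour (this assumes `ev.Comm` and `ev.Filename` are fixed-size byte arrays, as the `types.MAX_*` length checks in newEventFilter suggest). A short doc comment on the new method, `// eventPair applies the comm and path filters (substring match) to a fully resolved event pair; it is the user-space counterpart of openEvent/pathEvent/nameEvent.`, would make the intended semantics explicit. newEventFilter's opening lines are outside the hunk.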
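Review bot: The `*NullEvent` arm hands the pair to `e.filter.eventPair(ev)` after setting only `ev.comm`; whether `ev.file` is populated for a null event is not visible in this hunk, and if it can be nil a configured path filter panics on `ev.file.Name()` inside `eventPair` instead of dropping the event. Either give null events a placeholder file before the call or make `eventPair` treat a nil file as a non-match, and say which in a comment on the arm. The same four-line filter-and-recycle block now appears in both the `*FdEvent` and `*NullEvent` arms; if the other arms are meant to rely on the byte-level filters only, a one-line comment saying so would stop the next reader from hoisting it after the `switch`, and if they are not, hoisting it is the simpler fix. The enclosing `switch` in syscallExit starts and ends outside the hunk.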
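Review bot: The basename stored at `e.comms[tid] = linkName` is never invalidated in this hunk, and with the `e.comms[openEv.Tid] = string(openEv.Comm[:])` refresh removed earlier in this diff the cache is write-once per tid as far as the diff shows, so a tid that exec()s into another binary, or that exits and is reused, keeps matching its first-seen name in `eventPair`'s comm filter. Evicting the entry when a tid is observed to exit, or re-reading the link when an open for that tid arrives, would bound the staleness; the function's remaining fallback branch is outside the hunk. Note also that `/proc/<tid>/exe` is the executable path rather than the kernel task comm that the BPF-side `ev.Comm` presumably carries, so it is not truncated to the comm length and ignores `prctl(PR_SET_NAME)`, and the same comm filter can pass openEvent yet fail eventPair or vice versa. A comment such as `// Cached per tid and never invalidated: a reused or exec()ed tid keeps its first-seen name.` would at least record the limitation.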
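Review bot: `fdFile.Name()` can return the `"?"` placeholder that `newFdFileWithPid` stores when it cannot resolve the descriptor (visible in the context lines above), and nothing on the accessor signals that; a caller filtering on `Name()` will silently drop every unresolved fd, and a filter string containing `?` will match all of them. A doc comment would make the contract explicit: `// Name returns the resolved path of the descriptor, or "?" when newFdFileWithPid could not resolve it; callers must treat "?" as unknown, not as a path.`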
@@ -46,6 +51,10 @@ type oldnameNewnameFile struct {
 oldname, newname string
 }
 
+func (f oldnameNewnameFile) Name() string {
+ return f.newname
+}
+
 func (f oldnameNewnameFile) String() string {
 var sb strings.Builder
 
@@ -61,6 +70,10 @@ type pathnameFile struct {
 pathname string
 }
 
+func (f pathnameFile) Name() string {
+ return f.pathname
+}
+
 func (f pathnameFile) String() string {
 var sb strings.Builder
 
-- 
cgit v1.2.3
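Review bot: `oldnameNewnameFile.Name()` exposes only `newname`, so any filtering done through the `file` interface never sees the source side of a rename, unlike the byte-level nameEvent filter in eventfilter.go, which matches on either `Oldname` or `Newname`. If that is intended, document it on the method, `// Name returns the destination name only; a filter on Name() cannot match the source name of a rename.`, and if not, consider returning both names so substring matching sees either. pathnameFile.Name() in the following hunk has no such ambiguity.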