tests:filters: Add test for ancestor binary export filter

Add TestAncestorBinaryRegexFilter test to pkg/filters to ensure that new ancestor binary export filter works as expected. Signed-off-by: t0x01 <[email protected]>
cilium · Feb 5, 2025 · 74cf752 · 74cf752
1 parent 6f7d352
commit 74cf752
Show file tree

Hide file tree

Showing 2 changed files with 87 additions and 0 deletions.
diff --git a/pkg/filters/binary_regex_test.go b/pkg/filters/binary_regex_test.go
@@ -201,3 +201,89 @@ func TestParentBinaryRegexFilter(t *testing.T) {
 	}
 	assert.True(t, fl.MatchOne(&ev))
 }
+
+func TestAncestorBinaryRegexFilter(t *testing.T) {
+	f := []*tetragon.Filter{{
+		EventSet:            []tetragon.EventType{tetragon.EventType_PROCESS_EXEC, tetragon.EventType_PROCESS_EXIT},
+		AncestorBinaryRegex: []string{"bash", "zsh"},
+	}}
+	fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&AncestorBinaryRegexFilter{}})
+	assert.NoError(t, err)
+	ev := v1.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{
+					Process: &tetragon.Process{Binary: "/sbin/iptables"},
+				},
+			},
+		},
+	}
+	assert.False(t, fl.MatchOne(&ev))
+	ev = v1.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{
+					Parent:  &tetragon.Process{Binary: "/bin/foo"},
+					Process: &tetragon.Process{Binary: "/sbin/bash"},
+				},
+			},
+		},
+	}
+	assert.False(t, fl.MatchOne(&ev))
+	ev = v1.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{
+					Parent:  &tetragon.Process{Binary: "/bin/bash"},
+					Process: &tetragon.Process{Binary: "/sbin/iptables"},
+				},
+			},
+		},
+	}
+	assert.False(t, fl.MatchOne(&ev))
+	ev = v1.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{
+					Parent:  &tetragon.Process{Binary: "/bin/bash"},
+					Process: &tetragon.Process{Binary: "/sbin/iptables"},
+					Ancestors: []*tetragon.Process{
+						&tetragon.Process{Binary: "/bin/foo"},
+						&tetragon.Process{Binary: "/bin/bar"},
+					},
+				},
+			},
+		},
+	}
+	assert.False(t, fl.MatchOne(&ev))
+	ev = v1.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{
+					Parent:  &tetragon.Process{Binary: "/bin/sh"},
+					Process: &tetragon.Process{Binary: "/sbin/iptables"},
+					Ancestors: []*tetragon.Process{
+						&tetragon.Process{Binary: "/bin/foo"},
+						&tetragon.Process{Binary: "/bin/bash"},
+					},
+				},
+			},
+		},
+	}
+	assert.True(t, fl.MatchOne(&ev))
+	ev = v1.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{
+					Parent:  &tetragon.Process{Binary: "/bin/sh"},
+					Process: &tetragon.Process{Binary: "/sbin/iptables"},
+					Ancestors: []*tetragon.Process{
+						&tetragon.Process{Binary: "/bin/zsh"},
+						&tetragon.Process{Binary: "/bin/foo"},
+					},
+				},
+			},
+		},
+	}
+	assert.True(t, fl.MatchOne(&ev))
+}
diff --git a/pkg/filters/filters_test.go b/pkg/filters/filters_test.go
@@ -20,6 +20,7 @@ import (
 func TestMain(m *testing.M) {
 	// Needed for cap filters
 	option.Config.EnableProcessCred = true
+	option.Config.EnableProcessAncestors = true
 
 	code := m.Run()
 	os.Exit(code)