Move filtering higher in the chain

stackrox · Oct 4, 2023 · c38d0fa · c38d0fa
1 parent 4a79278
commit c38d0fa
Show file tree

Hide file tree

Showing 7 changed files with 82 additions and 51 deletions.
diff --git a/collector/lib/ProcessSignalFormatter.cpp b/collector/lib/ProcessSignalFormatter.cpp
@@ -232,18 +232,7 @@ bool ProcessSignalFormatter::ValidateProcessDetails(const sinsp_threadinfo* tinf
     return false;
   }
 
-  // exclude runc events
-  if (tinfo->m_exepath == "runc" && tinfo->m_comm == "6") {
-    return false;
-  }
-
-  std::string_view exepath_sv{tinfo->m_exepath};
-  auto marker = exepath_sv.rfind(':');
-  if (marker != std::string_view::npos) {
-    exepath_sv.remove_prefix(marker + 1);
-  }
-
-  return exepath_sv.rfind("/proc/self", 0) != 0;
+  return true;
 }
 
 bool ProcessSignalFormatter::ValidateProcessDetails(sinsp_evt* event) {

diff --git a/collector/lib/ProcessSignalFormatter.h b/collector/lib/ProcessSignalFormatter.h
@@ -1,8 +1,6 @@
 #ifndef _PROCESS_SIGNAL_FORMATTER_H_
 #define _PROCESS_SIGNAL_FORMATTER_H_
 
-#include <gtest/gtest_prod.h>
-
 #include "api/v1/signal.pb.h"
 #include "internalapi/sensor/signal_iservice.pb.h"
 #include "storage/process_indicator.pb.h"
@@ -30,8 +28,6 @@ class ProcessSignalFormatter : public ProtoSignalFormatter<sensor::SignalStreamM
   void GetProcessLineage(sinsp_threadinfo* tinfo, std::vector<LineageInfo>& lineage);
 
  private:
-  FRIEND_TEST(ProcessSignalFormatterTest, ValidateProcessDetails);
-
   Signal* CreateSignal(sinsp_evt* event);
   ProcessSignal* CreateProcessSignal(sinsp_evt* event);
   bool ValidateProcessDetails(const sinsp_threadinfo* tinfo);

diff --git a/collector/lib/Sysdig.h b/collector/lib/Sysdig.h
@@ -22,6 +22,7 @@ struct SysdigStats {
   volatile uint64_t nPreemptions = 0;  // the number of preemptions
 
   // stats gathered in user space
+  volatile uint64_t nFilteredEvents[PPM_EVENT_MAX] = {0};   // events post filtering
   volatile uint64_t nUserspaceEvents[PPM_EVENT_MAX] = {0};  // events processed by userspace
   volatile uint64_t nGRPCSendFailures = 0;                  // number of signals that were not sent on GRPC
 

diff --git a/collector/lib/SysdigService.cpp b/collector/lib/SysdigService.cpp
@@ -23,6 +23,7 @@
 #include "SelfChecks.h"
 #include "TimeUtil.h"
 #include "Utility.h"
+#include "threadinfo.h"
 
 namespace collector {
 
@@ -148,9 +149,39 @@ sinsp_evt* SysdigService::GetNext() {
   userspace_stats_.event_parse_micros[event->get_type()] += (NowMicros() - parse_start);
   ++userspace_stats_.nUserspaceEvents[event->get_type()];
 
+  if (!FilterEvent(event)) {
+    return nullptr;
+  }
+  ++userspace_stats_.nFilteredEvents[event->get_type()];
+
   return event;
 }
 
+bool SysdigService::FilterEvent(sinsp_evt* event) {
+  const auto* tinfo = event->get_thread_info();
+
+  return FilterEvent(tinfo);
+}
+
+bool SysdigService::FilterEvent(const sinsp_threadinfo* tinfo) {
+  if (tinfo == nullptr) {
+    return false;
+  }
+
+  // exclude runc events
+  if (tinfo->m_exepath == "runc" && tinfo->m_comm == "6") {
+    return false;
+  }
+
+  std::string_view exepath_sv{tinfo->m_exepath};
+  auto marker = exepath_sv.rfind(':');
+  if (marker != std::string_view::npos) {
+    exepath_sv.remove_prefix(marker + 1);
+  }
+
+  return exepath_sv.rfind("/proc/self", 0) != 0;
+}
+
 void SysdigService::Start() {
   std::lock_guard<std::mutex> libsinsp_lock(libsinsp_mutex_);
 

diff --git a/collector/lib/SysdigService.h b/collector/lib/SysdigService.h
@@ -7,13 +7,16 @@
 #include <mutex>
 #include <string>
 
+#include <gtest/gtest_prod.h>
+
 #include "libsinsp/sinsp.h"
 
 #include "Control.h"
 #include "DriverCandidates.h"
 #include "SignalHandler.h"
 #include "SignalServiceClient.h"
 #include "Sysdig.h"
+#include "threadinfo.h"
 
 namespace collector {
 
@@ -42,6 +45,8 @@ class SysdigService : public Sysdig {
   void GetProcessInformation(uint64_t pid, ProcessInfoCallbackRef callback);
 
  private:
+  FRIEND_TEST(SysdigServiceTest, FilterEvent);
+
   struct SignalHandlerEntry {
     std::unique_ptr<SignalHandler> handler;
     std::bitset<PPM_EVENT_MAX> event_filter;
@@ -55,6 +60,8 @@ class SysdigService : public Sysdig {
   };
 
   sinsp_evt* GetNext();
+  static bool FilterEvent(sinsp_evt* event);
+  static bool FilterEvent(const sinsp_threadinfo* tinfo);
 
   bool SendExistingProcesses(SignalHandler* handler);
 

diff --git a/collector/test/ProcessSignalFormatterTest.cpp b/collector/test/ProcessSignalFormatterTest.cpp
@@ -616,39 +616,4 @@ TEST(ProcessSignalFormatterTest, Rox3377ProcessLineageWithNoVPidTest) {
 
 }  // namespace
 
-TEST(ProcessSignalFormatterTest, ValidateProcessDetails) {
-  std::unique_ptr<sinsp> inspector(new sinsp());
-  ProcessSignalFormatter psf(inspector.get());
-
-  sinsp_threadinfo regular_process(inspector.get());
-  regular_process.m_exepath = "/bin/busybox";
-  regular_process.m_comm = "sleep";
-
-  sinsp_threadinfo runc_process(inspector.get());
-  runc_process.m_exepath = "runc";
-  runc_process.m_comm = "6";
-
-  sinsp_threadinfo proc_self_process(inspector.get());
-  proc_self_process.m_exepath = "/proc/self/exe";
-  proc_self_process.m_comm = "runc";
-
-  sinsp_threadinfo memfd_process(inspector.get());
-  memfd_process.m_exepath = "memfd:runc_cloned:/proc/self/exe";
-  memfd_process.m_comm = "6";
-
-  struct test_t {
-    const sinsp_threadinfo& tinfo;
-    bool expected;
-  };
-  std::vector<test_t> tests{
-      {regular_process, true},
-      {runc_process, false},
-      {proc_self_process, false},
-      {memfd_process, false},
-  };
-
-  for (const auto& t : tests) {
-    ASSERT_EQ(psf.ValidateProcessDetails(&t.tinfo), t.expected);
-  }
-}
 }  // namespace collector
diff --git a/collector/test/SysdigServiceTest.cpp b/collector/test/SysdigServiceTest.cpp
@@ -0,0 +1,42 @@
+#include "SysdigService.h"
+#include "gmock/gmock.h"
+#include "gtest/gtest.h"
+
+namespace collector {
+
+TEST(SysdigServiceTest, FilterEvent) {
+  std::unique_ptr<sinsp> inspector(new sinsp());
+
+  sinsp_threadinfo regular_process(inspector.get());
+  regular_process.m_exepath = "/bin/busybox";
+  regular_process.m_comm = "sleep";
+
+  sinsp_threadinfo runc_process(inspector.get());
+  runc_process.m_exepath = "runc";
+  runc_process.m_comm = "6";
+
+  sinsp_threadinfo proc_self_process(inspector.get());
+  proc_self_process.m_exepath = "/proc/self/exe";
+  proc_self_process.m_comm = "runc";
+
+  sinsp_threadinfo memfd_process(inspector.get());
+  memfd_process.m_exepath = "memfd:runc_cloned:/proc/self/exe";
+  memfd_process.m_comm = "6";
+
+  struct test_t {
+    const sinsp_threadinfo* tinfo;
+    bool expected;
+  };
+  std::vector<test_t> tests{
+      {&regular_process, true},
+      {&runc_process, false},
+      {&proc_self_process, false},
+      {&memfd_process, false},
+  };
+
+  for (const auto& t : tests) {
+    ASSERT_EQ(SysdigService::FilterEvent(t.tinfo), t.expected);
+  }
+}
+
+}  // namespace collector