falcosecurity / libs

libsinsp, libscap, the kernel module driver, and the eBPF driver sources
https://falcosecurity.github.io/libs/
Apache License 2.0

New transformer: `basename()` #1927

Closed leogr closed 2 months ago

leogr commented 3 months ago

Motivation

The basename() transformer will make it easier for rule authors to write concise and effective rules, particularly for fields returning a full path by extracting the base name from a field returning a full path.

Note that this is particularly useful in conjunction with proc.exepath which provides the resolved symlink path eventually, since proc.exe can't provide the resolved path because it, by convention, equals argv[0].

Feature

Introduce the basename(<path>) transformer that works similarly to the basename util.

This transformer returns the base name of a given <path> (i.e. a string) as an argument.

Alternatives

No compelling alternatives. For the record, some discarded solutions:

  1. changing proc.exe (breaking change + inconsistency)
  2. adding new fields (e.g. proc.exepath.basename) comes with too many cons:
    • redundant with fields modifiers (i.e. basename())
    • would require similar fields for proc.pexepath and proc.aexepath, increasing complexity
    • the solution is not reusable

Additional context

cc @darryk10 @loresuso

loresuso commented 3 months ago

I fully support this feature request!

Just the first thing that comes to mind: introducing basename would also probably conflict with fd.filename, that is, basename(fd.name) would be totally the same thing as fd.filename. We would probably need a deprecation plan for that field or other similar ones if any.
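The following is an added reference model of the transformer semantics described in the issue body and in the comment above; it is not code from falcosecurity/libs. It implements basename() with the same edge-case behaviour as the basename(1) utility (trailing slashes dropped, the root path stays "/", a slash-free name is returned unchanged), evaluates field expressions such as basename(proc.exepath) against sample events, and checks the claim that basename(fd.name) yields the same value as fd.filename. The events, the use of field names as dictionary keys, the tiny condition grammar and the treatment of an empty value are assumptions made for the demonstration.

```python
"""Reference model of the proposed basename() field transformer (added example)."""
import re
from typing import Dict, List

Event = Dict[str, str]


def basename(path: str) -> str:
    """Base name of `path`, following basename(1): trailing slashes are
    dropped, "/" (or "//") stays "/", a name without slashes is returned as-is."""
    if path == "":
        return path  # assumption: an empty field value stays empty
    stripped = path.rstrip("/")
    if stripped == "":
        return "/"
    return stripped.rsplit("/", 1)[-1]


# Transformers that can wrap a field; only basename() is modelled here.
TRANSFORMERS = {"basename": basename}

_CALL_RE = re.compile(r"([a-z_]+)\((.+)\)")
_COND_RE = re.compile(r"^(?P<lhs>.+?)\s+(?P<op>=|!=|in)\s+(?P<rhs>.+)$")


def resolve(event: Event, expr: str) -> str:
    """Evaluate a field expression ("proc.exepath", "basename(proc.exepath)",
    nested calls allowed) against an event represented as a dict (assumption)."""
    expr = expr.strip()
    call = _CALL_RE.fullmatch(expr)
    if call:
        fn, inner = call.groups()
        if fn not in TRANSFORMERS:
            raise ValueError(f"unknown transformer: {fn}")
        return TRANSFORMERS[fn](resolve(event, inner))
    if expr not in event:
        raise KeyError(f"unknown field: {expr}")
    return event[expr]


def matches(event: Event, cond: str) -> bool:
    """Evaluate a minimal condition: `<expr> = v`, `<expr> != v`, `<expr> in (a, b)`."""
    m = _COND_RE.match(cond.strip())
    if not m:
        raise ValueError(f"bad condition: {cond!r}")
    lhs = resolve(event, m.group("lhs"))
    op, rhs = m.group("op"), m.group("rhs").strip()
    if op == "in":
        choices = {c.strip().strip('"') for c in rhs.strip("()").split(",")}
        return lhs in choices
    rhs = rhs.strip('"')
    return lhs == rhs if op == "=" else lhs != rhs


# Constructed sample events (not captured data): a shell reached through a
# symlink, and a login shell whose argv[0] carries the conventional leading dash.
SAMPLE_EVENTS: List[Event] = [
    {"proc.exe": "sh", "proc.exepath": "/usr/bin/dash",
     "fd.name": "/etc/passwd", "fd.filename": "passwd"},
    {"proc.exe": "-bash", "proc.exepath": "/usr/bin/bash",
     "fd.name": "/home/alice/.bashrc", "fd.filename": ".bashrc"},
]


def fd_filename_equivalence(events: List[Event]) -> bool:
    """The overlap noted in the discussion: basename(fd.name) == fd.filename."""
    return all(resolve(e, "basename(fd.name)") == e["fd.filename"] for e in events)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["proc.exe"], "->", resolve(e, "basename(proc.exepath)"),
              "| matches on exepath:", matches(e, "basename(proc.exepath) in (bash, dash)"),
              "| matches on exe:", matches(e, "proc.exe in (bash, dash)"))
    print("basename(fd.name) == fd.filename:", fd_filename_equivalence(SAMPLE_EVENTS))
```

Running the module shows why the issue pairs the transformer with proc.exepath: on both sample events a condition on basename(proc.exepath) matches the real binary name, while the same condition on proc.exe does not, because argv[0] is "sh" or "-bash".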

leogr commented 3 months ago

> fd.filename. We would probably need a deprecation plan for that field or other similar ones if any.

Totally :+1:

LucaGuerra commented 3 months ago

/assign