aquasecurity · geyslan · Mar 28, 2023 · Mar 24, 2023 · Mar 24, 2023 · Mar 28, 2023
diff --git a/pkg/cmd/flags/errors.go b/pkg/cmd/flags/errors.go
@@ -19,3 +19,15 @@ func InvalidEventExcludeError(event string) error {
 func InvalidFilterOptionError(expr string) error {
 	return fmt.Errorf("invalid filter option specified (%s), use '--filter help' for more info", expr)
 }
+
+func InvalidFlagEmpty() error {
+	return fmt.Errorf("empty flag")
+}
+
+func InvalidFlagOperator(expression string) error {
+	return fmt.Errorf("invalid flag operator: %s", expression)
+}
+
+func InvalidFlagValue(expression string) error {
+	return fmt.Errorf("invalid flag value: %s", expression)
+}
diff --git a/pkg/cmd/flags/filter.go b/pkg/cmd/flags/filter.go
@@ -87,29 +87,6 @@ Examples:
   --filter security_file_open.context.container                 | only trace 'security_file_open' events coming from a container
   --filter comm=bash --filter follow                            | trace all events that originated from bash or from one of the processes spawned by bash
 
-Filters can also be configured within up to 64 policies.
-Events that match all filter expressions within a single policy will be filtered.
-To find out which policies an event is related to, read the bitmask in one of these ways:
-
-- using '-o format:json', matchedPolicies JSON field (in decimal)
-- using '-o format:table-verbose', POLICIES column (in hexadecimal)
-
-Examples:
-
-  -f 42:event=sched_process_exec -f 42:binary=/usr/bin/ls      | trace in policy 42 sched_process_exec event from /usr/bin/ls binary
-
-  -f 3:event=openat -f 3:comm=id -f 9:event=close -f 9:comm=ls - trace in policy 3 only openat event from id command
-                                                               | and
-                                                               - trace in policy 9 only close event from ls command
-
-  -f 6:event=openat -f 6:comm=id -f 7:event=close -f 7:comm=id - trace in policy 6 only openat event from id command
-                                                               | and
-                                                               _ trace in policy 7 only close event from id command
-
-  -f 3:event=openat -f 3:comm=id -f 9:event=close              - trace in policy 3 only openat event from id command
-                                                               | and
-                                                               - trace in policy 9 only close event from all
-
 Note: some of the above operators have special meanings in different shells.
 To 'escape' those operators, please use single quotes, e.g.: 'uid>0', '/tmp*'
 `

diff --git a/pkg/cmd/flags/filter_map.go b/pkg/cmd/flags/filter_map.go
@@ -1,12 +1,9 @@
 package flags
 
 import (
-	"fmt"
-	"strconv"
 	"strings"
 
-	"github.com/aquasecurity/tracee/pkg/filters"
-	"github.com/aquasecurity/tracee/pkg/policy"
+	"github.com/aquasecurity/tracee/pkg/errfmt"
 )
 
 // FilterMap holds pre-parsed filter flag fields
@@ -22,90 +19,58 @@ type filterFlag struct {
 	policyName string
 }
 
+// parseFilterFlag parses a filter flag and returns a filterFlag struct with
+// pre-parsed fields, or an error if the flag is invalid.
+// policyIdx and policyName are always set to 0 and "" respectively, since this
+// function is used for parsing cli filter flags only.
+// For policy workloads, see PrepareFilterMapFromPolicies.
 func parseFilterFlag(flag string) (*filterFlag, error) {
-	var (
-		policyID          int // stores the parsed policy index, not its flag position
-		filterName        string
-		operatorAndValues string
+	if len(flag) == 0 {
+		return nil, errfmt.WrapError(InvalidFlagEmpty())
+	}
 
-		policyEndIdx     int // stores ':' flag index (end of the policy value)
-		filterNameIdx    int
-		filterNameEndIdx int
-		operatorIdx      int
-		err              error
-	)
+	operatorIdx := strings.IndexAny(flag, "=!<>")
 
-	policyEndIdx = strings.Index(flag, ":")
-	operatorIdx = strings.IndexAny(flag, "=!<>")
+	if operatorIdx == -1 || // no operator, as a set flag
+		(operatorIdx == 0 && flag[0] == '!') { // negation, as an unset flag
 
-	if policyEndIdx == -1 && operatorIdx == -1 {
 		return &filterFlag{
 			full:              flag,
 			filterName:        flag,
 			operatorAndValues: "",
-			policyIdx:         policyID,
+			policyIdx:         0,
+			policyName:        "",
 		}, nil
 	}
 
-	if operatorIdx != -1 {
-		operatorAndValues = flag[operatorIdx:]
-		filterNameEndIdx = operatorIdx
-	} else {
-		operatorIdx = len(flag) - 1
-		filterNameEndIdx = len(flag)
-	}
-
-	// check operators
-	if len(operatorAndValues) == 1 ||
-		operatorAndValues == "!=" ||
-		operatorAndValues == "<=" ||
-		operatorAndValues == ">=" {
+	filterName := flag[:operatorIdx]
+	operatorAndValues := flag[operatorIdx:]
 
-		return nil, filters.InvalidExpression(flag)
+	operatorEndIdx := strings.LastIndexAny(operatorAndValues, "=!<>")
+	operator := operatorAndValues[:operatorEndIdx+1]
+	switch operator {
+	case "=", "!=", "<", "<=", ">", ">=":
+		// valid operators
+	default:
+		return nil, errfmt.WrapError(InvalidFlagOperator(flag))
 	}
 
-	if policyEndIdx != -1 && policyEndIdx < operatorIdx {
-		// parse its ID
-		policyID, err = strconv.Atoi(flag[:policyEndIdx])
-		if err != nil {
-			return nil, filters.InvalidPolicy(fmt.Sprintf("%s - %s", flag, err))
-		}
-
-		// now consider it as a policy index
-		policyID--
-		if policyID < 0 || policyID > policy.MaxPolicies-1 {
-			return nil, filters.InvalidPolicy(fmt.Sprintf("%s - policies must be between 1 and %d", flag, policy.MaxPolicies))
-		}
-
-		filterNameIdx = policyEndIdx + 1
+	value := operatorAndValues[operatorEndIdx+1:]
+	if len(value) == 0 {
+		return nil, errfmt.WrapError(InvalidFlagValue(flag))
 	}
 
-	if len(operatorAndValues) >= 2 &&
-		operatorAndValues[0] == '!' &&
-		operatorAndValues[1] != '=' {
-
-		filterName = flag[filterNameIdx:]
-		if strings.HasSuffix(filterName, "follow") ||
-			strings.HasSuffix(filterName, "container") {
+	if strings.HasPrefix(value, " ") || strings.HasPrefix(value, "\t") ||
+		strings.HasSuffix(value, " ") || strings.HasSuffix(value, "\t") {
 
-			return &filterFlag{
-				full:              flag,
-				filterName:        filterName,
-				operatorAndValues: "",
-				policyIdx:         policyID,
-			}, nil
-		}
-
-		return nil, filters.InvalidExpression(flag)
+		return nil, errfmt.WrapError(InvalidFlagValue(flag))
 	}
 
-	// parse filter name
-	filterName = flag[filterNameIdx:filterNameEndIdx]
-
 	return &filterFlag{
 		full:              flag,
 		filterName:        filterName,
 		operatorAndValues: operatorAndValues,
-		policyIdx:         policyID,
+		policyIdx:         0,
+		policyName:        "",
 	}, nil
 }