Skip to content

feat(libsinsp): support list modifiers for string operators (oneof/anyof/allof)#2984

Merged
poiana merged 28 commits into
falcosecurity:masterfrom
therealbobo:therealbobo-extend-list-operators
May 7, 2026
Merged

feat(libsinsp): support list modifiers for string operators (oneof/anyof/allof)#2984
poiana merged 28 commits into
falcosecurity:masterfrom
therealbobo:therealbobo-extend-list-operators

Conversation

@therealbobo

@therealbobo therealbobo commented May 4, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind test

/kind feature

/kind sync

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area drivers

/area driver-kmod

/area driver-modern-bpf

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #2983

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

feat(libsinsp): support list modifiers for string operators (oneof/anyof/allof)

@poiana poiana added release-note-none kind/test PRs increasing the test coverage without fixing any failing test dco-signoff: yes kind/feature New feature or request labels May 4, 2026
@poiana poiana requested review from hbrueckner and terror96 May 4, 2026 09:47
@therealbobo therealbobo marked this pull request as draft May 4, 2026 09:55
@ekoops ekoops added this to the 0.25.0 milestone May 4, 2026
@therealbobo therealbobo force-pushed the therealbobo-extend-list-operators branch from 96327f0 to b132c91 Compare May 4, 2026 10:29
@codecov

codecov Bot commented May 4, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 92.40246% with 74 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.77%. Comparing base (1a0177c) to head (36b96f5).
⚠️ Report is 1 commits behind head on master.

Files with missing lines Patch % Lines
userspace/libsinsp/filter_compare.cpp 69.56% 35 Missing ⚠️
userspace/libsinsp/sinsp_filtercheck_fd.cpp 56.41% 17 Missing ⚠️
userspace/libsinsp/test/filter_compiler.ut.cpp 97.83% 7 Missing ⚠️
userspace/libsinsp/sinsp_filtercheck.cpp 94.11% 5 Missing ⚠️
userspace/libsinsp/sinsp_filtercheck_thread.cpp 16.66% 5 Missing ⚠️
userspace/libsinsp/filter/parser.cpp 95.65% 3 Missing ⚠️
userspace/libsinsp/filter.cpp 90.00% 1 Missing ⚠️
userspace/libsinsp/sinsp_filtercheck_event.cpp 50.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #2984      +/-   ##
==========================================
+ Coverage   75.21%   75.77%   +0.56%     
==========================================
  Files         297      299       +2     
  Lines       32330    33096     +766     
  Branches     5116     5148      +32     
==========================================
+ Hits        24316    25080     +764     
- Misses       8014     8016       +2
Flag Coverage Δ
libsinsp 75.77% <92.40%> (+0.56%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@therealbobo therealbobo marked this pull request as ready for review May 4, 2026 10:56
@therealbobo therealbobo marked this pull request as draft May 4, 2026 11:03
@therealbobo therealbobo force-pushed the therealbobo-extend-list-operators branch 2 times, most recently from 3ab9a7c to b7b1139 Compare May 4, 2026 13:03
@therealbobo therealbobo marked this pull request as ready for review May 4, 2026 13:35
@github-actions

github-actions Bot commented May 4, 2026
edited
Loading

Copy link
Copy Markdown

Perf diff from master - unit tests

    22.08%    -10.35%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_add_ref_lock_nothrow()
     5.78%     +7.42%  [.] std::__shared_count<(__gnu_cxx::_Lock_policy)2>::_M_get_use_count() const
    13.01%     +2.45%  [.] std::__shared_ptr<sinsp_threadinfo, (__gnu_cxx::_Lock_policy)2>::__shared_ptr(std::__weak_ptr<sinsp_threadinfo, (__gnu_cxx::_Lock_policy)2> const&, std::nothrow_t)
     8.38%     +1.48%  [.] sinsp_threadinfo::update_main_fdtable()
     8.80%     -1.15%  [.] sinsp_threadinfo::get_fd_table()
    10.76%     +0.27%  [.] sinsp_threadinfo::get_main_thread()
     3.82%     -0.23%  [.] sinsp_thread_manager::create_thread_dependencies(std::shared_ptr<sinsp_threadinfo> const&)
     0.46%     +0.21%  [.] sinsp_thread_manager::clear()
     4.95%     -0.14%  [.] thread_group_info::get_first_thread() const
     6.83%     +0.11%  [.] std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count(std::__weak_count<(__gnu_cxx::_Lock_policy)2> const&, std::nothrow_t)

Heap diff from master - unit tests

peak heap memory consumption: -13.03K
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: -2.16K
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                                               Time             CPU      Time Old      Time New       CPU Old       CPU New
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                                                  +0.0093         +0.0095           239           241           239           241
BM_sinsp_split_median                                                                +0.0090         +0.0092           239           241           238           241
BM_sinsp_split_stddev                                                                +1.4918         +1.4305             1             1             1             1
BM_sinsp_split_cv                                                                    +1.4688         +1.4077             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                                        +0.1791         +0.1793            74            87            74            87
BM_sinsp_concatenate_paths_relative_path_median                                      +0.1864         +0.1868            73            87            73            87
BM_sinsp_concatenate_paths_relative_path_stddev                                      -0.3559         -0.3552             1             1             1             1
BM_sinsp_concatenate_paths_relative_path_cv                                          -0.4537         -0.4532             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                                           +0.0465         +0.0465            43            45            43            45
BM_sinsp_concatenate_paths_empty_path_median                                         +0.0907         +0.0908            42            46            42            46
BM_sinsp_concatenate_paths_empty_path_stddev                                         +0.3252         +0.3295             1             2             1             2
BM_sinsp_concatenate_paths_empty_path_cv                                             +0.2663         +0.2705             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                                        +0.0308         +0.0309            80            83            80            83
BM_sinsp_concatenate_paths_absolute_path_median                                      +0.0243         +0.0246            81            83            81            83
BM_sinsp_concatenate_paths_absolute_path_stddev                                      -0.6214         -0.6218             1             0             1             0
BM_sinsp_concatenate_paths_absolute_path_cv                                          -0.6327         -0.6332             0             0             0             0
BM_sinsp_sanitize_string_fast_path_ascii_short_mean                                  +0.1451         +0.1455            16            19            16            19
BM_sinsp_sanitize_string_fast_path_ascii_short_median                                +0.1456         +0.1458            16            19            16            19
BM_sinsp_sanitize_string_fast_path_ascii_short_stddev                                -0.6706         -0.6845             0             0             0             0
BM_sinsp_sanitize_string_fast_path_ascii_short_cv                                    -0.7124         -0.7245             0             0             0             0
BM_sinsp_sanitize_string_fast_path_ascii_long_mean                                   -0.0059         -0.0057           166           165           166           165
BM_sinsp_sanitize_string_fast_path_ascii_long_median                                 -0.0055         -0.0051           166           165           166           165
BM_sinsp_sanitize_string_fast_path_ascii_long_stddev                                 +1.1835         +1.2769             0             0             0             0
BM_sinsp_sanitize_string_fast_path_ascii_long_cv                                     +1.1964         +1.2898             0             0             0             0
BM_sinsp_sanitize_string_fast_path_multibyte_short_mean                              -0.0549         -0.0549            15            14            14            14
BM_sinsp_sanitize_string_fast_path_multibyte_short_median                            -0.0608         -0.0609            15            14            14            14
BM_sinsp_sanitize_string_fast_path_multibyte_short_stddev                           +37.9115        +52.1976             0             0             0             0
BM_sinsp_sanitize_string_fast_path_multibyte_short_cv                               +40.1739        +55.2888             0             0             0             0
BM_sinsp_sanitize_string_fast_path_multibyte_long_mean                               -0.0361         -0.0361          5073          4889          5070          4887
BM_sinsp_sanitize_string_fast_path_multibyte_long_median                             -0.0387         -0.0390          5064          4868          5063          4865
BM_sinsp_sanitize_string_fast_path_multibyte_long_stddev                             +2.9495         +3.0565            20            80            20            80
BM_sinsp_sanitize_string_fast_path_multibyte_long_cv                                 +3.0976         +3.2083             0             0             0             0
BM_sinsp_sanitize_string_fast_path_mixed_long_mean                                   +0.0025         +0.0026          2003          2008          2002          2008
BM_sinsp_sanitize_string_fast_path_mixed_long_median                                 +0.0066         +0.0068          1992          2005          1991          2005
BM_sinsp_sanitize_string_fast_path_mixed_long_stddev                                 -0.7661         -0.7668            34             8            35             8
BM_sinsp_sanitize_string_fast_path_mixed_long_cv                                     -0.7667         -0.7674             0             0             0             0
BM_sinsp_sanitize_string_slow_path_c1_controls_long_alloc_mean                       -0.0119         -0.0117          6220          6146          6217          6144
BM_sinsp_sanitize_string_slow_path_c1_controls_long_alloc_median                     -0.0003         -0.0000          6147          6145          6143          6143
BM_sinsp_sanitize_string_slow_path_c1_controls_long_alloc_stddev                     -0.9631         -0.9637           125             5           125             5
BM_sinsp_sanitize_string_slow_path_c1_controls_long_alloc_cv                         -0.9626         -0.9633             0             0             0             0
BM_sinsp_sanitize_string_slow_path_c1_controls_long_noalloc_mean                     -0.0017         -0.0015          6030          6020          6027          6018
BM_sinsp_sanitize_string_slow_path_c1_controls_long_noalloc_median                   -0.0058         -0.0059          6055          6020          6053          6018
BM_sinsp_sanitize_string_slow_path_c1_controls_long_noalloc_stddev                   -0.9956         -0.9951           288             1           288             1
BM_sinsp_sanitize_string_slow_path_c1_controls_long_noalloc_cv                       -0.9956         -0.9951             0             0             0             0
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_alloc_mean                    -0.0490         -0.0491           339           323           339           323
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_alloc_median                  -0.0494         -0.0494           339           323           339           323
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_alloc_stddev                  -0.8354         -0.8306             3             0             3             0
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_alloc_cv                      -0.8269         -0.8219             0             0             0             0
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_noalloc_mean                  -0.1266         -0.1266           248           217           248           217
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_noalloc_median                -0.1259         -0.1259           248           217           248           217
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_noalloc_stddev                -0.0334         -0.0358             1             1             1             1
BM_sinsp_sanitize_string_slow_path_sparse_invalid_long_noalloc_cv                    +0.1067         +0.1039             0             0             0             0
BM_sinsp_sanitize_string_slow_path_all_invalid_long_alloc_mean                       -0.0489         -0.0489         13085         12445         13081         12441
BM_sinsp_sanitize_string_slow_path_all_invalid_long_alloc_median                     -0.0494         -0.0497         13095         12448         13092         12441
BM_sinsp_sanitize_string_slow_path_all_invalid_long_alloc_stddev                     -0.7178         -0.7408            20             6            21             5
BM_sinsp_sanitize_string_slow_path_all_invalid_long_alloc_cv                         -0.7032         -0.7275             0             0             0             0
BM_sinsp_sanitize_string_slow_path_all_invalid_long_noalloc_mean                     -0.0084         -0.0082         11887         11788         11882         11784
BM_sinsp_sanitize_string_slow_path_all_invalid_long_noalloc_median                   -0.0001         +0.0001         11635         11633         11627         11629
BM_sinsp_sanitize_string_slow_path_all_invalid_long_noalloc_stddev                   -0.4729         -0.4732           509           268           509           268
BM_sinsp_sanitize_string_slow_path_all_invalid_long_noalloc_cv                       -0.4685         -0.4688             0             0             0             0

@therealbobo therealbobo force-pushed the therealbobo-extend-list-operators branch 2 times, most recently from 469f636 to 2163952 Compare May 4, 2026 16:13
terror96
terror96 reviewed May 5, 2026
View reviewed changes
Comment thread userspace/libsinsp/filter_compare.cpp
therealbobo added 2 commits May 5, 2026 08:44
@therealbobo
feat(libsinsp): add string comparator modifiers to the parser
3628659 
Add StrOperatorModifier production to the BNF grammar and update
parser.h with the full StrOperator list. Add lex_str_op_modifier()
and wire the modifier token into parse_condition() so that
  proc.name startswith oneof (a, b, c)
parses as a StrOperator + modifier + ListValue.

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo
feat(libsinsp): add comprator to filter_compare
5d143f6 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
therealbobo added 9 commits May 5, 2026 08:45
@therealbobo
bench(libsinsp): add last_match scenario to filter_modifiers benchmark
f733a3d 
Adds make_terms_last / make_regex_terms_last helpers that produce an
N-element list where only the final term matches proc.name = "svc-last".
Both modifier and chained variants must iterate every term before the
hit — O(N) comparisons with a successful result — which is the true
worst-case for a matching event, distinct from no_match (returns false)
and first_match (short-circuits on the first term).

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo
fix(libsinsp): use CO_EQ for equality-only types in compare_rhs_with_mod
29c5844 
Certain types (PT_IPV4NET, PT_IPV6NET, PT_IPNET, PT_SOCKADDR,
PT_SOCKTUPLE, PT_FDLIST, PT_SIGSET) only support equality-based
comparison in flt_compare. compare_rhs already handles this for
CO_IN and CO_INTERSECTS by forcing CO_EQ; apply the same logic in
compare_rhs_with_mod via a dedicated elem_cmp selector so modifier
evaluation uses the correct comparison operator for these types.

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo
fix(libsinsp): reject non-equality operators with modifier for IP/net…
994a21c 
… types

IP address and network filter fields only support equality-based
comparison (CO_EQ / CO_NE). Extend flt_is_comparable to reject
modifier + non-equality operator combinations for PT_IPV4ADDR,
PT_IPV4NET, PT_IPV6ADDR, PT_IPV6NET, PT_IPADDR, and PT_IPNET at
filter compilation time, so invalid expressions like
`fd.ip contains anyof (...)` are caught early with a clear error.

The check is gated on cmp.mod != none, so existing filter expressions
without a modifier are not affected.

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo
refactor(libsinsp): simplify compare_rhs_with_mod lambdas
81eb818 
Extract a rhs_elem_matches primitive that centralises the per-element
dispatch (CO_REGEX vs flt_compare, CO_NE always uses CO_EQ). in_rhs
and all_rhs then become straightforward loops over n_rhs elements with
a single early-return pattern, eliminating duplicated operator checks
and the scattered CO_NE inversion logic.

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo
refactor(libsinsp): deduplicate list parsing in parser
510d5db 
Extract try_parse_list_expr() from the identical ( ... ) blocks in
parse_list_value() and parse_list_value_or_transformer(). Both
callers now delegate to the shared helper and only differ in their
fallback paths.

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo
refactor(libsinsp): rename cmpop_mod enum values to CMPOP_MOD_ prefix
25cfe5c 
Rename none/oneof/anyof/allof to CMPOP_MOD_NONE/ONEOF/ANYOF/ALLOF to
follow the same naming convention as cmpop (CO_EQ, CO_NE, etc.) and
avoid polluting the enclosing namespace with bare lowercase names.

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo
refactor(libsinsp): extract lambdas in compare_rhs_with_mod to privat…
14e925c 
…e methods

Replace the three local lambdas with named private member functions:
matches_rhs_elem, matches_any_rhs, matches_all_rhs.

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo
refactor(libsinsp): drop default_re2_deleter, use std::make_unique fo…
669e113 
…r RE2

Include <re2/re2.h> directly in sinsp_filtercheck.h instead of forward-
declaring, which allows using std::unique_ptr<re2::RE2> without a custom
deleter. Replace the manual new + unique_ptr constructor with make_unique.

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo
test(libsinsp): add pmatch+modifier parser rejection test
43b3251 
pmatch is a list operator and cannot be combined with oneof/anyof/allof
modifiers; add it alongside the existing in/intersects rejection cases.

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo therealbobo force-pushed the therealbobo-extend-list-operators branch from 2163952 to 43b3251 Compare May 5, 2026 11:43
@therealbobo
refactor(libsinsp): replace try_lex_modifier_op with appropriate pred…
1897b64 
…icates

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo therealbobo force-pushed the therealbobo-extend-list-operators branch from a15239a to 1897b64 Compare May 5, 2026 15:56
therealbobo added 4 commits May 5, 2026 16:46
@therealbobo
test(libsinsp): cover word-based operators and greedy prefix in modif…
bab95bc 
…ier rejection tests

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo
perf(libsinsp): use hash-set lookup for == oneof/anyof/allof RHS matc…
6e965c6 
…hing

Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo
cleanup(libsinsp): make matches_rhs_* more readable
24dd04d 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo
fix(libsinsp): properly check if a list_value follows
36b96f5 
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
@therealbobo therealbobo force-pushed the therealbobo-extend-list-operators branch from 05fcaa6 to 36b96f5 Compare May 6, 2026 12:59
ekoops
ekoops approved these changes May 7, 2026
View reviewed changes

@ekoops ekoops left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana poiana added the lgtm label May 7, 2026
@poiana

poiana commented May 7, 2026

Copy link
Copy Markdown
Contributor

LGTM label has been added.

DetailsGit tree hash: 79596dd2c35b6f2cc2f083a4359922a2636f854d

@github-project-automation github-project-automation Bot moved this from Todo to In progress in Falco Roadmap May 7, 2026
@poiana

poiana commented May 7, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops, leogr, therealbobo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [ekoops,leogr,therealbobo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 409fe2e into falcosecurity:master May 7, 2026
67 of 69 checks passed
@github-project-automation github-project-automation Bot moved this from In progress to Done in Falco Roadmap May 7, 2026
@BrewTestBot BrewTestBot mentioned this pull request May 12, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@terror96 terror96 terror96 left review comments

@leogr leogr leogr approved these changes

@ekoops ekoops ekoops approved these changes

@hbrueckner hbrueckner Awaiting requested review from hbrueckner

Assignees

@leogr leogr

@ekoops ekoops

Labels

approved area/libsinsp dco-signoff: yes kind/feature New feature or request kind/test PRs increasing the test coverage without fixing any failing test lgtm release-note size/XXL

Projects

Falco Roadmap
Status: Done

Milestone

0.25.0

Development

Successfully merging this pull request may close these issues.

feat(libsinsp): support list modifiers for string operators (oneof/anyof/allof)

5 participants

@therealbobo @poiana @leogr @terror96 @ekoops