From 4a3623f75bb8abda200ed4a23f13b616039c0bf9 Mon Sep 17 00:00:00 2001 From: willfindlay Date: Mon, 24 Jun 2024 15:22:01 -0400 Subject: [PATCH] filters: implement parent binary export filter Implement a new export filter that can filter over parent binary names using RE2 regular expressions. Signed-off-by: willfindlay --- api/v1/README.md | 1 + api/v1/tetragon/events.pb.go | 16 +++++- api/v1/tetragon/events.proto | 2 + .../tetragon/api/v1/tetragon/events.pb.go | 16 +++++- .../tetragon/api/v1/tetragon/events.proto | 2 + docs/content/en/docs/concepts/events.md | 1 + docs/content/en/docs/reference/grpc-api.md | 1 + pkg/filters/binary_regex.go | 28 +++++++++-- pkg/filters/binary_regex_test.go | 49 +++++++++++++++++++ pkg/filters/filters.go | 1 + .../tetragon/api/v1/tetragon/events.pb.go | 16 +++++- .../tetragon/api/v1/tetragon/events.proto | 2 + 12 files changed, 125 insertions(+), 10 deletions(-) diff --git a/api/v1/README.md b/api/v1/README.md index 12c8d973bf3..03bfd674803 100644 --- a/api/v1/README.md +++ b/api/v1/README.md @@ -1254,6 +1254,7 @@ Capability set to filter over. NOTE: you may specify only ONE set here. | labels | [string](#string) | repeated | Filter events by pod labels using Kubernetes label selector syntax: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Note that this filter never matches events without the pod field (i.e. host process events). | | policy_names | [string](#string) | repeated | Filter events by tracing policy names | | capabilities | [CapFilter](#tetragon-CapFilter) | | Filter events by Linux process capability | +| parent_binary_regex | [string](#string) | repeated | Filter parent process' binary using RE2 regular expression syntax. | diff --git a/api/v1/tetragon/events.pb.go b/api/v1/tetragon/events.pb.go index f11dc36ba6c..3f68827a3f1 100644 --- a/api/v1/tetragon/events.pb.go +++ b/api/v1/tetragon/events.pb.go 
@@ -227,6 +227,8 @@ type Filter struct { PolicyNames []string `protobuf:"bytes,10,rep,name=policy_names,json=policyNames,proto3" json:"policy_names,omitempty"` // Filter events by Linux process capability Capabilities *CapFilter `protobuf:"bytes,11,opt,name=capabilities,proto3" json:"capabilities,omitempty"` + // Filter parent process' binary using RE2 regular expression syntax. + ParentBinaryRegex []string `protobuf:"bytes,12,rep,name=parent_binary_regex,json=parentBinaryRegex,proto3" json:"parent_binary_regex,omitempty"` } func (x *Filter) Reset() { @@ -338,6 +340,13 @@ func (x *Filter) GetCapabilities() *CapFilter { return nil } +func (x *Filter) GetParentBinaryRegex() []string { + if x != nil { + return x.ParentBinaryRegex + } + return nil +} + // Filter over a set of Linux process capabilities. See `message Capabilities` // for more info. WARNING: Multiple sets are ANDed. For example, if the // permitted filter matches, but the effective filter does not, the filter will @@ -1163,7 +1172,7 @@ var file_tetragon_events_proto_rawDesc = []byte{ 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, - 0x6d, 0x61, 0x73, 0x6b, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x9f, 0x03, 0x0a, 0x06, 0x46, + 0x6d, 0x61, 0x73, 0x6b, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xcf, 0x03, 0x0a, 0x06, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x12, 0x21, 0x0a, 0x0c, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x5f, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x52, 0x65, 0x67, 0x65, 0x78, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 
@@ -1189,7 +1198,10 @@ var file_tetragon_events_proto_rawDesc = []byte{ 0x6d, 0x65, 0x73, 0x12, 0x37, 0x0a, 0x0c, 0x63, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x43, 0x61, 0x70, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x52, 0x0c, - 0x63, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x22, 0xb1, 0x01, 0x0a, + 0x63, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x2e, 0x0a, 0x13, + 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x5f, 0x72, 0x65, + 0x67, 0x65, 0x78, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x09, 0x52, 0x11, 0x70, 0x61, 0x72, 0x65, 0x6e, + 0x74, 0x42, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x52, 0x65, 0x67, 0x65, 0x78, 0x22, 0xb1, 0x01, 0x0a, 0x09, 0x43, 0x61, 0x70, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x12, 0x34, 0x0a, 0x09, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x74, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x43, 0x61, 0x70, 0x46, 0x69, 0x6c, 0x74, diff --git a/api/v1/tetragon/events.proto b/api/v1/tetragon/events.proto index f2bd554645f..dd9fee11dac 100644 --- a/api/v1/tetragon/events.proto +++ b/api/v1/tetragon/events.proto @@ -57,6 +57,8 @@ message Filter { repeated string policy_names = 10; // Filter events by Linux process capability CapFilter capabilities = 11; + // Filter parent process' binary using RE2 regular expression syntax. + repeated string parent_binary_regex = 12; } // Filter over a set of Linux process capabilities. See `message Capabilities` diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go index f11dc36ba6c..3f68827a3f1 100644 
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go +++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go @@ -227,6 +227,8 @@ type Filter struct { PolicyNames []string `protobuf:"bytes,10,rep,name=policy_names,json=policyNames,proto3" json:"policy_names,omitempty"` // Filter events by Linux process capability Capabilities *CapFilter `protobuf:"bytes,11,opt,name=capabilities,proto3" json:"capabilities,omitempty"` + // Filter parent process' binary using RE2 regular expression syntax. + ParentBinaryRegex []string `protobuf:"bytes,12,rep,name=parent_binary_regex,json=parentBinaryRegex,proto3" json:"parent_binary_regex,omitempty"` } func (x *Filter) Reset() { @@ -338,6 +340,13 @@ func (x *Filter) GetCapabilities() *CapFilter { return nil } +func (x *Filter) GetParentBinaryRegex() []string { + if x != nil { + return x.ParentBinaryRegex + } + return nil +} + // Filter over a set of Linux process capabilities. See `message Capabilities` // for more info. WARNING: Multiple sets are ANDed. For example, if the // permitted filter matches, but the effective filter does not, the filter will 
@@ -1163,7 +1172,7 @@ var file_tetragon_events_proto_rawDesc = []byte{ 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, - 0x6d, 0x61, 0x73, 0x6b, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x9f, 0x03, 0x0a, 0x06, 0x46, + 0x6d, 0x61, 0x73, 0x6b, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xcf, 0x03, 0x0a, 0x06, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x12, 0x21, 0x0a, 0x0c, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x5f, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x52, 0x65, 0x67, 0x65, 0x78, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, @@ -1189,7 +1198,10 @@ var file_tetragon_events_proto_rawDesc = []byte{ 0x6d, 0x65, 0x73, 0x12, 0x37, 0x0a, 0x0c, 0x63, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x43, 0x61, 0x70, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x52, 0x0c, - 0x63, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x22, 0xb1, 0x01, 0x0a, + 0x63, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x2e, 0x0a, 0x13, + 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x5f, 0x72, 0x65, + 0x67, 0x65, 0x78, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x09, 0x52, 0x11, 0x70, 0x61, 0x72, 0x65, 0x6e, + 0x74, 0x42, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x52, 0x65, 0x67, 0x65, 0x78, 0x22, 0xb1, 0x01, 0x0a, 0x09, 0x43, 0x61, 0x70, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x12, 0x34, 0x0a, 0x09, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x74, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x43, 0x61, 0x70, 0x46, 0x69, 0x6c, 0x74, 
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto index f2bd554645f..dd9fee11dac 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto +++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto @@ -57,6 +57,8 @@ message Filter { repeated string policy_names = 10; // Filter events by Linux process capability CapFilter capabilities = 11; + // Filter parent process' binary using RE2 regular expression syntax. + repeated string parent_binary_regex = 12; } // Filter over a set of Linux process capabilities. See `message Capabilities` diff --git a/docs/content/en/docs/concepts/events.md b/docs/content/en/docs/concepts/events.md index 71428cfaee9..fe585ee5cfa 100644 --- a/docs/content/en/docs/concepts/events.md +++ b/docs/content/en/docs/concepts/events.md @@ -161,6 +161,7 @@ flags, or environment variables. | `labels` | Filter events by pod labels using [Kubernetes label selector syntax](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) Note that this filter never matches events without the pod field (i.e. host process events). | | `policy_names` | Filter events by tracing policy names. | | `capabilities` | Filter events by Linux process capability. | +| `parent_binary_regex` | Filter process events by a list of regular expressions of parent process binary names (e.g. `"^/home/kubernetes/bin/kubelet$"`). You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | #### Field Filtering diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md index 91c15dda93d..c6fff73fd89 100644 --- a/docs/content/en/docs/reference/grpc-api.md +++ b/docs/content/en/docs/reference/grpc-api.md 
@@ -770,6 +770,7 @@ Capability set to filter over. NOTE: you may specify only ONE set here. | labels | [string](#string) | repeated | Filter events by pod labels using Kubernetes label selector syntax: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Note that this filter never matches events without the pod field (i.e. host process events). | | policy_names | [string](#string) | repeated | Filter events by tracing policy names | | capabilities | [CapFilter](#tetragon-CapFilter) | | Filter events by Linux process capability | +| parent_binary_regex | [string](#string) | repeated | Filter parent process' binary using RE2 regular expression syntax. | diff --git a/pkg/filters/binary_regex.go b/pkg/filters/binary_regex.go index 7e39c351d66..a62cf06e7c8 100644 --- a/pkg/filters/binary_regex.go +++ b/pkg/filters/binary_regex.go @@ -13,7 +13,7 @@ import ( "github.com/cilium/tetragon/api/v1/tetragon" ) -func filterByBinaryRegex(binaryPatterns []string) (hubbleFilters.FilterFunc, error) { +func filterByBinaryRegex(binaryPatterns []string, parent bool) (hubbleFilters.FilterFunc, error) { var binaries []*regexp.Regexp for _, pattern := range binaryPatterns { query, err := regexp.Compile(pattern) @@ -23,7 +23,13 @@ func filterByBinaryRegex(binaryPatterns []string) (hubbleFilters.FilterFunc, err binaries = append(binaries, query) } return func(ev *v1.Event) bool { - process := GetProcess(ev) + var process *tetragon.Process + if parent { + process = GetParent(ev) + + } else { + process = GetProcess(ev) + } if process == nil { return false } 
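Review bot: The new `parent bool` argument on filterByBinaryRegex (pkg/filters/binary_regex.go, first hunk) is undocumented, and call sites end up passing a bare `true` or `false`. A doc comment would carry the meaning, for example `// filterByBinaryRegex returns a filter that matches the binary of the event's process, or of its parent when parent is true.` The patterns go through `regexp.Compile` as given, so a pattern such as `bash` presumably matches any path that merely contains it. Because this now decides export by parent binary, the comment or the field documentation could say that anchoring is left to whoever writes the filter. The function body continues outside the hunk.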
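Review bot: When `parent` is true and the event has no parent, the closure in filterByBinaryRegex (second hunk) reaches `if process == nil { return false }`, so a parent filter never matches such events. That is worth stating at the selection, e.g. `// Events without a parent process never match this filter.`, since an allow list built on parent_binary_regex would presumably not export them. The blank line added after `process = GetParent(ev)` is stray and can be dropped. The matching loop of the closure lies outside the hunk.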
@@ -41,11 +47,25 @@ type BinaryRegexFilter struct{}
 func (f *BinaryRegexFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
 var fs []hubbleFilters.FilterFunc
 if ff.BinaryRegex != nil {
- dnsFilters, err := filterByBinaryRegex(ff.BinaryRegex)
+ filters, err := filterByBinaryRegex(ff.BinaryRegex, false)
+ if err != nil {
+ return nil, err
+ }
+ fs = append(fs, filters)
+ }
+ return fs, nil
+}
+
+type ParentBinaryRegexFilter struct{}
+
+func (f *ParentBinaryRegexFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
+ var fs []hubbleFilters.FilterFunc
+ if ff.ParentBinaryRegex != nil {
+ filters, err := filterByBinaryRegex(ff.ParentBinaryRegex, true)
 if err != nil {
 return nil, err
 }
- fs = append(fs, dnsFilters)
+ fs = append(fs, filters)
 }
 return fs, nil
 }
diff --git a/pkg/filters/binary_regex_test.go b/pkg/filters/binary_regex_test.go
index d0dd40bd818..35a8fc41d80 100644
--- a/pkg/filters/binary_regex_test.go
+++ b/pkg/filters/binary_regex_test.go
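Review bot: ParentBinaryRegexFilter in pkg/filters/binary_regex.go is a new exported type with no doc comment; something like `// ParentBinaryRegexFilter builds filters that match the parent process binary against RE2 patterns.` would fit. Its OnBuildFilter is a copy of BinaryRegexFilter's apart from the field and the flag, so a small shared helper taking the pattern slice and the flag would keep the two from drifting. The guard `ff.ParentBinaryRegex != nil` also lets an empty, non-nil slice through, which would presumably build a filter with no patterns; `len(ff.ParentBinaryRegex) > 0` avoids that, and the same holds for the BinaryRegex guard above it.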
@@ -152,3 +152,52 @@ func TestBinaryRegexFilterInvalidEvent(t *testing.T) {
 Event: &tetragon.GetEventsResponse_ProcessExec{ProcessExec: &tetragon.ProcessExec{Process: nil}},
 }}))
 }
+
+func TestParentBinaryRegexFilter(t *testing.T) {
+ f := []*tetragon.Filter{{ParentBinaryRegex: []string{"bash", "zsh"}}}
+ fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&ParentBinaryRegexFilter{}})
+ assert.NoError(t, err)
+ ev := v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessExec{
+ ProcessExec: &tetragon.ProcessExec{
+ Process: &tetragon.Process{Binary: "/sbin/iptables"},
+ },
+ },
+ },
+ }
+ assert.False(t, fl.MatchOne(&ev))
+ ev = v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessExec{
+ ProcessExec: &tetragon.ProcessExec{
+ Parent: &tetragon.Process{Binary: "/bin/foo"},
+ Process: &tetragon.Process{Binary: "/sbin/iptables"},
+ },
+ },
+ },
+ }
+ assert.False(t, fl.MatchOne(&ev))
+ ev = v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessExec{
+ ProcessExec: &tetragon.ProcessExec{
+ Parent: &tetragon.Process{Binary: "/bin/bash"},
+ Process: &tetragon.Process{Binary: "/sbin/iptables"},
+ },
+ },
+ },
+ }
+ assert.True(t, fl.MatchOne(&ev))
+ ev = v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessExec{
+ ProcessExec: &tetragon.ProcessExec{
+ Parent: &tetragon.Process{Binary: "/bin/zsh"},
+ Process: &tetragon.Process{Binary: "/sbin/iptables"},
+ },
+ },
+ },
+ }
+ assert.True(t, fl.MatchOne(&ev))
+}
diff --git a/pkg/filters/filters.go b/pkg/filters/filters.go
index 18a481e3824..3659dd8b6e2 100644
--- a/pkg/filters/filters.go
+++ b/pkg/filters/filters.go
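Review bot: TestParentBinaryRegexFilter checks the build error with `assert.NoError(t, err)` and then keeps using `fl`, so a failed build would continue into the `fl.MatchOne` calls instead of stopping; `if err != nil { t.Fatal(err) }` (or testify's `require.NoError`) ends the test at the real cause. The cases only use the unanchored patterns `bash` and `zsh`. A case with an anchored pattern such as the documented `^/home/kubernetes/bin/kubelet$`, and one where an invalid pattern makes BuildFilterList return an error, would pin the behaviour operators depend on when writing export filters.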
@@ -84,6 +84,7 @@ func BuildFilterList(ctx context.Context, ff []*tetragon.Filter, filterFuncs []O // Filters is the list of default filters var Filters = []OnBuildFilter{ &BinaryRegexFilter{}, + &ParentBinaryRegexFilter{}, &HealthCheckFilter{}, &NamespaceFilter{}, &PidFilter{}, diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go index f11dc36ba6c..3f68827a3f1 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go @@ -227,6 +227,8 @@ type Filter struct { PolicyNames []string `protobuf:"bytes,10,rep,name=policy_names,json=policyNames,proto3" json:"policy_names,omitempty"` // Filter events by Linux process capability Capabilities *CapFilter `protobuf:"bytes,11,opt,name=capabilities,proto3" json:"capabilities,omitempty"` + // Filter parent process' binary using RE2 regular expression syntax. + ParentBinaryRegex []string `protobuf:"bytes,12,rep,name=parent_binary_regex,json=parentBinaryRegex,proto3" json:"parent_binary_regex,omitempty"` } func (x *Filter) Reset() { @@ -338,6 +340,13 @@ func (x *Filter) GetCapabilities() *CapFilter { return nil } +func (x *Filter) GetParentBinaryRegex() []string { + if x != nil { + return x.ParentBinaryRegex + } + return nil +} + // Filter over a set of Linux process capabilities. See `message Capabilities` // for more info. WARNING: Multiple sets are ANDed. For example, if the // permitted filter matches, but the effective filter does not, the filter will 
@@ -1163,7 +1172,7 @@ var file_tetragon_events_proto_rawDesc = []byte{ 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, - 0x6d, 0x61, 0x73, 0x6b, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x9f, 0x03, 0x0a, 0x06, 0x46, + 0x6d, 0x61, 0x73, 0x6b, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xcf, 0x03, 0x0a, 0x06, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x12, 0x21, 0x0a, 0x0c, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x5f, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x52, 0x65, 0x67, 0x65, 0x78, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, @@ -1189,7 +1198,10 @@ var file_tetragon_events_proto_rawDesc = []byte{ 0x6d, 0x65, 0x73, 0x12, 0x37, 0x0a, 0x0c, 0x63, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x43, 0x61, 0x70, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x52, 0x0c, - 0x63, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x22, 0xb1, 0x01, 0x0a, + 0x63, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x2e, 0x0a, 0x13, + 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x5f, 0x72, 0x65, + 0x67, 0x65, 0x78, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x09, 0x52, 0x11, 0x70, 0x61, 0x72, 0x65, 0x6e, + 0x74, 0x42, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x52, 0x65, 0x67, 0x65, 0x78, 0x22, 0xb1, 0x01, 0x0a, 0x09, 0x43, 0x61, 0x70, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x12, 0x34, 0x0a, 0x09, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x74, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x74, 0x65, 0x74, 0x72, 0x61, 0x67, 0x6f, 0x6e, 0x2e, 0x43, 0x61, 0x70, 0x46, 0x69, 0x6c, 0x74, 
diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto index f2bd554645f..dd9fee11dac 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto @@ -57,6 +57,8 @@ message Filter { repeated string policy_names = 10; // Filter events by Linux process capability CapFilter capabilities = 11; + // Filter parent process' binary using RE2 regular expression syntax. + repeated string parent_binary_regex = 12; } // Filter over a set of Linux process capabilities. See `message Capabilities`