tracee-ebpf filtering can't filter comm= values with "."

[rafaeldtinoco]

Prerequisites

• [x] This affects latest released version.
• [x] This affects current development tree (origin/HEAD).
• [x] There isn't an issue describing the bug.

Bug description

During the co-re tests development I faced a situation where I wanted to finder a shell script called "trc02.sh" and I couldn't. Trying to filter for "comm=trc*" did not work as well.

Steps to reproduce

[rafaeldtinoco@fujitsu:~/.../ebpf/tracee]$ sudo ./dist/tracee-ebpf --trace comm=trc02.sh
2022/04/14 14:48:55 invalid argument filter format comm=trc02.sh
[rafaeldtinoco@fujitsu:~/.../ebpf/tracee]$ sudo ./dist/tracee-ebpf --trace comm="trc02.sh"
2022/04/14 14:48:57 invalid argument filter format comm=trc02.sh
[rafaeldtinoco@fujitsu:~/.../ebpf/tracee]$ sudo ./dist/tracee-ebpf --trace comm=trc*
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
<nothing>

If I trace for bash and follow its childs I can see comm as being "trc02.sh":

$ sudo ./dist/tracee-ebpf --trace comm=bash --trace follow
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
...
14:50:05:268517  1000   trc02.sh         1268752 1268752 0                sched_process_exec   cmdpath: ./trc02.sh, pathname: /usr/bin/bash, argv: [/bin/bash ./trc02.sh], dev: 271581185, inode: 2497707, invoked_from_kernel: 0, ctime: 1635735454403067397, stdin_type: S_IFCHR
...

Context

• Linux version: Ubuntu Impish
• Linux kernel version: 5.13
• Tracee version (or commit id of your tree): de2749f2
• LLVM version: 12
• Golang version: 1.17

Additional Information

N/A

[cdelzotti]

Hello, can I be assigned to this issue ?

[rafaeldtinoco]

@cdelzotti I'll ask @NDStrahilevitz to take a look at this one as this is something he is currently working on (filtering API improvements). He might already even have tackled this in his recent work.

[yanivagman]

Fixed as can be seen by dup #2337