(http://fleegix.org)",license:"Apache-2.0",main:"./lib/ejs.js",repository:{type:"git",url:"git://github.com/mde/ejs.git"},bugs:"https://github.com/mde/ejs/issues",homepage:"https://github.com/mde/ejs",dependencies:{},devDependencies:{browserify:"^13.1.1",eslint:"^4.14.0","git-directory-deploy":"^1.5.1",jake:"^10.3.1",jsdoc:"^3.4.0","lru-cache":"^4.0.1",mocha:"^5.0.5","uglify-js":"^3.3.16"},engines:{node:">=0.10.0"},scripts:{test:"mocha",postinstall:"node --harmony ./postinstall.js"}}},{}]},{},[1])(1)});
diff --git a/cmd/agent/gui/views/private/js/javascript.js b/cmd/agent/gui/views/private/js/javascript.js
index 66d800a586e34..d8c6c9eb25ed6 100644
--- a/cmd/agent/gui/views/private/js/javascript.js
+++ b/cmd/agent/gui/views/private/js/javascript.js
@@ -124,7 +124,7 @@ function checkStatus() {
if (checkStatus.uptime > last_ts) {
$("#restart_status").hide()
}
- checkStatus.uptime = last_ts
+ checkStatus.uptime = last_ts
},function() {
$("#agent_status").html("Not connected
to Agent");
$("#agent_status").css({
@@ -153,28 +153,6 @@ function loadStatus(page) {
sendMessage("agent/status/" + page, "", "post",
function(data, status, xhr){
$("#" + page + "_status").html(DOMPurify.sanitize(data));
-
- // Get the trace-agent status
- sendMessage("agent/getConfig/apm_config.receiver_port", "", "GET",
- function(data, status, xhr) {
- var apmPort = data["apm_config.debug.port"];
- if (apmPort == null) {
- apmPort = "5012";
- }
- var url = "http://127.0.0.1:"+apmPort+"/debug/vars"
- $.ajax({
- url: url,
- type: "GET",
- success: function(data) {
- $("#apmStats > .stat_data").html(ejs.render(apmTemplate, data));
- },
- error: function() {
- $("#apmStats > .stat_data").text("Status: Not running or not on localhost.");
- }
- })
- }, function() {
- $("#apmStats > .stat_data").html("Could not obtain trace-agent port from API.");
- })
},function(){
$("#" + page + "_status").html("An error occurred.");
});
diff --git a/cmd/agent/gui/views/templates/generalStatus.tmpl b/cmd/agent/gui/views/templates/generalStatus.tmpl
index fd993865c4cdc..d60bcc18466cd 100644
--- a/cmd/agent/gui/views/templates/generalStatus.tmpl
+++ b/cmd/agent/gui/views/templates/generalStatus.tmpl
@@ -478,9 +478,61 @@
-
+
APM
- Loading...
+
+ {{- with .apmStats -}}
+ {{- if .error }}
+ Not running or unreachable on localhost:{{.port}}
+ Error: {{.error}}
+ {{- else}}
+ Status: Running
+ Pid: {{.pid}}
+ Uptime: {{.uptime}} seconds
+ Mem alloc: {{humanize .memstats.Alloc}} bytes
+ Hostname: {{.config.Hostname}}
+ Receiver: {{.config.ReceiverHost}}:{{.config.ReceiverPort}}
+ Endpoints:
+
+ {{- range $i, $e := .config.Endpoints}}
+ {{ $e.Host }}
+ {{- end }}
+
+ Receiver (previous minute)
+
+ {{- if eq (len .receiver) 0}}
+ No traces received in the previous minute.
+ {{ else }}
+ {{ range $i, $ts := .receiver }}
+ From {{if $ts.Lang}}{{ $ts.Lang }} {{ $ts.LangVersion }} ({{ $ts.Interpreter }}), client {{ $ts.TracerVersion }}{{else}}unknown clients{{end}}
+
+ Traces received: {{ $ts.TracesReceived }} ({{ humanize $ts.TracesBytes }} bytes)
+ Spans received: {{ $ts.SpansReceived }}
+ {{ with $ts.WarnString }}
+
WARNING: {{ . }}
+ {{ end }}
+
+ {{ end }}
+ {{ end }}
+
+ {{range $key, $value := .ratebyservice_filtered -}}
+ {{- if eq $key "service:,env:" -}}
+ Default priority sampling rate: {{percent $value}}%
+ {{- else}}
+ Priority sampling rate for '{{ $key }}': {{percent $value}}%
+ {{- end}}
+ {{- end }}
+
+ Writer (previous minute)
+
+ Traces: {{.trace_writer.Payloads}} payloads, {{.trace_writer.Traces}} traces, {{.trace_writer.Events}} events, {{humanize .trace_writer.Bytes}} bytes
+ {{- if gt .trace_writer.Errors 0.0}}WARNING: Traces API errors (1 min): {{.trace_writer.Errors}}{{end}}
+ Stats: {{.stats_writer.Payloads}} payloads, {{.stats_writer.StatsBuckets}} stats buckets, {{humanize .stats_writer.Bytes}} bytes
+ {{- if gt .stats_writer.Errors 0.0}}WARNING: Stats API errors (1 min): {{.stats_writer.Errors}}{{end}}
+
+ {{- end }}
+ {{ end }}
+
@@ -532,7 +584,8 @@
{{- end }}
{{ end }}
-
+
+
diff --git a/cmd/agent/gui/views/templates/index.tmpl b/cmd/agent/gui/views/templates/index.tmpl
index 78723c4b4e7b4..daed6e5788e09 100644
--- a/cmd/agent/gui/views/templates/index.tmpl
+++ b/cmd/agent/gui/views/templates/index.tmpl
@@ -8,7 +8,6 @@
-
diff --git a/cmd/agent/subcommands/run/command.go b/cmd/agent/subcommands/run/command.go
index ddadbe3ca875e..4a700fd700cc5 100644
--- a/cmd/agent/subcommands/run/command.go
+++ b/cmd/agent/subcommands/run/command.go
@@ -484,8 +484,8 @@ func startAgent(
configService, err = remoteconfig.NewService()
if err != nil {
log.Errorf("Failed to initialize config management service: %s", err)
- } else if err := configService.Start(context.Background()); err != nil {
- log.Errorf("Failed to start config management service: %s", err)
+ } else {
+ configService.Start(context.Background())
}
if err := rcclient.Start("core-agent"); err != nil {
diff --git a/cmd/agent/subcommands/status/command.go b/cmd/agent/subcommands/status/command.go
index 88b30ee873dc1..a86a5d61e0076 100644
--- a/cmd/agent/subcommands/status/command.go
+++ b/cmd/agent/subcommands/status/command.go
@@ -11,10 +11,8 @@ import (
"encoding/json"
"errors"
"fmt"
- "net/http"
"net/url"
"os"
- "time"
"go.uber.org/fx"
@@ -162,14 +160,6 @@ func requestStatus(config config.Component, cliParams *cliParams) error {
if err != nil {
return err
}
- // attach trace-agent status, if obtainable
- temp := make(map[string]interface{})
- if err := json.Unmarshal(r, &temp); err == nil {
- temp["apmStats"] = getAPMStatus(config)
- if newr, err := json.Marshal(temp); err == nil {
- r = newr
- }
- }
// The rendering is done in the client so that the agent has less work to do
if cliParams.prettyPrintJSON {
@@ -195,30 +185,6 @@ func requestStatus(config config.Component, cliParams *cliParams) error {
return nil
}
-// getAPMStatus returns a set of key/value pairs summarizing the status of the trace-agent.
-// If the status can not be obtained for any reason, the returned map will contain an "error"
-// key with an explanation.
-func getAPMStatus(config config.Component) map[string]interface{} {
- port := config.GetInt("apm_config.debug.port")
- url := fmt.Sprintf("http://localhost:%d/debug/vars", port)
- resp, err := (&http.Client{Timeout: 2 * time.Second}).Get(url)
- if err != nil {
- return map[string]interface{}{
- "port": port,
- "error": err.Error(),
- }
- }
- defer resp.Body.Close()
- status := make(map[string]interface{})
- if err := json.NewDecoder(resp.Body).Decode(&status); err != nil {
- return map[string]interface{}{
- "port": port,
- "error": err.Error(),
- }
- }
- return status
-}
-
func componentStatusCmd(log log.Component, config config.Component, cliParams *cliParams) error {
if len(cliParams.args) != 1 {
return fmt.Errorf("a component name must be specified")
diff --git a/cmd/cluster-agent/api/v1/clusterchecks.go b/cmd/cluster-agent/api/v1/clusterchecks.go
index 9dae02174badd..b26a1387cf119 100644
--- a/cmd/cluster-agent/api/v1/clusterchecks.go
+++ b/cmd/cluster-agent/api/v1/clusterchecks.go
@@ -29,6 +29,7 @@ func installClusterCheckEndpoints(r *mux.Router, sc clusteragent.ServerContext)
r.HandleFunc("/clusterchecks/configs/{identifier}", api.WithTelemetryWrapper("getCheckConfigs", getCheckConfigs(sc))).Methods("GET")
r.HandleFunc("/clusterchecks/rebalance", api.WithTelemetryWrapper("postRebalanceChecks", postRebalanceChecks(sc))).Methods("POST")
r.HandleFunc("/clusterchecks", api.WithTelemetryWrapper("getState", getState(sc))).Methods("GET")
+ r.HandleFunc("/clusterchecks/isolate/check/{identifier}", api.WithTelemetryWrapper("postIsolateCheck", postIsolateCheck(sc))).Methods("POST")
}
// RebalancePostPayload struct is for the JSON messages received from a client POST request
@@ -121,6 +122,26 @@ func postRebalanceChecks(sc clusteragent.ServerContext) func(w http.ResponseWrit
}
}
+// postIsolateCheck requests that a specified check be isolated in a runner
+func postIsolateCheck(sc clusteragent.ServerContext) func(w http.ResponseWriter, r *http.Request) {
+ if sc.ClusterCheckHandler == nil {
+ return clusterChecksDisabledHandler
+ }
+
+ return func(w http.ResponseWriter, r *http.Request) {
+ if sc.ClusterCheckHandler.RejectOrForwardLeaderQuery(w, r) {
+ return
+ }
+
+ vars := mux.Vars(r)
+ isolateCheckID := vars["identifier"]
+
+ response := sc.ClusterCheckHandler.IsolateCheck(isolateCheckID)
+
+ writeJSONResponse(w, response)
+ }
+}
+
// getState is used by the clustercheck config
func getState(sc clusteragent.ServerContext) func(w http.ResponseWriter, r *http.Request) {
if sc.ClusterCheckHandler == nil {
diff --git a/cmd/cluster-agent/subcommands/start/command.go b/cmd/cluster-agent/subcommands/start/command.go
index 873a868d8c239..82661891e3f26 100644
--- a/cmd/cluster-agent/subcommands/start/command.go
+++ b/cmd/cluster-agent/subcommands/start/command.go
@@ -105,6 +105,7 @@ func Commands(globalParams *command.GlobalParams) []*cobra.Command {
collectors.GetCatalog(),
fx.Supply(workloadmeta.Params{
InitHelper: common.GetWorkloadmetaInit(),
+ AgentType: workloadmeta.ClusterAgent,
}), // TODO(components): check what this must be for cluster-agent-cloudfoundry
fx.Supply(context.Background()),
workloadmeta.Module,
@@ -446,9 +447,7 @@ func initializeRemoteConfig(ctx context.Context) (*remote.Client, error) {
return nil, fmt.Errorf("unable to create remote-config service: %w", err)
}
- if err := configService.Start(ctx); err != nil {
- return nil, fmt.Errorf("unable to start remote-config service: %w", err)
- }
+ configService.Start(ctx)
rcClient, err := remote.NewClient("cluster-agent", configService, version.AgentVersion, []data.Product{data.ProductAPMTracing}, time.Second*5)
if err != nil {
diff --git a/cmd/cluster-agent/subcommands/start/compliance.go b/cmd/cluster-agent/subcommands/start/compliance.go
index d4833889c16a0..a6be8344d2225 100644
--- a/cmd/cluster-agent/subcommands/start/compliance.go
+++ b/cmd/cluster-agent/subcommands/start/compliance.go
@@ -83,19 +83,19 @@ func startCompliance(senderManager sender.SenderManager, stopper startstop.Stopp
configDir := coreconfig.Datadog.GetString("compliance_config.dir")
checkInterval := coreconfig.Datadog.GetDuration("compliance_config.check_interval")
- reporter, err := compliance.NewLogReporter(stopper, "compliance-agent", "compliance", runPath, endpoints, ctx)
+ hname, err := hostname.Get(context.TODO())
if err != nil {
return err
}
- runner := runner.NewRunner(senderManager)
- stopper.Add(runner)
-
- hname, err := hostname.Get(context.TODO())
+ reporter, err := compliance.NewLogReporter(hname, stopper, "compliance-agent", "compliance", runPath, endpoints, ctx)
if err != nil {
return err
}
+ runner := runner.NewRunner(senderManager)
+ stopper.Add(runner)
+
agent := compliance.NewAgent(senderManager, compliance.AgentOptions{
ConfigDir: configDir,
Reporter: reporter,
diff --git a/cmd/process-agent/subcommands/status/status.go b/cmd/process-agent/subcommands/status/status.go
index c0e771c44aba3..1def211776ccf 100644
--- a/cmd/process-agent/subcommands/status/status.go
+++ b/cmd/process-agent/subcommands/status/status.go
@@ -139,7 +139,10 @@ func getAndWriteStatus(log log.Component, statusURL string, w io.Writer, options
option(&s)
}
- body, err = json.Marshal(s)
+ status := map[string]interface{}{}
+ status["processAgentStatus"] = s
+
+ body, err = json.Marshal(status)
if err != nil {
writeError(log, w, err)
return
diff --git a/cmd/process-agent/subcommands/status/status_test.go b/cmd/process-agent/subcommands/status/status_test.go
index 6278cb086748e..f5d512fd1577d 100644
--- a/cmd/process-agent/subcommands/status/status_test.go
+++ b/cmd/process-agent/subcommands/status/status_test.go
@@ -42,7 +42,8 @@ func fakeStatusServer(t *testing.T, stats status.Status) *httptest.Server {
func TestStatus(t *testing.T) {
testTime := time.Now()
- expectedStatus := status.Status{
+ statusData := map[string]status.Status{}
+ statusInfo := status.Status{
Date: float64(testTime.UnixNano()),
Core: status.CoreStatus{
Metadata: hostMetadataUtils.Payload{
@@ -51,12 +52,13 @@ func TestStatus(t *testing.T) {
},
Expvars: status.ProcessExpvars{},
}
+ statusData["processAgentStatus"] = statusInfo
- server := fakeStatusServer(t, expectedStatus)
+ server := fakeStatusServer(t, statusInfo)
defer server.Close()
// Build what the expected status should be
- j, err := json.Marshal(expectedStatus)
+ j, err := json.Marshal(statusData)
require.NoError(t, err)
expectedOutput, err := render.FormatProcessAgentStatus(j)
require.NoError(t, err)
diff --git a/cmd/security-agent/subcommands/check/command.go b/cmd/security-agent/subcommands/check/command.go
index f724fde693418..ce00b27fddea6 100644
--- a/cmd/security-agent/subcommands/check/command.go
+++ b/cmd/security-agent/subcommands/check/command.go
@@ -36,6 +36,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/compliance/k8sconfig"
pkgconfig "github.com/DataDog/datadog-agent/pkg/config"
"github.com/DataDog/datadog-agent/pkg/security/common"
+ "github.com/DataDog/datadog-agent/pkg/security/utils"
"github.com/DataDog/datadog-agent/pkg/util/flavor"
"github.com/DataDog/datadog-agent/pkg/util/fxutil"
"github.com/DataDog/datadog-agent/pkg/util/hostname"
@@ -243,7 +244,12 @@ func dumpComplianceEvents(reportFile string, events []*compliance.CheckEvent) er
return nil
}
-func reportComplianceEvents(_ log.Component, config config.Component, events []*compliance.CheckEvent) error {
+func reportComplianceEvents(log log.Component, config config.Component, events []*compliance.CheckEvent) error {
+ hostnameDetected, err := utils.GetHostnameWithContextAndFallback(context.Background())
+ if err != nil {
+ return log.Errorf("Error while getting hostname, exiting: %v", err)
+ }
+
stopper := startstop.NewSerialStopper()
defer stopper.Stop()
runPath := config.GetString("compliance_config.run_path")
@@ -251,7 +257,7 @@ func reportComplianceEvents(_ log.Component, config config.Component, events []*
if err != nil {
return fmt.Errorf("reporter: could not reate log context for compliance: %w", err)
}
- reporter, err := compliance.NewLogReporter(stopper, "compliance-agent", "compliance", runPath, endpoints, context)
+ reporter, err := compliance.NewLogReporter(hostnameDetected, stopper, "compliance-agent", "compliance", runPath, endpoints, context)
if err != nil {
return fmt.Errorf("reporter: could not create: %w", err)
}
diff --git a/cmd/security-agent/subcommands/compliance/command.go b/cmd/security-agent/subcommands/compliance/command.go
index 4136854f1a5a8..080e2638945bd 100644
--- a/cmd/security-agent/subcommands/compliance/command.go
+++ b/cmd/security-agent/subcommands/compliance/command.go
@@ -6,6 +6,7 @@
package compliance
import (
+ "context"
"fmt"
"strings"
@@ -21,6 +22,7 @@ import (
"github.com/DataDog/datadog-agent/comp/core/secrets"
"github.com/DataDog/datadog-agent/pkg/compliance"
"github.com/DataDog/datadog-agent/pkg/security/common"
+ "github.com/DataDog/datadog-agent/pkg/security/utils"
"github.com/DataDog/datadog-agent/pkg/util/fxutil"
"github.com/DataDog/datadog-agent/pkg/util/startstop"
)
@@ -79,7 +81,12 @@ func complianceEventCommand(globalParams *command.GlobalParams) *cobra.Command {
return eventCmd
}
-func eventRun(_ log.Component, config config.Component, _ secrets.Component, eventArgs *cliParams) error {
+func eventRun(log log.Component, config config.Component, eventArgs *cliParams) error {
+ hostnameDetected, err := utils.GetHostnameWithContextAndFallback(context.Background())
+ if err != nil {
+ return log.Errorf("Error while getting hostname, exiting: %v", err)
+ }
+
stopper := startstop.NewSerialStopper()
defer stopper.Stop()
@@ -89,7 +96,7 @@ func eventRun(_ log.Component, config config.Component, _ secrets.Component, eve
}
runPath := config.GetString("compliance_config.run_path")
- reporter, err := compliance.NewLogReporter(stopper, eventArgs.sourceName, eventArgs.sourceType, runPath, endpoints, dstContext)
+ reporter, err := compliance.NewLogReporter(hostnameDetected, stopper, eventArgs.sourceName, eventArgs.sourceType, runPath, endpoints, dstContext)
if err != nil {
return fmt.Errorf("failed to set up compliance log reporter: %w", err)
}
diff --git a/cmd/security-agent/subcommands/compliance/compliance.go b/cmd/security-agent/subcommands/compliance/compliance.go
index 50b5beba0aa77..41e4957f5a981 100644
--- a/cmd/security-agent/subcommands/compliance/compliance.go
+++ b/cmd/security-agent/subcommands/compliance/compliance.go
@@ -44,7 +44,7 @@ func StartCompliance(log log.Component, config config.Component, sysprobeconfig
}
stopper.Add(context)
- reporter, err := compliance.NewLogReporter(stopper, "compliance-agent", "compliance", runPath, endpoints, context)
+ reporter, err := compliance.NewLogReporter(hostname, stopper, "compliance-agent", "compliance", runPath, endpoints, context)
if err != nil {
return nil, err
}
diff --git a/cmd/security-agent/subcommands/runtime/command.go b/cmd/security-agent/subcommands/runtime/command.go
index f9c03236a28f2..3b01f562c4c1e 100644
--- a/cmd/security-agent/subcommands/runtime/command.go
+++ b/cmd/security-agent/subcommands/runtime/command.go
@@ -646,7 +646,7 @@ func StartRuntimeSecurity(log log.Component, config config.Component, hostname s
stopper.Add(ctx)
runPath := config.GetString("runtime_security_config.run_path")
- reporter, err := reporter.NewCWSReporter(runPath, stopper, endpoints, ctx)
+ reporter, err := reporter.NewCWSReporter(hostname, runPath, stopper, endpoints, ctx)
if err != nil {
return nil, err
}
diff --git a/cmd/security-agent/subcommands/start/command.go b/cmd/security-agent/subcommands/start/command.go
index 8f357ac4b438e..9f3e261dfbdb6 100644
--- a/cmd/security-agent/subcommands/start/command.go
+++ b/cmd/security-agent/subcommands/start/command.go
@@ -52,7 +52,6 @@ import (
"github.com/DataDog/datadog-agent/pkg/tagger/remote"
"github.com/DataDog/datadog-agent/pkg/util"
"github.com/DataDog/datadog-agent/pkg/util/fxutil"
- "github.com/DataDog/datadog-agent/pkg/util/hostname"
"github.com/DataDog/datadog-agent/pkg/util/profiling"
"github.com/DataDog/datadog-agent/pkg/util/startstop"
"github.com/DataDog/datadog-agent/pkg/version"
@@ -244,15 +243,10 @@ func RunAgent(ctx context.Context, log log.Component, config config.Component, s
}
}()
- hostnameDetected, err := utils.GetHostnameWithContext(ctx)
+ hostnameDetected, err := utils.GetHostnameWithContextAndFallback(ctx)
if err != nil {
- log.Warnf("Could not resolve hostname from core-agent: %v", err)
- hostnameDetected, err = hostname.Get(ctx)
- if err != nil {
- return log.Errorf("Error while getting hostname, exiting: %v", err)
- }
+ return log.Errorf("Error while getting hostname, exiting: %v", err)
}
- log.Infof("Hostname is: %s", hostnameDetected)
demultiplexer.AddAgentStartupTelemetry(fmt.Sprintf("%s - Datadog Security Agent", version.AgentVersion))
stopper = startstop.NewSerialStopper()
diff --git a/cmd/system-probe/config/adjust_security.go b/cmd/system-probe/config/adjust_security.go
index b884ddeead6f4..6f4a2ed611fb0 100644
--- a/cmd/system-probe/config/adjust_security.go
+++ b/cmd/system-probe/config/adjust_security.go
@@ -18,6 +18,16 @@ func adjustSecurity(cfg config.Config) {
return time.Duration(cfg.GetInt(secNS("activity_dump.cgroup_dump_timeout"))) * time.Minute
})
+ deprecateCustom(
+ cfg,
+ secNS("runtime_security_config.security_profile.anomaly_detection.auto_suppression.enabled"),
+ secNS("runtime_security_config.security_profile.auto_suppression.enabled"),
+ func(cfg config.Config) interface{} {
+ // convert old auto suppression parameter to the new one
+ return cfg.GetBool(secNS("runtime_security_config.security_profile.anomaly_detection.auto_suppression.enabled"))
+ },
+ )
+
if cfg.GetBool(secNS("enabled")) {
// if runtime is enabled then we force fim
cfg.Set(secNS("fim_enabled"), true, model.SourceAgentRuntime)
diff --git a/cmd/trace-agent/config/remote/config.go b/cmd/trace-agent/config/remote/config.go
index 315e879f5fcbe..9f6e61854abfc 100644
--- a/cmd/trace-agent/config/remote/config.go
+++ b/cmd/trace-agent/config/remote/config.go
@@ -22,6 +22,8 @@ import (
"github.com/DataDog/datadog-agent/pkg/trace/metrics/timing"
"github.com/DataDog/datadog-agent/pkg/trace/traceutil"
"github.com/DataDog/datadog-agent/pkg/util/log"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
)
var bufferPool = sync.Pool{
@@ -74,7 +76,14 @@ func ConfigHandler(r *api.HTTPReceiver, client remote.ConfigUpdater, cfg *config
}
cfg, err := client.ClientGetConfigs(req.Context(), &configsRequest)
if err != nil {
- statusCode = http.StatusInternalServerError
+ if e, ok := status.FromError(err); ok {
+ switch e.Code() {
+ case codes.Unimplemented, codes.NotFound:
+ statusCode = http.StatusNotFound
+ }
+ } else {
+ statusCode = http.StatusInternalServerError
+ }
http.Error(w, err.Error(), statusCode)
return
}
diff --git a/cmd/trace-agent/config/remote/config_test.go b/cmd/trace-agent/config/remote/config_test.go
index 4e56731211994..6c605bea2989b 100644
--- a/cmd/trace-agent/config/remote/config_test.go
+++ b/cmd/trace-agent/config/remote/config_test.go
@@ -22,6 +22,9 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/mock"
+
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
)
func TestConfigEndpoint(t *testing.T) {
@@ -153,6 +156,26 @@ func TestUpstreamRequest(t *testing.T) {
}
}
+func TestForwardErrors(t *testing.T) {
+ assert := assert.New(t)
+ grpc := agentGRPCConfigFetcher{}
+ rcv := api.NewHTTPReceiver(config.New(), sampler.NewDynamicConfig(), make(chan *api.Payload, 5000), nil, telemetry.NewNoopCollector())
+
+ grpc.On("ClientGetConfigs", mock.Anything, mock.Anything, mock.Anything).
+ Return(nil, status.Error(codes.Unimplemented, "not implemented"))
+
+ mux := http.NewServeMux()
+ mux.Handle("/v0.7/config", ConfigHandler(rcv, &grpc, &config.AgentConfig{}))
+ server := httptest.NewServer(mux)
+
+ req, _ := http.NewRequest("POST", server.URL+"/v0.7/config", strings.NewReader(`{"client":{"id":"test_client","is_tracer":true,"client_tracer":{"service":"test","tags":["foo:bar"]}}}`))
+ req.Header.Set("Datadog-Container-ID", "cid")
+ r, err := http.DefaultClient.Do(req)
+ assert.NoError(err)
+ assert.Equal(404, r.StatusCode)
+ r.Body.Close()
+}
+
type agentGRPCConfigFetcher struct {
pbgo.AgentSecureClient
mock.Mock
@@ -160,5 +183,9 @@ type agentGRPCConfigFetcher struct {
func (a *agentGRPCConfigFetcher) ClientGetConfigs(ctx context.Context, in *pbgo.ClientGetConfigsRequest) (*pbgo.ClientGetConfigsResponse, error) {
args := a.Called(ctx, in)
- return args.Get(0).(*pbgo.ClientGetConfigsResponse), args.Error(1)
+ var maybeResponse *pbgo.ClientGetConfigsResponse
+ if args.Get(0) != nil {
+ maybeResponse = args.Get(0).(*pbgo.ClientGetConfigsResponse)
+ }
+ return maybeResponse, args.Error(1)
}
diff --git a/comp/README.md b/comp/README.md
index ee0bf5e663b1e..e83c32b54ed0a 100644
--- a/comp/README.md
+++ b/comp/README.md
@@ -4,171 +4,171 @@
This file lists all components defined in this repository, with their package summary.
Click the links for more documentation.
-## [comp/aggregator](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/aggregator) (Component Bundle)
+## [comp/aggregator](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/aggregator) (Component Bundle)
*Datadog Team*: agent-shared-components
Package aggregator implements the "aggregator" bundle,
-### [comp/aggregator/demultiplexer](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/aggregator/demultiplexer)
+### [comp/aggregator/demultiplexer](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/aggregator/demultiplexer)
Package demultiplexer defines the aggregator demultiplexer
-### [comp/aggregator/diagnosesendermanager](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/aggregator/diagnosesendermanager)
+### [comp/aggregator/diagnosesendermanager](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/aggregator/diagnosesendermanager)
Package diagnosesendermanager defines the sender manager for the local diagnose check
-## [comp/checks](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/checks) (Component Bundle)
+## [comp/checks](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/checks) (Component Bundle)
*Datadog Team*: agent-shared-components
Package checks implements the "checks" bundle, for all of the component based agent checks
-### [comp/checks/agentcrashdetect](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/checks/agentcrashdetect)
+### [comp/checks/agentcrashdetect](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/checks/agentcrashdetect)
*Datadog Team*: windows-kernel-integrations
Package agentcrashdetect ... /* TODO: detailed doc comment for the component */
-### [comp/checks/winregistry](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/checks/winregistry)
+### [comp/checks/winregistry](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/checks/winregistry)
*Datadog Team*: windows-agent
Package winregistry implements the Windows Registry check
-## [comp/core](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/core) (Component Bundle)
+## [comp/core](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/core) (Component Bundle)
*Datadog Team*: agent-shared-components
Package core implements the "core" bundle, providing services common to all
agent flavors and binaries.
-### [comp/core/config](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/core/config)
+### [comp/core/config](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/core/config)
Package config implements a component to handle agent configuration. This
component temporarily wraps pkg/config.
-### [comp/core/flare](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/core/flare)
+### [comp/core/flare](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/core/flare)
Package flare implements a component to generate flares from the agent.
-### [comp/core/hostname](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/core/hostname)
+### [comp/core/hostname](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/core/hostname)
Package hostname exposes hostname.Get() as a component.
-### [comp/core/log](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/core/log)
+### [comp/core/log](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/core/log)
Package log implements a component to handle logging internal to the agent.
-### [comp/core/secrets](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/core/secrets)
+### [comp/core/secrets](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/core/secrets)
Package secrets decodes secret values by invoking the configured executable command
-### [comp/core/sysprobeconfig](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/core/sysprobeconfig)
+### [comp/core/sysprobeconfig](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/core/sysprobeconfig)
*Datadog Team*: ebpf-platform
Package sysprobeconfig implements a component to handle system-probe configuration. This
component temporarily wraps pkg/config.
-### [comp/core/telemetry](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/core/telemetry)
+### [comp/core/telemetry](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/core/telemetry)
Package telemetry implements a component for all agent telemetry.
-### [comp/core/workloadmeta](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/core/workloadmeta)
+### [comp/core/workloadmeta](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/core/workloadmeta)
*Datadog Team*: container-integrations
Package workloadmeta provides the workloadmeta component for the Datadog Agent
-## [comp/dogstatsd](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/dogstatsd) (Component Bundle)
+## [comp/dogstatsd](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/dogstatsd) (Component Bundle)
*Datadog Team*: agent-metrics-logs
-### [comp/dogstatsd/replay](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/dogstatsd/replay)
+### [comp/dogstatsd/replay](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/dogstatsd/replay)
Package server implements a component to run the dogstatsd capture/replay
-### [comp/dogstatsd/server](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/dogstatsd/server)
+### [comp/dogstatsd/server](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/dogstatsd/server)
Package server implements a component to run the dogstatsd server
-### [comp/dogstatsd/serverDebug](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/dogstatsd/serverDebug)
+### [comp/dogstatsd/serverDebug](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/dogstatsd/serverDebug)
Package serverdebug implements a component to run the dogstatsd server debug
-### [comp/dogstatsd/statsd](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/dogstatsd/statsd)
+### [comp/dogstatsd/statsd](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/dogstatsd/statsd)
*Datadog Team*: agent-shared-components
Package statsd implements a component to get a statsd client.
-## [comp/forwarder](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/forwarder) (Component Bundle)
+## [comp/forwarder](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/forwarder) (Component Bundle)
*Datadog Team*: agent-shared-components
Package forwarder implements the "forwarder" bundle
-### [comp/forwarder/defaultforwarder](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/forwarder/defaultforwarder)
+### [comp/forwarder/defaultforwarder](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/forwarder/defaultforwarder)
Package defaultForwarder implements a component to send payloads to the backend
-### [comp/forwarder/orchestrator](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/forwarder/orchestrator)
+### [comp/forwarder/orchestrator](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/forwarder/orchestrator)
*Datadog Team*: agent-metrics-logs
Package orchestrator implements the orchestrator forwarder component.
-## [comp/languagedetection](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/languagedetection) (Component Bundle)
+## [comp/languagedetection](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/languagedetection) (Component Bundle)
*Datadog Team*: container-integrations
Package languagedetection implements the "languagedetection" bundle
-### [comp/languagedetection/client](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/languagedetection/client)
+### [comp/languagedetection/client](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/languagedetection/client)
Package client implements a component to send process metadata to the Cluster-Agent
-## [comp/logs](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/logs) (Component Bundle)
+## [comp/logs](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/logs) (Component Bundle)
*Datadog Team*: agent-metrics-logs
-### [comp/logs/agent](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/logs/agent)
+### [comp/logs/agent](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/logs/agent)
Package agent contains logs agent component.
-## [comp/metadata](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/metadata) (Component Bundle)
+## [comp/metadata](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/metadata) (Component Bundle)
*Datadog Team*: agent-shared-components
Package metadata implements the "metadata" bundle, providing services and support for all the metadata payload sent
by the Agent.
-### [comp/metadata/host](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/metadata/host)
+### [comp/metadata/host](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/metadata/host)
Package host implements a component to generate the 'host' metadata payload (also known as "v5").
-### [comp/metadata/inventoryagent](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/metadata/inventoryagent)
+### [comp/metadata/inventoryagent](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/metadata/inventoryagent)
Package inventoryagent implements a component to generate the 'datadog_agent' metadata payload for inventory.
-### [comp/metadata/inventoryhost](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/metadata/inventoryhost)
+### [comp/metadata/inventoryhost](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/metadata/inventoryhost)
Package inventoryhost exposes the interface for the component to generate the 'host_metadata' metadata payload for inventory.
-### [comp/metadata/resources](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/metadata/resources)
+### [comp/metadata/resources](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/metadata/resources)
Package resources implements a component to generate the 'resources' metadata payload.
-### [comp/metadata/runner](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/metadata/runner)
+### [comp/metadata/runner](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/metadata/runner)
Package runner implements a component to generate metadata payload at the right interval.
-## [comp/ndmtmp](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/ndmtmp) (Component Bundle)
+## [comp/ndmtmp](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/ndmtmp) (Component Bundle)
*Datadog Team*: network-device-monitoring
@@ -176,133 +176,133 @@ Package ndmtmp implements the "ndmtmp" bundle, which exposes the default
sender.Sender and the event platform forwarder. This is a temporary module
intended for ndm internal use until these pieces are properly componentized.
-### [comp/ndmtmp/forwarder](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/ndmtmp/forwarder)
+### [comp/ndmtmp/forwarder](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/ndmtmp/forwarder)
Package forwarder exposes the event platform forwarder for netflow.
-## [comp/netflow](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/netflow) (Component Bundle)
+## [comp/netflow](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/netflow) (Component Bundle)
*Datadog Team*: network-device-monitoring
Package netflow implements the "netflow" bundle, which listens for netflow
packets, processes them, and forwards relevant data to the backend.
-### [comp/netflow/config](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/netflow/config)
+### [comp/netflow/config](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/netflow/config)
Package config exposes the netflow configuration as a component.
-### [comp/netflow/server](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/netflow/server)
+### [comp/netflow/server](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/netflow/server)
Package server implements a component that runs the netflow server.
When running, it listens for network traffic according to configured
listeners and aggregates traffic data to send to the backend.
It does not expose any public methods.
-## [comp/otelcol](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/otelcol) (Component Bundle)
+## [comp/otelcol](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/otelcol) (Component Bundle)
*Datadog Team*: opentelemetry
Package otelcol contains the OTLP ingest bundle pipeline to be included
into the agent components.
-### [comp/otelcol/collector](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/otelcol/collector)
+### [comp/otelcol/collector](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/otelcol/collector)
Package collector implements the OpenTelemetry Collector component.
-## [comp/process](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process) (Component Bundle)
+## [comp/process](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process) (Component Bundle)
*Datadog Team*: processes
Package process implements the "process" bundle, providing components for the Process Agent
-### [comp/process/apiserver](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/apiserver)
+### [comp/process/apiserver](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/apiserver)
Package apiserver initializes the api server that powers many subcommands.
-### [comp/process/connectionscheck](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/connectionscheck)
+### [comp/process/connectionscheck](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/connectionscheck)
Package connectionscheck implements a component to handle Connections data collection in the Process Agent.
-### [comp/process/containercheck](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/containercheck)
+### [comp/process/containercheck](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/containercheck)
Package containercheck implements a component to handle Container data collection in the Process Agent.
-### [comp/process/expvars](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/expvars)
+### [comp/process/expvars](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/expvars)
Package expvars initializes the expvar server of the process agent.
-### [comp/process/forwarders](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/forwarders)
+### [comp/process/forwarders](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/forwarders)
Package forwarders implements a component to provide forwarders used by the process agent.
-### [comp/process/hostinfo](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/hostinfo)
+### [comp/process/hostinfo](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/hostinfo)
Package hostinfo wraps the hostinfo inside a component. This is useful because it is relied on by other components.
-### [comp/process/podcheck](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/podcheck)
+### [comp/process/podcheck](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/podcheck)
Package podcheck implements a component to handle Kubernetes data collection in the Process Agent.
-### [comp/process/processcheck](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/processcheck)
+### [comp/process/processcheck](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/processcheck)
Package processcheck implements a component to handle Process data collection in the Process Agent.
-### [comp/process/processdiscoverycheck](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/processdiscoverycheck)
+### [comp/process/processdiscoverycheck](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/processdiscoverycheck)
Package processdiscoverycheck implements a component to handle Process Discovery data collection in the Process Agent for customers who do not pay for live processes.
-### [comp/process/processeventscheck](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/processeventscheck)
+### [comp/process/processeventscheck](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/processeventscheck)
Package processeventscheck implements a component to handle Process Events data collection in the Process Agent.
-### [comp/process/profiler](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/profiler)
+### [comp/process/profiler](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/profiler)
Package profiler implements a component to handle starting and stopping the internal profiler.
-### [comp/process/rtcontainercheck](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/rtcontainercheck)
+### [comp/process/rtcontainercheck](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/rtcontainercheck)
Package rtcontainercheck implements a component to handle realtime Container data collection in the Process Agent.
-### [comp/process/runner](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/runner)
+### [comp/process/runner](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/runner)
Package runner implements a component to run data collection checks in the Process Agent.
-### [comp/process/submitter](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/process/submitter)
+### [comp/process/submitter](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/process/submitter)
Package submitter implements a component to submit collected data in the Process Agent to
supported Datadog intakes.
-## [comp/remote-config](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/remote-config) (Component Bundle)
+## [comp/remote-config](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/remote-config) (Component Bundle)
*Datadog Team*: remote-config
-### [comp/remote-config/rcclient](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/remote-config/rcclient)
+### [comp/remote-config/rcclient](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/remote-config/rcclient)
-## [comp/systray](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/systray) (Component Bundle)
+## [comp/systray](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/systray) (Component Bundle)
*Datadog Team*: windows-agent
Package systray implements the Datadog Agent Manager System Tray
-### [comp/systray/systray](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/systray/systray)
+### [comp/systray/systray](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/systray/systray)
Package systray provides a component for the system tray application
-## [comp/trace](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/trace) (Component Bundle)
+## [comp/trace](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/trace) (Component Bundle)
*Datadog Team*: agent-apm
Package trace implements the "trace" bundle, providing components for the Trace Agent
-### [comp/trace/agent](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/trace/agent)
+### [comp/trace/agent](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/trace/agent)
-### [comp/trace/config](https://pkg.go.dev/github.com/DataDog/dd-agent-comp-experiments/comp/trace/config)
+### [comp/trace/config](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/trace/config)
Package config implements a component to handle trace-agent configuration. This
component temporarily wraps pkg/trace/config.
diff --git a/comp/checks/agentcrashdetect/agentcrashdetectimpl/agentcrashdetect.go b/comp/checks/agentcrashdetect/agentcrashdetectimpl/agentcrashdetect.go
index 3a848f7a94710..aefdf616edc96 100644
--- a/comp/checks/agentcrashdetect/agentcrashdetectimpl/agentcrashdetect.go
+++ b/comp/checks/agentcrashdetect/agentcrashdetectimpl/agentcrashdetect.go
@@ -13,26 +13,23 @@ import (
"fmt"
"strings"
- "github.com/DataDog/datadog-agent/pkg/aggregator/sender"
"go.uber.org/fx"
+ "golang.org/x/sys/windows/registry"
+ yaml "gopkg.in/yaml.v2"
+ "github.com/DataDog/datadog-agent/comp/checks/agentcrashdetect"
+ compsysconfig "github.com/DataDog/datadog-agent/comp/core/sysprobeconfig"
+ comptraceconfig "github.com/DataDog/datadog-agent/comp/trace/config"
+ "github.com/DataDog/datadog-agent/pkg/aggregator/sender"
"github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
-
"github.com/DataDog/datadog-agent/pkg/collector/check"
core "github.com/DataDog/datadog-agent/pkg/collector/corechecks"
"github.com/DataDog/datadog-agent/pkg/collector/corechecks/system/wincrashdetect/probe"
-
- "github.com/DataDog/datadog-agent/comp/checks/agentcrashdetect"
- compsysconfig "github.com/DataDog/datadog-agent/comp/core/sysprobeconfig"
- comptraceconfig "github.com/DataDog/datadog-agent/comp/trace/config"
-
"github.com/DataDog/datadog-agent/pkg/internaltelemetry"
traceconfig "github.com/DataDog/datadog-agent/pkg/trace/config"
+ "github.com/DataDog/datadog-agent/pkg/util/crashreport"
"github.com/DataDog/datadog-agent/pkg/util/fxutil"
"github.com/DataDog/datadog-agent/pkg/util/log"
- "github.com/DataDog/datadog-agent/pkg/util/winutil/crashreport"
- "golang.org/x/sys/windows/registry"
- yaml "gopkg.in/yaml.v2"
)
const (
diff --git a/comp/checks/bundle_test.go b/comp/checks/bundle_test.go
index 8e5b5c8d7b52c..b4441761ec286 100644
--- a/comp/checks/bundle_test.go
+++ b/comp/checks/bundle_test.go
@@ -12,8 +12,8 @@ import (
"github.com/DataDog/datadog-agent/comp/core"
comptraceconfig "github.com/DataDog/datadog-agent/comp/trace/config"
+ "github.com/DataDog/datadog-agent/pkg/util/crashreport"
"github.com/DataDog/datadog-agent/pkg/util/fxutil"
- "github.com/DataDog/datadog-agent/pkg/util/winutil/crashreport"
"go.uber.org/fx"
)
diff --git a/comp/checks/winregistry/impl/integration_logs_registry_delegate.go b/comp/checks/winregistry/impl/integration_logs_registry_delegate.go
index 79070f092e3d1..ab0e868dc28c0 100644
--- a/comp/checks/winregistry/impl/integration_logs_registry_delegate.go
+++ b/comp/checks/winregistry/impl/integration_logs_registry_delegate.go
@@ -30,16 +30,16 @@ const (
// logEvent struct defines the extra attributes that are sent along with the log message
type logEvent struct {
- keyPath string `yaml:"key_path"`
- eventType string `yaml:"event_type"`
+ KeyPath string `yaml:"key_path"`
+ EventType string `yaml:"event_type"`
// process_id, process_name and thread_id will be coming in a future version.
}
type valueChangedLogEvent struct {
logEvent
- oldValue interface{} `yaml:"old_value"`
- newValue interface{} `yaml:"new_value"`
+ OldValue interface{} `yaml:"old_value"`
+ NewValue interface{} `yaml:"new_value"`
}
func (i *integrationLogsRegistryDelegate) sendLog(status string, payload message.BasicStructuredContent) {
@@ -83,10 +83,10 @@ func (i *integrationLogsRegistryDelegate) processValue(valueName, originalVal st
log = fmt.Sprintf("value %s = '%v'", keyName, val)
}
i.sendLog("info", getPayload[valueChangedLogEvent](log, func(e *valueChangedLogEvent) {
- e.keyPath = keyName
- e.eventType = eventType
- e.oldValue = nil
- e.newValue = val
+ e.KeyPath = keyName
+ e.EventType = eventType
+ e.OldValue = nil
+ e.NewValue = val
}))
i.valueMap[keyName] = val
} else if cachedVal != val {
@@ -97,10 +97,10 @@ func (i *integrationLogsRegistryDelegate) processValue(valueName, originalVal st
log = fmt.Sprintf("value %s changed from '%v' to '%v'", keyName, cachedVal, val)
}
i.sendLog("info", getPayload[valueChangedLogEvent](log, func(e *valueChangedLogEvent) {
- e.keyPath = keyName
- e.eventType = eventType
- e.oldValue = cachedVal
- e.newValue = val
+ e.KeyPath = keyName
+ e.EventType = eventType
+ e.OldValue = cachedVal
+ e.NewValue = val
}))
i.valueMap[keyName] = val
}
@@ -123,10 +123,10 @@ func (i *integrationLogsRegistryDelegate) onMissing(valueName string, regKeyCfg
cachedVal, ok := i.valueMap[keyName]
if ok {
i.sendLog("info", getPayload[valueChangedLogEvent](fmt.Sprintf("value %s ('%v') was deleted", keyName, cachedVal), func(e *valueChangedLogEvent) {
- e.keyPath = keyName
- e.eventType = keyDeleted
- e.oldValue = cachedVal
- e.newValue = nil
+ e.KeyPath = keyName
+ e.EventType = keyDeleted
+ e.OldValue = cachedVal
+ e.NewValue = nil
}))
delete(i.valueMap, keyName)
}
diff --git a/comp/core/flare/types/go.mod b/comp/core/flare/types/go.mod
new file mode 100644
index 0000000000000..815937c4a8444
--- /dev/null
+++ b/comp/core/flare/types/go.mod
@@ -0,0 +1,13 @@
+module github.com/DataDog/datadog-agent/comp/core/flare/types
+
+go 1.20
+
+require go.uber.org/fx v1.18.2
+
+require (
+ go.uber.org/atomic v1.7.0 // indirect
+ go.uber.org/dig v1.17.0 // indirect
+ go.uber.org/multierr v1.6.0 // indirect
+ go.uber.org/zap v1.23.0 // indirect
+ golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect
+)
diff --git a/comp/core/flare/types/go.sum b/comp/core/flare/types/go.sum
new file mode 100644
index 0000000000000..9342228bdb644
--- /dev/null
+++ b/comp/core/flare/types/go.sum
@@ -0,0 +1,24 @@
+github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
+go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/dig v1.17.0 h1:5Chju+tUvcC+N7N6EV08BJz41UZuO3BmHcN4A287ZLI=
+go.uber.org/dig v1.17.0/go.mod h1:rTxpf7l5I0eBTlE6/9RL+lDybC7WFwY2QH55ZSjy1mU=
+go.uber.org/fx v1.18.2 h1:bUNI6oShr+OVFQeU8cDNbnN7VFsu+SsjHzUF51V/GAU=
+go.uber.org/fx v1.18.2/go.mod h1:g0V1KMQ66zIRk8bLu3Ea5Jt2w/cHlOIp4wdRsgh0JaY=
+go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
+go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
+go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/zap v1.23.0 h1:OjGQ5KQDEUawVHxNwQgPpiypGHOxo2mNZsOqTak4fFY=
+go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY=
+golang.org/x/sys v0.0.0-20220412211240-33da011f77ad h1:ntjMns5wyP/fN65tdBD4g8J5w8n015+iIIs9rtjXkY0=
+golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/comp/core/secrets/component.go b/comp/core/secrets/component.go
index f0c1dc81e3985..8e021e3659bb0 100644
--- a/comp/core/secrets/component.go
+++ b/comp/core/secrets/component.go
@@ -18,6 +18,9 @@ type Component interface {
Configure(command string, arguments []string, timeout, maxSize int, groupExecPerm, removeLinebreak bool)
// Get debug information and write it to the parameter
GetDebugInfo(w io.Writer)
- // Decrypt the given handle and return the corresponding secret value
- Decrypt(data []byte, origin string) ([]byte, error)
+ // Resolve resolves the secrets in the given yaml data by replacing secrets handles by their corresponding secret value
+ Resolve(data []byte, origin string) ([]byte, error)
+ // ResolveWithCallback resolves the secrets in the given yaml data calling the callback with the YAML path of
+ // the secret handle and its value
+ ResolveWithCallback(data []byte, origin string, callback ResolveCallback) error
}
diff --git a/comp/core/secrets/go.mod b/comp/core/secrets/go.mod
new file mode 100644
index 0000000000000..0f6270f0348f3
--- /dev/null
+++ b/comp/core/secrets/go.mod
@@ -0,0 +1,59 @@
+module github.com/DataDog/datadog-agent/comp/core/secrets
+
+go 1.20
+
+replace (
+ github.com/DataDog/datadog-agent/comp/core/flare/types => ../flare/types
+ github.com/DataDog/datadog-agent/pkg/telemetry => ../../../pkg/telemetry
+ github.com/DataDog/datadog-agent/pkg/util/fxutil => ../../../pkg/util/fxutil
+ github.com/DataDog/datadog-agent/pkg/util/log => ../../../pkg/util/log
+ github.com/DataDog/datadog-agent/pkg/util/scrubber => ../../../pkg/util/scrubber
+ github.com/DataDog/datadog-agent/pkg/util/winutil => ../../../pkg/util/winutil
+
+)
+
+require (
+ github.com/DataDog/datadog-agent/comp/core/flare/types v0.0.0-00010101000000-000000000000
+ github.com/DataDog/datadog-agent/pkg/telemetry v0.0.0-00010101000000-000000000000
+ github.com/DataDog/datadog-agent/pkg/util/fxutil v0.50.0-rc.4
+ github.com/DataDog/datadog-agent/pkg/util/log v0.0.0-00010101000000-000000000000
+ github.com/DataDog/datadog-agent/pkg/util/scrubber v0.50.0-rc.4
+ github.com/DataDog/datadog-agent/pkg/util/winutil v0.0.0-00010101000000-000000000000
+ github.com/stretchr/testify v1.8.4
+ go.uber.org/fx v1.18.2
+ golang.org/x/sys v0.14.0
+ gopkg.in/yaml.v2 v2.4.0
+)
+
+require (
+ github.com/DataDog/datadog-agent/comp/core/telemetry v0.50.0-rc.4 // indirect
+ github.com/beorn7/perks v1.0.1 // indirect
+ github.com/cespare/xxhash/v2 v2.2.0 // indirect
+ github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 // indirect
+ github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/fsnotify/fsnotify v1.7.0 // indirect
+ github.com/go-logr/logr v1.3.0 // indirect
+ github.com/go-logr/stdr v1.2.2 // indirect
+ github.com/golang/protobuf v1.5.3 // indirect
+ github.com/inconshreveable/mousetrap v1.1.0 // indirect
+ github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+ github.com/pmezard/go-difflib v1.0.0 // indirect
+ github.com/prometheus/client_golang v1.17.0 // indirect
+ github.com/prometheus/client_model v0.5.0 // indirect
+ github.com/prometheus/common v0.44.0 // indirect
+ github.com/prometheus/procfs v0.11.1 // indirect
+ github.com/spf13/cobra v1.7.0 // indirect
+ github.com/spf13/pflag v1.0.5 // indirect
+ go.opentelemetry.io/otel v1.20.0 // indirect
+ go.opentelemetry.io/otel/exporters/prometheus v0.42.0 // indirect
+ go.opentelemetry.io/otel/metric v1.20.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.20.0 // indirect
+ go.opentelemetry.io/otel/sdk/metric v1.20.0 // indirect
+ go.opentelemetry.io/otel/trace v1.20.0 // indirect
+ go.uber.org/atomic v1.11.0 // indirect
+ go.uber.org/dig v1.17.0 // indirect
+ go.uber.org/multierr v1.6.0 // indirect
+ go.uber.org/zap v1.23.0 // indirect
+ google.golang.org/protobuf v1.31.0 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
+)
diff --git a/comp/core/secrets/go.sum b/comp/core/secrets/go.sum
new file mode 100644
index 0000000000000..c367cfa710928
--- /dev/null
+++ b/comp/core/secrets/go.sum
@@ -0,0 +1,91 @@
+github.com/DataDog/datadog-agent/comp/core/telemetry v0.50.0-rc.4 h1:otuQe2x+WAgN78POmUSlOq0MRJkoLRlyGR5Fn3H55fI=
+github.com/DataDog/datadog-agent/comp/core/telemetry v0.50.0-rc.4/go.mod h1:fqxtze7NiJ+jQnLCT/F38ewDy8yVGraReiJNZRtQNVM=
+github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 h1:kHaBemcxl8o/pQ5VM1c8PVE1PubbNx3mjUr09OqWGCs=
+github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575/go.mod h1:9d6lWj8KzO/fd/NrVaLscBKmPigpZpn5YawRPw+e3Yo=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
+github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=
+github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=
+github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
+github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
+github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
+github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI=
+github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+go.opentelemetry.io/otel v1.20.0 h1:vsb/ggIY+hUjD/zCAQHpzTmndPqv/ml2ArbsbfBYTAc=
+go.opentelemetry.io/otel v1.20.0/go.mod h1:oUIGj3D77RwJdM6PPZImDpSZGDvkD9fhesHny69JFrs=
+go.opentelemetry.io/otel/exporters/prometheus v0.42.0 h1:jwV9iQdvp38fxXi8ZC+lNpxjK16MRcZlpDYvbuO1FiA=
+go.opentelemetry.io/otel/exporters/prometheus v0.42.0/go.mod h1:f3bYiqNqhoPxkvI2LrXqQVC546K7BuRDL/kKuxkujhA=
+go.opentelemetry.io/otel/metric v1.20.0 h1:ZlrO8Hu9+GAhnepmRGhSU7/VkpjrNowxRN9GyKR4wzA=
+go.opentelemetry.io/otel/metric v1.20.0/go.mod h1:90DRw3nfK4D7Sm/75yQ00gTJxtkBxX+wu6YaNymbpVM=
+go.opentelemetry.io/otel/sdk v1.20.0 h1:5Jf6imeFZlZtKv9Qbo6qt2ZkmWtdWx/wzcCbNUlAWGM=
+go.opentelemetry.io/otel/sdk v1.20.0/go.mod h1:rmkSx1cZCm/tn16iWDn1GQbLtsW/LvsdEEFzCSRM6V0=
+go.opentelemetry.io/otel/sdk/metric v1.20.0 h1:5eD40l/H2CqdKmbSV7iht2KMK0faAIL2pVYzJOWobGk=
+go.opentelemetry.io/otel/sdk/metric v1.20.0/go.mod h1:AGvpC+YF/jblITiafMTYgvRBUiwi9hZf0EYE2E5XlS8=
+go.opentelemetry.io/otel/trace v1.20.0 h1:+yxVAPZPbQhbC3OfAkeIVTky6iTFpcr4SiY9om7mXSQ=
+go.opentelemetry.io/otel/trace v1.20.0/go.mod h1:HJSK7F/hA5RlzpZ0zKDCHCDHm556LCDtKaAo6JmBFUU=
+go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/dig v1.17.0 h1:5Chju+tUvcC+N7N6EV08BJz41UZuO3BmHcN4A287ZLI=
+go.uber.org/dig v1.17.0/go.mod h1:rTxpf7l5I0eBTlE6/9RL+lDybC7WFwY2QH55ZSjy1mU=
+go.uber.org/fx v1.18.2 h1:bUNI6oShr+OVFQeU8cDNbnN7VFsu+SsjHzUF51V/GAU=
+go.uber.org/fx v1.18.2/go.mod h1:g0V1KMQ66zIRk8bLu3Ea5Jt2w/cHlOIp4wdRsgh0JaY=
+go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
+go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
+go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/zap v1.23.0 h1:OjGQ5KQDEUawVHxNwQgPpiypGHOxo2mNZsOqTak4fFY=
+go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
+golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/comp/core/secrets/secretsimpl/fetch_secret.go b/comp/core/secrets/secretsimpl/fetch_secret.go
index c3841608be909..e140ad29534d9 100644
--- a/comp/core/secrets/secretsimpl/fetch_secret.go
+++ b/comp/core/secrets/secretsimpl/fetch_secret.go
@@ -133,11 +133,11 @@ func (r *secretResolver) fetchSecret(secretsHandle []string) (map[string]string,
for _, sec := range secretsHandle {
v, ok := secrets[sec]
if !ok {
- return nil, fmt.Errorf("secret handle '%s' was not decrypted by the secret_backend_command", sec)
+ return nil, fmt.Errorf("secret handle '%s' was not resolved by the secret_backend_command", sec)
}
if v.ErrorMsg != "" {
- return nil, fmt.Errorf("an error occurred while decrypting '%s': %s", sec, v.ErrorMsg)
+ return nil, fmt.Errorf("an error occurred while resolving '%s': %s", sec, v.ErrorMsg)
}
if r.removeTrailingLinebreak {
@@ -145,7 +145,7 @@ func (r *secretResolver) fetchSecret(secretsHandle []string) (map[string]string,
}
if v.Value == "" {
- return nil, fmt.Errorf("decrypted secret for '%s' is empty", sec)
+ return nil, fmt.Errorf("resolved secret for '%s' is empty", sec)
}
// add it to the cache
diff --git a/comp/core/secrets/secretsimpl/fetch_secret_test.go b/comp/core/secrets/secretsimpl/fetch_secret_test.go
index 15f0ba5ae21bd..0212fd64d5af0 100644
--- a/comp/core/secrets/secretsimpl/fetch_secret_test.go
+++ b/comp/core/secrets/secretsimpl/fetch_secret_test.go
@@ -11,11 +11,14 @@ import (
"os"
"os/exec"
"runtime"
+ "runtime/pprof"
"testing"
+ "time"
- "github.com/DataDog/datadog-agent/comp/core/secrets"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
+
+ "github.com/DataDog/datadog-agent/comp/core/secrets"
)
var (
@@ -81,6 +84,35 @@ func TestLimitBuffer(t *testing.T) {
}
func TestExecCommandError(t *testing.T) {
+ // TODO: remove once the issue is resolved
+ //
+ // This test has an issue on Windows where it can block entirely and timeout after 4 minutes
+ // (while the go test timeout is 3 minutes), and in that case it doesn't print stack traces.
+ //
+ // As a workaround, we explicitly write routine stack traces in an artifact if the test
+ // is not finished after 2 minutes.
+ if _, ok := os.LookupEnv("CI_PIPELINE_ID"); ok && runtime.GOOS == "windows" {
+ done := make(chan struct{}, 1)
+ defer func() {
+ done <- struct{}{}
+ }()
+ go func() {
+ select {
+ case <-done:
+ case <-time.After(2 * time.Minute):
+ // files junit-*.tgz are automatically considered as artifacts
+ file, err := os.OpenFile(`C:\mnt\junit-TestExecCommandError.tgz`, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "could not write stack traces: %v", err)
+ return
+ }
+ defer file.Close()
+ fmt.Fprintf(file, "test will timeout, printing goroutine stack traces:\n")
+ pprof.Lookup("goroutine").WriteTo(file, 2)
+ }
+ }()
+ }
+
inputPayload := "{\"version\": \"" + secrets.PayloadVersion + "\" , \"secrets\": [\"sec1\", \"sec2\"]}"
t.Run("Empty secretBackendCommand", func(t *testing.T) {
@@ -169,7 +201,7 @@ func TestFetchSecretMissingSecret(t *testing.T) {
resolver.commandHookFunc = func(string) ([]byte, error) { return []byte("{}"), nil }
_, err := resolver.fetchSecret(secrets)
assert.NotNil(t, err)
- assert.Equal(t, "secret handle 'handle1' was not decrypted by the secret_backend_command", err.Error())
+ assert.Equal(t, "secret handle 'handle1' was not resolved by the secret_backend_command", err.Error())
}
func TestFetchSecretErrorForHandle(t *testing.T) {
@@ -179,7 +211,7 @@ func TestFetchSecretErrorForHandle(t *testing.T) {
}
_, err := resolver.fetchSecret([]string{"handle1"})
assert.NotNil(t, err)
- assert.Equal(t, "an error occurred while decrypting 'handle1': some error", err.Error())
+ assert.Equal(t, "an error occurred while resolving 'handle1': some error", err.Error())
}
func TestFetchSecretEmptyValue(t *testing.T) {
@@ -189,14 +221,14 @@ func TestFetchSecretEmptyValue(t *testing.T) {
}
_, err := resolver.fetchSecret([]string{"handle1"})
assert.NotNil(t, err)
- assert.Equal(t, "decrypted secret for 'handle1' is empty", err.Error())
+ assert.Equal(t, "resolved secret for 'handle1' is empty", err.Error())
resolver.commandHookFunc = func(string) ([]byte, error) {
return []byte("{\"handle1\":{\"value\": \"\"}}"), nil
}
_, err = resolver.fetchSecret([]string{"handle1"})
assert.NotNil(t, err)
- assert.Equal(t, "decrypted secret for 'handle1' is empty", err.Error())
+ assert.Equal(t, "resolved secret for 'handle1' is empty", err.Error())
}
func TestFetchSecret(t *testing.T) {
diff --git a/comp/core/secrets/secretsimpl/info.tmpl b/comp/core/secrets/secretsimpl/info.tmpl
index 2c56659e88806..53f30f3ce3851 100644
--- a/comp/core/secrets/secretsimpl/info.tmpl
+++ b/comp/core/secrets/secretsimpl/info.tmpl
@@ -10,8 +10,8 @@ Permissions Detail:
{{- end }}
=== Secrets stats ===
-Number of secrets decrypted: {{ len .Handles }}
-Secrets handle decrypted:
+Number of secrets resolved: {{ len .Handles }}
+Secrets handle resolved:
{{ range $handle, $places := .Handles }}
- '{{ $handle }}':
{{- range $place := $places }}
diff --git a/comp/core/secrets/secretsimpl/info_nix_test.go b/comp/core/secrets/secretsimpl/info_nix_test.go
index 7deb57ef2be47..1b170077d15a7 100644
--- a/comp/core/secrets/secretsimpl/info_nix_test.go
+++ b/comp/core/secrets/secretsimpl/info_nix_test.go
@@ -77,9 +77,9 @@ func TestDebugInfo(t *testing.T) {
return res, nil
}
- _, err := resolver.Decrypt(testConf, "test")
+ _, err := resolver.Resolve(testConf, "test")
require.NoError(t, err)
- _, err = resolver.Decrypt(testConfInfo, "test2")
+ _, err = resolver.Resolve(testConfInfo, "test2")
require.NoError(t, err)
var buffer bytes.Buffer
@@ -95,8 +95,8 @@ Owner: ` + currentUser + `
Group: ` + currentGroup + `
=== Secrets stats ===
-Number of secrets decrypted: 3
-Secrets handle decrypted:
+Number of secrets resolved: 3
+Secrets handle resolved:
- 'pass1':
used in 'test' configuration in entry 'instances/password'
@@ -121,9 +121,9 @@ func TestDebugInfoError(t *testing.T) {
return res, nil
}
- _, err := resolver.Decrypt(testConf, "test")
+ _, err := resolver.Resolve(testConf, "test")
require.NoError(t, err)
- _, err = resolver.Decrypt(testConfInfo, "test2")
+ _, err = resolver.Resolve(testConfInfo, "test2")
require.NoError(t, err)
var buffer bytes.Buffer
@@ -137,8 +137,8 @@ Permissions Detail:
Could not stat some_command: no such file or directory
=== Secrets stats ===
-Number of secrets decrypted: 3
-Secrets handle decrypted:
+Number of secrets resolved: 3
+Secrets handle resolved:
- 'pass1':
used in 'test' configuration in entry 'instances/password'
diff --git a/comp/core/secrets/secretsimpl/secrets.go b/comp/core/secrets/secretsimpl/secrets.go
index 787e050b7ec14..2f436c380186f 100644
--- a/comp/core/secrets/secretsimpl/secrets.go
+++ b/comp/core/secrets/secretsimpl/secrets.go
@@ -186,75 +186,6 @@ func (r *secretResolver) Configure(command string, arguments []string, timeout,
}
}
-type walkerCallback func([]string, string) (string, error)
-
-func walkSlice(data []interface{}, yamlPath []string, callback walkerCallback) error {
- for idx, k := range data {
- switch v := k.(type) {
- case string:
- newValue, err := callback(yamlPath, v)
- if err != nil {
- return err
- }
- data[idx] = newValue
- case map[interface{}]interface{}:
- if err := walkHash(v, yamlPath, callback); err != nil {
- return err
- }
- case []interface{}:
- if err := walkSlice(v, yamlPath, callback); err != nil {
- return err
- }
- }
- }
- return nil
-}
-
-func walkHash(data map[interface{}]interface{}, yamlPath []string, callback walkerCallback) error {
- for k := range data {
- path := yamlPath
- if newkey, ok := k.(string); ok {
- path = append(path, newkey)
- }
-
- switch v := data[k].(type) {
- case string:
- newValue, err := callback(path, v)
- if err != nil {
- return err
- }
- data[k] = newValue
- case map[interface{}]interface{}:
- if err := walkHash(v, path, callback); err != nil {
- return err
- }
- case []interface{}:
- if err := walkSlice(v, path, callback); err != nil {
- return err
- }
- }
- }
- return nil
-}
-
-// walk will go through loaded yaml and call callback on every strings allowing
-// the callback to overwrite the string value
-func walk(data *interface{}, yamlPath []string, callback walkerCallback) error {
- switch v := (*data).(type) {
- case string:
- newValue, err := callback(yamlPath, v)
- if err != nil {
- return err
- }
- *data = newValue
- case map[interface{}]interface{}:
- return walkHash(v, yamlPath, callback)
- case []interface{}:
- return walkSlice(v, yamlPath, callback)
- }
- return nil
-}
-
func isEnc(str string) (bool, string) {
// trimming space and tabs
str = strings.Trim(str, " ")
@@ -264,9 +195,20 @@ func isEnc(str string) (bool, string) {
return false, ""
}
-// Decrypt replaces all encrypted secrets in data by executing
-// "secret_backend_command" once if all secrets aren't present in the cache.
-func (r *secretResolver) Decrypt(data []byte, origin string) ([]byte, error) {
+// Resolve replaces all encrypted secrets in data by executing "secret_backend_command" once if all secrets aren't
+// present in the cache.
+func (r *secretResolver) Resolve(data []byte, origin string) ([]byte, error) {
+ return r.resolve(data, origin, nil)
+}
+
+// ResolveWithCallback resolves the secrets in the given yaml data calling the callback with the YAML path of
+// the secret handle and its value
+func (r *secretResolver) ResolveWithCallback(data []byte, origin string, cb secrets.ResolveCallback) error {
+ _, err := r.resolve(data, origin, cb)
+ return err
+}
+
+func (r *secretResolver) resolve(data []byte, origin string, notifyCb secrets.ResolveCallback) ([]byte, error) {
if !r.enabled {
log.Infof("Agent secrets is disabled by caller")
return nil, nil
@@ -284,11 +226,10 @@ func (r *secretResolver) Decrypt(data []byte, origin string) ([]byte, error) {
// First we collect all new handles in the config
newHandles := []string{}
haveSecret := false
- err = walk(
- &config,
- nil,
- func(yamlPath []string, str string) (string, error) {
- if ok, handle := isEnc(str); ok {
+
+ w := &walker{
+ resolver: func(yamlPath []string, value string) (string, error) {
+ if ok, handle := isEnc(value); ok {
haveSecret = true
// Check if we already know this secret
if secret, ok := r.cache[handle]; ok {
@@ -298,10 +239,14 @@ func (r *secretResolver) Decrypt(data []byte, origin string) ([]byte, error) {
return secret, nil
}
newHandles = append(newHandles, handle)
+ return value, nil
}
- return str, nil
- })
- if err != nil {
+ return value, nil
+ },
+ notifier: notifyCb,
+ }
+
+ if err := w.walk(&config); err != nil {
return nil, err
}
@@ -324,25 +269,24 @@ func (r *secretResolver) Decrypt(data []byte, origin string) ([]byte, error) {
return nil, err
}
- // Replace all new encrypted secrets in the config
- err = walk(
- &config,
- nil,
- func(yamlPath []string, str string) (string, error) {
- if ok, handle := isEnc(str); ok {
- if secret, ok := secrets[handle]; ok {
- log.Debugf("Secret '%s' was retrieved from executable", handle)
- // keep track of place where a handle was found
- r.registerSecretOrigin(handle, origin, yamlPath)
- return secret, nil
- }
- // This should never happen since fetchSecret will return an error
- // if not every handles have been fetched.
- return str, fmt.Errorf("unknown secret '%s'", handle)
+ w.resolver = func(yamlPath []string, value string) (string, error) {
+ if ok, handle := isEnc(value); ok {
+ if secret, ok := secrets[handle]; ok {
+ log.Debugf("Secret '%s' was successfully resolved", handle)
+ // keep track of place where a handle was found
+ r.registerSecretOrigin(handle, origin, yamlPath)
+ return secret, nil
}
- return str, nil
- })
- if err != nil {
+
+ // This should never happen since fetchSecret will return an error if not every handle have
+ // been fetched.
+ return "", fmt.Errorf("unknown secret '%s'", handle)
+ }
+ return value, nil
+ }
+
+ // Replace all newly resolved secrets in the config
+ if err := w.walk(&config); err != nil {
return nil, err
}
}
diff --git a/comp/core/secrets/secretsimpl/secrets_mock.go b/comp/core/secrets/secretsimpl/secrets_mock.go
index 45bf33d9d276a..cfa456e6bef4e 100644
--- a/comp/core/secrets/secretsimpl/secrets_mock.go
+++ b/comp/core/secrets/secretsimpl/secrets_mock.go
@@ -16,9 +16,15 @@ import (
"go.uber.org/fx"
)
+type callbackArgs struct {
+ yamlPath []string
+ value any
+}
+
// MockSecretResolver is a mock of the secret Component useful for testing
type MockSecretResolver struct {
- resolve map[string]string
+ resolve map[string]string
+ callbacks []callbackArgs
}
var _ secrets.Component = (*MockSecretResolver)(nil)
@@ -29,13 +35,19 @@ func (m *MockSecretResolver) Configure(_ string, _ []string, _, _ int, _, _ bool
// GetDebugInfo is not implemented
func (m *MockSecretResolver) GetDebugInfo(_ io.Writer) {}
-// Inject adds data to be decrypted, by returning the value for the given key
+// Inject adds data to be resolved, by returning the value for the given key
func (m *MockSecretResolver) Inject(key, value string) {
m.resolve[key] = value
}
-// Decrypt returns the secret value based upon the injected data
-func (m *MockSecretResolver) Decrypt(data []byte, _ string) ([]byte, error) {
+// InjectCallback adds to the list of callbacks that will be used to mock ResolveWithCallback. Each injected callback
+// will equal a call to the callback givent to 'ResolveWithCallback'
+func (m *MockSecretResolver) InjectCallback(yamlPath []string, value any) {
+ m.callbacks = append(m.callbacks, callbackArgs{yamlPath: yamlPath, value: value})
+}
+
+// Resolve returns the secret value based upon the injected data
+func (m *MockSecretResolver) Resolve(data []byte, _ string) ([]byte, error) {
re := regexp.MustCompile(`ENC\[(.*?)\]`)
result := re.ReplaceAllStringFunc(string(data), func(in string) string {
key := in[4 : len(in)-1]
@@ -44,6 +56,14 @@ func (m *MockSecretResolver) Decrypt(data []byte, _ string) ([]byte, error) {
return []byte(result), nil
}
+// ResolveWithCallback mocks the ResolveWithCallback method of the secrets Component
+func (m *MockSecretResolver) ResolveWithCallback(_ []byte, _ string, cb secrets.ResolveCallback) error {
+ for _, call := range m.callbacks {
+ cb(call.yamlPath, call.value)
+ }
+ return nil
+}
+
// NewMockSecretResolver constructs a MockSecretResolver
func NewMockSecretResolver() *MockSecretResolver {
return &MockSecretResolver{resolve: make(map[string]string)}
diff --git a/comp/core/secrets/secretsimpl/secrets_test.go b/comp/core/secrets/secretsimpl/secrets_test.go
index 81e37cd7cd829..56ef9557c73de 100644
--- a/comp/core/secrets/secretsimpl/secrets_test.go
+++ b/comp/core/secrets/secretsimpl/secrets_test.go
@@ -8,11 +8,11 @@ package secretsimpl
import (
"fmt"
"sort"
+ "strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
- yaml "gopkg.in/yaml.v2"
)
var (
@@ -52,7 +52,7 @@ instances:
user: test2
`)
- testConfDecrypted = `instances:
+ testConfResolveed = `instances:
- password: password1
user: test
- password: password2
@@ -80,7 +80,7 @@ keys_with_dash_string_value:
foo: "-"
`)
- testConfDecryptedDash = `keys_with_dash_string_value:
+ testConfResolveedDash = `keys_with_dash_string_value:
foo: '-'
some_encoded_password: password1
`
@@ -97,7 +97,7 @@ some_encoded_password: password1
some_encoded_password: ENC[pass1]
`)
- testConfDecryptedMultiline = `some_encoded_password: |
+ testConfResolveedMultiline = `some_encoded_password: |
password1
`
testConfMultilineOrigin = handleToContext{
@@ -115,7 +115,7 @@ some:
data: ENC[pass1]
`)
- testConfDecryptedNested = `some:
+ testConfResolveedNested = `some:
encoded:
data: password1
`
@@ -127,6 +127,35 @@ some:
},
},
}
+
+ testConfNestedMultiple = []byte(`---
+top_level: ENC[pass1]
+some:
+ second_level: ENC[pass2]
+ encoded:
+ third_level: ENC[pass3]
+`)
+
+ testConfNestedOriginMultiple = handleToContext{
+ "pass1": []secretContext{
+ {
+ origin: "test",
+ yamlPath: "top_level",
+ },
+ },
+ "pass2": []secretContext{
+ {
+ origin: "test",
+ yamlPath: "some/second_level",
+ },
+ },
+ "pass3": []secretContext{
+ {
+ origin: "test",
+ yamlPath: "some/encoded/third_level",
+ },
+ },
+ }
)
func TestIsEnc(t *testing.T) {
@@ -157,77 +186,19 @@ func TestIsEnc(t *testing.T) {
assert.Equal(t, "test", secret)
}
-func TestWalkerError(t *testing.T) {
- var config interface{}
- err := yaml.Unmarshal(testYamlHash, &config)
- require.NoError(t, err)
-
- err = walk(&config, nil, func([]string, string) (string, error) {
- return "", fmt.Errorf("some error")
- })
- assert.NotNil(t, err)
-}
-
-func TestWalkerSimple(t *testing.T) {
- var config interface{}
- err := yaml.Unmarshal([]byte("test"), &config)
- require.NoError(t, err)
-
- stringsCollected := []string{}
- err = walk(&config, nil, func(_ []string, str string) (string, error) {
- stringsCollected = append(stringsCollected, str)
- return str + "_verified", nil
- })
- require.NoError(t, err)
-
- assert.Equal(t, []string{"test"}, stringsCollected)
-
- updatedConf, err := yaml.Marshal(config)
- require.NoError(t, err)
- assert.Equal(t, string("test_verified\n"), string(updatedConf))
-}
-
-func TestWalkerComplex(t *testing.T) {
- var config interface{}
- err := yaml.Unmarshal(testYamlHash, &config)
- require.NoError(t, err)
-
- stringsCollected := []string{}
- err = walk(&config, nil, func(_ []string, str string) (string, error) {
- stringsCollected = append(stringsCollected, str)
- return str + "_verified", nil
- })
- require.NoError(t, err)
-
- sort.Strings(stringsCollected)
- assert.Equal(t, []string{
- "1",
- "2",
- "test1",
- "test2",
- "test3",
- "test4",
- "test5",
- }, stringsCollected)
-
- updatedConf, err := yaml.Marshal(config)
- require.NoError(t, err)
- assert.Equal(t, string(testYamlHashUpdated), string(updatedConf))
-}
-
-func TestDecryptNoCommand(t *testing.T) {
+func TestResolveNoCommand(t *testing.T) {
resolver := newEnabledSecretResolver()
resolver.fetchHookFunc = func(secrets []string) (map[string]string, error) {
return nil, fmt.Errorf("some error")
}
// since we didn't set any command this should return without any error
- resConf, err := resolver.Decrypt(testConf, "test")
+ resConf, err := resolver.Resolve(testConf, "test")
require.NoError(t, err)
assert.Equal(t, testConf, resConf)
}
-func TestDecryptSecretError(t *testing.T) {
+func TestResolveSecretError(t *testing.T) {
resolver := newEnabledSecretResolver()
resolver.backendCommand = "some_command"
@@ -235,15 +206,15 @@ func TestDecryptSecretError(t *testing.T) {
return nil, fmt.Errorf("some error")
}
- _, err := resolver.Decrypt(testConf, "test")
+ _, err := resolver.Resolve(testConf, "test")
require.NotNil(t, err)
}
-func TestDecrypt(t *testing.T) {
+func TestResolve(t *testing.T) {
type testCase struct {
name string
testConf []byte
- decryptedConf string
+ resolveedConf string
expectedSecretOrigin handleToContext
expectedScrubbedKey []string
secretFetchCB func([]string) (map[string]string, error)
@@ -253,13 +224,13 @@ func TestDecrypt(t *testing.T) {
currentTest := t
testCases := []testCase{
{
- // TestDecryptSecretStringMapStringWithDashValue checks that a nested string config value
+ // TestResolveSecretStringMapStringWithDashValue checks that a nested string config value
// that can be interpreted as YAML (such as a "-") is not interpreted as YAML by the secrets
// decryption logic, but is left unchanged as a string instead.
// See https://github.com/DataDog/datadog-agent/pull/6586 for details.
name: "map with dash value",
testConf: testConfDash,
- decryptedConf: testConfDecryptedDash,
+ resolveedConf: testConfResolveedDash,
expectedSecretOrigin: testConfDashOrigin,
expectedScrubbedKey: []string{"some_encoded_password"},
secretFetchCB: func(secrets []string) (map[string]string, error) {
@@ -275,7 +246,7 @@ func TestDecrypt(t *testing.T) {
{
name: "multiline",
testConf: testConfMultiline,
- decryptedConf: testConfDecryptedMultiline,
+ resolveedConf: testConfResolveedMultiline,
expectedSecretOrigin: testConfMultilineOrigin,
expectedScrubbedKey: []string{"some_encoded_password"},
secretFetchCB: func(secrets []string) (map[string]string, error) {
@@ -291,7 +262,7 @@ func TestDecrypt(t *testing.T) {
{
name: "nested",
testConf: testConfNested,
- decryptedConf: testConfDecryptedNested,
+ resolveedConf: testConfResolveedNested,
expectedSecretOrigin: testConfNestedOrigin,
expectedScrubbedKey: []string{"data"},
secretFetchCB: func(secrets []string) (map[string]string, error) {
@@ -307,7 +278,7 @@ func TestDecrypt(t *testing.T) {
{
name: "no cache",
testConf: testConf,
- decryptedConf: testConfDecrypted,
+ resolveedConf: testConfResolveed,
expectedSecretOrigin: testConfOrigin,
expectedScrubbedKey: []string{"password", "password"},
secretFetchCB: func(secrets []string) (map[string]string, error) {
@@ -326,7 +297,7 @@ func TestDecrypt(t *testing.T) {
{
name: "partial cache",
testConf: testConf,
- decryptedConf: testConfDecrypted,
+ resolveedConf: testConfResolveed,
expectedSecretOrigin: testConfOrigin,
expectedScrubbedKey: []string{"password", "password"},
secretCache: map[string]string{"pass1": "password1"},
@@ -344,7 +315,7 @@ func TestDecrypt(t *testing.T) {
{
name: "full cache",
testConf: testConf,
- decryptedConf: testConfDecrypted,
+ resolveedConf: testConfResolveed,
expectedSecretOrigin: testConfOrigin,
expectedScrubbedKey: []string{"password", "password"},
secretCache: map[string]string{"pass1": "password1", "pass2": "password2"},
@@ -368,12 +339,56 @@ func TestDecrypt(t *testing.T) {
scrubbedKey := []string{}
resolver.scrubHookFunc = func(k []string) { scrubbedKey = append(scrubbedKey, k[0]) }
- newConf, err := resolver.Decrypt(tc.testConf, "test")
+ newConf, err := resolver.Resolve(tc.testConf, "test")
require.NoError(t, err)
- assert.Equal(t, tc.decryptedConf, string(newConf))
+ assert.Equal(t, tc.resolveedConf, string(newConf))
assert.Equal(t, tc.expectedSecretOrigin, resolver.origin)
assert.Equal(t, tc.expectedScrubbedKey, scrubbedKey)
})
}
}
+
+func TestResolveWithCallback(t *testing.T) {
+ testConf := testConfNestedMultiple
+
+ resolver := newEnabledSecretResolver()
+ resolver.backendCommand = "some_command"
+ resolver.cache = map[string]string{"pass3": "password3"}
+
+ resolver.fetchHookFunc = func(secrets []string) (map[string]string, error) {
+ return map[string]string{
+ "pass1": "password1",
+ "pass2": "password2",
+ }, nil
+ }
+
+ topLevelResolved := 0
+ secondLevelResolved := 0
+ thirdLevelResolved := 0
+ err := resolver.ResolveWithCallback(
+ testConf,
+ "test",
+ func(yamlPath []string, value any) {
+ switch strings.Join(yamlPath, "/") {
+ case "top_level":
+ assert.Equal(t, "password1", value)
+ topLevelResolved++
+ case "some/second_level":
+ assert.Equal(t, "password2", value)
+ secondLevelResolved++
+ case "some/encoded/third_level":
+ assert.Equal(t, "password3", value)
+ thirdLevelResolved++
+ default:
+ assert.Fail(t, "unknown yaml path: %s", yamlPath)
+ }
+ },
+ )
+ require.NoError(t, err)
+ assert.Equal(t, 1, topLevelResolved, "'top_level' secret was not resolved or resolved multiple times")
+ assert.Equal(t, 1, secondLevelResolved, "'second_level' secret was not resolved or resolved multiple times")
+ assert.Equal(t, 1, thirdLevelResolved, "'third_level' secret was not resolved or resolved multiple times")
+
+ assert.Equal(t, testConfNestedOriginMultiple, resolver.origin)
+}
diff --git a/comp/core/secrets/secretsimpl/walker.go b/comp/core/secrets/secretsimpl/walker.go
new file mode 100644
index 0000000000000..49a39584de09d
--- /dev/null
+++ b/comp/core/secrets/secretsimpl/walker.go
@@ -0,0 +1,114 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+package secretsimpl
+
+import (
+ "github.com/DataDog/datadog-agent/comp/core/secrets"
+)
+
+type resolverCallback func([]string, string) (string, error)
+
+type walker struct {
+ // resolver is called to fetch the value of a handle
+ resolver resolverCallback
+ // notifier is called each time a key from the YAML is updated. This is used by ResolveWithCallback.
+ //
+ // When a slice is updated, this will be called once with the final slice content.
+ notifier secrets.ResolveCallback
+}
+
+func (w *walker) notify(yamlPath []string, value any) {
+ if w.notifier != nil {
+ w.notifier(yamlPath, value)
+ }
+}
+
+func (w *walker) string(yamlPath []string, value string, shouldNotify bool) (string, error) {
+ newValue, err := w.resolver(yamlPath, value)
+ if err != nil {
+ return value, err
+ }
+
+ if shouldNotify && value != newValue {
+ w.notify(yamlPath, newValue)
+ }
+ return newValue, err
+}
+
+func (w *walker) slice(data []interface{}, yamlPath []string) error {
+ var shouldNotify bool
+ for idx, k := range data {
+ switch v := k.(type) {
+ case string:
+ if newValue, err := w.string(yamlPath, v, false); err == nil {
+ if v != newValue {
+ data[idx] = newValue
+ shouldNotify = true
+ }
+ } else {
+ return err
+ }
+ case map[interface{}]interface{}:
+ if err := w.hash(v, yamlPath); err != nil {
+ return err
+ }
+ case []interface{}:
+ if err := w.slice(v, yamlPath); err != nil {
+ return err
+ }
+ }
+ }
+ // for slice we notify once with the final values
+ if shouldNotify {
+ w.notify(yamlPath, data)
+ }
+ return nil
+}
+
+func (w *walker) hash(data map[interface{}]interface{}, yamlPath []string) error {
+ for k := range data {
+ path := yamlPath
+ if newkey, ok := k.(string); ok {
+ path = append(path, newkey)
+ }
+
+ switch v := data[k].(type) {
+ case string:
+ if newValue, err := w.string(path, v, true); err == nil {
+ data[k] = newValue
+ } else {
+ return err
+ }
+ case map[interface{}]interface{}:
+ if err := w.hash(v, path); err != nil {
+ return err
+ }
+ case []interface{}:
+ if err := w.slice(v, path); err != nil {
+ return err
+ }
+ }
+ }
+ return nil
+}
+
+// walk will go through loaded yaml and invoke the callback on every string node allowing
+// the callback to overwrite the string value
+func (w *walker) walk(data *interface{}) error {
+ switch v := (*data).(type) {
+ case string:
+ if newValue, err := w.string(nil, v, true); err == nil {
+ *data = newValue
+ } else {
+ return err
+ }
+ case map[interface{}]interface{}:
+ return w.hash(v, nil)
+ case []interface{}:
+ return w.slice(v, nil)
+ }
+ return nil
+}
diff --git a/comp/core/secrets/secretsimpl/walker_test.go b/comp/core/secrets/secretsimpl/walker_test.go
new file mode 100644
index 0000000000000..e347bf0360b0d
--- /dev/null
+++ b/comp/core/secrets/secretsimpl/walker_test.go
@@ -0,0 +1,134 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+package secretsimpl
+
+import (
+ "fmt"
+ "sort"
+ "strings"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ yaml "gopkg.in/yaml.v2"
+)
+
+func TestWalkerError(t *testing.T) {
+ var config interface{}
+ err := yaml.Unmarshal(testYamlHash, &config)
+ require.NoError(t, err)
+
+ w := walker{
+ resolver: func([]string, string) (string, error) {
+ return "", fmt.Errorf("some error")
+ },
+ }
+
+ err = w.walk(&config)
+ assert.NotNil(t, err)
+}
+
+func TestWalkerSimple(t *testing.T) {
+ var config interface{}
+ err := yaml.Unmarshal([]byte("test"), &config)
+ require.NoError(t, err)
+
+ stringsCollected := []string{}
+
+ w := walker{
+ resolver: func(_ []string, str string) (string, error) {
+ stringsCollected = append(stringsCollected, str)
+ return str + "_verified", nil
+ },
+ }
+ err = w.walk(&config)
+ require.NoError(t, err)
+
+ assert.Equal(t, []string{"test"}, stringsCollected)
+
+ updatedConf, err := yaml.Marshal(config)
+ require.NoError(t, err)
+ assert.Equal(t, string("test_verified\n"), string(updatedConf))
+}
+
+func TestWalkerComplex(t *testing.T) {
+ var config interface{}
+ err := yaml.Unmarshal(testYamlHash, &config)
+ require.NoError(t, err)
+
+ stringsCollected := []string{}
+ w := walker{
+ resolver: func(_ []string, str string) (string, error) {
+ stringsCollected = append(stringsCollected, str)
+ return str + "_verified", nil
+ },
+ }
+ err = w.walk(&config)
+ require.NoError(t, err)
+
+ sort.Strings(stringsCollected)
+ assert.Equal(t, []string{
+ "1",
+ "2",
+ "test1",
+ "test2",
+ "test3",
+ "test4",
+ "test5",
+ }, stringsCollected)
+
+ updatedConf, err := yaml.Marshal(config)
+ require.NoError(t, err)
+ assert.Equal(t, string(testYamlHashUpdated), string(updatedConf))
+}
+
+func TestWalkerNotify(t *testing.T) {
+ yamlConf := []byte(`
+slice:
+ - "ENC 1"
+ - ["ENC test1", test2]
+ - 123
+hash:
+ a: test3
+ b: "ENC 2"
+ c: 456
+ slice:
+ - ENC test4
+ - test5
+`)
+
+ notification := map[string]any{}
+ w := walker{
+ resolver: func(_ []string, value string) (string, error) {
+ if strings.HasPrefix(value, "ENC ") {
+ return value[4:] + "_verified", nil
+ }
+ return value, nil
+ },
+ notifier: func(yamlPath []string, value any) {
+ notification[strings.Join(yamlPath, ".")] = value
+ },
+ }
+
+ var config interface{}
+ err := yaml.Unmarshal(yamlConf, &config)
+ require.NoError(t, err)
+
+ err = w.walk(&config)
+ require.NoError(t, err)
+
+ // we expect to be notified once for each updated value (especially a single call per slice)
+ expected := map[string]any{
+ "hash.b": "2_verified",
+ "hash.slice": []any{"test4_verified", "test5"},
+ "slice": []any{
+ "1_verified",
+ []any{"test1_verified", "test2"},
+ 123,
+ },
+ }
+ assert.Equal(t, expected, notification)
+}
diff --git a/comp/core/secrets/type.go b/comp/core/secrets/type.go
index 72f07c8389b72..7602578e9c390 100644
--- a/comp/core/secrets/type.go
+++ b/comp/core/secrets/type.go
@@ -11,5 +11,8 @@ type SecretVal struct {
ErrorMsg string `json:"error,omitempty"`
}
+// ResolveCallback is the callback type used by the ResolveWithCallback method
+type ResolveCallback func(key []string, value any)
+
// PayloadVersion defines the current payload version sent to a secret backend
const PayloadVersion = "1.0"
diff --git a/comp/dogstatsd/listeners/uds_common.go b/comp/dogstatsd/listeners/uds_common.go
index 5048dbeebf22e..53d5bfa3d1648 100644
--- a/comp/dogstatsd/listeners/uds_common.go
+++ b/comp/dogstatsd/listeners/uds_common.go
@@ -149,8 +149,10 @@ func NewUDSListener(packetOut chan packets.Packets, sharedPacketPoolManager *pac
func (l *UDSListener) handleConnection(conn *net.UnixConn, closeFunc CloseFunction) error {
listenerID := l.getListenerID(conn)
tlmListenerID := listenerID
- if !l.config.GetBool("dogstatsd_telemetry_enabled_listener_id") {
- tlmListenerID = ""
+ telemetryWithFullListenerID := l.config.GetBool("dogstatsd_telemetry_enabled_listener_id")
+ if !telemetryWithFullListenerID {
+ // In case we don't want the full listener id, we only keep the transport.
+ tlmListenerID = "uds-" + conn.LocalAddr().Network()
}
packetsBuffer := packets.NewBuffer(
@@ -163,7 +165,9 @@ func (l *UDSListener) handleConnection(conn *net.UnixConn, closeFunc CloseFuncti
defer func() {
_ = closeFunc(conn)
packetsBuffer.Close()
- l.clearTelemetry(tlmListenerID)
+ if telemetryWithFullListenerID {
+ l.clearTelemetry(tlmListenerID)
+ }
tlmUDSConnections.Dec(tlmListenerID, l.transport)
}()
diff --git a/comp/dogstatsd/server/server.go b/comp/dogstatsd/server/server.go
index 65d10ccac4744..8702b96b44928 100644
--- a/comp/dogstatsd/server/server.go
+++ b/comp/dogstatsd/server/server.go
@@ -179,7 +179,7 @@ func initTelemetry(cfg config.Reader, logger logComponent.Component) {
"dogstatsd",
"channel_latency",
[]string{"shard", "message_type"},
- "Time in millisecond to push metrics to the aggregator input buffer",
+ "Time in nanosecond to push metrics to the aggregator input buffer",
buckets)
listeners.InitTelemetry(get("telemetry.dogstatsd.listeners_latency_buckets"))
diff --git a/comp/languagedetection/client/client.go b/comp/languagedetection/client/client.go
index 341cf4022d19b..47d30c181d757 100644
--- a/comp/languagedetection/client/client.go
+++ b/comp/languagedetection/client/client.go
@@ -287,7 +287,6 @@ func (c *client) retryProcessEventsWithoutPod(containerIDs []string) {
c.handleProcessEvent(procEvent, true)
}
}
- c.processesWithoutPod = make(map[string]*eventsToRetry)
}
// handleProcessEvent updates the current batch and the freshlyUpdatedPods
@@ -341,6 +340,7 @@ func (c *client) handleProcessEvent(processEvent workloadmeta.Event, isRetry boo
added := containerInfo.Add(string(process.Language.Name))
if added {
c.freshlyUpdatedPods[pod.Name] = struct{}{}
+ delete(c.processesWithoutPod, process.ContainerID)
}
c.telemetry.ProcessedEvents.Inc(pod.Name, containerName, string(process.Language.Name))
}
@@ -352,15 +352,17 @@ func (c *client) handlePodEvent(podEvent workloadmeta.Event) {
for _, c := range append(pod.InitContainers, pod.Containers...) {
containerIDs = append(containerIDs, c.ID)
}
- if podEvent.Type == workloadmeta.EventTypeSet {
- c.retryProcessEventsWithoutPod(containerIDs)
- }
- for _, cid := range containerIDs {
- delete(c.processesWithoutPod, cid)
+ switch podEvent.Type {
+ case workloadmeta.EventTypeSet:
+ c.retryProcessEventsWithoutPod(containerIDs)
+ case workloadmeta.EventTypeUnset:
+ delete(c.currentBatch, pod.Name)
+ delete(c.freshlyUpdatedPods, pod.Name)
+ for _, cid := range containerIDs {
+ delete(c.processesWithoutPod, cid)
+ }
}
- delete(c.currentBatch, pod.Name)
- delete(c.freshlyUpdatedPods, pod.Name)
}
func (c *client) getCurrentBatchProto() *pbgo.ParentLanguageAnnotationRequest {
diff --git a/comp/languagedetection/client/client_test.go b/comp/languagedetection/client/client_test.go
index 84e31f0085a54..18d369d9b72f0 100644
--- a/comp/languagedetection/client/client_test.go
+++ b/comp/languagedetection/client/client_test.go
@@ -784,6 +784,20 @@ func TestRun(t *testing.T) {
},
}
+ container3 := &workloadmeta.Container{
+ EntityID: workloadmeta.EntityID{
+ ID: "python-cont-id3",
+ Kind: workloadmeta.KindContainer,
+ },
+ EntityMeta: workloadmeta.EntityMeta{
+ Name: "python-cont-name3",
+ },
+ Owner: &workloadmeta.EntityID{
+ ID: "python-pod-id3",
+ Kind: workloadmeta.KindKubernetesPod,
+ },
+ }
+
pod1 := &workloadmeta.KubernetesPod{
EntityID: workloadmeta.EntityID{
ID: "nginx-pod-id1",
@@ -832,6 +846,30 @@ func TestRun(t *testing.T) {
},
}
+ pod3 := &workloadmeta.KubernetesPod{
+ EntityID: workloadmeta.EntityID{
+ ID: "python-pod-id3",
+ Kind: workloadmeta.KindKubernetesPod,
+ },
+ EntityMeta: workloadmeta.EntityMeta{
+ Name: "python-pod-name3",
+ Namespace: "python-pod-namespace3",
+ },
+ Containers: []workloadmeta.OrchestratorContainer{
+ {
+ ID: "python-cont-id3",
+ Name: "python-cont-name3",
+ },
+ },
+ Owners: []workloadmeta.KubernetesPodOwner{
+ {
+ ID: "python-replicaset-id3",
+ Name: "python-replicaset-name3",
+ Kind: "replicaset",
+ },
+ },
+ }
+
process1 := &workloadmeta.Process{
EntityID: workloadmeta.EntityID{
Kind: workloadmeta.KindProcess,
@@ -843,38 +881,38 @@ func TestRun(t *testing.T) {
ContainerID: "nginx-cont-id1",
}
- processWithoutPod := &workloadmeta.Process{
+ process2 := &workloadmeta.Process{
EntityID: workloadmeta.EntityID{
Kind: workloadmeta.KindProcess,
- ID: "1234",
+ ID: "012",
},
Language: &languagemodels.Language{
- Name: "java",
+ Name: "go",
},
- ContainerID: "unknown-container",
+ ContainerID: "nginx-cont-id2",
}
- process2 := &workloadmeta.Process{
+ process3 := &workloadmeta.Process{
EntityID: workloadmeta.EntityID{
Kind: workloadmeta.KindProcess,
- ID: "012",
+ ID: "1234",
},
Language: &languagemodels.Language{
- Name: "go",
+ Name: "python",
},
- ContainerID: "nginx-cont-id2",
+ ContainerID: "python-cont-id3",
}
collectorEvents1 := []workloadmeta.CollectorEvent{
{
Type: workloadmeta.EventTypeSet,
Source: workloadmeta.SourceAll,
- Entity: pod1,
+ Entity: container1,
},
{
Type: workloadmeta.EventTypeSet,
Source: workloadmeta.SourceAll,
- Entity: container1,
+ Entity: pod1,
},
{
Type: workloadmeta.EventTypeSet,
@@ -884,7 +922,13 @@ func TestRun(t *testing.T) {
{
Type: workloadmeta.EventTypeSet,
Source: workloadmeta.SourceAll,
- Entity: processWithoutPod,
+ Entity: container1,
+ },
+ // Process 3 set event is here received before the set event of container 3 and pod 3
+ {
+ Type: workloadmeta.EventTypeSet,
+ Source: workloadmeta.SourceAll,
+ Entity: process3,
},
}
@@ -926,6 +970,18 @@ func TestRun(t *testing.T) {
Source: workloadmeta.SourceAll,
Entity: process2,
},
+ // Now we receive the set events of container 3 and pod 3.
+ // This should lead to retrying processing the process set event
+ {
+ Type: workloadmeta.EventTypeSet,
+ Source: workloadmeta.SourceAll,
+ Entity: container3,
+ },
+ {
+ Type: workloadmeta.EventTypeSet,
+ Source: workloadmeta.SourceAll,
+ Entity: pod3,
+ },
}
client.store.Notify(collectorEvents2)
@@ -957,6 +1013,19 @@ func TestRun(t *testing.T) {
Kind: "replicaset",
},
},
+ "python-pod-name3": {
+ namespace: "python-pod-namespace3",
+ containerInfo: langUtil.ContainersLanguages{
+ "python-cont-name3": {
+ "python": {},
+ },
+ },
+ ownerRef: &workloadmeta.KubernetesPodOwner{
+ ID: "python-replicaset-id3",
+ Name: "python-replicaset-name3",
+ Kind: "replicaset",
+ },
+ },
}
// the periodic flush mechanism should send the entire data every 100ms
@@ -975,6 +1044,11 @@ func TestRun(t *testing.T) {
Source: workloadmeta.SourceAll,
Entity: pod2,
},
+ {
+ Type: workloadmeta.EventTypeUnset,
+ Source: workloadmeta.SourceAll,
+ Entity: pod3,
+ },
}
client.store.Notify(unsetPodEvent)
diff --git a/comp/metadata/internal/util/inventory_payload.go b/comp/metadata/internal/util/inventory_payload.go
index 1318c6feb87ef..877f7ca14515a 100644
--- a/comp/metadata/internal/util/inventory_payload.go
+++ b/comp/metadata/internal/util/inventory_payload.go
@@ -68,7 +68,7 @@ import (
)
var (
- defaultMinInterval = 5 * time.Minute
+ defaultMinInterval = 1 * time.Minute
defaultMaxInterval = 10 * time.Minute
// For testing purposes
diff --git a/comp/metadata/inventoryagent/README.md b/comp/metadata/inventoryagent/README.md
index 38842969f9e46..017997f8267a9 100644
--- a/comp/metadata/inventoryagent/README.md
+++ b/comp/metadata/inventoryagent/README.md
@@ -6,7 +6,7 @@ This package populates some of the agent-related fields in the `inventories` pro
This is enabled by default but can be turned off using `inventories_enabled` config.
The payload is sent every 10min (see `inventories_max_interval` in the config) or whenever it's updated with at most 1
-update every 5 minutes (see `inventories_min_interval`).
+update every minute (see `inventories_min_interval`).
# Content
@@ -103,6 +103,16 @@ The payload is a JSON dict with the following fields
string. This includes the settings configured by the user (throuh the configuration file, the environment or CLI),
as well as any settings explicitly set by the agent (for example the number of workers is dynamically set by the
agent itself based on the load).
+ - `file_configuration` - **string**: the Agent configuration specified by the configuration file (scrubbed), as a YAML string.
+ Only the settings written in the configuration file are included, and their value might not match what's applyed by the agent because they can be overriden by other sources.
+ - `environment_variable_configuration` - **string**: the Agent configuration specified by the environment variables (scrubbed), as a YAML string.
+ Only the settings written in the environment variables are included, and their value might not match what's applyed by the agent because they can be overriden by other sources.
+ - `agent_runtime_configuration` - **string**: the Agent configuration set by the agent itself (scrubbed), as a YAML string.
+ Only the settings set by the agent itself are included, and their value might not match what's applyed by the agent because they can be overriden by other sources.
+ - `remote_configuration` - **string**: the Agent configuration specified by the Remote Configuration (scrubbed), as a YAML string.
+ Only the settings currently used by Remote Configuration are included, and their value might not match what's applyed by the agent because they can be overriden by other sources.
+ - `cli_configuration` - **string**: the Agent configuration specified by the CLI (scrubbed), as a YAML string.
+ Only the settings set in the CLI are included, they cannot be overriden by any other sources.
("scrubbed" indicates that secrets are removed from the field value just as they are in logs)
@@ -114,7 +124,6 @@ Here an example of an inventory payload:
{
"agent_metadata": {
"agent_version": "7.37.0-devel+git.198.68a5b69",
- "cloud_provider": "AWS",
"config_apm_dd_url": "",
"config_dd_url": "",
"config_logs_dd_url": "",
@@ -141,7 +150,11 @@ Here an example of an inventory payload:
"install_method_tool_version": "",
"logs_transport": "HTTP",
"full_configuration": "",
- "provided_configuration": "api_key: \"***************************aaaaa\"\ncheck_runners: 4\ncmd.check.fullsketches: false\ncontainerd_namespace: []\ncontainerd_namespaces: []\npython_version: \"3\"\ntracemalloc_debug: false"
+ "provided_configuration": "api_key: \"***************************aaaaa\"\ncheck_runners: 4\ncmd.check.fullsketches: false\ncontainerd_namespace: []\ncontainerd_namespaces: []\npython_version: \"3\"\ntracemalloc_debug: false\nlog_level: \"warn\"",
+ "file_configuration": "check_runners: 4\ncmd.check.fullsketches: false\ncontainerd_namespace: []\ncontainerd_namespaces: []\npython_version: \"3\"\ntracemalloc_debug: false",
+ "environment_variable_configuration": "api_key: \"***************************aaaaa\"",
+ "remote_configuration": "log_level: \"debug\"",
+ "cli_configuration": "log_level: \"warn\""
}
"hostname": "my-host",
"timestamp": 1631281754507358895
diff --git a/docs/cloud-workload-security/secl.json b/docs/cloud-workload-security/secl.json
index 20d3d9e14ee86..4b282e4a560d4 100644
--- a/docs/cloud-workload-security/secl.json
+++ b/docs/cloud-workload-security/secl.json
@@ -3009,6 +3009,11 @@
"definition": "Return value of the syscall",
"property_doc_link": "common-syscallevent-retval-doc"
},
+ {
+ "name": "mount.root.path",
+ "definition": "Root path of the mount",
+ "property_doc_link": "mount-root-path-doc"
+ },
{
"name": "mount.source.path",
"definition": "Source path of a bind mount",
@@ -8879,6 +8884,18 @@
"constants_link": "",
"examples": []
},
+ {
+ "name": "mount.root.path",
+ "link": "mount-root-path-doc",
+ "type": "string",
+ "definition": "Root path of the mount",
+ "prefixes": [
+ "mount"
+ ],
+ "constants": "",
+ "constants_link": "",
+ "examples": []
+ },
{
"name": "mount.source.path",
"link": "mount-source-path-doc",
diff --git a/docs/dev/agent_api.md b/docs/dev/agent_api.md
index f55ffaaf6e416..e43ba211543a5 100644
--- a/docs/dev/agent_api.md
+++ b/docs/dev/agent_api.md
@@ -5,7 +5,7 @@ groups:
2. **Telemetry**: These expose some internal telemetry that is useful for profiling and debugging.
## Control API
-This API is accessible via HTTPS only and listens by default on the `localhost` interface on port `5001`. The listening interface and port can be configured using the `cmd_host` and `cmd_port` config options.
+This API is accessible via HTTPS only and listens by default on the `localhost` interface on port `5001`. The listening interface and port can be configured using the `ipc_address` and `cmd_port` config options.
### Authentication
To avoid unprivileged users accessing the Agent control API, authentication is required and based on a generated token.
diff --git a/go.mod b/go.mod
index b0b1d6609cfea..8190335db181c 100644
--- a/go.mod
+++ b/go.mod
@@ -24,6 +24,8 @@ replace (
)
replace (
+ github.com/DataDog/datadog-agent/comp/core/flare/types => ./comp/core/flare/types
+ github.com/DataDog/datadog-agent/comp/core/secrets => ./comp/core/secrets
github.com/DataDog/datadog-agent/comp/core/telemetry => ./comp/core/telemetry/
github.com/DataDog/datadog-agent/pkg/aggregator/ckey => ./pkg/aggregator/ckey/
github.com/DataDog/datadog-agent/pkg/collector/check/defaults => ./pkg/collector/check/defaults
@@ -63,6 +65,7 @@ replace (
github.com/DataDog/datadog-agent/pkg/util/statstracker => ./pkg/util/statstracker
github.com/DataDog/datadog-agent/pkg/util/system/socket => ./pkg/util/system/socket/
github.com/DataDog/datadog-agent/pkg/util/testutil => ./pkg/util/testutil
+ github.com/DataDog/datadog-agent/pkg/util/winutil => ./pkg/util/winutil/
github.com/DataDog/datadog-agent/pkg/version => ./pkg/version
)
@@ -238,12 +241,12 @@ require (
go4.org/netipx v0.0.0-20220812043211-3cc044ffd68d
golang.org/x/arch v0.6.0
golang.org/x/exp v0.0.0-20231006140011-7918f672742d
- golang.org/x/net v0.18.0
+ golang.org/x/net v0.19.0
golang.org/x/sync v0.5.0
- golang.org/x/sys v0.14.1-0.20231108175955-e4099bfacb8c
+ golang.org/x/sys v0.15.0
golang.org/x/text v0.14.0
golang.org/x/time v0.3.0
- golang.org/x/tools v0.15.0
+ golang.org/x/tools v0.16.0
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
google.golang.org/genproto v0.0.0-20231030173426-d783a09b4405 // indirect
google.golang.org/grpc v1.59.0
@@ -546,10 +549,10 @@ require (
go.opentelemetry.io/otel/sdk/metric v1.20.0 // indirect
go.opentelemetry.io/otel/trace v1.20.0 // indirect
go.opentelemetry.io/proto/otlp v1.0.0 // indirect
- golang.org/x/crypto v0.15.0 // indirect
+ golang.org/x/crypto v0.16.0 // indirect
golang.org/x/mod v0.14.0
golang.org/x/oauth2 v0.11.0 // indirect
- golang.org/x/term v0.14.0 // indirect
+ golang.org/x/term v0.15.0 // indirect
gonum.org/v1/gonum v0.14.0 // indirect
google.golang.org/api v0.134.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
@@ -583,6 +586,8 @@ require github.com/lorenzosaino/go-sysctl v0.3.1
require (
github.com/DATA-DOG/go-sqlmock v1.5.0
github.com/DataDog/agent-payload/v5 v5.0.100
+ github.com/DataDog/datadog-agent/comp/core/flare/types v0.0.0-00010101000000-000000000000
+ github.com/DataDog/datadog-agent/comp/core/secrets v0.0.0-00010101000000-000000000000
github.com/DataDog/datadog-agent/comp/core/telemetry v0.50.0-rc.4
github.com/DataDog/datadog-agent/pkg/aggregator/ckey v0.50.0-rc.4
github.com/DataDog/datadog-agent/pkg/collector/check/defaults v0.50.0-rc.4
@@ -611,6 +616,7 @@ require (
github.com/DataDog/datadog-agent/pkg/util/sort v0.50.0-rc.4
github.com/DataDog/datadog-agent/pkg/util/statstracker v0.50.0-rc.4
github.com/DataDog/datadog-agent/pkg/util/testutil v0.50.0-rc.4
+ github.com/DataDog/datadog-agent/pkg/util/winutil v0.0.0-00010101000000-000000000000
github.com/DataDog/datadog-agent/pkg/version v0.50.0-rc.4
github.com/DataDog/go-libddwaf/v2 v2.2.0
github.com/DataDog/opentelemetry-mapping-go/pkg/otlp/logs v0.8.0
diff --git a/go.sum b/go.sum
index 0b72c63002e69..3b350a26177d4 100644
--- a/go.sum
+++ b/go.sum
@@ -1847,8 +1847,8 @@ golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0
golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
-golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1959,8 +1959,8 @@ golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
-golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -2102,8 +2102,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.1-0.20231108175955-e4099bfacb8c h1:3kC/TjQ+xzIblQv39bCOyRk8fbEeJcDHwbyxPUU2BpA=
-golang.org/x/sys v0.14.1-0.20231108175955-e4099bfacb8c/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -2112,8 +2112,8 @@ golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8=
-golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -2206,8 +2206,8 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8=
-golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk=
+golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
+golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/omnibus/config/software/datadog-agent-integrations-py3.rb b/omnibus/config/software/datadog-agent-integrations-py3.rb
index 48bda18943bcc..ffb437079370d 100644
--- a/omnibus/config/software/datadog-agent-integrations-py3.rb
+++ b/omnibus/config/software/datadog-agent-integrations-py3.rb
@@ -263,6 +263,18 @@
vars: { requirements: lib_req["req_lines"] }
end
+ # Constraints file for constraining transitive dependencies in those cases where there may be incompatible versions
+ constraints = []
+ if redhat_target?
+ constraints.push("bcrypt < 4.1.0")
+ end
+
+ constraints_file = windows_safe_path(project_dir, "constraints.txt")
+ block "Write constraints file" do
+ File.open(constraints_file, 'w') { |f| f << constraints.join("\n") }
+ end
+
+
# Increasing pip max retries (default: 5 times) and pip timeout (default 15 seconds) to avoid blocking network errors
pip_max_retries = 20
pip_timeout = 20
@@ -273,11 +285,11 @@
command "#{python} -m pip install datadog_checks_base --no-deps --no-index --find-links=#{wheel_build_dir}"
command "#{python} -m pip wheel . --no-deps --no-index --wheel-dir=#{wheel_build_dir}", :env => build_env, :cwd => cwd_downloader
command "#{python} -m pip install datadog_checks_downloader --no-deps --no-index --find-links=#{wheel_build_dir}"
- command "#{python} -m piptools compile --generate-hashes --output-file #{compiled_reqs_file_path} #{static_reqs_out_file} " \
+ command "#{python} -m piptools compile --generate-hashes -c #{constraints_file} --output-file #{compiled_reqs_file_path} #{static_reqs_out_file} " \
"--pip-args \"--retries #{pip_max_retries} --timeout #{pip_timeout}\"", :env => build_env
# Pip-compiling seperately each lib that needs a custom build installation
specific_build_env.each do |lib, env|
- command "#{python} -m piptools compile --generate-hashes --output-file #{requirements_custom[lib]["compiled_req_file_path"]} #{requirements_custom[lib]["req_file_path"]} " \
+ command "#{python} -m piptools compile --generate-hashes -c #{constraints_file} --output-file #{requirements_custom[lib]["compiled_req_file_path"]} #{requirements_custom[lib]["req_file_path"]} " \
"--pip-args \"--retries #{pip_max_retries} --timeout #{pip_timeout}\"", :env => env
end
diff --git a/omnibus/config/templates/datadog-agent/systemd.sysprobe.service.erb b/omnibus/config/templates/datadog-agent/systemd.sysprobe.service.erb
index 79e081d1ff133..68dc883843ccf 100644
--- a/omnibus/config/templates/datadog-agent/systemd.sysprobe.service.erb
+++ b/omnibus/config/templates/datadog-agent/systemd.sysprobe.service.erb
@@ -11,6 +11,7 @@ Type=simple
PIDFile=<%= install_dir %>/run/system-probe.pid
Restart=on-failure
ExecStart=<%= install_dir %>/embedded/bin/system-probe run --config=<%= etc_dir %>/system-probe.yaml --pid=<%= install_dir %>/run/system-probe.pid
+ExecReload=/bin/kill -HUP $MAINPID
# Since systemd 229, should be in [Unit] but in order to support systemd <229,
# it is also supported to have it here.
StartLimitInterval=10
diff --git a/pkg/autodiscovery/secrets.go b/pkg/autodiscovery/secrets.go
index 3f6735f107922..6db09d295809f 100644
--- a/pkg/autodiscovery/secrets.go
+++ b/pkg/autodiscovery/secrets.go
@@ -23,7 +23,7 @@ func decryptConfig(conf integration.Config, secretResolver secrets.Component) (i
var err error
// init_config
- conf.InitConfig, err = secretResolver.Decrypt(conf.InitConfig, conf.Name)
+ conf.InitConfig, err = secretResolver.Resolve(conf.InitConfig, conf.Name)
if err != nil {
return conf, fmt.Errorf("error while decrypting secrets in 'init_config': %s", err)
}
@@ -32,7 +32,7 @@ func decryptConfig(conf integration.Config, secretResolver secrets.Component) (i
// we cannot update in place as, being a slice, it would modify the input config as well
instances := make([]integration.Data, 0, len(conf.Instances))
for _, inputInstance := range conf.Instances {
- decryptedInstance, err := secretResolver.Decrypt(inputInstance, conf.Name)
+ decryptedInstance, err := secretResolver.Resolve(inputInstance, conf.Name)
if err != nil {
return conf, fmt.Errorf("error while decrypting secrets in an instance: %s", err)
}
@@ -41,13 +41,13 @@ func decryptConfig(conf integration.Config, secretResolver secrets.Component) (i
conf.Instances = instances
// metrics
- conf.MetricConfig, err = secretResolver.Decrypt(conf.MetricConfig, conf.Name)
+ conf.MetricConfig, err = secretResolver.Resolve(conf.MetricConfig, conf.Name)
if err != nil {
return conf, fmt.Errorf("error while decrypting secrets in 'metrics': %s", err)
}
// logs
- conf.LogsConfig, err = secretResolver.Decrypt(conf.LogsConfig, conf.Name)
+ conf.LogsConfig, err = secretResolver.Resolve(conf.LogsConfig, conf.Name)
if err != nil {
return conf, fmt.Errorf("error while decrypting secrets 'logs': %s", err)
}
diff --git a/pkg/autodiscovery/secrets_test.go b/pkg/autodiscovery/secrets_test.go
index b6590e9cdd2e0..e1eb4dc01c741 100644
--- a/pkg/autodiscovery/secrets_test.go
+++ b/pkg/autodiscovery/secrets_test.go
@@ -38,7 +38,7 @@ func (m *MockSecretResolver) Configure(_ string, _ []string, _, _ int, _, _ bool
func (m *MockSecretResolver) GetDebugInfo(_ io.Writer) {}
-func (m *MockSecretResolver) Decrypt(data []byte, origin string) ([]byte, error) {
+func (m *MockSecretResolver) Resolve(data []byte, origin string) ([]byte, error) {
if m.scenarios == nil {
return data, nil
}
@@ -48,8 +48,12 @@ func (m *MockSecretResolver) Decrypt(data []byte, origin string) ([]byte, error)
return scenario.returnedData, scenario.returnedError
}
}
- m.t.Errorf("Decrypt called with unexpected arguments: data=%s, origin=%s", string(data), origin)
- return nil, fmt.Errorf("Decrypt called with unexpected arguments: data=%s, origin=%s", string(data), origin)
+ m.t.Errorf("Resolve called with unexpected arguments: data=%s, origin=%s", string(data), origin)
+ return nil, fmt.Errorf("Resolve called with unexpected arguments: data=%s, origin=%s", string(data), origin)
+}
+
+func (m *MockSecretResolver) ResolveWithCallback(_ []byte, _ string, _ secrets.ResolveCallback) error {
+ return nil
}
func (m *MockSecretResolver) haveAllScenariosBeenCalled() bool {
@@ -111,29 +115,29 @@ var makeSharedScenarios = func() []mockSecretScenario {
}
}
-func TestSecretDecrypt(t *testing.T) {
- mockDecrypt := &MockSecretResolver{t, makeSharedScenarios()}
+func TestSecretResolve(t *testing.T) {
+ mockResolve := &MockSecretResolver{t, makeSharedScenarios()}
- newConfig, err := decryptConfig(sharedTpl, mockDecrypt)
+ newConfig, err := decryptConfig(sharedTpl, mockResolve)
require.NoError(t, err)
assert.NotEqual(t, newConfig.Instances, sharedTpl.Instances)
- assert.True(t, mockDecrypt.haveAllScenariosBeenCalled())
+ assert.True(t, mockResolve.haveAllScenariosBeenCalled())
}
-func TestSkipSecretDecrypt(t *testing.T) {
- mockDecrypt := &MockSecretResolver{t, makeSharedScenarios()}
+func TestSkipSecretResolve(t *testing.T) {
+ mockResolve := &MockSecretResolver{t, makeSharedScenarios()}
cfg := config.Mock(t)
cfg.SetWithoutSource("secret_backend_skip_checks", true)
defer cfg.SetWithoutSource("secret_backend_skip_checks", false)
- c, err := decryptConfig(sharedTpl, mockDecrypt)
+ c, err := decryptConfig(sharedTpl, mockResolve)
require.NoError(t, err)
assert.Equal(t, sharedTpl.Instances, c.Instances)
assert.Equal(t, sharedTpl.InitConfig, c.InitConfig)
- assert.True(t, mockDecrypt.haveAllScenariosNotCalled())
+ assert.True(t, mockResolve.haveAllScenariosNotCalled())
}
diff --git a/pkg/cli/subcommands/clusterchecks/command.go b/pkg/cli/subcommands/clusterchecks/command.go
index 21bedb0188c3b..aeebed8057196 100644
--- a/pkg/cli/subcommands/clusterchecks/command.go
+++ b/pkg/cli/subcommands/clusterchecks/command.go
@@ -40,8 +40,11 @@ type GlobalParams struct {
}
type cliParams struct {
+ GlobalParams
+
checkName string
force bool
+ checkID string
}
// MakeCommand returns a `clusterchecks` command to be used by cluster-agent
@@ -85,6 +88,23 @@ func MakeCommand(globalParamsGetter func() GlobalParams) *cobra.Command {
cmd.AddCommand(rebalanceCmd)
+ isolateCmd := &cobra.Command{
+ Use: "isolate",
+ Short: "Isolates a single check in the cluster runner",
+ Long: ``,
+ RunE: func(cmd *cobra.Command, args []string) error {
+ globalParams := globalParamsGetter()
+
+ return fxutil.OneShot(isolate,
+ fx.Supply(cliParams),
+ fx.Supply(bundleParams(globalParams)),
+ core.Bundle,
+ )
+ },
+ }
+ isolateCmd.Flags().StringVarP(&cliParams.checkID, "checkID", "", "", "the check ID to isolate")
+ cmd.AddCommand(isolateCmd)
+
return cmd
}
@@ -155,3 +175,44 @@ func rebalance(_ log.Component, _ config.Component, cliParams *cliParams) error
return nil
}
+
+func isolate(_ log.Component, _ config.Component, cliParams *cliParams) error {
+ c := util.GetClient(false) // FIX: get certificates right then make this true
+ if cliParams.checkID == "" {
+ return fmt.Errorf("checkID must be specified")
+ }
+ urlstr := fmt.Sprintf("https://localhost:%v/api/v1/clusterchecks/isolate/check/%s", pkgconfig.Datadog.GetInt("cluster_agent.cmd_port"), cliParams.checkID)
+
+ // Set session token
+ err := util.SetAuthToken()
+ if err != nil {
+ return err
+ }
+
+ r, err := util.DoPost(c, urlstr, "application/json", bytes.NewBuffer([]byte{}))
+ if err != nil {
+ var errMap = make(map[string]string)
+ json.Unmarshal(r, &errMap) //nolint:errcheck
+ // If the error has been marshalled into a json object, check it and return it properly
+ if e, found := errMap["error"]; found {
+ err = fmt.Errorf(e)
+ }
+
+ fmt.Printf(`
+ Could not reach agent: %v
+ Make sure the agent is running before requesting to isolate a cluster check.
+ Contact support if you continue having issues.`, err)
+
+ return err
+ }
+
+ var response types.IsolateResponse
+
+ json.Unmarshal(r, &response) //nolint:errcheck
+ if response.IsIsolated {
+ fmt.Printf("Check %s isolated successfully on node %s\n", response.CheckID, response.CheckNode)
+ } else {
+ fmt.Printf("Check %s could not be isolated: %s\n", response.CheckID, response.Reason)
+ }
+ return nil
+}
diff --git a/pkg/cli/subcommands/clusterchecks/command_test.go b/pkg/cli/subcommands/clusterchecks/command_test.go
index 61736ac285ade..388005f7bcd7f 100644
--- a/pkg/cli/subcommands/clusterchecks/command_test.go
+++ b/pkg/cli/subcommands/clusterchecks/command_test.go
@@ -10,8 +10,10 @@ package clusterchecks
import (
"testing"
+ "github.com/DataDog/datadog-agent/comp/core"
"github.com/DataDog/datadog-agent/pkg/util/fxutil"
"github.com/spf13/cobra"
+ "github.com/stretchr/testify/require"
)
func TestCommand(t *testing.T) {
@@ -41,3 +43,19 @@ func TestRebalance(t *testing.T) {
rebalance,
func() {})
}
+
+func TestIsolate(t *testing.T) {
+ commands := []*cobra.Command{
+ MakeCommand(func() GlobalParams {
+ return GlobalParams{}
+ }),
+ }
+
+ fxutil.TestOneShotSubcommand(t,
+ commands,
+ []string{"clusterchecks", "isolate", "--checkID", "checkID"},
+ isolate,
+ func(cliParams *cliParams, coreParams core.BundleParams) {
+ require.Equal(t, "checkID", cliParams.checkID)
+ })
+}
diff --git a/pkg/clusteragent/clusterchecks/checks_distribution.go b/pkg/clusteragent/clusterchecks/checks_distribution.go
index cba283511a89c..989b4e7e67a97 100644
--- a/pkg/clusteragent/clusterchecks/checks_distribution.go
+++ b/pkg/clusteragent/clusterchecks/checks_distribution.go
@@ -59,13 +59,19 @@ func newChecksDistribution(workersPerRunner map[string]int) checksDistribution {
// leastBusyRunner returns the runner with the lowest utilization. If there are
// several options, it gives preference to preferredRunner. If preferredRunner
// is not among the runners with the lowest utilization, it gives precedence to
-// the runner with the lowest number of checks deployed.
-func (distribution *checksDistribution) leastBusyRunner(preferredRunner string) string {
+// the runner with the lowest number of checks deployed. excludeRunner can be set
+// to avoid assigning a check to a specific runner.
+func (distribution *checksDistribution) leastBusyRunner(preferredRunner string, excludeRunner string) string {
leastBusyRunner := ""
minUtilization := 0.0
numChecksLeastBusyRunner := 0
for runnerName, runnerStatus := range distribution.Runners {
+ // Allow exclusion of a runner from selection
+ if runnerName == excludeRunner {
+ continue
+ }
+
runnerUtilization := runnerStatus.utilization()
runnerNumChecks := runnerStatus.NumChecks
@@ -84,8 +90,8 @@ func (distribution *checksDistribution) leastBusyRunner(preferredRunner string)
return leastBusyRunner
}
-func (distribution *checksDistribution) addToLeastBusy(checkID string, workersNeeded float64, preferredRunner string) {
- leastBusy := distribution.leastBusyRunner(preferredRunner)
+func (distribution *checksDistribution) addToLeastBusy(checkID string, workersNeeded float64, preferredRunner string, excludeRunner string) {
+ leastBusy := distribution.leastBusyRunner(preferredRunner, excludeRunner)
if leastBusy == "" {
return
}
diff --git a/pkg/clusteragent/clusterchecks/checks_distribution_test.go b/pkg/clusteragent/clusterchecks/checks_distribution_test.go
index 9c2d0f58c3e24..0972ff99fbe05 100644
--- a/pkg/clusteragent/clusterchecks/checks_distribution_test.go
+++ b/pkg/clusteragent/clusterchecks/checks_distribution_test.go
@@ -137,7 +137,7 @@ func TestAddToLeastBusy(t *testing.T) {
distribution.addCheck(checkID, checkStatus.WorkersNeeded, checkStatus.Runner)
}
- distribution.addToLeastBusy("newCheck", 10, test.preferredRunner)
+ distribution.addToLeastBusy("newCheck", 10, test.preferredRunner, "")
assert.Equal(t, test.expectedPlacement, distribution.runnerForCheck("newCheck"))
})
diff --git a/pkg/clusteragent/clusterchecks/dispatcher_isolate.go b/pkg/clusteragent/clusterchecks/dispatcher_isolate.go
new file mode 100644
index 0000000000000..ad54bc5a27489
--- /dev/null
+++ b/pkg/clusteragent/clusterchecks/dispatcher_isolate.go
@@ -0,0 +1,62 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build clusterchecks
+
+package clusterchecks
+
+import "github.com/DataDog/datadog-agent/pkg/clusteragent/clusterchecks/types"
+
+func (d *dispatcher) isolateCheck(isolateCheckID string) types.IsolateResponse {
+ // Update stats prior to starting isolate to ensure all checks are accounted for
+ d.updateRunnersStats()
+ currentDistribution := d.currentDistribution()
+
+ // If there is only one runner, we cannot isolate the check
+ if len(currentDistribution.runnerWorkers()) == 1 {
+ return types.IsolateResponse{
+ CheckID: isolateCheckID,
+ CheckNode: "",
+ IsIsolated: false,
+ Reason: "No other runners available",
+ }
+ }
+
+ isolateNode := currentDistribution.runnerForCheck(isolateCheckID)
+ if isolateNode == "" {
+ return types.IsolateResponse{
+ CheckID: isolateCheckID,
+ CheckNode: "",
+ IsIsolated: false,
+ Reason: "Unable to find check",
+ }
+ }
+
+ proposedDistribution := newChecksDistribution(currentDistribution.runnerWorkers())
+
+ for _, checkID := range currentDistribution.checksSortedByWorkersNeeded() {
+ if checkID == isolateCheckID {
+ // Keep the check to be isolated on its current runner
+ continue
+ }
+
+ workersNeededForCheck := currentDistribution.workersNeededForCheck(checkID)
+ runnerForCheck := currentDistribution.runnerForCheck(checkID)
+
+ proposedDistribution.addToLeastBusy(
+ checkID,
+ workersNeededForCheck,
+ runnerForCheck,
+ isolateNode,
+ )
+ }
+
+ d.applyDistribution(proposedDistribution, currentDistribution)
+ return types.IsolateResponse{
+ CheckID: isolateCheckID,
+ CheckNode: isolateNode,
+ IsIsolated: true,
+ }
+}
diff --git a/pkg/clusteragent/clusterchecks/dispatcher_isolate_test.go b/pkg/clusteragent/clusterchecks/dispatcher_isolate_test.go
new file mode 100644
index 0000000000000..b12e70c7edb46
--- /dev/null
+++ b/pkg/clusteragent/clusterchecks/dispatcher_isolate_test.go
@@ -0,0 +1,225 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build clusterchecks
+
+package clusterchecks
+
+import (
+ "testing"
+
+ "github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
+ "github.com/DataDog/datadog-agent/pkg/clusteragent/clusterchecks/types"
+ checkid "github.com/DataDog/datadog-agent/pkg/collector/check/id"
+ "github.com/DataDog/datadog-agent/pkg/config"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestIsolateCheckSuccessful(t *testing.T) {
+ testDispatcher := newDispatcher()
+ testDispatcher.store.nodes["A"] = newNodeStore("A", "")
+ testDispatcher.store.nodes["A"].workers = config.DefaultNumWorkers
+ testDispatcher.store.nodes["B"] = newNodeStore("B", "")
+ testDispatcher.store.nodes["B"].workers = config.DefaultNumWorkers
+
+ testDispatcher.store.nodes["A"].clcRunnerStats = map[string]types.CLCRunnerStats{
+ "checkA0": {
+ AverageExecutionTime: 50,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ "checkA1": {
+ AverageExecutionTime: 20,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ "checkA2": {
+ AverageExecutionTime: 100,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ }
+
+ testDispatcher.store.nodes["B"].clcRunnerStats = map[string]types.CLCRunnerStats{
+ "checkB0": {
+ AverageExecutionTime: 50,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ "checkB1": {
+ AverageExecutionTime: 20,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ "checkB2": {
+ AverageExecutionTime: 100,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ }
+ testDispatcher.store.idToDigest = map[checkid.ID]string{
+ "checkA0": "digestA0",
+ "checkA1": "digestA1",
+ "checkA2": "digestA2",
+ "checkB0": "digestB0",
+ "checkB1": "digestB1",
+ "checkB2": "digestB2",
+ }
+ testDispatcher.store.digestToConfig = map[string]integration.Config{
+ "digestA0": {},
+ "digestA1": {},
+ "digestA2": {},
+ "digestB0": {},
+ "digestB1": {},
+ "digestB2": {},
+ }
+ testDispatcher.store.digestToNode = map[string]string{
+ "digestA0": "A",
+ "digestA1": "A",
+ "digestA2": "A",
+ "digestB0": "B",
+ "digestB1": "B",
+ "digestB2": "B",
+ }
+
+ response := testDispatcher.isolateCheck("checkA2")
+ assert.EqualValues(t, response.CheckID, "checkA2")
+ assert.EqualValues(t, response.CheckNode, "A")
+ assert.True(t, response.IsIsolated)
+ assert.EqualValues(t, response.Reason, "")
+ assert.EqualValues(t, len(testDispatcher.store.nodes["A"].clcRunnerStats), 1)
+ assert.EqualValues(t, len(testDispatcher.store.nodes["B"].clcRunnerStats), 5)
+ _, containsIsolatedCheck := testDispatcher.store.nodes["A"].clcRunnerStats["checkA2"]
+ assert.True(t, containsIsolatedCheck)
+
+ requireNotLocked(t, testDispatcher.store)
+}
+
+func TestIsolateNonExistentCheckFails(t *testing.T) {
+ testDispatcher := newDispatcher()
+ testDispatcher.store.nodes["A"] = newNodeStore("A", "")
+ testDispatcher.store.nodes["A"].workers = config.DefaultNumWorkers
+ testDispatcher.store.nodes["B"] = newNodeStore("B", "")
+ testDispatcher.store.nodes["B"].workers = config.DefaultNumWorkers
+
+ testDispatcher.store.nodes["A"].clcRunnerStats = map[string]types.CLCRunnerStats{
+ "checkA0": {
+ AverageExecutionTime: 50,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ "checkA1": {
+ AverageExecutionTime: 20,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ "checkA2": {
+ AverageExecutionTime: 100,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ }
+
+ testDispatcher.store.nodes["B"].clcRunnerStats = map[string]types.CLCRunnerStats{
+ "checkB0": {
+ AverageExecutionTime: 50,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ "checkB1": {
+ AverageExecutionTime: 20,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ "checkB2": {
+ AverageExecutionTime: 100,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ }
+ testDispatcher.store.idToDigest = map[checkid.ID]string{
+ "checkA0": "digestA0",
+ "checkA1": "digestA1",
+ "checkA2": "digestA2",
+ "checkB0": "digestB0",
+ "checkB1": "digestB1",
+ "checkB2": "digestB2",
+ }
+ testDispatcher.store.digestToConfig = map[string]integration.Config{
+ "digestA0": {},
+ "digestA1": {},
+ "digestA2": {},
+ "digestB0": {},
+ "digestB1": {},
+ "digestB2": {},
+ }
+ testDispatcher.store.digestToNode = map[string]string{
+ "digestA0": "A",
+ "digestA1": "A",
+ "digestA2": "A",
+ "digestB0": "B",
+ "digestB1": "B",
+ "digestB2": "B",
+ }
+
+ response := testDispatcher.isolateCheck("checkA5")
+ assert.EqualValues(t, response.CheckID, "checkA5")
+ assert.EqualValues(t, response.CheckNode, "")
+ assert.False(t, response.IsIsolated)
+ assert.EqualValues(t, response.Reason, "Unable to find check")
+ assert.EqualValues(t, len(testDispatcher.store.nodes["A"].clcRunnerStats), 3)
+ assert.EqualValues(t, len(testDispatcher.store.nodes["B"].clcRunnerStats), 3)
+
+ requireNotLocked(t, testDispatcher.store)
+}
+
+func TestIsolateCheckOnlyOneRunnerFails(t *testing.T) {
+ testDispatcher := newDispatcher()
+ testDispatcher.store.nodes["A"] = newNodeStore("A", "")
+ testDispatcher.store.nodes["A"].workers = config.DefaultNumWorkers
+
+ testDispatcher.store.nodes["A"].clcRunnerStats = map[string]types.CLCRunnerStats{
+ "checkA0": {
+ AverageExecutionTime: 50,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ "checkA1": {
+ AverageExecutionTime: 20,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ "checkA2": {
+ AverageExecutionTime: 100,
+ MetricSamples: 10,
+ IsClusterCheck: true,
+ },
+ }
+
+ testDispatcher.store.idToDigest = map[checkid.ID]string{
+ "checkA0": "digestA0",
+ "checkA1": "digestA1",
+ "checkA2": "digestA2",
+ }
+ testDispatcher.store.digestToConfig = map[string]integration.Config{
+ "digestA0": {},
+ "digestA1": {},
+ "digestA2": {},
+ }
+ testDispatcher.store.digestToNode = map[string]string{
+ "digestA0": "A",
+ "digestA1": "A",
+ "digestA2": "A",
+ }
+
+ response := testDispatcher.isolateCheck("checkA1")
+ assert.EqualValues(t, response.CheckID, "checkA1")
+ assert.EqualValues(t, response.CheckNode, "")
+ assert.False(t, response.IsIsolated)
+ assert.EqualValues(t, response.Reason, "No other runners available")
+ assert.EqualValues(t, len(testDispatcher.store.nodes["A"].clcRunnerStats), 3)
+
+ requireNotLocked(t, testDispatcher.store)
+}
diff --git a/pkg/clusteragent/clusterchecks/dispatcher_rebalance.go b/pkg/clusteragent/clusterchecks/dispatcher_rebalance.go
index c044efdfa31d4..d1e28bce5fe83 100644
--- a/pkg/clusteragent/clusterchecks/dispatcher_rebalance.go
+++ b/pkg/clusteragent/clusterchecks/dispatcher_rebalance.go
@@ -315,6 +315,7 @@ func (d *dispatcher) rebalanceUsingUtilization(force bool) []types.RebalanceResp
checkID,
currentChecksDistribution.workersNeededForCheck(checkID),
currentChecksDistribution.runnerForCheck(checkID),
+ "",
)
}
diff --git a/pkg/clusteragent/clusterchecks/handler_api.go b/pkg/clusteragent/clusterchecks/handler_api.go
index c13ddd0d69807..71aee7c5838c8 100644
--- a/pkg/clusteragent/clusterchecks/handler_api.go
+++ b/pkg/clusteragent/clusterchecks/handler_api.go
@@ -119,3 +119,10 @@ func (h *Handler) RebalanceClusterChecks(force bool) ([]types.RebalanceResponse,
return response, nil
}
+
+// IsolateCheck triggers an attempt to isolate a check in a runner. Other checks
+// will be redistributed to other runners using the existing rebalancing logic.
+func (h *Handler) IsolateCheck(isolateCheckID string) types.IsolateResponse {
+ response := h.dispatcher.isolateCheck(isolateCheckID)
+ return response
+}
diff --git a/pkg/clusteragent/clusterchecks/types/types.go b/pkg/clusteragent/clusterchecks/types/types.go
index 818597bb1541c..2ce00e8937118 100644
--- a/pkg/clusteragent/clusterchecks/types/types.go
+++ b/pkg/clusteragent/clusterchecks/types/types.go
@@ -39,6 +39,14 @@ type RebalanceResponse struct {
DestDiff int `json:"dest_diff"`
}
+// IsolateResponse holds the DCA response for an isolate request
+type IsolateResponse struct {
+ CheckID string `json:"check_id"`
+ CheckNode string `json:"check_node"`
+ IsIsolated bool `json:"is_isolated"`
+ Reason string `json:"reason"`
+}
+
// ConfigResponse holds the DCA response for a config query
type ConfigResponse struct {
LastChange int64 `json:"last_change"`
diff --git a/pkg/collector/corechecks/oracle-dbm/activity_queries.go b/pkg/collector/corechecks/oracle-dbm/activity_queries.go
index 9b81126715b62..4a3008a4f89ed 100644
--- a/pkg/collector/corechecks/oracle-dbm/activity_queries.go
+++ b/pkg/collector/corechecks/oracle-dbm/activity_queries.go
@@ -150,7 +150,7 @@ WHERE
)
AND status = 'ACTIVE'`
-const activityQueryDirect = `SELECT /* DD_ACTIVITY_SAMPLING */
+const activityQueryDirect = `SELECT /*+ push_pred(sq) push_pred(sq_prev) */ /* DD_ACTIVITY_SAMPLING */
s.sid,
s.serial#,
s.username,
diff --git a/pkg/collector/corechecks/oracle-dbm/init_test.go b/pkg/collector/corechecks/oracle-dbm/init_test.go
new file mode 100644
index 0000000000000..b3bca56565216
--- /dev/null
+++ b/pkg/collector/corechecks/oracle-dbm/init_test.go
@@ -0,0 +1,26 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build oracle_test
+
+package oracle
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestTags(t *testing.T) {
+ c, _ := newRealCheck(t, `tags:
+ - foo1:bar1
+ - foo2:bar2`)
+ err := c.Run()
+ require.NoError(t, err)
+ assert.True(t, c.initialized, "Check not initialized")
+ assert.Contains(t, c.tags, dbmsTag, "Static tag not merged")
+ assert.Contains(t, c.tags, "foo1:bar1", "Config tag not in tags")
+}
diff --git a/pkg/collector/corechecks/oracle-dbm/oracle.go b/pkg/collector/corechecks/oracle-dbm/oracle.go
index bc2f6faf677a8..e39f3fc884440 100644
--- a/pkg/collector/corechecks/oracle-dbm/oracle.go
+++ b/pkg/collector/corechecks/oracle-dbm/oracle.go
@@ -316,6 +316,7 @@ func (c *Check) Configure(senderManager sender.SenderManager, integrationConfigD
c.checkInterval = float64(c.config.InitConfig.MinCollectionInterval)
tags := make([]string, len(c.config.Tags))
+ copy(tags, c.config.Tags)
tags = append(tags, fmt.Sprintf("dbms:%s", common.IntegrationName), fmt.Sprintf("ddagentversion:%s", c.agentVersion))
tags = append(tags, fmt.Sprintf("dbm:%t", c.dbmEnabled))
@@ -331,7 +332,10 @@ func (c *Check) Configure(senderManager sender.SenderManager, integrationConfigD
if c.config.ServiceName != "" {
tags = append(tags, fmt.Sprintf("service:%s", c.config.ServiceName))
}
+ c.configTags = make([]string, len(tags))
copy(c.configTags, tags)
+ c.tags = make([]string, len(tags))
+ copy(c.tags, tags)
c.logPrompt = config.GetLogPrompt(c.config.InstanceConfig)
diff --git a/pkg/collector/corechecks/oracle-dbm/sysmetrics_test.go b/pkg/collector/corechecks/oracle-dbm/sysmetrics_test.go
index e4de2c1549cc0..60470982d7d35 100644
--- a/pkg/collector/corechecks/oracle-dbm/sysmetrics_test.go
+++ b/pkg/collector/corechecks/oracle-dbm/sysmetrics_test.go
@@ -16,5 +16,5 @@ import (
func TestSysmetrics(t *testing.T) {
n, err := chk.sysMetrics()
assert.NoError(t, err, "failed to run sys metrics")
- assert.Equal(t, int64(144), n)
+ assert.Equal(t, int64(92), n)
}
diff --git a/pkg/collector/corechecks/oracle-dbm/testutil.go b/pkg/collector/corechecks/oracle-dbm/testutil.go
index 14feaa7da7e1f..c39b0e27d0cf1 100644
--- a/pkg/collector/corechecks/oracle-dbm/testutil.go
+++ b/pkg/collector/corechecks/oracle-dbm/testutil.go
@@ -11,8 +11,10 @@ import (
"fmt"
"testing"
+ "github.com/DataDog/datadog-agent/pkg/aggregator/mocksender"
"github.com/DataDog/datadog-agent/pkg/aggregator/sender"
"github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
+ "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
@@ -37,3 +39,36 @@ var PASSWORD = "datadog"
var SERVICE_NAME = "XE"
var TNS_ALIAS = "XE"
var TNS_ADMIN = "/Users/nenad.noveljic/go/src/github.com/DataDog/datadog-agent/pkg/collector/corechecks/oracle-dbm/testutil/etc/netadmin"
+
+var dbmsTag = "dbms:oracle"
+
+func newRealCheck(t *testing.T, options string) (Check, *mocksender.MockSender) {
+ c := Check{}
+ config := fmt.Sprintf(`
+server: %s
+port: %d
+username: %s
+password: %s
+service_name: %s
+`, HOST, PORT, USER, PASSWORD, SERVICE_NAME)
+ if options != "" {
+ config = fmt.Sprintf(`%s
+%s`, config, options)
+ }
+ rawInstanceConfig := []byte(config)
+ senderManager := mocksender.CreateDefaultDemultiplexer()
+ err := c.Configure(senderManager, integration.FakeConfigHash, rawInstanceConfig, []byte(``), "oracle_test")
+ require.NoError(t, err)
+
+ sender := mocksender.NewMockSenderWithSenderManager(c.ID(), senderManager)
+ sender.SetupAcceptAll()
+ assert.Equal(t, c.config.InstanceConfig.Server, HOST)
+ assert.Equal(t, c.config.InstanceConfig.Port, PORT)
+ assert.Equal(t, c.config.InstanceConfig.Username, USER)
+ assert.Equal(t, c.config.InstanceConfig.Password, PASSWORD)
+ assert.Equal(t, c.config.InstanceConfig.ServiceName, SERVICE_NAME)
+
+ assert.Contains(t, c.configTags, dbmsTag, "c.configTags doesn't contain static tags")
+
+ return c, sender
+}
diff --git a/pkg/collector/corechecks/system/cpu/cpu_windows.go b/pkg/collector/corechecks/system/cpu/cpu_windows.go
index 98028ffdcc84b..8e729527c56a8 100644
--- a/pkg/collector/corechecks/system/cpu/cpu_windows.go
+++ b/pkg/collector/corechecks/system/cpu/cpu_windows.go
@@ -21,7 +21,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/collector/check"
core "github.com/DataDog/datadog-agent/pkg/collector/corechecks"
"github.com/DataDog/datadog-agent/pkg/util/log"
- "github.com/DataDog/datadog-agent/pkg/util/winutil/pdhutil"
+ "github.com/DataDog/datadog-agent/pkg/util/pdhutil"
)
const cpuCheckName = "cpu"
diff --git a/pkg/collector/corechecks/system/cpu/cpu_windows_test.go b/pkg/collector/corechecks/system/cpu/cpu_windows_test.go
index a1c973a036324..57259500457a7 100644
--- a/pkg/collector/corechecks/system/cpu/cpu_windows_test.go
+++ b/pkg/collector/corechecks/system/cpu/cpu_windows_test.go
@@ -16,7 +16,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
gohaicpu "github.com/DataDog/datadog-agent/pkg/gohai/cpu"
gohaiutils "github.com/DataDog/datadog-agent/pkg/gohai/utils"
- pdhtest "github.com/DataDog/datadog-agent/pkg/util/winutil/pdhutil"
+ pdhtest "github.com/DataDog/datadog-agent/pkg/util/pdhutil"
)
func CPUInfo() *gohaicpu.Info {
diff --git a/pkg/collector/corechecks/system/disk/iostats_pdh_windows.go b/pkg/collector/corechecks/system/disk/iostats_pdh_windows.go
index e24bf49d64ea0..fee24cc3f7dc5 100644
--- a/pkg/collector/corechecks/system/disk/iostats_pdh_windows.go
+++ b/pkg/collector/corechecks/system/disk/iostats_pdh_windows.go
@@ -17,7 +17,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
core "github.com/DataDog/datadog-agent/pkg/collector/corechecks"
- "github.com/DataDog/datadog-agent/pkg/util/winutil/pdhutil"
+ "github.com/DataDog/datadog-agent/pkg/util/pdhutil"
"golang.org/x/sys/windows"
)
diff --git a/pkg/collector/corechecks/system/disk/iostats_pdh_windows_test.go b/pkg/collector/corechecks/system/disk/iostats_pdh_windows_test.go
index f98c978cca0aa..24cb3828c33f4 100644
--- a/pkg/collector/corechecks/system/disk/iostats_pdh_windows_test.go
+++ b/pkg/collector/corechecks/system/disk/iostats_pdh_windows_test.go
@@ -13,7 +13,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/aggregator/mocksender"
"github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
- pdhtest "github.com/DataDog/datadog-agent/pkg/util/winutil/pdhutil"
+ pdhtest "github.com/DataDog/datadog-agent/pkg/util/pdhutil"
)
func testGetDriveType(drive string) uintptr {
diff --git a/pkg/collector/corechecks/system/filehandles/docs.go b/pkg/collector/corechecks/system/filehandles/docs.go
new file mode 100644
index 0000000000000..add0f8e747c61
--- /dev/null
+++ b/pkg/collector/corechecks/system/filehandles/docs.go
@@ -0,0 +1,7 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+// Package filehandles defines the file_handle core check
+package filehandles
diff --git a/pkg/collector/corechecks/system/filehandles/file_handles.go b/pkg/collector/corechecks/system/filehandles/file_handles.go
index c7a31168094db..10703d355e5f6 100644
--- a/pkg/collector/corechecks/system/filehandles/file_handles.go
+++ b/pkg/collector/corechecks/system/filehandles/file_handles.go
@@ -2,7 +2,7 @@
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
-//go:build !windows && !freebsd
+//go:build !windows && !freebsd && !darwin
package filehandles
diff --git a/pkg/collector/corechecks/system/filehandles/file_handles_bsd.go b/pkg/collector/corechecks/system/filehandles/file_handles_bsd.go
new file mode 100644
index 0000000000000..2cd04b1907de9
--- /dev/null
+++ b/pkg/collector/corechecks/system/filehandles/file_handles_bsd.go
@@ -0,0 +1,71 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+//go:build freebsd || darwin
+
+package filehandles
+
+import (
+ "github.com/blabber/go-freebsd-sysctl/sysctl"
+
+ "github.com/DataDog/datadog-agent/pkg/aggregator/sender"
+ "github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
+ "github.com/DataDog/datadog-agent/pkg/collector/check"
+ core "github.com/DataDog/datadog-agent/pkg/collector/corechecks"
+ "github.com/DataDog/datadog-agent/pkg/util/log"
+)
+
+// For testing purpose
+var getInt64 = sysctl.GetInt64
+
+const fileHandlesCheckName = "file_handle"
+
+type fhCheck struct {
+ core.CheckBase
+}
+
+// Run executes the check
+func (c *fhCheck) Run() error {
+
+ sender, err := c.GetSender()
+ if err != nil {
+ return err
+ }
+ openFh, err := getInt64(openfilesOID)
+ if err != nil {
+ log.Warnf("Error getting %s value %v", openfilesOID, err)
+ return err
+ }
+ maxFh, err := getInt64("kern.maxfiles")
+ if err != nil {
+ log.Warnf("Error getting kern.maxfiles value %v", err)
+ return err
+ }
+ log.Debugf("Submitting %s %v", openfilesOID, openFh)
+ log.Debugf("Submitting kern.maxfiles %v", maxFh)
+ sender.Gauge("system.fs.file_handles.used", float64(openFh), "", nil)
+ sender.Gauge("system.fs.file_handles.max", float64(maxFh), "", nil)
+ sender.Commit()
+
+ return nil
+}
+
+// The check doesn't need configuration
+func (c *fhCheck) Configure(senderManager sender.SenderManager, integrationConfigDigest uint64, data integration.Data, initConfig integration.Data, source string) (err error) {
+ if err := c.CommonConfigure(senderManager, integrationConfigDigest, initConfig, data, source); err != nil {
+ return err
+ }
+
+ return err
+}
+
+func fhFactory() check.Check {
+ return &fhCheck{
+ CheckBase: core.NewCheckBase(fileHandlesCheckName),
+ }
+}
+
+func init() {
+ core.RegisterCheck(fileHandlesCheckName, fhFactory)
+}
diff --git a/pkg/collector/corechecks/system/filehandles/file_handles_bsd_test.go b/pkg/collector/corechecks/system/filehandles/file_handles_bsd_test.go
new file mode 100644
index 0000000000000..55c168d11e461
--- /dev/null
+++ b/pkg/collector/corechecks/system/filehandles/file_handles_bsd_test.go
@@ -0,0 +1,45 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+//go:build freebsd || darwin
+
+package filehandles
+
+import (
+ "testing"
+
+ "github.com/DataDog/datadog-agent/pkg/aggregator/mocksender"
+ "github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
+)
+
+func GetInt64(_ string) (value int64, err error) {
+ value = 65534
+ err = nil
+ return
+}
+
+func TestFhCheckFreeBSD(t *testing.T) {
+ getInt64 = GetInt64
+
+ // we have to init the mocked sender here before fileHandleCheck.Configure(mock.GetSenderManager(), integration.FakeConfigHash, ...)
+ // (and append it to the aggregator, which is automatically done in NewMockSender)
+ // because the FinalizeCheckServiceTag is called in Configure.
+ // Hopefully, the check ID is an empty string while running unit tests;
+ mock := mocksender.NewMockSender("")
+
+ fileHandleCheck := new(fhCheck)
+ fileHandleCheck.Configure(mock.GetSenderManager(), integration.FakeConfigHash, nil, nil, "test")
+
+ // reset the check ID for the sake of correctness
+ mocksender.SetSender(mock, fileHandleCheck.ID())
+
+ mock.On("Gauge", "system.fs.file_handles.used", float64(65534), "", []string(nil)).Return().Times(1)
+ mock.On("Gauge", "system.fs.file_handles.max", float64(65534), "", []string(nil)).Return().Times(1)
+ mock.On("Commit").Return().Times(1)
+ fileHandleCheck.Run()
+
+ mock.AssertExpectations(t)
+ mock.AssertNumberOfCalls(t, "Gauge", 2)
+ mock.AssertNumberOfCalls(t, "Commit", 1)
+}
diff --git a/pkg/collector/corechecks/system/filehandles/file_handles_darwin.go b/pkg/collector/corechecks/system/filehandles/file_handles_darwin.go
new file mode 100644
index 0000000000000..fba9b26115cd4
--- /dev/null
+++ b/pkg/collector/corechecks/system/filehandles/file_handles_darwin.go
@@ -0,0 +1,8 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+package filehandles
+
+const openfilesOID = "kern.num_files"
diff --git a/pkg/collector/corechecks/system/filehandles/file_handles_freebsd.go b/pkg/collector/corechecks/system/filehandles/file_handles_freebsd.go
index 3dabce43e9d17..9818f86001e78 100644
--- a/pkg/collector/corechecks/system/filehandles/file_handles_freebsd.go
+++ b/pkg/collector/corechecks/system/filehandles/file_handles_freebsd.go
@@ -2,70 +2,7 @@
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
-//go:build freebsd
package filehandles
-import (
- "github.com/blabber/go-freebsd-sysctl/sysctl"
-
- "github.com/DataDog/datadog-agent/pkg/aggregator/sender"
- "github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
- "github.com/DataDog/datadog-agent/pkg/collector/check"
- core "github.com/DataDog/datadog-agent/pkg/collector/corechecks"
- "github.com/DataDog/datadog-agent/pkg/util/log"
-)
-
-// For testing purpose
-var getInt64 = sysctl.GetInt64
-
-const fileHandlesCheckName = "file_handle"
-
-type fhCheck struct {
- core.CheckBase
-}
-
-// Run executes the check
-func (c *fhCheck) Run() error {
-
- sender, err := c.GetSender()
- if err != nil {
- return err
- }
- openFh, err := getInt64("kern.openfiles")
- if err != nil {
- log.Warnf("Error getting kern.openfiles value %v", err)
- return err
- }
- maxFh, err := getInt64("kern.maxfiles")
- if err != nil {
- log.Warnf("Error getting kern.maxfiles value %v", err)
- return err
- }
- log.Debugf("Submitting kern.openfiles %v", openFh)
- log.Debugf("Submitting kern.maxfiles %v", maxFh)
- sender.Gauge("system.fs.file_handles.used", float64(openFh), "", nil)
- sender.Gauge("system.fs.file_handles.max", float64(maxFh), "", nil)
- sender.Commit()
-
- return nil
-}
-
-// The check doesn't need configuration
-func (c *fhCheck) Configure(senderManager sender.SenderManager, integrationConfigDigest uint64, data integration.Data, initConfig integration.Data, source string) (err error) {
- if err := c.CommonConfigure(senderManager, integrationConfigDigest, initConfig, data, source); err != nil {
- return err
- }
-
- return err
-}
-
-func fhFactory() check.Check {
- return &fhCheck{
- CheckBase: core.NewCheckBase(fileHandlesCheckName),
- }
-}
-
-func init() {
- core.RegisterCheck(fileHandlesCheckName, fhFactory)
-}
+const openfilesOID = "kern.openfiles"
diff --git a/pkg/collector/corechecks/system/filehandles/file_handles_freebsd_test.go b/pkg/collector/corechecks/system/filehandles/file_handles_freebsd_test.go
deleted file mode 100644
index 04182e34b94f1..0000000000000
--- a/pkg/collector/corechecks/system/filehandles/file_handles_freebsd_test.go
+++ /dev/null
@@ -1,39 +0,0 @@
-// Unless explicitly stated otherwise all files in this repository are licensed
-// under the Apache License Version 2.0.
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016-present Datadog, Inc.
-//go:build freebsd
-
-package filehandles
-
-import (
- "testing"
-
- "github.com/DataDog/datadog-agent/pkg/aggregator"
- "github.com/DataDog/datadog-agent/pkg/aggregator/mocksender"
- "github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
-)
-
-func GetInt64(name string) (value int64, err error) {
- value = 65534
- err = nil
- return
-}
-
-func TestFhCheckFreeBSD(t *testing.T) {
- getInt64 = GetInt64
-
- fileHandleCheck := new(fhCheck)
- fileHandleCheck.Configure(aggregator.NewNoOpSenderManager(), integration.FakeConfigHash, nil, nil, "test")
-
- mock := mocksender.NewMockSender(fileHandleCheck.ID())
-
- mock.On("Gauge", "system.fs.file_handles.used", 421, "", []string(nil)).Return().Times(1)
- mock.On("Gauge", "system.fs.file_handles.max", 65534, "", []string(nil)).Return().Times(1)
- mock.On("Commit").Return().Times(1)
- fileHandleCheck.Run()
-
- mock.AssertExpectations(t)
- mock.AssertNumberOfCalls(t, "Gauge", 2)
- mock.AssertNumberOfCalls(t, "Commit", 1)
-}
diff --git a/pkg/collector/corechecks/system/filehandles/file_handles_test.go b/pkg/collector/corechecks/system/filehandles/file_handles_test.go
index 4db2d94133fdf..ab8dd2fa57935 100644
--- a/pkg/collector/corechecks/system/filehandles/file_handles_test.go
+++ b/pkg/collector/corechecks/system/filehandles/file_handles_test.go
@@ -2,7 +2,7 @@
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
-//go:build !windows
+//go:build !windows && !freebsd && !darwin
package filehandles
diff --git a/pkg/collector/corechecks/system/filehandles/file_handles_windows.go b/pkg/collector/corechecks/system/filehandles/file_handles_windows.go
index 022b4266625bb..68028ff2ec7cc 100644
--- a/pkg/collector/corechecks/system/filehandles/file_handles_windows.go
+++ b/pkg/collector/corechecks/system/filehandles/file_handles_windows.go
@@ -11,7 +11,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
"github.com/DataDog/datadog-agent/pkg/collector/check"
core "github.com/DataDog/datadog-agent/pkg/collector/corechecks"
- "github.com/DataDog/datadog-agent/pkg/util/winutil/pdhutil"
+ "github.com/DataDog/datadog-agent/pkg/util/pdhutil"
)
const fileHandlesCheckName = "file_handle"
diff --git a/pkg/collector/corechecks/system/filehandles/file_handles_windows_test.go b/pkg/collector/corechecks/system/filehandles/file_handles_windows_test.go
index aabeead694568..6f338f31425a1 100644
--- a/pkg/collector/corechecks/system/filehandles/file_handles_windows_test.go
+++ b/pkg/collector/corechecks/system/filehandles/file_handles_windows_test.go
@@ -11,7 +11,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/aggregator/mocksender"
"github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
- pdhtest "github.com/DataDog/datadog-agent/pkg/util/winutil/pdhutil"
+ pdhtest "github.com/DataDog/datadog-agent/pkg/util/pdhutil"
)
func TestFhCheckWindows(t *testing.T) {
diff --git a/pkg/collector/corechecks/system/memory/memory_windows.go b/pkg/collector/corechecks/system/memory/memory_windows.go
index c8a74604af0a4..fc36d3279d38c 100644
--- a/pkg/collector/corechecks/system/memory/memory_windows.go
+++ b/pkg/collector/corechecks/system/memory/memory_windows.go
@@ -11,8 +11,8 @@ import (
"github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
core "github.com/DataDog/datadog-agent/pkg/collector/corechecks"
+ "github.com/DataDog/datadog-agent/pkg/util/pdhutil"
"github.com/DataDog/datadog-agent/pkg/util/winutil"
- "github.com/DataDog/datadog-agent/pkg/util/winutil/pdhutil"
)
// For testing purpose
diff --git a/pkg/collector/corechecks/system/memory/memory_windows_test.go b/pkg/collector/corechecks/system/memory/memory_windows_test.go
index db457ad58abdf..7c40e403e0448 100644
--- a/pkg/collector/corechecks/system/memory/memory_windows_test.go
+++ b/pkg/collector/corechecks/system/memory/memory_windows_test.go
@@ -14,8 +14,8 @@ import (
"github.com/DataDog/datadog-agent/pkg/aggregator/mocksender"
"github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
+ pdhtest "github.com/DataDog/datadog-agent/pkg/util/pdhutil"
"github.com/DataDog/datadog-agent/pkg/util/winutil"
- pdhtest "github.com/DataDog/datadog-agent/pkg/util/winutil/pdhutil"
)
func VirtualMemory() (*winutil.VirtualMemoryStat, error) {
diff --git a/pkg/collector/corechecks/system/wincrashdetect/wincrashdetect.go b/pkg/collector/corechecks/system/wincrashdetect/wincrashdetect.go
index 664f3d1eadd98..f0451db62f855 100644
--- a/pkg/collector/corechecks/system/wincrashdetect/wincrashdetect.go
+++ b/pkg/collector/corechecks/system/wincrashdetect/wincrashdetect.go
@@ -11,16 +11,17 @@ package wincrashdetect
import (
"fmt"
+ "golang.org/x/sys/windows/registry"
+ yaml "gopkg.in/yaml.v2"
+
"github.com/DataDog/datadog-agent/pkg/aggregator/sender"
"github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
"github.com/DataDog/datadog-agent/pkg/collector/check"
core "github.com/DataDog/datadog-agent/pkg/collector/corechecks"
"github.com/DataDog/datadog-agent/pkg/collector/corechecks/system/wincrashdetect/probe"
"github.com/DataDog/datadog-agent/pkg/metrics/event"
+ "github.com/DataDog/datadog-agent/pkg/util/crashreport"
"github.com/DataDog/datadog-agent/pkg/util/log"
- "github.com/DataDog/datadog-agent/pkg/util/winutil/crashreport"
- "golang.org/x/sys/windows/registry"
- yaml "gopkg.in/yaml.v2"
)
const (
diff --git a/pkg/collector/corechecks/system/winproc/winproc_windows.go b/pkg/collector/corechecks/system/winproc/winproc_windows.go
index 4896491707317..d4ca2b29c0163 100644
--- a/pkg/collector/corechecks/system/winproc/winproc_windows.go
+++ b/pkg/collector/corechecks/system/winproc/winproc_windows.go
@@ -11,7 +11,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
"github.com/DataDog/datadog-agent/pkg/collector/check"
core "github.com/DataDog/datadog-agent/pkg/collector/corechecks"
- "github.com/DataDog/datadog-agent/pkg/util/winutil/pdhutil"
+ "github.com/DataDog/datadog-agent/pkg/util/pdhutil"
)
const winprocCheckName = "winproc"
diff --git a/pkg/collector/corechecks/system/winproc/winproc_windows_test.go b/pkg/collector/corechecks/system/winproc/winproc_windows_test.go
index ad59684ed36a9..adf8cda4654a7 100644
--- a/pkg/collector/corechecks/system/winproc/winproc_windows_test.go
+++ b/pkg/collector/corechecks/system/winproc/winproc_windows_test.go
@@ -11,7 +11,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/aggregator/mocksender"
"github.com/DataDog/datadog-agent/pkg/autodiscovery/integration"
- pdhtest "github.com/DataDog/datadog-agent/pkg/util/winutil/pdhutil"
+ pdhtest "github.com/DataDog/datadog-agent/pkg/util/pdhutil"
)
func TestWinprocCheckWindows(t *testing.T) {
diff --git a/pkg/compliance/reporter.go b/pkg/compliance/reporter.go
index 5fa58073af8a9..5967810ca9de1 100644
--- a/pkg/compliance/reporter.go
+++ b/pkg/compliance/reporter.go
@@ -6,7 +6,6 @@
package compliance
import (
- "context"
"encoding/json"
"fmt"
"strings"
@@ -23,13 +22,13 @@ import (
"github.com/DataDog/datadog-agent/pkg/logs/sources"
"github.com/DataDog/datadog-agent/pkg/security/common"
"github.com/DataDog/datadog-agent/pkg/status/health"
- "github.com/DataDog/datadog-agent/pkg/util/hostname"
"github.com/DataDog/datadog-agent/pkg/util/log"
"github.com/DataDog/datadog-agent/pkg/util/startstop"
)
// LogReporter is responsible for sending compliance logs to DataDog backends.
type LogReporter struct {
+ hostname string
logSource *sources.LogSource
logChan chan *message.Message
endpoints *config.Endpoints
@@ -37,11 +36,7 @@ type LogReporter struct {
}
// NewLogReporter instantiates a new log LogReporter
-func NewLogReporter(stopper startstop.Stopper, sourceName, sourceType, runPath string, endpoints *config.Endpoints, dstcontext *client.DestinationsContext) (*LogReporter, error) {
- hostname, err := hostname.Get(context.Background())
- if err != nil || hostname == "" {
- hostname = "unknown"
- }
+func NewLogReporter(hostname string, stopper startstop.Stopper, sourceName, sourceType, runPath string, endpoints *config.Endpoints, dstcontext *client.DestinationsContext) (*LogReporter, error) {
health := health.RegisterLiveness(sourceType)
// setup the auditor
@@ -79,6 +74,7 @@ func NewLogReporter(stopper startstop.Stopper, sourceName, sourceType, runPath s
}
return &LogReporter{
+ hostname: hostname,
logSource: logSource,
logChan: logChan,
endpoints: endpoints,
@@ -101,5 +97,6 @@ func (r *LogReporter) ReportEvent(event interface{}) {
origin := message.NewOrigin(r.logSource)
origin.SetTags(r.tags)
msg := message.NewMessage(buf, origin, message.StatusInfo, time.Now().UnixNano())
+ msg.Hostname = r.hostname
r.logChan <- msg
}
diff --git a/pkg/config/config.go b/pkg/config/config.go
index c35d180acd707..2bc47036604d6 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -7,7 +7,6 @@
package config
import (
- "bytes"
"context"
"encoding/json"
"errors"
@@ -245,7 +244,7 @@ func InitConfig(config Config) {
config.BindEnvAndSetDefault("syslog_pem", "")
config.BindEnvAndSetDefault("syslog_key", "")
config.BindEnvAndSetDefault("syslog_tls_verify", true)
- config.BindEnvAndSetDefault("cmd_host", "localhost")
+ config.BindEnvAndSetDefault("ipc_address", "localhost")
config.BindEnvAndSetDefault("cmd_port", 5001)
config.BindEnvAndSetDefault("default_integration_http_timeout", 9)
config.BindEnvAndSetDefault("integration_tracing", false)
@@ -257,7 +256,6 @@ func InitConfig(config Config) {
config.BindEnvAndSetDefault("check_runners", int64(4))
config.BindEnvAndSetDefault("auth_token_file_path", "")
config.BindEnv("bind_host")
- config.BindEnvAndSetDefault("ipc_address", "localhost")
config.BindEnvAndSetDefault("health_port", int64(0))
config.BindEnvAndSetDefault("disable_py3_validation", false)
config.BindEnvAndSetDefault("python_version", DefaultPython)
@@ -1775,14 +1773,17 @@ func ResolveSecrets(config Config, secretResolver secrets.Component, origin stri
return fmt.Errorf("unable to marshal configuration to YAML to decrypt secrets: %v", err)
}
- finalYamlConf, err := secretResolver.Decrypt(yamlConf, origin)
+ err = secretResolver.ResolveWithCallback(
+ yamlConf,
+ origin,
+ func(yamlPath []string, value any) {
+ settingName := strings.Join(yamlPath, ".")
+ log.Debugf("replacing handle for setting '%s' with secret value", settingName)
+ config.Set(settingName, value, pkgconfigmodel.SourceAgentRuntime)
+ })
if err != nil {
return fmt.Errorf("unable to decrypt secret from datadog.yaml: %v", err)
}
- r := bytes.NewReader(finalYamlConf)
- if err = config.MergeConfigOverride(r); err != nil {
- return fmt.Errorf("could not update main configuration after decrypting secrets: %v", err)
- }
}
return nil
}
diff --git a/pkg/config/config_secret_test.go b/pkg/config/config_secret_test.go
index e178d662f36fa..d010371076b2c 100644
--- a/pkg/config/config_secret_test.go
+++ b/pkg/config/config_secret_test.go
@@ -28,10 +28,9 @@ func TestProxyWithSecret(t *testing.T) {
{
name: "secrets from configuration for proxy",
setup: func(t *testing.T, config Config, resolver *secretsimpl.MockSecretResolver) {
- resolver.Inject("http_handle", "http_url")
- resolver.Inject("https_handle", "https_url")
- resolver.Inject("no_proxy_1_handle", "no_proxy_1")
- resolver.Inject("no_proxy_2_handle", "no_proxy_2")
+ resolver.InjectCallback([]string{"proxy", "http"}, "http_url")
+ resolver.InjectCallback([]string{"proxy", "https"}, "https_url")
+ resolver.InjectCallback([]string{"proxy", "no_proxy"}, []string{"no_proxy_1", "no_proxy_2"})
config.SetWithoutSource("secret_backend_command", "some_command")
config.SetWithoutSource("proxy.http", "ENC[http_handle]")
@@ -51,10 +50,9 @@ func TestProxyWithSecret(t *testing.T) {
{
name: "secrets fron DD env vars for proxy",
setup: func(t *testing.T, config Config, resolver *secretsimpl.MockSecretResolver) {
- resolver.Inject("http_handle", "http_url")
- resolver.Inject("https_handle", "https_url")
- resolver.Inject("no_proxy_1_handle", "no_proxy_1")
- resolver.Inject("no_proxy_2_handle", "no_proxy_2")
+ resolver.InjectCallback([]string{"proxy", "http"}, "http_url")
+ resolver.InjectCallback([]string{"proxy", "https"}, "https_url")
+ resolver.InjectCallback([]string{"proxy", "no_proxy"}, []string{"no_proxy_1", "no_proxy_2"})
config.SetWithoutSource("secret_backend_command", "some_command")
t.Setenv("DD_PROXY_HTTP", "ENC[http_handle]")
@@ -74,10 +72,9 @@ func TestProxyWithSecret(t *testing.T) {
{
name: "secrets fron UNIX env vars for proxy",
setup: func(t *testing.T, config Config, resolver *secretsimpl.MockSecretResolver) {
- resolver.Inject("http_handle", "http_url")
- resolver.Inject("https_handle", "https_url")
- resolver.Inject("no_proxy_1_handle", "no_proxy_1")
- resolver.Inject("no_proxy_2_handle", "no_proxy_2")
+ resolver.InjectCallback([]string{"proxy", "http"}, "http_url")
+ resolver.InjectCallback([]string{"proxy", "https"}, "https_url")
+ resolver.InjectCallback([]string{"proxy", "no_proxy"}, []string{"no_proxy_1", "no_proxy_2"})
config.SetWithoutSource("secret_backend_command", "some_command")
t.Setenv("HTTP_PROXY", "ENC[http_handle]")
diff --git a/pkg/config/remote/service/service.go b/pkg/config/remote/service/service.go
index a8d5b08d36c59..dfbf79feaa9b7 100644
--- a/pkg/config/remote/service/service.go
+++ b/pkg/config/remote/service/service.go
@@ -270,7 +270,7 @@ func newRCBackendOrgUUIDProvider(http api.API) uptane.OrgUUIDProvider {
}
// Start the remote configuration management service
-func (s *Service) Start(ctx context.Context) error {
+func (s *Service) Start(ctx context.Context) {
ctx, cancel := context.WithCancel(ctx)
s.cancel = cancel
go func() {
@@ -324,7 +324,6 @@ func (s *Service) Start(ctx context.Context) error {
}
}
}()
- return nil
}
func (s *Service) Stop() error {
diff --git a/pkg/config/system_probe_cws.go b/pkg/config/system_probe_cws.go
index fb89071e50d07..c98e08302a9b5 100644
--- a/pkg/config/system_probe_cws.go
+++ b/pkg/config/system_probe_cws.go
@@ -42,7 +42,7 @@ func initCWSSystemProbeConfig(cfg Config) {
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.traced_cgroups_count", 5)
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.traced_event_types", []string{"exec", "open", "dns"})
cfg.BindEnv("runtime_security_config.activity_dump.cgroup_dump_timeout") // deprecated in favor of dump_duration
- cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.dump_duration", "1800s")
+ cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.dump_duration", "900s")
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.rate_limiter", 500)
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.cgroup_wait_list_timeout", "4500s")
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.cgroup_differentiate_args", false)
@@ -55,7 +55,6 @@ func initCWSSystemProbeConfig(cfg Config) {
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.tag_rules.enabled", true)
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.silent_workloads.delay", "10s")
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.silent_workloads.ticker", "10s")
- cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.auto_suppression.enabled", false)
cfg.BindEnvAndSetDefault("runtime_security_config.activity_dump.workload_deny_list", []string{})
// CWS - SBOM
@@ -70,20 +69,22 @@ func initCWSSystemProbeConfig(cfg Config) {
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.max_count", 400)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.remote_configuration.enabled", false)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.dns_match_max_depth", 3)
+ cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.auto_suppression.enabled", true)
// CWS - Anomaly detection
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.event_types", []string{"exec", "dns"})
- cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.default_minimum_stable_period", "48h")
- cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.minimum_stable_period.exec", "48h")
- cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.minimum_stable_period.dns", "96h")
+ cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.default_minimum_stable_period", "900s")
+ cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.minimum_stable_period.exec", "900s")
+ cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.minimum_stable_period.dns", "900s")
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.workload_warmup_period", "180s")
- cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.unstable_profile_time_threshold", "120h")
+ cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.unstable_profile_time_threshold", "1h")
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.unstable_profile_size_threshold", 5000000)
- cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.rate_limiter.period", "1s")
- cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.rate_limiter.num_keys", 400)
- cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.rate_limiter.num_events_allowed", 100)
+ cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.rate_limiter.period", "5m")
+ cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.rate_limiter.num_keys", 1000)
+ cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.rate_limiter.num_events_allowed", 20)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.tag_rules.enabled", true)
cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.silent_rule_events.enabled", false)
+ cfg.BindEnvAndSetDefault("runtime_security_config.security_profile.anomaly_detection.enabled", false)
// CWS - Hash algorithms
cfg.BindEnvAndSetDefault("runtime_security_config.hash_resolver.enabled", true)
@@ -96,4 +97,8 @@ func initCWSSystemProbeConfig(cfg Config) {
// CWS - UserSessions
cfg.BindEnvAndSetDefault("runtime_security_config.user_sessions.cache_size", 1024)
+
+ // CWS -eBPF Less
+ cfg.BindEnvAndSetDefault("runtime_security_config.ebpfless.enabled", false)
+ cfg.BindEnvAndSetDefault("runtime_security_config.ebpfless.socket", "localhost:5678")
}
diff --git a/pkg/ebpf/btf.go b/pkg/ebpf/btf.go
index a64c73a1c9cc1..445ec9b5a9364 100644
--- a/pkg/ebpf/btf.go
+++ b/pkg/ebpf/btf.go
@@ -240,7 +240,7 @@ func (b *orderedBTFLoader) getEmbeddedBTF(platform, platformVersion, kernelVersi
for _, kvp := range kernelVersionPatterns {
if kvp.pattern.MatchString(kernelVersion) {
// remove possible paths that do not match possible platforms
- slices.DeleteFunc(possiblePaths, func(s string) bool {
+ possiblePaths = slices.DeleteFunc(possiblePaths, func(s string) bool {
pform := strings.Split(s, string(os.PathSeparator))[0]
return !slices.Contains(kvp.platforms, pform)
})
diff --git a/pkg/ebpf/btf_test.go b/pkg/ebpf/btf_test.go
index 9853dbaf6bcf9..cc593fa305270 100644
--- a/pkg/ebpf/btf_test.go
+++ b/pkg/ebpf/btf_test.go
@@ -40,6 +40,8 @@ func TestEmbeddedBTFMatch(t *testing.T) {
{"ubuntu", "22.04", "5.4.0-80-generic", "", true},
// non-existent kernel version
{"ubuntu", "22.04", "15.0", "", true},
+ // kernel is in testdata for centos, and fakecentos, so multiple matches, but platform filter
+ {"redhat", "7", "3.10.0-1062.0.0.0.1.el7.x86_64", "centos/3.10.0-1062.0.0.0.1.el7.x86_64.btf.tar.xz", false},
}
for i, test := range tests {
diff --git a/pkg/ebpf/co_re.go b/pkg/ebpf/co_re.go
index 6901ec0c179da..95cef42d7db89 100644
--- a/pkg/ebpf/co_re.go
+++ b/pkg/ebpf/co_re.go
@@ -61,6 +61,7 @@ func (c *coreAssetLoader) loadCOREAsset(filename string, startFn func(bytecode.A
VerifierOptions: bpflib.CollectionOptions{
Programs: bpflib.ProgramOptions{
KernelTypes: btfData,
+ LogSize: 10 * 1024 * 1024,
},
},
}
diff --git a/pkg/ebpf/map_cleaner.go b/pkg/ebpf/map_cleaner.go
index 54e0c6a57bbb4..38e5e117c39c2 100644
--- a/pkg/ebpf/map_cleaner.go
+++ b/pkg/ebpf/map_cleaner.go
@@ -8,34 +8,24 @@
package ebpf
import (
- "bytes"
- "encoding"
- "encoding/binary"
- "errors"
- "fmt"
- "reflect"
"sync"
"time"
"unsafe"
cebpf "github.com/cilium/ebpf"
+ "github.com/DataDog/datadog-agent/pkg/util/kernel"
"github.com/DataDog/datadog-agent/pkg/util/log"
- "github.com/DataDog/datadog-agent/pkg/util/native"
)
// MapCleaner is responsible for periodically sweeping an eBPF map
// and deleting entries that satisfy a certain predicate function supplied by the user
-type MapCleaner struct {
- emap *cebpf.Map
- key interface{}
- val interface{}
- once sync.Once
+type MapCleaner[K any, V any] struct {
+ emap *cebpf.Map
+ keyBatch []K
+ valuesBatch []V
- // we resort to unsafe.Pointers because by doing so the underlying eBPF
- // library avoids marshaling the key/value variables while traversing the map
- keyPtr unsafe.Pointer
- valPtr unsafe.Pointer
+ once sync.Once
// termination
stopOnce sync.Once
@@ -43,38 +33,44 @@ type MapCleaner struct {
}
// NewMapCleaner instantiates a new MapCleaner
-func NewMapCleaner(emap *cebpf.Map, key, val interface{}) (*MapCleaner, error) {
- // we force types to be of pointer kind because of the reasons mentioned above
- if reflect.ValueOf(key).Kind() != reflect.Ptr {
- return nil, fmt.Errorf("%T is not a pointer kind", key)
+func NewMapCleaner[K any, V any](emap *cebpf.Map, defaultBatchSize uint32) (*MapCleaner[K, V], error) {
+ batchSize := defaultBatchSize
+ if defaultBatchSize > emap.MaxEntries() {
+ batchSize = emap.MaxEntries()
}
- if reflect.ValueOf(val).Kind() != reflect.Ptr {
- return nil, fmt.Errorf("%T is not a pointer kind", val)
+ if batchSize == 0 {
+ batchSize = 1
}
- return &MapCleaner{
- emap: emap,
- key: key,
- val: val,
- keyPtr: unsafe.Pointer(reflect.ValueOf(key).Elem().Addr().Pointer()),
- valPtr: unsafe.Pointer(reflect.ValueOf(val).Elem().Addr().Pointer()),
- done: make(chan struct{}),
+ return &MapCleaner[K, V]{
+ emap: emap,
+ keyBatch: make([]K, batchSize),
+ valuesBatch: make([]V, batchSize),
+ done: make(chan struct{}),
}, nil
}
// Clean eBPF map
// `interval` determines how often the eBPF map is scanned;
-// `shouldClean` is a predicate method that determines whether or not a certain
+// `shouldClean` is a predicate method that determines whether a certain
// map entry should be deleted. the callback argument `nowTS` can be directly
// compared to timestamps generated using the `bpf_ktime_get_ns()` helper;
// `preClean` callback (optional, can pass nil) is invoked before the map is scanned; if it returns false,
// the map is not scanned; this can be used to synchronize with other maps, or preform preliminary checks.
// `postClean` callback (optional, can pass nil) is invoked after the map is scanned, to allow resource cleanup.
-func (mc *MapCleaner) Clean(interval time.Duration, preClean func() bool, postClean func(), shouldClean func(nowTS int64, k, v interface{}) bool) {
+func (mc *MapCleaner[K, V]) Clean(interval time.Duration, preClean func() bool, postClean func(), shouldClean func(nowTS int64, k K, v V) bool) {
if mc == nil {
return
}
+ // Since kernel 5.6, the eBPF library supports batch operations on maps, which reduces the number of syscalls
+ // required to clean the map. We use the new batch operations if the kernel version is >= 5.6, and fallback to
+ // the old method otherwise. The new API is also more efficient because it minimizes the number of allocations.
+ cleaner := mc.cleanWithoutBatches
+ if version, err := kernel.HostVersion(); err == nil && version >= kernel.VersionCode(5, 6, 0) {
+ cleaner = mc.cleanWithBatches
+ }
+
mc.once.Do(func() {
ticker := time.NewTicker(interval)
go func() {
@@ -91,7 +87,7 @@ func (mc *MapCleaner) Clean(interval time.Duration, preClean func() bool, postCl
if preClean != nil && !preClean() {
continue
}
- mc.clean(now, shouldClean)
+ cleaner(now, shouldClean)
// Allowing cleanup after the cleanup.
if postClean != nil {
postClean()
@@ -105,7 +101,7 @@ func (mc *MapCleaner) Clean(interval time.Duration, preClean func() bool, postCl
}
// Stop stops the map cleaner
-func (mc *MapCleaner) Stop() {
+func (mc *MapCleaner[K, V]) Stop() {
if mc == nil {
return
}
@@ -117,85 +113,81 @@ func (mc *MapCleaner) Stop() {
})
}
-func (mc *MapCleaner) clean(nowTS int64, shouldClean func(nowTS int64, k, v interface{}) bool) {
- keySize := int(mc.emap.KeySize())
- keysToDelete := make([][]byte, 0, 128)
- totalCount, deletedCount := 0, 0
+func (mc *MapCleaner[K, V]) cleanWithBatches(nowTS int64, shouldClean func(nowTS int64, k K, v V) bool) {
now := time.Now()
- entries := mc.emap.Iterate()
- for entries.Next(mc.keyPtr, mc.valPtr) {
- totalCount++
-
- if !shouldClean(nowTS, mc.key, mc.val) {
- continue
+ var keysToDelete []K
+ totalCount, deletedCount := 0, 0
+ var next K
+ var n int
+ for {
+ n, _ = mc.emap.BatchLookup(next, &next, mc.keyBatch, mc.valuesBatch, nil)
+ if n == 0 {
+ break
}
- marshalledKey, err := marshalBytes(mc.key, keySize)
- if err != nil {
- continue
+ totalCount += n
+ for i := 0; i < n; i++ {
+ if !shouldClean(nowTS, mc.keyBatch[i], mc.valuesBatch[i]) {
+ continue
+ }
+ keysToDelete = append(keysToDelete, mc.keyBatch[i])
}
- // we accumulate alll keys to delete because it isn't safe to delete map
- // entries during the traversal. the main downside of doing so is that all
- // fields from the key type must be exported in order to be marshaled (unless
- // the key type implements the `encoding.BinaryMarshaler` interface)
- keysToDelete = append(keysToDelete, marshalledKey)
+ // Just a safety check to avoid an infinite loop.
+ if totalCount >= int(mc.emap.MaxEntries()) {
+ break
+ }
}
-
- for _, key := range keysToDelete {
- err := mc.emap.Delete(key)
- if err == nil {
- deletedCount++
+ if len(keysToDelete) > 0 {
+ count, err := mc.emap.BatchDelete(keysToDelete, nil)
+ if err != nil {
+ log.Debugf("failed to delete map entries: %v", err)
+ return
}
+ deletedCount += count
}
- iterationErr := entries.Err()
elapsed := time.Since(now)
log.Debugf(
- "finished cleaning map=%s entries_checked=%d entries_deleted=%d iteration_error=%v elapsed=%s",
+ "finished cleaning map=%s entries_checked=%d entries_deleted=%d elapsed=%s",
mc.emap,
totalCount,
deletedCount,
- iterationErr,
elapsed,
)
}
-// marshalBytes converts an arbitrary value into a byte buffer.
-//
-// Returns an error if the given value isn't representable in exactly
-// length bytes.
-//
-// copied from: https://github.com/cilium/ebpf/blob/master/marshalers.go
-func marshalBytes(data interface{}, length int) (buf []byte, err error) {
- if data == nil {
- return nil, errors.New("can't marshal a nil value")
- }
+func (mc *MapCleaner[K, V]) cleanWithoutBatches(nowTS int64, shouldClean func(nowTS int64, k K, v V) bool) {
+ now := time.Now()
- switch value := data.(type) {
- case encoding.BinaryMarshaler:
- buf, err = value.MarshalBinary()
- case string:
- buf = []byte(value)
- case []byte:
- buf = value
- case unsafe.Pointer:
- err = errors.New("can't marshal from unsafe.Pointer")
- default:
- var wr bytes.Buffer
- err = binary.Write(&wr, native.Endian, value)
- if err != nil {
- err = fmt.Errorf("encoding %T: %v", value, err)
+ var keysToDelete []K
+ totalCount, deletedCount := 0, 0
+
+ entries := mc.emap.Iterate()
+ // we resort to unsafe.Pointers because by doing so the underlying eBPF
+ // library avoids marshaling the key/value variables while traversing the map
+ for entries.Next(unsafe.Pointer(&mc.keyBatch[0]), unsafe.Pointer(&mc.valuesBatch[0])) {
+ totalCount++
+ if !shouldClean(nowTS, mc.keyBatch[0], mc.valuesBatch[0]) {
+ continue
}
- buf = wr.Bytes()
- }
- if err != nil {
- return nil, err
+ keysToDelete = append(keysToDelete, mc.keyBatch[0])
}
- if len(buf) != length {
- return nil, fmt.Errorf("%T doesn't marshal to %d bytes", data, length)
+ for _, key := range keysToDelete {
+ err := mc.emap.Delete(unsafe.Pointer(&key))
+ if err == nil {
+ deletedCount++
+ }
}
- return buf, nil
+
+ elapsed := time.Since(now)
+ log.Debugf(
+ "finished cleaning map=%s entries_checked=%d entries_deleted=%d elapsed=%s",
+ mc.emap,
+ totalCount,
+ deletedCount,
+ elapsed,
+ )
}
diff --git a/pkg/ebpf/map_cleaner_test.go b/pkg/ebpf/map_cleaner_test.go
index b123789f042da..45fc6be3eb83d 100644
--- a/pkg/ebpf/map_cleaner_test.go
+++ b/pkg/ebpf/map_cleaner_test.go
@@ -8,15 +8,28 @@
package ebpf
import (
+ "os"
"testing"
"time"
+ "github.com/cihub/seelog"
cebpf "github.com/cilium/ebpf"
"github.com/cilium/ebpf/rlimit"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
+
+ "github.com/DataDog/datadog-agent/pkg/util/log"
)
+func TestMain(m *testing.M) {
+ logLevel := os.Getenv("DD_LOG_LEVEL")
+ if logLevel == "" {
+ logLevel = "warn"
+ }
+ log.SetupLogger(seelog.Default, logLevel)
+ os.Exit(m.Run())
+}
+
func TestMapCleaner(t *testing.T) {
const numMapEntries = 100
@@ -36,7 +49,7 @@ func TestMapCleaner(t *testing.T) {
})
require.NoError(t, err)
- cleaner, err := NewMapCleaner(m, key, val)
+ cleaner, err := NewMapCleaner[int64, int64](m, 10)
require.NoError(t, err)
for i := 0; i < numMapEntries; i++ {
*key = int64(i)
@@ -45,9 +58,8 @@ func TestMapCleaner(t *testing.T) {
}
// Clean all the even entries
- cleaner.Clean(100*time.Millisecond, nil, nil, func(now int64, k, v interface{}) bool {
- key := k.(*int64)
- return *key%2 == 0
+ cleaner.Clean(100*time.Millisecond, nil, nil, func(now int64, k int64, v int64) bool {
+ return k%2 == 0
})
time.Sleep(1 * time.Second)
@@ -66,3 +78,94 @@ func TestMapCleaner(t *testing.T) {
}
}
}
+
+func benchmarkBatchCleaner(b *testing.B, numMapEntries, batchSize uint32) {
+ var (
+ key = new(int64)
+ val = new(int64)
+ )
+
+ err := rlimit.RemoveMemlock()
+ require.NoError(b, err)
+
+ m, err := cebpf.NewMap(&cebpf.MapSpec{
+ Type: cebpf.Hash,
+ KeySize: 8,
+ ValueSize: 8,
+ MaxEntries: numMapEntries,
+ })
+ require.NoError(b, err)
+
+ cleaner, err := NewMapCleaner[int64, int64](m, batchSize)
+ require.NoError(b, err)
+
+ b.ReportAllocs()
+ b.ResetTimer()
+
+ for i := 0; i < b.N; i++ {
+ for i := uint32(0); i < numMapEntries; i++ {
+ *key = int64(i)
+ err := m.Put(key, val)
+ assert.Nilf(b, err, "can't put key=%d: %s", i, err)
+ }
+
+ // Clean all the even entries
+ if batchSize == 0 {
+ cleaner.cleanWithoutBatches(0, func(now int64, k int64, v int64) bool {
+ return k%2 == 0
+ })
+ } else {
+ cleaner.cleanWithBatches(0, func(now int64, k int64, v int64) bool {
+ return k%2 == 0
+ })
+ }
+ for i := uint32(0); i < numMapEntries; i++ {
+ *key = int64(i)
+ err := m.Lookup(key, val)
+
+ // If the entry is even, it should have been deleted
+ // otherwise it should be present
+ if i%2 == 0 {
+ assert.NotNilf(b, err, "entry key=%d should not be present", i)
+ } else {
+ assert.Nil(b, err)
+ }
+ }
+ }
+}
+
+func BenchmarkBatchCleaner1000Entries10PerBatch(b *testing.B) {
+ benchmarkBatchCleaner(b, 1000, 10)
+}
+
+func BenchmarkBatchCleaner1000Entries100PerBatch(b *testing.B) {
+ benchmarkBatchCleaner(b, 1000, 100)
+}
+
+func BenchmarkBatchCleaner10000Entries100PerBatch(b *testing.B) {
+ benchmarkBatchCleaner(b, 10000, 100)
+}
+
+func BenchmarkBatchCleaner10000Entries1000PerBatch(b *testing.B) {
+ benchmarkBatchCleaner(b, 10000, 1000)
+}
+
+func BenchmarkBatchCleaner100000Entries100PerBatch(b *testing.B) {
+ benchmarkBatchCleaner(b, 100000, 100)
+}
+
+func BenchmarkBatchCleaner100000Entries1000PerBatch(b *testing.B) {
+ benchmarkBatchCleaner(b, 100000, 1000)
+}
+
+func BenchmarkCleaner1000Entries(b *testing.B) {
+ benchmarkBatchCleaner(b, 1000, 0)
+}
+
+func BenchmarkCleaner10000Entries(b *testing.B) {
+ benchmarkBatchCleaner(b, 10000, 0)
+}
+
+func BenchmarkCleaner100000Entries(b *testing.B) {
+ benchmarkBatchCleaner(b, 100000, 0)
+}
diff --git a/pkg/ebpf/testdata/minimized-btfs.tar.xz b/pkg/ebpf/testdata/minimized-btfs.tar.xz
index 9602bb999f0ba..e9b983951044c 100644
Binary files a/pkg/ebpf/testdata/minimized-btfs.tar.xz and b/pkg/ebpf/testdata/minimized-btfs.tar.xz differ
diff --git a/pkg/gohai/go.mod b/pkg/gohai/go.mod
index f2dde927a9581..335e0dc5c5543 100644
--- a/pkg/gohai/go.mod
+++ b/pkg/gohai/go.mod
@@ -10,7 +10,7 @@ require (
github.com/moby/sys/mountinfo v0.7.1
github.com/shirou/gopsutil/v3 v3.23.10
github.com/stretchr/testify v1.8.4
- golang.org/x/sys v0.13.0
+ golang.org/x/sys v0.15.0
)
require (
diff --git a/pkg/gohai/go.sum b/pkg/gohai/go.sum
index ee59609ae21dd..1a1044c839089 100644
--- a/pkg/gohai/go.sum
+++ b/pkg/gohai/go.sum
@@ -57,8 +57,9 @@ golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
diff --git a/pkg/jmxfetch/jmxfetch.go b/pkg/jmxfetch/jmxfetch.go
index 8949f4d10f812..798831882d7c2 100644
--- a/pkg/jmxfetch/jmxfetch.go
+++ b/pkg/jmxfetch/jmxfetch.go
@@ -268,7 +268,10 @@ func (j *JMXFetch) Start(manage bool) error {
jmxLogLevel = "INFO"
}
- ipcHost := config.Datadog.GetString("cmd_host")
+ ipcHost, err := config.GetIPCAddress()
+ if err != nil {
+ return err
+ }
ipcPort := config.Datadog.GetInt("cmd_port")
if j.IPCHost != "" {
ipcHost = j.IPCHost
diff --git a/pkg/logs/message/message.go b/pkg/logs/message/message.go
index bfe1179980884..67e30ac80f7b1 100644
--- a/pkg/logs/message/message.go
+++ b/pkg/logs/message/message.go
@@ -31,6 +31,7 @@ type Payload struct {
// Message represents a log line sent to datadog, with its metadata
type Message struct {
MessageContent
+ Hostname string
Origin *Origin
Status string
IngestionTimestamp int64
@@ -307,6 +308,10 @@ func (m *Message) GetLatency() int64 {
// GetHostname returns the hostname to applied the given log message
func (m *Message) GetHostname() string {
+ if m.Hostname != "" {
+ return m.Hostname
+ }
+
if m.Lambda != nil {
return m.Lambda.ARN
}
diff --git a/pkg/network/ebpf/c/protocols/classification/defs.h b/pkg/network/ebpf/c/protocols/classification/defs.h
index a93942a2f1432..8f56a739783d1 100644
--- a/pkg/network/ebpf/c/protocols/classification/defs.h
+++ b/pkg/network/ebpf/c/protocols/classification/defs.h
@@ -34,6 +34,8 @@
#define FLAG_NPM_ENABLED 1 << 2
#define FLAG_TCP_CLOSE_DELETION 1 << 3
#define FLAG_SOCKET_FILTER_DELETION 1 << 4
+#define FLAG_SERVER_SIDE 1 << 5
+#define FLAG_CLIENT_SIDE 1 << 6
// The enum below represents all different protocols we're able to
// classify. Entries are segmented such that it is possible to infer the
diff --git a/pkg/network/ebpf/c/protocols/classification/shared-tracer-maps.h b/pkg/network/ebpf/c/protocols/classification/shared-tracer-maps.h
index 1cf95e67afb9a..cb408612dcf84 100644
--- a/pkg/network/ebpf/c/protocols/classification/shared-tracer-maps.h
+++ b/pkg/network/ebpf/c/protocols/classification/shared-tracer-maps.h
@@ -102,6 +102,16 @@ __maybe_unused static __always_inline void delete_protocol_stack(conn_tuple_t* n
return;
}
deletion:
+ if (stack->flags&FLAG_SERVER_SIDE && stack->flags&FLAG_CLIENT_SIDE) {
+ // If we reach this code path it means both client and server are
+ // present in this host. To avoid a race condition where one side
+ // potentially deletes protocol information before the other gets a
+ // chance to retrieve it, we clear these flags and bail out, which
+ // defers the deletion of protocol data to the last one to reach this
+ // code path.
+ stack->flags = stack->flags & ~(FLAG_SERVER_SIDE|FLAG_CLIENT_SIDE);
+ return;
+ }
bpf_map_delete_elem(&connection_protocol, normalized_tuple);
}
diff --git a/pkg/network/ebpf/c/protocols/http/http.h b/pkg/network/ebpf/c/protocols/http/http.h
index 8ee1d4797a988..b3ca4ca9d9972 100644
--- a/pkg/network/ebpf/c/protocols/http/http.h
+++ b/pkg/network/ebpf/c/protocols/http/http.h
@@ -78,13 +78,45 @@ static __always_inline bool http_closed(skb_info_t *skb_info) {
return (skb_info && skb_info->tcp_flags&(TCPHDR_FIN|TCPHDR_RST));
}
+// this is merely added here to improve readibility of code.
+// HTTP monitoring code is executed in two "contexts":
+// * via a socket filter program, which is used for monitoring plain traffic;
+// * via a uprobe-based programs, for the purposes of tracing encrypted traffic (SSL, Go TLS, Java TLS etc);
+// When code is executed from uprobes, skb_info is null[1].
+//
+// [1] There is one notable exception that happens when we process uprobes
+// triggering the termination of connections. In that particular context we
+// "inject" a special skb_info that has the tcp_flags field set to `TCPHDR_FIN`.
+static __always_inline bool is_uprobe_context(skb_info_t *skb_info) {
+ return skb_info == NULL || (skb_info->data_end == 0 && http_closed(skb_info));
+}
+
// The purpose of http_seen_before is to is to avoid re-processing certain TCP segments.
// We only care about 3 types of segments:
// * A segment with the beginning of a request (packet_type == HTTP_REQUEST);
// * A segment with the beginning of a response (packet_type == HTTP_RESPONSE);
// * A segment with a (FIN|RST) flag set;
static __always_inline bool http_seen_before(http_transaction_t *http, skb_info_t *skb_info, http_packet_t packet_type) {
- if (!skb_info) {
+ if (is_uprobe_context(skb_info) && !http_closed(skb_info)) {
+ // The purpose of setting tcp_seq = 0 in the context of uprobe tracing
+ // is innocuous for the most part (as this field will almost aways be 0)
+ // The only reason we do this here is to *minimize* the chance of a race
+ // condition that happens sometimes in the context of uprobe-based tracing:
+ //
+ // 1) handle_request for c1 (uprobe)
+ // 2) socket filter triggers termination code for c1 (server -> FIN -> client)
+ // 3) handle_response for c1 (uprobe)
+ // 4) socket filter triggers termination code for c1 (client -> FIN -> server)
+ //
+ // The problem is that 2) and 3) might happen in parallel, and 2) may
+ // delete the the eBPF data *before* 4) executes and flushes the data
+ // with both request and response information to userspace.
+ //
+ // Since we check if (skb_info->tcp_seq == HTTP_TERMINATING) evaluates
+ // to true before flushing and deleting the eBPF map data, setting it to
+ // 0 here gives a chance for the late response to "cancel" the map
+ // deletion.
+ http->tcp_seq = 0;
return false;
}
@@ -170,12 +202,15 @@ static __always_inline void http_process(http_event_t *event, skb_info_t *skb_in
http->response_last_seen = bpf_ktime_get_ns();
}
- if (http_closed(skb_info)) {
+ if (http->tcp_seq == HTTP_TERMINATING) {
http_batch_enqueue_wrapper(tuple, http);
- bpf_map_delete_elem(&http_in_flight, tuple);
+ // Check a second time to minimize the chance of accidentally deleting a
+ // map entry if there is a race with a late response.
+ // Please refer to comments in `http_seen_before` for more context.
+ if (http->tcp_seq == HTTP_TERMINATING) {
+ bpf_map_delete_elem(&http_in_flight, tuple);
+ }
}
-
- return;
}
// this function is called by the socket-filter program to decide whether or not we should inspect
diff --git a/pkg/network/ebpf/c/protocols/http2/decoding.h b/pkg/network/ebpf/c/protocols/http2/decoding.h
index 7a7aae8b91393..5ee59bf0fd0bd 100644
--- a/pkg/network/ebpf/c/protocols/http2/decoding.h
+++ b/pkg/network/ebpf/c/protocols/http2/decoding.h
@@ -42,17 +42,26 @@ static __always_inline http2_stream_t *http2_fetch_stream(const http2_stream_key
return bpf_map_lookup_elem(&http2_in_flight, http2_stream_key);
}
-// Similar to read_var_int, but with a small optimization of getting the current character as input argument.
-static __always_inline bool read_var_int_with_given_current_char(struct __sk_buff *skb, skb_info_t *skb_info, __u64 current_char_as_number, __u64 max_number_for_bits, __u64 *out) {
+// Similar to read_hpack_int, but with a small optimization of getting the
+// current character as input argument.
+static __always_inline bool read_hpack_int_with_given_current_char(struct __sk_buff *skb, skb_info_t *skb_info, __u64 current_char_as_number, __u64 max_number_for_bits, __u64 *out) {
current_char_as_number &= max_number_for_bits;
+ // In HPACK, if the number is too big to be stored in max_number_for_bits
+ // bits, then those bits are all set to one, and the rest of the number must
+ // be read from subsequent bytes.
if (current_char_as_number < max_number_for_bits) {
*out = current_char_as_number;
return true;
}
+ // Read the next byte, and check if it is the last byte of the number.
+ // While HPACK does support arbitrary sized numbers, we are limited by the
+ // number of instructions we can use in a single eBPF program, so we only
+ // parse one additional byte. The max value that can be parsed is
+ // `(2^max_number_for_bits - 1) + 127`.
__u64 next_char = 0;
- if (bpf_skb_load_bytes(skb, skb_info->data_off, &next_char, 1) >=0 && (next_char & 128) == 0) {
+ if (bpf_skb_load_bytes(skb, skb_info->data_off, &next_char, 1) >= 0 && (next_char & 128) == 0) {
skb_info->data_off++;
*out = current_char_as_number + (next_char & 127);
return true;
@@ -61,35 +70,42 @@ static __always_inline bool read_var_int_with_given_current_char(struct __sk_buf
return false;
}
-// read_var_int reads an unsigned variable length integer off the
-// beginning of p. n is the parameter as described in
-// https://httpwg.org/specs/rfc7541.html#rfc.section.5.1.
+// read_hpack_int reads an unsigned variable length integer as specified in the
+// HPACK specification, from an skb.
//
-// n must always be between 1 and 8.
+// See https://httpwg.org/specs/rfc7541.html#rfc.section.5.1 for more details on
+// how numbers are represented in HPACK.
//
-// The returned remain buffer is either a smaller suffix of p, or err != nil.
-static __always_inline bool read_var_int(struct __sk_buff *skb, skb_info_t *skb_info, __u64 max_number_for_bits, __u64 *out) {
+// max_number_for_bits represents the number of bits in the first byte that are
+// used to represent the MSB of number. It must always be between 1 and 8.
+//
+// The parsed number is stored in out.
+//
+// read_hpack_int returns true if the integer was successfully parsed, and false
+// otherwise.
+static __always_inline bool read_hpack_int(struct __sk_buff *skb, skb_info_t *skb_info, __u64 max_number_for_bits, __u64 *out) {
__u64 current_char_as_number = 0;
if (bpf_skb_load_bytes(skb, skb_info->data_off, ¤t_char_as_number, 1) < 0) {
return false;
}
skb_info->data_off++;
- return read_var_int_with_given_current_char(skb, skb_info, current_char_as_number, max_number_for_bits, out);
+ return read_hpack_int_with_given_current_char(skb, skb_info, current_char_as_number, max_number_for_bits, out);
}
-//get_dynamic_counter returns the current dynamic counter by the conn tup.
+// get_dynamic_counter returns the current dynamic counter by the conn tuple.
static __always_inline __u64 *get_dynamic_counter(conn_tuple_t *tup) {
__u64 counter = 0;
bpf_map_update_elem(&http2_dynamic_counter_table, tup, &counter, BPF_NOEXIST);
return bpf_map_lookup_elem(&http2_dynamic_counter_table, tup);
}
-// parse_field_indexed is handling the case which the header frame is part of the static table.
+// parse_field_indexed parses fully-indexed headers.
static __always_inline void parse_field_indexed(dynamic_table_index_t *dynamic_index, http2_header_t *headers_to_process, __u8 index, __u64 global_dynamic_counter, __u8 *interesting_headers_counter) {
if (headers_to_process == NULL) {
return;
}
+
// TODO: can improve by declaring MAX_INTERESTING_STATIC_TABLE_INDEX
if (is_interesting_static_entry(index)) {
headers_to_process->index = index;
@@ -101,8 +117,8 @@ static __always_inline void parse_field_indexed(dynamic_table_index_t *dynamic_i
return;
}
- // we change the index to fit our internal dynamic table implementation index.
- // the index is starting from 1 so we decrease 62 in order to be equal to the given index.
+ // We change the index to match our internal dynamic table implementation index.
+ // Our internal indexes start from 1, so we subtract 61 in order to match the given index.
dynamic_index->index = global_dynamic_counter - (index - MAX_STATIC_TABLE_INDEX);
if (bpf_map_lookup_elem(&http2_dynamic_table, dynamic_index) == NULL) {
@@ -117,29 +133,35 @@ static __always_inline void parse_field_indexed(dynamic_table_index_t *dynamic_i
READ_INTO_BUFFER(path, HTTP2_MAX_PATH_LEN, BLK_SIZE)
-// parse_field_literal handling the case when the key is part of the static table and the value is a dynamic string
-// which will be stored in the dynamic table.
+// parse_field_literal parses a header with a literal value.
+//
+// We are only interested in path headers, that we will store in our internal
+// dynamic table, and will skip headers that are not path headers.
static __always_inline bool parse_field_literal(struct __sk_buff *skb, skb_info_t *skb_info, http2_header_t *headers_to_process, __u64 index, __u64 global_dynamic_counter, __u8 *interesting_headers_counter) {
__u64 str_len = 0;
- if (!read_var_int(skb, skb_info, MAX_6_BITS, &str_len)) {
+ if (!read_hpack_int(skb, skb_info, MAX_6_BITS, &str_len)) {
return false;
}
- // The key is new and inserted into the dynamic table. So we are skipping the new value.
+ // The header name is new and inserted in the dynamic table - we skip the new value.
if (index == 0) {
skb_info->data_off += str_len;
str_len = 0;
- if (!read_var_int(skb, skb_info, MAX_6_BITS, &str_len)) {
+ if (!read_hpack_int(skb, skb_info, MAX_6_BITS, &str_len)) {
return false;
}
goto end;
}
+
+ // We skip if:
+ // - The string is too big
+ // - This is not a path
+ // - We won't be able to store the header info
if (str_len > HTTP2_MAX_PATH_LEN || index != kIndexPath || headers_to_process == NULL) {
goto end;
}
- __u32 final_size = str_len < HTTP2_MAX_PATH_LEN ? str_len : HTTP2_MAX_PATH_LEN;
- if (skb_info->data_off + final_size > skb_info->data_end) {
+ if (skb_info->data_off + str_len > skb_info->data_end) {
goto end;
}
@@ -148,12 +170,16 @@ static __always_inline bool parse_field_literal(struct __sk_buff *skb, skb_info_
headers_to_process->new_dynamic_value_offset = skb_info->data_off;
headers_to_process->new_dynamic_value_size = str_len;
(*interesting_headers_counter)++;
+
end:
skb_info->data_off += str_len;
return true;
}
-// This function reads the http2 headers frame.
+// filter_relevant_headers parses the http2 headers frame, and filters headers
+// that are relevant for us, to be processed later on.
+// The return value is the number of relevant headers that were found and inserted
+// in the `headers_to_process` table.
static __always_inline __u8 filter_relevant_headers(struct __sk_buff *skb, skb_info_t *skb_info, conn_tuple_t *tup, dynamic_table_index_t *dynamic_index, http2_header_t *headers_to_process, __u32 frame_length) {
__u8 current_ch;
__u8 interesting_headers = 0;
@@ -190,7 +216,7 @@ static __always_inline __u8 filter_relevant_headers(struct __sk_buff *skb, skb_i
}
index = 0;
- if (!read_var_int_with_given_current_char(skb, skb_info, current_ch, max_bits, &index)) {
+ if (!read_hpack_int_with_given_current_char(skb, skb_info, current_ch, max_bits, &index)) {
break;
}
@@ -218,6 +244,8 @@ static __always_inline __u8 filter_relevant_headers(struct __sk_buff *skb, skb_i
return interesting_headers;
}
+// process_headers processes the headers that were filtered in filter_relevant_headers,
+// looking for requests path, status code, and method.
static __always_inline void process_headers(struct __sk_buff *skb, dynamic_table_index_t *dynamic_index, http2_stream_t *current_stream, http2_header_t *headers_to_process, __u8 interesting_headers) {
http2_header_t *current_header;
dynamic_table_entry_t dynamic_value = {};
@@ -273,6 +301,7 @@ static __always_inline void process_headers(struct __sk_buff *skb, dynamic_table
}
static __always_inline void handle_end_of_stream(http2_stream_t *current_stream, http2_stream_key_t *http2_stream_key_template) {
+ // We want to see the EOS twice for a given stream: one for the client, one for the server.
if (!current_stream->request_end_of_stream) {
current_stream->request_end_of_stream = true;
return;
@@ -349,6 +378,8 @@ static __always_inline bool format_http2_frame_header(struct http2_frame *out) {
return out->type <= kContinuationFrame && out->length <= MAX_FRAME_SIZE && (out->stream_id == 0 || (out->stream_id % 2 == 1));
}
+// skip_preface is a helper function to check for the HTTP2 magic sent at the beginning
+// of an HTTP2 connection, and skip it if present.
static __always_inline void skip_preface(struct __sk_buff *skb, skb_info_t *skb_info) {
char preface[HTTP2_MARKER_SIZE];
bpf_memset((char *)preface, 0, HTTP2_MARKER_SIZE);
@@ -394,10 +425,7 @@ static __always_inline void fix_header_frame(struct __sk_buff *skb, skb_info_t *
}
static __always_inline void reset_frame(struct http2_frame *out) {
- out->type = 0;
- out->length = 0;
- out->stream_id = 0;
- out->flags = 0;
+ *out = (struct http2_frame){ 0 };
}
static __always_inline bool get_first_frame(struct __sk_buff *skb, skb_info_t *skb_info, frame_header_remainder_t *frame_state, struct http2_frame *current_frame) {
@@ -473,10 +501,24 @@ static __always_inline bool get_first_frame(struct __sk_buff *skb, skb_info_t *s
return false;
}
-static __always_inline __u8 find_relevant_headers(struct __sk_buff *skb, skb_info_t *skb_info, http2_frame_with_offset *frames_array, __u8 original_index) {
+// find_relevant_frames iterates over the packet and finds frames that are
+// relevant for us. The frames info and location are stored in the `frames_array` array,
+// and the number of frames found is returned.
+//
+// We consider frames as relevant if they are either:
+// - HEADERS frames
+// - RST_STREAM frames
+// - DATA frames with the END_STREAM flag set
+static __always_inline __u8 find_relevant_frames(struct __sk_buff *skb, skb_info_t *skb_info, http2_frame_with_offset *frames_array, __u8 original_index) {
bool is_headers_or_rst_frame, is_data_end_of_stream;
__u8 interesting_frame_index = 0;
struct http2_frame current_frame = {};
+
+ // We may have found a relevant frame already in http2_handle_first_frame,
+ // so we need to adjust the index accordingly. We do not set
+ // interesting_frame_index to original_index directly, as this will confuse
+ // the verifier, leading it into thinking the index could have an arbitrary
+ // value.
if (original_index == 1) {
interesting_frame_index = 1;
}
@@ -550,7 +592,7 @@ int socket__http2_handle_first_frame(struct __sk_buff *skb) {
iteration_value->frames_count = 0;
iteration_value->iteration = 0;
- // Filter preface.
+ // skip HTTP2 magic, if present
skip_preface(skb, &dispatcher_args_copy.skb_info);
frame_header_remainder_t *frame_state = bpf_map_lookup_elem(&http2_remainder, &dispatcher_args_copy.tup);
@@ -607,9 +649,9 @@ int socket__http2_filter(struct __sk_buff *skb) {
// The verifier cannot tell if `iteration_value->frames_count` is 0 or 1, so we have to help it. The value is
// 1 if we have found an interesting frame in `socket__http2_handle_first_frame`, otherwise it is 0.
// filter frames
- iteration_value->frames_count = find_relevant_headers(skb, &local_skb_info, iteration_value->frames_array, iteration_value->frames_count);
+ iteration_value->frames_count = find_relevant_frames(skb, &local_skb_info, iteration_value->frames_array, iteration_value->frames_count);
- frame_header_remainder_t new_frame_state = {0};
+ frame_header_remainder_t new_frame_state = { 0 };
if (local_skb_info.data_off > local_skb_info.data_end) {
// We have a remainder
new_frame_state.remainder = local_skb_info.data_off - local_skb_info.data_end;
diff --git a/pkg/network/ebpf/c/tracer/stats.h b/pkg/network/ebpf/c/tracer/stats.h
index 3fb663daefd23..07c9948527004 100644
--- a/pkg/network/ebpf/c/tracer/stats.h
+++ b/pkg/network/ebpf/c/tracer/stats.h
@@ -57,6 +57,38 @@ static __always_inline void update_conn_state(conn_tuple_t *t, conn_stats_ts_t *
}
}
+// this function marks the protocol stack object with the connection direction
+//
+// *how is the connection direction determined?*
+//
+// Basically we compare the src-side of the normalized USM tuple (which should
+// contain the client port), with the source port of the TCP *socket* (here
+// supplied as part the `pre_norm_tuple` argument). If they match, we mark the
+// protocol stack with FLAG_CLIENT_SIDE, otherwise we mark it with
+// FLAG_SERVER_SIDE.
+//
+// *why do we do that?*
+//
+// We do this to mitigate a race condition that may arise in the context of
+// localhost traffic when deleting the protocol_stack_t entry. This means that
+// we're pretty much only interested in the case where a protocol stack is
+// annothed with *both* FLAG_SERVER_SIDE and FLAG_CLIENT_SIDE. For more context
+// refer to classification/shared-tracer-maps.h
+//
+// *what if there is something wrong with the USM normalization?*
+//
+// This doesn't matter in our case. Even if FLAG_SERVER_SIDE and
+// FLAG_CLIENT_SIDE are flipped, all we care about is the case where both flags
+// are present.
+static __always_inline void mark_protocol_direction(conn_tuple_t *pre_norm_tuple, conn_tuple_t *norm_tuple, protocol_stack_t *protocol_stack) {
+ if (pre_norm_tuple->sport == norm_tuple->sport) {
+ set_protocol_flag(protocol_stack, FLAG_CLIENT_SIDE);
+ return;
+ }
+
+ set_protocol_flag(protocol_stack, FLAG_SERVER_SIDE);
+}
+
static __always_inline void update_protocol_classification_information(conn_tuple_t *t, conn_stats_ts_t *stats) {
if (is_fully_classified(&stats->protocol_stack)) {
return;
@@ -71,6 +103,7 @@ static __always_inline void update_protocol_classification_information(conn_tupl
protocol_stack_t *protocol_stack = __get_protocol_stack(&conn_tuple_copy);
set_protocol_flag(protocol_stack, FLAG_NPM_ENABLED);
+ mark_protocol_direction(t, &conn_tuple_copy, protocol_stack);
merge_protocol_stacks(&stats->protocol_stack, protocol_stack);
conn_tuple_t *cached_skb_conn_tup_ptr = bpf_map_lookup_elem(&conn_tuple_to_socket_skb_conn_tuple, &conn_tuple_copy);
@@ -81,6 +114,7 @@ static __always_inline void update_protocol_classification_information(conn_tupl
conn_tuple_copy = *cached_skb_conn_tup_ptr;
protocol_stack = __get_protocol_stack(&conn_tuple_copy);
set_protocol_flag(protocol_stack, FLAG_NPM_ENABLED);
+ mark_protocol_direction(t, &conn_tuple_copy, protocol_stack);
merge_protocol_stacks(&stats->protocol_stack, protocol_stack);
}
diff --git a/pkg/network/events/monitor.go b/pkg/network/events/monitor.go
index f2e570a420720..552feead6d39e 100644
--- a/pkg/network/events/monitor.go
+++ b/pkg/network/events/monitor.go
@@ -110,11 +110,13 @@ func (h *eventHandlerWrapper) Copy(ev *model.Event) any {
processStartTime = ev.GetProcessForkTime()
}
+ envs := ev.GetProcessEnvp()
+
return &Process{
Pid: ev.GetProcessPid(),
ContainerID: intern.GetByString(ev.GetContainerId()),
StartTime: processStartTime.UnixNano(),
- Envs: ev.GetProcessEnvp(map[string]bool{
+ Envs: model.FilterEnvs(envs, map[string]bool{
"DD_SERVICE": true,
"DD_VERSION": true,
"DD_ENV": true,
diff --git a/pkg/network/protocols/http/etw_http_service.go b/pkg/network/protocols/http/etw_http_service.go
index 61350e1ef1af5..6eeb9ba9badec 100644
--- a/pkg/network/protocols/http/etw_http_service.go
+++ b/pkg/network/protocols/http/etw_http_service.go
@@ -125,6 +125,8 @@ package http
import (
"encoding/binary"
"errors"
+ "fmt"
+ "net/netip"
"net/url"
"os"
"strconv"
@@ -329,8 +331,8 @@ func completeReqRespTracking(eventInfo *etw.DDEtwEventInfo, httpConnLink *HttpCo
log.Infof(" ConnActivityId: %v\n", etw.FormatGUID(httpConnLink.connActivityId))
log.Infof(" ActivityId: %v\n", etw.FormatGUID(eventInfo.Event.ActivityId))
if connFound {
- log.Infof(" Local: %v\n", etw.IPFormat(connOpen.conn.tup, true))
- log.Infof(" Remote: %v\n", etw.IPFormat(connOpen.conn.tup, false))
+ log.Infof(" Local: %v\n", IPFormat(connOpen.conn.tup, true))
+ log.Infof(" Remote: %v\n", IPFormat(connOpen.conn.tup, false))
log.Infof(" Family: %v\n", connOpen.conn.tup.Family)
}
log.Infof(" AppPool: %v\n", httpConnLink.http.AppPool)
@@ -345,8 +347,8 @@ func completeReqRespTracking(eventInfo *etw.DDEtwEventInfo, httpConnLink *HttpCo
log.Infof("%v. %v L[%v], R[%v], F[%v], P[%v], C[%v], V[%v], U[%v]\n",
completedRequestCount,
etw.FormatUnixTime(httpConnLink.http.Txn.RequestStarted),
- etw.IPFormat(connOpen.conn.tup, true),
- etw.IPFormat(connOpen.conn.tup, false),
+ IPFormat(connOpen.conn.tup, true),
+ IPFormat(connOpen.conn.tup, false),
connOpen.conn.tup.Family,
httpConnLink.http.AppPool,
httpConnLink.http.Txn.ResponseStatusCode,
@@ -504,8 +506,8 @@ func httpCallbackOnHTTPConnectionTraceTaskConnConn(eventInfo *etw.DDEtwEventInfo
if HttpServiceLogVerbosity == HttpServiceLogVeryVerbose {
log.Infof(" Time: %v\n", etw.FormatUnixTime(connOpen.conn.connected))
log.Infof(" ActivityId: %v\n", etw.FormatGUID(eventInfo.Event.ActivityId))
- log.Infof(" Local: %v\n", etw.IPFormat(connOpen.conn.tup, true))
- log.Infof(" Remote: %v\n", etw.IPFormat(connOpen.conn.tup, false))
+ log.Infof(" Local: %v\n", IPFormat(connOpen.conn.tup, true))
+ log.Infof(" Remote: %v\n", IPFormat(connOpen.conn.tup, false))
log.Infof(" Family: %v\n", connOpen.conn.tup.Family)
log.Infof("\n")
}
@@ -542,8 +544,8 @@ func httpCallbackOnHTTPConnectionTraceTaskConnClose(eventInfo *etw.DDEtwEventInf
if found {
log.Infof(" ActivityId: %v, Local[%v], Remote[%v], Family[%v]\n",
etw.FormatGUID(eventInfo.Event.ActivityId),
- etw.IPFormat(connOpen.conn.tup, true),
- etw.IPFormat(connOpen.conn.tup, false),
+ IPFormat(connOpen.conn.tup, true),
+ IPFormat(connOpen.conn.tup, false),
connOpen.conn.tup.Family)
} else {
log.Infof(" ActivityId: %v not found\n", etw.FormatGUID(eventInfo.Event.ActivityId))
@@ -634,8 +636,8 @@ func httpCallbackOnHTTPRequestTraceTaskRecvReq(eventInfo *etw.DDEtwEventInfo) {
log.Infof(" ActivityId: %v\n", etw.FormatGUID(eventInfo.Event.ActivityId))
log.Infof(" RelActivityId: %v\n", etw.FormatGUID(*eventInfo.RelatedActivityId))
if connFound {
- log.Infof(" Local: %v\n", etw.IPFormat(connOpen.conn.tup, true))
- log.Infof(" Remote: %v\n", etw.IPFormat(connOpen.conn.tup, false))
+ log.Infof(" Local: %v\n", IPFormat(connOpen.conn.tup, true))
+ log.Infof(" Remote: %v\n", IPFormat(connOpen.conn.tup, false))
log.Infof(" Family: %v\n", connOpen.conn.tup.Family)
}
log.Infof("\n")
@@ -804,8 +806,8 @@ func httpCallbackOnHTTPRequestTraceTaskDeliver(eventInfo *etw.DDEtwEventInfo) {
log.Infof(" AppPool: %v\n", httpConnLink.http.AppPool)
log.Infof(" Url: %v\n", httpConnLink.url)
if connFound {
- log.Infof(" Local: %v\n", etw.IPFormat(connOpen.conn.tup, true))
- log.Infof(" Remote: %v\n", etw.IPFormat(connOpen.conn.tup, false))
+ log.Infof(" Local: %v\n", IPFormat(connOpen.conn.tup, true))
+ log.Infof(" Remote: %v\n", IPFormat(connOpen.conn.tup, false))
log.Infof(" Family: %v\n", connOpen.conn.tup.Family)
}
log.Infof("\n")
@@ -1345,3 +1347,35 @@ func (hei *EtwInterface) OnStop() {
iisConfig = nil
}
}
+func ipAndPortFromTup(tup driver.ConnTupleType, local bool) ([16]uint8, uint16) {
+ if local {
+ return tup.LocalAddr, tup.LocalPort
+ }
+ return tup.RemoteAddr, tup.RemotePort
+}
+
+func ip4format(ip [16]uint8) string {
+ ipObj := netip.AddrFrom4(*(*[4]byte)(ip[:4]))
+ return ipObj.String()
+}
+
+func ip6format(ip [16]uint8) string {
+ ipObj := netip.AddrFrom16(ip)
+ return ipObj.String()
+}
+
+// IPFormat takes a binary ip representation and returns a string type
+func IPFormat(tup driver.ConnTupleType, local bool) string {
+ ip, port := ipAndPortFromTup(tup, local)
+
+ if tup.Family == 2 {
+ // IPv4
+ return fmt.Sprintf("%v:%v", ip4format(ip), port)
+ } else if tup.Family == 23 {
+ // IPv6
+ return fmt.Sprintf("[%v]:%v", ip6format(ip), port)
+ } else {
+ // everything else
+ return ""
+ }
+}
diff --git a/pkg/network/protocols/http/protocol.go b/pkg/network/protocols/http/protocol.go
index 2a058b0ed8ccf..c37e1e24d4a83 100644
--- a/pkg/network/protocols/http/protocol.go
+++ b/pkg/network/protocols/http/protocol.go
@@ -32,7 +32,7 @@ type protocol struct {
cfg *config.Config
telemetry *Telemetry
statkeeper *StatKeeper
- mapCleaner *ddebpf.MapCleaner
+ mapCleaner *ddebpf.MapCleaner[netebpf.ConnTuple, EbpfTx]
eventsConsumer *events.Consumer
}
@@ -175,24 +175,19 @@ func (p *protocol) setupMapCleaner(mgr *manager.Manager) {
log.Errorf("error getting http_in_flight map: %s", err)
return
}
- mapCleaner, err := ddebpf.NewMapCleaner(httpMap, new(netebpf.ConnTuple), new(EbpfTx))
+ mapCleaner, err := ddebpf.NewMapCleaner[netebpf.ConnTuple, EbpfTx](httpMap, 1024)
if err != nil {
log.Errorf("error creating map cleaner: %s", err)
return
}
ttl := p.cfg.HTTPIdleConnectionTTL.Nanoseconds()
- mapCleaner.Clean(p.cfg.HTTPMapCleanerInterval, nil, nil, func(now int64, key, val interface{}) bool {
- httpTxn, ok := val.(*EbpfTx)
- if !ok {
- return false
- }
-
- if updated := int64(httpTxn.Response_last_seen); updated > 0 {
+ mapCleaner.Clean(p.cfg.HTTPMapCleanerInterval, nil, nil, func(now int64, key netebpf.ConnTuple, val EbpfTx) bool {
+ if updated := int64(val.Response_last_seen); updated > 0 {
return (now - updated) > ttl
}
- started := int64(httpTxn.Request_started)
+ started := int64(val.Request_started)
return started > 0 && (now-started) > ttl
})
diff --git a/pkg/network/protocols/http2/protocol.go b/pkg/network/protocols/http2/protocol.go
index 0bdc6c4369129..d39baf549f870 100644
--- a/pkg/network/protocols/http2/protocol.go
+++ b/pkg/network/protocols/http2/protocol.go
@@ -37,8 +37,8 @@ type protocol struct {
telemetry *http.Telemetry
// TODO: Do we need to duplicate?
statkeeper *http.StatKeeper
- http2InFlightMapCleaner *ddebpf.MapCleaner
- dynamicTableMapCleaner *ddebpf.MapCleaner
+ http2InFlightMapCleaner *ddebpf.MapCleaner[http2StreamKey, EbpfTx]
+ dynamicTableMapCleaner *ddebpf.MapCleaner[http2DynamicTableIndex, http2DynamicTableEntry]
eventsConsumer *events.Consumer
terminatedConnectionsEventsConsumer *events.Consumer
@@ -267,24 +267,19 @@ func (p *protocol) setupHTTP2InFlightMapCleaner(mgr *manager.Manager) {
log.Errorf("error getting %q map: %s", inFlightMap, err)
return
}
- mapCleaner, err := ddebpf.NewMapCleaner(http2Map, new(http2StreamKey), new(EbpfTx))
+ mapCleaner, err := ddebpf.NewMapCleaner[http2StreamKey, EbpfTx](http2Map, 1024)
if err != nil {
log.Errorf("error creating map cleaner: %s", err)
return
}
ttl := p.cfg.HTTPIdleConnectionTTL.Nanoseconds()
- mapCleaner.Clean(p.cfg.HTTPMapCleanerInterval, nil, nil, func(now int64, key, val interface{}) bool {
- http2Txn, ok := val.(*EbpfTx)
- if !ok {
- return false
- }
-
- if updated := int64(http2Txn.Stream.Response_last_seen); updated > 0 {
+ mapCleaner.Clean(p.cfg.HTTPMapCleanerInterval, nil, nil, func(now int64, key http2StreamKey, val EbpfTx) bool {
+ if updated := int64(val.Stream.Response_last_seen); updated > 0 {
return (now - updated) > ttl
}
- started := int64(http2Txn.Stream.Request_started)
+ started := int64(val.Stream.Request_started)
return started > 0 && (now-started) > ttl
})
@@ -298,7 +293,7 @@ func (p *protocol) setupDynamicTableMapCleaner(mgr *manager.Manager) {
return
}
- mapCleaner, err := ddebpf.NewMapCleaner(dynamicTableMap, new(http2DynamicTableIndex), new(http2DynamicTableEntry))
+ mapCleaner, err := ddebpf.NewMapCleaner[http2DynamicTableIndex, http2DynamicTableEntry](dynamicTableMap, 1024)
if err != nil {
log.Errorf("error creating map cleaner: %s", err)
return
@@ -320,13 +315,8 @@ func (p *protocol) setupDynamicTableMapCleaner(mgr *manager.Manager) {
func() {
terminatedConnectionsMap = make(map[netebpf.ConnTuple]struct{})
},
- func(now int64, key, val interface{}) bool {
- keyIndex, ok := key.(*http2DynamicTableIndex)
- if !ok {
- return false
- }
-
- _, ok = terminatedConnectionsMap[keyIndex.Tup]
+ func(_ int64, key http2DynamicTableIndex, _ http2DynamicTableEntry) bool {
+ _, ok := terminatedConnectionsMap[key.Tup]
return ok
})
p.dynamicTableMapCleaner = mapCleaner
diff --git a/pkg/network/tracer/testutil/grpc/server.go b/pkg/network/tracer/testutil/grpc/server.go
index dae23aa6eec62..94e65a75f829b 100644
--- a/pkg/network/tracer/testutil/grpc/server.go
+++ b/pkg/network/tracer/testutil/grpc/server.go
@@ -226,10 +226,17 @@ func NewServer(addr string) (*Server, error) {
return nil, err
}
+ server := NewServerWithoutBind()
+ server.lis = lis
+ server.Address = lis.Addr().String()
+
+ return server, nil
+}
+
+// NewServerWithoutBind returns a new instance of the gRPC server.
+func NewServerWithoutBind() *Server {
server := &Server{
- Address: lis.Addr().String(),
grpcSrv: grpc.NewServer(grpc.MaxRecvMsgSize(100*1024*1024), grpc.MaxSendMsgSize(100*1024*1024)),
- lis: lis,
routeNotes: make(map[string][]*routeguide.RouteNote),
}
@@ -238,7 +245,12 @@ func NewServer(addr string) (*Server, error) {
routeguide.RegisterRouteGuideServer(server.grpcSrv, server)
pbStream.RegisterMathServer(server.grpcSrv, server)
- return server, nil
+ return server
+}
+
+// GetGRPCServer returns the gRPC server.
+func (s *Server) GetGRPCServer() *grpc.Server {
+ return s.grpcSrv
}
func (s *Server) Stop() {
diff --git a/pkg/network/tracer/tracer_usm_linux_test.go b/pkg/network/tracer/tracer_usm_linux_test.go
index 7b31b6b03db69..2b51d79a89cad 100644
--- a/pkg/network/tracer/tracer_usm_linux_test.go
+++ b/pkg/network/tracer/tracer_usm_linux_test.go
@@ -8,7 +8,6 @@
package tracer
import (
- "bufio"
"bytes"
"context"
"crypto/tls"
@@ -27,6 +26,7 @@ import (
"testing"
"time"
+ gorilla "github.com/gorilla/mux"
krpretty "github.com/kr/pretty"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@@ -51,6 +51,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/network/tracer/connection/kprobe"
"github.com/DataDog/datadog-agent/pkg/network/tracer/testutil/grpc"
"github.com/DataDog/datadog-agent/pkg/network/usm/utils"
+ grpc2 "github.com/DataDog/datadog-agent/pkg/util/grpc"
)
func httpSupported() bool {
@@ -598,9 +599,6 @@ func (s *USMSuite) TestProtocolClassification() {
func testProtocolConnectionProtocolMapCleanup(t *testing.T, tr *Tracer, clientHost, targetHost, serverHost string) {
t.Run("protocol cleanup", func(t *testing.T) {
- if tr.ebpfTracer.Type() == connection.TracerTypeFentry {
- t.Skip("protocol classification not supported for fentry tracer")
- }
t.Cleanup(func() { tr.ebpfTracer.Pause() })
dialer := &net.Dialer{
@@ -624,17 +622,21 @@ func testProtocolConnectionProtocolMapCleanup(t *testing.T, tr *Tracer, clientHo
initTracerState(t, tr)
require.NoError(t, tr.ebpfTracer.Resume())
- HTTPServer := NewTCPServerOnAddress(serverHost, func(c net.Conn) {
- r := bufio.NewReader(c)
- input, err := r.ReadBytes(byte('\n'))
- if err == nil {
- c.Write(input)
- }
- c.Close()
+ mux := gorilla.NewRouter()
+ mux.Handle("/test", nethttp.DefaultServeMux)
+ grpcHandler := grpc.NewServerWithoutBind()
+
+ lis, err := net.Listen("tcp", serverHost)
+ require.NoError(t, err)
+ srv := grpc2.NewMuxedGRPCServer(serverHost, nil, grpcHandler.GetGRPCServer(), mux)
+ srv.Addr = lis.Addr().String()
+
+ go srv.Serve(lis)
+ t.Cleanup(func() {
+ _ = srv.Shutdown(context.Background())
+ _ = lis.Close()
})
- t.Cleanup(HTTPServer.Shutdown)
- require.NoError(t, HTTPServer.Run())
- _, port, err := net.SplitHostPort(HTTPServer.address)
+ _, port, err := net.SplitHostPort(srv.Addr)
require.NoError(t, err)
targetAddr := net.JoinHostPort(targetHost, port)
@@ -644,19 +646,13 @@ func testProtocolConnectionProtocolMapCleanup(t *testing.T, tr *Tracer, clientHo
DialContext: dialer.DialContext,
},
}
- resp, err := client.Get("http://" + targetAddr + "/test")
- if err == nil {
- io.Copy(io.Discard, resp.Body)
- resp.Body.Close()
- }
+ resp, err := client.Post("http://"+targetAddr+"/test", "text/plain", bytes.NewReader(bytes.Repeat([]byte("test"), 100)))
+ require.NoError(t, err)
+ io.Copy(io.Discard, resp.Body)
+ resp.Body.Close()
client.CloseIdleConnections()
- waitForConnectionsWithProtocol(t, tr, targetAddr, HTTPServer.address, &protocols.Stack{Application: protocols.HTTP})
- HTTPServer.Shutdown()
-
- gRPCServer, err := grpc.NewServer(HTTPServer.address)
- require.NoError(t, err)
- gRPCServer.Run()
+ waitForConnectionsWithProtocol(t, tr, targetAddr, srv.Addr, &protocols.Stack{Application: protocols.HTTP})
grpcClient, err := grpc.NewClient(targetAddr, grpc.Options{
CustomDialer: dialer,
@@ -664,8 +660,7 @@ func testProtocolConnectionProtocolMapCleanup(t *testing.T, tr *Tracer, clientHo
require.NoError(t, err)
defer grpcClient.Close()
_ = grpcClient.HandleUnary(context.Background(), "test")
- gRPCServer.Stop()
- waitForConnectionsWithProtocol(t, tr, targetAddr, gRPCServer.Address, &protocols.Stack{Api: protocols.GRPC, Application: protocols.HTTP2})
+ waitForConnectionsWithProtocol(t, tr, targetAddr, srv.Addr, &protocols.Stack{Api: protocols.GRPC, Application: protocols.HTTP2})
})
}
@@ -837,7 +832,7 @@ func testHTTPGoTLSCaptureNewProcess(t *testing.T, cfg *config.Config) {
// Setup
closeServer := testutil.HTTPServer(t, serverAddr, testutil.Options{
EnableTLS: true,
- EnableKeepAlive: true,
+ EnableKeepAlive: false,
})
t.Cleanup(closeServer)
@@ -878,7 +873,7 @@ func testHTTPGoTLSCaptureAlreadyRunning(t *testing.T, cfg *config.Config) {
// Setup
closeServer := testutil.HTTPServer(t, serverAddr, testutil.Options{
EnableTLS: true,
- EnableKeepAlive: true,
+ EnableKeepAlive: false,
})
t.Cleanup(closeServer)
diff --git a/pkg/network/usm/ebpf_main.go b/pkg/network/usm/ebpf_main.go
index 795fdd677c431..a3da4d7a3b1a5 100644
--- a/pkg/network/usm/ebpf_main.go
+++ b/pkg/network/usm/ebpf_main.go
@@ -78,7 +78,7 @@ type ebpfProgram struct {
disabledProtocols []*protocols.ProtocolSpec
// Used for connection_protocol data expiration
- mapCleaner *ddebpf.MapCleaner
+ mapCleaner *ddebpf.MapCleaner[netebpf.ConnTuple, netebpf.ProtocolStackWrapper]
buildMode buildmode.Type
}
@@ -170,6 +170,16 @@ func (e *ebpfProgram) Init() error {
}
func (e *ebpfProgram) Start() error {
+ // Mainly for tests, but possible for other cases as well, we might have a nil (not shared) connection protocol map
+ // between NPM and USM. In such a case we just create our own instance, but we don't modify the
+ // `e.connectionProtocolMap` field.
+ if e.connectionProtocolMap == nil {
+ m, _, err := e.GetMap(probes.ConnectionProtocolMap)
+ if err != nil {
+ return err
+ }
+ e.connectionProtocolMap = m
+ }
mapCleaner, err := e.setupMapCleaner()
if err != nil {
log.Errorf("error creating map cleaner: %s", err)
@@ -403,21 +413,15 @@ func (e *ebpfProgram) init(buf bytecode.AssetReader, options manager.Options) er
const connProtoTTL = 3 * time.Minute
const connProtoCleaningInterval = 5 * time.Minute
-func (e *ebpfProgram) setupMapCleaner() (*ddebpf.MapCleaner, error) {
- mapCleaner, err := ddebpf.NewMapCleaner(e.connectionProtocolMap, new(netebpf.ConnTuple), new(netebpf.ProtocolStackWrapper))
+func (e *ebpfProgram) setupMapCleaner() (*ddebpf.MapCleaner[netebpf.ConnTuple, netebpf.ProtocolStackWrapper], error) {
+ mapCleaner, err := ddebpf.NewMapCleaner[netebpf.ConnTuple, netebpf.ProtocolStackWrapper](e.connectionProtocolMap, 1024)
if err != nil {
return nil, err
}
ttl := connProtoTTL.Nanoseconds()
- mapCleaner.Clean(connProtoCleaningInterval, nil, nil, func(now int64, key, val interface{}) bool {
- protoStack, ok := val.(*netebpf.ProtocolStackWrapper)
- if !ok {
- return false
- }
-
- updated := int64(protoStack.Updated)
- return (now - updated) > ttl
+ mapCleaner.Clean(connProtoCleaningInterval, nil, nil, func(now int64, key netebpf.ConnTuple, val netebpf.ProtocolStackWrapper) bool {
+ return (now - int64(val.Updated)) > ttl
})
return mapCleaner, nil
diff --git a/pkg/network/usm/monitor_test.go b/pkg/network/usm/monitor_test.go
index b53137822cf1f..32979f26b31fc 100644
--- a/pkg/network/usm/monitor_test.go
+++ b/pkg/network/usm/monitor_test.go
@@ -617,7 +617,8 @@ func (s *USMHTTP2Suite) TestHTTP2ManyDifferentPaths() {
defer monitor.Stop()
// Should be bigger than the length of the http2_dynamic_table which is 1024
- numberOfRequests := 1500
+ const numberOfRequests = 1500
+ const expectedNumberOfRequests = numberOfRequests * 2
clients := getClientsArray(t, 1)
for i := 0; i < numberOfRequests; i++ {
for j := 0; j < 2; j++ {
@@ -647,7 +648,9 @@ func (s *USMHTTP2Suite) TestHTTP2ManyDifferentPaths() {
}
}
- return matches.Load() == 2*numberOfRequests
+ // Due to a known issue in http2, we might consider an RST packet as a response to a request and therefore
+ // we might capture a request twice. This is why we are expecting to see 2*numberOfRequests instead of
+ return expectedNumberOfRequests <= matches.Load() && matches.Load() <= expectedNumberOfRequests+1
}, time.Second*10, time.Millisecond*100, "%v != %v", &matches, 2*numberOfRequests)
for i := 0; i < numberOfRequests; i++ {
diff --git a/pkg/process/procutil/process_windows.go b/pkg/process/procutil/process_windows.go
index 9598414f3c4a4..1661cdc954f6e 100644
--- a/pkg/process/procutil/process_windows.go
+++ b/pkg/process/procutil/process_windows.go
@@ -16,8 +16,8 @@ import (
"golang.org/x/sys/windows"
"github.com/DataDog/datadog-agent/pkg/util/log"
+ "github.com/DataDog/datadog-agent/pkg/util/pdhutil"
"github.com/DataDog/datadog-agent/pkg/util/winutil"
- "github.com/DataDog/datadog-agent/pkg/util/winutil/pdhutil"
)
var (
diff --git a/pkg/security/config/config.go b/pkg/security/config/config.go
index f6a10cecea925..5a6d88539c7f8 100644
--- a/pkg/security/config/config.go
+++ b/pkg/security/config/config.go
@@ -127,8 +127,6 @@ type RuntimeSecurityConfig struct {
ActivityDumpSilentWorkloadsDelay time.Duration
// ActivityDumpSilentWorkloadsTicker configures ticker that will check if a workload is silent and should be traced
ActivityDumpSilentWorkloadsTicker time.Duration
- // ActivityDumpAutoSuppressionEnabled do not send event if part of a profile
- ActivityDumpAutoSuppressionEnabled bool
// # Dynamic configuration fields:
// ActivityDumpMaxDumpSize defines the maximum size of a dump
@@ -148,6 +146,8 @@ type RuntimeSecurityConfig struct {
SecurityProfileRCEnabled bool
// SecurityProfileDNSMatchMaxDepth defines the max depth of subdomain to be matched for DNS anomaly detection (0 to match everything)
SecurityProfileDNSMatchMaxDepth int
+ // SecurityProfileAutoSuppressionEnabled do not send event if part of a profile
+ SecurityProfileAutoSuppressionEnabled bool
// AnomalyDetectionEventTypes defines the list of events that should be allowed to generate anomaly detections
AnomalyDetectionEventTypes []model.EventType
@@ -179,6 +179,8 @@ type RuntimeSecurityConfig struct {
AnomalyDetectionTagRulesEnabled bool
// AnomalyDetectionSilentRuleEventsEnabled do not send rule event if also part of an anomaly event
AnomalyDetectionSilentRuleEventsEnabled bool
+ // AnomalyDetectionEnabled defines if we should send anomaly detection events
+ AnomalyDetectionEnabled bool
// SBOMResolverEnabled defines if the SBOM resolver should be enabled
SBOMResolverEnabled bool
@@ -203,6 +205,11 @@ type RuntimeSecurityConfig struct {
// UserSessionsCacheSize defines the size of the User Sessions cache size
UserSessionsCacheSize int
+
+ // EBPFLessEnabled enables the ebpfless probe
+ EBPFLessEnabled bool
+ // EBPFLessSocket defines the socket used for the communication between system-probe and the ebpfless source
+ EBPFLessSocket string
}
// Config defines a security config
@@ -282,7 +289,6 @@ func NewRuntimeSecurityConfig() (*RuntimeSecurityConfig, error) {
ActivityDumpSilentWorkloadsDelay: coreconfig.SystemProbe.GetDuration("runtime_security_config.activity_dump.silent_workloads.delay"),
ActivityDumpSilentWorkloadsTicker: coreconfig.SystemProbe.GetDuration("runtime_security_config.activity_dump.silent_workloads.ticker"),
ActivityDumpWorkloadDenyList: coreconfig.SystemProbe.GetStringSlice("runtime_security_config.activity_dump.workload_deny_list"),
- ActivityDumpAutoSuppressionEnabled: coreconfig.SystemProbe.GetBool("runtime_security_config.security_profile.anomaly_detection.auto_suppression.enabled"),
// activity dump dynamic fields
ActivityDumpMaxDumpSize: func() int {
mds := coreconfig.SystemProbe.GetInt("runtime_security_config.activity_dump.max_dump_size")
@@ -306,13 +312,14 @@ func NewRuntimeSecurityConfig() (*RuntimeSecurityConfig, error) {
HashResolverCacheSize: coreconfig.SystemProbe.GetInt("runtime_security_config.hash_resolver.cache_size"),
// security profiles
- SecurityProfileEnabled: coreconfig.SystemProbe.GetBool("runtime_security_config.security_profile.enabled"),
- SecurityProfileDir: coreconfig.SystemProbe.GetString("runtime_security_config.security_profile.dir"),
- SecurityProfileWatchDir: coreconfig.SystemProbe.GetBool("runtime_security_config.security_profile.watch_dir"),
- SecurityProfileCacheSize: coreconfig.SystemProbe.GetInt("runtime_security_config.security_profile.cache_size"),
- SecurityProfileMaxCount: coreconfig.SystemProbe.GetInt("runtime_security_config.security_profile.max_count"),
- SecurityProfileRCEnabled: coreconfig.SystemProbe.GetBool("runtime_security_config.security_profile.remote_configuration.enabled"),
- SecurityProfileDNSMatchMaxDepth: coreconfig.SystemProbe.GetInt("runtime_security_config.security_profile.dns_match_max_depth"),
+ SecurityProfileEnabled: coreconfig.SystemProbe.GetBool("runtime_security_config.security_profile.enabled"),
+ SecurityProfileDir: coreconfig.SystemProbe.GetString("runtime_security_config.security_profile.dir"),
+ SecurityProfileWatchDir: coreconfig.SystemProbe.GetBool("runtime_security_config.security_profile.watch_dir"),
+ SecurityProfileCacheSize: coreconfig.SystemProbe.GetInt("runtime_security_config.security_profile.cache_size"),
+ SecurityProfileMaxCount: coreconfig.SystemProbe.GetInt("runtime_security_config.security_profile.max_count"),
+ SecurityProfileRCEnabled: coreconfig.SystemProbe.GetBool("runtime_security_config.security_profile.remote_configuration.enabled"),
+ SecurityProfileDNSMatchMaxDepth: coreconfig.SystemProbe.GetInt("runtime_security_config.security_profile.dns_match_max_depth"),
+ SecurityProfileAutoSuppressionEnabled: coreconfig.SystemProbe.GetBool("runtime_security_config.security_profile.auto_suppression.enabled"),
// anomaly detection
AnomalyDetectionEventTypes: parseEventTypeStringSlice(coreconfig.SystemProbe.GetStringSlice("runtime_security_config.security_profile.anomaly_detection.event_types")),
@@ -329,6 +336,10 @@ func NewRuntimeSecurityConfig() (*RuntimeSecurityConfig, error) {
// User Sessions
UserSessionsCacheSize: coreconfig.SystemProbe.GetInt("runtime_security_config.user_sessions.cache_size"),
+
+ // ebpf less
+ EBPFLessEnabled: coreconfig.SystemProbe.GetBool("runtime_security_config.ebpfless.enabled"),
+ EBPFLessSocket: coreconfig.SystemProbe.GetString("runtime_security_config.ebpfless.socket"),
}
if err := rsConfig.sanitize(); err != nil {
diff --git a/pkg/security/ebpf/c/include/constants/custom.h b/pkg/security/ebpf/c/include/constants/custom.h
index cbea2e31a7f03..6112a27c6f87d 100644
--- a/pkg/security/ebpf/c/include/constants/custom.h
+++ b/pkg/security/ebpf/c/include/constants/custom.h
@@ -51,8 +51,6 @@ enum DENTRY_RESOLVER_KEYS {
DR_DENTRY_RESOLVER_KERN_KEY,
DR_AD_FILTER_KEY,
DR_ERPC_KEY,
- DR_ERPC_PARENT_KEY,
- DR_ERPC_SEGMENT_KEY,
};
#define DR_ERPC_BUFFER_LENGTH 8*4096
diff --git a/pkg/security/ebpf/c/include/constants/enums.h b/pkg/security/ebpf/c/include/constants/enums.h
index c85a4cdaf1121..3d9f059eb3a2c 100644
--- a/pkg/security/ebpf/c/include/constants/enums.h
+++ b/pkg/security/ebpf/c/include/constants/enums.h
@@ -162,9 +162,9 @@ enum erpc_op {
UNKNOWN_OP,
DISCARD_INODE_OP,
DISCARD_PID_OP,
- RESOLVE_SEGMENT_OP,
+ RESOLVE_SEGMENT_OP, // DEPRECATED
RESOLVE_PATH_OP,
- RESOLVE_PARENT_OP,
+ RESOLVE_PARENT_OP, // DEPRECATED
REGISTER_SPAN_TLS_OP, // can be used outside of the CWS, do not change the value
EXPIRE_INODE_DISCARDER_OP,
EXPIRE_PID_DISCARDER_OP,
diff --git a/pkg/security/ebpf/c/include/helpers/erpc.h b/pkg/security/ebpf/c/include/helpers/erpc.h
index 4d77b2b1c56f2..a71b5c83d1059 100644
--- a/pkg/security/ebpf/c/include/helpers/erpc.h
+++ b/pkg/security/ebpf/c/include/helpers/erpc.h
@@ -121,12 +121,8 @@ int __attribute__((always_inline)) handle_erpc_request(ctx_t *ctx) {
}
switch (op) {
- case RESOLVE_SEGMENT_OP:
- return handle_dr_request(ctx, data, DR_ERPC_SEGMENT_KEY); // func (dr *DentryResolver) ResolveFromERPC in the userspace code side triggers handle_dr_request
case RESOLVE_PATH_OP:
return handle_dr_request(ctx, data, DR_ERPC_KEY);
- case RESOLVE_PARENT_OP:
- return handle_dr_request(ctx, data, DR_ERPC_PARENT_KEY);
case USER_SESSION_CONTEXT_OP:
return handle_register_user_session(data);
case REGISTER_SPAN_TLS_OP:
diff --git a/pkg/security/ebpf/c/include/hooks/dentry_resolver.h b/pkg/security/ebpf/c/include/hooks/dentry_resolver.h
index 866f241e41818..0e4a7310afef5 100644
--- a/pkg/security/ebpf/c/include/hooks/dentry_resolver.h
+++ b/pkg/security/ebpf/c/include/hooks/dentry_resolver.h
@@ -41,7 +41,7 @@ int __attribute__((always_inline)) resolve_dentry_tail_call(void *ctx, struct de
next_key.mount_id = 0;
}
- if (input->discarder_type && i <= 3) {
+ if (input->discarder_type && input->iteration == 1 && i <= 3) {
params->discarder.path_key.ino = key.ino;
params->discarder.path_key.mount_id = key.mount_id;
params->discarder.is_leaf = i == 0;
@@ -296,208 +296,6 @@ int tail_call_target_dentry_resolver_erpc_mmap(ctx_t *ctx) {
return dentry_resolver_erpc_mmap(ctx, DR_KPROBE_OR_FENTRY);
}
-int __attribute__((always_inline)) dentry_resolver_segment_erpc_write_user(void *ctx) {
- u32 key = 0;
- u32 resolution_err = 0;
-
- struct dr_erpc_state_t *state = bpf_map_lookup_elem(&dr_erpc_state, &key);
- if (state == NULL) {
- return 0;
- }
-
- // resolve segment and write in buffer
- struct path_key_t path_key = state->key;
- struct path_leaf_t *map_value = bpf_map_lookup_elem(&pathnames, &path_key);
- if (map_value == NULL) {
- resolution_err = DR_ERPC_CACHE_MISS;
- goto exit;
- }
-
- if (map_value->len + sizeof(key) > state->buffer_size) {
- // make sure we do not write outside of the provided buffer
- resolution_err = DR_ERPC_BUFFER_SIZE;
- goto exit;
- }
-
- int ret = bpf_probe_write_user((void *) state->userspace_buffer, &state->key, sizeof(state->key));
- if (ret < 0) {
- resolution_err = ret == -14 ? DR_ERPC_WRITE_PAGE_FAULT : DR_ERPC_UNKNOWN_ERROR;
- goto exit;
- }
- ret = bpf_probe_write_user((void *) state->userspace_buffer + offsetof(struct path_key_t, path_id), &state->challenge, sizeof(state->challenge));
- if (ret < 0) {
- resolution_err = ret == -14 ? DR_ERPC_WRITE_PAGE_FAULT : DR_ERPC_UNKNOWN_ERROR;
- goto exit;
- }
-
- ret = bpf_probe_write_user((void *) state->userspace_buffer + sizeof(state->key), map_value->name, DR_MAX_SEGMENT_LENGTH + 1);
- if (ret < 0) {
- resolution_err = ret == -14 ? DR_ERPC_WRITE_PAGE_FAULT : DR_ERPC_UNKNOWN_ERROR;
- goto exit;
- }
-
-exit:
- monitor_resolution_err(resolution_err);
- return 0;
-}
-
-TAIL_CALL_TARGET("dentry_resolver_segment_erpc_write_user")
-int tail_call_target_dentry_resolver_segment_erpc_write_user(ctx_t *ctx) {
- return dentry_resolver_segment_erpc_write_user(ctx);
-}
-
-int __attribute__((always_inline)) dentry_resolver_segment_erpc_mmap(void *ctx) {
- u32 key = 0;
- u32 resolution_err = 0;
- char *mmapped_userspace_buffer = NULL;
-
- struct dr_erpc_state_t *state = bpf_map_lookup_elem(&dr_erpc_state, &key);
- if (state == NULL) {
- return 0;
- }
-
- mmapped_userspace_buffer = bpf_map_lookup_elem(&dr_erpc_buffer, &key);
- if (mmapped_userspace_buffer == NULL) {
- resolution_err = DR_ERPC_UNKNOWN_ERROR;
- goto exit;
- }
-
- // resolve segment and write in buffer
- struct path_key_t path_key = state->key;
- struct path_leaf_t *map_value = bpf_map_lookup_elem(&pathnames, &path_key);
- if (map_value == NULL) {
- resolution_err = DR_ERPC_CACHE_MISS;
- goto exit;
- }
-
- if (map_value->len + sizeof(key) > state->buffer_size) {
- // make sure we do not write outside of the provided buffer
- resolution_err = DR_ERPC_BUFFER_SIZE;
- goto exit;
- }
-
- int ret = bpf_probe_read((void *) mmapped_userspace_buffer, sizeof(state->key), &state->key);
- if (ret < 0) {
- resolution_err = ret == -14 ? DR_ERPC_WRITE_PAGE_FAULT : DR_ERPC_UNKNOWN_ERROR;
- goto exit;
- }
-
- ret = bpf_probe_read((void *) mmapped_userspace_buffer + (offsetof(struct path_key_t, path_id) & 0x7FFF), sizeof(state->challenge), &state->challenge);
- if (ret < 0) {
- resolution_err = ret == -14 ? DR_ERPC_WRITE_PAGE_FAULT : DR_ERPC_UNKNOWN_ERROR;
- goto exit;
- }
-
- ret = bpf_probe_read((void *) mmapped_userspace_buffer + (sizeof(state->key) & 0x7FFF), DR_MAX_SEGMENT_LENGTH + 1, map_value->name);
- if (ret < 0) {
- resolution_err = ret == -14 ? DR_ERPC_WRITE_PAGE_FAULT : DR_ERPC_UNKNOWN_ERROR;
- goto exit;
- }
-
-exit:
- monitor_resolution_err(resolution_err);
- return 0;
-}
-
-TAIL_CALL_TARGET("dentry_resolver_segment_erpc_mmap")
-int tail_call_target_dentry_resolver_segment_erpc_mmap(ctx_t *ctx) {
- return dentry_resolver_segment_erpc_mmap(ctx);
-}
-
-int __attribute__((always_inline)) dentry_resolver_parent_erpc_write_user(void *ctx) {
- u32 key = 0;
- u32 resolution_err = 0;
-
- struct dr_erpc_state_t *state = bpf_map_lookup_elem(&dr_erpc_state, &key);
- if (state == NULL) {
- return 0;
- }
-
- // resolve segment and write in buffer
- struct path_key_t path_key = state->key;
- struct path_leaf_t *map_value = bpf_map_lookup_elem(&pathnames, &path_key);
- if (map_value == NULL) {
- resolution_err = DR_ERPC_CACHE_MISS;
- goto exit;
- }
-
- if (sizeof(map_value->parent) > state->buffer_size) {
- // make sure we do not write outside of the provided buffer
- resolution_err = DR_ERPC_BUFFER_SIZE;
- goto exit;
- }
-
- int ret = bpf_probe_write_user((void *) state->userspace_buffer, &map_value->parent, sizeof(map_value->parent));
- if (ret < 0) {
- resolution_err = ret == -14 ? DR_ERPC_WRITE_PAGE_FAULT : DR_ERPC_UNKNOWN_ERROR;
- goto exit;
- }
- ret = bpf_probe_write_user((void *) state->userspace_buffer + offsetof(struct path_key_t, path_id), &state->challenge, sizeof(state->challenge));
- if (ret < 0) {
- resolution_err = ret == -14 ? DR_ERPC_WRITE_PAGE_FAULT : DR_ERPC_UNKNOWN_ERROR;
- goto exit;
- }
-
-exit:
- monitor_resolution_err(resolution_err);
- return 0;
-}
-
-TAIL_CALL_TARGET("dentry_resolver_parent_erpc_write_user")
-int tail_call_target_dentry_resolver_parent_erpc_write_user(ctx_t *ctx) {
- return dentry_resolver_parent_erpc_write_user(ctx);
-}
-
-int __attribute__((always_inline)) dentry_resolver_parent_erpc_mmap(void *ctx) {
- u32 key = 0;
- u32 resolution_err = 0;
- char *mmapped_userspace_buffer = NULL;
-
- struct dr_erpc_state_t *state = bpf_map_lookup_elem(&dr_erpc_state, &key);
- if (state == NULL) {
- return 0;
- }
-
- mmapped_userspace_buffer = bpf_map_lookup_elem(&dr_erpc_buffer, &key);
- if (mmapped_userspace_buffer == NULL) {
- resolution_err = DR_ERPC_UNKNOWN_ERROR;
- goto exit;
- }
-
- // resolve segment and write in buffer
- struct path_key_t path_key = state->key;
- struct path_leaf_t *map_value = bpf_map_lookup_elem(&pathnames, &path_key);
- if (map_value == NULL) {
- resolution_err = DR_ERPC_CACHE_MISS;
- goto exit;
- }
-
- if (sizeof(map_value->parent) > state->buffer_size) {
- // make sure we do not write outside of the provided buffer
- resolution_err = DR_ERPC_BUFFER_SIZE;
- goto exit;
- }
-
- int ret = bpf_probe_read((void *) mmapped_userspace_buffer, sizeof(map_value->parent), &map_value->parent);
- if (ret < 0) {
- resolution_err = ret == -14 ? DR_ERPC_WRITE_PAGE_FAULT : DR_ERPC_UNKNOWN_ERROR;
- goto exit;
- }
- ret = bpf_probe_read((void *) mmapped_userspace_buffer + (offsetof(struct path_key_t, path_id) & 0x7FFF), sizeof(state->challenge), &state->challenge);
- if (ret < 0) {
- resolution_err = ret == -14 ? DR_ERPC_WRITE_PAGE_FAULT : DR_ERPC_UNKNOWN_ERROR;
- goto exit;
- }
-
-exit:
- monitor_resolution_err(resolution_err);
- return 0;
-}
-
-TAIL_CALL_TARGET("dentry_resolver_parent_erpc_mmap")
-int tail_call_target_dentry_resolver_parent_erpc_mmap(ctx_t *ctx) {
- return dentry_resolver_parent_erpc_mmap(ctx);
-}
TAIL_CALL_TARGET("dentry_resolver_ad_filter")
int tail_call_target_dentry_resolver_ad_filter(ctx_t *ctx) {
diff --git a/pkg/security/ebpf/probes/all.go b/pkg/security/ebpf/probes/all.go
index ff84ce189ac02..f29b392f9bdee 100644
--- a/pkg/security/ebpf/probes/all.go
+++ b/pkg/security/ebpf/probes/all.go
@@ -257,8 +257,6 @@ func AllTailRoutes(ERPCDentryResolutionEnabled, networkEnabled, supportMmapableM
func AllBPFProbeWriteUserProgramFunctions() []string {
return []string{
"tail_call_target_dentry_resolver_erpc_write_user",
- "tail_call_target_dentry_resolver_parent_erpc_write_user",
- "tail_call_target_dentry_resolver_segment_erpc_write_user",
}
}
diff --git a/pkg/security/ebpf/probes/dentry.go b/pkg/security/ebpf/probes/dentry.go
index 56a25d2eab899..866ee4d104e82 100644
--- a/pkg/security/ebpf/probes/dentry.go
+++ b/pkg/security/ebpf/probes/dentry.go
@@ -200,20 +200,6 @@ func getDentryResolverTailCallRoutes(ERPCDentryResolutionEnabled, supportMmapabl
EBPFFuncName: "tail_call_target_dentry_resolver_erpc" + ebpfSuffix,
},
},
- {
- ProgArrayName: dentryResolverProgs,
- Key: DentryResolverParentERPCKey,
- ProbeIdentificationPair: manager.ProbeIdentificationPair{
- EBPFFuncName: "tail_call_target_dentry_resolver_parent_erpc" + ebpfSuffix,
- },
- },
- {
- ProgArrayName: dentryResolverProgs,
- Key: DentryResolverSegmentERPCKey,
- ProbeIdentificationPair: manager.ProbeIdentificationPair{
- EBPFFuncName: "tail_call_target_dentry_resolver_segment_erpc" + ebpfSuffix,
- },
- },
}...)
}
diff --git a/pkg/security/module/cws_linux.go b/pkg/security/module/cws_linux.go
index c7062fc8f6983..4461174af2c10 100644
--- a/pkg/security/module/cws_linux.go
+++ b/pkg/security/module/cws_linux.go
@@ -8,6 +8,7 @@ package module
import (
"github.com/DataDog/datadog-agent/pkg/eventmonitor"
"github.com/DataDog/datadog-agent/pkg/security/config"
+ "github.com/DataDog/datadog-agent/pkg/security/probe"
)
// UpdateEventMonitorOpts adapt the event monitor options
@@ -15,6 +16,7 @@ func UpdateEventMonitorOpts(opts *eventmonitor.Opts, config *config.Config) {
opts.ProbeOpts.PathResolutionEnabled = true
opts.ProbeOpts.TTYFallbackEnabled = true
opts.ProbeOpts.SyscallsMonitorEnabled = config.Probe.SyscallsMonitorEnabled
+ opts.ProbeOpts.EBPFLessEnabled = config.RuntimeSecurity.EBPFLessEnabled
}
// DisableRuntimeSecurity disables all the runtime security features
@@ -27,7 +29,9 @@ func DisableRuntimeSecurity(config *config.Config) {
// platform specific init function
func (c *CWSConsumer) init(evm *eventmonitor.EventMonitor, config *config.RuntimeSecurityConfig, opts Opts) error { //nolint:revive // TODO fix revive unused-parameter
// Activity dumps related
- evm.Probe.AddActivityDumpHandler(c)
+ if p, ok := evm.Probe.PlatformProbe.(*probe.EBPFProbe); ok {
+ p.AddActivityDumpHandler(c)
+ }
return nil
}
diff --git a/pkg/security/module/server.go b/pkg/security/module/server.go
index dac0ddd5bdaa7..57ffae033a63f 100644
--- a/pkg/security/module/server.go
+++ b/pkg/security/module/server.go
@@ -321,7 +321,7 @@ func (a *APIServer) SendEvent(rule *rules.Rule, e events.Event, extTagsCb func()
func marshalEvent(event events.Event, probe *sprobe.Probe) ([]byte, error) {
if ev, ok := event.(*model.Event); ok {
- return serializers.MarshalEvent(ev, probe.GetResolvers())
+ return serializers.MarshalEvent(ev)
}
if ev, ok := event.(events.EventMarshaler); ok {
@@ -482,7 +482,9 @@ func newDirectReporter(stopper startstop.Stopper) (common.RawReporter, error) {
log.Info(status)
}
- reporter, err := reporter.NewCWSReporter(runPath, stopper, endpoints, destinationsCtx)
+ // we set the hostname to the empty string to take advantage of the out of the box message hostname
+ // resolution
+ reporter, err := reporter.NewCWSReporter("", runPath, stopper, endpoints, destinationsCtx)
if err != nil {
return nil, fmt.Errorf("failed to create direct reporter: %w", err)
}
diff --git a/pkg/security/module/server_linux.go b/pkg/security/module/server_linux.go
index 1c2f7db76f34f..8c3fb6c697ea2 100644
--- a/pkg/security/module/server_linux.go
+++ b/pkg/security/module/server_linux.go
@@ -12,13 +12,14 @@ import (
"errors"
"fmt"
+ "github.com/DataDog/datadog-agent/pkg/security/probe"
"github.com/DataDog/datadog-agent/pkg/security/proto/api"
"github.com/DataDog/datadog-agent/pkg/security/seclog"
"github.com/DataDog/datadog-agent/pkg/util/kernel"
)
// DumpDiscarders handles discarder dump requests
-func (a *APIServer) DumpDiscarders(ctx context.Context, params *api.DumpDiscardersParams) (*api.DumpDiscardersMessage, error) { //nolint:revive // TODO fix revive unused-parameter
+func (a *APIServer) DumpDiscarders(_ context.Context, _ *api.DumpDiscardersParams) (*api.DumpDiscardersMessage, error) {
filePath, err := a.probe.DumpDiscarders()
if err != nil {
return nil, err
@@ -29,10 +30,8 @@ func (a *APIServer) DumpDiscarders(ctx context.Context, params *api.DumpDiscarde
}
// DumpProcessCache handles process cache dump requests
-func (a *APIServer) DumpProcessCache(ctx context.Context, params *api.DumpProcessCacheParams) (*api.SecurityDumpProcessCacheMessage, error) { //nolint:revive // TODO fix revive unused-parameter
- resolvers := a.probe.GetResolvers()
-
- filename, err := resolvers.ProcessResolver.Dump(params.WithArgs)
+func (a *APIServer) DumpProcessCache(_ context.Context, params *api.DumpProcessCacheParams) (*api.SecurityDumpProcessCacheMessage, error) {
+ filename, err := a.probe.DumpProcessCache(params.WithArgs)
if err != nil {
return nil, err
}
@@ -43,8 +42,13 @@ func (a *APIServer) DumpProcessCache(ctx context.Context, params *api.DumpProces
}
// DumpActivity handle an activity dump request
-func (a *APIServer) DumpActivity(ctx context.Context, params *api.ActivityDumpParams) (*api.ActivityDumpMessage, error) { //nolint:revive // TODO fix revive unused-parameter
- if managers := a.probe.GetProfileManagers(); managers != nil {
+func (a *APIServer) DumpActivity(_ context.Context, params *api.ActivityDumpParams) (*api.ActivityDumpMessage, error) {
+ p, ok := a.probe.PlatformProbe.(*probe.EBPFProbe)
+ if !ok {
+ return nil, fmt.Errorf("not supported")
+ }
+
+ if managers := p.GetProfileManagers(); managers != nil {
msg, err := managers.DumpActivity(params)
if err != nil {
seclog.Errorf(err.Error())
@@ -56,8 +60,13 @@ func (a *APIServer) DumpActivity(ctx context.Context, params *api.ActivityDumpPa
}
// ListActivityDumps returns the list of active dumps
-func (a *APIServer) ListActivityDumps(ctx context.Context, params *api.ActivityDumpListParams) (*api.ActivityDumpListMessage, error) { //nolint:revive // TODO fix revive unused-parameter
- if managers := a.probe.GetProfileManagers(); managers != nil {
+func (a *APIServer) ListActivityDumps(_ context.Context, params *api.ActivityDumpListParams) (*api.ActivityDumpListMessage, error) {
+ p, ok := a.probe.PlatformProbe.(*probe.EBPFProbe)
+ if !ok {
+ return nil, fmt.Errorf("not supported")
+ }
+
+ if managers := p.GetProfileManagers(); managers != nil {
msg, err := managers.ListActivityDumps(params)
if err != nil {
seclog.Errorf(err.Error())
@@ -69,8 +78,13 @@ func (a *APIServer) ListActivityDumps(ctx context.Context, params *api.ActivityD
}
// StopActivityDump stops an active activity dump if it exists
-func (a *APIServer) StopActivityDump(ctx context.Context, params *api.ActivityDumpStopParams) (*api.ActivityDumpStopMessage, error) { //nolint:revive // TODO fix revive unused-parameter
- if managers := a.probe.GetProfileManagers(); managers != nil {
+func (a *APIServer) StopActivityDump(_ context.Context, params *api.ActivityDumpStopParams) (*api.ActivityDumpStopMessage, error) {
+ p, ok := a.probe.PlatformProbe.(*probe.EBPFProbe)
+ if !ok {
+ return nil, fmt.Errorf("not supported")
+ }
+
+ if managers := p.GetProfileManagers(); managers != nil {
msg, err := managers.StopActivityDump(params)
if err != nil {
seclog.Errorf(err.Error())
@@ -82,8 +96,13 @@ func (a *APIServer) StopActivityDump(ctx context.Context, params *api.ActivityDu
}
// TranscodingRequest encodes an activity dump following the requested parameters
-func (a *APIServer) TranscodingRequest(ctx context.Context, params *api.TranscodingRequestParams) (*api.TranscodingRequestMessage, error) { //nolint:revive // TODO fix revive unused-parameter
- if managers := a.probe.GetProfileManagers(); managers != nil {
+func (a *APIServer) TranscodingRequest(_ context.Context, params *api.TranscodingRequestParams) (*api.TranscodingRequestMessage, error) {
+ p, ok := a.probe.PlatformProbe.(*probe.EBPFProbe)
+ if !ok {
+ return nil, fmt.Errorf("not supported")
+ }
+
+ if managers := p.GetProfileManagers(); managers != nil {
msg, err := managers.GenerateTranscoding(params)
if err != nil {
seclog.Errorf(err.Error())
@@ -95,8 +114,13 @@ func (a *APIServer) TranscodingRequest(ctx context.Context, params *api.Transcod
}
// ListSecurityProfiles returns the list of security profiles
-func (a *APIServer) ListSecurityProfiles(ctx context.Context, params *api.SecurityProfileListParams) (*api.SecurityProfileListMessage, error) { //nolint:revive // TODO fix revive unused-parameter
- if managers := a.probe.GetProfileManagers(); managers != nil {
+func (a *APIServer) ListSecurityProfiles(_ context.Context, params *api.SecurityProfileListParams) (*api.SecurityProfileListMessage, error) {
+ p, ok := a.probe.PlatformProbe.(*probe.EBPFProbe)
+ if !ok {
+ return nil, fmt.Errorf("not supported")
+ }
+
+ if managers := p.GetProfileManagers(); managers != nil {
msg, err := managers.ListSecurityProfiles(params)
if err != nil {
seclog.Errorf(err.Error())
@@ -108,8 +132,13 @@ func (a *APIServer) ListSecurityProfiles(ctx context.Context, params *api.Securi
}
// SaveSecurityProfile saves the requested security profile to disk
-func (a *APIServer) SaveSecurityProfile(ctx context.Context, params *api.SecurityProfileSaveParams) (*api.SecurityProfileSaveMessage, error) { //nolint:revive // TODO fix revive unused-parameter
- if managers := a.probe.GetProfileManagers(); managers != nil {
+func (a *APIServer) SaveSecurityProfile(_ context.Context, params *api.SecurityProfileSaveParams) (*api.SecurityProfileSaveMessage, error) {
+ p, ok := a.probe.PlatformProbe.(*probe.EBPFProbe)
+ if !ok {
+ return nil, fmt.Errorf("not supported")
+ }
+
+ if managers := p.GetProfileManagers(); managers != nil {
msg, err := managers.SaveSecurityProfile(params)
if err != nil {
seclog.Errorf(err.Error())
@@ -121,32 +150,39 @@ func (a *APIServer) SaveSecurityProfile(ctx context.Context, params *api.Securit
}
// GetStatus returns the status of the module
-func (a *APIServer) GetStatus(ctx context.Context, params *api.GetStatusParams) (*api.Status, error) { //nolint:revive // TODO fix revive unused-parameter
- status, err := a.probe.GetConstantFetcherStatus()
- if err != nil {
- return nil, err
+func (a *APIServer) GetStatus(_ context.Context, _ *api.GetStatusParams) (*api.Status, error) {
+ apiStatus := &api.Status{
+ SelfTests: a.selfTester.GetStatus(),
}
- constants := make([]*api.ConstantValueAndSource, 0, len(status.Values))
- for _, v := range status.Values {
- constants = append(constants, &api.ConstantValueAndSource{
- ID: v.ID,
- Value: v.Value,
- Source: v.FetcherName,
- })
- }
+ p, ok := a.probe.PlatformProbe.(*probe.EBPFProbe)
+ if ok {
+ status, err := p.GetConstantFetcherStatus()
+ if err != nil {
+ return nil, err
+ }
- apiStatus := &api.Status{
- Environment: &api.EnvironmentStatus{
+ constants := make([]*api.ConstantValueAndSource, 0, len(status.Values))
+ for _, v := range status.Values {
+ constants = append(constants, &api.ConstantValueAndSource{
+ ID: v.ID,
+ Value: v.Value,
+ Source: v.FetcherName,
+ })
+ }
+
+ apiStatus.Environment = &api.EnvironmentStatus{
Constants: &api.ConstantFetcherStatus{
Fetchers: status.Fetchers,
Values: constants,
},
- },
- SelfTests: a.selfTester.GetStatus(),
+ KernelLockdown: string(kernel.GetLockdownMode()),
+ UseMmapableMaps: p.GetKernelVersion().HaveMmapableMaps(),
+ UseRingBuffer: p.UseRingBuffers(),
+ }
}
- envErrors := a.probe.VerifyEnvironment()
+ envErrors := p.VerifyEnvironment()
if envErrors != nil {
apiStatus.Environment.Warnings = make([]string, len(envErrors.Errors))
for i, err := range envErrors.Errors {
@@ -154,20 +190,21 @@ func (a *APIServer) GetStatus(ctx context.Context, params *api.GetStatusParams)
}
}
- apiStatus.Environment.KernelLockdown = string(kernel.GetLockdownMode())
- apiStatus.Environment.UseMmapableMaps = a.probe.GetKernelVersion().HaveMmapableMaps()
- apiStatus.Environment.UseRingBuffer = a.probe.UseRingBuffers()
-
return apiStatus, nil
}
// DumpNetworkNamespace handles network namespace cache dump requests
-func (a *APIServer) DumpNetworkNamespace(ctx context.Context, params *api.DumpNetworkNamespaceParams) (*api.DumpNetworkNamespaceMessage, error) { //nolint:revive // TODO fix revive unused-parameter
- return a.probe.GetResolvers().NamespaceResolver.DumpNetworkNamespaces(params), nil
+func (a *APIServer) DumpNetworkNamespace(_ context.Context, params *api.DumpNetworkNamespaceParams) (*api.DumpNetworkNamespaceMessage, error) {
+ p, ok := a.probe.PlatformProbe.(*probe.EBPFProbe)
+ if !ok {
+ return nil, fmt.Errorf("not supported")
+ }
+
+ return p.Resolvers.NamespaceResolver.DumpNetworkNamespaces(params), nil
}
// RunSelfTest runs self test and then reload the current policies
-func (a *APIServer) RunSelfTest(ctx context.Context, params *api.RunSelfTestParams) (*api.SecuritySelfTestResultMessage, error) { //nolint:revive // TODO fix revive unused-parameter
+func (a *APIServer) RunSelfTest(_ context.Context, _ *api.RunSelfTestParams) (*api.SecuritySelfTestResultMessage, error) {
if a.cwsConsumer == nil {
return nil, errors.New("failed to found module in APIServer")
}
diff --git a/pkg/security/probe/constantfetch/btfhub/constants.json b/pkg/security/probe/constantfetch/btfhub/constants.json
index e940c12db3191..4f33d57a1a90d 100644
--- a/pkg/security/probe/constantfetch/btfhub/constants.json
+++ b/pkg/security/probe/constantfetch/btfhub/constants.json
@@ -1,5 +1,5 @@
{
- "commit": "0810ea32e42a7caeeb884d6d34e5d80ab06b5396",
+ "commit": "b6b3f8186864ec31c48168c1cc1bce70aac65da0",
"constants": [
{
"binprm_file_offset": 168,
@@ -14140,6 +14140,13 @@
"uname_release": "3.10.0-1160.105.1.0.1.el7.x86_64",
"cindex": 82
},
+ {
+ "distrib": "ol",
+ "version": "7",
+ "arch": "x86_64",
+ "uname_release": "3.10.0-1160.105.1.0.2.el7.x86_64",
+ "cindex": 82
+ },
{
"distrib": "ol",
"version": "7",
@@ -18438,6 +18445,13 @@
"uname_release": "4.14.35-2047.532.2.el7uek.x86_64",
"cindex": 86
},
+ {
+ "distrib": "ol",
+ "version": "7",
+ "arch": "x86_64",
+ "uname_release": "4.14.35-2047.532.3.el7uek.x86_64",
+ "cindex": 86
+ },
{
"distrib": "ol",
"version": "7",
diff --git a/pkg/security/probe/custom_events.go b/pkg/security/probe/custom_events.go
index 7982299d99b92..5556080dfb4f2 100644
--- a/pkg/security/probe/custom_events.go
+++ b/pkg/security/probe/custom_events.go
@@ -90,15 +90,15 @@ func (a AbnormalEvent) ToJSON() ([]byte, error) {
}
// NewAbnormalEvent returns the rule and a populated custom event for a abnormal event
-func NewAbnormalEvent(id string, description string, event *model.Event, probe *Probe, err error) (*rules.Rule, *events.CustomEvent) {
+func NewAbnormalEvent(id string, description string, event *model.Event, err error) (*rules.Rule, *events.CustomEvent) {
marshalerCtor := func() events.EventMarshaler {
evt := AbnormalEvent{
- Event: serializers.NewEventSerializer(event, probe.resolvers),
+ Event: serializers.NewEventSerializer(event),
Error: err.Error(),
}
evt.FillCustomEventCommonFields()
// Overwrite common timestamp with event timestamp
- evt.Timestamp = event.FieldHandlers.ResolveEventTime(event)
+ evt.Timestamp = event.ResolveEventTime()
return evt
}
diff --git a/pkg/security/probe/discarders_linux.go b/pkg/security/probe/discarders_linux.go
index 49e3cd446ca42..335a7df2e60f3 100644
--- a/pkg/security/probe/discarders_linux.go
+++ b/pkg/security/probe/discarders_linux.go
@@ -55,7 +55,7 @@ var (
recentlyAddedTimeout = uint64(2 * time.Second.Nanoseconds())
)
-type onDiscarderHandler func(rs *rules.RuleSet, event *model.Event, probe *Probe, discarder Discarder) (bool, error)
+type onDiscarderHandler func(rs *rules.RuleSet, event *model.Event, probe *EBPFProbe, discarder Discarder) (bool, error)
var (
allDiscarderHandlers = make(map[eval.EventType][]onDiscarderHandler)
@@ -446,7 +446,7 @@ func (id *inodeDiscarders) discardParentInode(req *erpc.Request, rs *rules.RuleS
type inodeEventGetter = func(event *model.Event) (eval.Field, *model.FileEvent, bool)
func filenameDiscarderWrapper(eventType model.EventType, getter inodeEventGetter) onDiscarderHandler {
- return func(rs *rules.RuleSet, event *model.Event, probe *Probe, discarder Discarder) (bool, error) {
+ return func(rs *rules.RuleSet, event *model.Event, probe *EBPFProbe, discarder Discarder) (bool, error) {
field, fileEvent, isDeleted := getter(event)
if fileEvent.PathResolutionError != nil {
diff --git a/pkg/security/probe/erpc/erpc.go b/pkg/security/probe/erpc/erpc.go
index 3970ac1cedc4a..ffe7a525b1a8e 100644
--- a/pkg/security/probe/erpc/erpc.go
+++ b/pkg/security/probe/erpc/erpc.go
@@ -26,11 +26,11 @@ const (
DiscardInodeOp = iota + 1
// DiscardPidOp discards a pid
DiscardPidOp
- // ResolveSegmentOp resolves the requested segment
+ // ResolveSegmentOp resolves the requested segment (DEPRECATED)
ResolveSegmentOp
// ResolvePathOp resolves the requested path
ResolvePathOp
- // ResolveParentOp resolves the parent of the provide path key
+ // ResolveParentOp resolves the parent of the provide path key (DEPRECATED)
ResolveParentOp
// RegisterSpanTLSOP is used for span TLS registration
RegisterSpanTLSOP
diff --git a/pkg/security/probe/eventstream/ringbuffer/ringbuffer.go b/pkg/security/probe/eventstream/ringbuffer/ringbuffer.go
index 4b8117d385923..4748691f3e7a6 100644
--- a/pkg/security/probe/eventstream/ringbuffer/ringbuffer.go
+++ b/pkg/security/probe/eventstream/ringbuffer/ringbuffer.go
@@ -13,6 +13,7 @@ import (
"sync"
manager "github.com/DataDog/ebpf-manager"
+ "github.com/cilium/ebpf/ringbuf"
"github.com/DataDog/datadog-agent/pkg/security/probe/config"
"github.com/DataDog/datadog-agent/pkg/security/probe/eventstream"
@@ -23,6 +24,7 @@ import (
type RingBuffer struct {
ringBuffer *manager.RingBuffer
handler func(int, []byte)
+ recordPool *sync.Pool
}
// Init the ring buffer
@@ -33,7 +35,10 @@ func (rb *RingBuffer) Init(mgr *manager.Manager, config *config.Config) error {
}
rb.ringBuffer.RingBufferOptions = manager.RingBufferOptions{
- DataHandler: rb.handleEvent,
+ RecordGetter: func() *ringbuf.Record {
+ return rb.recordPool.Get().(*ringbuf.Record)
+ },
+ RecordHandler: rb.handleEvent,
}
if config.EventStreamBufferSize != 0 {
@@ -51,8 +56,9 @@ func (rb *RingBuffer) Start(wg *sync.WaitGroup) error {
// SetMonitor set the monitor
func (rb *RingBuffer) SetMonitor(counter eventstream.LostEventCounter) {}
-func (rb *RingBuffer) handleEvent(CPU int, data []byte, ringBuffer *manager.RingBuffer, manager *manager.Manager) {
- rb.handler(CPU, data)
+func (rb *RingBuffer) handleEvent(record *ringbuf.Record, _ *manager.RingBuffer, _ *manager.Manager) {
+ rb.handler(0, record.RawSample)
+ rb.recordPool.Put(record)
}
// Pause the event stream. Do nothing when using ring buffer
@@ -67,7 +73,14 @@ func (rb *RingBuffer) Resume() error {
// New returns a new ring buffer based event stream.
func New(handler func(int, []byte)) *RingBuffer {
+ recordPool := &sync.Pool{
+ New: func() interface{} {
+ return new(ringbuf.Record)
+ },
+ }
+
return &RingBuffer{
- handler: handler,
+ recordPool: recordPool,
+ handler: handler,
}
}
diff --git a/pkg/security/probe/field_handlers.go b/pkg/security/probe/field_handlers.go
index 5f9ea48b7ac5c..942b154d116a3 100644
--- a/pkg/security/probe/field_handlers.go
+++ b/pkg/security/probe/field_handlers.go
@@ -12,20 +12,9 @@ import (
"sort"
"strings"
- "github.com/DataDog/datadog-agent/pkg/security/resolvers"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
)
-// FieldHandlers defines a field handlers
-type FieldHandlers struct {
- resolvers *resolvers.Resolvers
-}
-
-// ResolveEventTimestamp resolves the monolitic kernel event timestamp to an absolute time
-func (fh *FieldHandlers) ResolveEventTimestamp(ev *model.Event, e *model.BaseEvent) int {
- return int(fh.ResolveEventTime(ev).UnixNano())
-}
-
func bestGuessServiceTag(serviceValues []string) string {
if len(serviceValues) == 0 {
return ""
@@ -51,13 +40,8 @@ func bestGuessServiceTag(serviceValues []string) string {
return serviceValues[0]
}
-// GetProcessService returns the service tag based on the process context
-func (fh *FieldHandlers) GetProcessService(ev *model.Event) string {
- entry, _ := fh.ResolveProcessCacheEntry(ev)
- if entry == nil {
- return ""
- }
-
+// getProcessService returns the service tag based on the process context
+func getProcessService(entry *model.ProcessCacheEntry) string {
var serviceValues []string
// first search in the process context itself
@@ -84,76 +68,3 @@ func (fh *FieldHandlers) GetProcessService(ev *model.Event) string {
return bestGuessServiceTag(serviceValues)
}
-
-// ResolveContainerID resolves the container ID of the event
-func (fh *FieldHandlers) ResolveContainerID(ev *model.Event, e *model.ContainerContext) string {
- if len(e.ID) == 0 {
- if entry, _ := fh.ResolveProcessCacheEntry(ev); entry != nil {
- e.ID = entry.ContainerID
- }
- }
- return e.ID
-}
-
-// ResolveContainerCreatedAt resolves the container creation time of the event
-func (fh *FieldHandlers) ResolveContainerCreatedAt(ev *model.Event, e *model.ContainerContext) int {
- if e.CreatedAt == 0 {
- if containerContext, _ := fh.ResolveContainerContext(ev); containerContext != nil {
- e.CreatedAt = containerContext.CreatedAt
- }
- }
- return int(e.CreatedAt)
-}
-
-// ResolveContainerTags resolves the container tags of the event
-func (fh *FieldHandlers) ResolveContainerTags(_ *model.Event, e *model.ContainerContext) []string {
- if len(e.Tags) == 0 && e.ID != "" {
- e.Tags = fh.resolvers.TagsResolver.Resolve(e.ID)
- }
- return e.Tags
-}
-
-// ResolveProcessCreatedAt resolves process creation time
-func (fh *FieldHandlers) ResolveProcessCreatedAt(_ *model.Event, e *model.Process) int {
- return int(e.ExecTime.UnixNano())
-}
-
-// ResolveK8SUsername resolves the k8s username of the event
-func (fh *FieldHandlers) ResolveK8SUsername(_ *model.Event, evtCtx *model.UserSessionContext) string {
- if !evtCtx.Resolved {
- if ctx := fh.resolvers.UserSessions.ResolveUserSession(evtCtx.ID); ctx != nil {
- *evtCtx = *ctx
- }
- }
- return evtCtx.K8SUsername
-}
-
-// ResolveK8SUID resolves the k8s UID of the event
-func (fh *FieldHandlers) ResolveK8SUID(_ *model.Event, evtCtx *model.UserSessionContext) string {
- if !evtCtx.Resolved {
- if ctx := fh.resolvers.UserSessions.ResolveUserSession(evtCtx.ID); ctx != nil {
- *evtCtx = *ctx
- }
- }
- return evtCtx.K8SUID
-}
-
-// ResolveK8SGroups resolves the k8s groups of the event
-func (fh *FieldHandlers) ResolveK8SGroups(_ *model.Event, evtCtx *model.UserSessionContext) []string {
- if !evtCtx.Resolved {
- if ctx := fh.resolvers.UserSessions.ResolveUserSession(evtCtx.ID); ctx != nil {
- *evtCtx = *ctx
- }
- }
- return evtCtx.K8SGroups
-}
-
-// ResolveK8SExtra resolves the k8s extra of the event
-func (fh *FieldHandlers) ResolveK8SExtra(_ *model.Event, evtCtx *model.UserSessionContext) map[string][]string {
- if !evtCtx.Resolved {
- if ctx := fh.resolvers.UserSessions.ResolveUserSession(evtCtx.ID); ctx != nil {
- *evtCtx = *ctx
- }
- }
- return evtCtx.K8SExtra
-}
diff --git a/pkg/security/probe/field_handlers_linux.go b/pkg/security/probe/field_handlers_ebpf.go
similarity index 59%
rename from pkg/security/probe/field_handlers_linux.go
rename to pkg/security/probe/field_handlers_ebpf.go
index 9fed217d89869..d84f914907b73 100644
--- a/pkg/security/probe/field_handlers_linux.go
+++ b/pkg/security/probe/field_handlers_ebpf.go
@@ -3,6 +3,8 @@
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
+//go:build linux
+
// Package probe holds probe related files
package probe
@@ -12,14 +14,20 @@ import (
"syscall"
"time"
+ "github.com/DataDog/datadog-agent/pkg/security/resolvers"
sprocess "github.com/DataDog/datadog-agent/pkg/security/resolvers/process"
"github.com/DataDog/datadog-agent/pkg/security/secl/args"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
)
+// EBPFFieldHandlers defines a field handlers
+type EBPFFieldHandlers struct {
+ resolvers *resolvers.EBPFResolvers
+}
+
// ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event
-func (fh *FieldHandlers) ResolveProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool) {
+func (fh *EBPFFieldHandlers) ResolveProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool) {
if ev.PIDContext.IsKworker {
return model.GetPlaceholderProcessCacheEntry(ev.PIDContext.Pid, ev.PIDContext.Tid, true), false
}
@@ -37,7 +45,7 @@ func (fh *FieldHandlers) ResolveProcessCacheEntry(ev *model.Event) (*model.Proce
}
// ResolveFilePath resolves the inode to a full path
-func (fh *FieldHandlers) ResolveFilePath(ev *model.Event, f *model.FileEvent) string {
+func (fh *EBPFFieldHandlers) ResolveFilePath(ev *model.Event, f *model.FileEvent) string {
if !f.IsPathnameStrResolved && len(f.PathnameStr) == 0 {
path, err := fh.resolvers.PathResolver.ResolveFileFieldsPath(&f.FileFields, &ev.PIDContext, ev.ContainerContext)
if err != nil {
@@ -50,7 +58,7 @@ func (fh *FieldHandlers) ResolveFilePath(ev *model.Event, f *model.FileEvent) st
}
// ResolveFileBasename resolves the inode to a full path
-func (fh *FieldHandlers) ResolveFileBasename(ev *model.Event, f *model.FileEvent) string {
+func (fh *EBPFFieldHandlers) ResolveFileBasename(_ *model.Event, f *model.FileEvent) string {
if !f.IsBasenameStrResolved && len(f.BasenameStr) == 0 {
if f.PathnameStr != "" {
f.SetBasenameStr(path.Base(f.PathnameStr))
@@ -62,7 +70,7 @@ func (fh *FieldHandlers) ResolveFileBasename(ev *model.Event, f *model.FileEvent
}
// ResolveFileFilesystem resolves the filesystem a file resides in
-func (fh *FieldHandlers) ResolveFileFilesystem(ev *model.Event, f *model.FileEvent) string {
+func (fh *EBPFFieldHandlers) ResolveFileFilesystem(ev *model.Event, f *model.FileEvent) string {
if f.Filesystem == "" {
if f.IsFileless() {
f.Filesystem = model.TmpFS
@@ -78,22 +86,22 @@ func (fh *FieldHandlers) ResolveFileFilesystem(ev *model.Event, f *model.FileEve
}
// ResolveProcessArgsFlags resolves the arguments flags of the event
-func (fh *FieldHandlers) ResolveProcessArgsFlags(ev *model.Event, process *model.Process) (flags []string) {
+func (fh *EBPFFieldHandlers) ResolveProcessArgsFlags(ev *model.Event, process *model.Process) (flags []string) {
return args.ParseProcessFlags(fh.ResolveProcessArgv(ev, process))
}
// ResolveProcessArgsOptions resolves the arguments options of the event
-func (fh *FieldHandlers) ResolveProcessArgsOptions(ev *model.Event, process *model.Process) (options []string) {
+func (fh *EBPFFieldHandlers) ResolveProcessArgsOptions(ev *model.Event, process *model.Process) (options []string) {
return args.ParseProcessOptions(fh.ResolveProcessArgv(ev, process))
}
// ResolveFileFieldsInUpperLayer resolves whether the file is in an upper layer
-func (fh *FieldHandlers) ResolveFileFieldsInUpperLayer(ev *model.Event, f *model.FileFields) bool {
+func (fh *EBPFFieldHandlers) ResolveFileFieldsInUpperLayer(_ *model.Event, f *model.FileFields) bool {
return f.GetInUpperLayer()
}
// ResolveXAttrName returns the string representation of the extended attribute name
-func (fh *FieldHandlers) ResolveXAttrName(ev *model.Event, e *model.SetXAttrEvent) string {
+func (fh *EBPFFieldHandlers) ResolveXAttrName(_ *model.Event, e *model.SetXAttrEvent) string {
if len(e.Name) == 0 {
e.Name, _ = model.UnmarshalString(e.NameRaw[:], 200)
}
@@ -101,7 +109,7 @@ func (fh *FieldHandlers) ResolveXAttrName(ev *model.Event, e *model.SetXAttrEven
}
// ResolveXAttrNamespace returns the string representation of the extended attribute namespace
-func (fh *FieldHandlers) ResolveXAttrNamespace(ev *model.Event, e *model.SetXAttrEvent) string {
+func (fh *EBPFFieldHandlers) ResolveXAttrNamespace(ev *model.Event, e *model.SetXAttrEvent) string {
if len(e.Namespace) == 0 {
ns, _, found := strings.Cut(fh.ResolveXAttrName(ev, e), ".")
if found {
@@ -112,7 +120,7 @@ func (fh *FieldHandlers) ResolveXAttrNamespace(ev *model.Event, e *model.SetXAtt
}
// ResolveMountPointPath resolves a mount point path
-func (fh *FieldHandlers) ResolveMountPointPath(ev *model.Event, e *model.MountEvent) string {
+func (fh *EBPFFieldHandlers) ResolveMountPointPath(ev *model.Event, e *model.MountEvent) string {
if len(e.MountPointPath) == 0 {
mountPointPath, err := fh.resolvers.MountResolver.ResolveMountPath(e.MountID, 0, ev.PIDContext.Pid, ev.ContainerContext.ID)
if err != nil {
@@ -125,7 +133,7 @@ func (fh *FieldHandlers) ResolveMountPointPath(ev *model.Event, e *model.MountEv
}
// ResolveMountSourcePath resolves a mount source path
-func (fh *FieldHandlers) ResolveMountSourcePath(ev *model.Event, e *model.MountEvent) string {
+func (fh *EBPFFieldHandlers) ResolveMountSourcePath(ev *model.Event, e *model.MountEvent) string {
if e.BindSrcMountID != 0 && len(e.MountSourcePath) == 0 {
bindSourceMountPath, err := fh.resolvers.MountResolver.ResolveMountPath(e.BindSrcMountID, 0, ev.PIDContext.Pid, ev.ContainerContext.ID)
if err != nil {
@@ -142,8 +150,21 @@ func (fh *FieldHandlers) ResolveMountSourcePath(ev *model.Event, e *model.MountE
return e.MountSourcePath
}
+// ResolveMountRootPath resolves a mount root path
+func (fh *EBPFFieldHandlers) ResolveMountRootPath(ev *model.Event, e *model.MountEvent) string {
+ if len(e.MountRootPath) == 0 {
+ mountRootPath, err := fh.resolvers.MountResolver.ResolveMountRoot(e.MountID, 0, ev.PIDContext.Pid, ev.ContainerContext.ID)
+ if err != nil {
+ e.MountRootPathResolutionError = err
+ return ""
+ }
+ e.MountRootPath = mountRootPath
+ }
+ return e.MountRootPath
+}
+
// ResolveContainerContext queries the cgroup resolver to retrieve the ContainerContext of the event
-func (fh *FieldHandlers) ResolveContainerContext(ev *model.Event) (*model.ContainerContext, bool) {
+func (fh *EBPFFieldHandlers) ResolveContainerContext(ev *model.Event) (*model.ContainerContext, bool) {
if ev.ContainerContext.ID != "" && !ev.ContainerContext.Resolved {
if containerContext, _ := fh.resolvers.CGroupResolver.GetWorkload(ev.ContainerContext.ID); containerContext != nil {
ev.ContainerContext = &containerContext.ContainerContext
@@ -154,12 +175,12 @@ func (fh *FieldHandlers) ResolveContainerContext(ev *model.Event) (*model.Contai
}
// ResolveRights resolves the rights of a file
-func (fh *FieldHandlers) ResolveRights(ev *model.Event, e *model.FileFields) int {
+func (fh *EBPFFieldHandlers) ResolveRights(_ *model.Event, e *model.FileFields) int {
return int(e.Mode) & (syscall.S_ISUID | syscall.S_ISGID | syscall.S_ISVTX | syscall.S_IRWXU | syscall.S_IRWXG | syscall.S_IRWXO)
}
// ResolveChownUID resolves the ResolveProcessCacheEntry id of a chown event to a username
-func (fh *FieldHandlers) ResolveChownUID(ev *model.Event, e *model.ChownEvent) string {
+func (fh *EBPFFieldHandlers) ResolveChownUID(ev *model.Event, e *model.ChownEvent) string {
if len(e.User) == 0 {
e.User, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.UID), ev.ContainerContext.ID)
}
@@ -167,7 +188,7 @@ func (fh *FieldHandlers) ResolveChownUID(ev *model.Event, e *model.ChownEvent) s
}
// ResolveChownGID resolves the group id of a chown event to a group name
-func (fh *FieldHandlers) ResolveChownGID(ev *model.Event, e *model.ChownEvent) string {
+func (fh *EBPFFieldHandlers) ResolveChownGID(ev *model.Event, e *model.ChownEvent) string {
if len(e.Group) == 0 {
e.Group, _ = fh.resolvers.UserGroupResolver.ResolveGroup(int(e.GID), ev.ContainerContext.ID)
}
@@ -175,54 +196,59 @@ func (fh *FieldHandlers) ResolveChownGID(ev *model.Event, e *model.ChownEvent) s
}
// ResolveProcessArgv0 resolves the first arg of the event
-func (fh *FieldHandlers) ResolveProcessArgv0(ev *model.Event, process *model.Process) string {
+func (fh *EBPFFieldHandlers) ResolveProcessArgv0(_ *model.Event, process *model.Process) string {
arg0, _ := sprocess.GetProcessArgv0(process)
return arg0
}
// ResolveProcessArgs resolves the args of the event
-func (fh *FieldHandlers) ResolveProcessArgs(ev *model.Event, process *model.Process) string {
+func (fh *EBPFFieldHandlers) ResolveProcessArgs(ev *model.Event, process *model.Process) string {
return strings.Join(fh.ResolveProcessArgv(ev, process), " ")
}
+// ResolveProcessArgsScrubbed resolves the args of the event
+func (fh *EBPFFieldHandlers) ResolveProcessArgsScrubbed(ev *model.Event, process *model.Process) string {
+ return strings.Join(fh.ResolveProcessArgvScrubbed(ev, process), " ")
+}
+
// ResolveProcessArgv resolves the unscrubbed args of the process as an array. Use with caution.
-func (fh *FieldHandlers) ResolveProcessArgv(ev *model.Event, process *model.Process) []string {
+func (fh *EBPFFieldHandlers) ResolveProcessArgv(_ *model.Event, process *model.Process) []string {
argv, _ := sprocess.GetProcessArgv(process)
return argv
}
// ResolveProcessArgvScrubbed resolves the args of the process as an array
-func (fh *FieldHandlers) ResolveProcessArgvScrubbed(ev *model.Event, process *model.Process) []string { //nolint:revive // TODO fix revive unused-parameter
+func (fh *EBPFFieldHandlers) ResolveProcessArgvScrubbed(_ *model.Event, process *model.Process) []string {
argv, _ := fh.resolvers.ProcessResolver.GetProcessArgvScrubbed(process)
return argv
}
// ResolveProcessEnvp resolves the envp of the event as an array
-func (fh *FieldHandlers) ResolveProcessEnvp(ev *model.Event, process *model.Process) []string {
+func (fh *EBPFFieldHandlers) ResolveProcessEnvp(_ *model.Event, process *model.Process) []string {
envp, _ := fh.resolvers.ProcessResolver.GetProcessEnvp(process)
return envp
}
// ResolveProcessArgsTruncated returns whether the args are truncated
-func (fh *FieldHandlers) ResolveProcessArgsTruncated(ev *model.Event, process *model.Process) bool {
+func (fh *EBPFFieldHandlers) ResolveProcessArgsTruncated(_ *model.Event, process *model.Process) bool {
_, truncated := sprocess.GetProcessArgv(process)
return truncated
}
// ResolveProcessEnvsTruncated returns whether the envs are truncated
-func (fh *FieldHandlers) ResolveProcessEnvsTruncated(ev *model.Event, process *model.Process) bool {
+func (fh *EBPFFieldHandlers) ResolveProcessEnvsTruncated(_ *model.Event, process *model.Process) bool {
_, truncated := fh.resolvers.ProcessResolver.GetProcessEnvs(process)
return truncated
}
// ResolveProcessEnvs resolves the unscrubbed envs of the event. Use with caution.
-func (fh *FieldHandlers) ResolveProcessEnvs(ev *model.Event, process *model.Process) []string {
+func (fh *EBPFFieldHandlers) ResolveProcessEnvs(_ *model.Event, process *model.Process) []string {
envs, _ := fh.resolvers.ProcessResolver.GetProcessEnvs(process)
return envs
}
// ResolveSetuidUser resolves the user of the Setuid event
-func (fh *FieldHandlers) ResolveSetuidUser(ev *model.Event, e *model.SetuidEvent) string {
+func (fh *EBPFFieldHandlers) ResolveSetuidUser(ev *model.Event, e *model.SetuidEvent) string {
if len(e.User) == 0 {
e.User, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.UID), ev.ContainerContext.ID)
}
@@ -230,7 +256,7 @@ func (fh *FieldHandlers) ResolveSetuidUser(ev *model.Event, e *model.SetuidEvent
}
// ResolveSetuidEUser resolves the effective user of the Setuid event
-func (fh *FieldHandlers) ResolveSetuidEUser(ev *model.Event, e *model.SetuidEvent) string {
+func (fh *EBPFFieldHandlers) ResolveSetuidEUser(ev *model.Event, e *model.SetuidEvent) string {
if len(e.EUser) == 0 {
e.EUser, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.EUID), ev.ContainerContext.ID)
}
@@ -238,7 +264,7 @@ func (fh *FieldHandlers) ResolveSetuidEUser(ev *model.Event, e *model.SetuidEven
}
// ResolveSetuidFSUser resolves the file-system user of the Setuid event
-func (fh *FieldHandlers) ResolveSetuidFSUser(ev *model.Event, e *model.SetuidEvent) string {
+func (fh *EBPFFieldHandlers) ResolveSetuidFSUser(ev *model.Event, e *model.SetuidEvent) string {
if len(e.FSUser) == 0 {
e.FSUser, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.FSUID), ev.ContainerContext.ID)
}
@@ -246,7 +272,7 @@ func (fh *FieldHandlers) ResolveSetuidFSUser(ev *model.Event, e *model.SetuidEve
}
// ResolveSetgidGroup resolves the group of the Setgid event
-func (fh *FieldHandlers) ResolveSetgidGroup(ev *model.Event, e *model.SetgidEvent) string {
+func (fh *EBPFFieldHandlers) ResolveSetgidGroup(ev *model.Event, e *model.SetgidEvent) string {
if len(e.Group) == 0 {
e.Group, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.GID), ev.ContainerContext.ID)
}
@@ -254,7 +280,7 @@ func (fh *FieldHandlers) ResolveSetgidGroup(ev *model.Event, e *model.SetgidEven
}
// ResolveSetgidEGroup resolves the effective group of the Setgid event
-func (fh *FieldHandlers) ResolveSetgidEGroup(ev *model.Event, e *model.SetgidEvent) string {
+func (fh *EBPFFieldHandlers) ResolveSetgidEGroup(ev *model.Event, e *model.SetgidEvent) string {
if len(e.EGroup) == 0 {
e.EGroup, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.EGID), ev.ContainerContext.ID)
}
@@ -262,7 +288,7 @@ func (fh *FieldHandlers) ResolveSetgidEGroup(ev *model.Event, e *model.SetgidEve
}
// ResolveSetgidFSGroup resolves the file-system group of the Setgid event
-func (fh *FieldHandlers) ResolveSetgidFSGroup(ev *model.Event, e *model.SetgidEvent) string {
+func (fh *EBPFFieldHandlers) ResolveSetgidFSGroup(ev *model.Event, e *model.SetgidEvent) string {
if len(e.FSGroup) == 0 {
e.FSGroup, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.FSGID), ev.ContainerContext.ID)
}
@@ -270,7 +296,7 @@ func (fh *FieldHandlers) ResolveSetgidFSGroup(ev *model.Event, e *model.SetgidEv
}
// ResolveSELinuxBoolName resolves the boolean name of the SELinux event
-func (fh *FieldHandlers) ResolveSELinuxBoolName(ev *model.Event, e *model.SELinuxEvent) string {
+func (fh *EBPFFieldHandlers) ResolveSELinuxBoolName(_ *model.Event, e *model.SELinuxEvent) string {
if e.EventKind != model.SELinuxBoolChangeEventKind {
return ""
}
@@ -282,7 +308,7 @@ func (fh *FieldHandlers) ResolveSELinuxBoolName(ev *model.Event, e *model.SELinu
}
// GetProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event
-func (fh *FieldHandlers) GetProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool) {
+func (fh *EBPFFieldHandlers) GetProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool) {
ev.ProcessCacheEntry = fh.resolvers.ProcessResolver.Resolve(ev.PIDContext.Pid, ev.PIDContext.Tid, ev.PIDContext.ExecInode, false)
if ev.ProcessCacheEntry == nil {
ev.ProcessCacheEntry = model.GetPlaceholderProcessCacheEntry(ev.PIDContext.Pid, ev.PIDContext.Tid, false)
@@ -292,7 +318,7 @@ func (fh *FieldHandlers) GetProcessCacheEntry(ev *model.Event) (*model.ProcessCa
}
// ResolveFileFieldsGroup resolves the group id of the file to a group name
-func (fh *FieldHandlers) ResolveFileFieldsGroup(ev *model.Event, e *model.FileFields) string {
+func (fh *EBPFFieldHandlers) ResolveFileFieldsGroup(ev *model.Event, e *model.FileFields) string {
if len(e.Group) == 0 {
e.Group, _ = fh.resolvers.UserGroupResolver.ResolveGroup(int(e.GID), ev.ContainerContext.ID)
}
@@ -300,7 +326,7 @@ func (fh *FieldHandlers) ResolveFileFieldsGroup(ev *model.Event, e *model.FileFi
}
// ResolveNetworkDeviceIfName returns the network iterface name from the network context
-func (fh *FieldHandlers) ResolveNetworkDeviceIfName(ev *model.Event, device *model.NetworkDeviceContext) string {
+func (fh *EBPFFieldHandlers) ResolveNetworkDeviceIfName(_ *model.Event, device *model.NetworkDeviceContext) string {
if len(device.IfName) == 0 && fh.resolvers.TCResolver != nil {
ifName, ok := fh.resolvers.TCResolver.ResolveNetworkDeviceIfName(device.IfIndex, device.NetNS)
if ok {
@@ -312,17 +338,31 @@ func (fh *FieldHandlers) ResolveNetworkDeviceIfName(ev *model.Event, device *mod
}
// ResolveFileFieldsUser resolves the user id of the file to a username
-func (fh *FieldHandlers) ResolveFileFieldsUser(ev *model.Event, e *model.FileFields) string {
+func (fh *EBPFFieldHandlers) ResolveFileFieldsUser(ev *model.Event, e *model.FileFields) string {
if len(e.User) == 0 {
e.User, _ = fh.resolvers.UserGroupResolver.ResolveUser(int(e.UID), ev.ContainerContext.ID)
}
return e.User
}
+// ResolveEventTimestamp resolves the monolitic kernel event timestamp to an absolute time
+func (fh *EBPFFieldHandlers) ResolveEventTimestamp(ev *model.Event, e *model.BaseEvent) int {
+ return int(fh.ResolveEventTime(ev, e).UnixNano())
+}
+
+// GetProcessService returns the service tag based on the process context
+func (fh *EBPFFieldHandlers) GetProcessService(ev *model.Event) string {
+ entry, _ := fh.ResolveProcessCacheEntry(ev)
+ if entry == nil {
+ return ""
+ }
+ return getProcessService(entry)
+}
+
// ResolveEventTime resolves the monolitic kernel event timestamp to an absolute time
-func (fh *FieldHandlers) ResolveEventTime(ev *model.Event) time.Time {
+func (fh *EBPFFieldHandlers) ResolveEventTime(ev *model.Event, _ *model.BaseEvent) time.Time {
if ev.Timestamp.IsZero() {
- fh := ev.FieldHandlers.(*FieldHandlers)
+ fh := ev.FieldHandlers.(*EBPFFieldHandlers)
ev.Timestamp = fh.resolvers.TimeResolver.ResolveMonotonicTimestamp(ev.TimestampRaw)
if ev.Timestamp.IsZero() {
@@ -333,13 +373,13 @@ func (fh *FieldHandlers) ResolveEventTime(ev *model.Event) time.Time {
}
// ResolveAsync resolves the async flag
-func (fh *FieldHandlers) ResolveAsync(ev *model.Event) bool {
+func (fh *EBPFFieldHandlers) ResolveAsync(ev *model.Event) bool {
ev.Async = ev.Flags&model.EventFlagsAsync > 0
return ev.Async
}
// ResolvePackageName resolves the name of the package providing this file
-func (fh *FieldHandlers) ResolvePackageName(ev *model.Event, f *model.FileEvent) string {
+func (fh *EBPFFieldHandlers) ResolvePackageName(ev *model.Event, f *model.FileEvent) string {
if f.PkgName == "" {
// Force the resolution of file path to be able to map to a package provided file
if fh.ResolveFilePath(ev, f) == "" {
@@ -358,7 +398,7 @@ func (fh *FieldHandlers) ResolvePackageName(ev *model.Event, f *model.FileEvent)
}
// ResolvePackageVersion resolves the version of the package providing this file
-func (fh *FieldHandlers) ResolvePackageVersion(ev *model.Event, f *model.FileEvent) string {
+func (fh *EBPFFieldHandlers) ResolvePackageVersion(ev *model.Event, f *model.FileEvent) string {
if f.PkgVersion == "" {
// Force the resolution of file path to be able to map to a package provided file
if fh.ResolveFilePath(ev, f) == "" {
@@ -377,7 +417,7 @@ func (fh *FieldHandlers) ResolvePackageVersion(ev *model.Event, f *model.FileEve
}
// ResolvePackageSourceVersion resolves the version of the source package of the package providing this file
-func (fh *FieldHandlers) ResolvePackageSourceVersion(ev *model.Event, f *model.FileEvent) string {
+func (fh *EBPFFieldHandlers) ResolvePackageSourceVersion(ev *model.Event, f *model.FileEvent) string {
if f.PkgSrcVersion == "" {
// Force the resolution of file path to be able to map to a package provided file
if fh.ResolveFilePath(ev, f) == "" {
@@ -396,7 +436,7 @@ func (fh *FieldHandlers) ResolvePackageSourceVersion(ev *model.Event, f *model.F
}
// ResolveModuleArgv resolves the unscrubbed args of the module as an array. Use with caution.
-func (fh *FieldHandlers) ResolveModuleArgv(ev *model.Event, module *model.LoadModuleEvent) []string {
+func (fh *EBPFFieldHandlers) ResolveModuleArgv(_ *model.Event, module *model.LoadModuleEvent) []string {
// strings.Split return [""] if args is empty, so we do a manual check before
if len(module.Args) == 0 {
module.Argv = nil
@@ -411,7 +451,7 @@ func (fh *FieldHandlers) ResolveModuleArgv(ev *model.Event, module *model.LoadMo
}
// ResolveModuleArgs resolves the correct args if the arguments were truncated, if not return module.Args
-func (fh *FieldHandlers) ResolveModuleArgs(ev *model.Event, module *model.LoadModuleEvent) string {
+func (fh *EBPFFieldHandlers) ResolveModuleArgs(_ *model.Event, module *model.LoadModuleEvent) string {
if module.ArgsTruncated {
argsTmp := strings.Split(module.Args, " ")
argsTmp = argsTmp[:len(argsTmp)-1]
@@ -421,11 +461,84 @@ func (fh *FieldHandlers) ResolveModuleArgs(ev *model.Event, module *model.LoadMo
}
// ResolveHashesFromEvent resolves the hashes of the requested event
-func (fh *FieldHandlers) ResolveHashesFromEvent(ev *model.Event, f *model.FileEvent) []string {
+func (fh *EBPFFieldHandlers) ResolveHashesFromEvent(ev *model.Event, f *model.FileEvent) []string {
return fh.resolvers.HashResolver.ComputeHashesFromEvent(ev, f)
}
// ResolveHashes resolves the hashes of the requested file event
-func (fh *FieldHandlers) ResolveHashes(eventType model.EventType, process *model.Process, file *model.FileEvent) []string {
+func (fh *EBPFFieldHandlers) ResolveHashes(eventType model.EventType, process *model.Process, file *model.FileEvent) []string {
return fh.resolvers.HashResolver.ComputeHashes(eventType, process, file)
}
+
+// ResolveContainerID resolves the container ID of the event
+func (fh *EBPFFieldHandlers) ResolveContainerID(ev *model.Event, e *model.ContainerContext) string {
+ if len(e.ID) == 0 {
+ if entry, _ := fh.ResolveProcessCacheEntry(ev); entry != nil {
+ e.ID = entry.ContainerID
+ }
+ }
+ return e.ID
+}
+
+// ResolveContainerCreatedAt resolves the container creation time of the event
+func (fh *EBPFFieldHandlers) ResolveContainerCreatedAt(ev *model.Event, e *model.ContainerContext) int {
+ if e.CreatedAt == 0 {
+ if containerContext, _ := fh.ResolveContainerContext(ev); containerContext != nil {
+ e.CreatedAt = containerContext.CreatedAt
+ }
+ }
+ return int(e.CreatedAt)
+}
+
+// ResolveContainerTags resolves the container tags of the event
+func (fh *EBPFFieldHandlers) ResolveContainerTags(_ *model.Event, e *model.ContainerContext) []string {
+ if len(e.Tags) == 0 && e.ID != "" {
+ e.Tags = fh.resolvers.TagsResolver.Resolve(e.ID)
+ }
+ return e.Tags
+}
+
+// ResolveProcessCreatedAt resolves process creation time
+func (fh *EBPFFieldHandlers) ResolveProcessCreatedAt(_ *model.Event, e *model.Process) int {
+ return int(e.ExecTime.UnixNano())
+}
+
+// ResolveK8SUsername resolves the k8s username of the event
+func (fh *EBPFFieldHandlers) ResolveK8SUsername(_ *model.Event, evtCtx *model.UserSessionContext) string {
+ if !evtCtx.Resolved {
+ if ctx := fh.resolvers.UserSessions.ResolveUserSession(evtCtx.ID); ctx != nil {
+ *evtCtx = *ctx
+ }
+ }
+ return evtCtx.K8SUsername
+}
+
+// ResolveK8SUID resolves the k8s UID of the event
+func (fh *EBPFFieldHandlers) ResolveK8SUID(_ *model.Event, evtCtx *model.UserSessionContext) string {
+ if !evtCtx.Resolved {
+ if ctx := fh.resolvers.UserSessions.ResolveUserSession(evtCtx.ID); ctx != nil {
+ *evtCtx = *ctx
+ }
+ }
+ return evtCtx.K8SUID
+}
+
+// ResolveK8SGroups resolves the k8s groups of the event
+func (fh *EBPFFieldHandlers) ResolveK8SGroups(_ *model.Event, evtCtx *model.UserSessionContext) []string {
+ if !evtCtx.Resolved {
+ if ctx := fh.resolvers.UserSessions.ResolveUserSession(evtCtx.ID); ctx != nil {
+ *evtCtx = *ctx
+ }
+ }
+ return evtCtx.K8SGroups
+}
+
+// ResolveK8SExtra resolves the k8s extra of the event
+func (fh *EBPFFieldHandlers) ResolveK8SExtra(_ *model.Event, evtCtx *model.UserSessionContext) map[string][]string {
+ if !evtCtx.Resolved {
+ if ctx := fh.resolvers.UserSessions.ResolveUserSession(evtCtx.ID); ctx != nil {
+ *evtCtx = *ctx
+ }
+ }
+ return evtCtx.K8SExtra
+}
diff --git a/pkg/security/probe/field_handlers_ebpfless.go b/pkg/security/probe/field_handlers_ebpfless.go
new file mode 100644
index 0000000000000..2b873788152c5
--- /dev/null
+++ b/pkg/security/probe/field_handlers_ebpfless.go
@@ -0,0 +1,147 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build linux
+
+// Package probe holds probe related files
+package probe
+
+import (
+ "strings"
+ "time"
+
+ "github.com/DataDog/datadog-agent/pkg/security/resolvers"
+ sprocess "github.com/DataDog/datadog-agent/pkg/security/resolvers/process"
+
+ "github.com/DataDog/datadog-agent/pkg/security/secl/args"
+ "github.com/DataDog/datadog-agent/pkg/security/secl/model"
+)
+
+// EBPFLessFieldHandlers defines a field handlers
+type EBPFLessFieldHandlers struct {
+ // TODO(safchain) remove this when support for multiple platform with the same build tags is available
+ // keeping it can be dangerous as it can hide non implemented handlers
+ model.DefaultFieldHandlers
+
+ resolvers *resolvers.EBPFLessResolvers
+}
+
+// GetProcessService returns the service tag based on the process context
+func (fh *EBPFLessFieldHandlers) GetProcessService(ev *model.Event) string {
+ entry, _ := fh.ResolveProcessCacheEntry(ev)
+ if entry == nil {
+ return ""
+ }
+ return getProcessService(entry)
+}
+
+// ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event
+func (fh *EBPFLessFieldHandlers) ResolveProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool) {
+ if ev.ProcessCacheEntry == nil && ev.PIDContext.Pid != 0 {
+ ev.ProcessCacheEntry = fh.resolvers.ProcessResolver.Resolve(ev.PIDContext.Pid)
+ }
+
+ if ev.ProcessCacheEntry == nil {
+ ev.ProcessCacheEntry = model.GetPlaceholderProcessCacheEntry(ev.PIDContext.Pid, ev.PIDContext.Pid, false)
+ return ev.ProcessCacheEntry, false
+ }
+
+ return ev.ProcessCacheEntry, true
+}
+
+// ResolveFilePath resolves the inode to a full path
+func (fh *EBPFLessFieldHandlers) ResolveFilePath(_ *model.Event, f *model.FileEvent) string {
+ return f.PathnameStr
+}
+
+// ResolveFileBasename resolves the inode to a full path
+func (fh *EBPFLessFieldHandlers) ResolveFileBasename(_ *model.Event, f *model.FileEvent) string {
+ return f.BasenameStr
+}
+
+// ResolveProcessArgsFlags resolves the arguments flags of the event
+func (fh *EBPFLessFieldHandlers) ResolveProcessArgsFlags(ev *model.Event, process *model.Process) (flags []string) {
+ return args.ParseProcessFlags(fh.ResolveProcessArgv(ev, process))
+}
+
+// ResolveProcessArgsOptions resolves the arguments options of the event
+func (fh *EBPFLessFieldHandlers) ResolveProcessArgsOptions(ev *model.Event, process *model.Process) (options []string) {
+ return args.ParseProcessOptions(fh.ResolveProcessArgv(ev, process))
+}
+
+// ResolveContainerContext retrieve the ContainerContext of the event
+func (fh *EBPFLessFieldHandlers) ResolveContainerContext(ev *model.Event) (*model.ContainerContext, bool) {
+ return ev.ContainerContext, ev.ContainerContext != nil
+}
+
+// ResolveProcessArgv0 resolves the first arg of the event
+func (fh *EBPFLessFieldHandlers) ResolveProcessArgv0(_ *model.Event, process *model.Process) string {
+ arg0, _ := sprocess.GetProcessArgv0(process)
+ return arg0
+}
+
+// ResolveProcessArgs resolves the args of the event
+func (fh *EBPFLessFieldHandlers) ResolveProcessArgs(ev *model.Event, process *model.Process) string {
+ return strings.Join(fh.ResolveProcessArgv(ev, process), " ")
+}
+
+// ResolveProcessArgv resolves the unscrubbed args of the process as an array. Use with caution.
+func (fh *EBPFLessFieldHandlers) ResolveProcessArgv(_ *model.Event, process *model.Process) []string {
+ argv, _ := sprocess.GetProcessArgv(process)
+ return argv
+}
+
+// ResolveProcessArgvScrubbed resolves the args of the process as an array
+func (fh *EBPFLessFieldHandlers) ResolveProcessArgvScrubbed(_ *model.Event, process *model.Process) []string {
+ argv, _ := fh.resolvers.ProcessResolver.GetProcessArgvScrubbed(process)
+ return argv
+}
+
+// ResolveProcessArgsScrubbed resolves the args of the event
+func (fh *EBPFLessFieldHandlers) ResolveProcessArgsScrubbed(ev *model.Event, process *model.Process) string {
+ return strings.Join(fh.ResolveProcessArgvScrubbed(ev, process), " ")
+}
+
+// ResolveProcessEnvp resolves the envp of the event as an array
+func (fh *EBPFLessFieldHandlers) ResolveProcessEnvp(_ *model.Event, process *model.Process) []string {
+ envp, _ := fh.resolvers.ProcessResolver.GetProcessEnvp(process)
+ return envp
+}
+
+// ResolveProcessArgsTruncated returns whether the args are truncated
+func (fh *EBPFLessFieldHandlers) ResolveProcessArgsTruncated(_ *model.Event, process *model.Process) bool {
+ _, truncated := sprocess.GetProcessArgv(process)
+ return truncated
+}
+
+// ResolveProcessEnvsTruncated returns whether the envs are truncated
+func (fh *EBPFLessFieldHandlers) ResolveProcessEnvsTruncated(_ *model.Event, process *model.Process) bool {
+ _, truncated := fh.resolvers.ProcessResolver.GetProcessEnvs(process)
+ return truncated
+}
+
+// ResolveProcessEnvs resolves the unscrubbed envs of the event. Use with caution.
+func (fh *EBPFLessFieldHandlers) ResolveProcessEnvs(_ *model.Event, process *model.Process) []string {
+ envs, _ := fh.resolvers.ProcessResolver.GetProcessEnvs(process)
+ return envs
+}
+
+// GetProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event
+func (fh *EBPFLessFieldHandlers) GetProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool) {
+ ev.ProcessCacheEntry = fh.resolvers.ProcessResolver.Resolve(ev.PIDContext.Pid)
+ if ev.ProcessCacheEntry == nil {
+ ev.ProcessCacheEntry = model.GetPlaceholderProcessCacheEntry(ev.PIDContext.Pid, ev.PIDContext.Pid, false)
+ return ev.ProcessCacheEntry, false
+ }
+ return ev.ProcessCacheEntry, true
+}
+
+// ResolveEventTime resolves the monolitic kernel event timestamp to an absolute time
+func (fh *EBPFLessFieldHandlers) ResolveEventTime(ev *model.Event, _ *model.BaseEvent) time.Time {
+ if ev.Timestamp.IsZero() {
+ ev.Timestamp = time.Now()
+ }
+ return ev.Timestamp
+}
diff --git a/pkg/security/probe/field_handlers_windows.go b/pkg/security/probe/field_handlers_windows.go
index 427c401a9cd0f..d3ad4ee796307 100644
--- a/pkg/security/probe/field_handlers_windows.go
+++ b/pkg/security/probe/field_handlers_windows.go
@@ -9,11 +9,21 @@ package probe
import (
"time"
+ "github.com/DataDog/datadog-agent/pkg/security/resolvers"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
)
+// FieldHandlers defines a field handlers
+type FieldHandlers struct {
+ // TODO(safchain) remove this when support for multiple platform with the same build tags is available
+ // keeping it can be dangerous as it can hide non implemented handlers
+ model.DefaultFieldHandlers
+
+ resolvers *resolvers.Resolvers
+}
+
// ResolveEventTime resolves the monolitic kernel event timestamp to an absolute time
-func (fh *FieldHandlers) ResolveEventTime(ev *model.Event) time.Time {
+func (fh *FieldHandlers) ResolveEventTime(ev *model.Event, _ *model.BaseEvent) time.Time {
if ev.Timestamp.IsZero() {
ev.Timestamp = time.Now()
}
@@ -58,3 +68,12 @@ func (fh *FieldHandlers) ResolveProcessCacheEntry(ev *model.Event) (*model.Proce
return ev.ProcessCacheEntry, true
}
+
+// GetProcessService returns the service tag based on the process context
+func (fh *FieldHandlers) GetProcessService(ev *model.Event) string {
+ entry, _ := fh.ResolveProcessCacheEntry(ev)
+ if entry == nil {
+ return ""
+ }
+ return getProcessService(entry)
+}
diff --git a/pkg/security/probe/model.go b/pkg/security/probe/model.go
index 44aa73f9bc65c..aa70301434fcd 100644
--- a/pkg/security/probe/model.go
+++ b/pkg/security/probe/model.go
@@ -8,18 +8,7 @@
// Package probe holds probe related files
package probe
-import (
- "github.com/DataDog/datadog-agent/pkg/security/secl/model"
-)
-
const (
// ServiceEnvVar environment variable used to report service
ServiceEnvVar = "DD_SERVICE"
)
-
-// NewEvent returns a new event
-func NewEvent(fh *FieldHandlers) *model.Event {
- event := model.NewDefaultEvent()
- event.FieldHandlers = fh
- return event
-}
diff --git a/pkg/security/probe/model_linux.go b/pkg/security/probe/model_ebpf.go
similarity index 79%
rename from pkg/security/probe/model_linux.go
rename to pkg/security/probe/model_ebpf.go
index f353a6c7da21f..4ead826c0a544 100644
--- a/pkg/security/probe/model_linux.go
+++ b/pkg/security/probe/model_ebpf.go
@@ -3,6 +3,8 @@
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
+//go:build linux
+
// Package probe holds probe related files
package probe
@@ -14,8 +16,8 @@ import (
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
)
-// NewModel returns a new model with some extra field validation
-func NewModel(probe *Probe) *model.Model {
+// NewEBPFModel returns a new model with some extra field validation
+func NewEBPFModel(probe *EBPFProbe) *model.Model {
return &model.Model{
ExtraValidateFieldFnc: func(field eval.Field, fieldValue eval.FieldValue) error {
switch field {
@@ -34,3 +36,10 @@ func NewModel(probe *Probe) *model.Model {
},
}
}
+
+// NewEBPFEvent returns a new event
+func NewEBPFEvent(fh *EBPFFieldHandlers) *model.Event {
+ event := model.NewDefaultEvent()
+ event.FieldHandlers = fh
+ return event
+}
diff --git a/pkg/security/probe/model_ebpfless.go b/pkg/security/probe/model_ebpfless.go
new file mode 100644
index 0000000000000..9a13f7301acfb
--- /dev/null
+++ b/pkg/security/probe/model_ebpfless.go
@@ -0,0 +1,41 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build linux
+
+// Package probe holds probe related files
+package probe
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+ "github.com/DataDog/datadog-agent/pkg/security/secl/model"
+)
+
+// NewEBPFLessModel returns a new model with some extra field validation
+func NewEBPFLessModel() *model.Model {
+ return &model.Model{
+ ExtraValidateFieldFnc: func(field eval.Field, fieldValue eval.FieldValue) error {
+ // TODO(safchain) remove this check when multiple model per platform will be supported in the SECL package
+ if !strings.HasPrefix(field, "exec.") &&
+ !strings.HasPrefix(field, "exit.") &&
+ !strings.HasPrefix(field, "open.") &&
+ !strings.HasPrefix(field, "process.") &&
+ !strings.HasPrefix(field, "container.") {
+ return fmt.Errorf("%s is not available with the eBPF less version", field)
+ }
+ return nil
+ },
+ }
+}
+
+// NewEBPFLessEvent returns a new event
+func NewEBPFLessEvent(fh *EBPFLessFieldHandlers) *model.Event {
+ event := model.NewDefaultEvent()
+ event.FieldHandlers = fh
+ return event
+}
diff --git a/pkg/security/probe/model_test.go b/pkg/security/probe/model_test.go
index 36729e2390683..8530478a36a01 100644
--- a/pkg/security/probe/model_test.go
+++ b/pkg/security/probe/model_test.go
@@ -30,7 +30,7 @@ func TestProcessArgsFlags(t *testing.T) {
"-9", "-", "--",
}
- resolver, _ := process.NewResolver(&manager.Manager{}, &config.Config{}, &statsd.NoOpClient{},
+ resolver, _ := process.NewEBPFResolver(&manager.Manager{}, &config.Config{}, &statsd.NoOpClient{},
&procutil.DataScrubber{}, nil, nil, nil, nil, nil, nil, process.NewResolverOpts())
e := model.Event{
@@ -40,8 +40,8 @@ func TestProcessArgsFlags(t *testing.T) {
},
},
BaseEvent: model.BaseEvent{
- FieldHandlers: &FieldHandlers{
- resolvers: &resolvers.Resolvers{
+ FieldHandlers: &EBPFFieldHandlers{
+ resolvers: &resolvers.EBPFResolvers{
ProcessResolver: resolver,
},
},
@@ -93,7 +93,7 @@ func TestProcessArgsOptions(t *testing.T) {
"--", "---", "-9",
}
- resolver, _ := process.NewResolver(&manager.Manager{}, &config.Config{}, &statsd.NoOpClient{},
+ resolver, _ := process.NewEBPFResolver(&manager.Manager{}, &config.Config{}, &statsd.NoOpClient{},
&procutil.DataScrubber{}, nil, nil, nil, nil, nil, nil, process.NewResolverOpts())
e := model.Event{
@@ -103,8 +103,8 @@ func TestProcessArgsOptions(t *testing.T) {
},
},
BaseEvent: model.BaseEvent{
- FieldHandlers: &FieldHandlers{
- resolvers: &resolvers.Resolvers{
+ FieldHandlers: &EBPFFieldHandlers{
+ resolvers: &resolvers.EBPFResolvers{
ProcessResolver: resolver,
},
},
diff --git a/pkg/security/probe/model_windows.go b/pkg/security/probe/model_windows.go
index 43c9ba728186a..cb7520cd64691 100644
--- a/pkg/security/probe/model_windows.go
+++ b/pkg/security/probe/model_windows.go
@@ -7,10 +7,31 @@
package probe
import (
+ "fmt"
+ "strings"
+
+ "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
)
-// NewModel returns a new model with some extra field validation
-func NewModel(probe *Probe) *model.Model {
- return &model.Model{}
+// NewWindowsModel returns a new model with some extra field validation
+func NewWindowsModel(_ *WindowsProbe) *model.Model {
+ return &model.Model{
+ ExtraValidateFieldFnc: func(field eval.Field, fieldValue eval.FieldValue) error {
+ // TODO(safchain) remove this check when multiple model per platform will be supported in the SECL package
+ if !strings.HasPrefix(field, "exec.") &&
+ !strings.HasPrefix(field, "exit.") &&
+ !strings.HasPrefix(field, "process.") {
+ return fmt.Errorf("%s is not available with the Windows version", field)
+ }
+ return nil
+ },
+ }
+}
+
+// NewWindowsEvent returns a new event
+func NewWindowsEvent(fh *FieldHandlers) *model.Event {
+ event := model.NewDefaultEvent()
+ event.FieldHandlers = fh
+ return event
}
diff --git a/pkg/security/probe/opts_linux.go b/pkg/security/probe/opts_linux.go
index cd9bb52f7c7fd..4126b42b11e86 100644
--- a/pkg/security/probe/opts_linux.go
+++ b/pkg/security/probe/opts_linux.go
@@ -27,6 +27,8 @@ type Opts struct {
SyscallsMonitorEnabled bool
// TTYFallbackEnabled enable the tty procfs fallback
TTYFallbackEnabled bool
+ // EBPFLessEnabled use ebpfless source
+ EBPFLessEnabled bool
}
func (o *Opts) normalize() {
diff --git a/pkg/security/probe/probe.go b/pkg/security/probe/probe.go
index f4e6e91da5789..e5f29f320974e 100644
--- a/pkg/security/probe/probe.go
+++ b/pkg/security/probe/probe.go
@@ -9,24 +9,44 @@
package probe
import (
- "context"
"errors"
- "sync"
"time"
"github.com/DataDog/datadog-go/v5/statsd"
- "golang.org/x/time/rate"
"github.com/DataDog/datadog-agent/pkg/process/procutil"
"github.com/DataDog/datadog-agent/pkg/security/config"
"github.com/DataDog/datadog-agent/pkg/security/events"
- "github.com/DataDog/datadog-agent/pkg/security/resolvers"
+ "github.com/DataDog/datadog-agent/pkg/security/probe/kfilters"
"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
"github.com/DataDog/datadog-agent/pkg/security/seclog"
+ "github.com/DataDog/datadog-agent/pkg/security/serializers"
)
+// PlatformProbe defines a platform dependant probe
+type PlatformProbe interface {
+ Setup() error
+ Init() error
+ Start() error
+ Stop()
+ SendStats() error
+ Snapshot() error
+ Close() error
+ NewModel() *model.Model
+ DumpDiscarders() (string, error)
+ FlushDiscarders() error
+ ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)
+ OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType)
+ HandleActions(_ *rules.Rule, _ eval.Event)
+ NewEvent() *model.Event
+ GetFieldHandlers() model.FieldHandlers
+ DumpProcessCache(_ bool) (string, error)
+ AddDiscarderPushedCallback(_ DiscarderPushedCallback)
+ GetEventTags(_ string) []string
+}
+
// FullAccessEventHandler represents a handler for events sent by the probe that needs access to all the fields in the SECL model
type FullAccessEventHandler interface {
HandleEvent(event *model.Event)
@@ -43,41 +63,106 @@ type CustomEventHandler interface {
HandleCustomEvent(rule *rules.Rule, event *events.CustomEvent)
}
-// NotifyDiscarderPushedCallback describe the callback used to retrieve pushed discarders information
-type NotifyDiscarderPushedCallback func(eventType string, event *model.Event, field string)
+// DiscarderPushedCallback describe the callback used to retrieve pushed discarders information
+type DiscarderPushedCallback func(eventType string, event *model.Event, field string)
// Probe represents the runtime security eBPF probe in charge of
// setting up the required kProbes and decoding events sent from the kernel
type Probe struct {
- PlatformProbe
+ PlatformProbe PlatformProbe
// Constants and configuration
Opts Opts
Config *config.Config
StatsdClient statsd.ClientInterface
startTime time.Time
- ctx context.Context
- cancelFnc context.CancelFunc
- wg sync.WaitGroup
// internals
scrubber *procutil.DataScrubber
+ event *model.Event
// Events section
fullAccessEventHandlers [model.MaxAllEventType][]FullAccessEventHandler
eventHandlers [model.MaxAllEventType][]EventHandler
customEventHandlers [model.MaxAllEventType][]CustomEventHandler
+}
- discarderRateLimiter *rate.Limiter
- // internals
- resolvers *resolvers.Resolvers
- fieldHandlers *FieldHandlers
- event *model.Event
+// Init initializes the probe
+func (p *Probe) Init() error {
+ p.startTime = time.Now()
+ return p.PlatformProbe.Init()
+}
+
+// Setup the runtime security probe
+func (p *Probe) Setup() error {
+ return p.PlatformProbe.Setup()
+}
+
+// Start plays the snapshot data and then start the event stream
+func (p *Probe) Start() error {
+ return p.PlatformProbe.Start()
+}
+
+// SendStats sends statistics about the probe to Datadog
+func (p *Probe) SendStats() error {
+ return p.PlatformProbe.SendStats()
+}
+
+// Close the probe
+func (p *Probe) Close() error {
+ return p.PlatformProbe.Close()
+}
+
+// Stop the probe
+func (p *Probe) Stop() {
+ p.PlatformProbe.Stop()
+}
+
+// FlushDiscarders invalidates all the discarders
+func (p *Probe) FlushDiscarders() error {
+ seclog.Debugf("Flushing discarders")
+ return p.PlatformProbe.FlushDiscarders()
+}
+
+// ApplyRuleSet setup the probes for the provided set of rules and returns the policy report.
+func (p *Probe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error) {
+ return p.PlatformProbe.ApplyRuleSet(rs)
+}
+
+// Snapshot runs the different snapshot functions of the resolvers that
+// require to sync with the current state of the system
+func (p *Probe) Snapshot() error {
+ return p.PlatformProbe.Snapshot()
+}
+
+// OnNewDiscarder is called when a new discarder is found
+func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType) {
+ p.PlatformProbe.OnNewDiscarder(rs, ev, field, eventType)
+}
+
+// DumpDiscarders removes all the discarders
+func (p *Probe) DumpDiscarders() (string, error) {
+ seclog.Debugf("Dumping discarders")
+ return p.PlatformProbe.DumpDiscarders()
+}
+
+// DumpProcessCache dump the process cache
+func (p *Probe) DumpProcessCache(withArgs bool) (string, error) {
+ return p.PlatformProbe.DumpProcessCache(withArgs)
+}
+
+// GetDebugStats returns the debug stats
+func (p *Probe) GetDebugStats() map[string]interface{} {
+ debug := map[string]interface{}{
+ "start_time": p.startTime.String(),
+ }
+ // TODO(Will): add manager state
+ return debug
}
-// GetResolvers returns the resolvers of Probe
-func (p *Probe) GetResolvers() *resolvers.Resolvers {
- return p.resolvers
+// HandleActions executes the actions of a triggered rule
+func (p *Probe) HandleActions(rule *rules.Rule, event eval.Event) {
+ p.PlatformProbe.HandleActions(rule, event)
}
// AddEventHandler sets a probe event handler
@@ -109,9 +194,58 @@ func (p *Probe) AddCustomEventHandler(eventType model.EventType, handler CustomE
return nil
}
+func (p *Probe) sendEventToWildcardHandlers(event *model.Event) {
+ for _, handler := range p.fullAccessEventHandlers[model.UnknownEventType] {
+ handler.HandleEvent(event)
+ }
+}
+
+func (p *Probe) sendEventToSpecificEventTypeHandlers(event *model.Event) {
+ for _, handler := range p.eventHandlers[event.GetEventType()] {
+ handler.HandleEvent(handler.Copy(event))
+ }
+}
+
+func traceEvent(fmt string, marshaller func() ([]byte, model.EventType, error)) {
+ if !seclog.DefaultLogger.IsTracing() {
+ return
+ }
+
+ eventJSON, eventType, err := marshaller()
+ if err != nil {
+ seclog.DefaultLogger.TraceTagf(eventType, fmt, err)
+ return
+ }
+
+ seclog.DefaultLogger.TraceTagf(eventType, fmt, string(eventJSON))
+}
+
+// AddDiscarderPushedCallback add a callback to the list of func that have to be called when a discarder is pushed to kernel
+func (p *Probe) AddDiscarderPushedCallback(cb DiscarderPushedCallback) {
+ p.PlatformProbe.AddDiscarderPushedCallback(cb)
+}
+
+// DispatchCustomEvent sends a custom event to the probe event handler
+func (p *Probe) DispatchCustomEvent(rule *rules.Rule, event *events.CustomEvent) {
+ traceEvent("Dispatching custom event %s", func() ([]byte, model.EventType, error) {
+ eventJSON, err := serializers.MarshalCustomEvent(event)
+ return eventJSON, event.GetEventType(), err
+ })
+
+ // send wildcard first
+ for _, handler := range p.customEventHandlers[model.UnknownEventType] {
+ handler.HandleCustomEvent(rule, event)
+ }
+
+ // send specific event
+ for _, handler := range p.customEventHandlers[event.GetEventType()] {
+ handler.HandleCustomEvent(rule, event)
+ }
+}
+
func (p *Probe) zeroEvent() *model.Event {
p.event.Zero()
- p.event.FieldHandlers = p.fieldHandlers
+ p.event.FieldHandlers = p.PlatformProbe.GetFieldHandlers()
return p.event
}
@@ -122,7 +256,7 @@ func (p *Probe) StatsPollingInterval() time.Duration {
// GetEventTags returns the event tags
func (p *Probe) GetEventTags(containerID string) []string {
- return p.GetResolvers().TagsResolver.Resolve(containerID)
+ return p.PlatformProbe.GetEventTags(containerID)
}
// GetService returns the service name from the process tree
@@ -146,10 +280,10 @@ func (p *Probe) NewEvaluationSet(eventTypeEnabled map[eval.EventType]bool, ruleS
}
eventCtor := func() eval.Event {
- return NewEvent(p.fieldHandlers)
+ return p.PlatformProbe.NewEvent()
}
- rs := rules.NewRuleSet(NewModel(p), eventCtor, ruleOpts.WithRuleSetTag(ruleSetTagValue), evalOpts)
+ rs := rules.NewRuleSet(p.PlatformProbe.NewModel(), eventCtor, ruleOpts.WithRuleSetTag(ruleSetTagValue), evalOpts)
ruleSetsToInclude = append(ruleSetsToInclude, rs)
}
diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
new file mode 100644
index 0000000000000..80b074272f105
--- /dev/null
+++ b/pkg/security/probe/probe_ebpf.go
@@ -0,0 +1,1921 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build linux
+
+// Package probe holds probe related files
+package probe
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "math"
+ "os"
+ "path/filepath"
+ "runtime"
+ "sync"
+ "syscall"
+ "time"
+
+ lib "github.com/cilium/ebpf"
+ "github.com/hashicorp/go-multierror"
+ "github.com/moby/sys/mountinfo"
+ "golang.org/x/exp/slices"
+ "golang.org/x/sys/unix"
+ "golang.org/x/time/rate"
+ "gopkg.in/yaml.v3"
+
+ "github.com/DataDog/datadog-go/v5/statsd"
+ manager "github.com/DataDog/ebpf-manager"
+ "github.com/DataDog/ebpf-manager/tracefs"
+
+ "github.com/DataDog/datadog-agent/pkg/collector/corechecks/ebpf/probe/ebpfcheck"
+ aconfig "github.com/DataDog/datadog-agent/pkg/config"
+ commonebpf "github.com/DataDog/datadog-agent/pkg/ebpf"
+ "github.com/DataDog/datadog-agent/pkg/security/config"
+ "github.com/DataDog/datadog-agent/pkg/security/ebpf"
+ "github.com/DataDog/datadog-agent/pkg/security/ebpf/kernel"
+ "github.com/DataDog/datadog-agent/pkg/security/ebpf/probes"
+ "github.com/DataDog/datadog-agent/pkg/security/events"
+ "github.com/DataDog/datadog-agent/pkg/security/metrics"
+ pconfig "github.com/DataDog/datadog-agent/pkg/security/probe/config"
+ "github.com/DataDog/datadog-agent/pkg/security/probe/constantfetch"
+ "github.com/DataDog/datadog-agent/pkg/security/probe/erpc"
+ "github.com/DataDog/datadog-agent/pkg/security/probe/eventstream"
+ "github.com/DataDog/datadog-agent/pkg/security/probe/eventstream/reorderer"
+ "github.com/DataDog/datadog-agent/pkg/security/probe/eventstream/ringbuffer"
+ "github.com/DataDog/datadog-agent/pkg/security/probe/kfilters"
+ "github.com/DataDog/datadog-agent/pkg/security/probe/managerhelper"
+ "github.com/DataDog/datadog-agent/pkg/security/resolvers"
+ "github.com/DataDog/datadog-agent/pkg/security/resolvers/mount"
+ "github.com/DataDog/datadog-agent/pkg/security/resolvers/netns"
+ "github.com/DataDog/datadog-agent/pkg/security/resolvers/path"
+ "github.com/DataDog/datadog-agent/pkg/security/resolvers/process"
+ "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+ "github.com/DataDog/datadog-agent/pkg/security/secl/model"
+ "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+ "github.com/DataDog/datadog-agent/pkg/security/seclog"
+ "github.com/DataDog/datadog-agent/pkg/security/security_profile/dump"
+ "github.com/DataDog/datadog-agent/pkg/security/serializers"
+ "github.com/DataDog/datadog-agent/pkg/security/utils"
+ utilkernel "github.com/DataDog/datadog-agent/pkg/util/kernel"
+ "github.com/DataDog/datadog-agent/pkg/util/log"
+)
+
+// EventStream describes the interface implemented by reordered perf maps or ring buffers
+type EventStream interface {
+ Init(*manager.Manager, *pconfig.Config) error
+ SetMonitor(eventstream.LostEventCounter)
+ Start(*sync.WaitGroup) error
+ Pause() error
+ Resume() error
+}
+
+var (
+ // defaultEventTypes event types used whatever the event handlers or the rules
+ defaultEventTypes = []eval.EventType{
+ model.ForkEventType.String(),
+ model.ExecEventType.String(),
+ model.ExitEventType.String(),
+ }
+)
+
+// EBPFProbe defines a platform probe
+type EBPFProbe struct {
+ Resolvers *resolvers.EBPFResolvers
+
+ // Constants and configuration
+ opts Opts
+ config *config.Config
+ statsdClient statsd.ClientInterface
+
+ probe *Probe
+ Manager *manager.Manager
+ managerOptions manager.Options
+ kernelVersion *kernel.Version
+
+ // internals
+ monitors *EBPFMonitors
+ profileManagers *SecurityProfileManagers
+ fieldHandlers *EBPFFieldHandlers
+
+ ctx context.Context
+ cancelFnc context.CancelFunc
+ wg sync.WaitGroup
+
+ // Ring
+ eventStream EventStream
+
+ // ActivityDumps section
+ activityDumpHandler dump.ActivityDumpHandler
+
+ // Approvers / discarders section
+ Erpc *erpc.ERPC
+ erpcRequest *erpc.Request
+ inodeDiscarders *inodeDiscarders
+ discarderPushedCallbacks []DiscarderPushedCallback
+ approvers map[eval.EventType]kfilters.ActiveApprovers
+
+ // Approvers / discarders section
+ discarderPushedCallbacksLock sync.RWMutex
+ discarderRateLimiter *rate.Limiter
+
+ killListMap *lib.Map
+ supportsBPFSendSignal bool
+
+ isRuntimeDiscarded bool
+ constantOffsets map[string]uint64
+ runtimeCompiled bool
+ useFentry bool
+}
+
+func (p *EBPFProbe) detectKernelVersion() error {
+ kernelVersion, err := kernel.NewKernelVersion()
+ if err != nil {
+ return fmt.Errorf("unable to detect the kernel version: %w", err)
+ }
+ p.kernelVersion = kernelVersion
+ return nil
+}
+
+// GetKernelVersion computes and returns the running kernel version
+func (p *EBPFProbe) GetKernelVersion() *kernel.Version {
+ return p.kernelVersion
+}
+
+// UseRingBuffers returns true if eBPF ring buffers are supported and used
+func (p *EBPFProbe) UseRingBuffers() bool {
+ return p.config.Probe.EventStreamUseRingBuffer && p.kernelVersion.HaveRingBuffers()
+}
+
+func (p *EBPFProbe) selectFentryMode() {
+ if !p.config.Probe.EventStreamUseFentry {
+ p.useFentry = false
+ return
+ }
+
+ supported := p.kernelVersion.HaveFentrySupport()
+ if !supported {
+ seclog.Errorf("fentry enabled but not supported, falling back to kprobe mode")
+ }
+ p.useFentry = supported
+}
+
+func (p *EBPFProbe) sanityChecks() error {
+ // make sure debugfs is mounted
+ if _, err := tracefs.Root(); err != nil {
+ return err
+ }
+
+ if utilkernel.GetLockdownMode() == utilkernel.Confidentiality {
+ return errors.New("eBPF not supported in lockdown `confidentiality` mode")
+ }
+
+ if p.config.Probe.NetworkEnabled && p.kernelVersion.IsRH7Kernel() {
+ seclog.Warnf("The network feature of CWS isn't supported on Centos7, setting runtime_security_config.network.enabled to false")
+ p.config.Probe.NetworkEnabled = false
+ }
+
+ return nil
+}
+
+// NewModel returns a new Model
+func (p *EBPFProbe) NewModel() *model.Model {
+ return NewEBPFModel(p)
+}
+
+// VerifyOSVersion returns an error if the current kernel version is not supported
+func (p *EBPFProbe) VerifyOSVersion() error {
+ if !p.kernelVersion.IsRH7Kernel() && !p.kernelVersion.IsRH8Kernel() && p.kernelVersion.Code < kernel.Kernel4_15 {
+ return fmt.Errorf("the following kernel is not supported: %s", p.kernelVersion)
+ }
+ return nil
+}
+
+// VerifyEnvironment returns an error if the current environment seems to be misconfigured
+func (p *EBPFProbe) VerifyEnvironment() *multierror.Error {
+ var err *multierror.Error
+ if aconfig.IsContainerized() {
+ if mounted, _ := mountinfo.Mounted("/etc/passwd"); !mounted {
+ err = multierror.Append(err, errors.New("/etc/passwd doesn't seem to be a mountpoint"))
+ }
+
+ if mounted, _ := mountinfo.Mounted("/etc/group"); !mounted {
+ err = multierror.Append(err, errors.New("/etc/group doesn't seem to be a mountpoint"))
+ }
+
+ if mounted, _ := mountinfo.Mounted(utilkernel.ProcFSRoot()); !mounted {
+ err = multierror.Append(err, errors.New("/etc/group doesn't seem to be a mountpoint"))
+ }
+
+ if mounted, _ := mountinfo.Mounted(p.kernelVersion.OsReleasePath); !mounted {
+ err = multierror.Append(err, fmt.Errorf("%s doesn't seem to be a mountpoint", p.kernelVersion.OsReleasePath))
+ }
+
+ securityFSPath := filepath.Join(utilkernel.SysFSRoot(), "kernel/security")
+ if mounted, _ := mountinfo.Mounted(securityFSPath); !mounted {
+ err = multierror.Append(err, fmt.Errorf("%s doesn't seem to be a mountpoint", securityFSPath))
+ }
+
+ capsEffective, _, capErr := utils.CapEffCapEprm(utils.Getpid())
+ if capErr != nil {
+ err = multierror.Append(capErr, errors.New("failed to get process capabilities"))
+ } else {
+ requiredCaps := []string{
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_PTRACE",
+ "CAP_NET_ADMIN",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_CHOWN",
+ }
+
+ for _, requiredCap := range requiredCaps {
+ capConst := model.KernelCapabilityConstants[requiredCap]
+ if capsEffective&capConst == 0 {
+ err = multierror.Append(err, fmt.Errorf("%s capability is missing", requiredCap))
+ }
+ }
+ }
+ }
+
+ return err
+}
+
+// Init initializes the probe
+func (p *EBPFProbe) Init() error {
+ useSyscallWrapper, err := ebpf.IsSyscallWrapperRequired()
+ if err != nil {
+ return err
+ }
+
+ loader := ebpf.NewProbeLoader(p.config.Probe, useSyscallWrapper, p.UseRingBuffers(), p.useFentry, p.statsdClient)
+ defer loader.Close()
+
+ bytecodeReader, runtimeCompiled, err := loader.Load()
+ if err != nil {
+ return err
+ }
+ defer bytecodeReader.Close()
+
+ p.runtimeCompiled = runtimeCompiled
+
+ if err := p.eventStream.Init(p.Manager, p.config.Probe); err != nil {
+ return err
+ }
+
+ if p.isRuntimeDiscarded {
+ p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors, manager.ConstantEditor{
+ Name: "runtime_discarded",
+ Value: uint64(1),
+ })
+ }
+
+ p.managerOptions.ActivatedProbes = append(p.managerOptions.ActivatedProbes, probes.SnapshotSelectors(p.useFentry)...)
+
+ if err := p.Manager.InitWithOptions(bytecodeReader, p.managerOptions); err != nil {
+ return fmt.Errorf("failed to init manager: %w", err)
+ }
+
+ p.inodeDiscarders = newInodeDiscarders(p.Erpc, p.Resolvers.DentryResolver)
+
+ if err := p.Resolvers.Start(p.ctx); err != nil {
+ return err
+ }
+
+ err = p.monitors.Init()
+ if err != nil {
+ return err
+ }
+
+ p.profileManagers, err = NewSecurityProfileManagers(p)
+ if err != nil {
+ return err
+ }
+ p.profileManagers.AddActivityDumpHandler(p.activityDumpHandler)
+
+ p.eventStream.SetMonitor(p.monitors.eventStreamMonitor)
+
+ p.killListMap, err = managerhelper.Map(p.Manager, "kill_list")
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+// IsRuntimeCompiled returns true if the eBPF programs where successfully runtime compiled
+func (p *EBPFProbe) IsRuntimeCompiled() bool {
+ return p.runtimeCompiled
+}
+
+// Setup the probe
+func (p *EBPFProbe) Setup() error {
+ if err := p.Manager.Start(); err != nil {
+ return err
+ }
+ ebpfcheck.AddNameMappings(p.Manager, "cws")
+
+ p.applyDefaultFilterPolicies()
+
+ needRawSyscalls := p.isNeededForActivityDump(model.SyscallsEventType.String())
+
+ if err := p.updateProbes(defaultEventTypes, needRawSyscalls); err != nil {
+ return err
+ }
+
+ p.profileManagers.Start(p.ctx, &p.wg)
+
+ return nil
+}
+
+// Start the probe
+func (p *EBPFProbe) Start() error {
+ // Apply rules to the snapshotted data before starting the event stream to avoid concurrency issues
+ p.playSnapshot()
+ return p.eventStream.Start(&p.wg)
+}
+
+// playSnapshot plays a snapshot
+func (p *EBPFProbe) playSnapshot() {
+ // Get the snapshotted data
+ var events []*model.Event
+
+ entryToEvent := func(entry *model.ProcessCacheEntry) {
+ if entry.Source != model.ProcessCacheEntryFromSnapshot {
+ return
+ }
+ entry.Retain()
+ event := NewEBPFEvent(p.fieldHandlers)
+ event.Type = uint32(model.ExecEventType)
+ event.TimestampRaw = uint64(time.Now().UnixNano())
+ event.ProcessCacheEntry = entry
+ event.ProcessContext = &entry.ProcessContext
+ event.Exec.Process = &entry.Process
+ event.ProcessContext.Process.ContainerID = entry.ContainerID
+
+ if _, err := entry.HasValidLineage(); err != nil {
+ event.Error = &model.ErrProcessBrokenLineage{Err: err}
+ }
+
+ events = append(events, event)
+ }
+ p.Resolvers.ProcessResolver.Walk(entryToEvent)
+ for _, event := range events {
+ p.DispatchEvent(event)
+ event.ProcessCacheEntry.Release()
+ }
+}
+
+func (p *EBPFProbe) sendAnomalyDetection(event *model.Event) {
+ tags := p.probe.GetEventTags(event.ContainerContext.ID)
+ if service := p.probe.GetService(event); service != "" {
+ tags = append(tags, "service:"+service)
+ }
+
+ p.probe.DispatchCustomEvent(
+ events.NewCustomRule(events.AnomalyDetectionRuleID, events.AnomalyDetectionRuleDesc),
+ events.NewCustomEventLazy(event.GetEventType(), p.EventMarshallerCtor(event), tags...),
+ )
+}
+
+// AddActivityDumpHandler set the probe activity dump handler
+func (p *EBPFProbe) AddActivityDumpHandler(handler dump.ActivityDumpHandler) {
+ p.activityDumpHandler = handler
+}
+
+// DispatchEvent sends an event to the probe event handler
+func (p *EBPFProbe) DispatchEvent(event *model.Event) {
+ traceEvent("Dispatching event %s", func() ([]byte, model.EventType, error) {
+ eventJSON, err := serializers.MarshalEvent(event)
+ return eventJSON, event.GetEventType(), err
+ })
+
+ // filter out event if already present on a profile
+ if p.config.RuntimeSecurity.SecurityProfileEnabled {
+ p.profileManagers.securityProfileManager.LookupEventInProfiles(event)
+ }
+
+ // send event to wildcard handlers, like the CWS rule engine, first
+ p.probe.sendEventToWildcardHandlers(event)
+
+ // send event to specific event handlers, like the event monitor consumers, subsequently
+ p.probe.sendEventToSpecificEventTypeHandlers(event)
+
+ // handle anomaly detections
+ if event.IsAnomalyDetectionEvent() {
+ if event.IsKernelSpaceAnomalyDetectionEvent() {
+ p.profileManagers.securityProfileManager.FillProfileContextFromContainerID(event.FieldHandlers.ResolveContainerID(event, event.ContainerContext), &event.SecurityProfileContext)
+ }
+ if p.config.RuntimeSecurity.AnomalyDetectionEnabled {
+ p.sendAnomalyDetection(event)
+ }
+ } else if event.Error == nil {
+ // Process event after evaluation because some monitors need the DentryResolver to have been called first.
+ if p.profileManagers.activityDumpManager != nil {
+ p.profileManagers.activityDumpManager.ProcessEvent(event)
+ }
+ }
+ p.monitors.ProcessEvent(event)
+}
+
+// SendStats sends statistics about the probe to Datadog
+func (p *EBPFProbe) SendStats() error {
+ p.Resolvers.TCResolver.SendTCProgramsStats(p.statsdClient)
+
+ if err := p.profileManagers.SendStats(); err != nil {
+ return err
+ }
+
+ return p.monitors.SendStats()
+}
+
+// GetMonitors returns the monitor of the probe
+func (p *EBPFProbe) GetMonitors() *EBPFMonitors {
+ return p.monitors
+}
+
+// EventMarshallerCtor returns the event marshaller ctor
+func (p *EBPFProbe) EventMarshallerCtor(event *model.Event) func() events.EventMarshaler {
+ return func() events.EventMarshaler {
+ return serializers.NewEventSerializer(event)
+ }
+}
+
+func (p *EBPFProbe) unmarshalContexts(data []byte, event *model.Event) (int, error) {
+ read, err := model.UnmarshalBinary(data, &event.PIDContext, &event.SpanContext, event.ContainerContext)
+ if err != nil {
+ return 0, err
+ }
+
+ return read, nil
+}
+
+func eventWithNoProcessContext(eventType model.EventType) bool {
+ return eventType == model.DNSEventType || eventType == model.LoadModuleEventType || eventType == model.UnloadModuleEventType
+}
+
+func (p *EBPFProbe) unmarshalProcessCacheEntry(ev *model.Event, data []byte) (int, error) {
+ entry := p.Resolvers.ProcessResolver.NewProcessCacheEntry(ev.PIDContext)
+ ev.ProcessCacheEntry = entry
+
+ n, err := entry.Process.UnmarshalBinary(data)
+ if err != nil {
+ return n, err
+ }
+ entry.Process.ContainerID = ev.ContainerContext.ID
+ entry.Source = model.ProcessCacheEntryFromEvent
+
+ return n, nil
+}
+
+func (p *EBPFProbe) onEventLost(perfMapName string, perEvent map[string]uint64) {
+ if p.config.RuntimeSecurity.InternalMonitoringEnabled {
+ p.probe.DispatchCustomEvent(
+ NewEventLostWriteEvent(perfMapName, perEvent),
+ )
+ }
+
+ // snapshot traced cgroups if a CgroupTracing event was lost
+ if p.probe.IsActivityDumpEnabled() && perEvent[model.CgroupTracingEventType.String()] > 0 {
+ p.profileManagers.SnapshotTracedCgroups()
+ }
+}
+
+// setProcessContext set the process context, should return false if the event shouldn't be dispatched
+func (p *EBPFProbe) setProcessContext(eventType model.EventType, event *model.Event) bool {
+ entry, isResolved := p.fieldHandlers.ResolveProcessCacheEntry(event)
+ event.ProcessCacheEntry = entry
+ if event.ProcessCacheEntry == nil {
+ panic("should always return a process cache entry")
+ }
+
+ // use ProcessCacheEntry process context as process context
+ event.ProcessContext = &event.ProcessCacheEntry.ProcessContext
+ if event.ProcessContext == nil {
+ panic("should always return a process context")
+ }
+
+ if process.IsKThread(event.ProcessContext.PPid, event.ProcessContext.Pid) {
+ return false
+ }
+
+ if !eventWithNoProcessContext(eventType) {
+ if !isResolved {
+ event.Error = &model.ErrNoProcessContext{Err: errors.New("process context not resolved")}
+ } else if _, err := entry.HasValidLineage(); err != nil {
+ event.Error = &model.ErrProcessBrokenLineage{Err: err}
+ p.Resolvers.ProcessResolver.CountBrokenLineage()
+ }
+ }
+
+ // flush exited process
+ p.Resolvers.ProcessResolver.DequeueExited()
+
+ return true
+}
+
+func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
+ offset := 0
+ event := p.probe.zeroEvent()
+
+ dataLen := uint64(len(data))
+
+ read, err := event.UnmarshalBinary(data)
+ if err != nil {
+ seclog.Errorf("failed to decode event: %s", err)
+ return
+ }
+ offset += read
+
+ eventType := event.GetEventType()
+ if eventType > model.MaxKernelEventType {
+ seclog.Errorf("unsupported event type %d", eventType)
+ return
+ }
+
+ p.monitors.eventStreamMonitor.CountEvent(eventType, event.TimestampRaw, 1, dataLen, eventstream.EventStreamMap, CPU)
+
+ // no need to dispatch events
+ switch eventType {
+ case model.MountReleasedEventType:
+ if _, err = event.MountReleased.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode mount released event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+
+ // Remove all dentry entries belonging to the mountID
+ p.Resolvers.DentryResolver.DelCacheEntries(event.MountReleased.MountID)
+
+ // Delete new mount point from cache
+ if err = p.Resolvers.MountResolver.Delete(event.MountReleased.MountID); err != nil {
+ seclog.Tracef("failed to delete mount point %d from cache: %s", event.MountReleased.MountID, err)
+ }
+ return
+ case model.ArgsEnvsEventType:
+ if _, err = event.ArgsEnvs.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode args envs event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+
+ p.Resolvers.ProcessResolver.UpdateArgsEnvs(&event.ArgsEnvs)
+
+ return
+ case model.CgroupTracingEventType:
+ if !p.config.RuntimeSecurity.ActivityDumpEnabled {
+ seclog.Errorf("shouldn't receive Cgroup event if activity dumps are disabled")
+ return
+ }
+
+ if _, err = event.CgroupTracing.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode cgroup tracing event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+
+ p.profileManagers.activityDumpManager.HandleCGroupTracingEvent(&event.CgroupTracing)
+ return
+ case model.UnshareMountNsEventType:
+ if _, err = event.UnshareMountNS.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode unshare mnt ns event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+ if err := p.handleNewMount(event, &event.UnshareMountNS.Mount); err != nil {
+ seclog.Debugf("failed to handle new mount from unshare mnt ns event: %s", err)
+ }
+ return
+ }
+
+ read, err = p.unmarshalContexts(data[offset:], event)
+ if err != nil {
+ seclog.Errorf("failed to decode event `%s`: %s", eventType, err)
+ return
+ }
+ offset += read
+
+ // save netns handle if applicable
+ nsPath := utils.NetNSPathFromPid(event.PIDContext.Pid)
+ _, _ = p.Resolvers.NamespaceResolver.SaveNetworkNamespaceHandle(event.PIDContext.NetNS, nsPath)
+
+ if model.GetEventTypeCategory(eventType.String()) == model.NetworkCategory {
+ if read, err = event.NetworkContext.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode Network Context")
+ }
+ offset += read
+ }
+
+ // handle exec and fork before process context resolution as they modify the process context resolution
+ switch eventType {
+ case model.ForkEventType:
+ if _, err = p.unmarshalProcessCacheEntry(event, data[offset:]); err != nil {
+ seclog.Errorf("failed to decode fork event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+
+ if process.IsKThread(event.ProcessCacheEntry.PPid, event.ProcessCacheEntry.Pid) {
+ return
+ }
+
+ p.Resolvers.ProcessResolver.ApplyBootTime(event.ProcessCacheEntry)
+ event.ProcessCacheEntry.SetSpan(event.SpanContext.SpanID, event.SpanContext.TraceID)
+
+ p.Resolvers.ProcessResolver.AddForkEntry(event.ProcessCacheEntry, event.PIDContext.ExecInode)
+ case model.ExecEventType:
+ // unmarshal and fill event.processCacheEntry
+ if _, err = p.unmarshalProcessCacheEntry(event, data[offset:]); err != nil {
+ seclog.Errorf("failed to decode exec event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+
+ if err = p.Resolvers.ProcessResolver.ResolveNewProcessCacheEntry(event.ProcessCacheEntry, event.ContainerContext); err != nil {
+ seclog.Debugf("failed to resolve new process cache entry context for pid %d: %s", event.PIDContext.Pid, err)
+
+ var errResolution *path.ErrPathResolution
+ if errors.As(err, &errResolution) {
+ event.SetPathResolutionError(&event.ProcessCacheEntry.FileEvent, err)
+ }
+ } else {
+ p.Resolvers.ProcessResolver.AddExecEntry(event.ProcessCacheEntry, event.PIDContext.ExecInode)
+ }
+
+ event.Exec.Process = &event.ProcessCacheEntry.Process
+ }
+
+ if !p.setProcessContext(eventType, event) {
+ return
+ }
+
+ switch eventType {
+ case model.FileMountEventType:
+ if _, err = event.Mount.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode mount event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+ if err := p.handleNewMount(event, &event.Mount.Mount); err != nil {
+ seclog.Debugf("failed to handle new mount from mount event: %s\n", err)
+ return
+ }
+
+ // TODO: this should be moved in the resolver itself in order to handle the fallbacks
+ if event.Mount.GetFSType() == "nsfs" {
+ nsid := uint32(event.Mount.RootPathKey.Inode)
+ mountPath, err := p.Resolvers.MountResolver.ResolveMountPath(event.Mount.MountID, event.Mount.Device, event.PIDContext.Pid, event.ContainerContext.ID)
+ if err != nil {
+ seclog.Debugf("failed to get mount path: %v", err)
+ } else {
+ mountNetNSPath := utils.NetNSPathFromPath(mountPath)
+ _, _ = p.Resolvers.NamespaceResolver.SaveNetworkNamespaceHandle(nsid, mountNetNSPath)
+ }
+ }
+
+ case model.FileUmountEventType:
+ if _, err = event.Umount.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode umount event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+
+ // we can skip this error as this is for the umount only and there is no impact on the filepath resolution
+ mount, _ := p.Resolvers.MountResolver.ResolveMount(event.Umount.MountID, 0, event.PIDContext.Pid, event.ContainerContext.ID)
+ if mount != nil && mount.GetFSType() == "nsfs" {
+ nsid := uint32(mount.RootPathKey.Inode)
+ if namespace := p.Resolvers.NamespaceResolver.ResolveNetworkNamespace(nsid); namespace != nil {
+ p.FlushNetworkNamespace(namespace)
+ }
+ }
+
+ case model.FileOpenEventType:
+ if _, err = event.Open.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode open event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+ case model.FileMkdirEventType:
+ if _, err = event.Mkdir.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode mkdir event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+ case model.FileRmdirEventType:
+ if _, err = event.Rmdir.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode rmdir event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+ case model.FileUnlinkEventType:
+ if _, err = event.Unlink.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode unlink event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+ case model.FileRenameEventType:
+ if _, err = event.Rename.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode rename event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+ case model.FileChmodEventType:
+ if _, err = event.Chmod.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode chmod event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+ case model.FileChownEventType:
+ if _, err = event.Chown.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode chown event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+ case model.FileUtimesEventType:
+ if _, err = event.Utimes.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode utime event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+ case model.FileLinkEventType:
+ if _, err = event.Link.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode link event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+ case model.FileSetXAttrEventType:
+ if _, err = event.SetXAttr.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode setxattr event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+ case model.FileRemoveXAttrEventType:
+ if _, err = event.RemoveXAttr.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode removexattr event: %s (offset %d, len %d)", err, offset, dataLen)
+ return
+ }
+ case model.ExitEventType:
+ if _, err = event.Exit.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode exit event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+
+ var exists bool
+ event.ProcessCacheEntry, exists = p.fieldHandlers.GetProcessCacheEntry(event)
+ if !exists {
+ // no need to dispatch an exit event that don't have the corresponding cache entry
+ return
+ }
+
+ // Use the event timestamp as exit time
+ // The local process cache hasn't been updated yet with the exit time when the exit event is first seen
+ // The pid_cache kernel map has the exit_time but it's only accessed if there's a local miss
+ event.ProcessCacheEntry.Process.ExitTime = p.fieldHandlers.ResolveEventTime(event, &event.BaseEvent)
+ event.Exit.Process = &event.ProcessCacheEntry.Process
+ case model.SetuidEventType:
+ // the process context may be incorrect, do not modify it
+ if event.Error != nil {
+ break
+ }
+
+ if _, err = event.SetUID.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode setuid event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ defer p.Resolvers.ProcessResolver.UpdateUID(event.PIDContext.Pid, event)
+ case model.SetgidEventType:
+ // the process context may be incorrect, do not modify it
+ if event.Error != nil {
+ break
+ }
+
+ if _, err = event.SetGID.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode setgid event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ defer p.Resolvers.ProcessResolver.UpdateGID(event.PIDContext.Pid, event)
+ case model.CapsetEventType:
+ // the process context may be incorrect, do not modify it
+ if event.Error != nil {
+ break
+ }
+
+ if _, err = event.Capset.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode capset event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ defer p.Resolvers.ProcessResolver.UpdateCapset(event.PIDContext.Pid, event)
+ case model.SELinuxEventType:
+ if _, err = event.SELinux.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode selinux event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ case model.BPFEventType:
+ if _, err = event.BPF.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode bpf event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ case model.PTraceEventType:
+ if _, err = event.PTrace.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode ptrace event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ // resolve tracee process context
+ var pce *model.ProcessCacheEntry
+ if event.PTrace.PID > 0 { // pid can be 0 for a PTRACE_TRACEME request
+ pce = p.Resolvers.ProcessResolver.Resolve(event.PTrace.PID, event.PTrace.PID, 0, false)
+ }
+ if pce == nil {
+ pce = model.NewPlaceholderProcessCacheEntry(event.PTrace.PID, event.PTrace.PID, false)
+ }
+ event.PTrace.Tracee = &pce.ProcessContext
+ case model.MMapEventType:
+ if _, err = event.MMap.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode mmap event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+
+ if event.MMap.Flags&unix.MAP_ANONYMOUS != 0 {
+ // no need to trigger a dentry resolver, not backed by any file
+ event.MMap.File.SetPathnameStr("")
+ event.MMap.File.SetBasenameStr("")
+ }
+ case model.MProtectEventType:
+ if _, err = event.MProtect.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode mprotect event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ case model.LoadModuleEventType:
+ if _, err = event.LoadModule.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode load_module event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+
+ if event.LoadModule.LoadedFromMemory {
+ // no need to trigger a dentry resolver, not backed by any file
+ event.LoadModule.File.SetPathnameStr("")
+ event.LoadModule.File.SetBasenameStr("")
+ }
+ case model.UnloadModuleEventType:
+ if _, err = event.UnloadModule.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode unload_module event: %s (offset %d, len %d)", err, offset, len(data))
+ }
+ case model.SignalEventType:
+ if _, err = event.Signal.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode signal event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ // resolve target process context
+ var pce *model.ProcessCacheEntry
+ if event.Signal.PID > 0 { // Linux accepts a kill syscall with both negative and zero pid
+ pce = p.Resolvers.ProcessResolver.Resolve(event.Signal.PID, event.Signal.PID, 0, false)
+ }
+ if pce == nil {
+ pce = model.NewPlaceholderProcessCacheEntry(event.Signal.PID, event.Signal.PID, false)
+ }
+ event.Signal.Target = &pce.ProcessContext
+ case model.SpliceEventType:
+ if _, err = event.Splice.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode splice event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ case model.NetDeviceEventType:
+ if _, err = event.NetDevice.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode net_device event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ _ = p.setupNewTCClassifier(event.NetDevice.Device)
+ case model.VethPairEventType:
+ if _, err = event.VethPair.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode veth_pair event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ _ = p.setupNewTCClassifier(event.VethPair.PeerDevice)
+ case model.DNSEventType:
+ if _, err = event.DNS.UnmarshalBinary(data[offset:]); err != nil {
+ if errors.Is(err, model.ErrDNSNameMalformatted) {
+ seclog.Debugf("failed to validate DNS event: %s", event.DNS.Name)
+ } else if errors.Is(err, model.ErrDNSNamePointerNotSupported) {
+ seclog.Tracef("failed to decode DNS event: %s (offset %d, len %d)", err, offset, len(data))
+ } else {
+ seclog.Errorf("failed to decode DNS event: %s (offset %d, len %d)", err, offset, len(data))
+ }
+
+ return
+ }
+ case model.BindEventType:
+ if _, err = event.Bind.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode bind event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ case model.SyscallsEventType:
+ if _, err = event.Syscalls.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode syscalls event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ case model.AnomalyDetectionSyscallEventType:
+ if _, err = event.AnomalyDetectionSyscallEvent.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode anomaly detection for syscall event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
+ }
+
+ // resolve the container context
+ event.ContainerContext, _ = p.fieldHandlers.ResolveContainerContext(event)
+
+ p.DispatchEvent(event)
+
+ if eventType == model.ExitEventType {
+ p.Resolvers.ProcessResolver.DeleteEntry(event.ProcessContext.Pid, event.ResolveEventTime())
+ }
+}
+
+// AddDiscarderPushedCallback add a callback to the list of func that have to be called when a discarder is pushed to kernel
+func (p *EBPFProbe) AddDiscarderPushedCallback(cb DiscarderPushedCallback) {
+ p.discarderPushedCallbacksLock.Lock()
+ defer p.discarderPushedCallbacksLock.Unlock()
+
+ p.discarderPushedCallbacks = append(p.discarderPushedCallbacks, cb)
+}
+
+// GetEventTags returns the event tags
+func (p *EBPFProbe) GetEventTags(containerID string) []string {
+ return p.Resolvers.TagsResolver.Resolve(containerID)
+}
+
+// OnNewDiscarder handles new discarders
+func (p *EBPFProbe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType) {
+ // discarders disabled
+ if !p.config.Probe.EnableDiscarders {
+ return
+ }
+
+ if p.isRuntimeDiscarded {
+ fakeTime := time.Unix(0, int64(ev.TimestampRaw))
+ if !p.discarderRateLimiter.AllowN(fakeTime, 1) {
+ return
+ }
+ }
+
+ seclog.Tracef("New discarder of type %s for field %s", eventType, field)
+
+ if handlers, ok := allDiscarderHandlers[eventType]; ok {
+ for _, handler := range handlers {
+ discarderPushed, _ := handler(rs, ev, p, Discarder{Field: field})
+
+ if discarderPushed {
+ p.discarderPushedCallbacksLock.RLock()
+ defer p.discarderPushedCallbacksLock.RUnlock()
+ for _, cb := range p.discarderPushedCallbacks {
+ cb(eventType, ev, field)
+ }
+ }
+ }
+ }
+}
+
+// ApplyFilterPolicy is called when a passing policy for an event type is applied
+func (p *EBPFProbe) ApplyFilterPolicy(eventType eval.EventType, mode kfilters.PolicyMode, flags kfilters.PolicyFlag) error {
+ seclog.Infof("Setting in-kernel filter policy to `%s` for `%s`", mode, eventType)
+ table, err := managerhelper.Map(p.Manager, "filter_policy")
+ if err != nil {
+ return fmt.Errorf("unable to find policy table: %w", err)
+ }
+
+ et := config.ParseEvalEventType(eventType)
+ if et == model.UnknownEventType {
+ return errors.New("unable to parse the eval event type")
+ }
+
+ policy := &kfilters.FilterPolicy{
+ Mode: mode,
+ Flags: flags,
+ }
+
+ return table.Put(ebpf.Uint32MapItem(et), policy)
+}
+
+// SetApprovers applies approvers and removes the unused ones
+func (p *EBPFProbe) SetApprovers(eventType eval.EventType, approvers rules.Approvers) error {
+ handler, exists := kfilters.AllApproversHandlers[eventType]
+ if !exists {
+ return nil
+ }
+
+ newApprovers, err := handler(approvers)
+ if err != nil {
+ seclog.Errorf("Error while adding approvers fallback in-kernel policy to `%s` for `%s`: %s", kfilters.PolicyModeAccept, eventType, err)
+ }
+
+ type tag struct {
+ eventType eval.EventType
+ approverType string
+ }
+ approverAddedMetricCounter := make(map[tag]float64)
+
+ for _, newApprover := range newApprovers {
+ seclog.Tracef("Applying approver %+v for event type %s", newApprover, eventType)
+ if err := newApprover.Apply(p.Manager); err != nil {
+ return err
+ }
+
+ approverType := getApproverType(newApprover.GetTableName())
+ approverAddedMetricCounter[tag{eventType, approverType}]++
+ }
+
+ if previousApprovers, exist := p.approvers[eventType]; exist {
+ previousApprovers.Sub(newApprovers)
+ for _, previousApprover := range previousApprovers {
+ seclog.Tracef("Removing previous approver %+v for event type %s", previousApprover, eventType)
+ if err := previousApprover.Remove(p.Manager); err != nil {
+ return err
+ }
+
+ approverType := getApproverType(previousApprover.GetTableName())
+ approverAddedMetricCounter[tag{eventType, approverType}]--
+ if approverAddedMetricCounter[tag{eventType, approverType}] <= 0 {
+ delete(approverAddedMetricCounter, tag{eventType, approverType})
+ }
+ }
+ }
+
+ for tags, count := range approverAddedMetricCounter {
+ tags := []string{
+ fmt.Sprintf("approver_type:%s", tags.approverType),
+ fmt.Sprintf("event_type:%s", tags.eventType),
+ }
+
+ if err := p.statsdClient.Gauge(metrics.MetricApproverAdded, count, tags, 1.0); err != nil {
+ seclog.Tracef("couldn't set MetricApproverAdded metric: %s", err)
+ }
+ }
+
+ p.approvers[eventType] = newApprovers
+ return nil
+}
+
+func getApproverType(approverTableName string) string {
+ approverType := "flag"
+
+ if approverTableName == kfilters.BasenameApproverKernelMapName {
+ approverType = "basename"
+ }
+
+ return approverType
+}
+
+func (p *EBPFProbe) isNeededForActivityDump(eventType eval.EventType) bool {
+ if p.config.RuntimeSecurity.ActivityDumpEnabled {
+ for _, e := range p.profileManagers.GetActivityDumpTracedEventTypes() {
+ if e.String() == eventType {
+ return true
+ }
+ }
+ }
+ return false
+}
+
+func (p *EBPFProbe) isNeededForSecurityProfile(eventType eval.EventType) bool {
+ if p.config.RuntimeSecurity.SecurityProfileEnabled {
+ for _, e := range p.config.RuntimeSecurity.AnomalyDetectionEventTypes {
+ if e.String() == eventType {
+ return true
+ }
+ }
+ }
+ return false
+}
+
+func (p *EBPFProbe) validEventTypeForConfig(eventType string) bool {
+ if eventType == "dns" && !p.config.Probe.NetworkEnabled {
+ return false
+ }
+ return true
+}
+
+// updateProbes applies the loaded set of rules and returns a report
+// of the applied approvers for it.
+func (p *EBPFProbe) updateProbes(ruleEventTypes []eval.EventType, needRawSyscalls bool) error {
+ // event types enabled either by event handlers or by rules
+ eventTypes := append([]eval.EventType{}, defaultEventTypes...)
+ eventTypes = append(eventTypes, ruleEventTypes...)
+ for eventType, handlers := range p.probe.eventHandlers {
+ if len(handlers) == 0 {
+ continue
+ }
+ if slices.Contains(eventTypes, model.EventType(eventType).String()) {
+ continue
+ }
+ if eventType != int(model.UnknownEventType) && eventType != int(model.MaxAllEventType) {
+ eventTypes = append(eventTypes, model.EventType(eventType).String())
+ }
+ }
+
+ activatedProbes := probes.SnapshotSelectors(p.useFentry)
+
+ // extract probe to activate per the event types
+ for eventType, selectors := range probes.GetSelectorsPerEventType(p.useFentry) {
+ if (eventType == "*" || slices.Contains(eventTypes, eventType) || p.isNeededForActivityDump(eventType) || p.isNeededForSecurityProfile(eventType)) && p.validEventTypeForConfig(eventType) {
+ activatedProbes = append(activatedProbes, selectors...)
+ }
+ }
+
+ activatedProbes = append(activatedProbes, p.Resolvers.TCResolver.SelectTCProbes())
+
+ if needRawSyscalls {
+ activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors...)
+ } else {
+ // ActivityDumps
+ if p.config.RuntimeSecurity.ActivityDumpEnabled {
+ for _, e := range p.profileManagers.GetActivityDumpTracedEventTypes() {
+ if e == model.SyscallsEventType {
+ activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors...)
+ break
+ }
+ }
+ }
+ }
+
+ // Print the list of unique probe identification IDs that are registered
+ var selectedIDs []manager.ProbeIdentificationPair
+ for _, selector := range activatedProbes {
+ for _, id := range selector.GetProbesIdentificationPairList() {
+ var exists bool
+ for _, selectedID := range selectedIDs {
+ if selectedID == id {
+ exists = true
+ }
+ }
+ if !exists {
+ selectedIDs = append(selectedIDs, id)
+ seclog.Tracef("probe %s selected", id)
+ }
+ }
+ }
+
+ enabledEventsMap, err := managerhelper.Map(p.Manager, "enabled_events")
+ if err != nil {
+ return err
+ }
+
+ enabledEvents := uint64(0)
+ for _, eventName := range eventTypes {
+ if eventName != "*" {
+ eventType := config.ParseEvalEventType(eventName)
+ if eventType == model.UnknownEventType {
+ return fmt.Errorf("unknown event type '%s'", eventName)
+ }
+ enabledEvents |= 1 << (eventType - 1)
+ }
+ }
+
+ if err := enabledEventsMap.Put(ebpf.ZeroUint32MapItem, enabledEvents); err != nil {
+ return fmt.Errorf("failed to set enabled events: %w", err)
+ }
+
+ return p.Manager.UpdateActivatedProbes(activatedProbes)
+}
+
+// GetDiscarders retrieve the discarders
+func (p *EBPFProbe) GetDiscarders() (*DiscardersDump, error) {
+ inodeMap, err := managerhelper.Map(p.Manager, "inode_discarders")
+ if err != nil {
+ return nil, err
+ }
+
+ pidMap, err := managerhelper.Map(p.Manager, "pid_discarders")
+ if err != nil {
+ return nil, err
+ }
+
+ statsFB, err := managerhelper.Map(p.Manager, "fb_discarder_stats")
+ if err != nil {
+ return nil, err
+ }
+
+ statsBB, err := managerhelper.Map(p.Manager, "bb_discarder_stats")
+ if err != nil {
+ return nil, err
+ }
+
+ dump, err := dumpDiscarders(p.Resolvers.DentryResolver, pidMap, inodeMap, statsFB, statsBB)
+ if err != nil {
+ return nil, err
+ }
+ return &dump, nil
+}
+
+// DumpDiscarders dump the discarders
+func (p *EBPFProbe) DumpDiscarders() (string, error) {
+ dump, err := p.GetDiscarders()
+ if err != nil {
+ return "", err
+ }
+
+ fp, err := os.CreateTemp("/tmp", "discarder-dump-")
+ if err != nil {
+ return "", err
+ }
+ defer fp.Close()
+
+ if err := os.Chmod(fp.Name(), 0400); err != nil {
+ return "", err
+ }
+
+ encoder := yaml.NewEncoder(fp)
+ defer encoder.Close()
+
+ if err := encoder.Encode(dump); err != nil {
+ return "", err
+ }
+ err = fp.Close()
+ if err != nil {
+ return "", fmt.Errorf("could not close file [%s]: %w", fp.Name(), err)
+ }
+ return fp.Name(), err
+}
+
+// FlushDiscarders flush the discarders
+func (p *EBPFProbe) FlushDiscarders() error {
+ return bumpDiscardersRevision(p.Erpc)
+}
+
+// RefreshUserCache refreshes the user cache
+func (p *EBPFProbe) RefreshUserCache(containerID string) error {
+ return p.Resolvers.UserGroupResolver.RefreshCache(containerID)
+}
+
+// Snapshot runs the different snapshot functions of the resolvers that
+// require to sync with the current state of the system
+func (p *EBPFProbe) Snapshot() error {
+ // the snapshot for the read of a lot of file which can allocate a lot of memory.
+ defer runtime.GC()
+ return p.Resolvers.Snapshot()
+}
+
+// Stop the probe
+func (p *EBPFProbe) Stop() {
+ _ = p.Manager.StopReaders(manager.CleanAll)
+}
+
+// Close the probe
+func (p *EBPFProbe) Close() error {
+ // Cancelling the context will stop the reorderer = we won't dequeue events anymore and new events from the
+ // perf map reader are ignored
+ p.cancelFnc()
+
+ // we wait until both the reorderer and the monitor are stopped
+ p.wg.Wait()
+
+ ebpfcheck.RemoveNameMappings(p.Manager)
+ // Stopping the manager will stop the perf map reader and unload eBPF programs
+ if err := p.Manager.Stop(manager.CleanAll); err != nil {
+ return err
+ }
+
+ // when we reach this point, we do not generate nor consume events anymore, we can close the resolvers
+ return p.Resolvers.Close()
+}
+
+// QueuedNetworkDeviceError is used to indicate that the new network device was queued until its namespace handle is
+// resolved.
+type QueuedNetworkDeviceError struct {
+ msg string
+}
+
+func (err QueuedNetworkDeviceError) Error() string {
+ return err.msg
+}
+
+func (p *EBPFProbe) setupNewTCClassifier(device model.NetDevice) error {
+ // select netns handle
+ var handle *os.File
+ var err error
+ netns := p.Resolvers.NamespaceResolver.ResolveNetworkNamespace(device.NetNS)
+ if netns != nil {
+ handle, err = netns.GetNamespaceHandleDup()
+ }
+ if err != nil {
+ defer handle.Close()
+ }
+ if netns == nil || err != nil || handle == nil {
+ // queue network device so that a TC classifier can be added later
+ p.Resolvers.NamespaceResolver.QueueNetworkDevice(device)
+ return QueuedNetworkDeviceError{msg: fmt.Sprintf("device %s is queued until %d is resolved", device.Name, device.NetNS)}
+ }
+ err = p.Resolvers.TCResolver.SetupNewTCClassifierWithNetNSHandle(device, handle, p.Manager)
+ if err != nil {
+ return err
+ }
+ if handle != nil {
+ if err := handle.Close(); err != nil {
+ return fmt.Errorf("could not close file [%s]: %w", handle.Name(), err)
+ }
+ }
+ return err
+}
+
+// FlushNetworkNamespace removes all references and stops all TC programs in the provided network namespace. This method
+// flushes the network namespace in the network namespace resolver as well.
+func (p *EBPFProbe) FlushNetworkNamespace(namespace *netns.NetworkNamespace) {
+ p.Resolvers.NamespaceResolver.FlushNetworkNamespace(namespace)
+
+ // cleanup internal structures
+ p.Resolvers.TCResolver.FlushNetworkNamespaceID(namespace.ID(), p.Manager)
+}
+
+func (p *EBPFProbe) handleNewMount(ev *model.Event, m *model.Mount) error {
+ // There could be entries of a previous mount_id in the cache for instance,
+ // runc does the following : it bind mounts itself (using /proc/exe/self),
+ // opens a file descriptor on the new file with O_CLOEXEC then umount the bind mount using
+ // MNT_DETACH. It then does an exec syscall, that will cause the fd to be closed.
+ // Our dentry resolution of the exec event causes the inode/mount_id to be put in cache,
+ // so we remove all dentry entries belonging to the mountID.
+ p.Resolvers.DentryResolver.DelCacheEntries(m.MountID)
+
+ // Resolve mount point
+ if err := p.Resolvers.PathResolver.SetMountPoint(ev, m); err != nil {
+ seclog.Debugf("failed to set mount point: %v", err)
+ return err
+ }
+ // Resolve root
+ if err := p.Resolvers.PathResolver.SetMountRoot(ev, m); err != nil {
+ seclog.Debugf("failed to set mount root: %v", err)
+ return err
+ }
+
+ // Insert new mount point in cache, passing it a copy of the mount that we got from the event
+ if err := p.Resolvers.MountResolver.Insert(*m); err != nil {
+ seclog.Errorf("failed to insert mount event: %v", err)
+ return err
+ }
+
+ return nil
+}
+
+func (p *EBPFProbe) applyDefaultFilterPolicies() {
+ if !p.config.Probe.EnableKernelFilters {
+ seclog.Warnf("Forcing in-kernel filter policy to `pass`: filtering not enabled")
+ }
+
+ for eventType := model.FirstEventType; eventType <= model.LastEventType; eventType++ {
+ var mode kfilters.PolicyMode
+
+ if !p.config.Probe.EnableKernelFilters {
+ mode = kfilters.PolicyModeNoFilter
+ } else if len(p.probe.eventHandlers[eventType]) > 0 {
+ mode = kfilters.PolicyModeAccept
+ } else {
+ mode = kfilters.PolicyModeDeny
+ }
+
+ if err := p.ApplyFilterPolicy(eventType.String(), mode, math.MaxUint8); err != nil {
+ seclog.Debugf("unable to apply to filter policy `%s` for `%s`", eventType, mode)
+ }
+ }
+}
+
+// ApplyRuleSet apply the required update to handle the new ruleset
+func (p *EBPFProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error) {
+ if p.opts.SyscallsMonitorEnabled {
+ if err := p.monitors.syscallsMonitor.Disable(); err != nil {
+ return nil, err
+ }
+ }
+
+ ars, err := kfilters.NewApplyRuleSetReport(p.config.Probe, rs)
+ if err != nil {
+ return nil, err
+ }
+
+ for eventType, report := range ars.Policies {
+ if err := p.ApplyFilterPolicy(eventType, report.Mode, report.Flags); err != nil {
+ return nil, err
+ }
+ if err := p.SetApprovers(eventType, report.Approvers); err != nil {
+ return nil, err
+ }
+ }
+
+ needRawSyscalls := p.isNeededForActivityDump(model.SyscallsEventType.String())
+ if !needRawSyscalls {
+ // Add syscall monitor probes if it's either activated or
+ // there is an 'kill' action in the ruleset
+ for _, rule := range rs.GetRules() {
+ for _, action := range rule.Definition.Actions {
+ if action.Kill != nil {
+ needRawSyscalls = true
+ break
+ }
+ }
+ }
+ }
+
+ if err := p.updateProbes(rs.GetEventTypes(), needRawSyscalls); err != nil {
+ return nil, fmt.Errorf("failed to select probes: %w", err)
+ }
+
+ if p.opts.SyscallsMonitorEnabled {
+ if err := p.monitors.syscallsMonitor.Flush(); err != nil {
+ return nil, err
+ }
+ if err := p.monitors.syscallsMonitor.Enable(); err != nil {
+ return nil, err
+ }
+ }
+
+ return ars, nil
+}
+
+// NewEvent returns a new event
+func (p *EBPFProbe) NewEvent() *model.Event {
+ return NewEBPFEvent(p.fieldHandlers)
+}
+
+// GetFieldHandlers returns the field handlers
+func (p *EBPFProbe) GetFieldHandlers() model.FieldHandlers {
+ return p.fieldHandlers
+}
+
+// DumpProcessCache dumps the process cache
+func (p *EBPFProbe) DumpProcessCache(withArgs bool) (string, error) {
+ return p.Resolvers.ProcessResolver.Dump(withArgs)
+}
+
+// NewEBPFProbe instantiates a new runtime security agent probe
+func NewEBPFProbe(probe *Probe, config *config.Config, opts Opts) (*EBPFProbe, error) {
+ nerpc, err := erpc.NewERPC()
+ if err != nil {
+ return nil, err
+ }
+
+ ctx, cancelFnc := context.WithCancel(context.Background())
+
+ p := &EBPFProbe{
+ probe: probe,
+ config: config,
+ opts: opts,
+ statsdClient: opts.StatsdClient,
+ discarderRateLimiter: rate.NewLimiter(rate.Every(time.Second/5), 100),
+ approvers: make(map[eval.EventType]kfilters.ActiveApprovers),
+ managerOptions: ebpf.NewDefaultOptions(),
+ Erpc: nerpc,
+ erpcRequest: erpc.NewERPCRequest(0),
+ isRuntimeDiscarded: !probe.Opts.DontDiscardRuntime,
+ ctx: ctx,
+ cancelFnc: cancelFnc,
+ }
+
+ if err := p.detectKernelVersion(); err != nil {
+ // we need the kernel version to start, fail if we can't get it
+ return nil, err
+ }
+
+ if err := p.sanityChecks(); err != nil {
+ return nil, err
+ }
+
+ if err := p.VerifyOSVersion(); err != nil {
+ seclog.Warnf("the current kernel isn't officially supported, some features might not work properly: %v", err)
+ }
+
+ if err := p.VerifyEnvironment(); err != nil {
+ seclog.Warnf("the current environment may be misconfigured: %v", err)
+ }
+
+ p.selectFentryMode()
+
+ useRingBuffers := p.UseRingBuffers()
+ useMmapableMaps := p.kernelVersion.HaveMmapableMaps()
+
+ p.Manager = ebpf.NewRuntimeSecurityManager(useRingBuffers, p.useFentry)
+
+ p.supportsBPFSendSignal = p.kernelVersion.SupportBPFSendSignal()
+
+ p.ensureConfigDefaults()
+
+ p.monitors = NewEBPFMonitors(p)
+
+ numCPU, err := utils.NumCPU()
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse CPU count: %w", err)
+ }
+
+ p.managerOptions.MapSpecEditors = probes.AllMapSpecEditors(numCPU, probes.MapSpecEditorOpts{
+ TracedCgroupSize: config.RuntimeSecurity.ActivityDumpTracedCgroupsCount,
+ UseRingBuffers: useRingBuffers,
+ UseMmapableMaps: useMmapableMaps,
+ RingBufferSize: uint32(config.Probe.EventStreamBufferSize),
+ PathResolutionEnabled: probe.Opts.PathResolutionEnabled,
+ SecurityProfileMaxCount: config.RuntimeSecurity.SecurityProfileMaxCount,
+ })
+
+ if config.RuntimeSecurity.ActivityDumpEnabled {
+ for _, e := range config.RuntimeSecurity.ActivityDumpTracedEventTypes {
+ if e == model.SyscallsEventType {
+ // Add syscall monitor probes
+ p.managerOptions.ActivatedProbes = append(p.managerOptions.ActivatedProbes, probes.SyscallMonitorSelectors...)
+ break
+ }
+ }
+ }
+
+ p.constantOffsets, err = p.GetOffsetConstants()
+ if err != nil {
+ seclog.Warnf("constant fetcher failed: %v", err)
+ return nil, err
+ }
+
+ p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors, constantfetch.CreateConstantEditors(p.constantOffsets)...)
+
+ areCGroupADsEnabled := config.RuntimeSecurity.ActivityDumpTracedCgroupsCount > 0
+
+ // Add global constant editors
+ p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors,
+ manager.ConstantEditor{
+ Name: "runtime_pid",
+ Value: uint64(utils.Getpid()),
+ },
+ manager.ConstantEditor{
+ Name: "do_fork_input",
+ Value: getDoForkInput(p.kernelVersion),
+ },
+ manager.ConstantEditor{
+ Name: "has_usernamespace_first_arg",
+ Value: getHasUsernamespaceFirstArg(p.kernelVersion),
+ },
+ manager.ConstantEditor{
+ Name: "ovl_path_in_ovl_inode",
+ Value: getOvlPathInOvlInode(p.kernelVersion),
+ },
+ manager.ConstantEditor{
+ Name: "mount_id_offset",
+ Value: mount.GetMountIDOffset(p.kernelVersion),
+ },
+ manager.ConstantEditor{
+ Name: "getattr2",
+ Value: getAttr2(p.kernelVersion),
+ },
+ manager.ConstantEditor{
+ Name: "vfs_unlink_dentry_position",
+ Value: mount.GetVFSLinkDentryPosition(p.kernelVersion),
+ },
+ manager.ConstantEditor{
+ Name: "vfs_mkdir_dentry_position",
+ Value: mount.GetVFSMKDirDentryPosition(p.kernelVersion),
+ },
+ manager.ConstantEditor{
+ Name: "vfs_link_target_dentry_position",
+ Value: mount.GetVFSLinkTargetDentryPosition(p.kernelVersion),
+ },
+ manager.ConstantEditor{
+ Name: "vfs_setxattr_dentry_position",
+ Value: mount.GetVFSSetxattrDentryPosition(p.kernelVersion),
+ },
+ manager.ConstantEditor{
+ Name: "vfs_removexattr_dentry_position",
+ Value: mount.GetVFSRemovexattrDentryPosition(p.kernelVersion),
+ },
+ manager.ConstantEditor{
+ Name: "vfs_rename_input_type",
+ Value: mount.GetVFSRenameInputType(p.kernelVersion),
+ },
+ manager.ConstantEditor{
+ Name: "check_helper_call_input",
+ Value: getCheckHelperCallInputType(p.kernelVersion),
+ },
+ manager.ConstantEditor{
+ Name: "cgroup_activity_dumps_enabled",
+ Value: utils.BoolTouint64(config.RuntimeSecurity.ActivityDumpEnabled && areCGroupADsEnabled),
+ },
+ manager.ConstantEditor{
+ Name: "net_struct_type",
+ Value: getNetStructType(p.kernelVersion),
+ },
+ manager.ConstantEditor{
+ Name: "syscall_monitor_event_period",
+ Value: uint64(config.RuntimeSecurity.ActivityDumpSyscallMonitorPeriod.Nanoseconds()),
+ },
+ manager.ConstantEditor{
+ Name: "send_signal",
+ Value: utils.BoolTouint64(p.kernelVersion.SupportBPFSendSignal()),
+ },
+ manager.ConstantEditor{
+ Name: "anomaly_syscalls",
+ Value: utils.BoolTouint64(slices.Contains(config.RuntimeSecurity.AnomalyDetectionEventTypes, model.SyscallsEventType)),
+ },
+ manager.ConstantEditor{
+ Name: "monitor_syscalls_map_enabled",
+ Value: utils.BoolTouint64(probe.Opts.SyscallsMonitorEnabled),
+ },
+ )
+
+ p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors, DiscarderConstants...)
+ p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors, getCGroupWriteConstants())
+
+ // if we are using tracepoints to probe syscall exits, i.e. if we are using an old kernel version (< 4.12)
+ // we need to use raw_syscall tracepoints for exits, as syscall are not trace when running an ia32 userspace
+ // process
+ if probes.ShouldUseSyscallExitTracepoints() {
+ p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors,
+ manager.ConstantEditor{
+ Name: "tracepoint_raw_syscall_fallback",
+ Value: utils.BoolTouint64(true),
+ },
+ )
+ }
+
+ if useRingBuffers {
+ p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors,
+ manager.ConstantEditor{
+ Name: "use_ring_buffer",
+ Value: utils.BoolTouint64(true),
+ },
+ )
+ }
+
+ if p.kernelVersion.HavePIDLinkStruct() {
+ p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors,
+ manager.ConstantEditor{
+ Name: "kernel_has_pid_link_struct",
+ Value: utils.BoolTouint64(true),
+ },
+ )
+ }
+
+ if p.kernelVersion.HaveLegacyPipeInodeInfoStruct() {
+ p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors,
+ manager.ConstantEditor{
+ Name: "kernel_has_legacy_pipe_inode_info",
+ Value: utils.BoolTouint64(true),
+ },
+ )
+ }
+
+ // tail calls
+ p.managerOptions.TailCallRouter = probes.AllTailRoutes(config.Probe.ERPCDentryResolutionEnabled, config.Probe.NetworkEnabled, useMmapableMaps, p.useFentry)
+ if !config.Probe.ERPCDentryResolutionEnabled || useMmapableMaps {
+ // exclude the programs that use the bpf_probe_write_user helper
+ p.managerOptions.ExcludedFunctions = probes.AllBPFProbeWriteUserProgramFunctions()
+ }
+
+ if !config.Probe.NetworkEnabled {
+ // prevent all TC classifiers from loading
+ p.managerOptions.ExcludedFunctions = append(p.managerOptions.ExcludedFunctions, probes.GetAllTCProgramFunctions()...)
+ }
+
+ if p.useFentry {
+ afBasedExcluder, err := newAvailableFunctionsBasedExcluder()
+ if err != nil {
+ return nil, err
+ }
+
+ p.managerOptions.AdditionalExcludedFunctionCollector = afBasedExcluder
+ }
+
+ resolversOpts := resolvers.Opts{
+ PathResolutionEnabled: probe.Opts.PathResolutionEnabled,
+ TagsResolver: probe.Opts.TagsResolver,
+ UseRingBuffer: useRingBuffers,
+ TTYFallbackEnabled: probe.Opts.TTYFallbackEnabled,
+ }
+
+ p.Resolvers, err = resolvers.NewEBPFResolvers(config, p.Manager, probe.StatsdClient, probe.scrubber, p.Erpc, resolversOpts)
+ if err != nil {
+ return nil, err
+ }
+
+ // TODO safchain change the fields handlers
+ p.fieldHandlers = &EBPFFieldHandlers{resolvers: p.Resolvers}
+
+ if useRingBuffers {
+ p.eventStream = ringbuffer.New(p.handleEvent)
+ p.managerOptions.SkipRingbufferReaderStartup = map[string]bool{
+ eventstream.EventStreamMap: true,
+ }
+ } else {
+ p.eventStream, err = reorderer.NewOrderedPerfMap(p.ctx, p.handleEvent, probe.StatsdClient)
+ if err != nil {
+ return nil, err
+ }
+ p.managerOptions.SkipPerfMapReaderStartup = map[string]bool{
+ eventstream.EventStreamMap: true,
+ }
+ }
+
+ return p, nil
+}
+
+// GetProfileManagers returns the security profile managers
+func (p *EBPFProbe) GetProfileManagers() *SecurityProfileManagers {
+ return p.profileManagers
+}
+
+func (p *EBPFProbe) ensureConfigDefaults() {
+ // enable runtime compiled constants on COS by default
+ if !p.config.Probe.RuntimeCompiledConstantsIsSet && p.kernelVersion.IsCOSKernel() {
+ p.config.Probe.RuntimeCompiledConstantsEnabled = true
+ }
+}
+
+const (
+ netStructHasProcINum uint64 = 0
+ netStructHasNS uint64 = 1
+)
+
+// getNetStructType returns whether the net structure has a namespace attribute
+func getNetStructType(kv *kernel.Version) uint64 {
+ if kv.IsRH7Kernel() {
+ return netStructHasProcINum
+ }
+ return netStructHasNS
+}
+
+const (
+ doForkListInput uint64 = iota
+ doForkStructInput
+)
+
+func getAttr2(kernelVersion *kernel.Version) uint64 {
+ if kernelVersion.IsRH7Kernel() {
+ return 1
+ }
+ return 0
+}
+
+// getDoForkInput returns the expected input type of _do_fork, do_fork and kernel_clone
+func getDoForkInput(kernelVersion *kernel.Version) uint64 {
+ if kernelVersion.Code != 0 && kernelVersion.Code >= kernel.Kernel5_3 {
+ return doForkStructInput
+ }
+ return doForkListInput
+}
+
+func getHasUsernamespaceFirstArg(kernelVersion *kernel.Version) uint64 {
+ if kernelVersion.Code != 0 && kernelVersion.Code >= kernel.Kernel6_0 {
+ return 1
+ }
+ return 0
+}
+
+func getOvlPathInOvlInode(kernelVersion *kernel.Version) uint64 {
+ // https://github.com/torvalds/linux/commit/0af950f57fefabab628f1963af881e6b9bfe7f38
+ if kernelVersion.Code != 0 && kernelVersion.Code >= kernel.Kernel6_5 {
+ return 2
+ }
+
+ // https://github.com/torvalds/linux/commit/ffa5723c6d259b3191f851a50a98d0352b345b39
+ // changes a bit how the lower dentry/inode is stored in `ovl_inode`. To check if we
+ // are in this configuration we first probe the kernel version, then we check for the
+ // presence of the function introduced in the same patch.
+ const patchSentinel = "ovl_i_path_real"
+
+ if kernelVersion.Code != 0 && kernelVersion.Code >= kernel.Kernel5_19 {
+ return 1
+ }
+
+ check, err := commonebpf.VerifyKernelFuncs(patchSentinel)
+ if err != nil {
+ return 0
+ }
+
+ // VerifyKernelFuncs returns the missing functions
+ if _, ok := check[patchSentinel]; !ok {
+ return 1
+ }
+
+ return 0
+}
+
+// getCGroupWriteConstants returns the value of the constant used to determine how cgroups should be captured in kernel
+// space
+func getCGroupWriteConstants() manager.ConstantEditor {
+ cgroupWriteConst := uint64(1)
+ kv, err := kernel.NewKernelVersion()
+ if err == nil {
+ if kv.IsRH7Kernel() {
+ cgroupWriteConst = 2
+ }
+ }
+
+ return manager.ConstantEditor{
+ Name: "cgroup_write_type",
+ Value: cgroupWriteConst,
+ }
+}
+
+// GetOffsetConstants returns the offsets and struct sizes constants
+func (p *EBPFProbe) GetOffsetConstants() (map[string]uint64, error) {
+ constantFetcher := constantfetch.ComposeConstantFetchers(constantfetch.GetAvailableConstantFetchers(p.config.Probe, p.kernelVersion, p.statsdClient))
+ AppendProbeRequestsToFetcher(constantFetcher, p.kernelVersion)
+ return constantFetcher.FinishAndGetResults()
+}
+
+// GetConstantFetcherStatus returns the status of the constant fetcher associated with this probe
+func (p *EBPFProbe) GetConstantFetcherStatus() (*constantfetch.ConstantFetcherStatus, error) {
+ constantFetcher := constantfetch.ComposeConstantFetchers(constantfetch.GetAvailableConstantFetchers(p.config.Probe, p.kernelVersion, p.statsdClient))
+ AppendProbeRequestsToFetcher(constantFetcher, p.kernelVersion)
+ return constantFetcher.FinishAndGetStatus()
+}
+
+// AppendProbeRequestsToFetcher returns the offsets and struct sizes constants, from a constant fetcher
+func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher, kv *kernel.Version) {
+ constantFetcher.AppendSizeofRequest(constantfetch.SizeOfInode, "struct inode", "linux/fs.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSuperBlockStructSFlags, "struct super_block", "s_flags", "linux/fs.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSuperBlockStructSMagic, "struct super_block", "s_magic", "linux/fs.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameDentryStructDSB, "struct dentry", "d_sb", "linux/dcache.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSignalStructStructTTY, "struct signal_struct", "tty", "linux/sched/signal.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameTTYStructStructName, "struct tty_struct", "name", "linux/tty.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameCredStructUID, "struct cred", "uid", "linux/cred.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameLinuxBinprmP, "struct linux_binprm", "p", "linux/binfmts.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameLinuxBinprmArgc, "struct linux_binprm", "argc", "linux/binfmts.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameLinuxBinprmEnvc, "struct linux_binprm", "envc", "linux/binfmts.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameVMAreaStructFlags, "struct vm_area_struct", "vm_flags", "linux/mm_types.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFileFinode, "struct file", "f_inode", "linux/fs.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFileFpath, "struct file", "f_path", "linux/fs.h")
+ if kv.Code >= kernel.Kernel5_3 {
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameKernelCloneArgsExitSignal, "struct kernel_clone_args", "exit_signal", "linux/sched/task.h")
+ }
+
+ // bpf offsets
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFMapStructID, "struct bpf_map", "id", "linux/bpf.h")
+ if kv.Code != 0 && (kv.Code >= kernel.Kernel4_15 || kv.IsRH7Kernel()) {
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFMapStructName, "struct bpf_map", "name", "linux/bpf.h")
+ }
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFMapStructMapType, "struct bpf_map", "map_type", "linux/bpf.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFProgAuxStructID, "struct bpf_prog_aux", "id", "linux/bpf.h")
+ if kv.Code != 0 && (kv.Code >= kernel.Kernel4_15 || kv.IsRH7Kernel()) {
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFProgAuxStructName, "struct bpf_prog_aux", "name", "linux/bpf.h")
+ }
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFProgStructTag, "struct bpf_prog", "tag", "linux/filter.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFProgStructAux, "struct bpf_prog", "aux", "linux/filter.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFProgStructType, "struct bpf_prog", "type", "linux/filter.h")
+
+ if kv.Code != 0 && (kv.Code > kernel.Kernel4_16 || kv.IsSuse12Kernel() || kv.IsSuse15Kernel()) {
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFProgStructExpectedAttachType, "struct bpf_prog", "expected_attach_type", "linux/filter.h")
+ }
+ // namespace nr offsets
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePIDStructLevel, "struct pid", "level", "linux/pid.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePIDStructNumbers, "struct pid", "numbers", "linux/pid.h")
+ constantFetcher.AppendSizeofRequest(constantfetch.SizeOfUPID, "struct upid", "linux/pid.h")
+ if kv.HavePIDLinkStruct() {
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameTaskStructPIDLink, "struct task_struct", "pids", "linux/sched.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePIDLinkStructPID, "struct pid_link", "pid", "linux/pid.h")
+ } else {
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameTaskStructPID, "struct task_struct", "thread_pid", "linux/sched.h")
+ }
+
+ // splice event
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePipeInodeInfoStructBufs, "struct pipe_inode_info", "bufs", "linux/pipe_fs_i.h")
+ if kv.HaveLegacyPipeInodeInfoStruct() {
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePipeInodeInfoStructNrbufs, "struct pipe_inode_info", "nrbufs", "linux/pipe_fs_i.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePipeInodeInfoStructCurbuf, "struct pipe_inode_info", "curbuf", "linux/pipe_fs_i.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePipeInodeInfoStructBuffers, "struct pipe_inode_info", "buffers", "linux/pipe_fs_i.h")
+ } else {
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePipeInodeInfoStructHead, "struct pipe_inode_info", "head", "linux/pipe_fs_i.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePipeInodeInfoStructRingsize, "struct pipe_inode_info", "ring_size", "linux/pipe_fs_i.h")
+ }
+
+ // network related constants
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameNetDeviceStructIfIndex, "struct net_device", "ifindex", "linux/netdevice.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSockCommonStructSKCNet, "struct sock_common", "skc_net", "net/sock.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSockCommonStructSKCFamily, "struct sock_common", "skc_family", "net/sock.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI4StructSADDR, "struct flowi4", "saddr", "net/flow.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI4StructULI, "struct flowi4", "uli", "net/flow.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI6StructSADDR, "struct flowi6", "saddr", "net/flow.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI6StructULI, "struct flowi6", "uli", "net/flow.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSocketStructSK, "struct socket", "sk", "linux/net.h")
+
+ // Interpreter constants
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameLinuxBinprmStructFile, "struct linux_binprm", "file", "linux/binfmts.h")
+
+ if !kv.IsRH7Kernel() {
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameNFConnStructCTNet, "struct nf_conn", "ct_net", "net/netfilter/nf_conntrack.h")
+ }
+
+ if getNetStructType(kv) == netStructHasProcINum {
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameNetStructProcInum, "struct net", "proc_inum", "net/net_namespace.h")
+ } else {
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameNetStructNS, "struct net", "ns", "net/net_namespace.h")
+ }
+
+ // iouring
+ if kv.Code != 0 && (kv.Code >= kernel.Kernel5_1) {
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameIoKiocbStructCtx, "struct io_kiocb", "ctx", "")
+ }
+}
+
+// HandleActions handles the rule actions
+func (p *EBPFProbe) HandleActions(rule *rules.Rule, event eval.Event) {
+ ev := event.(*model.Event)
+ for _, action := range rule.Definition.Actions {
+ switch {
+ case action.InternalCallbackDefinition != nil && rule.ID == events.RefreshUserCacheRuleID:
+ _ = p.RefreshUserCache(ev.ContainerContext.ID)
+
+ case action.Kill != nil:
+ if pid := ev.ProcessContext.Pid; pid > 1 && pid != utils.Getpid() {
+ log.Debugf("Requesting signal %s to be sent to %d", action.Kill.Signal, pid)
+ sig := model.SignalConstants[action.Kill.Signal]
+
+ var err error
+ if p.supportsBPFSendSignal {
+ err = p.killListMap.Put(uint32(pid), uint32(sig))
+ } else {
+ err = syscall.Kill(int(pid), syscall.Signal(sig))
+ }
+ if err != nil {
+ seclog.Warnf("failed to kill process %d: %s", pid, err)
+ }
+ }
+ }
+ }
+}
diff --git a/pkg/security/probe/probe_linux_test.go b/pkg/security/probe/probe_ebpf_test.go
similarity index 100%
rename from pkg/security/probe/probe_linux_test.go
rename to pkg/security/probe/probe_ebpf_test.go
diff --git a/pkg/security/probe/probe_epbfless.go b/pkg/security/probe/probe_epbfless.go
new file mode 100644
index 0000000000000..039ea352060e5
--- /dev/null
+++ b/pkg/security/probe/probe_epbfless.go
@@ -0,0 +1,246 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build linux
+
+// Package probe holds probe related files
+package probe
+
+import (
+ "context"
+ "errors"
+ "net"
+ "path/filepath"
+
+ "google.golang.org/grpc"
+
+ "github.com/DataDog/datadog-agent/pkg/security/config"
+ "github.com/DataDog/datadog-agent/pkg/security/probe/kfilters"
+ "github.com/DataDog/datadog-agent/pkg/security/proto/ebpfless"
+ "github.com/DataDog/datadog-agent/pkg/security/resolvers"
+ "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
+ "github.com/DataDog/datadog-agent/pkg/security/secl/model"
+ "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+ "github.com/DataDog/datadog-agent/pkg/security/seclog"
+ "github.com/DataDog/datadog-agent/pkg/security/serializers"
+ "github.com/DataDog/datadog-go/v5/statsd"
+)
+
+// EBPFLessProbe defines an eBPF less probe
+type EBPFLessProbe struct {
+ Resolvers *resolvers.EBPFLessResolvers
+
+ // Constants and configuration
+ opts Opts
+ config *config.Config
+ statsdClient statsd.ClientInterface
+
+ // internals
+ ebpfless.UnimplementedSyscallMsgStreamServer
+ server *grpc.Server
+ seqNum uint64
+ probe *Probe
+ ctx context.Context
+ cancelFnc context.CancelFunc
+ fieldHandlers *EBPFLessFieldHandlers
+}
+
+// SendSyscallMsg handles gRPC messages
+func (p *EBPFLessProbe) SendSyscallMsg(_ context.Context, syscallMsg *ebpfless.SyscallMsg) (*ebpfless.Response, error) {
+ if p.seqNum != syscallMsg.SeqNum {
+ seclog.Errorf("communication out of sync %d vs %d", p.seqNum, syscallMsg.SeqNum)
+ }
+ p.seqNum++
+
+ event := p.probe.zeroEvent()
+
+ switch syscallMsg.Type {
+ case ebpfless.SyscallType_Exec:
+ event.Type = uint32(model.ExecEventType)
+ entry := p.Resolvers.ProcessResolver.AddExecEntry(syscallMsg.PID, syscallMsg.Exec.Filename, syscallMsg.Exec.Args, syscallMsg.Exec.Envs, syscallMsg.ContainerContext.ID)
+ event.Exec.Process = &entry.Process
+ case ebpfless.SyscallType_Fork:
+ event.Type = uint32(model.ForkEventType)
+ p.Resolvers.ProcessResolver.AddForkEntry(syscallMsg.PID, syscallMsg.Fork.PPID)
+ case ebpfless.SyscallType_Open:
+ event.Type = uint32(model.FileOpenEventType)
+ event.Open.File.PathnameStr = syscallMsg.Open.Filename
+ event.Open.File.BasenameStr = filepath.Base(syscallMsg.Open.Filename)
+ event.Open.Flags = syscallMsg.Open.Flags
+ event.Open.Mode = syscallMsg.Open.Mode
+ default:
+ return &ebpfless.Response{}, nil
+ }
+
+ // container context
+ event.ContainerContext.ID = syscallMsg.ContainerContext.ID
+ event.ContainerContext.CreatedAt = syscallMsg.ContainerContext.CreatedAt
+ event.ContainerContext.Tags = []string{
+ "image_name:" + syscallMsg.ContainerContext.Name,
+ "image_tag:" + syscallMsg.ContainerContext.Tag,
+ }
+
+ // use ProcessCacheEntry process context as process context
+ event.ProcessCacheEntry = p.Resolvers.ProcessResolver.Resolve(syscallMsg.PID)
+ if event.ProcessCacheEntry == nil {
+ event.ProcessCacheEntry = model.NewPlaceholderProcessCacheEntry(syscallMsg.PID, syscallMsg.PID, false)
+ }
+ event.ProcessContext = &event.ProcessCacheEntry.ProcessContext
+
+ p.DispatchEvent(event)
+
+ return &ebpfless.Response{}, nil
+}
+
+// DispatchEvent sends an event to the probe event handler
+func (p *EBPFLessProbe) DispatchEvent(event *model.Event) {
+ traceEvent("Dispatching event %s", func() ([]byte, model.EventType, error) {
+ eventJSON, err := serializers.MarshalEvent(event)
+ return eventJSON, event.GetEventType(), err
+ })
+
+ // send event to wildcard handlers, like the CWS rule engine, first
+ p.probe.sendEventToWildcardHandlers(event)
+
+ // send event to specific event handlers, like the event monitor consumers, subsequently
+ p.probe.sendEventToSpecificEventTypeHandlers(event)
+}
+
+// Init the probe
+func (p *EBPFLessProbe) Init() error {
+ if err := p.Resolvers.Start(p.ctx); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+// Stop the probe
+func (p *EBPFLessProbe) Stop() {
+ p.server.GracefulStop()
+ p.cancelFnc()
+}
+
+// Close the probe
+func (p *EBPFLessProbe) Close() error {
+ return nil
+}
+
+// Start the probe
+func (p *EBPFLessProbe) Start() error {
+ family, address := config.GetFamilyAddress(p.config.RuntimeSecurity.EBPFLessSocket)
+
+ conn, err := net.Listen(family, address)
+ if err != nil {
+ return err
+ }
+
+ go func() {
+ _ = p.server.Serve(conn)
+ }()
+
+ seclog.Infof("starting listening for ebpf less events on : %s", p.config.RuntimeSecurity.EBPFLessSocket)
+
+ return nil
+}
+
+// Snapshot the already exsisting entities
+func (p *EBPFLessProbe) Snapshot() error {
+ return nil
+}
+
+// Setup the probe
+func (p *EBPFLessProbe) Setup() error {
+ return nil
+}
+
+// OnNewDiscarder handles discarders
+func (p *EBPFLessProbe) OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType) {
+}
+
+// NewModel returns a new Model
+func (p *EBPFLessProbe) NewModel() *model.Model {
+ return NewEBPFLessModel()
+}
+
+// SendStats send the stats
+func (p *EBPFLessProbe) SendStats() error {
+ return nil
+}
+
+// DumpDiscarders dump the discarders
+func (p *EBPFLessProbe) DumpDiscarders() (string, error) {
+ return "", errors.New("not supported")
+}
+
+// FlushDiscarders flush the discarders
+func (p *EBPFLessProbe) FlushDiscarders() error {
+ return nil
+}
+
+// ApplyRuleSet applies the new ruleset
+func (p *EBPFLessProbe) ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error) {
+ return &kfilters.ApplyRuleSetReport{}, nil
+}
+
+// HandleActions handles the rule actions
+func (p *EBPFLessProbe) HandleActions(_ *rules.Rule, _ eval.Event) {}
+
+// NewEvent returns a new event
+func (p *EBPFLessProbe) NewEvent() *model.Event {
+ return NewEBPFLessEvent(p.fieldHandlers)
+}
+
+// GetFieldHandlers returns the field handlers
+func (p *EBPFLessProbe) GetFieldHandlers() model.FieldHandlers {
+ return p.fieldHandlers
+}
+
+// DumpProcessCache dumps the process cache
+func (p *EBPFLessProbe) DumpProcessCache(withArgs bool) (string, error) {
+ return p.Resolvers.ProcessResolver.Dump(withArgs)
+}
+
+// AddDiscarderPushedCallback add a callback to the list of func that have to be called when a discarder is pushed to kernel
+func (p *EBPFLessProbe) AddDiscarderPushedCallback(_ DiscarderPushedCallback) {}
+
+// GetEventTags returns the event tags
+func (p *EBPFLessProbe) GetEventTags(containerID string) []string {
+ return p.Resolvers.TagsResolver.Resolve(containerID)
+}
+
+// NewEBPFLessProbe returns a new eBPF less probe
+func NewEBPFLessProbe(probe *Probe, config *config.Config, opts Opts) (*EBPFLessProbe, error) {
+ opts.normalize()
+
+ ctx, cancelFnc := context.WithCancel(context.Background())
+
+ var grpcOpts []grpc.ServerOption
+ p := &EBPFLessProbe{
+ probe: probe,
+ config: config,
+ opts: opts,
+ statsdClient: opts.StatsdClient,
+ server: grpc.NewServer(grpcOpts...),
+ ctx: ctx,
+ cancelFnc: cancelFnc,
+ }
+
+ ebpfless.RegisterSyscallMsgStreamServer(p.server, p)
+
+ resolversOpts := resolvers.Opts{
+ TagsResolver: opts.TagsResolver,
+ }
+
+ var err error
+ p.Resolvers, err = resolvers.NewEBPFLessResolvers(config, p.statsdClient, probe.scrubber, resolversOpts)
+ if err != nil {
+ return nil, err
+ }
+
+ p.fieldHandlers = &EBPFLessFieldHandlers{resolvers: p.Resolvers}
+
+ return p, nil
+}
diff --git a/pkg/security/probe/probe_linux.go b/pkg/security/probe/probe_linux.go
index 6654e970cc365..6d3dd68d838c9 100644
--- a/pkg/security/probe/probe_linux.go
+++ b/pkg/security/probe/probe_linux.go
@@ -3,1947 +3,42 @@
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
-//go:build linux
-
-// Package probe holds probe related files
-package probe
-
-import (
- "context"
- "errors"
- "fmt"
- "math"
- "os"
- "path/filepath"
- "runtime"
- "sync"
- "syscall"
- "time"
-
- lib "github.com/cilium/ebpf"
- "github.com/hashicorp/go-multierror"
- "github.com/moby/sys/mountinfo"
- "golang.org/x/exp/slices"
- "golang.org/x/sys/unix"
- "golang.org/x/time/rate"
- "gopkg.in/yaml.v3"
-
- manager "github.com/DataDog/ebpf-manager"
- "github.com/DataDog/ebpf-manager/tracefs"
-
- "github.com/DataDog/datadog-agent/pkg/collector/corechecks/ebpf/probe/ebpfcheck"
- aconfig "github.com/DataDog/datadog-agent/pkg/config"
- commonebpf "github.com/DataDog/datadog-agent/pkg/ebpf"
- "github.com/DataDog/datadog-agent/pkg/security/config"
- "github.com/DataDog/datadog-agent/pkg/security/ebpf"
- "github.com/DataDog/datadog-agent/pkg/security/ebpf/kernel"
- "github.com/DataDog/datadog-agent/pkg/security/ebpf/probes"
- "github.com/DataDog/datadog-agent/pkg/security/events"
- "github.com/DataDog/datadog-agent/pkg/security/metrics"
- pconfig "github.com/DataDog/datadog-agent/pkg/security/probe/config"
- "github.com/DataDog/datadog-agent/pkg/security/probe/constantfetch"
- "github.com/DataDog/datadog-agent/pkg/security/probe/erpc"
- "github.com/DataDog/datadog-agent/pkg/security/probe/eventstream"
- "github.com/DataDog/datadog-agent/pkg/security/probe/eventstream/reorderer"
- "github.com/DataDog/datadog-agent/pkg/security/probe/eventstream/ringbuffer"
- "github.com/DataDog/datadog-agent/pkg/security/probe/kfilters"
- "github.com/DataDog/datadog-agent/pkg/security/probe/managerhelper"
- "github.com/DataDog/datadog-agent/pkg/security/resolvers"
- "github.com/DataDog/datadog-agent/pkg/security/resolvers/mount"
- "github.com/DataDog/datadog-agent/pkg/security/resolvers/netns"
- "github.com/DataDog/datadog-agent/pkg/security/resolvers/path"
- "github.com/DataDog/datadog-agent/pkg/security/resolvers/process"
- "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
- "github.com/DataDog/datadog-agent/pkg/security/secl/model"
- "github.com/DataDog/datadog-agent/pkg/security/secl/rules"
- "github.com/DataDog/datadog-agent/pkg/security/seclog"
- "github.com/DataDog/datadog-agent/pkg/security/security_profile/dump"
- "github.com/DataDog/datadog-agent/pkg/security/serializers"
- "github.com/DataDog/datadog-agent/pkg/security/utils"
- utilkernel "github.com/DataDog/datadog-agent/pkg/util/kernel"
- "github.com/DataDog/datadog-agent/pkg/util/log"
-)
-
-// EventStream describes the interface implemented by reordered perf maps or ring buffers
-type EventStream interface {
- Init(*manager.Manager, *pconfig.Config) error
- SetMonitor(eventstream.LostEventCounter)
- Start(*sync.WaitGroup) error
- Pause() error
- Resume() error
-}
-
-var (
- // defaultEventTypes event types used whatever the event handlers or the rules
- defaultEventTypes = []eval.EventType{
- model.ForkEventType.String(),
- model.ExecEventType.String(),
- model.ExitEventType.String(),
- }
-)
-
-// PlatformProbe defines a platform probe
-type PlatformProbe struct {
- // Constants and configuration
- Manager *manager.Manager
- managerOptions manager.Options
- kernelVersion *kernel.Version
-
- // internals
- monitors *Monitors
- profileManagers *SecurityProfileManagers
-
- // Ring
- eventStream EventStream
-
- // ActivityDumps section
- activityDumpHandler dump.ActivityDumpHandler
-
- // Approvers / discarders section
- Erpc *erpc.ERPC
- erpcRequest *erpc.Request
- inodeDiscarders *inodeDiscarders
- notifyDiscarderPushedCallbacks []NotifyDiscarderPushedCallback
- approvers map[eval.EventType]kfilters.ActiveApprovers
-
- // Approvers / discarders section
- notifyDiscarderPushedCallbacksLock sync.Mutex
-
- killListMap *lib.Map
- supportsBPFSendSignal bool
-
- isRuntimeDiscarded bool
- constantOffsets map[string]uint64
- runtimeCompiled bool
- useFentry bool
-}
-
-func (p *Probe) detectKernelVersion() error {
- kernelVersion, err := kernel.NewKernelVersion()
- if err != nil {
- return fmt.Errorf("unable to detect the kernel version: %w", err)
- }
- p.kernelVersion = kernelVersion
- return nil
-}
-
-// GetKernelVersion computes and returns the running kernel version
-func (p *Probe) GetKernelVersion() *kernel.Version {
- return p.kernelVersion
-}
-
-// UseRingBuffers returns true if eBPF ring buffers are supported and used
-func (p *Probe) UseRingBuffers() bool {
- return p.Config.Probe.EventStreamUseRingBuffer && p.kernelVersion.HaveRingBuffers()
-}
-
-func (p *Probe) selectFentryMode() {
- if !p.Config.Probe.EventStreamUseFentry {
- p.useFentry = false
- return
- }
-
- supported := p.kernelVersion.HaveFentrySupport()
- if !supported {
- seclog.Errorf("fentry enabled but not supported, falling back to kprobe mode")
- }
- p.useFentry = supported
-}
-
-func (p *Probe) sanityChecks() error {
- // make sure debugfs is mounted
- if _, err := tracefs.Root(); err != nil {
- return err
- }
-
- if utilkernel.GetLockdownMode() == utilkernel.Confidentiality {
- return errors.New("eBPF not supported in lockdown `confidentiality` mode")
- }
-
- if p.Config.Probe.NetworkEnabled && p.kernelVersion.IsRH7Kernel() {
- seclog.Warnf("The network feature of CWS isn't supported on Centos7, setting runtime_security_config.network.enabled to false")
- p.Config.Probe.NetworkEnabled = false
- }
-
- return nil
-}
-
-// VerifyOSVersion returns an error if the current kernel version is not supported
-func (p *Probe) VerifyOSVersion() error {
- if !p.kernelVersion.IsRH7Kernel() && !p.kernelVersion.IsRH8Kernel() && p.kernelVersion.Code < kernel.Kernel4_15 {
- return fmt.Errorf("the following kernel is not supported: %s", p.kernelVersion)
- }
- return nil
-}
-
-// VerifyEnvironment returns an error if the current environment seems to be misconfigured
-func (p *Probe) VerifyEnvironment() *multierror.Error {
- var err *multierror.Error
- if aconfig.IsContainerized() {
- if mounted, _ := mountinfo.Mounted("/etc/passwd"); !mounted {
- err = multierror.Append(err, errors.New("/etc/passwd doesn't seem to be a mountpoint"))
- }
-
- if mounted, _ := mountinfo.Mounted("/etc/group"); !mounted {
- err = multierror.Append(err, errors.New("/etc/group doesn't seem to be a mountpoint"))
- }
-
- if mounted, _ := mountinfo.Mounted(utilkernel.ProcFSRoot()); !mounted {
- err = multierror.Append(err, errors.New("/etc/group doesn't seem to be a mountpoint"))
- }
-
- if mounted, _ := mountinfo.Mounted(p.kernelVersion.OsReleasePath); !mounted {
- err = multierror.Append(err, fmt.Errorf("%s doesn't seem to be a mountpoint", p.kernelVersion.OsReleasePath))
- }
-
- securityFSPath := filepath.Join(utilkernel.SysFSRoot(), "kernel/security")
- if mounted, _ := mountinfo.Mounted(securityFSPath); !mounted {
- err = multierror.Append(err, fmt.Errorf("%s doesn't seem to be a mountpoint", securityFSPath))
- }
-
- capsEffective, _, capErr := utils.CapEffCapEprm(utils.Getpid())
- if capErr != nil {
- err = multierror.Append(capErr, errors.New("failed to get process capabilities"))
- } else {
- requiredCaps := []string{
- "CAP_SYS_ADMIN",
- "CAP_SYS_RESOURCE",
- "CAP_SYS_PTRACE",
- "CAP_NET_ADMIN",
- "CAP_NET_BROADCAST",
- "CAP_NET_RAW",
- "CAP_IPC_LOCK",
- "CAP_CHOWN",
- }
-
- for _, requiredCap := range requiredCaps {
- capConst := model.KernelCapabilityConstants[requiredCap]
- if capsEffective&capConst == 0 {
- err = multierror.Append(err, fmt.Errorf("%s capability is missing", requiredCap))
- }
- }
- }
- }
-
- return err
-}
-
-// Init initializes the probe
-func (p *Probe) Init() error {
- p.startTime = time.Now()
-
- useSyscallWrapper, err := ebpf.IsSyscallWrapperRequired()
- if err != nil {
- return err
- }
-
- loader := ebpf.NewProbeLoader(p.Config.Probe, useSyscallWrapper, p.UseRingBuffers(), p.useFentry, p.StatsdClient)
- defer loader.Close()
-
- bytecodeReader, runtimeCompiled, err := loader.Load()
- if err != nil {
- return err
- }
- defer bytecodeReader.Close()
-
- p.runtimeCompiled = runtimeCompiled
-
- if err := p.eventStream.Init(p.Manager, p.Config.Probe); err != nil {
- return err
- }
-
- if p.isRuntimeDiscarded {
- p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors, manager.ConstantEditor{
- Name: "runtime_discarded",
- Value: uint64(1),
- })
- }
-
- p.managerOptions.ActivatedProbes = append(p.managerOptions.ActivatedProbes, probes.SnapshotSelectors(p.useFentry)...)
-
- if err := p.Manager.InitWithOptions(bytecodeReader, p.managerOptions); err != nil {
- return fmt.Errorf("failed to init manager: %w", err)
- }
-
- p.inodeDiscarders = newInodeDiscarders(p.Erpc, p.resolvers.DentryResolver)
-
- if err := p.resolvers.Start(p.ctx); err != nil {
- return err
- }
-
- err = p.monitors.Init()
- if err != nil {
- return err
- }
-
- p.profileManagers, err = NewSecurityProfileManagers(p)
- if err != nil {
- return err
- }
- p.profileManagers.AddActivityDumpHandler(p.activityDumpHandler)
-
- p.eventStream.SetMonitor(p.monitors.eventStreamMonitor)
-
- p.killListMap, err = managerhelper.Map(p.Manager, "kill_list")
- if err != nil {
- return err
- }
-
- return nil
-}
-
-// IsRuntimeCompiled returns true if the eBPF programs where successfully runtime compiled
-func (p *Probe) IsRuntimeCompiled() bool {
- return p.runtimeCompiled
-}
-
-// Setup the runtime security probe
-func (p *Probe) Setup() error {
- if err := p.Manager.Start(); err != nil {
- return err
- }
- ebpfcheck.AddNameMappings(p.Manager, "cws")
-
- p.applyDefaultFilterPolicies()
-
- needRawSyscalls := p.isNeededForActivityDump(model.SyscallsEventType.String())
-
- if err := p.updateProbes(defaultEventTypes, needRawSyscalls); err != nil {
- return err
- }
-
- p.profileManagers.Start(p.ctx, &p.wg)
-
- return nil
-}
-
-// Start plays the snapshot data and then start the event stream
-func (p *Probe) Start() error {
- // Apply rules to the snapshotted data before starting the event stream to avoid concurrency issues
- p.playSnapshot()
- return p.eventStream.Start(&p.wg)
-}
-
-// playSnapshot plays a snapshot
-func (p *Probe) playSnapshot() {
- // Get the snapshotted data
- var events []*model.Event
-
- entryToEvent := func(entry *model.ProcessCacheEntry) {
- if entry.Source != model.ProcessCacheEntryFromSnapshot {
- return
- }
- entry.Retain()
- event := NewEvent(p.fieldHandlers)
- event.Type = uint32(model.ExecEventType)
- event.TimestampRaw = uint64(time.Now().UnixNano())
- event.ProcessCacheEntry = entry
- event.ProcessContext = &entry.ProcessContext
- event.Exec.Process = &entry.Process
- event.ProcessContext.Process.ContainerID = entry.ContainerID
-
- if _, err := entry.HasValidLineage(); err != nil {
- event.Error = &model.ErrProcessBrokenLineage{Err: err}
- }
-
- events = append(events, event)
- }
- p.GetResolvers().ProcessResolver.Walk(entryToEvent)
- for _, event := range events {
- p.DispatchEvent(event)
- event.ProcessCacheEntry.Release()
- }
-}
-
-func (p *Probe) sendAnomalyDetection(event *model.Event) {
- tags := p.GetEventTags(event.ContainerContext.ID)
- if service := p.GetService(event); service != "" {
- tags = append(tags, "service:"+service)
- }
-
- p.DispatchCustomEvent(
- events.NewCustomRule(events.AnomalyDetectionRuleID, events.AnomalyDetectionRuleDesc),
- events.NewCustomEventLazy(event.GetEventType(), p.EventMarshallerCtor(event), tags...),
- )
-}
-
-// AddActivityDumpHandler set the probe activity dump handler
-func (p *Probe) AddActivityDumpHandler(handler dump.ActivityDumpHandler) {
- p.activityDumpHandler = handler
-}
-
-// DispatchEvent sends an event to the probe event handler
-func (p *Probe) DispatchEvent(event *model.Event) {
- traceEvent("Dispatching event %s", func() ([]byte, model.EventType, error) {
- eventJSON, err := serializers.MarshalEvent(event, p.resolvers)
- return eventJSON, event.GetEventType(), err
- })
-
- // filter out event if already present on a profile
- if p.Config.RuntimeSecurity.SecurityProfileEnabled {
- p.profileManagers.securityProfileManager.LookupEventInProfiles(event)
- }
-
- // send event to wildcard handlers, like the CWS rule engine, first
- p.sendEventToWildcardHandlers(event)
-
- // send event to specific event handlers, like the event monitor consumers, subsequently
- p.sendEventToSpecificEventTypeHandlers(event)
-
- // handle anomaly detections
- if event.IsAnomalyDetectionEvent() {
- if event.IsKernelSpaceAnomalyDetectionEvent() {
- p.profileManagers.securityProfileManager.FillProfileContextFromContainerID(event.FieldHandlers.ResolveContainerID(event, event.ContainerContext), &event.SecurityProfileContext)
- }
- p.sendAnomalyDetection(event)
- } else if event.Error == nil {
- // Process event after evaluation because some monitors need the DentryResolver to have been called first.
- if p.profileManagers.activityDumpManager != nil {
- p.profileManagers.activityDumpManager.ProcessEvent(event)
- }
- }
- p.monitors.ProcessEvent(event)
-}
-
-func (p *Probe) sendEventToWildcardHandlers(event *model.Event) {
- for _, handler := range p.fullAccessEventHandlers[model.UnknownEventType] {
- handler.HandleEvent(event)
- }
-}
-
-func (p *Probe) sendEventToSpecificEventTypeHandlers(event *model.Event) {
- for _, handler := range p.eventHandlers[event.GetEventType()] {
- handler.HandleEvent(handler.Copy(event))
- }
-}
-
-// DispatchCustomEvent sends a custom event to the probe event handler
-func (p *Probe) DispatchCustomEvent(rule *rules.Rule, event *events.CustomEvent) {
- traceEvent("Dispatching custom event %s", func() ([]byte, model.EventType, error) {
- eventJSON, err := serializers.MarshalCustomEvent(event)
- return eventJSON, event.GetEventType(), err
- })
-
- // send wildcard first
- for _, handler := range p.customEventHandlers[model.UnknownEventType] {
- handler.HandleCustomEvent(rule, event)
- }
-
- // send specific event
- for _, handler := range p.customEventHandlers[event.GetEventType()] {
- handler.HandleCustomEvent(rule, event)
- }
-}
-
-func traceEvent(fmt string, marshaller func() ([]byte, model.EventType, error)) {
- if !seclog.DefaultLogger.IsTracing() {
- return
- }
-
- eventJSON, eventType, err := marshaller()
- if err != nil {
- seclog.DefaultLogger.TraceTagf(eventType, fmt, err)
- return
- }
-
- seclog.DefaultLogger.TraceTagf(eventType, fmt, string(eventJSON))
-}
-
-// SendStats sends statistics about the probe to Datadog
-func (p *Probe) SendStats() error {
- p.resolvers.TCResolver.SendTCProgramsStats(p.StatsdClient)
-
- if err := p.profileManagers.SendStats(); err != nil {
- return err
- }
-
- return p.monitors.SendStats()
-}
-
-// GetMonitors returns the monitor of the probe
-func (p *Probe) GetMonitors() *Monitors {
- return p.monitors
-}
-
-// EventMarshallerCtor returns the event marshaller ctor
-func (p *Probe) EventMarshallerCtor(event *model.Event) func() events.EventMarshaler {
- return func() events.EventMarshaler {
- return serializers.NewEventSerializer(event, p.resolvers)
- }
-}
-
-func (p *Probe) unmarshalContexts(data []byte, event *model.Event) (int, error) {
- read, err := model.UnmarshalBinary(data, &event.PIDContext, &event.SpanContext, event.ContainerContext)
- if err != nil {
- return 0, err
- }
-
- return read, nil
-}
-
-func eventWithNoProcessContext(eventType model.EventType) bool {
- return eventType == model.DNSEventType || eventType == model.LoadModuleEventType || eventType == model.UnloadModuleEventType
-}
-
-func (p *Probe) unmarshalProcessCacheEntry(ev *model.Event, data []byte) (int, error) {
- entry := p.resolvers.ProcessResolver.NewProcessCacheEntry(ev.PIDContext)
- ev.ProcessCacheEntry = entry
-
- n, err := entry.Process.UnmarshalBinary(data)
- if err != nil {
- return n, err
- }
- entry.Process.ContainerID = ev.ContainerContext.ID
- entry.Source = model.ProcessCacheEntryFromEvent
-
- return n, nil
-}
-
-func (p *Probe) onEventLost(perfMapName string, perEvent map[string]uint64) {
- if p.Config.RuntimeSecurity.InternalMonitoringEnabled {
- p.DispatchCustomEvent(
- NewEventLostWriteEvent(perfMapName, perEvent),
- )
- }
-
- // snapshot traced cgroups if a CgroupTracing event was lost
- if p.IsActivityDumpEnabled() && perEvent[model.CgroupTracingEventType.String()] > 0 {
- p.profileManagers.SnapshotTracedCgroups()
- }
-}
-
-// setProcessContext set the process context, should return false if the event shouldn't be dispatched
-func (p *Probe) setProcessContext(eventType model.EventType, event *model.Event) bool {
- entry, isResolved := p.fieldHandlers.ResolveProcessCacheEntry(event)
- event.ProcessCacheEntry = entry
- if event.ProcessCacheEntry == nil {
- panic("should always return a process cache entry")
- }
-
- // use ProcessCacheEntry process context as process context
- event.ProcessContext = &event.ProcessCacheEntry.ProcessContext
- if event.ProcessContext == nil {
- panic("should always return a process context")
- }
-
- if process.IsKThread(event.ProcessContext.PPid, event.ProcessContext.Pid) {
- return false
- }
-
- if !eventWithNoProcessContext(eventType) {
- if !isResolved {
- event.Error = &model.ErrNoProcessContext{Err: errors.New("process context not resolved")}
- } else if _, err := entry.HasValidLineage(); err != nil {
- event.Error = &model.ErrProcessBrokenLineage{Err: err}
- p.resolvers.ProcessResolver.CountBrokenLineage()
- }
- }
-
- // flush exited process
- p.resolvers.ProcessResolver.DequeueExited()
-
- return true
-}
-
-func (p *Probe) handleEvent(CPU int, data []byte) {
- offset := 0
- event := p.zeroEvent()
-
- dataLen := uint64(len(data))
-
- read, err := event.UnmarshalBinary(data)
- if err != nil {
- seclog.Errorf("failed to decode event: %s", err)
- return
- }
- offset += read
-
- eventType := event.GetEventType()
- if eventType > model.MaxKernelEventType {
- seclog.Errorf("unsupported event type %d", eventType)
- return
- }
-
- p.monitors.eventStreamMonitor.CountEvent(eventType, event.TimestampRaw, 1, dataLen, eventstream.EventStreamMap, CPU)
-
- // no need to dispatch events
- switch eventType {
- case model.MountReleasedEventType:
- if _, err = event.MountReleased.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode mount released event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
-
- // Remove all dentry entries belonging to the mountID
- p.resolvers.DentryResolver.DelCacheEntries(event.MountReleased.MountID)
-
- // Delete new mount point from cache
- if err = p.resolvers.MountResolver.Delete(event.MountReleased.MountID); err != nil {
- seclog.Tracef("failed to delete mount point %d from cache: %s", event.MountReleased.MountID, err)
- }
- return
- case model.ArgsEnvsEventType:
- if _, err = event.ArgsEnvs.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode args envs event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
-
- p.resolvers.ProcessResolver.UpdateArgsEnvs(&event.ArgsEnvs)
-
- return
- case model.CgroupTracingEventType:
- if !p.Config.RuntimeSecurity.ActivityDumpEnabled {
- seclog.Errorf("shouldn't receive Cgroup event if activity dumps are disabled")
- return
- }
-
- if _, err = event.CgroupTracing.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode cgroup tracing event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
-
- p.profileManagers.activityDumpManager.HandleCGroupTracingEvent(&event.CgroupTracing)
- return
- case model.UnshareMountNsEventType:
- if _, err = event.UnshareMountNS.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode unshare mnt ns event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
- if err := p.handleNewMount(event, &event.UnshareMountNS.Mount); err != nil {
- seclog.Debugf("failed to handle new mount from unshare mnt ns event: %s", err)
- }
- return
- }
-
- read, err = p.unmarshalContexts(data[offset:], event)
- if err != nil {
- seclog.Errorf("failed to decode event `%s`: %s", eventType, err)
- return
- }
- offset += read
-
- // save netns handle if applicable
- nsPath := utils.NetNSPathFromPid(event.PIDContext.Pid)
- _, _ = p.resolvers.NamespaceResolver.SaveNetworkNamespaceHandle(event.PIDContext.NetNS, nsPath)
-
- if model.GetEventTypeCategory(eventType.String()) == model.NetworkCategory {
- if read, err = event.NetworkContext.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode Network Context")
- }
- offset += read
- }
-
- // handle exec and fork before process context resolution as they modify the process context resolution
- switch eventType {
- case model.ForkEventType:
- if _, err = p.unmarshalProcessCacheEntry(event, data[offset:]); err != nil {
- seclog.Errorf("failed to decode fork event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
-
- if process.IsKThread(event.ProcessCacheEntry.PPid, event.ProcessCacheEntry.Pid) {
- return
- }
-
- p.resolvers.ProcessResolver.ApplyBootTime(event.ProcessCacheEntry)
- event.ProcessCacheEntry.SetSpan(event.SpanContext.SpanID, event.SpanContext.TraceID)
-
- p.resolvers.ProcessResolver.AddForkEntry(event.ProcessCacheEntry, event.PIDContext.ExecInode)
- case model.ExecEventType:
- // unmarshal and fill event.processCacheEntry
- if _, err = p.unmarshalProcessCacheEntry(event, data[offset:]); err != nil {
- seclog.Errorf("failed to decode exec event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
-
- if err = p.resolvers.ProcessResolver.ResolveNewProcessCacheEntry(event.ProcessCacheEntry, event.ContainerContext); err != nil {
- seclog.Debugf("failed to resolve new process cache entry context for pid %d: %s", event.PIDContext.Pid, err)
-
- var errResolution *path.ErrPathResolution
- if errors.As(err, &errResolution) {
- event.SetPathResolutionError(&event.ProcessCacheEntry.FileEvent, err)
- }
- } else {
- p.resolvers.ProcessResolver.AddExecEntry(event.ProcessCacheEntry, event.PIDContext.ExecInode)
- }
-
- event.Exec.Process = &event.ProcessCacheEntry.Process
- }
-
- if !p.setProcessContext(eventType, event) {
- return
- }
-
- switch eventType {
- case model.FileMountEventType:
- if _, err = event.Mount.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode mount event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
- if err := p.handleNewMount(event, &event.Mount.Mount); err != nil {
- seclog.Debugf("failed to handle new mount from mount event: %s\n", err)
- return
- }
-
- // TODO: this should be moved in the resolver itself in order to handle the fallbacks
- if event.Mount.GetFSType() == "nsfs" {
- nsid := uint32(event.Mount.RootPathKey.Inode)
- mountPath, err := p.resolvers.MountResolver.ResolveMountPath(event.Mount.MountID, event.Mount.Device, event.PIDContext.Pid, event.ContainerContext.ID)
- if err != nil {
- seclog.Debugf("failed to get mount path: %v", err)
- } else {
- mountNetNSPath := utils.NetNSPathFromPath(mountPath)
- _, _ = p.resolvers.NamespaceResolver.SaveNetworkNamespaceHandle(nsid, mountNetNSPath)
- }
- }
-
- case model.FileUmountEventType:
- if _, err = event.Umount.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode umount event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
-
- // we can skip this error as this is for the umount only and there is no impact on the filepath resolution
- mount, _ := p.resolvers.MountResolver.ResolveMount(event.Umount.MountID, 0, event.PIDContext.Pid, event.ContainerContext.ID)
- if mount != nil && mount.GetFSType() == "nsfs" {
- nsid := uint32(mount.RootPathKey.Inode)
- if namespace := p.resolvers.NamespaceResolver.ResolveNetworkNamespace(nsid); namespace != nil {
- p.FlushNetworkNamespace(namespace)
- }
- }
-
- case model.FileOpenEventType:
- if _, err = event.Open.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode open event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
- case model.FileMkdirEventType:
- if _, err = event.Mkdir.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode mkdir event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
- case model.FileRmdirEventType:
- if _, err = event.Rmdir.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode rmdir event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
- case model.FileUnlinkEventType:
- if _, err = event.Unlink.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode unlink event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
- case model.FileRenameEventType:
- if _, err = event.Rename.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode rename event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
- case model.FileChmodEventType:
- if _, err = event.Chmod.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode chmod event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
- case model.FileChownEventType:
- if _, err = event.Chown.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode chown event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
- case model.FileUtimesEventType:
- if _, err = event.Utimes.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode utime event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
- case model.FileLinkEventType:
- if _, err = event.Link.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode link event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
- case model.FileSetXAttrEventType:
- if _, err = event.SetXAttr.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode setxattr event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
- case model.FileRemoveXAttrEventType:
- if _, err = event.RemoveXAttr.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode removexattr event: %s (offset %d, len %d)", err, offset, dataLen)
- return
- }
- case model.ExitEventType:
- if _, err = event.Exit.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode exit event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
-
- var exists bool
- event.ProcessCacheEntry, exists = p.fieldHandlers.GetProcessCacheEntry(event)
- if !exists {
- // no need to dispatch an exit event that don't have the corresponding cache entry
- return
- }
-
- // Use the event timestamp as exit time
- // The local process cache hasn't been updated yet with the exit time when the exit event is first seen
- // The pid_cache kernel map has the exit_time but it's only accessed if there's a local miss
- event.ProcessCacheEntry.Process.ExitTime = p.fieldHandlers.ResolveEventTime(event)
- event.Exit.Process = &event.ProcessCacheEntry.Process
-
- // update mount pid mapping
- p.resolvers.MountResolver.DelPid(event.Exit.Pid)
- case model.SetuidEventType:
- // the process context may be incorrect, do not modify it
- if event.Error != nil {
- break
- }
-
- if _, err = event.SetUID.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode setuid event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- defer p.resolvers.ProcessResolver.UpdateUID(event.PIDContext.Pid, event)
- case model.SetgidEventType:
- // the process context may be incorrect, do not modify it
- if event.Error != nil {
- break
- }
-
- if _, err = event.SetGID.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode setgid event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- defer p.resolvers.ProcessResolver.UpdateGID(event.PIDContext.Pid, event)
- case model.CapsetEventType:
- // the process context may be incorrect, do not modify it
- if event.Error != nil {
- break
- }
-
- if _, err = event.Capset.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode capset event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- defer p.resolvers.ProcessResolver.UpdateCapset(event.PIDContext.Pid, event)
- case model.SELinuxEventType:
- if _, err = event.SELinux.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode selinux event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- case model.BPFEventType:
- if _, err = event.BPF.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode bpf event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- case model.PTraceEventType:
- if _, err = event.PTrace.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode ptrace event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- // resolve tracee process context
- var pce *model.ProcessCacheEntry
- if event.PTrace.PID > 0 { // pid can be 0 for a PTRACE_TRACEME request
- pce = p.resolvers.ProcessResolver.Resolve(event.PTrace.PID, event.PTrace.PID, 0, false)
- }
- if pce == nil {
- pce = model.NewPlaceholderProcessCacheEntry(event.PTrace.PID, event.PTrace.PID, false)
- }
- event.PTrace.Tracee = &pce.ProcessContext
- case model.MMapEventType:
- if _, err = event.MMap.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode mmap event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
-
- if event.MMap.Flags&unix.MAP_ANONYMOUS != 0 {
- // no need to trigger a dentry resolver, not backed by any file
- event.MMap.File.SetPathnameStr("")
- event.MMap.File.SetBasenameStr("")
- }
- case model.MProtectEventType:
- if _, err = event.MProtect.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode mprotect event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- case model.LoadModuleEventType:
- if _, err = event.LoadModule.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode load_module event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
-
- if event.LoadModule.LoadedFromMemory {
- // no need to trigger a dentry resolver, not backed by any file
- event.LoadModule.File.SetPathnameStr("")
- event.LoadModule.File.SetBasenameStr("")
- }
- case model.UnloadModuleEventType:
- if _, err = event.UnloadModule.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode unload_module event: %s (offset %d, len %d)", err, offset, len(data))
- }
- case model.SignalEventType:
- if _, err = event.Signal.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode signal event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- // resolve target process context
- var pce *model.ProcessCacheEntry
- if event.Signal.PID > 0 { // Linux accepts a kill syscall with both negative and zero pid
- pce = p.resolvers.ProcessResolver.Resolve(event.Signal.PID, event.Signal.PID, 0, false)
- }
- if pce == nil {
- pce = model.NewPlaceholderProcessCacheEntry(event.Signal.PID, event.Signal.PID, false)
- }
- event.Signal.Target = &pce.ProcessContext
- case model.SpliceEventType:
- if _, err = event.Splice.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode splice event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- case model.NetDeviceEventType:
- if _, err = event.NetDevice.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode net_device event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- _ = p.setupNewTCClassifier(event.NetDevice.Device)
- case model.VethPairEventType:
- if _, err = event.VethPair.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode veth_pair event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- _ = p.setupNewTCClassifier(event.VethPair.PeerDevice)
- case model.DNSEventType:
- if _, err = event.DNS.UnmarshalBinary(data[offset:]); err != nil {
- if errors.Is(err, model.ErrDNSNameMalformatted) {
- seclog.Debugf("failed to validate DNS event: %s", event.DNS.Name)
- } else if errors.Is(err, model.ErrDNSNamePointerNotSupported) {
- seclog.Tracef("failed to decode DNS event: %s (offset %d, len %d)", err, offset, len(data))
- } else {
- seclog.Errorf("failed to decode DNS event: %s (offset %d, len %d)", err, offset, len(data))
- }
-
- return
- }
- case model.BindEventType:
- if _, err = event.Bind.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode bind event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- case model.SyscallsEventType:
- if _, err = event.Syscalls.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode syscalls event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- case model.AnomalyDetectionSyscallEventType:
- if _, err = event.AnomalyDetectionSyscallEvent.UnmarshalBinary(data[offset:]); err != nil {
- seclog.Errorf("failed to decode anomaly detection for syscall event: %s (offset %d, len %d)", err, offset, len(data))
- return
- }
- }
-
- // resolve the container context
- event.ContainerContext, _ = p.fieldHandlers.ResolveContainerContext(event)
-
- p.DispatchEvent(event)
-
- if eventType == model.ExitEventType {
- p.resolvers.ProcessResolver.DeleteEntry(event.ProcessContext.Pid, p.fieldHandlers.ResolveEventTime(event))
- }
-}
-
-// AddNewNotifyDiscarderPushedCallback add a callback to the list of func that have to be called when a discarder is pushed to kernel
-func (p *Probe) AddNewNotifyDiscarderPushedCallback(cb NotifyDiscarderPushedCallback) {
- p.notifyDiscarderPushedCallbacksLock.Lock()
- defer p.notifyDiscarderPushedCallbacksLock.Unlock()
-
- p.notifyDiscarderPushedCallbacks = append(p.notifyDiscarderPushedCallbacks, cb)
-}
-
-// OnNewDiscarder is called when a new discarder is found
-func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType) {
- // discarders disabled
- if !p.Config.Probe.EnableDiscarders {
- return
- }
-
- if p.isRuntimeDiscarded {
- fakeTime := time.Unix(0, int64(ev.TimestampRaw))
- if !p.discarderRateLimiter.AllowN(fakeTime, 1) {
- return
- }
- }
-
- seclog.Tracef("New discarder of type %s for field %s", eventType, field)
-
- if handlers, ok := allDiscarderHandlers[eventType]; ok {
- for _, handler := range handlers {
- discarderPushed, _ := handler(rs, ev, p, Discarder{Field: field})
-
- if discarderPushed {
- p.notifyDiscarderPushedCallbacksLock.Lock()
- defer p.notifyDiscarderPushedCallbacksLock.Unlock()
- for _, cb := range p.notifyDiscarderPushedCallbacks {
- cb(eventType, ev, field)
- }
- }
- }
- }
-}
-
-// ApplyFilterPolicy is called when a passing policy for an event type is applied
-func (p *Probe) ApplyFilterPolicy(eventType eval.EventType, mode kfilters.PolicyMode, flags kfilters.PolicyFlag) error {
- seclog.Infof("Setting in-kernel filter policy to `%s` for `%s`", mode, eventType)
- table, err := managerhelper.Map(p.Manager, "filter_policy")
- if err != nil {
- return fmt.Errorf("unable to find policy table: %w", err)
- }
-
- et := config.ParseEvalEventType(eventType)
- if et == model.UnknownEventType {
- return errors.New("unable to parse the eval event type")
- }
-
- policy := &kfilters.FilterPolicy{
- Mode: mode,
- Flags: flags,
- }
-
- return table.Put(ebpf.Uint32MapItem(et), policy)
-}
-
-// SetApprovers applies approvers and removes the unused ones
-func (p *Probe) SetApprovers(eventType eval.EventType, approvers rules.Approvers) error {
- handler, exists := kfilters.AllApproversHandlers[eventType]
- if !exists {
- return nil
- }
-
- newApprovers, err := handler(approvers)
- if err != nil {
- seclog.Errorf("Error while adding approvers fallback in-kernel policy to `%s` for `%s`: %s", kfilters.PolicyModeAccept, eventType, err)
- }
-
- type tag struct {
- eventType eval.EventType
- approverType string
- }
- approverAddedMetricCounter := make(map[tag]float64)
-
- for _, newApprover := range newApprovers {
- seclog.Tracef("Applying approver %+v for event type %s", newApprover, eventType)
- if err := newApprover.Apply(p.Manager); err != nil {
- return err
- }
-
- approverType := getApproverType(newApprover.GetTableName())
- approverAddedMetricCounter[tag{eventType, approverType}]++
- }
-
- if previousApprovers, exist := p.approvers[eventType]; exist {
- previousApprovers.Sub(newApprovers)
- for _, previousApprover := range previousApprovers {
- seclog.Tracef("Removing previous approver %+v for event type %s", previousApprover, eventType)
- if err := previousApprover.Remove(p.Manager); err != nil {
- return err
- }
-
- approverType := getApproverType(previousApprover.GetTableName())
- approverAddedMetricCounter[tag{eventType, approverType}]--
- if approverAddedMetricCounter[tag{eventType, approverType}] <= 0 {
- delete(approverAddedMetricCounter, tag{eventType, approverType})
- }
- }
- }
-
- for tags, count := range approverAddedMetricCounter {
- tags := []string{
- fmt.Sprintf("approver_type:%s", tags.approverType),
- fmt.Sprintf("event_type:%s", tags.eventType),
- }
-
- if err := p.StatsdClient.Gauge(metrics.MetricApproverAdded, count, tags, 1.0); err != nil {
- seclog.Tracef("couldn't set MetricApproverAdded metric: %s", err)
- }
- }
-
- p.approvers[eventType] = newApprovers
- return nil
-}
-
-func getApproverType(approverTableName string) string {
- approverType := "flag"
-
- if approverTableName == kfilters.BasenameApproverKernelMapName {
- approverType = "basename"
- }
-
- return approverType
-}
-
-func (p *Probe) isNeededForActivityDump(eventType eval.EventType) bool {
- if p.Config.RuntimeSecurity.ActivityDumpEnabled {
- for _, e := range p.profileManagers.GetActivityDumpTracedEventTypes() {
- if e.String() == eventType {
- return true
- }
- }
- }
- return false
-}
-
-func (p *Probe) isNeededForSecurityProfile(eventType eval.EventType) bool {
- if p.Config.RuntimeSecurity.SecurityProfileEnabled {
- for _, e := range p.Config.RuntimeSecurity.AnomalyDetectionEventTypes {
- if e.String() == eventType {
- return true
- }
- }
- }
- return false
-}
-
-func (p *Probe) validEventTypeForConfig(eventType string) bool {
- if eventType == "dns" && !p.Config.Probe.NetworkEnabled {
- return false
- }
- return true
-}
-
-// updateProbes applies the loaded set of rules and returns a report
-// of the applied approvers for it.
-func (p *Probe) updateProbes(ruleEventTypes []eval.EventType, needRawSyscalls bool) error {
- // event types enabled either by event handlers or by rules
- eventTypes := append([]eval.EventType{}, defaultEventTypes...)
- eventTypes = append(eventTypes, ruleEventTypes...)
- for eventType, handlers := range p.eventHandlers {
- if len(handlers) == 0 {
- continue
- }
- if slices.Contains(eventTypes, model.EventType(eventType).String()) {
- continue
- }
- if eventType != int(model.UnknownEventType) && eventType != int(model.MaxAllEventType) {
- eventTypes = append(eventTypes, model.EventType(eventType).String())
- }
- }
-
- activatedProbes := probes.SnapshotSelectors(p.useFentry)
-
- // extract probe to activate per the event types
- for eventType, selectors := range probes.GetSelectorsPerEventType(p.useFentry) {
- if (eventType == "*" || slices.Contains(eventTypes, eventType) || p.isNeededForActivityDump(eventType) || p.isNeededForSecurityProfile(eventType)) && p.validEventTypeForConfig(eventType) {
- activatedProbes = append(activatedProbes, selectors...)
- }
- }
-
- activatedProbes = append(activatedProbes, p.resolvers.TCResolver.SelectTCProbes())
-
- if needRawSyscalls {
- activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors...)
- } else {
- // ActivityDumps
- if p.Config.RuntimeSecurity.ActivityDumpEnabled {
- for _, e := range p.profileManagers.GetActivityDumpTracedEventTypes() {
- if e == model.SyscallsEventType {
- activatedProbes = append(activatedProbes, probes.SyscallMonitorSelectors...)
- break
- }
- }
- }
- }
-
- // Print the list of unique probe identification IDs that are registered
- var selectedIDs []manager.ProbeIdentificationPair
- for _, selector := range activatedProbes {
- for _, id := range selector.GetProbesIdentificationPairList() {
- var exists bool
- for _, selectedID := range selectedIDs {
- if selectedID == id {
- exists = true
- }
- }
- if !exists {
- selectedIDs = append(selectedIDs, id)
- seclog.Tracef("probe %s selected", id)
- }
- }
- }
-
- enabledEventsMap, err := managerhelper.Map(p.Manager, "enabled_events")
- if err != nil {
- return err
- }
-
- enabledEvents := uint64(0)
- for _, eventName := range eventTypes {
- if eventName != "*" {
- eventType := config.ParseEvalEventType(eventName)
- if eventType == model.UnknownEventType {
- return fmt.Errorf("unknown event type '%s'", eventName)
- }
- enabledEvents |= 1 << (eventType - 1)
- }
- }
-
- if err := enabledEventsMap.Put(ebpf.ZeroUint32MapItem, enabledEvents); err != nil {
- return fmt.Errorf("failed to set enabled events: %w", err)
- }
-
- return p.Manager.UpdateActivatedProbes(activatedProbes)
-}
-
-// GetDiscarders retrieve the discarders
-func (p *Probe) GetDiscarders() (*DiscardersDump, error) {
- inodeMap, err := managerhelper.Map(p.Manager, "inode_discarders")
- if err != nil {
- return nil, err
- }
-
- pidMap, err := managerhelper.Map(p.Manager, "pid_discarders")
- if err != nil {
- return nil, err
- }
-
- statsFB, err := managerhelper.Map(p.Manager, "fb_discarder_stats")
- if err != nil {
- return nil, err
- }
-
- statsBB, err := managerhelper.Map(p.Manager, "bb_discarder_stats")
- if err != nil {
- return nil, err
- }
-
- dump, err := dumpDiscarders(p.resolvers.DentryResolver, pidMap, inodeMap, statsFB, statsBB)
- if err != nil {
- return nil, err
- }
- return &dump, nil
-}
-
-// DumpDiscarders removes all the discarders
-func (p *Probe) DumpDiscarders() (string, error) {
- seclog.Debugf("Dumping discarders")
-
- dump, err := p.GetDiscarders()
- if err != nil {
- return "", err
- }
-
- fp, err := os.CreateTemp("/tmp", "discarder-dump-")
- if err != nil {
- return "", err
- }
- defer fp.Close()
-
- if err := os.Chmod(fp.Name(), 0400); err != nil {
- return "", err
- }
-
- encoder := yaml.NewEncoder(fp)
- defer encoder.Close()
-
- if err := encoder.Encode(dump); err != nil {
- return "", err
- }
- err = fp.Close()
- if err != nil {
- return "", fmt.Errorf("could not close file [%s]: %w", fp.Name(), err)
- }
- return fp.Name(), err
-}
-
-// FlushDiscarders invalidates all the discarders
-func (p *Probe) FlushDiscarders() error {
- seclog.Debugf("Flushing discarders")
- return bumpDiscardersRevision(p.Erpc)
-}
-
-// RefreshUserCache refreshes the user cache
-func (p *Probe) RefreshUserCache(containerID string) error {
- return p.GetResolvers().UserGroupResolver.RefreshCache(containerID)
-}
-
-// Snapshot runs the different snapshot functions of the resolvers that
-// require to sync with the current state of the system
-func (p *Probe) Snapshot() error {
- // the snapshot for the read of a lot of file which can allocate a lot of memory.
- defer runtime.GC()
- return p.resolvers.Snapshot()
-}
-
-// Stop the probe
-func (p *Probe) Stop() {
- _ = p.Manager.StopReaders(manager.CleanAll)
-}
-
-// Close the probe
-func (p *Probe) Close() error {
- // Cancelling the context will stop the reorderer = we won't dequeue events anymore and new events from the
- // perf map reader are ignored
- p.cancelFnc()
-
- // we wait until both the reorderer and the monitor are stopped
- p.wg.Wait()
-
- ebpfcheck.RemoveNameMappings(p.Manager)
- // Stopping the manager will stop the perf map reader and unload eBPF programs
- if err := p.Manager.Stop(manager.CleanAll); err != nil {
- return err
- }
-
- // when we reach this point, we do not generate nor consume events anymore, we can close the resolvers
- return p.resolvers.Close()
-}
-
-// GetDebugStats returns the debug stats
-func (p *Probe) GetDebugStats() map[string]interface{} {
- debug := map[string]interface{}{
- "start_time": p.startTime.String(),
- }
- // TODO(Will): add manager state
- return debug
-}
-
-// QueuedNetworkDeviceError is used to indicate that the new network device was queued until its namespace handle is
-// resolved.
-type QueuedNetworkDeviceError struct {
- msg string
-}
-
-func (err QueuedNetworkDeviceError) Error() string {
- return err.msg
-}
-
-func (p *Probe) setupNewTCClassifier(device model.NetDevice) error {
- // select netns handle
- var handle *os.File
- var err error
- netns := p.resolvers.NamespaceResolver.ResolveNetworkNamespace(device.NetNS)
- if netns != nil {
- handle, err = netns.GetNamespaceHandleDup()
- }
- if err != nil {
- defer handle.Close()
- }
- if netns == nil || err != nil || handle == nil {
- // queue network device so that a TC classifier can be added later
- p.resolvers.NamespaceResolver.QueueNetworkDevice(device)
- return QueuedNetworkDeviceError{msg: fmt.Sprintf("device %s is queued until %d is resolved", device.Name, device.NetNS)}
- }
- err = p.resolvers.TCResolver.SetupNewTCClassifierWithNetNSHandle(device, handle, p.Manager)
- if err != nil {
- return err
- }
- if handle != nil {
- if err := handle.Close(); err != nil {
- return fmt.Errorf("could not close file [%s]: %w", handle.Name(), err)
- }
- }
- return err
-}
-
-// FlushNetworkNamespace removes all references and stops all TC programs in the provided network namespace. This method
-// flushes the network namespace in the network namespace resolver as well.
-func (p *Probe) FlushNetworkNamespace(namespace *netns.NetworkNamespace) {
- p.resolvers.NamespaceResolver.FlushNetworkNamespace(namespace)
-
- // cleanup internal structures
- p.resolvers.TCResolver.FlushNetworkNamespaceID(namespace.ID(), p.Manager)
-}
-
-func (p *Probe) handleNewMount(ev *model.Event, m *model.Mount) error {
- // There could be entries of a previous mount_id in the cache for instance,
- // runc does the following : it bind mounts itself (using /proc/exe/self),
- // opens a file descriptor on the new file with O_CLOEXEC then umount the bind mount using
- // MNT_DETACH. It then does an exec syscall, that will cause the fd to be closed.
- // Our dentry resolution of the exec event causes the inode/mount_id to be put in cache,
- // so we remove all dentry entries belonging to the mountID.
- p.resolvers.DentryResolver.DelCacheEntries(m.MountID)
-
- // Resolve mount point
- if err := p.resolvers.PathResolver.SetMountPoint(ev, m); err != nil {
- seclog.Debugf("failed to set mount point: %v", err)
- return err
- }
- // Resolve root
- if err := p.resolvers.PathResolver.SetMountRoot(ev, m); err != nil {
- seclog.Debugf("failed to set mount root: %v", err)
- return err
- }
-
- // Insert new mount point in cache, passing it a copy of the mount that we got from the event
- if err := p.resolvers.MountResolver.Insert(*m, 0); err != nil {
- seclog.Errorf("failed to insert mount event: %v", err)
- return err
- }
-
- return nil
-}
-
-func (p *Probe) applyDefaultFilterPolicies() {
- if !p.Config.Probe.EnableKernelFilters {
- seclog.Warnf("Forcing in-kernel filter policy to `pass`: filtering not enabled")
- }
-
- for eventType := model.FirstEventType; eventType <= model.LastEventType; eventType++ {
- var mode kfilters.PolicyMode
-
- if !p.Config.Probe.EnableKernelFilters {
- mode = kfilters.PolicyModeNoFilter
- } else if len(p.eventHandlers[eventType]) > 0 {
- mode = kfilters.PolicyModeAccept
- } else {
- mode = kfilters.PolicyModeDeny
- }
-
- if err := p.ApplyFilterPolicy(eventType.String(), mode, math.MaxUint8); err != nil {
- seclog.Debugf("unable to apply to filter policy `%s` for `%s`", eventType, mode)
- }
- }
-}
-
-// ApplyRuleSet setup the probes for the provided set of rules and returns the policy report.
-func (p *Probe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error) {
- if p.Opts.SyscallsMonitorEnabled {
- if err := p.monitors.syscallsMonitor.Disable(); err != nil {
- return nil, err
- }
- }
-
- ars, err := kfilters.NewApplyRuleSetReport(p.Config.Probe, rs)
- if err != nil {
- return nil, err
- }
-
- for eventType, report := range ars.Policies {
- if err := p.ApplyFilterPolicy(eventType, report.Mode, report.Flags); err != nil {
- return nil, err
- }
- if err := p.SetApprovers(eventType, report.Approvers); err != nil {
- return nil, err
- }
- }
-
- needRawSyscalls := p.isNeededForActivityDump(model.SyscallsEventType.String())
- if !needRawSyscalls {
- // Add syscall monitor probes if it's either activated or
- // there is an 'kill' action in the ruleset
- for _, rule := range rs.GetRules() {
- for _, action := range rule.Definition.Actions {
- if action.Kill != nil {
- needRawSyscalls = true
- break
- }
- }
- }
- }
-
- if err := p.updateProbes(rs.GetEventTypes(), needRawSyscalls); err != nil {
- return nil, fmt.Errorf("failed to select probes: %w", err)
- }
-
- if p.Opts.SyscallsMonitorEnabled {
- if err := p.monitors.syscallsMonitor.Flush(); err != nil {
- return nil, err
- }
- if err := p.monitors.syscallsMonitor.Enable(); err != nil {
- return nil, err
- }
- }
+// Package probe holds probe related files
+package probe
- return ars, nil
-}
+import (
+ "github.com/DataDog/datadog-agent/pkg/security/config"
+)
// NewProbe instantiates a new runtime security agent probe
func NewProbe(config *config.Config, opts Opts) (*Probe, error) {
opts.normalize()
- nerpc, err := erpc.NewERPC()
- if err != nil {
- return nil, err
- }
-
- ctx, cancel := context.WithCancel(context.Background())
-
p := &Probe{
- Opts: opts,
- Config: config,
- ctx: ctx,
- cancelFnc: cancel,
- StatsdClient: opts.StatsdClient,
- discarderRateLimiter: rate.NewLimiter(rate.Every(time.Second/5), 100),
- PlatformProbe: PlatformProbe{
- approvers: make(map[eval.EventType]kfilters.ActiveApprovers),
- managerOptions: ebpf.NewDefaultOptions(),
- Erpc: nerpc,
- erpcRequest: erpc.NewERPCRequest(0),
- isRuntimeDiscarded: !opts.DontDiscardRuntime,
- },
- }
-
- if err := p.detectKernelVersion(); err != nil {
- // we need the kernel version to start, fail if we can't get it
- return nil, err
- }
-
- if err := p.sanityChecks(); err != nil {
- return nil, err
- }
-
- if err := p.VerifyOSVersion(); err != nil {
- seclog.Warnf("the current kernel isn't officially supported, some features might not work properly: %v", err)
- }
-
- if err := p.VerifyEnvironment(); err != nil {
- seclog.Warnf("the current environment may be misconfigured: %v", err)
- }
-
- p.selectFentryMode()
-
- useRingBuffers := p.UseRingBuffers()
- useMmapableMaps := p.kernelVersion.HaveMmapableMaps()
-
- p.Manager = ebpf.NewRuntimeSecurityManager(useRingBuffers, p.useFentry)
-
- p.supportsBPFSendSignal = p.kernelVersion.SupportBPFSendSignal()
-
- p.ensureConfigDefaults()
-
- p.monitors = NewMonitors(p)
-
- numCPU, err := utils.NumCPU()
- if err != nil {
- return nil, fmt.Errorf("failed to parse CPU count: %w", err)
- }
-
- p.managerOptions.MapSpecEditors = probes.AllMapSpecEditors(numCPU, probes.MapSpecEditorOpts{
- TracedCgroupSize: p.Config.RuntimeSecurity.ActivityDumpTracedCgroupsCount,
- UseRingBuffers: useRingBuffers,
- UseMmapableMaps: useMmapableMaps,
- RingBufferSize: uint32(p.Config.Probe.EventStreamBufferSize),
- PathResolutionEnabled: p.Opts.PathResolutionEnabled,
- SecurityProfileMaxCount: p.Config.RuntimeSecurity.SecurityProfileMaxCount,
- })
-
- if config.RuntimeSecurity.ActivityDumpEnabled {
- for _, e := range config.RuntimeSecurity.ActivityDumpTracedEventTypes {
- if e == model.SyscallsEventType {
- // Add syscall monitor probes
- p.managerOptions.ActivatedProbes = append(p.managerOptions.ActivatedProbes, probes.SyscallMonitorSelectors...)
- break
- }
- }
- }
-
- p.constantOffsets, err = p.GetOffsetConstants()
- if err != nil {
- seclog.Warnf("constant fetcher failed: %v", err)
- return nil, err
- }
-
- p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors, constantfetch.CreateConstantEditors(p.constantOffsets)...)
-
- areCGroupADsEnabled := config.RuntimeSecurity.ActivityDumpTracedCgroupsCount > 0
-
- // Add global constant editors
- p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors,
- manager.ConstantEditor{
- Name: "runtime_pid",
- Value: uint64(utils.Getpid()),
- },
- manager.ConstantEditor{
- Name: "do_fork_input",
- Value: getDoForkInput(p.kernelVersion),
- },
- manager.ConstantEditor{
- Name: "has_usernamespace_first_arg",
- Value: getHasUsernamespaceFirstArg(p.kernelVersion),
- },
- manager.ConstantEditor{
- Name: "ovl_path_in_ovl_inode",
- Value: getOvlPathInOvlInode(p.kernelVersion),
- },
- manager.ConstantEditor{
- Name: "mount_id_offset",
- Value: mount.GetMountIDOffset(p.kernelVersion),
- },
- manager.ConstantEditor{
- Name: "getattr2",
- Value: getAttr2(p.kernelVersion),
- },
- manager.ConstantEditor{
- Name: "vfs_unlink_dentry_position",
- Value: mount.GetVFSLinkDentryPosition(p.kernelVersion),
- },
- manager.ConstantEditor{
- Name: "vfs_mkdir_dentry_position",
- Value: mount.GetVFSMKDirDentryPosition(p.kernelVersion),
- },
- manager.ConstantEditor{
- Name: "vfs_link_target_dentry_position",
- Value: mount.GetVFSLinkTargetDentryPosition(p.kernelVersion),
- },
- manager.ConstantEditor{
- Name: "vfs_setxattr_dentry_position",
- Value: mount.GetVFSSetxattrDentryPosition(p.kernelVersion),
- },
- manager.ConstantEditor{
- Name: "vfs_removexattr_dentry_position",
- Value: mount.GetVFSRemovexattrDentryPosition(p.kernelVersion),
- },
- manager.ConstantEditor{
- Name: "vfs_rename_input_type",
- Value: mount.GetVFSRenameInputType(p.kernelVersion),
- },
- manager.ConstantEditor{
- Name: "check_helper_call_input",
- Value: getCheckHelperCallInputType(p.kernelVersion),
- },
- manager.ConstantEditor{
- Name: "cgroup_activity_dumps_enabled",
- Value: utils.BoolTouint64(config.RuntimeSecurity.ActivityDumpEnabled && areCGroupADsEnabled),
- },
- manager.ConstantEditor{
- Name: "net_struct_type",
- Value: getNetStructType(p.kernelVersion),
- },
- manager.ConstantEditor{
- Name: "syscall_monitor_event_period",
- Value: uint64(config.RuntimeSecurity.ActivityDumpSyscallMonitorPeriod.Nanoseconds()),
- },
- manager.ConstantEditor{
- Name: "send_signal",
- Value: utils.BoolTouint64(p.kernelVersion.SupportBPFSendSignal()),
- },
- manager.ConstantEditor{
- Name: "anomaly_syscalls",
- Value: utils.BoolTouint64(slices.Contains(p.Config.RuntimeSecurity.AnomalyDetectionEventTypes, model.SyscallsEventType)),
- },
- manager.ConstantEditor{
- Name: "monitor_syscalls_map_enabled",
- Value: utils.BoolTouint64(opts.SyscallsMonitorEnabled),
- },
- )
-
- p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors, DiscarderConstants...)
- p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors, getCGroupWriteConstants())
-
- // if we are using tracepoints to probe syscall exits, i.e. if we are using an old kernel version (< 4.12)
- // we need to use raw_syscall tracepoints for exits, as syscall are not trace when running an ia32 userspace
- // process
- if probes.ShouldUseSyscallExitTracepoints() {
- p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors,
- manager.ConstantEditor{
- Name: "tracepoint_raw_syscall_fallback",
- Value: utils.BoolTouint64(true),
- },
- )
+ Opts: opts,
+ Config: config,
+ StatsdClient: opts.StatsdClient,
+ scrubber: newProcScrubber(config.Probe.CustomSensitiveWords),
}
- if useRingBuffers {
- p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors,
- manager.ConstantEditor{
- Name: "use_ring_buffer",
- Value: utils.BoolTouint64(true),
- },
- )
- }
-
- if p.kernelVersion.HavePIDLinkStruct() {
- p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors,
- manager.ConstantEditor{
- Name: "kernel_has_pid_link_struct",
- Value: utils.BoolTouint64(true),
- },
- )
- }
-
- if p.kernelVersion.HaveLegacyPipeInodeInfoStruct() {
- p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors,
- manager.ConstantEditor{
- Name: "kernel_has_legacy_pipe_inode_info",
- Value: utils.BoolTouint64(true),
- },
- )
- }
-
- // tail calls
- p.managerOptions.TailCallRouter = probes.AllTailRoutes(p.Config.Probe.ERPCDentryResolutionEnabled, p.Config.Probe.NetworkEnabled, useMmapableMaps, p.useFentry)
- if !p.Config.Probe.ERPCDentryResolutionEnabled || useMmapableMaps {
- // exclude the programs that use the bpf_probe_write_user helper
- p.managerOptions.ExcludedFunctions = probes.AllBPFProbeWriteUserProgramFunctions()
- }
-
- if !p.Config.Probe.NetworkEnabled {
- // prevent all TC classifiers from loading
- p.managerOptions.ExcludedFunctions = append(p.managerOptions.ExcludedFunctions, probes.GetAllTCProgramFunctions()...)
- }
-
- if p.useFentry {
- afBasedExcluder, err := newAvailableFunctionsBasedExcluder()
+ if opts.EBPFLessEnabled {
+ pp, err := NewEBPFLessProbe(p, config, opts)
if err != nil {
return nil, err
}
-
- p.managerOptions.AdditionalExcludedFunctionCollector = afBasedExcluder
- }
-
- p.scrubber = newProcScrubber(config.Probe.CustomSensitiveWords)
-
- resolversOpts := resolvers.Opts{
- PathResolutionEnabled: opts.PathResolutionEnabled,
- TagsResolver: opts.TagsResolver,
- UseRingBuffer: useRingBuffers,
- TTYFallbackEnabled: opts.TTYFallbackEnabled,
- }
- p.resolvers, err = resolvers.NewResolvers(config, p.Manager, p.StatsdClient, p.scrubber, p.Erpc, resolversOpts)
- if err != nil {
- return nil, err
- }
-
- p.fieldHandlers = &FieldHandlers{resolvers: p.resolvers}
-
- p.event = NewEvent(p.fieldHandlers)
-
- // be sure to zero the probe event before everything else
- p.zeroEvent()
-
- if useRingBuffers {
- p.eventStream = ringbuffer.New(p.handleEvent)
- p.managerOptions.SkipRingbufferReaderStartup = map[string]bool{
- eventstream.EventStreamMap: true,
- }
+ p.PlatformProbe = pp
} else {
- p.eventStream, err = reorderer.NewOrderedPerfMap(p.ctx, p.handleEvent, p.StatsdClient)
+ pp, err := NewEBPFProbe(p, config, opts)
if err != nil {
return nil, err
}
- p.managerOptions.SkipPerfMapReaderStartup = map[string]bool{
- eventstream.EventStreamMap: true,
- }
- }
-
- return p, nil
-}
-
-// GetProfileManagers returns the security profile managers
-func (p *Probe) GetProfileManagers() *SecurityProfileManagers {
- return p.profileManagers
-}
-
-func (p *Probe) ensureConfigDefaults() {
- // enable runtime compiled constants on COS by default
- if !p.Config.Probe.RuntimeCompiledConstantsIsSet && p.kernelVersion.IsCOSKernel() {
- p.Config.Probe.RuntimeCompiledConstantsEnabled = true
- }
-}
-
-const (
- netStructHasProcINum uint64 = 0
- netStructHasNS uint64 = 1
-)
-
-// getNetStructType returns whether the net structure has a namespace attribute
-func getNetStructType(kv *kernel.Version) uint64 {
- if kv.IsRH7Kernel() {
- return netStructHasProcINum
- }
- return netStructHasNS
-}
-
-const (
- doForkListInput uint64 = iota
- doForkStructInput
-)
-
-func getAttr2(kernelVersion *kernel.Version) uint64 {
- if kernelVersion.IsRH7Kernel() {
- return 1
- }
- return 0
-}
-
-// getDoForkInput returns the expected input type of _do_fork, do_fork and kernel_clone
-func getDoForkInput(kernelVersion *kernel.Version) uint64 {
- if kernelVersion.Code != 0 && kernelVersion.Code >= kernel.Kernel5_3 {
- return doForkStructInput
- }
- return doForkListInput
-}
-
-func getHasUsernamespaceFirstArg(kernelVersion *kernel.Version) uint64 {
- if kernelVersion.Code != 0 && kernelVersion.Code >= kernel.Kernel6_0 {
- return 1
- }
- return 0
-}
-
-func getOvlPathInOvlInode(kernelVersion *kernel.Version) uint64 {
- // https://github.com/torvalds/linux/commit/0af950f57fefabab628f1963af881e6b9bfe7f38
- if kernelVersion.Code != 0 && kernelVersion.Code >= kernel.Kernel6_5 {
- return 2
- }
-
- // https://github.com/torvalds/linux/commit/ffa5723c6d259b3191f851a50a98d0352b345b39
- // changes a bit how the lower dentry/inode is stored in `ovl_inode`. To check if we
- // are in this configuration we first probe the kernel version, then we check for the
- // presence of the function introduced in the same patch.
- const patchSentinel = "ovl_i_path_real"
-
- if kernelVersion.Code != 0 && kernelVersion.Code >= kernel.Kernel5_19 {
- return 1
- }
-
- check, err := commonebpf.VerifyKernelFuncs(patchSentinel)
- if err != nil {
- return 0
- }
-
- // VerifyKernelFuncs returns the missing functions
- if _, ok := check[patchSentinel]; !ok {
- return 1
- }
-
- return 0
-}
-
-// getCGroupWriteConstants returns the value of the constant used to determine how cgroups should be captured in kernel
-// space
-func getCGroupWriteConstants() manager.ConstantEditor {
- cgroupWriteConst := uint64(1)
- kv, err := kernel.NewKernelVersion()
- if err == nil {
- if kv.IsRH7Kernel() {
- cgroupWriteConst = 2
- }
- }
-
- return manager.ConstantEditor{
- Name: "cgroup_write_type",
- Value: cgroupWriteConst,
- }
-}
-
-// GetOffsetConstants returns the offsets and struct sizes constants
-func (p *Probe) GetOffsetConstants() (map[string]uint64, error) {
- constantFetcher := constantfetch.ComposeConstantFetchers(constantfetch.GetAvailableConstantFetchers(p.Config.Probe, p.kernelVersion, p.StatsdClient))
- AppendProbeRequestsToFetcher(constantFetcher, p.kernelVersion)
- return constantFetcher.FinishAndGetResults()
-}
-
-// GetConstantFetcherStatus returns the status of the constant fetcher associated with this probe
-func (p *Probe) GetConstantFetcherStatus() (*constantfetch.ConstantFetcherStatus, error) {
- constantFetcher := constantfetch.ComposeConstantFetchers(constantfetch.GetAvailableConstantFetchers(p.Config.Probe, p.kernelVersion, p.StatsdClient))
- AppendProbeRequestsToFetcher(constantFetcher, p.kernelVersion)
- return constantFetcher.FinishAndGetStatus()
-}
-
-// AppendProbeRequestsToFetcher returns the offsets and struct sizes constants, from a constant fetcher
-func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher, kv *kernel.Version) {
- constantFetcher.AppendSizeofRequest(constantfetch.SizeOfInode, "struct inode", "linux/fs.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSuperBlockStructSFlags, "struct super_block", "s_flags", "linux/fs.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSuperBlockStructSMagic, "struct super_block", "s_magic", "linux/fs.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameDentryStructDSB, "struct dentry", "d_sb", "linux/dcache.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSignalStructStructTTY, "struct signal_struct", "tty", "linux/sched/signal.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameTTYStructStructName, "struct tty_struct", "name", "linux/tty.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameCredStructUID, "struct cred", "uid", "linux/cred.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameLinuxBinprmP, "struct linux_binprm", "p", "linux/binfmts.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameLinuxBinprmArgc, "struct linux_binprm", "argc", "linux/binfmts.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameLinuxBinprmEnvc, "struct linux_binprm", "envc", "linux/binfmts.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameVMAreaStructFlags, "struct vm_area_struct", "vm_flags", "linux/mm_types.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFileFinode, "struct file", "f_inode", "linux/fs.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFileFpath, "struct file", "f_path", "linux/fs.h")
- if kv.Code >= kernel.Kernel5_3 {
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameKernelCloneArgsExitSignal, "struct kernel_clone_args", "exit_signal", "linux/sched/task.h")
- }
-
- // bpf offsets
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFMapStructID, "struct bpf_map", "id", "linux/bpf.h")
- if kv.Code != 0 && (kv.Code >= kernel.Kernel4_15 || kv.IsRH7Kernel()) {
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFMapStructName, "struct bpf_map", "name", "linux/bpf.h")
- }
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFMapStructMapType, "struct bpf_map", "map_type", "linux/bpf.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFProgAuxStructID, "struct bpf_prog_aux", "id", "linux/bpf.h")
- if kv.Code != 0 && (kv.Code >= kernel.Kernel4_15 || kv.IsRH7Kernel()) {
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFProgAuxStructName, "struct bpf_prog_aux", "name", "linux/bpf.h")
- }
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFProgStructTag, "struct bpf_prog", "tag", "linux/filter.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFProgStructAux, "struct bpf_prog", "aux", "linux/filter.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFProgStructType, "struct bpf_prog", "type", "linux/filter.h")
-
- if kv.Code != 0 && (kv.Code > kernel.Kernel4_16 || kv.IsSuse12Kernel() || kv.IsSuse15Kernel()) {
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameBPFProgStructExpectedAttachType, "struct bpf_prog", "expected_attach_type", "linux/filter.h")
- }
- // namespace nr offsets
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePIDStructLevel, "struct pid", "level", "linux/pid.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePIDStructNumbers, "struct pid", "numbers", "linux/pid.h")
- constantFetcher.AppendSizeofRequest(constantfetch.SizeOfUPID, "struct upid", "linux/pid.h")
- if kv.HavePIDLinkStruct() {
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameTaskStructPIDLink, "struct task_struct", "pids", "linux/sched.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePIDLinkStructPID, "struct pid_link", "pid", "linux/pid.h")
- } else {
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameTaskStructPID, "struct task_struct", "thread_pid", "linux/sched.h")
- }
-
- // splice event
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePipeInodeInfoStructBufs, "struct pipe_inode_info", "bufs", "linux/pipe_fs_i.h")
- if kv.HaveLegacyPipeInodeInfoStruct() {
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePipeInodeInfoStructNrbufs, "struct pipe_inode_info", "nrbufs", "linux/pipe_fs_i.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePipeInodeInfoStructCurbuf, "struct pipe_inode_info", "curbuf", "linux/pipe_fs_i.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePipeInodeInfoStructBuffers, "struct pipe_inode_info", "buffers", "linux/pipe_fs_i.h")
- } else {
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePipeInodeInfoStructHead, "struct pipe_inode_info", "head", "linux/pipe_fs_i.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePipeInodeInfoStructRingsize, "struct pipe_inode_info", "ring_size", "linux/pipe_fs_i.h")
- }
-
- // network related constants
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameNetDeviceStructIfIndex, "struct net_device", "ifindex", "linux/netdevice.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSockCommonStructSKCNet, "struct sock_common", "skc_net", "net/sock.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSockCommonStructSKCFamily, "struct sock_common", "skc_family", "net/sock.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI4StructSADDR, "struct flowi4", "saddr", "net/flow.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI4StructULI, "struct flowi4", "uli", "net/flow.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI6StructSADDR, "struct flowi6", "saddr", "net/flow.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI6StructULI, "struct flowi6", "uli", "net/flow.h")
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSocketStructSK, "struct socket", "sk", "linux/net.h")
-
- // Interpreter constants
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameLinuxBinprmStructFile, "struct linux_binprm", "file", "linux/binfmts.h")
-
- if !kv.IsRH7Kernel() {
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameNFConnStructCTNet, "struct nf_conn", "ct_net", "net/netfilter/nf_conntrack.h")
- }
-
- if getNetStructType(kv) == netStructHasProcINum {
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameNetStructProcInum, "struct net", "proc_inum", "net/net_namespace.h")
- } else {
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameNetStructNS, "struct net", "ns", "net/net_namespace.h")
+ p.PlatformProbe = pp
}
- // iouring
- if kv.Code != 0 && (kv.Code >= kernel.Kernel5_1) {
- constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameIoKiocbStructCtx, "struct io_kiocb", "ctx", "")
- }
-}
+ p.event = p.PlatformProbe.NewEvent()
-// HandleActions executes the actions of a triggered rule
-func (p *Probe) HandleActions(rule *rules.Rule, event eval.Event) {
- ev := event.(*model.Event)
- for _, action := range rule.Definition.Actions {
- switch {
- case action.InternalCallbackDefinition != nil && rule.ID == events.RefreshUserCacheRuleID:
- _ = p.RefreshUserCache(ev.ContainerContext.ID)
-
- case action.Kill != nil:
- if pid := ev.ProcessContext.Pid; pid > 1 && pid != utils.Getpid() {
- log.Debugf("Requesting signal %s to be sent to %d", action.Kill.Signal, pid)
- sig := model.SignalConstants[action.Kill.Signal]
+ // be sure to zero the probe event before everything else
+ p.zeroEvent()
- var err error
- if p.supportsBPFSendSignal {
- err = p.killListMap.Put(uint32(pid), uint32(sig))
- } else {
- err = syscall.Kill(int(pid), syscall.Signal(sig))
- }
- if err != nil {
- seclog.Warnf("failed to kill process %d: %s", pid, err)
- }
- }
- }
- }
+ return p, nil
}
diff --git a/pkg/security/probe/probe_monitor.go b/pkg/security/probe/probe_monitor.go
index fc2b8b7c1d343..6953fffecf0e8 100644
--- a/pkg/security/probe/probe_monitor.go
+++ b/pkg/security/probe/probe_monitor.go
@@ -25,8 +25,8 @@ import (
)
// Monitor regroups all the work we want to do to monitor the probes we pushed in the kernel
-type Monitors struct {
- probe *Probe
+type EBPFMonitors struct {
+ ebpfProbe *EBPFProbe
eventStreamMonitor *eventstream.Monitor
runtimeMonitor *runtime.Monitor
@@ -36,61 +36,61 @@ type Monitors struct {
syscallsMonitor *syscalls.Monitor
}
-// NewMonitors returns a new instance of a ProbeMonitor
-func NewMonitors(p *Probe) *Monitors {
- return &Monitors{
- probe: p,
+// NewEBPFMonitors returns a new instance of a ProbeMonitor
+func NewEBPFMonitors(p *EBPFProbe) *EBPFMonitors {
+ return &EBPFMonitors{
+ ebpfProbe: p,
}
}
// Init initializes the monitor
-func (m *Monitors) Init() error {
+func (m *EBPFMonitors) Init() error {
var err error
- p := m.probe
+ p := m.ebpfProbe
// instantiate a new event statistics monitor
- m.eventStreamMonitor, err = eventstream.NewEventStreamMonitor(p.Config.Probe, p.Erpc, p.Manager, p.StatsdClient, p.onEventLost, p.UseRingBuffers())
+ m.eventStreamMonitor, err = eventstream.NewEventStreamMonitor(p.config.Probe, p.Erpc, p.Manager, p.statsdClient, p.onEventLost, p.UseRingBuffers())
if err != nil {
return fmt.Errorf("couldn't create the events statistics monitor: %w", err)
}
- if p.Config.Probe.RuntimeMonitor {
- m.runtimeMonitor = runtime.NewRuntimeMonitor(p.StatsdClient)
+ if p.config.Probe.RuntimeMonitor {
+ m.runtimeMonitor = runtime.NewRuntimeMonitor(p.statsdClient)
}
- m.discarderMonitor, err = discarder.NewDiscarderMonitor(p.Manager, p.StatsdClient)
+ m.discarderMonitor, err = discarder.NewDiscarderMonitor(p.Manager, p.statsdClient)
if err != nil {
return fmt.Errorf("couldn't create the discarder monitor: %w", err)
}
- m.approverMonitor, err = approver.NewApproverMonitor(p.Manager, p.StatsdClient)
+ m.approverMonitor, err = approver.NewApproverMonitor(p.Manager, p.statsdClient)
if err != nil {
return fmt.Errorf("couldn't create the approver monitor: %w", err)
}
- if p.Opts.SyscallsMonitorEnabled {
- m.syscallsMonitor, err = syscalls.NewSyscallsMonitor(p.Manager, p.StatsdClient)
+ if p.opts.SyscallsMonitorEnabled {
+ m.syscallsMonitor, err = syscalls.NewSyscallsMonitor(p.Manager, p.statsdClient)
if err != nil {
return fmt.Errorf("couldn't create the approver monitor: %w", err)
}
}
- m.cgroupsMonitor = cgroups.NewCgroupsMonitor(p.StatsdClient, p.resolvers.CGroupResolver)
+ m.cgroupsMonitor = cgroups.NewCgroupsMonitor(p.statsdClient, p.Resolvers.CGroupResolver)
return nil
}
// GetEventStreamMonitor returns the perf buffer monitor
-func (m *Monitors) GetEventStreamMonitor() *eventstream.Monitor {
+func (m *EBPFMonitors) GetEventStreamMonitor() *eventstream.Monitor {
return m.eventStreamMonitor
}
// SendStats sends statistics about the probe to Datadog
-func (m *Monitors) SendStats() error {
+func (m *EBPFMonitors) SendStats() error {
// delay between two send in order to reduce the statsd pool presure
const delay = time.Second
time.Sleep(delay)
- if resolvers := m.probe.GetResolvers(); resolvers != nil {
+ if resolvers := m.ebpfProbe.Resolvers; resolvers != nil {
if err := resolvers.ProcessResolver.SendStats(); err != nil {
return fmt.Errorf("failed to send process_resolver stats: %w", err)
}
@@ -122,7 +122,7 @@ func (m *Monitors) SendStats() error {
}
time.Sleep(delay)
- if m.probe.Config.Probe.RuntimeMonitor {
+ if m.ebpfProbe.config.Probe.RuntimeMonitor {
if err := m.runtimeMonitor.SendStats(); err != nil {
return fmt.Errorf("failed to send runtime monitor stats: %w", err)
}
@@ -140,7 +140,7 @@ func (m *Monitors) SendStats() error {
return fmt.Errorf("failed to send evaluation set stats: %w", err)
}
- if m.probe.Opts.SyscallsMonitorEnabled {
+ if m.ebpfProbe.opts.SyscallsMonitorEnabled {
if err := m.syscallsMonitor.SendStats(); err != nil {
return fmt.Errorf("failed to send evaluation set stats: %w", err)
}
@@ -150,8 +150,8 @@ func (m *Monitors) SendStats() error {
}
// ProcessEvent processes an event through the various monitors and controllers of the probe
-func (m *Monitors) ProcessEvent(event *model.Event) {
- if !m.probe.Config.RuntimeSecurity.InternalMonitoringEnabled {
+func (m *EBPFMonitors) ProcessEvent(event *model.Event) {
+ if !m.ebpfProbe.config.RuntimeSecurity.InternalMonitoringEnabled {
return
}
@@ -167,22 +167,22 @@ func (m *Monitors) ProcessEvent(event *model.Event) {
var pathErr *path.ErrPathResolution
if errors.As(event.Error, &pathErr) {
- m.probe.DispatchCustomEvent(
- NewAbnormalEvent(events.AbnormalPathRuleID, events.AbnormalPathRuleDesc, event, m.probe, pathErr.Err),
+ m.ebpfProbe.probe.DispatchCustomEvent(
+ NewAbnormalEvent(events.AbnormalPathRuleID, events.AbnormalPathRuleDesc, event, pathErr.Err),
)
}
var processContextErr *model.ErrNoProcessContext
if errors.As(event.Error, &processContextErr) {
- m.probe.DispatchCustomEvent(
- NewAbnormalEvent(events.NoProcessContextErrorRuleID, events.NoProcessContextErrorRuleDesc, event, m.probe, event.Error),
+ m.ebpfProbe.probe.DispatchCustomEvent(
+ NewAbnormalEvent(events.NoProcessContextErrorRuleID, events.NoProcessContextErrorRuleDesc, event, event.Error),
)
}
var brokenLineageErr *model.ErrProcessBrokenLineage
if errors.As(event.Error, &brokenLineageErr) {
- m.probe.DispatchCustomEvent(
- NewAbnormalEvent(events.BrokenProcessLineageErrorRuleID, events.BrokenProcessLineageErrorRuleDesc, event, m.probe, event.Error),
+ m.ebpfProbe.probe.DispatchCustomEvent(
+ NewAbnormalEvent(events.BrokenProcessLineageErrorRuleID, events.BrokenProcessLineageErrorRuleDesc, event, event.Error),
)
}
}
diff --git a/pkg/security/probe/probe_others.go b/pkg/security/probe/probe_others.go
index c5f6ddb2a35c5..f3e14d131eb24 100644
--- a/pkg/security/probe/probe_others.go
+++ b/pkg/security/probe/probe_others.go
@@ -12,7 +12,6 @@ import (
"github.com/DataDog/datadog-agent/pkg/security/config"
"github.com/DataDog/datadog-agent/pkg/security/probe/kfilters"
- "github.com/DataDog/datadog-agent/pkg/security/resolvers"
"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
@@ -87,11 +86,6 @@ func (p *Probe) StatsPollingInterval() time.Duration {
return p.Config.Probe.StatsPollingInterval
}
-// GetResolvers returns the resolvers of Probe
-func (p *Probe) GetResolvers() *resolvers.Resolvers {
- return nil
-}
-
// FlushDiscarders invalidates all the discarders
func (p *Probe) FlushDiscarders() error {
return nil
diff --git a/pkg/security/probe/probe_windows.go b/pkg/security/probe/probe_windows.go
index 420b873e9bd9e..123b77d9787a1 100644
--- a/pkg/security/probe/probe_windows.go
+++ b/pkg/security/probe/probe_windows.go
@@ -3,17 +3,15 @@
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
-//go:build windows
-
// Package probe holds probe related files
package probe
import (
"context"
+ "errors"
+ "sync"
"time"
- "golang.org/x/time/rate"
-
"github.com/DataDog/datadog-agent/pkg/process/procutil"
"github.com/DataDog/datadog-agent/pkg/security/config"
"github.com/DataDog/datadog-agent/pkg/security/probe/kfilters"
@@ -22,20 +20,34 @@ import (
"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
+ "github.com/DataDog/datadog-agent/pkg/security/serializers"
"github.com/DataDog/datadog-agent/pkg/util/log"
"github.com/DataDog/datadog-agent/pkg/windowsdriver/procmon"
+ "github.com/DataDog/datadog-go/v5/statsd"
)
-type PlatformProbe struct {
- pm *procmon.WinProcmon
- onStart chan *procmon.ProcessStartNotification
- onStop chan *procmon.ProcessStopNotification
+// WindowsProbe defines a Windows probe
+type WindowsProbe struct {
+ Resolvers *resolvers.Resolvers
+
+ // Constants and configuration
+ opts Opts
+ config *config.Config
+ statsdClient statsd.ClientInterface
+
+ // internals
+ ctx context.Context
+ cancelFnc context.CancelFunc
+ wg sync.WaitGroup
+ probe *Probe
+ fieldHandlers *FieldHandlers
+ pm *procmon.WinProcmon
+ onStart chan *procmon.ProcessStartNotification
+ onStop chan *procmon.ProcessStopNotification
}
// Init initializes the probe
-func (p *Probe) Init() error {
- p.startTime = time.Now()
-
+func (p *WindowsProbe) Init() error {
pm, err := procmon.NewWinProcMon(p.onStart, p.onStop)
if err != nil {
return err
@@ -46,17 +58,17 @@ func (p *Probe) Init() error {
}
// Setup the runtime security probe
-func (p *Probe) Setup() error {
+func (p *WindowsProbe) Setup() error {
return nil
}
// Stop the probe
-func (p *Probe) Stop() {
+func (p *WindowsProbe) Stop() {
p.pm.Stop()
}
// Start processing events
-func (p *Probe) Start() error {
+func (p *WindowsProbe) Start() error {
log.Infof("Windows probe started")
p.wg.Add(1)
@@ -68,7 +80,7 @@ func (p *Probe) Start() error {
)
for {
- ev := p.zeroEvent()
+ ev := p.probe.zeroEvent()
select {
case <-p.ctx.Done():
return
@@ -87,7 +99,7 @@ func (p *Probe) Start() error {
continue
}
- pce, err = p.resolvers.ProcessResolver.AddNewEntry(pid, ppid, start.ImageFile, start.CmdLine)
+ pce, err = p.Resolvers.ProcessResolver.AddNewEntry(pid, ppid, start.ImageFile, start.CmdLine)
if err != nil {
log.Errorf("error in resolver %v", err)
continue
@@ -102,8 +114,8 @@ func (p *Probe) Start() error {
}
log.Infof("Received stop %v", stop)
- pce := p.resolvers.ProcessResolver.GetEntry(pid)
- defer p.resolvers.ProcessResolver.DeleteEntry(pid, time.Now())
+ pce := p.Resolvers.ProcessResolver.GetEntry(pid)
+ defer p.Resolvers.ProcessResolver.DeleteEntry(pid, time.Now())
ev.Type = uint32(model.ExitEventType)
if pce == nil {
@@ -128,36 +140,28 @@ func (p *Probe) Start() error {
}
// DispatchEvent sends an event to the probe event handler
-func (p *Probe) DispatchEvent(event *model.Event) {
+func (p *WindowsProbe) DispatchEvent(event *model.Event) {
+ traceEvent("Dispatching event %s", func() ([]byte, model.EventType, error) {
+ eventJSON, err := serializers.MarshalEvent(event)
+ return eventJSON, event.GetEventType(), err
+ })
// send event to wildcard handlers, like the CWS rule engine, first
- p.sendEventToWildcardHandlers(event)
+ p.probe.sendEventToWildcardHandlers(event)
// send event to specific event handlers, like the event monitor consumers, subsequently
- p.sendEventToSpecificEventTypeHandlers(event)
-
-}
-
-func (p *Probe) sendEventToWildcardHandlers(event *model.Event) {
- for _, handler := range p.fullAccessEventHandlers[model.UnknownEventType] {
- handler.HandleEvent(event)
- }
-}
+ p.probe.sendEventToSpecificEventTypeHandlers(event)
-func (p *Probe) sendEventToSpecificEventTypeHandlers(event *model.Event) {
- for _, handler := range p.eventHandlers[event.GetEventType()] {
- handler.HandleEvent(handler.Copy(event))
- }
}
// Snapshot runs the different snapshot functions of the resolvers that
// require to sync with the current state of the system
-func (p *Probe) Snapshot() error {
- return p.resolvers.Snapshot()
+func (p *WindowsProbe) Snapshot() error {
+ return p.Resolvers.Snapshot()
}
// Close the probe
-func (p *Probe) Close() error {
+func (p *WindowsProbe) Close() error {
p.pm.Stop()
p.cancelFnc()
p.wg.Wait()
@@ -165,72 +169,107 @@ func (p *Probe) Close() error {
}
// SendStats sends statistics about the probe to Datadog
-func (p *Probe) SendStats() error {
- //p.resolvers.TCResolver.SendTCProgramsStats(p.StatsdClient)
- //
- //return p.monitor.SendStats()
+func (p *WindowsProbe) SendStats() error {
return nil
}
-// GetDebugStats returns the debug stats
-func (p *Probe) GetDebugStats() map[string]interface{} {
- debug := map[string]interface{}{
- "start_time": p.startTime.String(),
+// NewWindowsProbe instantiates a new runtime security agent probe
+func NewWindowsProbe(probe *Probe, config *config.Config, opts Opts) (*WindowsProbe, error) {
+ ctx, cancelFnc := context.WithCancel(context.Background())
+
+ p := &WindowsProbe{
+ probe: probe,
+ config: config,
+ opts: opts,
+ statsdClient: opts.StatsdClient,
+ ctx: ctx,
+ cancelFnc: cancelFnc,
+ onStart: make(chan *procmon.ProcessStartNotification),
+ onStop: make(chan *procmon.ProcessStopNotification),
}
- return debug
-}
-// NewProbe instantiates a new runtime security agent probe
-func NewProbe(config *config.Config, opts Opts) (*Probe, error) {
- opts.normalize()
+ var err error
+ p.Resolvers, err = resolvers.NewResolvers(config, p.statsdClient, probe.scrubber)
+ if err != nil {
+ return nil, err
+ }
- ctx, cancel := context.WithCancel(context.Background())
+ p.fieldHandlers = &FieldHandlers{resolvers: p.Resolvers}
- p := &Probe{
- Opts: opts,
- Config: config,
- ctx: ctx,
- cancelFnc: cancel,
- StatsdClient: opts.StatsdClient,
- discarderRateLimiter: rate.NewLimiter(rate.Every(time.Second/5), 100),
- PlatformProbe: PlatformProbe{
- onStart: make(chan *procmon.ProcessStartNotification),
- onStop: make(chan *procmon.ProcessStopNotification),
- },
- }
+ return p, nil
+}
- p.scrubber = newProcScrubber(config.Probe.CustomSensitiveWords)
+// ApplyRuleSet setup the probes for the provided set of rules and returns the policy report.
+func (p *WindowsProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error) {
+ return kfilters.NewApplyRuleSetReport(p.config.Probe, rs)
+}
- resolvers, err := resolvers.NewResolvers(config, p.StatsdClient, p.scrubber)
- if err != nil {
- return nil, err
- }
- p.resolvers = resolvers
+// FlushDiscarders invalidates all the discarders
+func (p *WindowsProbe) FlushDiscarders() error {
+ return nil
+}
- p.fieldHandlers = &FieldHandlers{resolvers: resolvers}
+// OnNewDiscarder handles discarders
+func (p *WindowsProbe) OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType) {
+}
- p.event = NewEvent(p.fieldHandlers)
+// NewModel returns a new Model
+func (p *WindowsProbe) NewModel() *model.Model {
+ return NewWindowsModel(p)
+}
- // be sure to zero the probe event before everything else
- p.zeroEvent()
+// DumpDiscarders dump the discarders
+func (p *WindowsProbe) DumpDiscarders() (string, error) {
+ return "", errors.New("not supported")
+}
- return p, nil
+// GetFieldHandlers returns the field handlers
+func (p *WindowsProbe) GetFieldHandlers() model.FieldHandlers {
+ return p.fieldHandlers
}
-// OnNewDiscarder is called when a new discarder is found. We currently don't generate discarders on Windows.
-func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType) { //nolint:revive // TODO fix revive unused-parameter
+// DumpProcessCache dumps the process cache
+func (p *WindowsProbe) DumpProcessCache(_ bool) (string, error) {
+ return "", errors.New("not supported")
}
-// ApplyRuleSet setup the probes for the provided set of rules and returns the policy report.
-func (p *Probe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error) {
- return kfilters.NewApplyRuleSetReport(p.Config.Probe, rs)
+// NewEvent returns a new event
+func (p *WindowsProbe) NewEvent() *model.Event {
+ return NewWindowsEvent(p.fieldHandlers)
}
-// FlushDiscarders invalidates all the discarders
-func (p *Probe) FlushDiscarders() error {
+// HandleActions executes the actions of a triggered rule
+func (p *WindowsProbe) HandleActions(_ *rules.Rule, _ eval.Event) {}
+
+// AddDiscarderPushedCallback add a callback to the list of func that have to be called when a discarder is pushed to kernel
+func (p *WindowsProbe) AddDiscarderPushedCallback(_ DiscarderPushedCallback) {}
+
+// GetEventTags returns the event tags
+func (p *WindowsProbe) GetEventTags(_ string) []string {
return nil
}
-// HandleActions executes the actions of a triggered rule
-func (p *Probe) HandleActions(_ *rules.Rule, _ eval.Event) {
+// NewProbe instantiates a new runtime security agent probe
+func NewProbe(config *config.Config, opts Opts) (*Probe, error) {
+ opts.normalize()
+
+ p := &Probe{
+ Opts: opts,
+ Config: config,
+ StatsdClient: opts.StatsdClient,
+ scrubber: newProcScrubber(config.Probe.CustomSensitiveWords),
+ }
+
+ pp, err := NewWindowsProbe(p, config, opts)
+ if err != nil {
+ return nil, err
+ }
+ p.PlatformProbe = pp
+
+ p.event = p.PlatformProbe.NewEvent()
+
+ // be sure to zero the probe event before everything else
+ p.zeroEvent()
+
+ return p, nil
}
diff --git a/pkg/security/probe/security_profile.go b/pkg/security/probe/security_profile.go
index 4f2dc65c580ee..a78f04cf4bd60 100644
--- a/pkg/security/probe/security_profile.go
+++ b/pkg/security/probe/security_profile.go
@@ -30,28 +30,28 @@ type SecurityProfileManagers struct {
}
// NewSecurityProfileManagers returns a new manager object
-func NewSecurityProfileManagers(probe *Probe) (*SecurityProfileManagers, error) {
+func NewSecurityProfileManagers(p *EBPFProbe) (*SecurityProfileManagers, error) {
managers := SecurityProfileManagers{
- config: probe.Config,
+ config: p.config,
}
- if probe.IsActivityDumpEnabled() {
- activityDumpManager, err := dump.NewActivityDumpManager(probe.Config, probe.StatsdClient, func() *model.Event { return NewEvent(probe.fieldHandlers) }, probe.resolvers, probe.kernelVersion, probe.Manager)
+ if p.probe.IsActivityDumpEnabled() {
+ activityDumpManager, err := dump.NewActivityDumpManager(p.config, p.statsdClient, p.NewEvent, p.Resolvers, p.kernelVersion, p.Manager)
if err != nil {
return nil, fmt.Errorf("couldn't create the activity dump manager: %w", err)
}
managers.activityDumpManager = activityDumpManager
}
- if probe.IsSecurityProfileEnabled() {
- securityProfileManager, err := profile.NewSecurityProfileManager(probe.Config, probe.StatsdClient, probe.resolvers, probe.Manager)
+ if p.probe.IsSecurityProfileEnabled() {
+ securityProfileManager, err := profile.NewSecurityProfileManager(p.config, p.statsdClient, p.Resolvers, p.Manager)
if err != nil {
return nil, fmt.Errorf("couldn't create the security profile manager: %w", err)
}
managers.securityProfileManager = securityProfileManager
}
- if probe.IsActivityDumpEnabled() && probe.IsSecurityProfileEnabled() {
+ if p.probe.IsActivityDumpEnabled() && p.probe.IsSecurityProfileEnabled() {
managers.activityDumpManager.SetSecurityProfileManager(managers.securityProfileManager)
managers.securityProfileManager.SetActivityDumpManager(managers.activityDumpManager)
}
diff --git a/pkg/security/probe/selftests/tester_linux.go b/pkg/security/probe/selftests/tester_linux.go
index b82b501ceaa07..363d2f2fdc452 100644
--- a/pkg/security/probe/selftests/tester_linux.go
+++ b/pkg/security/probe/selftests/tester_linux.go
@@ -186,14 +186,14 @@ type selfTestEvent struct {
}
// IsExpectedEvent sends an event to the tester
-func (t *SelfTester) IsExpectedEvent(rule *rules.Rule, event eval.Event, p *probe.Probe) bool {
+func (t *SelfTester) IsExpectedEvent(rule *rules.Rule, event eval.Event, _ *probe.Probe) bool {
if t.waitingForEvent.Load() && rule.Definition.Policy.Source == policySource {
ev, ok := event.(*model.Event)
if !ok {
return true
}
- s := serializers.NewEventSerializer(ev, p.GetResolvers())
+ s := serializers.NewEventSerializer(ev)
if s == nil || s.FileEventSerializer == nil {
return true
}
diff --git a/pkg/security/proto/api/README.md b/pkg/security/proto/README.md
similarity index 100%
rename from pkg/security/proto/api/README.md
rename to pkg/security/proto/README.md
diff --git a/pkg/security/proto/ebpfless/service.pb.go b/pkg/security/proto/ebpfless/service.pb.go
new file mode 100644
index 0000000000000..d63a158862ede
--- /dev/null
+++ b/pkg/security/proto/ebpfless/service.pb.go
@@ -0,0 +1,803 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// protoc-gen-go v1.31.0
+// protoc
+// source: pkg/security/proto/ebpfless/service.proto
+
+package ebpfless
+
+import (
+ protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+ protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+ reflect "reflect"
+ sync "sync"
+)
+
+const (
+ // Verify that this generated code is sufficiently up-to-date.
+ _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+ // Verify that runtime/protoimpl is sufficiently up-to-date.
+ _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type SyscallType int32
+
+const (
+ SyscallType_Unknown SyscallType = 0
+ SyscallType_Exec SyscallType = 1
+ SyscallType_Fork SyscallType = 2
+ SyscallType_Open SyscallType = 3
+ SyscallType_Exit SyscallType = 4
+ SyscallType_Fcntl SyscallType = 5
+)
+
+// Enum value maps for SyscallType.
+var (
+ SyscallType_name = map[int32]string{
+ 0: "Unknown",
+ 1: "Exec",
+ 2: "Fork",
+ 3: "Open",
+ 4: "Exit",
+ 5: "Fcntl",
+ }
+ SyscallType_value = map[string]int32{
+ "Unknown": 0,
+ "Exec": 1,
+ "Fork": 2,
+ "Open": 3,
+ "Exit": 4,
+ "Fcntl": 5,
+ }
+)
+
+func (x SyscallType) Enum() *SyscallType {
+ p := new(SyscallType)
+ *p = x
+ return p
+}
+
+func (x SyscallType) String() string {
+ return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (SyscallType) Descriptor() protoreflect.EnumDescriptor {
+ return file_pkg_security_proto_ebpfless_service_proto_enumTypes[0].Descriptor()
+}
+
+func (SyscallType) Type() protoreflect.EnumType {
+ return &file_pkg_security_proto_ebpfless_service_proto_enumTypes[0]
+}
+
+func (x SyscallType) Number() protoreflect.EnumNumber {
+ return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use SyscallType.Descriptor instead.
+func (SyscallType) EnumDescriptor() ([]byte, []int) {
+ return file_pkg_security_proto_ebpfless_service_proto_rawDescGZIP(), []int{0}
+}
+
+type ContainerContext struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ ID string `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
+ Name string `protobuf:"bytes,2,opt,name=Name,proto3" json:"Name,omitempty"`
+ Tag string `protobuf:"bytes,3,opt,name=Tag,proto3" json:"Tag,omitempty"`
+ CreatedAt uint64 `protobuf:"varint,4,opt,name=CreatedAt,proto3" json:"CreatedAt,omitempty"`
+}
+
+func (x *ContainerContext) Reset() {
+ *x = ContainerContext{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[0]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ContainerContext) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ContainerContext) ProtoMessage() {}
+
+func (x *ContainerContext) ProtoReflect() protoreflect.Message {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[0]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ContainerContext.ProtoReflect.Descriptor instead.
+func (*ContainerContext) Descriptor() ([]byte, []int) {
+ return file_pkg_security_proto_ebpfless_service_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *ContainerContext) GetID() string {
+ if x != nil {
+ return x.ID
+ }
+ return ""
+}
+
+func (x *ContainerContext) GetName() string {
+ if x != nil {
+ return x.Name
+ }
+ return ""
+}
+
+func (x *ContainerContext) GetTag() string {
+ if x != nil {
+ return x.Tag
+ }
+ return ""
+}
+
+func (x *ContainerContext) GetCreatedAt() uint64 {
+ if x != nil {
+ return x.CreatedAt
+ }
+ return 0
+}
+
+type FcntlSyscallMsg struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ Fd uint32 `protobuf:"varint,1,opt,name=Fd,proto3" json:"Fd,omitempty"`
+ Cmd uint32 `protobuf:"varint,2,opt,name=Cmd,proto3" json:"Cmd,omitempty"`
+}
+
+func (x *FcntlSyscallMsg) Reset() {
+ *x = FcntlSyscallMsg{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[1]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *FcntlSyscallMsg) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*FcntlSyscallMsg) ProtoMessage() {}
+
+func (x *FcntlSyscallMsg) ProtoReflect() protoreflect.Message {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[1]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use FcntlSyscallMsg.ProtoReflect.Descriptor instead.
+func (*FcntlSyscallMsg) Descriptor() ([]byte, []int) {
+ return file_pkg_security_proto_ebpfless_service_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *FcntlSyscallMsg) GetFd() uint32 {
+ if x != nil {
+ return x.Fd
+ }
+ return 0
+}
+
+func (x *FcntlSyscallMsg) GetCmd() uint32 {
+ if x != nil {
+ return x.Cmd
+ }
+ return 0
+}
+
+type ExecSyscallMsg struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ Filename string `protobuf:"bytes,1,opt,name=Filename,proto3" json:"Filename,omitempty"`
+ Args []string `protobuf:"bytes,2,rep,name=Args,proto3" json:"Args,omitempty"`
+ Envs []string `protobuf:"bytes,3,rep,name=Envs,proto3" json:"Envs,omitempty"`
+}
+
+func (x *ExecSyscallMsg) Reset() {
+ *x = ExecSyscallMsg{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[2]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ExecSyscallMsg) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ExecSyscallMsg) ProtoMessage() {}
+
+func (x *ExecSyscallMsg) ProtoReflect() protoreflect.Message {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[2]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ExecSyscallMsg.ProtoReflect.Descriptor instead.
+func (*ExecSyscallMsg) Descriptor() ([]byte, []int) {
+ return file_pkg_security_proto_ebpfless_service_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *ExecSyscallMsg) GetFilename() string {
+ if x != nil {
+ return x.Filename
+ }
+ return ""
+}
+
+func (x *ExecSyscallMsg) GetArgs() []string {
+ if x != nil {
+ return x.Args
+ }
+ return nil
+}
+
+func (x *ExecSyscallMsg) GetEnvs() []string {
+ if x != nil {
+ return x.Envs
+ }
+ return nil
+}
+
+type ForkSyscallMsg struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ PPID uint32 `protobuf:"varint,1,opt,name=PPID,proto3" json:"PPID,omitempty"`
+}
+
+func (x *ForkSyscallMsg) Reset() {
+ *x = ForkSyscallMsg{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[3]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ForkSyscallMsg) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ForkSyscallMsg) ProtoMessage() {}
+
+func (x *ForkSyscallMsg) ProtoReflect() protoreflect.Message {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[3]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ForkSyscallMsg.ProtoReflect.Descriptor instead.
+func (*ForkSyscallMsg) Descriptor() ([]byte, []int) {
+ return file_pkg_security_proto_ebpfless_service_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *ForkSyscallMsg) GetPPID() uint32 {
+ if x != nil {
+ return x.PPID
+ }
+ return 0
+}
+
+type ExitSyscallMsg struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+}
+
+func (x *ExitSyscallMsg) Reset() {
+ *x = ExitSyscallMsg{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[4]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ExitSyscallMsg) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ExitSyscallMsg) ProtoMessage() {}
+
+func (x *ExitSyscallMsg) ProtoReflect() protoreflect.Message {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[4]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ExitSyscallMsg.ProtoReflect.Descriptor instead.
+func (*ExitSyscallMsg) Descriptor() ([]byte, []int) {
+ return file_pkg_security_proto_ebpfless_service_proto_rawDescGZIP(), []int{4}
+}
+
+type OpenSyscallMsg struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ Filename string `protobuf:"bytes,1,opt,name=Filename,proto3" json:"Filename,omitempty"`
+ Flags uint32 `protobuf:"varint,2,opt,name=Flags,proto3" json:"Flags,omitempty"`
+ Mode uint32 `protobuf:"varint,3,opt,name=Mode,proto3" json:"Mode,omitempty"`
+}
+
+func (x *OpenSyscallMsg) Reset() {
+ *x = OpenSyscallMsg{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[5]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *OpenSyscallMsg) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*OpenSyscallMsg) ProtoMessage() {}
+
+func (x *OpenSyscallMsg) ProtoReflect() protoreflect.Message {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[5]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use OpenSyscallMsg.ProtoReflect.Descriptor instead.
+func (*OpenSyscallMsg) Descriptor() ([]byte, []int) {
+ return file_pkg_security_proto_ebpfless_service_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *OpenSyscallMsg) GetFilename() string {
+ if x != nil {
+ return x.Filename
+ }
+ return ""
+}
+
+func (x *OpenSyscallMsg) GetFlags() uint32 {
+ if x != nil {
+ return x.Flags
+ }
+ return 0
+}
+
+func (x *OpenSyscallMsg) GetMode() uint32 {
+ if x != nil {
+ return x.Mode
+ }
+ return 0
+}
+
+type SyscallMsg struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ SeqNum uint64 `protobuf:"varint,1,opt,name=SeqNum,proto3" json:"SeqNum,omitempty"`
+ Type SyscallType `protobuf:"varint,2,opt,name=Type,proto3,enum=ebpfless.SyscallType" json:"Type,omitempty"`
+ PID uint32 `protobuf:"varint,3,opt,name=PID,proto3" json:"PID,omitempty"`
+ ContainerContext *ContainerContext `protobuf:"bytes,4,opt,name=ContainerContext,proto3" json:"ContainerContext,omitempty"`
+ Exec *ExecSyscallMsg `protobuf:"bytes,5,opt,name=Exec,proto3" json:"Exec,omitempty"`
+ Open *OpenSyscallMsg `protobuf:"bytes,6,opt,name=Open,proto3" json:"Open,omitempty"`
+ Fork *ForkSyscallMsg `protobuf:"bytes,7,opt,name=Fork,proto3" json:"Fork,omitempty"`
+ Exit *ExitSyscallMsg `protobuf:"bytes,8,opt,name=Exit,proto3" json:"Exit,omitempty"`
+ Fcntl *FcntlSyscallMsg `protobuf:"bytes,9,opt,name=Fcntl,proto3" json:"Fcntl,omitempty"`
+}
+
+func (x *SyscallMsg) Reset() {
+ *x = SyscallMsg{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[6]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *SyscallMsg) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SyscallMsg) ProtoMessage() {}
+
+func (x *SyscallMsg) ProtoReflect() protoreflect.Message {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[6]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use SyscallMsg.ProtoReflect.Descriptor instead.
+func (*SyscallMsg) Descriptor() ([]byte, []int) {
+ return file_pkg_security_proto_ebpfless_service_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *SyscallMsg) GetSeqNum() uint64 {
+ if x != nil {
+ return x.SeqNum
+ }
+ return 0
+}
+
+func (x *SyscallMsg) GetType() SyscallType {
+ if x != nil {
+ return x.Type
+ }
+ return SyscallType_Unknown
+}
+
+func (x *SyscallMsg) GetPID() uint32 {
+ if x != nil {
+ return x.PID
+ }
+ return 0
+}
+
+func (x *SyscallMsg) GetContainerContext() *ContainerContext {
+ if x != nil {
+ return x.ContainerContext
+ }
+ return nil
+}
+
+func (x *SyscallMsg) GetExec() *ExecSyscallMsg {
+ if x != nil {
+ return x.Exec
+ }
+ return nil
+}
+
+func (x *SyscallMsg) GetOpen() *OpenSyscallMsg {
+ if x != nil {
+ return x.Open
+ }
+ return nil
+}
+
+func (x *SyscallMsg) GetFork() *ForkSyscallMsg {
+ if x != nil {
+ return x.Fork
+ }
+ return nil
+}
+
+func (x *SyscallMsg) GetExit() *ExitSyscallMsg {
+ if x != nil {
+ return x.Exit
+ }
+ return nil
+}
+
+func (x *SyscallMsg) GetFcntl() *FcntlSyscallMsg {
+ if x != nil {
+ return x.Fcntl
+ }
+ return nil
+}
+
+type Response struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+}
+
+func (x *Response) Reset() {
+ *x = Response{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[7]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *Response) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Response) ProtoMessage() {}
+
+func (x *Response) ProtoReflect() protoreflect.Message {
+ mi := &file_pkg_security_proto_ebpfless_service_proto_msgTypes[7]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use Response.ProtoReflect.Descriptor instead.
+func (*Response) Descriptor() ([]byte, []int) {
+ return file_pkg_security_proto_ebpfless_service_proto_rawDescGZIP(), []int{7}
+}
+
+var File_pkg_security_proto_ebpfless_service_proto protoreflect.FileDescriptor
+
+var file_pkg_security_proto_ebpfless_service_proto_rawDesc = []byte{
+ 0x0a, 0x29, 0x70, 0x6b, 0x67, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x70,
+ 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x65, 0x62, 0x70, 0x66, 0x6c, 0x65, 0x73, 0x73, 0x2f, 0x73, 0x65,
+ 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x08, 0x65, 0x62, 0x70,
+ 0x66, 0x6c, 0x65, 0x73, 0x73, 0x22, 0x66, 0x0a, 0x10, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e,
+ 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x44, 0x18,
+ 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x44, 0x12, 0x12, 0x0a, 0x04, 0x4e, 0x61, 0x6d,
+ 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a,
+ 0x03, 0x54, 0x61, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x54, 0x61, 0x67, 0x12,
+ 0x1c, 0x0a, 0x09, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x18, 0x04, 0x20, 0x01,
+ 0x28, 0x04, 0x52, 0x09, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x22, 0x33, 0x0a,
+ 0x0f, 0x46, 0x63, 0x6e, 0x74, 0x6c, 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x4d, 0x73, 0x67,
+ 0x12, 0x0e, 0x0a, 0x02, 0x46, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x02, 0x46, 0x64,
+ 0x12, 0x10, 0x0a, 0x03, 0x43, 0x6d, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03, 0x43,
+ 0x6d, 0x64, 0x22, 0x54, 0x0a, 0x0e, 0x45, 0x78, 0x65, 0x63, 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c,
+ 0x6c, 0x4d, 0x73, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x46, 0x69, 0x6c, 0x65, 0x6e, 0x61, 0x6d, 0x65,
+ 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x46, 0x69, 0x6c, 0x65, 0x6e, 0x61, 0x6d, 0x65,
+ 0x12, 0x12, 0x0a, 0x04, 0x41, 0x72, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x04,
+ 0x41, 0x72, 0x67, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x45, 0x6e, 0x76, 0x73, 0x18, 0x03, 0x20, 0x03,
+ 0x28, 0x09, 0x52, 0x04, 0x45, 0x6e, 0x76, 0x73, 0x22, 0x24, 0x0a, 0x0e, 0x46, 0x6f, 0x72, 0x6b,
+ 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x4d, 0x73, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x50,
+ 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04, 0x50, 0x50, 0x49, 0x44, 0x22, 0x10,
+ 0x0a, 0x0e, 0x45, 0x78, 0x69, 0x74, 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x4d, 0x73, 0x67,
+ 0x22, 0x56, 0x0a, 0x0e, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x4d,
+ 0x73, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x46, 0x69, 0x6c, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
+ 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x46, 0x69, 0x6c, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x14,
+ 0x0a, 0x05, 0x46, 0x6c, 0x61, 0x67, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x46,
+ 0x6c, 0x61, 0x67, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x4d, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01,
+ 0x28, 0x0d, 0x52, 0x04, 0x4d, 0x6f, 0x64, 0x65, 0x22, 0x92, 0x03, 0x0a, 0x0a, 0x53, 0x79, 0x73,
+ 0x63, 0x61, 0x6c, 0x6c, 0x4d, 0x73, 0x67, 0x12, 0x16, 0x0a, 0x06, 0x53, 0x65, 0x71, 0x4e, 0x75,
+ 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x53, 0x65, 0x71, 0x4e, 0x75, 0x6d, 0x12,
+ 0x29, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e,
+ 0x65, 0x62, 0x70, 0x66, 0x6c, 0x65, 0x73, 0x73, 0x2e, 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c,
+ 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x50, 0x49,
+ 0x44, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03, 0x50, 0x49, 0x44, 0x12, 0x46, 0x0a, 0x10,
+ 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
+ 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x65, 0x62, 0x70, 0x66, 0x6c, 0x65, 0x73,
+ 0x73, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x74, 0x65,
+ 0x78, 0x74, 0x52, 0x10, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x43, 0x6f, 0x6e,
+ 0x74, 0x65, 0x78, 0x74, 0x12, 0x2c, 0x0a, 0x04, 0x45, 0x78, 0x65, 0x63, 0x18, 0x05, 0x20, 0x01,
+ 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x65, 0x62, 0x70, 0x66, 0x6c, 0x65, 0x73, 0x73, 0x2e, 0x45, 0x78,
+ 0x65, 0x63, 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x4d, 0x73, 0x67, 0x52, 0x04, 0x45, 0x78,
+ 0x65, 0x63, 0x12, 0x2c, 0x0a, 0x04, 0x4f, 0x70, 0x65, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b,
+ 0x32, 0x18, 0x2e, 0x65, 0x62, 0x70, 0x66, 0x6c, 0x65, 0x73, 0x73, 0x2e, 0x4f, 0x70, 0x65, 0x6e,
+ 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x4d, 0x73, 0x67, 0x52, 0x04, 0x4f, 0x70, 0x65, 0x6e,
+ 0x12, 0x2c, 0x0a, 0x04, 0x46, 0x6f, 0x72, 0x6b, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x18,
+ 0x2e, 0x65, 0x62, 0x70, 0x66, 0x6c, 0x65, 0x73, 0x73, 0x2e, 0x46, 0x6f, 0x72, 0x6b, 0x53, 0x79,
+ 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x4d, 0x73, 0x67, 0x52, 0x04, 0x46, 0x6f, 0x72, 0x6b, 0x12, 0x2c,
+ 0x0a, 0x04, 0x45, 0x78, 0x69, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x65,
+ 0x62, 0x70, 0x66, 0x6c, 0x65, 0x73, 0x73, 0x2e, 0x45, 0x78, 0x69, 0x74, 0x53, 0x79, 0x73, 0x63,
+ 0x61, 0x6c, 0x6c, 0x4d, 0x73, 0x67, 0x52, 0x04, 0x45, 0x78, 0x69, 0x74, 0x12, 0x2f, 0x0a, 0x05,
+ 0x46, 0x63, 0x6e, 0x74, 0x6c, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x65, 0x62,
+ 0x70, 0x66, 0x6c, 0x65, 0x73, 0x73, 0x2e, 0x46, 0x63, 0x6e, 0x74, 0x6c, 0x53, 0x79, 0x73, 0x63,
+ 0x61, 0x6c, 0x6c, 0x4d, 0x73, 0x67, 0x52, 0x05, 0x46, 0x63, 0x6e, 0x74, 0x6c, 0x22, 0x0a, 0x0a,
+ 0x08, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2a, 0x4d, 0x0a, 0x0b, 0x53, 0x79, 0x73,
+ 0x63, 0x61, 0x6c, 0x6c, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x6e, 0x6b, 0x6e,
+ 0x6f, 0x77, 0x6e, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x45, 0x78, 0x65, 0x63, 0x10, 0x01, 0x12,
+ 0x08, 0x0a, 0x04, 0x46, 0x6f, 0x72, 0x6b, 0x10, 0x02, 0x12, 0x08, 0x0a, 0x04, 0x4f, 0x70, 0x65,
+ 0x6e, 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04, 0x45, 0x78, 0x69, 0x74, 0x10, 0x04, 0x12, 0x09, 0x0a,
+ 0x05, 0x46, 0x63, 0x6e, 0x74, 0x6c, 0x10, 0x05, 0x32, 0x50, 0x0a, 0x10, 0x53, 0x79, 0x73, 0x63,
+ 0x61, 0x6c, 0x6c, 0x4d, 0x73, 0x67, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x3c, 0x0a, 0x0e,
+ 0x53, 0x65, 0x6e, 0x64, 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x4d, 0x73, 0x67, 0x12, 0x14,
+ 0x2e, 0x65, 0x62, 0x70, 0x66, 0x6c, 0x65, 0x73, 0x73, 0x2e, 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c,
+ 0x6c, 0x4d, 0x73, 0x67, 0x1a, 0x12, 0x2e, 0x65, 0x62, 0x70, 0x66, 0x6c, 0x65, 0x73, 0x73, 0x2e,
+ 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x1d, 0x5a, 0x1b, 0x70, 0x6b,
+ 0x67, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+ 0x2f, 0x65, 0x62, 0x70, 0x66, 0x6c, 0x65, 0x73, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+ 0x33,
+}
+
+var (
+ file_pkg_security_proto_ebpfless_service_proto_rawDescOnce sync.Once
+ file_pkg_security_proto_ebpfless_service_proto_rawDescData = file_pkg_security_proto_ebpfless_service_proto_rawDesc
+)
+
+func file_pkg_security_proto_ebpfless_service_proto_rawDescGZIP() []byte {
+ file_pkg_security_proto_ebpfless_service_proto_rawDescOnce.Do(func() {
+ file_pkg_security_proto_ebpfless_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_pkg_security_proto_ebpfless_service_proto_rawDescData)
+ })
+ return file_pkg_security_proto_ebpfless_service_proto_rawDescData
+}
+
+var file_pkg_security_proto_ebpfless_service_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_pkg_security_proto_ebpfless_service_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
+var file_pkg_security_proto_ebpfless_service_proto_goTypes = []interface{}{
+ (SyscallType)(0), // 0: ebpfless.SyscallType
+ (*ContainerContext)(nil), // 1: ebpfless.ContainerContext
+ (*FcntlSyscallMsg)(nil), // 2: ebpfless.FcntlSyscallMsg
+ (*ExecSyscallMsg)(nil), // 3: ebpfless.ExecSyscallMsg
+ (*ForkSyscallMsg)(nil), // 4: ebpfless.ForkSyscallMsg
+ (*ExitSyscallMsg)(nil), // 5: ebpfless.ExitSyscallMsg
+ (*OpenSyscallMsg)(nil), // 6: ebpfless.OpenSyscallMsg
+ (*SyscallMsg)(nil), // 7: ebpfless.SyscallMsg
+ (*Response)(nil), // 8: ebpfless.Response
+}
+var file_pkg_security_proto_ebpfless_service_proto_depIdxs = []int32{
+ 0, // 0: ebpfless.SyscallMsg.Type:type_name -> ebpfless.SyscallType
+ 1, // 1: ebpfless.SyscallMsg.ContainerContext:type_name -> ebpfless.ContainerContext
+ 3, // 2: ebpfless.SyscallMsg.Exec:type_name -> ebpfless.ExecSyscallMsg
+ 6, // 3: ebpfless.SyscallMsg.Open:type_name -> ebpfless.OpenSyscallMsg
+ 4, // 4: ebpfless.SyscallMsg.Fork:type_name -> ebpfless.ForkSyscallMsg
+ 5, // 5: ebpfless.SyscallMsg.Exit:type_name -> ebpfless.ExitSyscallMsg
+ 2, // 6: ebpfless.SyscallMsg.Fcntl:type_name -> ebpfless.FcntlSyscallMsg
+ 7, // 7: ebpfless.SyscallMsgStream.SendSyscallMsg:input_type -> ebpfless.SyscallMsg
+ 8, // 8: ebpfless.SyscallMsgStream.SendSyscallMsg:output_type -> ebpfless.Response
+ 8, // [8:9] is the sub-list for method output_type
+ 7, // [7:8] is the sub-list for method input_type
+ 7, // [7:7] is the sub-list for extension type_name
+ 7, // [7:7] is the sub-list for extension extendee
+ 0, // [0:7] is the sub-list for field type_name
+}
+
+func init() { file_pkg_security_proto_ebpfless_service_proto_init() }
+func file_pkg_security_proto_ebpfless_service_proto_init() {
+ if File_pkg_security_proto_ebpfless_service_proto != nil {
+ return
+ }
+ if !protoimpl.UnsafeEnabled {
+ file_pkg_security_proto_ebpfless_service_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ContainerContext); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_pkg_security_proto_ebpfless_service_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*FcntlSyscallMsg); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_pkg_security_proto_ebpfless_service_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ExecSyscallMsg); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_pkg_security_proto_ebpfless_service_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ForkSyscallMsg); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_pkg_security_proto_ebpfless_service_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ExitSyscallMsg); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_pkg_security_proto_ebpfless_service_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*OpenSyscallMsg); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_pkg_security_proto_ebpfless_service_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*SyscallMsg); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_pkg_security_proto_ebpfless_service_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*Response); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ }
+ type x struct{}
+ out := protoimpl.TypeBuilder{
+ File: protoimpl.DescBuilder{
+ GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+ RawDescriptor: file_pkg_security_proto_ebpfless_service_proto_rawDesc,
+ NumEnums: 1,
+ NumMessages: 8,
+ NumExtensions: 0,
+ NumServices: 1,
+ },
+ GoTypes: file_pkg_security_proto_ebpfless_service_proto_goTypes,
+ DependencyIndexes: file_pkg_security_proto_ebpfless_service_proto_depIdxs,
+ EnumInfos: file_pkg_security_proto_ebpfless_service_proto_enumTypes,
+ MessageInfos: file_pkg_security_proto_ebpfless_service_proto_msgTypes,
+ }.Build()
+ File_pkg_security_proto_ebpfless_service_proto = out.File
+ file_pkg_security_proto_ebpfless_service_proto_rawDesc = nil
+ file_pkg_security_proto_ebpfless_service_proto_goTypes = nil
+ file_pkg_security_proto_ebpfless_service_proto_depIdxs = nil
+}
diff --git a/pkg/security/proto/ebpfless/service.proto b/pkg/security/proto/ebpfless/service.proto
new file mode 100644
index 0000000000000..bc9ad365874ef
--- /dev/null
+++ b/pkg/security/proto/ebpfless/service.proto
@@ -0,0 +1,63 @@
+syntax = "proto3";
+
+option go_package = "pkg/security/proto/ebpfless";
+
+package ebpfless;
+
+enum SyscallType {
+ Unknown = 0;
+ Exec = 1;
+ Fork = 2;
+ Open = 3;
+ Exit = 4;
+ Fcntl = 5;
+}
+
+message ContainerContext {
+ string ID = 1;
+ string Name = 2;
+ string Tag = 3;
+ uint64 CreatedAt = 4;
+}
+
+message FcntlSyscallMsg {
+ uint32 Fd = 1;
+ uint32 Cmd = 2;
+}
+
+message ExecSyscallMsg {
+ string Filename = 1;
+ repeated string Args = 2;
+ repeated string Envs = 3;
+}
+
+message ForkSyscallMsg {
+ uint32 PPID = 1;
+}
+
+message ExitSyscallMsg {}
+
+message OpenSyscallMsg {
+ string Filename = 1;
+ uint32 Flags = 2;
+ uint32 Mode = 3;
+}
+
+message SyscallMsg {
+ uint64 SeqNum = 1;
+ SyscallType Type = 2;
+ uint32 PID = 3;
+ ContainerContext ContainerContext = 4;
+
+ ExecSyscallMsg Exec = 5;
+ OpenSyscallMsg Open = 6;
+ ForkSyscallMsg Fork = 7;
+ ExitSyscallMsg Exit = 8;
+ FcntlSyscallMsg Fcntl = 9;
+}
+
+message Response {}
+
+service SyscallMsgStream {
+ rpc SendSyscallMsg (SyscallMsg) returns (Response) {}
+}
\ No newline at end of file
diff --git a/pkg/security/proto/ebpfless/service_grpc.pb.go b/pkg/security/proto/ebpfless/service_grpc.pb.go
new file mode 100644
index 0000000000000..b8bbc6f3f83e9
--- /dev/null
+++ b/pkg/security/proto/ebpfless/service_grpc.pb.go
@@ -0,0 +1,109 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.3.0
+// - protoc v3.21.12
+// source: pkg/security/proto/ebpfless/service.proto
+
+package ebpfless
+
+import (
+ context "context"
+ grpc "google.golang.org/grpc"
+ codes "google.golang.org/grpc/codes"
+ status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+const (
+ SyscallMsgStream_SendSyscallMsg_FullMethodName = "/ebpfless.SyscallMsgStream/SendSyscallMsg"
+)
+
+// SyscallMsgStreamClient is the client API for SyscallMsgStream service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type SyscallMsgStreamClient interface {
+ SendSyscallMsg(ctx context.Context, in *SyscallMsg, opts ...grpc.CallOption) (*Response, error)
+}
+
+type syscallMsgStreamClient struct {
+ cc grpc.ClientConnInterface
+}
+
+func NewSyscallMsgStreamClient(cc grpc.ClientConnInterface) SyscallMsgStreamClient {
+ return &syscallMsgStreamClient{cc}
+}
+
+func (c *syscallMsgStreamClient) SendSyscallMsg(ctx context.Context, in *SyscallMsg, opts ...grpc.CallOption) (*Response, error) {
+ out := new(Response)
+ err := c.cc.Invoke(ctx, SyscallMsgStream_SendSyscallMsg_FullMethodName, in, out, opts...)
+ if err != nil {
+ return nil, err
+ }
+ return out, nil
+}
+
+// SyscallMsgStreamServer is the server API for SyscallMsgStream service.
+// All implementations must embed UnimplementedSyscallMsgStreamServer
+// for forward compatibility
+type SyscallMsgStreamServer interface {
+ SendSyscallMsg(context.Context, *SyscallMsg) (*Response, error)
+ mustEmbedUnimplementedSyscallMsgStreamServer()
+}
+
+// UnimplementedSyscallMsgStreamServer must be embedded to have forward compatible implementations.
+type UnimplementedSyscallMsgStreamServer struct {
+}
+
+func (UnimplementedSyscallMsgStreamServer) SendSyscallMsg(context.Context, *SyscallMsg) (*Response, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method SendSyscallMsg not implemented")
+}
+func (UnimplementedSyscallMsgStreamServer) mustEmbedUnimplementedSyscallMsgStreamServer() {}
+
+// UnsafeSyscallMsgStreamServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to SyscallMsgStreamServer will
+// result in compilation errors.
+type UnsafeSyscallMsgStreamServer interface {
+ mustEmbedUnimplementedSyscallMsgStreamServer()
+}
+
+func RegisterSyscallMsgStreamServer(s grpc.ServiceRegistrar, srv SyscallMsgStreamServer) {
+ s.RegisterService(&SyscallMsgStream_ServiceDesc, srv)
+}
+
+func _SyscallMsgStream_SendSyscallMsg_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+ in := new(SyscallMsg)
+ if err := dec(in); err != nil {
+ return nil, err
+ }
+ if interceptor == nil {
+ return srv.(SyscallMsgStreamServer).SendSyscallMsg(ctx, in)
+ }
+ info := &grpc.UnaryServerInfo{
+ Server: srv,
+ FullMethod: SyscallMsgStream_SendSyscallMsg_FullMethodName,
+ }
+ handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+ return srv.(SyscallMsgStreamServer).SendSyscallMsg(ctx, req.(*SyscallMsg))
+ }
+ return interceptor(ctx, in, info, handler)
+}
+
+// SyscallMsgStream_ServiceDesc is the grpc.ServiceDesc for SyscallMsgStream service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var SyscallMsgStream_ServiceDesc = grpc.ServiceDesc{
+ ServiceName: "ebpfless.SyscallMsgStream",
+ HandlerType: (*SyscallMsgStreamServer)(nil),
+ Methods: []grpc.MethodDesc{
+ {
+ MethodName: "SendSyscallMsg",
+ Handler: _SyscallMsgStream_SendSyscallMsg_Handler,
+ },
+ },
+ Streams: []grpc.StreamDesc{},
+ Metadata: "pkg/security/proto/ebpfless/service.proto",
+}
diff --git a/pkg/security/proto/ebpfless/service_vtproto.pb.go b/pkg/security/proto/ebpfless/service_vtproto.pb.go
new file mode 100644
index 0000000000000..6b92a888fac45
--- /dev/null
+++ b/pkg/security/proto/ebpfless/service_vtproto.pb.go
@@ -0,0 +1,1726 @@
+// Code generated by protoc-gen-go-vtproto. DO NOT EDIT.
+// protoc-gen-go-vtproto version: v0.5.0
+// source: pkg/security/proto/ebpfless/service.proto
+
+package ebpfless
+
+import (
+ fmt "fmt"
+ protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+ io "io"
+ bits "math/bits"
+)
+
+const (
+ // Verify that this generated code is sufficiently up-to-date.
+ _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+ // Verify that runtime/protoimpl is sufficiently up-to-date.
+ _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+func (m *ContainerContext) MarshalVT() (dAtA []byte, err error) {
+ if m == nil {
+ return nil, nil
+ }
+ size := m.SizeVT()
+ dAtA = make([]byte, size)
+ n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+ if err != nil {
+ return nil, err
+ }
+ return dAtA[:n], nil
+}
+
+func (m *ContainerContext) MarshalToVT(dAtA []byte) (int, error) {
+ size := m.SizeVT()
+ return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *ContainerContext) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+ if m == nil {
+ return 0, nil
+ }
+ i := len(dAtA)
+ _ = i
+ var l int
+ _ = l
+ if m.unknownFields != nil {
+ i -= len(m.unknownFields)
+ copy(dAtA[i:], m.unknownFields)
+ }
+ if m.CreatedAt != 0 {
+ i = encodeVarint(dAtA, i, uint64(m.CreatedAt))
+ i--
+ dAtA[i] = 0x20
+ }
+ if len(m.Tag) > 0 {
+ i -= len(m.Tag)
+ copy(dAtA[i:], m.Tag)
+ i = encodeVarint(dAtA, i, uint64(len(m.Tag)))
+ i--
+ dAtA[i] = 0x1a
+ }
+ if len(m.Name) > 0 {
+ i -= len(m.Name)
+ copy(dAtA[i:], m.Name)
+ i = encodeVarint(dAtA, i, uint64(len(m.Name)))
+ i--
+ dAtA[i] = 0x12
+ }
+ if len(m.ID) > 0 {
+ i -= len(m.ID)
+ copy(dAtA[i:], m.ID)
+ i = encodeVarint(dAtA, i, uint64(len(m.ID)))
+ i--
+ dAtA[i] = 0xa
+ }
+ return len(dAtA) - i, nil
+}
+
+func (m *FcntlSyscallMsg) MarshalVT() (dAtA []byte, err error) {
+ if m == nil {
+ return nil, nil
+ }
+ size := m.SizeVT()
+ dAtA = make([]byte, size)
+ n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+ if err != nil {
+ return nil, err
+ }
+ return dAtA[:n], nil
+}
+
+func (m *FcntlSyscallMsg) MarshalToVT(dAtA []byte) (int, error) {
+ size := m.SizeVT()
+ return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *FcntlSyscallMsg) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+ if m == nil {
+ return 0, nil
+ }
+ i := len(dAtA)
+ _ = i
+ var l int
+ _ = l
+ if m.unknownFields != nil {
+ i -= len(m.unknownFields)
+ copy(dAtA[i:], m.unknownFields)
+ }
+ if m.Cmd != 0 {
+ i = encodeVarint(dAtA, i, uint64(m.Cmd))
+ i--
+ dAtA[i] = 0x10
+ }
+ if m.Fd != 0 {
+ i = encodeVarint(dAtA, i, uint64(m.Fd))
+ i--
+ dAtA[i] = 0x8
+ }
+ return len(dAtA) - i, nil
+}
+
+func (m *ExecSyscallMsg) MarshalVT() (dAtA []byte, err error) {
+ if m == nil {
+ return nil, nil
+ }
+ size := m.SizeVT()
+ dAtA = make([]byte, size)
+ n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+ if err != nil {
+ return nil, err
+ }
+ return dAtA[:n], nil
+}
+
+func (m *ExecSyscallMsg) MarshalToVT(dAtA []byte) (int, error) {
+ size := m.SizeVT()
+ return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *ExecSyscallMsg) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+ if m == nil {
+ return 0, nil
+ }
+ i := len(dAtA)
+ _ = i
+ var l int
+ _ = l
+ if m.unknownFields != nil {
+ i -= len(m.unknownFields)
+ copy(dAtA[i:], m.unknownFields)
+ }
+ if len(m.Envs) > 0 {
+ for iNdEx := len(m.Envs) - 1; iNdEx >= 0; iNdEx-- {
+ i -= len(m.Envs[iNdEx])
+ copy(dAtA[i:], m.Envs[iNdEx])
+ i = encodeVarint(dAtA, i, uint64(len(m.Envs[iNdEx])))
+ i--
+ dAtA[i] = 0x1a
+ }
+ }
+ if len(m.Args) > 0 {
+ for iNdEx := len(m.Args) - 1; iNdEx >= 0; iNdEx-- {
+ i -= len(m.Args[iNdEx])
+ copy(dAtA[i:], m.Args[iNdEx])
+ i = encodeVarint(dAtA, i, uint64(len(m.Args[iNdEx])))
+ i--
+ dAtA[i] = 0x12
+ }
+ }
+ if len(m.Filename) > 0 {
+ i -= len(m.Filename)
+ copy(dAtA[i:], m.Filename)
+ i = encodeVarint(dAtA, i, uint64(len(m.Filename)))
+ i--
+ dAtA[i] = 0xa
+ }
+ return len(dAtA) - i, nil
+}
+
+func (m *ForkSyscallMsg) MarshalVT() (dAtA []byte, err error) {
+ if m == nil {
+ return nil, nil
+ }
+ size := m.SizeVT()
+ dAtA = make([]byte, size)
+ n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+ if err != nil {
+ return nil, err
+ }
+ return dAtA[:n], nil
+}
+
+func (m *ForkSyscallMsg) MarshalToVT(dAtA []byte) (int, error) {
+ size := m.SizeVT()
+ return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *ForkSyscallMsg) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+ if m == nil {
+ return 0, nil
+ }
+ i := len(dAtA)
+ _ = i
+ var l int
+ _ = l
+ if m.unknownFields != nil {
+ i -= len(m.unknownFields)
+ copy(dAtA[i:], m.unknownFields)
+ }
+ if m.PPID != 0 {
+ i = encodeVarint(dAtA, i, uint64(m.PPID))
+ i--
+ dAtA[i] = 0x8
+ }
+ return len(dAtA) - i, nil
+}
+
+func (m *ExitSyscallMsg) MarshalVT() (dAtA []byte, err error) {
+ if m == nil {
+ return nil, nil
+ }
+ size := m.SizeVT()
+ dAtA = make([]byte, size)
+ n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+ if err != nil {
+ return nil, err
+ }
+ return dAtA[:n], nil
+}
+
+func (m *ExitSyscallMsg) MarshalToVT(dAtA []byte) (int, error) {
+ size := m.SizeVT()
+ return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *ExitSyscallMsg) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+ if m == nil {
+ return 0, nil
+ }
+ i := len(dAtA)
+ _ = i
+ var l int
+ _ = l
+ if m.unknownFields != nil {
+ i -= len(m.unknownFields)
+ copy(dAtA[i:], m.unknownFields)
+ }
+ return len(dAtA) - i, nil
+}
+
+func (m *OpenSyscallMsg) MarshalVT() (dAtA []byte, err error) {
+ if m == nil {
+ return nil, nil
+ }
+ size := m.SizeVT()
+ dAtA = make([]byte, size)
+ n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+ if err != nil {
+ return nil, err
+ }
+ return dAtA[:n], nil
+}
+
+func (m *OpenSyscallMsg) MarshalToVT(dAtA []byte) (int, error) {
+ size := m.SizeVT()
+ return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *OpenSyscallMsg) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+ if m == nil {
+ return 0, nil
+ }
+ i := len(dAtA)
+ _ = i
+ var l int
+ _ = l
+ if m.unknownFields != nil {
+ i -= len(m.unknownFields)
+ copy(dAtA[i:], m.unknownFields)
+ }
+ if m.Mode != 0 {
+ i = encodeVarint(dAtA, i, uint64(m.Mode))
+ i--
+ dAtA[i] = 0x18
+ }
+ if m.Flags != 0 {
+ i = encodeVarint(dAtA, i, uint64(m.Flags))
+ i--
+ dAtA[i] = 0x10
+ }
+ if len(m.Filename) > 0 {
+ i -= len(m.Filename)
+ copy(dAtA[i:], m.Filename)
+ i = encodeVarint(dAtA, i, uint64(len(m.Filename)))
+ i--
+ dAtA[i] = 0xa
+ }
+ return len(dAtA) - i, nil
+}
+
+func (m *SyscallMsg) MarshalVT() (dAtA []byte, err error) {
+ if m == nil {
+ return nil, nil
+ }
+ size := m.SizeVT()
+ dAtA = make([]byte, size)
+ n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+ if err != nil {
+ return nil, err
+ }
+ return dAtA[:n], nil
+}
+
+func (m *SyscallMsg) MarshalToVT(dAtA []byte) (int, error) {
+ size := m.SizeVT()
+ return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *SyscallMsg) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+ if m == nil {
+ return 0, nil
+ }
+ i := len(dAtA)
+ _ = i
+ var l int
+ _ = l
+ if m.unknownFields != nil {
+ i -= len(m.unknownFields)
+ copy(dAtA[i:], m.unknownFields)
+ }
+ if m.Fcntl != nil {
+ size, err := m.Fcntl.MarshalToSizedBufferVT(dAtA[:i])
+ if err != nil {
+ return 0, err
+ }
+ i -= size
+ i = encodeVarint(dAtA, i, uint64(size))
+ i--
+ dAtA[i] = 0x4a
+ }
+ if m.Exit != nil {
+ size, err := m.Exit.MarshalToSizedBufferVT(dAtA[:i])
+ if err != nil {
+ return 0, err
+ }
+ i -= size
+ i = encodeVarint(dAtA, i, uint64(size))
+ i--
+ dAtA[i] = 0x42
+ }
+ if m.Fork != nil {
+ size, err := m.Fork.MarshalToSizedBufferVT(dAtA[:i])
+ if err != nil {
+ return 0, err
+ }
+ i -= size
+ i = encodeVarint(dAtA, i, uint64(size))
+ i--
+ dAtA[i] = 0x3a
+ }
+ if m.Open != nil {
+ size, err := m.Open.MarshalToSizedBufferVT(dAtA[:i])
+ if err != nil {
+ return 0, err
+ }
+ i -= size
+ i = encodeVarint(dAtA, i, uint64(size))
+ i--
+ dAtA[i] = 0x32
+ }
+ if m.Exec != nil {
+ size, err := m.Exec.MarshalToSizedBufferVT(dAtA[:i])
+ if err != nil {
+ return 0, err
+ }
+ i -= size
+ i = encodeVarint(dAtA, i, uint64(size))
+ i--
+ dAtA[i] = 0x2a
+ }
+ if m.ContainerContext != nil {
+ size, err := m.ContainerContext.MarshalToSizedBufferVT(dAtA[:i])
+ if err != nil {
+ return 0, err
+ }
+ i -= size
+ i = encodeVarint(dAtA, i, uint64(size))
+ i--
+ dAtA[i] = 0x22
+ }
+ if m.PID != 0 {
+ i = encodeVarint(dAtA, i, uint64(m.PID))
+ i--
+ dAtA[i] = 0x18
+ }
+ if m.Type != 0 {
+ i = encodeVarint(dAtA, i, uint64(m.Type))
+ i--
+ dAtA[i] = 0x10
+ }
+ if m.SeqNum != 0 {
+ i = encodeVarint(dAtA, i, uint64(m.SeqNum))
+ i--
+ dAtA[i] = 0x8
+ }
+ return len(dAtA) - i, nil
+}
+
+func (m *Response) MarshalVT() (dAtA []byte, err error) {
+ if m == nil {
+ return nil, nil
+ }
+ size := m.SizeVT()
+ dAtA = make([]byte, size)
+ n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+ if err != nil {
+ return nil, err
+ }
+ return dAtA[:n], nil
+}
+
+func (m *Response) MarshalToVT(dAtA []byte) (int, error) {
+ size := m.SizeVT()
+ return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *Response) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+ if m == nil {
+ return 0, nil
+ }
+ i := len(dAtA)
+ _ = i
+ var l int
+ _ = l
+ if m.unknownFields != nil {
+ i -= len(m.unknownFields)
+ copy(dAtA[i:], m.unknownFields)
+ }
+ return len(dAtA) - i, nil
+}
+
+func encodeVarint(dAtA []byte, offset int, v uint64) int {
+ offset -= sov(v)
+ base := offset
+ for v >= 1<<7 {
+ dAtA[offset] = uint8(v&0x7f | 0x80)
+ v >>= 7
+ offset++
+ }
+ dAtA[offset] = uint8(v)
+ return base
+}
+func (m *ContainerContext) SizeVT() (n int) {
+ if m == nil {
+ return 0
+ }
+ var l int
+ _ = l
+ l = len(m.ID)
+ if l > 0 {
+ n += 1 + l + sov(uint64(l))
+ }
+ l = len(m.Name)
+ if l > 0 {
+ n += 1 + l + sov(uint64(l))
+ }
+ l = len(m.Tag)
+ if l > 0 {
+ n += 1 + l + sov(uint64(l))
+ }
+ if m.CreatedAt != 0 {
+ n += 1 + sov(uint64(m.CreatedAt))
+ }
+ n += len(m.unknownFields)
+ return n
+}
+
+func (m *FcntlSyscallMsg) SizeVT() (n int) {
+ if m == nil {
+ return 0
+ }
+ var l int
+ _ = l
+ if m.Fd != 0 {
+ n += 1 + sov(uint64(m.Fd))
+ }
+ if m.Cmd != 0 {
+ n += 1 + sov(uint64(m.Cmd))
+ }
+ n += len(m.unknownFields)
+ return n
+}
+
+func (m *ExecSyscallMsg) SizeVT() (n int) {
+ if m == nil {
+ return 0
+ }
+ var l int
+ _ = l
+ l = len(m.Filename)
+ if l > 0 {
+ n += 1 + l + sov(uint64(l))
+ }
+ if len(m.Args) > 0 {
+ for _, s := range m.Args {
+ l = len(s)
+ n += 1 + l + sov(uint64(l))
+ }
+ }
+ if len(m.Envs) > 0 {
+ for _, s := range m.Envs {
+ l = len(s)
+ n += 1 + l + sov(uint64(l))
+ }
+ }
+ n += len(m.unknownFields)
+ return n
+}
+
+func (m *ForkSyscallMsg) SizeVT() (n int) {
+ if m == nil {
+ return 0
+ }
+ var l int
+ _ = l
+ if m.PPID != 0 {
+ n += 1 + sov(uint64(m.PPID))
+ }
+ n += len(m.unknownFields)
+ return n
+}
+
+func (m *ExitSyscallMsg) SizeVT() (n int) {
+ if m == nil {
+ return 0
+ }
+ var l int
+ _ = l
+ n += len(m.unknownFields)
+ return n
+}
+
+func (m *OpenSyscallMsg) SizeVT() (n int) {
+ if m == nil {
+ return 0
+ }
+ var l int
+ _ = l
+ l = len(m.Filename)
+ if l > 0 {
+ n += 1 + l + sov(uint64(l))
+ }
+ if m.Flags != 0 {
+ n += 1 + sov(uint64(m.Flags))
+ }
+ if m.Mode != 0 {
+ n += 1 + sov(uint64(m.Mode))
+ }
+ n += len(m.unknownFields)
+ return n
+}
+
+func (m *SyscallMsg) SizeVT() (n int) {
+ if m == nil {
+ return 0
+ }
+ var l int
+ _ = l
+ if m.SeqNum != 0 {
+ n += 1 + sov(uint64(m.SeqNum))
+ }
+ if m.Type != 0 {
+ n += 1 + sov(uint64(m.Type))
+ }
+ if m.PID != 0 {
+ n += 1 + sov(uint64(m.PID))
+ }
+ if m.ContainerContext != nil {
+ l = m.ContainerContext.SizeVT()
+ n += 1 + l + sov(uint64(l))
+ }
+ if m.Exec != nil {
+ l = m.Exec.SizeVT()
+ n += 1 + l + sov(uint64(l))
+ }
+ if m.Open != nil {
+ l = m.Open.SizeVT()
+ n += 1 + l + sov(uint64(l))
+ }
+ if m.Fork != nil {
+ l = m.Fork.SizeVT()
+ n += 1 + l + sov(uint64(l))
+ }
+ if m.Exit != nil {
+ l = m.Exit.SizeVT()
+ n += 1 + l + sov(uint64(l))
+ }
+ if m.Fcntl != nil {
+ l = m.Fcntl.SizeVT()
+ n += 1 + l + sov(uint64(l))
+ }
+ n += len(m.unknownFields)
+ return n
+}
+
+func (m *Response) SizeVT() (n int) {
+ if m == nil {
+ return 0
+ }
+ var l int
+ _ = l
+ n += len(m.unknownFields)
+ return n
+}
+
+func sov(x uint64) (n int) {
+ return (bits.Len64(x|1) + 6) / 7
+}
+func soz(x uint64) (n int) {
+ return sov(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *ContainerContext) UnmarshalVT(dAtA []byte) error {
+ l := len(dAtA)
+ iNdEx := 0
+ for iNdEx < l {
+ preIndex := iNdEx
+ var wire uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ wire |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ fieldNum := int32(wire >> 3)
+ wireType := int(wire & 0x7)
+ if wireType == 4 {
+ return fmt.Errorf("proto: ContainerContext: wiretype end group for non-group")
+ }
+ if fieldNum <= 0 {
+ return fmt.Errorf("proto: ContainerContext: illegal tag %d (wire type %d)", fieldNum, wire)
+ }
+ switch fieldNum {
+ case 1:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.ID = string(dAtA[iNdEx:postIndex])
+ iNdEx = postIndex
+ case 2:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.Name = string(dAtA[iNdEx:postIndex])
+ iNdEx = postIndex
+ case 3:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Tag", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.Tag = string(dAtA[iNdEx:postIndex])
+ iNdEx = postIndex
+ case 4:
+ if wireType != 0 {
+ return fmt.Errorf("proto: wrong wireType = %d for field CreatedAt", wireType)
+ }
+ m.CreatedAt = 0
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ m.CreatedAt |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ default:
+ iNdEx = preIndex
+ skippy, err := skip(dAtA[iNdEx:])
+ if err != nil {
+ return err
+ }
+ if (skippy < 0) || (iNdEx+skippy) < 0 {
+ return ErrInvalidLength
+ }
+ if (iNdEx + skippy) > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+ iNdEx += skippy
+ }
+ }
+
+ if iNdEx > l {
+ return io.ErrUnexpectedEOF
+ }
+ return nil
+}
+func (m *FcntlSyscallMsg) UnmarshalVT(dAtA []byte) error {
+ l := len(dAtA)
+ iNdEx := 0
+ for iNdEx < l {
+ preIndex := iNdEx
+ var wire uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ wire |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ fieldNum := int32(wire >> 3)
+ wireType := int(wire & 0x7)
+ if wireType == 4 {
+ return fmt.Errorf("proto: FcntlSyscallMsg: wiretype end group for non-group")
+ }
+ if fieldNum <= 0 {
+ return fmt.Errorf("proto: FcntlSyscallMsg: illegal tag %d (wire type %d)", fieldNum, wire)
+ }
+ switch fieldNum {
+ case 1:
+ if wireType != 0 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Fd", wireType)
+ }
+ m.Fd = 0
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ m.Fd |= uint32(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ case 2:
+ if wireType != 0 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Cmd", wireType)
+ }
+ m.Cmd = 0
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ m.Cmd |= uint32(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ default:
+ iNdEx = preIndex
+ skippy, err := skip(dAtA[iNdEx:])
+ if err != nil {
+ return err
+ }
+ if (skippy < 0) || (iNdEx+skippy) < 0 {
+ return ErrInvalidLength
+ }
+ if (iNdEx + skippy) > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+ iNdEx += skippy
+ }
+ }
+
+ if iNdEx > l {
+ return io.ErrUnexpectedEOF
+ }
+ return nil
+}
+func (m *ExecSyscallMsg) UnmarshalVT(dAtA []byte) error {
+ l := len(dAtA)
+ iNdEx := 0
+ for iNdEx < l {
+ preIndex := iNdEx
+ var wire uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ wire |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ fieldNum := int32(wire >> 3)
+ wireType := int(wire & 0x7)
+ if wireType == 4 {
+ return fmt.Errorf("proto: ExecSyscallMsg: wiretype end group for non-group")
+ }
+ if fieldNum <= 0 {
+ return fmt.Errorf("proto: ExecSyscallMsg: illegal tag %d (wire type %d)", fieldNum, wire)
+ }
+ switch fieldNum {
+ case 1:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Filename", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.Filename = string(dAtA[iNdEx:postIndex])
+ iNdEx = postIndex
+ case 2:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Args", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.Args = append(m.Args, string(dAtA[iNdEx:postIndex]))
+ iNdEx = postIndex
+ case 3:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Envs", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.Envs = append(m.Envs, string(dAtA[iNdEx:postIndex]))
+ iNdEx = postIndex
+ default:
+ iNdEx = preIndex
+ skippy, err := skip(dAtA[iNdEx:])
+ if err != nil {
+ return err
+ }
+ if (skippy < 0) || (iNdEx+skippy) < 0 {
+ return ErrInvalidLength
+ }
+ if (iNdEx + skippy) > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+ iNdEx += skippy
+ }
+ }
+
+ if iNdEx > l {
+ return io.ErrUnexpectedEOF
+ }
+ return nil
+}
+func (m *ForkSyscallMsg) UnmarshalVT(dAtA []byte) error {
+ l := len(dAtA)
+ iNdEx := 0
+ for iNdEx < l {
+ preIndex := iNdEx
+ var wire uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ wire |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ fieldNum := int32(wire >> 3)
+ wireType := int(wire & 0x7)
+ if wireType == 4 {
+ return fmt.Errorf("proto: ForkSyscallMsg: wiretype end group for non-group")
+ }
+ if fieldNum <= 0 {
+ return fmt.Errorf("proto: ForkSyscallMsg: illegal tag %d (wire type %d)", fieldNum, wire)
+ }
+ switch fieldNum {
+ case 1:
+ if wireType != 0 {
+ return fmt.Errorf("proto: wrong wireType = %d for field PPID", wireType)
+ }
+ m.PPID = 0
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ m.PPID |= uint32(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ default:
+ iNdEx = preIndex
+ skippy, err := skip(dAtA[iNdEx:])
+ if err != nil {
+ return err
+ }
+ if (skippy < 0) || (iNdEx+skippy) < 0 {
+ return ErrInvalidLength
+ }
+ if (iNdEx + skippy) > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+ iNdEx += skippy
+ }
+ }
+
+ if iNdEx > l {
+ return io.ErrUnexpectedEOF
+ }
+ return nil
+}
+func (m *ExitSyscallMsg) UnmarshalVT(dAtA []byte) error {
+ l := len(dAtA)
+ iNdEx := 0
+ for iNdEx < l {
+ preIndex := iNdEx
+ var wire uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ wire |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ fieldNum := int32(wire >> 3)
+ wireType := int(wire & 0x7)
+ if wireType == 4 {
+ return fmt.Errorf("proto: ExitSyscallMsg: wiretype end group for non-group")
+ }
+ if fieldNum <= 0 {
+ return fmt.Errorf("proto: ExitSyscallMsg: illegal tag %d (wire type %d)", fieldNum, wire)
+ }
+ switch fieldNum {
+ default:
+ iNdEx = preIndex
+ skippy, err := skip(dAtA[iNdEx:])
+ if err != nil {
+ return err
+ }
+ if (skippy < 0) || (iNdEx+skippy) < 0 {
+ return ErrInvalidLength
+ }
+ if (iNdEx + skippy) > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+ iNdEx += skippy
+ }
+ }
+
+ if iNdEx > l {
+ return io.ErrUnexpectedEOF
+ }
+ return nil
+}
+func (m *OpenSyscallMsg) UnmarshalVT(dAtA []byte) error {
+ l := len(dAtA)
+ iNdEx := 0
+ for iNdEx < l {
+ preIndex := iNdEx
+ var wire uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ wire |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ fieldNum := int32(wire >> 3)
+ wireType := int(wire & 0x7)
+ if wireType == 4 {
+ return fmt.Errorf("proto: OpenSyscallMsg: wiretype end group for non-group")
+ }
+ if fieldNum <= 0 {
+ return fmt.Errorf("proto: OpenSyscallMsg: illegal tag %d (wire type %d)", fieldNum, wire)
+ }
+ switch fieldNum {
+ case 1:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Filename", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.Filename = string(dAtA[iNdEx:postIndex])
+ iNdEx = postIndex
+ case 2:
+ if wireType != 0 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Flags", wireType)
+ }
+ m.Flags = 0
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ m.Flags |= uint32(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ case 3:
+ if wireType != 0 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Mode", wireType)
+ }
+ m.Mode = 0
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ m.Mode |= uint32(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ default:
+ iNdEx = preIndex
+ skippy, err := skip(dAtA[iNdEx:])
+ if err != nil {
+ return err
+ }
+ if (skippy < 0) || (iNdEx+skippy) < 0 {
+ return ErrInvalidLength
+ }
+ if (iNdEx + skippy) > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+ iNdEx += skippy
+ }
+ }
+
+ if iNdEx > l {
+ return io.ErrUnexpectedEOF
+ }
+ return nil
+}
+func (m *SyscallMsg) UnmarshalVT(dAtA []byte) error {
+ l := len(dAtA)
+ iNdEx := 0
+ for iNdEx < l {
+ preIndex := iNdEx
+ var wire uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ wire |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ fieldNum := int32(wire >> 3)
+ wireType := int(wire & 0x7)
+ if wireType == 4 {
+ return fmt.Errorf("proto: SyscallMsg: wiretype end group for non-group")
+ }
+ if fieldNum <= 0 {
+ return fmt.Errorf("proto: SyscallMsg: illegal tag %d (wire type %d)", fieldNum, wire)
+ }
+ switch fieldNum {
+ case 1:
+ if wireType != 0 {
+ return fmt.Errorf("proto: wrong wireType = %d for field SeqNum", wireType)
+ }
+ m.SeqNum = 0
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ m.SeqNum |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ case 2:
+ if wireType != 0 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+ }
+ m.Type = 0
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ m.Type |= SyscallType(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ case 3:
+ if wireType != 0 {
+ return fmt.Errorf("proto: wrong wireType = %d for field PID", wireType)
+ }
+ m.PID = 0
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ m.PID |= uint32(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ case 4:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field ContainerContext", wireType)
+ }
+ var msglen int
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ msglen |= int(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ if msglen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + msglen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ if m.ContainerContext == nil {
+ m.ContainerContext = &ContainerContext{}
+ }
+ if err := m.ContainerContext.UnmarshalVT(dAtA[iNdEx:postIndex]); err != nil {
+ return err
+ }
+ iNdEx = postIndex
+ case 5:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Exec", wireType)
+ }
+ var msglen int
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ msglen |= int(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ if msglen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + msglen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ if m.Exec == nil {
+ m.Exec = &ExecSyscallMsg{}
+ }
+ if err := m.Exec.UnmarshalVT(dAtA[iNdEx:postIndex]); err != nil {
+ return err
+ }
+ iNdEx = postIndex
+ case 6:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Open", wireType)
+ }
+ var msglen int
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ msglen |= int(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ if msglen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + msglen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ if m.Open == nil {
+ m.Open = &OpenSyscallMsg{}
+ }
+ if err := m.Open.UnmarshalVT(dAtA[iNdEx:postIndex]); err != nil {
+ return err
+ }
+ iNdEx = postIndex
+ case 7:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Fork", wireType)
+ }
+ var msglen int
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ msglen |= int(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ if msglen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + msglen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ if m.Fork == nil {
+ m.Fork = &ForkSyscallMsg{}
+ }
+ if err := m.Fork.UnmarshalVT(dAtA[iNdEx:postIndex]); err != nil {
+ return err
+ }
+ iNdEx = postIndex
+ case 8:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Exit", wireType)
+ }
+ var msglen int
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ msglen |= int(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ if msglen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + msglen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ if m.Exit == nil {
+ m.Exit = &ExitSyscallMsg{}
+ }
+ if err := m.Exit.UnmarshalVT(dAtA[iNdEx:postIndex]); err != nil {
+ return err
+ }
+ iNdEx = postIndex
+ case 9:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field Fcntl", wireType)
+ }
+ var msglen int
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ msglen |= int(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ if msglen < 0 {
+ return ErrInvalidLength
+ }
+ postIndex := iNdEx + msglen
+ if postIndex < 0 {
+ return ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ if m.Fcntl == nil {
+ m.Fcntl = &FcntlSyscallMsg{}
+ }
+ if err := m.Fcntl.UnmarshalVT(dAtA[iNdEx:postIndex]); err != nil {
+ return err
+ }
+ iNdEx = postIndex
+ default:
+ iNdEx = preIndex
+ skippy, err := skip(dAtA[iNdEx:])
+ if err != nil {
+ return err
+ }
+ if (skippy < 0) || (iNdEx+skippy) < 0 {
+ return ErrInvalidLength
+ }
+ if (iNdEx + skippy) > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+ iNdEx += skippy
+ }
+ }
+
+ if iNdEx > l {
+ return io.ErrUnexpectedEOF
+ }
+ return nil
+}
+func (m *Response) UnmarshalVT(dAtA []byte) error {
+ l := len(dAtA)
+ iNdEx := 0
+ for iNdEx < l {
+ preIndex := iNdEx
+ var wire uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ wire |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ fieldNum := int32(wire >> 3)
+ wireType := int(wire & 0x7)
+ if wireType == 4 {
+ return fmt.Errorf("proto: Response: wiretype end group for non-group")
+ }
+ if fieldNum <= 0 {
+ return fmt.Errorf("proto: Response: illegal tag %d (wire type %d)", fieldNum, wire)
+ }
+ switch fieldNum {
+ default:
+ iNdEx = preIndex
+ skippy, err := skip(dAtA[iNdEx:])
+ if err != nil {
+ return err
+ }
+ if (skippy < 0) || (iNdEx+skippy) < 0 {
+ return ErrInvalidLength
+ }
+ if (iNdEx + skippy) > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+ iNdEx += skippy
+ }
+ }
+
+ if iNdEx > l {
+ return io.ErrUnexpectedEOF
+ }
+ return nil
+}
+
+func skip(dAtA []byte) (n int, err error) {
+ l := len(dAtA)
+ iNdEx := 0
+ depth := 0
+ for iNdEx < l {
+ var wire uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return 0, ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return 0, io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ wire |= (uint64(b) & 0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ wireType := int(wire & 0x7)
+ switch wireType {
+ case 0:
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return 0, ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return 0, io.ErrUnexpectedEOF
+ }
+ iNdEx++
+ if dAtA[iNdEx-1] < 0x80 {
+ break
+ }
+ }
+ case 1:
+ iNdEx += 8
+ case 2:
+ var length int
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return 0, ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return 0, io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ length |= (int(b) & 0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ if length < 0 {
+ return 0, ErrInvalidLength
+ }
+ iNdEx += length
+ case 3:
+ depth++
+ case 4:
+ if depth == 0 {
+ return 0, ErrUnexpectedEndOfGroup
+ }
+ depth--
+ case 5:
+ iNdEx += 4
+ default:
+ return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+ }
+ if iNdEx < 0 {
+ return 0, ErrInvalidLength
+ }
+ if depth == 0 {
+ return iNdEx, nil
+ }
+ }
+ return 0, io.ErrUnexpectedEOF
+}
+
+var (
+ ErrInvalidLength = fmt.Errorf("proto: negative length found during unmarshaling")
+ ErrIntOverflow = fmt.Errorf("proto: integer overflow")
+ ErrUnexpectedEndOfGroup = fmt.Errorf("proto: unexpected end of group")
+)
diff --git a/pkg/security/proto/ebpfless/vt_grpc.go b/pkg/security/proto/ebpfless/vt_grpc.go
new file mode 100644
index 0000000000000..185e428b27d0f
--- /dev/null
+++ b/pkg/security/proto/ebpfless/vt_grpc.go
@@ -0,0 +1,72 @@
+// Copyright 2021 The Vitess Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This implementation is based on
+// https://github.com/vitessio/vitess/blob/main/go/vt/servenv/grpc_codec.go
+
+// Package ebpfless holds api related files
+package ebpfless
+
+import (
+ fmt "fmt"
+
+ "google.golang.org/grpc/encoding"
+ _ "google.golang.org/grpc/encoding/proto" // for default proto registration purposes
+ "google.golang.org/protobuf/proto"
+)
+
+// VTProtoCodecName represents the name of the vtproto codec, using vtproto instead of the default marshalling functions
+const VTProtoCodecName = "vtproto"
+
+// maybeVTCodec represents a codec able to encode and decode vt enabled proto messages
+type maybeVTCodec struct{}
+
+type vtprotoMessage interface {
+ MarshalVT() ([]byte, error)
+ UnmarshalVT([]byte) error
+}
+
+// Marshal encodes the protobuf message to a byte array
+func (maybeVTCodec) Marshal(v interface{}) ([]byte, error) {
+ vt, ok := v.(vtprotoMessage)
+ if ok {
+ return vt.MarshalVT()
+ }
+
+ msg, ok := v.(proto.Message)
+ if !ok {
+ return nil, fmt.Errorf("failed to marshal, message is %T, want proto.Message", v)
+ }
+ return proto.Marshal(msg)
+}
+
+// Unmarshal decodes the byte array to the provided value
+func (maybeVTCodec) Unmarshal(data []byte, v interface{}) error {
+ vt, ok := v.(vtprotoMessage)
+ if ok {
+ return vt.UnmarshalVT(data)
+ }
+
+ msg, ok := v.(proto.Message)
+ if !ok {
+ return fmt.Errorf("failed to unmarshal, message is %T, want proto.Message", v)
+ }
+ return proto.Unmarshal(data, msg)
+}
+
+// Name returns the name of the codec
+func (maybeVTCodec) Name() string {
+ return VTProtoCodecName
+}
+
+func init() {
+ encoding.RegisterCodec(maybeVTCodec{})
+}
diff --git a/pkg/security/reporter/reporter.go b/pkg/security/reporter/reporter.go
index fc530ca05d2c1..61bd53b36c4e7 100644
--- a/pkg/security/reporter/reporter.go
+++ b/pkg/security/reporter/reporter.go
@@ -24,6 +24,7 @@ import (
// RuntimeReporter represents a CWS reporter, used to send events to the intake
type RuntimeReporter struct {
+ hostname string
logSource *sources.LogSource
logChan chan *message.Message
}
@@ -34,15 +35,16 @@ func (r *RuntimeReporter) ReportRaw(content []byte, service string, tags ...stri
origin.SetTags(tags)
origin.SetService(service)
msg := message.NewMessage(content, origin, message.StatusInfo, time.Now().UnixNano())
+ msg.Hostname = r.hostname
r.logChan <- msg
}
// NewCWSReporter returns a new CWS reported based on the fields necessary to communicate with the intake
-func NewCWSReporter(runPath string, stopper startstop.Stopper, endpoints *logsconfig.Endpoints, context *client.DestinationsContext) (seccommon.RawReporter, error) {
- return newReporter(runPath, stopper, "runtime-security-agent", "runtime-security", endpoints, context)
+func NewCWSReporter(hostname string, runPath string, stopper startstop.Stopper, endpoints *logsconfig.Endpoints, context *client.DestinationsContext) (seccommon.RawReporter, error) {
+ return newReporter(hostname, runPath, stopper, "runtime-security-agent", "runtime-security", endpoints, context)
}
-func newReporter(runPath string, stopper startstop.Stopper, sourceName, sourceType string, endpoints *logsconfig.Endpoints, context *client.DestinationsContext) (seccommon.RawReporter, error) {
+func newReporter(hostname string, runPath string, stopper startstop.Stopper, sourceName, sourceType string, endpoints *logsconfig.Endpoints, context *client.DestinationsContext) (seccommon.RawReporter, error) {
health := health.RegisterLiveness("runtime-security")
// setup the auditor
@@ -64,6 +66,7 @@ func newReporter(runPath string, stopper startstop.Stopper, sourceName, sourceTy
)
logChan := pipelineProvider.NextPipelineChan()
return &RuntimeReporter{
+ hostname: hostname,
logSource: logSource,
logChan: logChan,
}, nil
diff --git a/pkg/security/resolvers/dentry/resolver.go b/pkg/security/resolvers/dentry/resolver.go
index 8593ba8a55dd7..2bf30caa80715 100644
--- a/pkg/security/resolvers/dentry/resolver.go
+++ b/pkg/security/resolvers/dentry/resolver.go
@@ -273,9 +273,6 @@ func (dr *Resolver) ResolveNameFromMap(pathKey model.PathKey) (string, error) {
// ResolveName resolves an inode/mount ID pair to a file basename
func (dr *Resolver) ResolveName(pathKey model.PathKey) string {
name, err := dr.ResolveNameFromCache(pathKey)
- if err != nil && dr.config.ERPCDentryResolutionEnabled {
- name, err = dr.ResolveNameFromERPC(pathKey)
- }
if err != nil && dr.config.MapDentryResolutionEnabled {
name, err = dr.ResolveNameFromMap(pathKey)
}
@@ -465,34 +462,6 @@ func (dr *Resolver) requestResolve(op uint8, pathKey model.PathKey) (uint32, err
return challenge, dr.erpc.Request(dr.erpcRequest)
}
-// ResolveNameFromERPC resolves the name of the provided inode / mount id / path id
-func (dr *Resolver) ResolveNameFromERPC(pathKey model.PathKey) (string, error) {
- entry := counterEntry{
- resolutionType: metrics.ERPCTag,
- resolution: metrics.SegmentResolutionTag,
- }
-
- challenge, err := dr.requestResolve(erpc.ResolveSegmentOp, pathKey)
- if err != nil {
- dr.missCounters[entry].Inc()
- return "", fmt.Errorf("unable to get the name of mountID `%d` and inode `%d` with eRPC: %w", pathKey.MountID, pathKey.Inode, err)
- }
-
- if challenge != model.ByteOrder.Uint32(dr.erpcSegment[12:16]) {
- dr.missCounters[entry].Inc()
- return "", errERPCRequestNotProcessed
- }
-
- seg := model.NullTerminatedString(dr.erpcSegment[16:])
- if len(seg) == 0 || len(seg) > 0 && seg[0] == 0 {
- dr.missCounters[entry].Inc()
- return "", fmt.Errorf("couldn't resolve segment (len: %d)", len(seg))
- }
-
- dr.hitsCounters[entry].Inc()
- return seg, nil
-}
-
func (dr *Resolver) cacheEntries(keys []model.PathKey, entries []PathEntry) error {
var cacheEntry PathEntry
@@ -631,32 +600,6 @@ func (dr *Resolver) ResolveParentFromCache(pathKey model.PathKey) (model.PathKey
return path.Parent, nil
}
-// ResolveParentFromERPC resolves the parent
-func (dr *Resolver) ResolveParentFromERPC(pathKey model.PathKey) (model.PathKey, error) {
- entry := counterEntry{
- resolutionType: metrics.ERPCTag,
- resolution: metrics.ParentResolutionTag,
- }
-
- // create eRPC request
- challenge, err := dr.requestResolve(erpc.ResolveParentOp, pathKey)
- if err != nil {
- dr.missCounters[entry].Inc()
- return model.PathKey{}, fmt.Errorf("unable to resolve the parent of mountID `%d` and inode `%d` with eRPC: %w", pathKey.MountID, pathKey.Inode, err)
- }
-
- if challenge != model.ByteOrder.Uint32(dr.erpcSegment[12:16]) {
- dr.missCounters[entry].Inc()
- return model.PathKey{}, errERPCRequestNotProcessed
- }
-
- pathKey.Inode = model.ByteOrder.Uint64(dr.erpcSegment[0:8])
- pathKey.MountID = model.ByteOrder.Uint32(dr.erpcSegment[8:12])
-
- dr.hitsCounters[entry].Inc()
- return pathKey, nil
-}
-
// ResolveParentFromMap resolves the parent
func (dr *Resolver) ResolveParentFromMap(pathKey model.PathKey) (model.PathKey, error) {
entry := counterEntry{
@@ -677,10 +620,7 @@ func (dr *Resolver) ResolveParentFromMap(pathKey model.PathKey) (model.PathKey,
// GetParent returns the parent mount_id/inode
func (dr *Resolver) GetParent(pathKey model.PathKey) (model.PathKey, error) {
pathKey, err := dr.ResolveParentFromCache(pathKey)
- if err != nil && dr.config.ERPCDentryResolutionEnabled {
- pathKey, err = dr.ResolveParentFromERPC(pathKey)
- }
- if err != nil && err != errTruncatedParentsERPC && dr.config.MapDentryResolutionEnabled {
+ if err != nil && dr.config.MapDentryResolutionEnabled {
pathKey, err = dr.ResolveParentFromMap(pathKey)
}
diff --git a/pkg/security/resolvers/mount/resolver.go b/pkg/security/resolvers/mount/resolver.go
index aef4685fc374a..1a8ec19da3bef 100644
--- a/pkg/security/resolvers/mount/resolver.go
+++ b/pkg/security/resolvers/mount/resolver.go
@@ -69,7 +69,6 @@ type Resolver struct {
statsdClient statsd.ClientInterface
lock sync.RWMutex
mounts map[uint32]*model.Mount
- pidToMounts map[uint32]map[uint32]*model.Mount
minMountID uint32 // used to find the first userspace visible mount ID
redemption *simplelru.LRU[uint32, *redemptionEntry]
fallbackLimiter *utils.Limiter[uint64]
@@ -120,13 +119,12 @@ func (mr *Resolver) syncPid(pid uint32) error {
}
for _, mnt := range mnts {
- if m, exists := mr.mounts[uint32(mnt.ID)]; exists {
- mr.updatePidMapping(m, pid)
+ if _, exists := mr.mounts[uint32(mnt.ID)]; exists {
continue
}
m := newMountFromMountInfo(mnt)
- mr.insert(m, pid)
+ mr.insert(m)
}
return nil
@@ -160,7 +158,7 @@ func (mr *Resolver) delete(mount *model.Mount) {
curr, rest := openQueue[len(openQueue)-1], openQueue[:len(openQueue)-1]
openQueue = rest
- delete(mr.mounts, curr.MountID)
+ mr.finalize(curr)
entry := redemptionEntry{
mount: curr,
@@ -173,10 +171,6 @@ func (mr *Resolver) delete(mount *model.Mount) {
openQueue = append(openQueue, child)
}
}
-
- for _, mounts := range mr.pidToMounts {
- delete(mounts, mount.MountID)
- }
}
}
@@ -212,7 +206,7 @@ func (mr *Resolver) ResolveFilesystem(mountID uint32, device uint32, pid uint32,
}
// Insert a new mount point in the cache
-func (mr *Resolver) Insert(m model.Mount, pid uint32) error {
+func (mr *Resolver) Insert(m model.Mount) error {
if m.MountID == 0 {
return ErrMountUndefined
}
@@ -220,37 +214,12 @@ func (mr *Resolver) Insert(m model.Mount, pid uint32) error {
mr.lock.Lock()
defer mr.lock.Unlock()
- mr.insert(&m, pid)
+ mr.insert(&m)
return nil
}
-func (mr *Resolver) updatePidMapping(m *model.Mount, pid uint32) {
- if pid == 0 {
- return
- }
-
- mounts := mr.pidToMounts[pid]
- if mounts == nil {
- mounts = make(map[uint32]*model.Mount)
- mr.pidToMounts[pid] = mounts
- }
- mounts[m.MountID] = m
-}
-
-// DelPid removes the pid form the pid mapping
-func (mr *Resolver) DelPid(pid uint32) {
- if pid == 0 {
- return
- }
-
- mr.lock.Lock()
- defer mr.lock.Unlock()
-
- delete(mr.pidToMounts, pid)
-}
-
-func (mr *Resolver) insert(m *model.Mount, pid uint32) {
+func (mr *Resolver) insert(m *model.Mount) {
// umount the previous one if exists
if prev, ok := mr.mounts[m.MountID]; ok {
// put the prev entry and the all the children in the redemption list
@@ -273,8 +242,6 @@ func (mr *Resolver) insert(m *model.Mount, pid uint32) {
}
mr.mounts[m.MountID] = m
-
- mr.updatePidMapping(m, pid)
}
func (mr *Resolver) getFromRedemption(mountID uint32) *model.Mount {
@@ -286,20 +253,14 @@ func (mr *Resolver) getFromRedemption(mountID uint32) *model.Mount {
}
func (mr *Resolver) lookupByMountID(mountID uint32) *model.Mount {
- mount := mr.mounts[mountID]
- if mount != nil {
- return mount
- }
-
- return mr.getFromRedemption(mountID)
+ return mr.mounts[mountID]
}
-func (mr *Resolver) lookupByDevice(device uint32, pid uint32) *model.Mount {
+/*
+func (mr *Resolver) lookupByDevice(device uint32) *model.Mount {
var result *model.Mount
- mounts := mr.pidToMounts[pid]
-
- for _, mount := range mounts {
+ for _, mount := range mr.mounts {
if mount.Device == device {
// should be consistent across all the mounts
if result != nil && result.MountPointStr != mount.MountPointStr {
@@ -311,22 +272,33 @@ func (mr *Resolver) lookupByDevice(device uint32, pid uint32) *model.Mount {
return result
}
+*/
-func (mr *Resolver) lookupMount(mountID uint32, device uint32, pid uint32) *model.Mount {
- mount := mr.lookupByMountID(mountID)
- if mount != nil {
- return mount
+func (mr *Resolver) lookupMount(mountID uint32, _ uint32, allowFallbacks bool) *model.Mount {
+ if m := mr.lookupByMountID(mountID); m != nil {
+ return m
}
- return mr.lookupByDevice(device, pid)
+ if allowFallbacks {
+ // TODO(safchain) reintroduce using a namespace aware approach
+ /*if m := mr.lookupByDevice(device); m != nil {
+ return m
+ }*/
+
+ if m := mr.getFromRedemption(mountID); m != nil {
+ return m
+ }
+ }
+
+ return nil
}
-func (mr *Resolver) _getMountPath(mountID uint32, device uint32, pid uint32, cache map[uint32]bool) (string, error) {
+func (mr *Resolver) _getMountPath(mountID uint32, device uint32, cache map[uint32]bool, allowFallbacks bool) (string, error) {
if _, err := mr.IsMountIDValid(mountID); err != nil {
return "", err
}
- mount := mr.lookupMount(mountID, device, pid)
+ mount := mr.lookupMount(mountID, device, allowFallbacks)
if mount == nil {
return "", &ErrMountNotFound{MountID: mountID}
}
@@ -350,7 +322,7 @@ func (mr *Resolver) _getMountPath(mountID uint32, device uint32, pid uint32, cac
return "", ErrMountUndefined
}
- parentMountPath, err := mr._getMountPath(mount.ParentPathKey.MountID, mount.Device, pid, cache)
+ parentMountPath, err := mr._getMountPath(mount.ParentPathKey.MountID, mount.Device, cache, allowFallbacks)
if err != nil {
return "", err
}
@@ -365,8 +337,8 @@ func (mr *Resolver) _getMountPath(mountID uint32, device uint32, pid uint32, cac
return mountPointStr, nil
}
-func (mr *Resolver) getMountPath(mountID uint32, device uint32, pid uint32) (string, error) {
- return mr._getMountPath(mountID, device, pid, map[uint32]bool{})
+func (mr *Resolver) getMountPath(mountID uint32, device uint32, allowDeviceFallback bool) (string, error) {
+ return mr._getMountPath(mountID, device, map[uint32]bool{}, allowDeviceFallback)
}
// ResolveMountRoot returns the root of a mount identified by its mount ID.
@@ -420,7 +392,11 @@ func (mr *Resolver) resolveMountPath(mountID uint32, device uint32, pid uint32,
// force a resolution here to make sure the LRU keeps doing its job and doesn't evict important entries
workload, _ := mr.cgroupsResolver.GetWorkload(containerID)
- path, err := mr.getMountPath(mountID, device, pid)
+ // if UseProcFS is disabled, we can directly allow the device fallback and redemption since getMountPath will be called
+ // only once
+ allowFallbacks := !mr.opts.UseProcFS
+
+ path, err := mr.getMountPath(mountID, device, allowFallbacks)
if err == nil {
mr.cacheHitsStats.Inc()
return path, nil
@@ -435,7 +411,7 @@ func (mr *Resolver) resolveMountPath(mountID uint32, device uint32, pid uint32,
return "", err
}
- path, err = mr.getMountPath(mountID, device, pid)
+ path, err = mr.getMountPath(mountID, device, true)
if err == nil {
mr.procHitsStats.Inc()
return path, nil
@@ -461,7 +437,11 @@ func (mr *Resolver) resolveMount(mountID uint32, device uint32, pid uint32, cont
// force a resolution here to make sure the LRU keeps doing its job and doesn't evict important entries
workload, _ := mr.cgroupsResolver.GetWorkload(containerID)
- mount := mr.lookupMount(mountID, device, pid)
+ // if UseProcFS is disabled, we can directly allow the device fallback and redemption since getMountPath will be called
+ // only once
+ allowFallbacks := !mr.opts.UseProcFS
+
+ mount := mr.lookupMount(mountID, device, allowFallbacks)
if mount != nil {
mr.cacheHitsStats.Inc()
return mount, nil
@@ -476,7 +456,7 @@ func (mr *Resolver) resolveMount(mountID uint32, device uint32, pid uint32, cont
return nil, err
}
- mount = mr.mounts[mountID]
+ mount = mr.lookupMount(mountID, device, true)
if mount != nil {
mr.procHitsStats.Inc()
return mount, nil
@@ -598,7 +578,6 @@ func NewResolver(statsdClient statsd.ClientInterface, cgroupsResolver *cgroup.Re
cgroupsResolver: cgroupsResolver,
lock: sync.RWMutex{},
mounts: make(map[uint32]*model.Mount),
- pidToMounts: make(map[uint32]map[uint32]*model.Mount),
cacheHitsStats: atomic.NewInt64(0),
procHitsStats: atomic.NewInt64(0),
cacheMissStats: atomic.NewInt64(0),
diff --git a/pkg/security/resolvers/mount/resolver_test.go b/pkg/security/resolvers/mount/resolver_test.go
index 517872059e945..bb86ba1afe94d 100644
--- a/pkg/security/resolvers/mount/resolver_test.go
+++ b/pkg/security/resolvers/mount/resolver_test.go
@@ -110,7 +110,7 @@ func TestMountResolver(t *testing.T) {
},
},
},
- {
+ /*{
"insert_device",
args{
[]event{
@@ -137,7 +137,7 @@ func TestMountResolver(t *testing.T) {
},
},
},
- },
+ },*/
{
"remove_overlay",
args{
@@ -444,7 +444,7 @@ func TestMountResolver(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
for _, evt := range tt.args.events {
if evt.mount != nil {
- mr.insert(&evt.mount.Mount, pid)
+ mr.insert(&evt.mount.Mount)
}
if evt.umount != nil {
mount, err := mr.ResolveMount(evt.umount.MountID, 0, pid, "")
@@ -505,7 +505,7 @@ func TestMountGetParentPath(t *testing.T) {
},
}
- parentPath, err := mr.getMountPath(4, 44, 1)
+ parentPath, err := mr.getMountPath(4, 44, false)
assert.NoError(t, err)
assert.Equal(t, "/a/b/c", parentPath)
}
@@ -541,7 +541,7 @@ func TestMountLoop(t *testing.T) {
},
}
- parentPath, err := mr.getMountPath(3, 44, 1)
+ parentPath, err := mr.getMountPath(3, 44, false)
assert.Equal(t, ErrMountLoop, err)
assert.Equal(t, "", parentPath)
}
@@ -568,6 +568,6 @@ func BenchmarkGetParentPath(b *testing.B) {
b.ResetTimer()
for i := 0; i < b.N; i++ {
- _, _ = mr.getMountPath(100, 44, 1)
+ _, _ = mr.getMountPath(100, 44, false)
}
}
diff --git a/pkg/security/resolvers/opts_linux.go b/pkg/security/resolvers/opts_linux.go
new file mode 100644
index 0000000000000..e2ee9890e80fe
--- /dev/null
+++ b/pkg/security/resolvers/opts_linux.go
@@ -0,0 +1,17 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+// Package resolvers holds resolvers related files
+package resolvers
+
+import "github.com/DataDog/datadog-agent/pkg/security/resolvers/tags"
+
+// Opts defines common options
+type Opts struct {
+ PathResolutionEnabled bool
+ TagsResolver tags.Resolver
+ UseRingBuffer bool
+ TTYFallbackEnabled bool
+}
diff --git a/pkg/security/resolvers/process/opts_linux.go b/pkg/security/resolvers/process/opts_linux.go
new file mode 100644
index 0000000000000..ec28641c37ff3
--- /dev/null
+++ b/pkg/security/resolvers/process/opts_linux.go
@@ -0,0 +1,34 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+// Package process holds process related files
+package process
+
+// ResolverOpts options of resolver
+type ResolverOpts struct {
+ ttyFallbackEnabled bool
+ envsWithValue map[string]bool
+}
+
+// WithEnvsValue specifies envs with value
+func (o *ResolverOpts) WithEnvsValue(envsWithValue []string) *ResolverOpts {
+ for _, envVar := range envsWithValue {
+ o.envsWithValue[envVar] = true
+ }
+ return o
+}
+
+// WithTTYFallbackEnabled enables the TTY fallback
+func (o *ResolverOpts) WithTTYFallbackEnabled() *ResolverOpts {
+ o.ttyFallbackEnabled = true
+ return o
+}
+
+// NewResolverOpts returns a new set of process resolver options
+func NewResolverOpts() *ResolverOpts {
+ return &ResolverOpts{
+ envsWithValue: make(map[string]bool),
+ }
+}
diff --git a/pkg/security/resolvers/process/resolver_others.go b/pkg/security/resolvers/process/opts_windows.go
similarity index 58%
rename from pkg/security/resolvers/process/resolver_others.go
rename to pkg/security/resolvers/process/opts_windows.go
index 3b03be00ae0a7..5fd2847199772 100644
--- a/pkg/security/resolvers/process/resolver_others.go
+++ b/pkg/security/resolvers/process/opts_windows.go
@@ -3,15 +3,15 @@
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
-//go:build !linux && !windows
-
// Package process holds process related files
package process
-import "go.uber.org/atomic"
+// ResolverOpts options of resolver
+type ResolverOpts struct {
+ envsWithValue map[string]bool
+}
-// Resolver defines a resolver
-type Resolver struct {
- // stats
- cacheSize *atomic.Int64
+// NewResolverOpts returns a new set of process resolver options
+func NewResolverOpts() ResolverOpts {
+ return ResolverOpts{}
}
diff --git a/pkg/security/resolvers/process/resolver.go b/pkg/security/resolvers/process/resolver.go
index 62461ac051038..ec64299312fea 100644
--- a/pkg/security/resolvers/process/resolver.go
+++ b/pkg/security/resolvers/process/resolver.go
@@ -29,7 +29,7 @@ func (p *Pool) Put(pce *model.ProcessCacheEntry) {
}
// NewProcessCacheEntryPool returns a new Pool
-func NewProcessCacheEntryPool(p *Resolver) *Pool {
+func NewProcessCacheEntryPool(onRelease func()) *Pool {
pcep := Pool{pool: &sync.Pool{}}
pcep.pool.New = func() interface{} {
@@ -38,7 +38,7 @@ func NewProcessCacheEntryPool(p *Resolver) *Pool {
pce.Ancestor.Release()
}
- p.cacheSize.Dec()
+ onRelease()
pcep.Put(pce)
})
diff --git a/pkg/security/resolvers/process/resolver_linux.go b/pkg/security/resolvers/process/resolver_ebpf.go
similarity index 87%
rename from pkg/security/resolvers/process/resolver_linux.go
rename to pkg/security/resolvers/process/resolver_ebpf.go
index 1eabc9ffcce97..08cb4439eec0d 100644
--- a/pkg/security/resolvers/process/resolver_linux.go
+++ b/pkg/security/resolvers/process/resolver_ebpf.go
@@ -56,14 +56,8 @@ const (
procFallbackLimiterPeriod = 30 * time.Second // proc fallback period by pid
)
-// ResolverOpts options of resolver
-type ResolverOpts struct {
- ttyFallbackEnabled bool
- envsWithValue map[string]bool
-}
-
-// Resolver resolved process context
-type Resolver struct {
+// EBPFResolver resolved process context
+type EBPFResolver struct {
sync.RWMutex
state *atomic.Int64
@@ -113,7 +107,7 @@ type Resolver struct {
}
// DequeueExited dequeue exited process
-func (p *Resolver) DequeueExited() {
+func (p *EBPFResolver) DequeueExited() {
p.Lock()
defer p.Unlock()
@@ -142,7 +136,7 @@ func (p *Resolver) DequeueExited() {
}
// NewProcessCacheEntry returns a new process cache entry
-func (p *Resolver) NewProcessCacheEntry(pidContext model.PIDContext) *model.ProcessCacheEntry {
+func (p *EBPFResolver) NewProcessCacheEntry(pidContext model.PIDContext) *model.ProcessCacheEntry {
entry := p.processCacheEntryPool.Get()
entry.PIDContext = pidContext
entry.Cookie = utils.NewCookie()
@@ -150,12 +144,12 @@ func (p *Resolver) NewProcessCacheEntry(pidContext model.PIDContext) *model.Proc
}
// CountBrokenLineage increments the counter of broken lineage
-func (p *Resolver) CountBrokenLineage() {
+func (p *EBPFResolver) CountBrokenLineage() {
p.brokenLineage.Inc()
}
// SendStats sends process resolver metrics
-func (p *Resolver) SendStats() error {
+func (p *EBPFResolver) SendStats() error {
if err := p.statsdClient.Gauge(metrics.MetricProcessResolverCacheSize, p.getCacheSize(), []string{}, 1.0); err != nil {
return fmt.Errorf("failed to send process_resolver cache_size metric: %w", err)
}
@@ -285,7 +279,7 @@ func (e *argsEnvsCacheEntry) extend(event *model.ArgsEnvsEvent) {
}
// UpdateArgsEnvs updates arguments or environment variables of the given id
-func (p *Resolver) UpdateArgsEnvs(event *model.ArgsEnvsEvent) {
+func (p *EBPFResolver) UpdateArgsEnvs(event *model.ArgsEnvsEvent) {
if list, found := p.argsEnvsCache.Get(event.ID); found {
list.extend(event)
} else {
@@ -294,7 +288,7 @@ func (p *Resolver) UpdateArgsEnvs(event *model.ArgsEnvsEvent) {
}
// AddForkEntry adds an entry to the local cache and returns the newly created entry
-func (p *Resolver) AddForkEntry(entry *model.ProcessCacheEntry, inode uint64) {
+func (p *EBPFResolver) AddForkEntry(entry *model.ProcessCacheEntry, inode uint64) {
p.Lock()
defer p.Unlock()
@@ -302,7 +296,7 @@ func (p *Resolver) AddForkEntry(entry *model.ProcessCacheEntry, inode uint64) {
}
// AddExecEntry adds an entry to the local cache and returns the newly created entry
-func (p *Resolver) AddExecEntry(entry *model.ProcessCacheEntry, inode uint64) {
+func (p *EBPFResolver) AddExecEntry(entry *model.ProcessCacheEntry, inode uint64) {
p.Lock()
defer p.Unlock()
@@ -310,7 +304,7 @@ func (p *Resolver) AddExecEntry(entry *model.ProcessCacheEntry, inode uint64) {
}
// enrichEventFromProc uses /proc to enrich a ProcessCacheEntry with additional metadata
-func (p *Resolver) enrichEventFromProc(entry *model.ProcessCacheEntry, proc *process.Process, filledProc *utils.FilledProcess) error {
+func (p *EBPFResolver) enrichEventFromProc(entry *model.ProcessCacheEntry, proc *process.Process, filledProc *utils.FilledProcess) error {
// the provided process is a kernel process if its virtual memory size is null
if filledProc.MemInfo.VMS == 0 {
return fmt.Errorf("cannot snapshot kernel threads")
@@ -347,7 +341,7 @@ func (p *Resolver) enrichEventFromProc(entry *model.ProcessCacheEntry, proc *pro
if entry.FileEvent.IsFileless() {
entry.FileEvent.Filesystem = model.TmpFS
} else {
- // resolve container path with the MountResolver
+ // resolve container path with the MountEBPFResolver
entry.FileEvent.Filesystem, err = p.mountResolver.ResolveFilesystem(entry.Process.FileEvent.MountID, entry.Process.FileEvent.Device, entry.Process.Pid, string(containerID))
if err != nil {
seclog.Debugf("snapshot failed for mount %d with pid %d : couldn't get the filesystem: %s", entry.Process.FileEvent.MountID, proc.Pid, err)
@@ -434,7 +428,7 @@ func (p *Resolver) enrichEventFromProc(entry *model.ProcessCacheEntry, proc *pro
}
// retrieveExecFileFields fetches inode metadata from kernel space
-func (p *Resolver) retrieveExecFileFields(procExecPath string) (*model.FileFields, error) {
+func (p *EBPFResolver) retrieveExecFileFields(procExecPath string) (*model.FileFields, error) {
fi, err := os.Stat(procExecPath)
if err != nil {
return nil, fmt.Errorf("snapshot failed for `%s`: couldn't stat binary: %w", procExecPath, err)
@@ -465,7 +459,7 @@ func (p *Resolver) retrieveExecFileFields(procExecPath string) (*model.FileField
return &fileFields, nil
}
-func (p *Resolver) insertEntry(entry, prev *model.ProcessCacheEntry, source uint64) {
+func (p *EBPFResolver) insertEntry(entry, prev *model.ProcessCacheEntry, source uint64) {
entry.Source = source
p.entryCache[entry.Pid] = entry
entry.Retain()
@@ -491,7 +485,7 @@ func (p *Resolver) insertEntry(entry, prev *model.ProcessCacheEntry, source uint
p.cacheSize.Inc()
}
-func (p *Resolver) insertForkEntry(entry *model.ProcessCacheEntry, inode uint64, source uint64) {
+func (p *EBPFResolver) insertForkEntry(entry *model.ProcessCacheEntry, inode uint64, source uint64) {
prev := p.entryCache[entry.Pid]
if prev != nil {
// this shouldn't happen but it is better to exit the prev and let the new one replace it
@@ -519,7 +513,7 @@ func (p *Resolver) insertForkEntry(entry *model.ProcessCacheEntry, inode uint64,
p.insertEntry(entry, prev, source)
}
-func (p *Resolver) insertExecEntry(entry *model.ProcessCacheEntry, inode uint64, source uint64) {
+func (p *EBPFResolver) insertExecEntry(entry *model.ProcessCacheEntry, inode uint64, source uint64) {
prev := p.entryCache[entry.Pid]
if prev != nil {
if inode != 0 && prev.FileEvent.Inode != inode {
@@ -541,7 +535,7 @@ func (p *Resolver) insertExecEntry(entry *model.ProcessCacheEntry, inode uint64,
p.insertEntry(entry, prev, source)
}
-func (p *Resolver) deleteEntry(pid uint32, exitTime time.Time) {
+func (p *EBPFResolver) deleteEntry(pid uint32, exitTime time.Time) {
// Start by updating the exit timestamp of the pid cache entry
entry, ok := p.entryCache[pid]
if !ok {
@@ -558,7 +552,7 @@ func (p *Resolver) deleteEntry(pid uint32, exitTime time.Time) {
}
// DeleteEntry tries to delete an entry in the process cache
-func (p *Resolver) DeleteEntry(pid uint32, exitTime time.Time) {
+func (p *EBPFResolver) DeleteEntry(pid uint32, exitTime time.Time) {
p.Lock()
defer p.Unlock()
@@ -566,14 +560,14 @@ func (p *Resolver) DeleteEntry(pid uint32, exitTime time.Time) {
}
// Resolve returns the cache entry for the given pid
-func (p *Resolver) Resolve(pid, tid uint32, inode uint64, useProcFS bool) *model.ProcessCacheEntry {
+func (p *EBPFResolver) Resolve(pid, tid uint32, inode uint64, useProcFS bool) *model.ProcessCacheEntry {
p.Lock()
defer p.Unlock()
return p.resolve(pid, tid, inode, useProcFS)
}
-func (p *Resolver) resolve(pid, tid uint32, inode uint64, useProcFS bool) *model.ProcessCacheEntry {
+func (p *EBPFResolver) resolve(pid, tid uint32, inode uint64, useProcFS bool) *model.ProcessCacheEntry {
if entry := p.resolveFromCache(pid, tid, inode); entry != nil {
p.hitsStats[metrics.CacheTag].Inc()
return entry
@@ -615,7 +609,7 @@ func setPathname(fileEvent *model.FileEvent, pathnameStr string) {
fileEvent.SetBasenameStr(path.Base(pathnameStr))
}
-func (p *Resolver) resolveFileFieldsPath(e *model.FileFields, pce *model.ProcessCacheEntry, ctrCtx *model.ContainerContext) (string, error) {
+func (p *EBPFResolver) resolveFileFieldsPath(e *model.FileFields, pce *model.ProcessCacheEntry, ctrCtx *model.ContainerContext) (string, error) {
var (
pathnameStr string
err error
@@ -640,7 +634,7 @@ func (p *Resolver) resolveFileFieldsPath(e *model.FileFields, pce *model.Process
}
// SetProcessPath resolves process file path
-func (p *Resolver) SetProcessPath(fileEvent *model.FileEvent, pce *model.ProcessCacheEntry, ctrCtx *model.ContainerContext) (string, error) {
+func (p *EBPFResolver) SetProcessPath(fileEvent *model.FileEvent, pce *model.ProcessCacheEntry, ctrCtx *model.ContainerContext) (string, error) {
onError := func(pathnameStr string, err error) (string, error) {
fileEvent.SetPathnameStr("")
fileEvent.SetBasenameStr("")
@@ -669,7 +663,7 @@ func IsBusybox(pathname string) bool {
}
// SetProcessSymlink resolves process file symlink path
-func (p *Resolver) SetProcessSymlink(entry *model.ProcessCacheEntry) {
+func (p *EBPFResolver) SetProcessSymlink(entry *model.ProcessCacheEntry) {
// TODO: busybox workaround only for now
if IsBusybox(entry.FileEvent.PathnameStr) {
arg0, _ := GetProcessArgv0(&entry.Process)
@@ -683,7 +677,7 @@ func (p *Resolver) SetProcessSymlink(entry *model.ProcessCacheEntry) {
}
// SetProcessFilesystem resolves process file system
-func (p *Resolver) SetProcessFilesystem(entry *model.ProcessCacheEntry) (string, error) {
+func (p *EBPFResolver) SetProcessFilesystem(entry *model.ProcessCacheEntry) (string, error) {
if entry.FileEvent.MountID != 0 {
fs, err := p.mountResolver.ResolveFilesystem(entry.FileEvent.MountID, entry.FileEvent.Device, entry.Pid, entry.ContainerID)
if err != nil {
@@ -696,20 +690,20 @@ func (p *Resolver) SetProcessFilesystem(entry *model.ProcessCacheEntry) (string,
}
// ApplyBootTime realign timestamp from the boot time
-func (p *Resolver) ApplyBootTime(entry *model.ProcessCacheEntry) {
+func (p *EBPFResolver) ApplyBootTime(entry *model.ProcessCacheEntry) {
entry.ExecTime = p.timeResolver.ApplyBootTime(entry.ExecTime)
entry.ForkTime = p.timeResolver.ApplyBootTime(entry.ForkTime)
entry.ExitTime = p.timeResolver.ApplyBootTime(entry.ExitTime)
}
// ResolveFromCache resolves cache entry from the cache
-func (p *Resolver) ResolveFromCache(pid, tid uint32, inode uint64) *model.ProcessCacheEntry {
+func (p *EBPFResolver) ResolveFromCache(pid, tid uint32, inode uint64) *model.ProcessCacheEntry {
p.Lock()
defer p.Unlock()
return p.resolveFromCache(pid, tid, inode)
}
-func (p *Resolver) resolveFromCache(pid, tid uint32, inode uint64) *model.ProcessCacheEntry {
+func (p *EBPFResolver) resolveFromCache(pid, tid uint32, inode uint64) *model.ProcessCacheEntry {
entry, exists := p.entryCache[pid]
if !exists {
return nil
@@ -729,7 +723,7 @@ func (p *Resolver) resolveFromCache(pid, tid uint32, inode uint64) *model.Proces
}
// ResolveNewProcessCacheEntry resolves the context fields of a new process cache entry parsed from kernel data
-func (p *Resolver) ResolveNewProcessCacheEntry(entry *model.ProcessCacheEntry, ctrCtx *model.ContainerContext) error {
+func (p *EBPFResolver) ResolveNewProcessCacheEntry(entry *model.ProcessCacheEntry, ctrCtx *model.ContainerContext) error {
if _, err := p.SetProcessPath(&entry.FileEvent, entry, ctrCtx); err != nil {
return &spath.ErrPathResolution{Err: fmt.Errorf("failed to resolve exec path: %w", err)}
}
@@ -757,13 +751,13 @@ func (p *Resolver) ResolveNewProcessCacheEntry(entry *model.ProcessCacheEntry, c
}
// ResolveFromKernelMaps resolves the entry from the kernel maps
-func (p *Resolver) ResolveFromKernelMaps(pid, tid uint32, inode uint64) *model.ProcessCacheEntry {
+func (p *EBPFResolver) ResolveFromKernelMaps(pid, tid uint32, inode uint64) *model.ProcessCacheEntry {
p.Lock()
defer p.Unlock()
return p.resolveFromKernelMaps(pid, tid, inode)
}
-func (p *Resolver) resolveFromKernelMaps(pid, tid uint32, inode uint64) *model.ProcessCacheEntry {
+func (p *EBPFResolver) resolveFromKernelMaps(pid, tid uint32, inode uint64) *model.ProcessCacheEntry {
pidb := make([]byte, 4)
model.ByteOrder.PutUint32(pidb, pid)
@@ -839,13 +833,13 @@ func IsKThread(ppid, pid uint32) bool {
}
// ResolveFromProcfs resolves the entry from procfs
-func (p *Resolver) ResolveFromProcfs(pid uint32) *model.ProcessCacheEntry {
+func (p *EBPFResolver) ResolveFromProcfs(pid uint32) *model.ProcessCacheEntry {
p.Lock()
defer p.Unlock()
return p.resolveFromProcfs(pid, procResolveMaxDepth)
}
-func (p *Resolver) resolveFromProcfs(pid uint32, maxDepth int) *model.ProcessCacheEntry {
+func (p *EBPFResolver) resolveFromProcfs(pid uint32, maxDepth int) *model.ProcessCacheEntry {
if maxDepth < 1 {
seclog.Tracef("max depth reached during procfs resolution: %d", pid)
return nil
@@ -895,7 +889,7 @@ func (p *Resolver) resolveFromProcfs(pid uint32, maxDepth int) *model.ProcessCac
}
// SetProcessArgs set arguments to cache entry
-func (p *Resolver) SetProcessArgs(pce *model.ProcessCacheEntry) {
+func (p *EBPFResolver) SetProcessArgs(pce *model.ProcessCacheEntry) {
if entry, found := p.argsEnvsCache.Get(pce.ArgsID); found {
if pce.ArgsTruncated {
p.argsTruncated.Inc()
@@ -943,7 +937,7 @@ func GetProcessArgv0(pr *model.Process) (string, bool) {
}
// GetProcessArgvScrubbed returns the scrubbed args of the event as an array
-func (p *Resolver) GetProcessArgvScrubbed(pr *model.Process) ([]string, bool) {
+func (p *EBPFResolver) GetProcessArgvScrubbed(pr *model.Process) ([]string, bool) {
if pr.ArgsEntry == nil || pr.ScrubbedArgvResolved {
return pr.Argv, pr.ArgsTruncated
}
@@ -955,13 +949,15 @@ func (p *Resolver) GetProcessArgvScrubbed(pr *model.Process) ([]string, bool) {
argv, _ = p.scrubber.ScrubCommand(argv)
pr.ArgsEntry.Values = []string{pr.ArgsEntry.Values[0]}
pr.ArgsEntry.Values = append(pr.ArgsEntry.Values, argv...)
+
+ pr.ScrubbedArgvResolved = true
}
return argv, truncated
}
// SetProcessEnvs set envs to cache entry
-func (p *Resolver) SetProcessEnvs(pce *model.ProcessCacheEntry) {
+func (p *EBPFResolver) SetProcessEnvs(pce *model.ProcessCacheEntry) {
if entry, found := p.argsEnvsCache.Get(pce.EnvsID); found {
if pce.EnvsTruncated {
p.envsTruncated.Inc()
@@ -980,7 +976,7 @@ func (p *Resolver) SetProcessEnvs(pce *model.ProcessCacheEntry) {
}
// GetProcessEnvs returns the envs of the event
-func (p *Resolver) GetProcessEnvs(pr *model.Process) ([]string, bool) {
+func (p *EBPFResolver) GetProcessEnvs(pr *model.Process) ([]string, bool) {
if pr.EnvsEntry == nil {
return pr.Envs, pr.EnvsTruncated
}
@@ -992,7 +988,7 @@ func (p *Resolver) GetProcessEnvs(pr *model.Process) ([]string, bool) {
}
// GetProcessEnvp returns the unscrubbed envs of the event with their values. Use with caution.
-func (p *Resolver) GetProcessEnvp(pr *model.Process) ([]string, bool) {
+func (p *EBPFResolver) GetProcessEnvp(pr *model.Process) ([]string, bool) {
if pr.EnvsEntry == nil {
return pr.Envp, pr.EnvsTruncated
}
@@ -1003,7 +999,7 @@ func (p *Resolver) GetProcessEnvp(pr *model.Process) ([]string, bool) {
}
// SetProcessTTY resolves TTY and cache the result
-func (p *Resolver) SetProcessTTY(pce *model.ProcessCacheEntry) string {
+func (p *EBPFResolver) SetProcessTTY(pce *model.ProcessCacheEntry) string {
if pce.TTYName == "" && p.opts.ttyFallbackEnabled {
tty := utils.PidTTY(pce.Pid)
pce.TTYName = tty
@@ -1012,7 +1008,7 @@ func (p *Resolver) SetProcessTTY(pce *model.ProcessCacheEntry) string {
}
// SetProcessUsersGroups resolves and set users and groups
-func (p *Resolver) SetProcessUsersGroups(pce *model.ProcessCacheEntry) {
+func (p *EBPFResolver) SetProcessUsersGroups(pce *model.ProcessCacheEntry) {
pce.User, _ = p.userGroupResolver.ResolveUser(int(pce.Credentials.UID), pce.ContainerID)
pce.EUser, _ = p.userGroupResolver.ResolveUser(int(pce.Credentials.EUID), pce.ContainerID)
pce.FSUser, _ = p.userGroupResolver.ResolveUser(int(pce.Credentials.FSUID), pce.ContainerID)
@@ -1023,14 +1019,14 @@ func (p *Resolver) SetProcessUsersGroups(pce *model.ProcessCacheEntry) {
}
// Get returns the cache entry for a specified pid
-func (p *Resolver) Get(pid uint32) *model.ProcessCacheEntry {
+func (p *EBPFResolver) Get(pid uint32) *model.ProcessCacheEntry {
p.RLock()
defer p.RUnlock()
return p.entryCache[pid]
}
// UpdateUID updates the credentials of the provided pid
-func (p *Resolver) UpdateUID(pid uint32, e *model.Event) {
+func (p *EBPFResolver) UpdateUID(pid uint32, e *model.Event) {
if e.ProcessContext.Pid != e.ProcessContext.Tid {
return
}
@@ -1049,7 +1045,7 @@ func (p *Resolver) UpdateUID(pid uint32, e *model.Event) {
}
// UpdateGID updates the credentials of the provided pid
-func (p *Resolver) UpdateGID(pid uint32, e *model.Event) {
+func (p *EBPFResolver) UpdateGID(pid uint32, e *model.Event) {
if e.ProcessContext.Pid != e.ProcessContext.Tid {
return
}
@@ -1068,7 +1064,7 @@ func (p *Resolver) UpdateGID(pid uint32, e *model.Event) {
}
// UpdateCapset updates the credentials of the provided pid
-func (p *Resolver) UpdateCapset(pid uint32, e *model.Event) {
+func (p *EBPFResolver) UpdateCapset(pid uint32, e *model.Event) {
if e.ProcessContext.Pid != e.ProcessContext.Tid {
return
}
@@ -1083,7 +1079,7 @@ func (p *Resolver) UpdateCapset(pid uint32, e *model.Event) {
}
// Start starts the resolver
-func (p *Resolver) Start(ctx context.Context) error {
+func (p *EBPFResolver) Start(ctx context.Context) error {
var err error
if p.execFileCacheMap, err = managerhelper.Map(p.manager, "exec_file_cache"); err != nil {
return err
@@ -1102,7 +1098,7 @@ func (p *Resolver) Start(ctx context.Context) error {
return nil
}
-func (p *Resolver) cacheFlush(ctx context.Context) {
+func (p *EBPFResolver) cacheFlush(ctx context.Context) {
ticker := time.NewTicker(2 * time.Minute)
defer ticker.Stop()
@@ -1134,7 +1130,7 @@ func (p *Resolver) cacheFlush(ctx context.Context) {
}
// SyncCache snapshots /proc for the provided pid. This method returns true if it updated the process cache.
-func (p *Resolver) SyncCache(proc *process.Process) bool {
+func (p *EBPFResolver) SyncCache(proc *process.Process) bool {
// Only a R lock is necessary to check if the entry exists, but if it exists, we'll update it, so a RW lock is
// required.
p.Lock()
@@ -1150,7 +1146,7 @@ func (p *Resolver) SyncCache(proc *process.Process) bool {
return ret
}
-func (p *Resolver) setAncestor(pce *model.ProcessCacheEntry) {
+func (p *EBPFResolver) setAncestor(pce *model.ProcessCacheEntry) {
parent := p.entryCache[pce.PPid]
if parent != nil {
pce.SetAncestor(parent)
@@ -1158,7 +1154,7 @@ func (p *Resolver) setAncestor(pce *model.ProcessCacheEntry) {
}
// syncCache snapshots /proc for the provided pid. This method returns true if it updated the process cache.
-func (p *Resolver) syncCache(proc *process.Process, filledProc *utils.FilledProcess, source uint64) (*model.ProcessCacheEntry, bool) {
+func (p *EBPFResolver) syncCache(proc *process.Process, filledProc *utils.FilledProcess, source uint64) (*model.ProcessCacheEntry, bool) {
pid := uint32(proc.Pid)
// Check if an entry is already in cache for the given pid.
@@ -1182,7 +1178,7 @@ func (p *Resolver) syncCache(proc *process.Process, filledProc *utils.FilledProc
p.setAncestor(entry)
- p.insertEntry(entry, p.entryCache[pid], model.ProcessCacheEntryFromSnapshot)
+ p.insertEntry(entry, p.entryCache[pid], source)
bootTime := p.timeResolver.GetBootTime()
@@ -1211,7 +1207,7 @@ func (p *Resolver) syncCache(proc *process.Process, filledProc *utils.FilledProc
return entry, true
}
-func (p *Resolver) dumpEntry(writer io.Writer, entry *model.ProcessCacheEntry, already map[string]bool, withArgs bool) {
+func (p *EBPFResolver) dumpEntry(writer io.Writer, entry *model.ProcessCacheEntry, already map[string]bool, withArgs bool) {
for entry != nil {
label := fmt.Sprintf("%s:%d", entry.Comm, entry.Pid)
if _, exists := already[label]; !exists {
@@ -1244,7 +1240,7 @@ func (p *Resolver) dumpEntry(writer io.Writer, entry *model.ProcessCacheEntry, a
}
// Dump create a temp file and dump the cache
-func (p *Resolver) Dump(withArgs bool) (string, error) {
+func (p *EBPFResolver) Dump(withArgs bool) (string, error) {
dump, err := os.CreateTemp("/tmp", "process-cache-dump-")
if err != nil {
return "", err
@@ -1275,24 +1271,24 @@ func (p *Resolver) Dump(withArgs bool) (string, error) {
}
// getCacheSize returns the cache size of the process resolver
-func (p *Resolver) getCacheSize() float64 {
+func (p *EBPFResolver) getCacheSize() float64 {
p.RLock()
defer p.RUnlock()
return float64(len(p.entryCache))
}
// getEntryCacheSize returns the cache size of the process resolver
-func (p *Resolver) getEntryCacheSize() float64 {
+func (p *EBPFResolver) getEntryCacheSize() float64 {
return float64(p.cacheSize.Load())
}
// SetState sets the process resolver state
-func (p *Resolver) SetState(state int64) {
+func (p *EBPFResolver) SetState(state int64) {
p.state.Store(state)
}
// Walk iterates through the entire tree and call the provided callback on each entry
-func (p *Resolver) Walk(callback func(entry *model.ProcessCacheEntry)) {
+func (p *EBPFResolver) Walk(callback func(entry *model.ProcessCacheEntry)) {
p.RLock()
defer p.RUnlock()
@@ -1301,17 +1297,17 @@ func (p *Resolver) Walk(callback func(entry *model.ProcessCacheEntry)) {
}
}
-// NewResolver returns a new process resolver
-func NewResolver(manager *manager.Manager, config *config.Config, statsdClient statsd.ClientInterface,
+// NewEBPFResolver returns a new process resolver
+func NewEBPFResolver(manager *manager.Manager, config *config.Config, statsdClient statsd.ClientInterface,
scrubber *procutil.DataScrubber, containerResolver *container.Resolver, mountResolver *mount.Resolver,
cgroupResolver *cgroup.Resolver, userGroupResolver *usergroup.Resolver, timeResolver *stime.Resolver,
- pathResolver spath.ResolverInterface, opts *ResolverOpts) (*Resolver, error) {
+ pathResolver spath.ResolverInterface, opts *ResolverOpts) (*EBPFResolver, error) {
argsEnvsCache, err := simplelru.NewLRU[uint32, *argsEnvsCacheEntry](maxParallelArgsEnvs, nil)
if err != nil {
return nil, err
}
- p := &Resolver{
+ p := &EBPFResolver{
manager: manager,
config: config,
statsdClient: statsdClient,
@@ -1345,7 +1341,7 @@ func NewResolver(manager *manager.Manager, config *config.Config, statsdClient s
for _, t := range metrics.AllTypesTags {
p.hitsStats[t] = atomic.NewInt64(0)
}
- p.processCacheEntryPool = NewProcessCacheEntryPool(p)
+ p.processCacheEntryPool = NewProcessCacheEntryPool(func() { p.cacheSize.Dec() })
// Create rate limiter that allows for 128 pids
limiter, err := utils.NewLimiter[uint32](128, numAllowedPIDsToResolvePerPeriod, procFallbackLimiterPeriod)
@@ -1356,24 +1352,3 @@ func NewResolver(manager *manager.Manager, config *config.Config, statsdClient s
return p, nil
}
-
-// WithEnvsValue specifies envs with value
-func (o *ResolverOpts) WithEnvsValue(envsWithValue []string) *ResolverOpts {
- for _, envVar := range envsWithValue {
- o.envsWithValue[envVar] = true
- }
- return o
-}
-
-// WithTTYFallbackEnabled enables the TTY fallback
-func (o *ResolverOpts) WithTTYFallbackEnabled() *ResolverOpts {
- o.ttyFallbackEnabled = true
- return o
-}
-
-// NewResolverOpts returns a new set of process resolver options
-func NewResolverOpts() *ResolverOpts {
- return &ResolverOpts{
- envsWithValue: make(map[string]bool),
- }
-}
diff --git a/pkg/security/resolvers/process/resolver_ebpfless.go b/pkg/security/resolvers/process/resolver_ebpfless.go
new file mode 100644
index 0000000000000..8083f46033eaf
--- /dev/null
+++ b/pkg/security/resolvers/process/resolver_ebpfless.go
@@ -0,0 +1,234 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build linux
+
+// Package process holds process related files
+package process
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "path/filepath"
+ "sync"
+ "time"
+
+ "go.uber.org/atomic"
+
+ "github.com/DataDog/datadog-go/v5/statsd"
+
+ "github.com/DataDog/datadog-agent/pkg/process/procutil"
+ "github.com/DataDog/datadog-agent/pkg/security/metrics"
+ "github.com/DataDog/datadog-agent/pkg/security/probe/config"
+ "github.com/DataDog/datadog-agent/pkg/security/secl/model"
+)
+
+// EBPFLessResolver defines a resolver
+type EBPFLessResolver struct {
+ sync.RWMutex
+ entryCache map[uint32]*model.ProcessCacheEntry
+ opts ResolverOpts
+ scrubber *procutil.DataScrubber
+ statsdClient statsd.ClientInterface
+
+ // stats
+ cacheSize *atomic.Int64
+
+ processCacheEntryPool *Pool
+}
+
+// NewEBPFLessResolver returns a new process resolver
+func NewEBPFLessResolver(_ *config.Config, statsdClient statsd.ClientInterface, scrubber *procutil.DataScrubber, opts *ResolverOpts) (*EBPFLessResolver, error) {
+ p := &EBPFLessResolver{
+ entryCache: make(map[uint32]*model.ProcessCacheEntry),
+ opts: *opts,
+ scrubber: scrubber,
+ cacheSize: atomic.NewInt64(0),
+ statsdClient: statsdClient,
+ }
+
+ p.processCacheEntryPool = NewProcessCacheEntryPool(func() { p.cacheSize.Dec() })
+
+ return p, nil
+}
+
+func (p *EBPFLessResolver) deleteEntry(pid uint32, exitTime time.Time) {
+ entry, ok := p.entryCache[pid]
+ if !ok {
+ return
+ }
+
+ entry.Exit(exitTime)
+ delete(p.entryCache, entry.Pid)
+ entry.Release()
+}
+
+// DeleteEntry tries to delete an entry in the process cache
+func (p *EBPFLessResolver) DeleteEntry(pid uint32, exitTime time.Time) {
+ p.Lock()
+ defer p.Unlock()
+
+ p.deleteEntry(pid, exitTime)
+}
+
+// AddForkEntry adds an entry to the local cache and returns the newly created entry
+func (p *EBPFLessResolver) AddForkEntry(pid uint32, ppid uint32) *model.ProcessCacheEntry {
+ entry := p.processCacheEntryPool.Get()
+ entry.PIDContext.Pid = pid
+ entry.PPid = ppid
+
+ p.Lock()
+ defer p.Unlock()
+
+ p.insertForkEntry(entry)
+
+ return entry
+}
+
+// AddExecEntry adds an entry to the local cache and returns the newly created entry
+func (p *EBPFLessResolver) AddExecEntry(pid uint32, file string, argv []string, envs []string, ctrID string) *model.ProcessCacheEntry {
+ entry := p.processCacheEntryPool.Get()
+ entry.PIDContext.Pid = pid
+
+ entry.Process.ArgsEntry = &model.ArgsEntry{Values: argv}
+ if len(argv) > 0 {
+ entry.Process.Comm = argv[0]
+ entry.Process.Argv0 = argv[0]
+ }
+
+ entry.Process.EnvsEntry = &model.EnvsEntry{Values: envs}
+
+ entry.Process.FileEvent.PathnameStr = file
+ entry.Process.FileEvent.BasenameStr = filepath.Base(entry.Process.FileEvent.PathnameStr)
+ entry.Process.ContainerID = ctrID
+
+ // TODO fix timestamp
+ entry.ExecTime = time.Now()
+
+ p.Lock()
+ defer p.Unlock()
+
+ p.insertExecEntry(entry)
+
+ return entry
+}
+
+func (p *EBPFLessResolver) insertEntry(entry, prev *model.ProcessCacheEntry) {
+ p.entryCache[entry.Pid] = entry
+ entry.Retain()
+
+ if prev != nil {
+ prev.Release()
+ }
+
+ p.cacheSize.Inc()
+}
+
+func (p *EBPFLessResolver) insertForkEntry(entry *model.ProcessCacheEntry) {
+ prev := p.entryCache[entry.Pid]
+ if prev != nil {
+ // this shouldn't happen but it is better to exit the prev and let the new one replace it
+ prev.Exit(entry.ForkTime)
+ }
+
+ if entry.Pid != 1 {
+ parent := p.entryCache[entry.PPid]
+ if parent != nil {
+ parent.Fork(entry)
+ }
+ }
+
+ p.insertEntry(entry, prev)
+}
+
+func (p *EBPFLessResolver) insertExecEntry(entry *model.ProcessCacheEntry) {
+ prev := p.entryCache[entry.Pid]
+ if prev != nil {
+ prev.Exec(entry)
+ }
+
+ p.insertEntry(entry, prev)
+}
+
+// Resolve returns the cache entry for the given pid
+func (p *EBPFLessResolver) Resolve(pid uint32) *model.ProcessCacheEntry {
+ p.Lock()
+ defer p.Unlock()
+ if e, ok := p.entryCache[pid]; ok {
+ return e
+ }
+ return nil
+}
+
+// getCacheSize returns the cache size of the process resolver
+func (p *EBPFLessResolver) getCacheSize() float64 {
+ p.RLock()
+ defer p.RUnlock()
+ return float64(len(p.entryCache))
+}
+
+// SendStats sends process resolver metrics
+func (p *EBPFLessResolver) SendStats() error {
+ if err := p.statsdClient.Gauge(metrics.MetricProcessResolverCacheSize, p.getCacheSize(), []string{}, 1.0); err != nil {
+ return fmt.Errorf("failed to send process_resolver cache_size metric: %w", err)
+ }
+
+ return nil
+}
+
+// Start starts the resolver
+func (p *EBPFLessResolver) Start(_ context.Context) error {
+ return nil
+}
+
+// Snapshot snapshot existing entryCache
+func (p *EBPFLessResolver) Snapshot() {}
+
+// Dump create a temp file and dump the cache
+func (p *EBPFLessResolver) Dump(_ bool) (string, error) {
+ return "", errors.New("not supported")
+}
+
+// GetProcessArgvScrubbed returns the scrubbed args of the event as an array
+func (p *EBPFLessResolver) GetProcessArgvScrubbed(pr *model.Process) ([]string, bool) {
+ if pr.ArgsEntry == nil || pr.ScrubbedArgvResolved {
+ return pr.Argv, pr.ArgsTruncated
+ }
+
+ argv, truncated := GetProcessArgv(pr)
+
+ if p.scrubber != nil && len(argv) > 0 {
+ // replace with the scrubbed version
+ argv, _ = p.scrubber.ScrubCommand(argv)
+ pr.ArgsEntry.Values = []string{pr.ArgsEntry.Values[0]}
+ pr.ArgsEntry.Values = append(pr.ArgsEntry.Values, argv...)
+ }
+
+ return argv, truncated
+}
+
+// GetProcessEnvs returns the envs of the event
+func (p *EBPFLessResolver) GetProcessEnvs(pr *model.Process) ([]string, bool) {
+ if pr.EnvsEntry == nil {
+ return pr.Envs, pr.EnvsTruncated
+ }
+
+ keys, truncated := pr.EnvsEntry.FilterEnvs(p.opts.envsWithValue)
+ pr.Envs = keys
+ pr.EnvsTruncated = pr.EnvsTruncated || truncated
+ return pr.Envs, pr.EnvsTruncated
+}
+
+// GetProcessEnvp returns the unscrubbed envs of the event with their values. Use with caution.
+func (p *EBPFLessResolver) GetProcessEnvp(pr *model.Process) ([]string, bool) {
+ if pr.EnvsEntry == nil {
+ return pr.Envp, pr.EnvsTruncated
+ }
+
+ pr.Envp = pr.EnvsEntry.Values
+ pr.EnvsTruncated = pr.EnvsTruncated || pr.EnvsEntry.Truncated
+ return pr.Envp, pr.EnvsTruncated
+}
diff --git a/pkg/security/resolvers/process/resolver_test.go b/pkg/security/resolvers/process/resolver_test.go
index 7eb3d61782a70..523cdc30555e8 100644
--- a/pkg/security/resolvers/process/resolver_test.go
+++ b/pkg/security/resolvers/process/resolver_test.go
@@ -20,7 +20,7 @@ import (
"github.com/DataDog/datadog-go/v5/statsd"
)
-func testCacheSize(t *testing.T, resolver *Resolver) {
+func testCacheSize(t *testing.T, resolver *EBPFResolver) {
err := retry.Do(
func() error {
if resolver.cacheSize.Load() == 0 {
@@ -34,7 +34,7 @@ func testCacheSize(t *testing.T, resolver *Resolver) {
}
func TestFork1st(t *testing.T) {
- resolver, err := NewResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
+ resolver, err := NewEBPFResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
if err != nil {
t.Fatal(err)
}
@@ -73,7 +73,7 @@ func TestFork1st(t *testing.T) {
}
func TestFork2nd(t *testing.T) {
- resolver, err := NewResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
+ resolver, err := NewEBPFResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
if err != nil {
t.Fatal(err)
}
@@ -114,7 +114,7 @@ func TestFork2nd(t *testing.T) {
}
func TestForkExec(t *testing.T) {
- resolver, err := NewResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
+ resolver, err := NewEBPFResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
if err != nil {
t.Fatal(err)
}
@@ -170,7 +170,7 @@ func TestForkExec(t *testing.T) {
}
func TestOrphanExec(t *testing.T) {
- resolver, err := NewResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
+ resolver, err := NewEBPFResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
if err != nil {
t.Fatal(err)
}
@@ -226,7 +226,7 @@ func TestOrphanExec(t *testing.T) {
}
func TestForkExecExec(t *testing.T) {
- resolver, err := NewResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
+ resolver, err := NewEBPFResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
if err != nil {
t.Fatal(err)
}
@@ -297,7 +297,7 @@ func TestForkExecExec(t *testing.T) {
}
func TestForkReuse(t *testing.T) {
- resolver, err := NewResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
+ resolver, err := NewEBPFResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
if err != nil {
t.Fatal(err)
}
@@ -392,7 +392,7 @@ func TestForkReuse(t *testing.T) {
}
func TestForkForkExec(t *testing.T) {
- resolver, err := NewResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
+ resolver, err := NewEBPFResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
if err != nil {
t.Fatal(err)
}
@@ -468,7 +468,7 @@ func TestForkForkExec(t *testing.T) {
}
func TestExecBomb(t *testing.T) {
- resolver, err := NewResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
+ resolver, err := NewEBPFResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
if err != nil {
t.Fatal(err)
}
@@ -537,7 +537,7 @@ func TestExecBomb(t *testing.T) {
}
func TestExecLostFork(t *testing.T) {
- resolver, err := NewResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
+ resolver, err := NewEBPFResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
if err != nil {
t.Fatal(err)
}
@@ -579,7 +579,7 @@ func TestExecLostFork(t *testing.T) {
}
func TestExecLostExec(t *testing.T) {
- resolver, err := NewResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
+ resolver, err := NewEBPFResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
if err != nil {
t.Fatal(err)
}
@@ -622,7 +622,7 @@ func TestExecLostExec(t *testing.T) {
}
func TestIsExecChildRuntime(t *testing.T) {
- resolver, err := NewResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
+ resolver, err := NewEBPFResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
if err != nil {
t.Fatal(err)
}
@@ -683,7 +683,7 @@ func TestIsExecChildRuntime(t *testing.T) {
}
func TestIsExecChildSnapshot(t *testing.T) {
- resolver, err := NewResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
+ resolver, err := NewEBPFResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, nil, nil, nil, nil, NewResolverOpts())
if err != nil {
t.Fatal(err)
}
diff --git a/pkg/security/resolvers/process/resolver_windows.go b/pkg/security/resolvers/process/resolver_windows.go
index 68e01614f19ee..bdfcfb00ed6ea 100644
--- a/pkg/security/resolvers/process/resolver_windows.go
+++ b/pkg/security/resolvers/process/resolver_windows.go
@@ -3,8 +3,6 @@
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
-//go:build windows
-
// Package process holds process related files
package process
@@ -44,11 +42,6 @@ type Resolver struct {
processCacheEntryPool *Pool
}
-// ResolverOpts options of resolver
-type ResolverOpts struct {
- envsWithValue map[string]bool
-}
-
// NewResolver returns a new process resolver
func NewResolver(config *config.Config, statsdClient statsd.ClientInterface, scrubber *procutil.DataScrubber, //nolint:revive // TODO fix revive unused-parameter
opts ResolverOpts) (*Resolver, error) {
@@ -61,16 +54,11 @@ func NewResolver(config *config.Config, statsdClient statsd.ClientInterface, scr
statsdClient: statsdClient,
}
- p.processCacheEntryPool = NewProcessCacheEntryPool(p)
+ p.processCacheEntryPool = NewProcessCacheEntryPool(func() { p.cacheSize.Dec() })
return p, nil
}
-// NewResolverOpts returns a new set of process resolver options
-func NewResolverOpts() ResolverOpts {
- return ResolverOpts{}
-}
-
func (p *Resolver) insertEntry(entry *model.ProcessCacheEntry) {
// PID collision
if prev := p.processes[entry.Pid]; prev != nil {
diff --git a/pkg/security/resolvers/resolvers_linux.go b/pkg/security/resolvers/resolvers_ebpf.go
similarity index 90%
rename from pkg/security/resolvers/resolvers_linux.go
rename to pkg/security/resolvers/resolvers_ebpf.go
index b81a3c9383c8d..0167a28cae9c4 100644
--- a/pkg/security/resolvers/resolvers_linux.go
+++ b/pkg/security/resolvers/resolvers_ebpf.go
@@ -40,16 +40,8 @@ import (
"github.com/DataDog/datadog-agent/pkg/util/log"
)
-// Opts defines common options
-type Opts struct {
- PathResolutionEnabled bool
- TagsResolver tags.Resolver
- UseRingBuffer bool
- TTYFallbackEnabled bool
-}
-
-// Resolvers holds the list of the event attribute resolvers
-type Resolvers struct {
+// EBPFResolvers holds the list of the event attribute resolvers
+type EBPFResolvers struct {
manager *manager.Manager
MountResolver *mount.Resolver
ContainerResolver *container.Resolver
@@ -57,7 +49,7 @@ type Resolvers struct {
UserGroupResolver *usergroup.Resolver
TagsResolver tags.Resolver
DentryResolver *dentry.Resolver
- ProcessResolver *process.Resolver
+ ProcessResolver *process.EBPFResolver
NamespaceResolver *netns.Resolver
CGroupResolver *cgroup.Resolver
TCResolver *tc.Resolver
@@ -67,8 +59,8 @@ type Resolvers struct {
UserSessions *usersessions.Resolver
}
-// NewResolvers creates a new instance of Resolvers
-func NewResolvers(config *config.Config, manager *manager.Manager, statsdClient statsd.ClientInterface, scrubber *procutil.DataScrubber, eRPC *erpc.ERPC, opts Opts) (*Resolvers, error) {
+// NewEBPFResolvers creates a new instance of EBPFResolvers
+func NewEBPFResolvers(config *config.Config, manager *manager.Manager, statsdClient statsd.ClientInterface, scrubber *procutil.DataScrubber, eRPC *erpc.ERPC, opts Opts) (*EBPFResolvers, error) {
dentryResolver, err := dentry.NewResolver(config.Probe, statsdClient, eRPC)
if err != nil {
return nil, err
@@ -145,7 +137,7 @@ func NewResolvers(config *config.Config, manager *manager.Manager, statsdClient
processOpts.WithTTYFallbackEnabled()
}
- processResolver, err := process.NewResolver(manager, config.Probe, statsdClient,
+ processResolver, err := process.NewEBPFResolver(manager, config.Probe, statsdClient,
scrubber, containerResolver, mountResolver, cgroupsResolver, userGroupResolver, timeResolver, pathResolver, processOpts)
if err != nil {
return nil, err
@@ -160,7 +152,7 @@ func NewResolvers(config *config.Config, manager *manager.Manager, statsdClient
return nil, err
}
- resolvers := &Resolvers{
+ resolvers := &EBPFResolvers{
manager: manager,
MountResolver: mountResolver,
ContainerResolver: containerResolver,
@@ -182,7 +174,7 @@ func NewResolvers(config *config.Config, manager *manager.Manager, statsdClient
}
// Start the resolvers
-func (r *Resolvers) Start(ctx context.Context) error {
+func (r *EBPFResolvers) Start(ctx context.Context) error {
if err := r.ProcessResolver.Start(ctx); err != nil {
return err
}
@@ -207,7 +199,7 @@ func (r *Resolvers) Start(ctx context.Context) error {
}
// Snapshot collects data on the current state of the system to populate user space and kernel space caches.
-func (r *Resolvers) Snapshot() error {
+func (r *EBPFResolvers) Snapshot() error {
if err := r.snapshot(); err != nil {
return fmt.Errorf("unable to snapshot processes: %w", err)
}
@@ -228,7 +220,7 @@ func (r *Resolvers) Snapshot() error {
}
// snapshot internal version of Snapshot. Calls the relevant resolvers to sync their caches.
-func (r *Resolvers) snapshot() error {
+func (r *EBPFResolvers) snapshot() error {
// List all processes, to trigger the process and mount snapshots
processes, err := utils.GetProcesses()
if err != nil {
@@ -288,7 +280,7 @@ func (r *Resolvers) snapshot() error {
}
// Close cleans up any underlying resolver that requires a cleanup
-func (r *Resolvers) Close() error {
+func (r *EBPFResolvers) Close() error {
// clean up the dentry resolver eRPC segment
return r.DentryResolver.Close()
}
diff --git a/pkg/security/resolvers/resolvers_ebpfless.go b/pkg/security/resolvers/resolvers_ebpfless.go
new file mode 100644
index 0000000000000..1297ca5fe894d
--- /dev/null
+++ b/pkg/security/resolvers/resolvers_ebpfless.go
@@ -0,0 +1,76 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build linux
+
+// Package resolvers holds resolvers related files
+package resolvers
+
+import (
+ "context"
+
+ "github.com/DataDog/datadog-go/v5/statsd"
+
+ "github.com/DataDog/datadog-agent/pkg/process/procutil"
+ "github.com/DataDog/datadog-agent/pkg/security/config"
+ "github.com/DataDog/datadog-agent/pkg/security/resolvers/container"
+ "github.com/DataDog/datadog-agent/pkg/security/resolvers/process"
+ "github.com/DataDog/datadog-agent/pkg/security/resolvers/tags"
+)
+
+// EBPFLessResolvers holds the list of the event attribute resolvers
+type EBPFLessResolvers struct {
+ ContainerResolver *container.Resolver
+ TagsResolver tags.Resolver
+ ProcessResolver *process.EBPFLessResolver
+}
+
+// NewEBPFLessResolvers creates a new instance of EBPFLessResolvers
+func NewEBPFLessResolvers(config *config.Config, statsdClient statsd.ClientInterface, scrubber *procutil.DataScrubber, opts Opts) (*EBPFLessResolvers, error) {
+ var tagsResolver tags.Resolver
+ if opts.TagsResolver != nil {
+ tagsResolver = opts.TagsResolver
+ } else {
+ tagsResolver = tags.NewResolver(config.Probe)
+ }
+
+ processOpts := process.NewResolverOpts()
+ processOpts.WithEnvsValue(config.Probe.EnvsWithValue)
+
+ processResolver, err := process.NewEBPFLessResolver(config.Probe, statsdClient, scrubber, processOpts)
+ if err != nil {
+ return nil, err
+ }
+
+ resolvers := &EBPFLessResolvers{
+ TagsResolver: tagsResolver,
+ ProcessResolver: processResolver,
+ }
+
+ return resolvers, nil
+}
+
+// Start the resolvers
+func (r *EBPFLessResolvers) Start(ctx context.Context) error {
+ if err := r.ProcessResolver.Start(ctx); err != nil {
+ return err
+ }
+
+ if err := r.TagsResolver.Start(ctx); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+// Snapshot collects data on the current state of the system to populate user space and kernel space caches.
+func (r *EBPFLessResolvers) Snapshot() error {
+ return nil
+}
+
+// Close cleans up any underlying resolver that requires a cleanup
+func (r *EBPFLessResolvers) Close() error {
+ return nil
+}
diff --git a/pkg/security/resolvers/resolvers_others.go b/pkg/security/resolvers/resolvers_others.go
deleted file mode 100644
index 54635c1aa1582..0000000000000
--- a/pkg/security/resolvers/resolvers_others.go
+++ /dev/null
@@ -1,24 +0,0 @@
-// Unless explicitly stated otherwise all files in this repository are licensed
-// under the Apache License Version 2.0.
-// This product includes software developed at Datadog (https://www.datadoghq.com/).
-// Copyright 2016-present Datadog, Inc.
-
-//go:build !linux && !windows
-
-// Package resolvers holds resolvers related files
-package resolvers
-
-import (
- "fmt"
- "github.com/DataDog/datadog-agent/pkg/security/config"
- "github.com/DataDog/datadog-go/v5/statsd"
-)
-
-// Resolvers holds the list of the event attribute resolvers
-type Resolvers struct {
-}
-
-// NewResolvers creates a new instance of Resolvers
-func NewResolvers(config *config.Config, statsdClient statsd.ClientInterface) (*Resolvers, error) {
- return nil, fmt.Errorf("Not implemented on this platform")
-}
diff --git a/pkg/security/secl/compiler/generators/accessors/accessors.go b/pkg/security/secl/compiler/generators/accessors/accessors.go
index 0fa91a6a5458a..6b333945acb3f 100644
--- a/pkg/security/secl/compiler/generators/accessors/accessors.go
+++ b/pkg/security/secl/compiler/generators/accessors/accessors.go
@@ -26,6 +26,7 @@ import (
"github.com/Masterminds/sprig/v3"
"github.com/davecgh/go-spew/spew"
"github.com/fatih/structtag"
+ "golang.org/x/exp/slices"
"golang.org/x/text/cases"
"golang.org/x/text/language"
"golang.org/x/tools/go/packages"
@@ -103,6 +104,10 @@ func origTypeToBasicType(kind string) string {
return kind
}
+func isNetType(kind string) bool {
+ return kind == "net.IPNet"
+}
+
func isBasicType(kind string) bool {
switch kind {
case "string", "bool", "int", "int8", "int16", "int32", "int64", "uint8", "uint16", "uint32", "uint64", "net.IPNet":
@@ -112,8 +117,12 @@ func isBasicType(kind string) bool {
}
func isBasicTypeForGettersOnly(kind string) bool {
+ if isBasicType(kind) {
+ return true
+ }
+
switch kind {
- case "string", "bool", "int", "int8", "int16", "int32", "int64", "uint8", "uint16", "uint32", "uint64", "net.IPNet", "time.Time":
+ case "time.Time":
return true
}
return false
@@ -156,13 +165,10 @@ func handleBasic(module *common.Module, field seclField, name, alias, aliasPrefi
Struct: containerStructName,
Alias: alias,
AliasPrefix: aliasPrefix,
+ GettersOnly: field.gettersOnly,
}
- if field.gettersOnly {
- module.GettersOnlyFields[alias] = newStructField
- } else {
- module.Fields[alias] = newStructField
- }
+ module.Fields[alias] = newStructField
if _, ok := module.EventTypes[event]; !ok {
module.EventTypes[event] = common.NewEventTypeMetada()
@@ -187,13 +193,10 @@ func handleBasic(module *common.Module, field seclField, name, alias, aliasPrefi
Struct: "string",
Alias: alias,
AliasPrefix: aliasPrefix,
+ GettersOnly: field.gettersOnly,
}
- if field.gettersOnly {
- module.GettersOnlyFields[alias] = newStructField
- } else {
- module.Fields[alias] = newStructField
- }
+ module.Fields[alias] = newStructField
}
}
@@ -288,13 +291,10 @@ func handleFieldWithHandler(module *common.Module, field seclField, aliasPrefix,
Check: field.check,
Alias: alias,
AliasPrefix: aliasPrefix,
+ GettersOnly: field.gettersOnly,
}
- if field.gettersOnly {
- module.GettersOnlyFields[alias] = newStructField
- } else {
- module.Fields[alias] = newStructField
- }
+ module.Fields[alias] = newStructField
if field.lengthField {
var lengthField = *module.Fields[alias]
@@ -529,6 +529,12 @@ func handleSpecRecursive(module *common.Module, astFiles *AstFiles, spec interfa
continue
}
+ if isNetType((fieldType)) {
+ if !slices.Contains(module.Imports, "net") {
+ module.Imports = append(module.Imports, "net")
+ }
+ }
+
alias := seclField.name
if isBasicType(fieldType) {
handleBasic(module, seclField, fieldBasename, alias, aliasPrefix, prefix, fieldType, event, opOverrides, fieldCommentText, seclField.containerStructName, fieldIterator, isArray)
@@ -563,7 +569,6 @@ func handleSpecRecursive(module *common.Module, astFiles *AstFiles, spec interfa
}
if handler := seclField.handler; handler != "" {
-
handleFieldWithHandler(module, seclField, aliasPrefix, prefix, prefixedFieldName, fieldType, seclField.containerStructName, event, fieldCommentText, opOverrides, handler, isPointer, isArray, fieldIterator)
delete(dejavu, fieldBasename)
@@ -682,15 +687,14 @@ func parseFile(modelFile string, typesFile string, pkgName string) (*common.Modu
}
module := &common.Module{
- Name: moduleName,
- SourcePkg: pkgName,
- TargetPkg: pkgName,
- BuildTags: formatBuildTags(buildTags),
- Fields: make(map[string]*common.StructField),
- GettersOnlyFields: make(map[string]*common.StructField),
- AllFields: make(map[string]*common.StructField),
- Iterators: make(map[string]*common.StructField),
- EventTypes: make(map[string]*common.EventTypeMetadata),
+ Name: moduleName,
+ SourcePkg: pkgName,
+ TargetPkg: pkgName,
+ BuildTags: formatBuildTags(buildTags),
+ Fields: make(map[string]*common.StructField),
+ AllFields: make(map[string]*common.StructField),
+ Iterators: make(map[string]*common.StructField),
+ EventTypes: make(map[string]*common.EventTypeMetadata),
}
// If the target package is different from the model package
@@ -736,7 +740,7 @@ func newField(allFields map[string]*common.StructField, field *common.StructFiel
return result
}
-func generatePrefixNilChecks(allFields map[string]*common.StructField, field *common.StructField) string {
+func generatePrefixNilChecks(allFields map[string]*common.StructField, returnType string, field *common.StructField) string {
var fieldPath, result string
for _, node := range strings.Split(field.Name, ".") {
if fieldPath != "" {
@@ -747,7 +751,7 @@ func generatePrefixNilChecks(allFields map[string]*common.StructField, field *co
if field, ok := allFields[fieldPath]; ok {
if field.IsOrigTypePtr {
- result += fmt.Sprintf("if ev.%s == nil { return zeroValue }\n", field.Name)
+ result += fmt.Sprintf("if ev.%s == nil { return %s }\n", field.Name, getDefaultValueOfType(returnType))
}
}
}
@@ -835,25 +839,6 @@ func needScrubbed(fieldName string) bool {
return false
}
-func needFiltered(fieldName string) bool {
- loweredFieldName := strings.ToLower(fieldName)
- if strings.Contains(loweredFieldName, "env") && !strings.Contains(loweredFieldName, "truncated") {
- return true
- }
- return false
-}
-
-func combineFieldMaps(map1 map[string]*common.StructField, map2 map[string]*common.StructField) map[string]*common.StructField {
- combined := make(map[string]*common.StructField)
- for k, v := range map1 {
- combined[k] = v
- }
- for key, value := range map2 {
- combined[key] = value
- }
- return combined
-}
-
func addSuffixToFuncPrototype(suffix string, prototype string) string {
chunks := strings.SplitN(prototype, "(", 3)
chunks = append(chunks[:1], append([]string{suffix, "("}, chunks[1:]...)...)
@@ -977,8 +962,6 @@ var funcMap = map[string]interface{}{
"PascalCaseFieldName": pascalCaseFieldName,
"GetDefaultValueOfType": getDefaultValueOfType,
"NeedScrubbed": needScrubbed,
- "NeedFiltered": needFiltered,
- "CombineFieldMaps": combineFieldMaps,
"AddSuffixToFuncPrototype": addSuffixToFuncPrototype,
}
@@ -1076,7 +1059,7 @@ func removeEmptyLines(input *bytes.Buffer) string {
func init() {
flag.BoolVar(&verbose, "verbose", false, "Be verbose")
- flag.StringVar(&docOutput, "doc", "../../../../docs/cloud-workload-security/secl.json", "Generate documentation JSON")
+ flag.StringVar(&docOutput, "doc", "", "Generate documentation JSON")
flag.StringVar(&fieldHandlersOutput, "field-handlers", "field_handlers_unix.go", "Field handlers output file")
flag.StringVar(&modelFile, "input", os.Getenv("GOFILE"), "Go file to generate decoders from")
flag.StringVar(&typesFile, "types-file", os.Getenv("TYPESFILE"), "Go type file to use with the model file")
diff --git a/pkg/security/secl/compiler/generators/accessors/accessors.tmpl b/pkg/security/secl/compiler/generators/accessors/accessors.tmpl
index a9f04a0f6606a..f7df03d7b3ac9 100644
--- a/pkg/security/secl/compiler/generators/accessors/accessors.tmpl
+++ b/pkg/security/secl/compiler/generators/accessors/accessors.tmpl
@@ -9,16 +9,15 @@
package {{.Name}}
import (
- "net"
- "reflect"
+ {{range .Imports }}
+ "{{.}}"
+ {{end}}
+ "reflect"
{{if ne $.SourcePkg $.TargetPkg}}"{{.SourcePkg}}"{{end}}
"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
)
-// Aliases used to avoid compilation error in case of unused imported package
-type NetIP = net.IP
-
func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error) {
switch field {
{{range $Name, $Field := .Iterators}}
@@ -43,6 +42,10 @@ func (m *Model) GetEventTypes() []eval.EventType {
func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error) {
switch field {
{{range $Name, $Field := .Fields}}
+ {{- if $Field.GettersOnly }}
+ {{continue}}
+ {{end}}
+
case "{{$Name}}":
return &{{$Field.GetEvaluatorType}}{
{{- if $Field.OpOverrides}}
@@ -195,6 +198,10 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
func (ev *Event) GetFields() []eval.Field {
return []eval.Field{
{{range $Name, $Field := .Fields}}
+ {{- if $Field.GettersOnly }}
+ {{continue}}
+ {{end}}
+
"{{$Name}}",
{{end}}
}
@@ -203,6 +210,10 @@ func (ev *Event) GetFields() []eval.Field {
func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
switch field {
{{range $Name, $Field := .Fields}}
+ {{- if $Field.GettersOnly }}
+ {{continue}}
+ {{end}}
+
case "{{$Name}}":
{{if $Field.Iterator}}
var values []{{$Field.ReturnType}}
@@ -313,6 +324,10 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
func (ev *Event) GetFieldEventType(field eval.Field) (eval.EventType, error) {
switch field {
{{range $Name, $Field := .Fields}}
+ {{- if $Field.GettersOnly }}
+ {{continue}}
+ {{end}}
+
case "{{$Name}}":
return "{{$Field.Event}}", nil
{{end}}
@@ -324,6 +339,9 @@ func (ev *Event) GetFieldEventType(field eval.Field) (eval.EventType, error) {
func (ev *Event) GetFieldType(field eval.Field) (reflect.Kind, error) {
switch field {
{{range $Name, $Field := .Fields}}
+ {{- if $Field.GettersOnly }}
+ {{continue}}
+ {{end}}
case "{{$Name}}":
{{if eq $Field.ReturnType "string"}}
@@ -344,6 +362,10 @@ func (ev *Event) GetFieldType(field eval.Field) (reflect.Kind, error) {
func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error {
switch field {
{{range $Name, $Field := .Fields}}
+ {{- if $Field.GettersOnly }}
+ {{continue}}
+ {{end}}
+
{{$FieldName := $Field.Name | printf "ev.%s"}}
case "{{$Name}}":
{{- $Field | NewField $.AllFields}}
diff --git a/pkg/security/secl/compiler/generators/accessors/common/types.go b/pkg/security/secl/compiler/generators/accessors/common/types.go
index d78b4c9f5c816..ce34fe4a041ed 100644
--- a/pkg/security/secl/compiler/generators/accessors/common/types.go
+++ b/pkg/security/secl/compiler/generators/accessors/common/types.go
@@ -30,17 +30,18 @@ const (
// Module represents everything needed to generate the accessors for a specific module (fields, build tags, ...)
type Module struct {
- Name string
- SourcePkgPrefix string
- SourcePkg string
- TargetPkg string
- BuildTags []string
- Fields map[string]*StructField // Fields only contains fields that are exposed in SECL
- GettersOnlyFields map[string]*StructField // GettersOnlyFields only contains fields that have generated getters but are not exposed in SECL
- AllFields map[string]*StructField
- Iterators map[string]*StructField
- EventTypes map[string]*EventTypeMetadata
- Mock bool
+ Name string
+ SourcePkgPrefix string
+ SourcePkg string
+ TargetPkg string
+ BuildTags []string
+ Fields map[string]*StructField // Fields only contains fields that are exposed in SECL
+ //GettersOnlyFields map[string]*StructField // GettersOnlyFields only contains fields that have generated getters but are not exposed in SECL
+ AllFields map[string]*StructField
+ Iterators map[string]*StructField
+ EventTypes map[string]*EventTypeMetadata
+ Mock bool
+ Imports []string
}
// StructField represents a structure field for which an accessor will be generated
@@ -65,6 +66,7 @@ type StructField struct {
Check string
Alias string
AliasPrefix string
+ GettersOnly bool
}
// GetEvaluatorType returns the evaluator type name
diff --git a/pkg/security/secl/compiler/generators/accessors/doc/doc.go b/pkg/security/secl/compiler/generators/accessors/doc/doc.go
index 182307a5583d0..29fac0eb8dc77 100644
--- a/pkg/security/secl/compiler/generators/accessors/doc/doc.go
+++ b/pkg/security/secl/compiler/generators/accessors/doc/doc.go
@@ -97,6 +97,10 @@ func GenerateDocJSON(module *common.Module, seclModelPath, outputPath string) er
cachedDocumentation := make(map[string]*propertyDocumentation)
for name, field := range module.Fields {
+ if field.GettersOnly {
+ continue
+ }
+
var propertyKey string
var propertySuffix string
var propertyDefinition string
diff --git a/pkg/security/secl/compiler/generators/accessors/field_accessors.tmpl b/pkg/security/secl/compiler/generators/accessors/field_accessors.tmpl
index 785d738f3c7d6..407a122f4aaa3 100644
--- a/pkg/security/secl/compiler/generators/accessors/field_accessors.tmpl
+++ b/pkg/security/secl/compiler/generators/accessors/field_accessors.tmpl
@@ -9,15 +9,15 @@
package {{.Name}}
import (
- "net"
+ {{range .Imports }}
+ "{{.}}"
+ {{end}}
"time"
"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
)
-{{$combinedFieldMaps := CombineFieldMaps .Fields .GettersOnlyFields}}
-
-{{range $Name, $Field := $combinedFieldMaps}}
+{{range $Name, $Field := .Fields}}
{{ $pascalCaseName := PascalCaseFieldName $Name }}
@@ -31,17 +31,14 @@ import (
{{ end }}
// Get{{$pascalCaseName}} returns the value of the field, resolving if necessary
-func (ev *Event) Get{{$pascalCaseName}}{{if NeedFiltered $Field.Handler }}(desiredKeys map[string]bool){{else}}(){{end}} {{ $accessorReturnType }} {
- {{ if and (ne $Field.Handler "ResolveAsync") (and (ne $Field.Handler "ResolveEventTimestamp") (ne $Field.Handler "ResolveEventTime")) }}
- zeroValue := {{ GetDefaultValueOfType $accessorReturnType}}
- {{ end }}
+func (ev *Event) Get{{$pascalCaseName}}() {{ $accessorReturnType }} {
{{if ne $Field.Event "*"}}
if ev.GetEventType().String() != "{{$Field.Event}}" {
- return zeroValue
+ return {{ GetDefaultValueOfType $accessorReturnType}}
}
{{end}}
- {{$Field | GeneratePrefixNilChecks $.AllFields}}
+ {{$Field | GeneratePrefixNilChecks $.AllFields $accessorReturnType}}
{{if $Field.Iterator}}
var values {{ $accessorReturnType }}
@@ -65,11 +62,7 @@ func (ev *Event) Get{{$pascalCaseName}}{{if NeedFiltered $Field.Handler }}(desir
{{if $Field.Handler}}
{{$SubName = $Field.Iterator.Name | TrimPrefix $Field.Prefix}}
{{$Handler := $Field.Iterator.Name | TrimPrefix $Field.Handler}}
- {{ if NeedScrubbed $Name }}
- {{$Return = print "ev.FieldHandlers." $Handler "Scrubbed(ev, &element" $SubName ")"}}
- {{ else }}
- {{$Return = print "ev.FieldHandlers." $Handler "(ev, &element" $SubName ")"}}
- {{ end }}
+ {{$Return = print "ev.FieldHandlers." $Handler "(ev, &element" $SubName ")"}}
{{end}}
{{if $Field.IsLength}}
@@ -89,9 +82,6 @@ func (ev *Event) Get{{$pascalCaseName}}{{if NeedFiltered $Field.Handler }}(desir
{{if not $Field.GetArrayPrefix}}
values = append(values, result)
{{else}}
- {{if NeedFiltered $Field.Handler }}
- result = filterEnvs(result, desiredKeys)
- {{ end }}
values = append(values, result...)
{{end}}
@@ -123,28 +113,16 @@ func (ev *Event) Get{{$pascalCaseName}}{{if NeedFiltered $Field.Handler }}(desir
{{end}}
{{$Prefix := $Field.Prefix}}
- {{ if or (eq $Field.Handler "ResolveEventTime") (not $Prefix) }}
+ {{ if not $Prefix }}
{{$Return = print "ev.FieldHandlers." $Field.Handler "(ev)"}}
{{- else if $Field.IsLength }}
{{$Return = print "len(ev.FieldHandlers." $Field.Handler "(ev, " $Ptr "ev." $Prefix "))"}}
- {{- else if NeedScrubbed $Field.Handler }}
- {{$Return = print "ev.FieldHandlers." $Field.Handler "Scrubbed(ev, " $Ptr "ev." $Prefix ")"}}
{{ else }}
{{$Return = print "ev.FieldHandlers." $Field.Handler "(ev, " $Ptr "ev." $Prefix ")"}}
{{end}}
{{end}}
- {{ if ($Field.IsArray) }}
- resolvedField := {{$Return}}
- {{if NeedFiltered $Field.Handler }}
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- {{ end }}
- fieldCopy := make({{$accessorReturnType}}, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
- {{ else }}
- return {{$Return}}
- {{ end }}
+ return {{$Return}}
{{end}}
}
diff --git a/pkg/security/secl/compiler/generators/accessors/field_handlers.tmpl b/pkg/security/secl/compiler/generators/accessors/field_handlers.tmpl
index 53df4b621f615..a91e393171f64 100644
--- a/pkg/security/secl/compiler/generators/accessors/field_handlers.tmpl
+++ b/pkg/security/secl/compiler/generators/accessors/field_handlers.tmpl
@@ -8,6 +8,10 @@
package {{.Name}}
+import (
+ "time"
+)
+
// ResolveFields resolves all the fields associate to the event type. Context fields are automatically resolved.
func (ev *Event) ResolveFields() {
ev.resolveFields(false)
@@ -22,6 +26,10 @@ func (ev *Event) resolveFields(forADs bool) {
{{ $uniqueResolvers := dict }}
// resolve context fields that are not related to any event type
{{- range $Key, $Field := .Fields}}
+ {{- if $Field.GettersOnly }}
+ {{continue}}
+ {{end}}
+
{{- if and (eq $Field.Event "*") }}
{{ $resolver := $Field | GetFieldHandler $.AllFields }}
{{ if and (ne $resolver "") (not (hasKey $uniqueResolvers $resolver)) }}
@@ -89,12 +97,7 @@ func (ev *Event) resolveFields(forADs bool) {
type FieldHandlers interface {
{{$Handlers := .Fields | GetHandlers}}
{{range $Proto, $Impl := $Handlers}}
- {{ if NeedScrubbed $Proto }}
- {{$Proto}}
- {{$Proto | AddSuffixToFuncPrototype "Scrubbed"}}
- {{else}}
- {{$Proto}}
- {{ end }}
+ {{$Proto}}
{{end}}
// custom handlers not tied to any fields
@@ -105,10 +108,5 @@ type DefaultFieldHandlers struct {}
{{$Handlers := .Fields | GetHandlers}}
{{range $Proto, $Impl := $Handlers}}
- {{ if NeedScrubbed $Proto }}
- func (dfh *DefaultFieldHandlers) {{$Proto}} {{$Impl}}
- func (dfh *DefaultFieldHandlers) {{$Proto | AddSuffixToFuncPrototype "Scrubbed"}} {{$Impl}}
- {{else}}
- func (dfh *DefaultFieldHandlers) {{$Proto}} {{$Impl}}
- {{ end }}
+ func (dfh *DefaultFieldHandlers) {{$Proto}} {{$Impl}}
{{end}}
diff --git a/pkg/security/secl/go.mod b/pkg/security/secl/go.mod
index 48111ba9c8aea..4c13c1860617d 100644
--- a/pkg/security/secl/go.mod
+++ b/pkg/security/secl/go.mod
@@ -16,9 +16,9 @@ require (
github.com/spf13/cast v1.5.1
github.com/stretchr/testify v1.8.4
golang.org/x/exp v0.0.0-20221114191408-850992195362
- golang.org/x/sys v0.14.0
+ golang.org/x/sys v0.15.0
golang.org/x/text v0.14.0
- golang.org/x/tools v0.15.0
+ golang.org/x/tools v0.16.0
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1
)
diff --git a/pkg/security/secl/go.sum b/pkg/security/secl/go.sum
index 11c886023fd75..aa78e93db1957 100644
--- a/pkg/security/secl/go.sum
+++ b/pkg/security/secl/go.sum
@@ -82,8 +82,8 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
@@ -96,8 +96,8 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8=
-golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk=
+golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
+golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
diff --git a/pkg/security/secl/model/accessors_unix.go b/pkg/security/secl/model/accessors_unix.go
index 4017dc67fe9e3..6c6095403ceef 100644
--- a/pkg/security/secl/model/accessors_unix.go
+++ b/pkg/security/secl/model/accessors_unix.go
@@ -15,9 +15,6 @@ import (
"reflect"
)
-// Aliases used to avoid compilation error in case of unused imported package
-type NetIP = net.IP
-
func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error) {
switch field {
case "process.ancestors":
@@ -759,7 +756,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Exec.Process)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "exec.args_flags":
return &eval.StringArrayEvaluator{
@@ -795,7 +792,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Exec.Process)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "exec.argv0":
return &eval.StringEvaluator{
@@ -1550,7 +1547,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Exit.Process)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "exit.args_flags":
return &eval.StringArrayEvaluator{
@@ -1586,7 +1583,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Exit.Process)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "exit.argv0":
return &eval.StringEvaluator{
@@ -3416,6 +3413,15 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
Field: field,
Weight: eval.FunctionWeight,
}, nil
+ case "mount.root.path":
+ return &eval.StringEvaluator{
+ EvalFnc: func(ctx *eval.Context) string {
+ ev := ctx.Event.(*Event)
+ return ev.FieldHandlers.ResolveMountRootPath(ev, &ev.Mount)
+ },
+ Field: field,
+ Weight: eval.HandlerWeight,
+ }, nil
case "mount.source.path":
return &eval.StringEvaluator{
EvalFnc: func(ctx *eval.Context) string {
@@ -3763,7 +3769,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
ctx.StringCache[field] = results
return results
}, Field: field,
- Weight: 100 * eval.IteratorWeight,
+ Weight: 500 * eval.IteratorWeight,
}, nil
case "process.ancestors.args_flags":
return &eval.StringArrayEvaluator{
@@ -3847,7 +3853,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
ctx.StringCache[field] = results
return results
}, Field: field,
- Weight: 100 * eval.IteratorWeight,
+ Weight: 500 * eval.IteratorWeight,
}, nil
case "process.ancestors.argv0":
return &eval.StringArrayEvaluator{
@@ -5478,7 +5484,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.BaseEvent.ProcessContext.Process)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "process.args_flags":
return &eval.StringArrayEvaluator{
@@ -5514,7 +5520,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.BaseEvent.ProcessContext.Process)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "process.argv0":
return &eval.StringEvaluator{
@@ -6191,7 +6197,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgs(ev, ev.BaseEvent.ProcessContext.Parent)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "process.parent.args_flags":
return &eval.StringArrayEvaluator{
@@ -6239,7 +6245,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgv(ev, ev.BaseEvent.ProcessContext.Parent)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "process.parent.argv0":
return &eval.StringEvaluator{
@@ -7303,7 +7309,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
ctx.StringCache[field] = results
return results
}, Field: field,
- Weight: 100 * eval.IteratorWeight,
+ Weight: 500 * eval.IteratorWeight,
}, nil
case "ptrace.tracee.ancestors.args_flags":
return &eval.StringArrayEvaluator{
@@ -7387,7 +7393,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
ctx.StringCache[field] = results
return results
}, Field: field,
- Weight: 100 * eval.IteratorWeight,
+ Weight: 500 * eval.IteratorWeight,
}, nil
case "ptrace.tracee.ancestors.argv0":
return &eval.StringArrayEvaluator{
@@ -9018,7 +9024,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.PTrace.Tracee.Process)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "ptrace.tracee.args_flags":
return &eval.StringArrayEvaluator{
@@ -9054,7 +9060,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.PTrace.Tracee.Process)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "ptrace.tracee.argv0":
return &eval.StringEvaluator{
@@ -9731,7 +9737,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgs(ev, ev.PTrace.Tracee.Parent)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "ptrace.tracee.parent.args_flags":
return &eval.StringArrayEvaluator{
@@ -9779,7 +9785,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgv(ev, ev.PTrace.Tracee.Parent)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "ptrace.tracee.parent.argv0":
return &eval.StringEvaluator{
@@ -11979,7 +11985,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
ctx.StringCache[field] = results
return results
}, Field: field,
- Weight: 100 * eval.IteratorWeight,
+ Weight: 500 * eval.IteratorWeight,
}, nil
case "signal.target.ancestors.args_flags":
return &eval.StringArrayEvaluator{
@@ -12063,7 +12069,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
ctx.StringCache[field] = results
return results
}, Field: field,
- Weight: 100 * eval.IteratorWeight,
+ Weight: 500 * eval.IteratorWeight,
}, nil
case "signal.target.ancestors.argv0":
return &eval.StringArrayEvaluator{
@@ -13694,7 +13700,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.Signal.Target.Process)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "signal.target.args_flags":
return &eval.StringArrayEvaluator{
@@ -13730,7 +13736,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.Signal.Target.Process)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "signal.target.argv0":
return &eval.StringEvaluator{
@@ -14407,7 +14413,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Signal.Target.Parent)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "signal.target.parent.args_flags":
return &eval.StringArrayEvaluator{
@@ -14455,7 +14461,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Signal.Target.Parent)
},
Field: field,
- Weight: 100 * eval.HandlerWeight,
+ Weight: 500 * eval.HandlerWeight,
}, nil
case "signal.target.parent.argv0":
return &eval.StringEvaluator{
@@ -16463,6 +16469,7 @@ func (ev *Event) GetFields() []eval.Field {
"mount.fs_type",
"mount.mountpoint.path",
"mount.retval",
+ "mount.root.path",
"mount.source.path",
"mprotect.req_protection",
"mprotect.retval",
@@ -18281,6 +18288,8 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
return ev.FieldHandlers.ResolveMountPointPath(ev, &ev.Mount), nil
case "mount.retval":
return int(ev.Mount.SyscallEvent.Retval), nil
+ case "mount.root.path":
+ return ev.FieldHandlers.ResolveMountRootPath(ev, &ev.Mount), nil
case "mount.source.path":
return ev.FieldHandlers.ResolveMountSourcePath(ev, &ev.Mount), nil
case "mprotect.req_protection":
@@ -24325,6 +24334,8 @@ func (ev *Event) GetFieldEventType(field eval.Field) (eval.EventType, error) {
return "mount", nil
case "mount.retval":
return "mount", nil
+ case "mount.root.path":
+ return "mount", nil
case "mount.source.path":
return "mount", nil
case "mprotect.req_protection":
@@ -26832,6 +26843,8 @@ func (ev *Event) GetFieldType(field eval.Field) (reflect.Kind, error) {
return reflect.String, nil
case "mount.retval":
return reflect.Int, nil
+ case "mount.root.path":
+ return reflect.String, nil
case "mount.source.path":
return reflect.String, nil
case "mprotect.req_protection":
@@ -31478,6 +31491,13 @@ func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error {
}
ev.Mount.SyscallEvent.Retval = int64(rv)
return nil
+ case "mount.root.path":
+ rv, ok := value.(string)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "Mount.MountRootPath"}
+ }
+ ev.Mount.MountRootPath = rv
+ return nil
case "mount.source.path":
rv, ok := value.(string)
if !ok {
diff --git a/pkg/security/secl/model/accessors_windows.go b/pkg/security/secl/model/accessors_windows.go
index 6eb08c38aa01f..855cbb4aa786b 100644
--- a/pkg/security/secl/model/accessors_windows.go
+++ b/pkg/security/secl/model/accessors_windows.go
@@ -11,13 +11,9 @@ package model
import (
"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
- "net"
"reflect"
)
-// Aliases used to avoid compilation error in case of unused imported package
-type NetIP = net.IP
-
func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error) {
switch field {
case "process.ancestors":
@@ -27,7 +23,6 @@ func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error) {
}
func (m *Model) GetEventTypes() []eval.EventType {
return []eval.EventType{
- eval.EventType("dns"),
eval.EventType("exec"),
eval.EventType("exit"),
}
@@ -74,10 +69,10 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return &eval.StringEvaluator{
EvalFnc: func(ctx *eval.Context) string {
ev := ctx.Event.(*Event)
- return ev.Exec.Process.CmdLine
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exec.Process)
},
Field: field,
- Weight: eval.FunctionWeight,
+ Weight: 200 * eval.HandlerWeight,
}, nil
case "exec.container.id":
return &eval.StringEvaluator{
@@ -182,10 +177,10 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return &eval.StringEvaluator{
EvalFnc: func(ctx *eval.Context) string {
ev := ctx.Event.(*Event)
- return ev.Exit.Process.CmdLine
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exit.Process)
},
Field: field,
- Weight: eval.FunctionWeight,
+ Weight: 200 * eval.HandlerWeight,
}, nil
case "exit.code":
return &eval.IntEvaluator{
@@ -286,72 +281,10 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
Field: field,
Weight: eval.FunctionWeight,
}, nil
- case "network.destination.ip":
- return &eval.CIDREvaluator{
- EvalFnc: func(ctx *eval.Context) net.IPNet {
- ev := ctx.Event.(*Event)
- return ev.BaseEvent.NetworkContext.Destination.IPNet
- },
- Field: field,
- Weight: eval.FunctionWeight,
- }, nil
- case "network.destination.port":
- return &eval.IntEvaluator{
- EvalFnc: func(ctx *eval.Context) int {
- ev := ctx.Event.(*Event)
- return int(ev.BaseEvent.NetworkContext.Destination.Port)
- },
- Field: field,
- Weight: eval.FunctionWeight,
- }, nil
- case "network.l3_protocol":
- return &eval.IntEvaluator{
- EvalFnc: func(ctx *eval.Context) int {
- ev := ctx.Event.(*Event)
- return int(ev.BaseEvent.NetworkContext.L3Protocol)
- },
- Field: field,
- Weight: eval.FunctionWeight,
- }, nil
- case "network.l4_protocol":
- return &eval.IntEvaluator{
- EvalFnc: func(ctx *eval.Context) int {
- ev := ctx.Event.(*Event)
- return int(ev.BaseEvent.NetworkContext.L4Protocol)
- },
- Field: field,
- Weight: eval.FunctionWeight,
- }, nil
- case "network.size":
- return &eval.IntEvaluator{
- EvalFnc: func(ctx *eval.Context) int {
- ev := ctx.Event.(*Event)
- return int(ev.BaseEvent.NetworkContext.Size)
- },
- Field: field,
- Weight: eval.FunctionWeight,
- }, nil
- case "network.source.ip":
- return &eval.CIDREvaluator{
- EvalFnc: func(ctx *eval.Context) net.IPNet {
- ev := ctx.Event.(*Event)
- return ev.BaseEvent.NetworkContext.Source.IPNet
- },
- Field: field,
- Weight: eval.FunctionWeight,
- }, nil
- case "network.source.port":
- return &eval.IntEvaluator{
- EvalFnc: func(ctx *eval.Context) int {
- ev := ctx.Event.(*Event)
- return int(ev.BaseEvent.NetworkContext.Source.Port)
- },
- Field: field,
- Weight: eval.FunctionWeight,
- }, nil
case "process.ancestors.cmdline":
return &eval.StringArrayEvaluator{
EvalFnc: func(ctx *eval.Context) []string {
+ ev := ctx.Event.(*Event)
if result, ok := ctx.StringCache[field]; ok {
return result
}
@@ -360,14 +293,14 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
value := iterator.Front(ctx)
for value != nil {
element := (*ProcessCacheEntry)(value)
- result := element.ProcessContext.Process.CmdLine
+ result := ev.FieldHandlers.ResolveProcessCmdLine(ev, &element.ProcessContext.Process)
results = append(results, result)
value = iterator.Next()
}
ctx.StringCache[field] = results
return results
}, Field: field,
- Weight: eval.IteratorWeight,
+ Weight: 200 * eval.IteratorWeight,
}, nil
case "process.ancestors.container.id":
return &eval.StringArrayEvaluator{
@@ -580,10 +513,10 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
return &eval.StringEvaluator{
EvalFnc: func(ctx *eval.Context) string {
ev := ctx.Event.(*Event)
- return ev.BaseEvent.ProcessContext.Process.CmdLine
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, &ev.BaseEvent.ProcessContext.Process)
},
Field: field,
- Weight: eval.FunctionWeight,
+ Weight: 200 * eval.HandlerWeight,
}, nil
case "process.container.id":
return &eval.StringEvaluator{
@@ -664,10 +597,10 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
}
- return ev.BaseEvent.ProcessContext.Parent.CmdLine
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.BaseEvent.ProcessContext.Parent)
},
Field: field,
- Weight: eval.FunctionWeight,
+ Weight: 200 * eval.HandlerWeight,
}, nil
case "process.parent.container.id":
return &eval.StringEvaluator{
@@ -834,13 +767,6 @@ func (ev *Event) GetFields() []eval.Field {
"exit.file.path.length",
"exit.pid",
"exit.ppid",
- "network.destination.ip",
- "network.destination.port",
- "network.l3_protocol",
- "network.l4_protocol",
- "network.size",
- "network.source.ip",
- "network.source.port",
"process.ancestors.cmdline",
"process.ancestors.container.id",
"process.ancestors.created_at",
@@ -887,7 +813,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
case "event.timestamp":
return int(ev.FieldHandlers.ResolveEventTimestamp(ev, &ev.BaseEvent)), nil
case "exec.cmdline":
- return ev.Exec.Process.CmdLine, nil
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exec.Process), nil
case "exec.container.id":
return ev.Exec.Process.ContainerID, nil
case "exec.created_at":
@@ -911,7 +837,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
case "exit.cause":
return int(ev.Exit.Cause), nil
case "exit.cmdline":
- return ev.Exit.Process.CmdLine, nil
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exit.Process), nil
case "exit.code":
return int(ev.Exit.Code), nil
case "exit.container.id":
@@ -934,20 +860,6 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
return int(ev.Exit.Process.PIDContext.Pid), nil
case "exit.ppid":
return int(ev.Exit.Process.PPid), nil
- case "network.destination.ip":
- return ev.BaseEvent.NetworkContext.Destination.IPNet, nil
- case "network.destination.port":
- return int(ev.BaseEvent.NetworkContext.Destination.Port), nil
- case "network.l3_protocol":
- return int(ev.BaseEvent.NetworkContext.L3Protocol), nil
- case "network.l4_protocol":
- return int(ev.BaseEvent.NetworkContext.L4Protocol), nil
- case "network.size":
- return int(ev.BaseEvent.NetworkContext.Size), nil
- case "network.source.ip":
- return ev.BaseEvent.NetworkContext.Source.IPNet, nil
- case "network.source.port":
- return int(ev.BaseEvent.NetworkContext.Source.Port), nil
case "process.ancestors.cmdline":
var values []string
ctx := eval.NewContext(ev)
@@ -955,7 +867,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
ptr := iterator.Front(ctx)
for ptr != nil {
element := (*ProcessCacheEntry)(ptr)
- result := element.ProcessContext.Process.CmdLine
+ result := ev.FieldHandlers.ResolveProcessCmdLine(ev, &element.ProcessContext.Process)
values = append(values, result)
ptr = iterator.Next()
}
@@ -1081,7 +993,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
}
return values, nil
case "process.cmdline":
- return ev.BaseEvent.ProcessContext.Process.CmdLine, nil
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, &ev.BaseEvent.ProcessContext.Process), nil
case "process.container.id":
return ev.BaseEvent.ProcessContext.Process.ContainerID, nil
case "process.created_at":
@@ -1102,7 +1014,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
if !ev.BaseEvent.ProcessContext.HasParent() {
return "", &eval.ErrNotSupported{Field: field}
}
- return ev.BaseEvent.ProcessContext.Parent.CmdLine, nil
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.BaseEvent.ProcessContext.Parent), nil
case "process.parent.container.id":
if !ev.BaseEvent.ProcessContext.HasParent() {
return "", &eval.ErrNotSupported{Field: field}
@@ -1212,20 +1124,6 @@ func (ev *Event) GetFieldEventType(field eval.Field) (eval.EventType, error) {
return "exit", nil
case "exit.ppid":
return "exit", nil
- case "network.destination.ip":
- return "dns", nil
- case "network.destination.port":
- return "dns", nil
- case "network.l3_protocol":
- return "dns", nil
- case "network.l4_protocol":
- return "dns", nil
- case "network.size":
- return "dns", nil
- case "network.source.ip":
- return "dns", nil
- case "network.source.port":
- return "dns", nil
case "process.ancestors.cmdline":
return "*", nil
case "process.ancestors.container.id":
@@ -1353,20 +1251,6 @@ func (ev *Event) GetFieldType(field eval.Field) (reflect.Kind, error) {
return reflect.Int, nil
case "exit.ppid":
return reflect.Int, nil
- case "network.destination.ip":
- return reflect.Struct, nil
- case "network.destination.port":
- return reflect.Int, nil
- case "network.l3_protocol":
- return reflect.Int, nil
- case "network.l4_protocol":
- return reflect.Int, nil
- case "network.size":
- return reflect.Int, nil
- case "network.source.ip":
- return reflect.Struct, nil
- case "network.source.port":
- return reflect.Int, nil
case "process.ancestors.cmdline":
return reflect.String, nil
case "process.ancestors.container.id":
@@ -1704,55 +1588,6 @@ func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error {
}
ev.Exit.Process.PPid = uint32(rv)
return nil
- case "network.destination.ip":
- rv, ok := value.(net.IPNet)
- if !ok {
- return &eval.ErrValueTypeMismatch{Field: "BaseEvent.NetworkContext.Destination.IPNet"}
- }
- ev.BaseEvent.NetworkContext.Destination.IPNet = rv
- return nil
- case "network.destination.port":
- rv, ok := value.(int)
- if !ok {
- return &eval.ErrValueTypeMismatch{Field: "BaseEvent.NetworkContext.Destination.Port"}
- }
- ev.BaseEvent.NetworkContext.Destination.Port = uint16(rv)
- return nil
- case "network.l3_protocol":
- rv, ok := value.(int)
- if !ok {
- return &eval.ErrValueTypeMismatch{Field: "BaseEvent.NetworkContext.L3Protocol"}
- }
- ev.BaseEvent.NetworkContext.L3Protocol = uint16(rv)
- return nil
- case "network.l4_protocol":
- rv, ok := value.(int)
- if !ok {
- return &eval.ErrValueTypeMismatch{Field: "BaseEvent.NetworkContext.L4Protocol"}
- }
- ev.BaseEvent.NetworkContext.L4Protocol = uint16(rv)
- return nil
- case "network.size":
- rv, ok := value.(int)
- if !ok {
- return &eval.ErrValueTypeMismatch{Field: "BaseEvent.NetworkContext.Size"}
- }
- ev.BaseEvent.NetworkContext.Size = uint32(rv)
- return nil
- case "network.source.ip":
- rv, ok := value.(net.IPNet)
- if !ok {
- return &eval.ErrValueTypeMismatch{Field: "BaseEvent.NetworkContext.Source.IPNet"}
- }
- ev.BaseEvent.NetworkContext.Source.IPNet = rv
- return nil
- case "network.source.port":
- rv, ok := value.(int)
- if !ok {
- return &eval.ErrValueTypeMismatch{Field: "BaseEvent.NetworkContext.Source.Port"}
- }
- ev.BaseEvent.NetworkContext.Source.Port = uint16(rv)
- return nil
case "process.ancestors.cmdline":
if ev.BaseEvent.ProcessContext == nil {
ev.BaseEvent.ProcessContext = &ProcessContext{}
diff --git a/pkg/security/secl/model/args_envs.go b/pkg/security/secl/model/args_envs.go
index 1c697af19f401..9de6ab1a43b21 100644
--- a/pkg/security/secl/model/args_envs.go
+++ b/pkg/security/secl/model/args_envs.go
@@ -79,9 +79,7 @@ func (p *EnvsEntry) FilterEnvs(envsWithValue map[string]bool) ([]string, bool) {
}
// FilterEnvs returns an array of environment variable key value pairs matching the desired keys
-//
-//nolint:unused
-func filterEnvs(allEnvVars []string, desiredKeys map[string]bool) []string {
+func FilterEnvs(allEnvVars []string, desiredKeys map[string]bool) []string {
if len(allEnvVars) == 0 {
return nil
}
diff --git a/pkg/security/secl/model/field_accessors_unix.go b/pkg/security/secl/model/field_accessors_unix.go
index 2a20f6a292aa5..5597942d65c5c 100644
--- a/pkg/security/secl/model/field_accessors_unix.go
+++ b/pkg/security/secl/model/field_accessors_unix.go
@@ -17,669 +17,584 @@ import (
// GetBindAddrFamily returns the value of the field, resolving if necessary
func (ev *Event) GetBindAddrFamily() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "bind" {
- return zeroValue
+ return uint16(0)
}
return ev.Bind.AddrFamily
}
// GetBindAddrIp returns the value of the field, resolving if necessary
func (ev *Event) GetBindAddrIp() net.IPNet {
- zeroValue := net.IPNet{}
if ev.GetEventType().String() != "bind" {
- return zeroValue
+ return net.IPNet{}
}
return ev.Bind.Addr.IPNet
}
// GetBindAddrPort returns the value of the field, resolving if necessary
func (ev *Event) GetBindAddrPort() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "bind" {
- return zeroValue
+ return uint16(0)
}
return ev.Bind.Addr.Port
}
// GetBindRetval returns the value of the field, resolving if necessary
func (ev *Event) GetBindRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "bind" {
- return zeroValue
+ return int64(0)
}
return ev.Bind.SyscallEvent.Retval
}
// GetBpfCmd returns the value of the field, resolving if necessary
func (ev *Event) GetBpfCmd() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "bpf" {
- return zeroValue
+ return uint32(0)
}
return ev.BPF.Cmd
}
// GetBpfMapName returns the value of the field, resolving if necessary
func (ev *Event) GetBpfMapName() string {
- zeroValue := ""
if ev.GetEventType().String() != "bpf" {
- return zeroValue
+ return ""
}
return ev.BPF.Map.Name
}
// GetBpfMapType returns the value of the field, resolving if necessary
func (ev *Event) GetBpfMapType() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "bpf" {
- return zeroValue
+ return uint32(0)
}
return ev.BPF.Map.Type
}
// GetBpfProgAttachType returns the value of the field, resolving if necessary
func (ev *Event) GetBpfProgAttachType() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "bpf" {
- return zeroValue
+ return uint32(0)
}
return ev.BPF.Program.AttachType
}
// GetBpfProgHelpers returns the value of the field, resolving if necessary
func (ev *Event) GetBpfProgHelpers() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "bpf" {
- return zeroValue
+ return []uint32{}
}
- resolvedField := ev.BPF.Program.Helpers
- fieldCopy := make([]uint32, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.BPF.Program.Helpers
}
// GetBpfProgName returns the value of the field, resolving if necessary
func (ev *Event) GetBpfProgName() string {
- zeroValue := ""
if ev.GetEventType().String() != "bpf" {
- return zeroValue
+ return ""
}
return ev.BPF.Program.Name
}
// GetBpfProgTag returns the value of the field, resolving if necessary
func (ev *Event) GetBpfProgTag() string {
- zeroValue := ""
if ev.GetEventType().String() != "bpf" {
- return zeroValue
+ return ""
}
return ev.BPF.Program.Tag
}
// GetBpfProgType returns the value of the field, resolving if necessary
func (ev *Event) GetBpfProgType() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "bpf" {
- return zeroValue
+ return uint32(0)
}
return ev.BPF.Program.Type
}
// GetBpfRetval returns the value of the field, resolving if necessary
func (ev *Event) GetBpfRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "bpf" {
- return zeroValue
+ return int64(0)
}
return ev.BPF.SyscallEvent.Retval
}
// GetCapsetCapEffective returns the value of the field, resolving if necessary
func (ev *Event) GetCapsetCapEffective() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "capset" {
- return zeroValue
+ return uint64(0)
}
return ev.Capset.CapEffective
}
// GetCapsetCapPermitted returns the value of the field, resolving if necessary
func (ev *Event) GetCapsetCapPermitted() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "capset" {
- return zeroValue
+ return uint64(0)
}
return ev.Capset.CapPermitted
}
// GetChmodFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return uint64(0)
}
return ev.Chmod.File.FileFields.CTime
}
// GetChmodFileDestinationMode returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileDestinationMode() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return uint32(0)
}
return ev.Chmod.Mode
}
// GetChmodFileDestinationRights returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileDestinationRights() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return uint32(0)
}
return ev.Chmod.Mode
}
// GetChmodFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chmod.File)
}
// GetChmodFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return uint32(0)
}
return ev.Chmod.File.FileFields.GID
}
// GetChmodFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chmod.File.FileFields)
}
// GetChmodFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chmod.File)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chmod.File)
}
// GetChmodFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chmod.File.FileFields)
}
// GetChmodFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return uint64(0)
}
return ev.Chmod.File.FileFields.PathKey.Inode
}
// GetChmodFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return uint16(0)
}
return ev.Chmod.File.FileFields.Mode
}
// GetChmodFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return uint64(0)
}
return ev.Chmod.File.FileFields.MTime
}
// GetChmodFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return uint32(0)
}
return ev.Chmod.File.FileFields.PathKey.MountID
}
// GetChmodFileName returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chmod.File)
}
// GetChmodFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chmod.File))
}
// GetChmodFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chmod.File)
}
// GetChmodFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chmod.File)
}
// GetChmodFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chmod.File)
}
// GetChmodFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chmod.File)
}
// GetChmodFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Chmod.File))
}
// GetChmodFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.Chmod.File.FileFields)
}
// GetChmodFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return uint32(0)
}
return ev.Chmod.File.FileFields.UID
}
// GetChmodFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetChmodFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chmod.File.FileFields)
}
// GetChmodRetval returns the value of the field, resolving if necessary
func (ev *Event) GetChmodRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "chmod" {
- return zeroValue
+ return int64(0)
}
return ev.Chmod.SyscallEvent.Retval
}
// GetChownFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return uint64(0)
}
return ev.Chown.File.FileFields.CTime
}
// GetChownFileDestinationGid returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileDestinationGid() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return int64(0)
}
return ev.Chown.GID
}
// GetChownFileDestinationGroup returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileDestinationGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveChownGID(ev, &ev.Chown)
}
// GetChownFileDestinationUid returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileDestinationUid() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return int64(0)
}
return ev.Chown.UID
}
// GetChownFileDestinationUser returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileDestinationUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveChownUID(ev, &ev.Chown)
}
// GetChownFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chown.File)
}
// GetChownFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return uint32(0)
}
return ev.Chown.File.FileFields.GID
}
// GetChownFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chown.File.FileFields)
}
// GetChownFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chown.File)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chown.File)
}
// GetChownFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chown.File.FileFields)
}
// GetChownFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return uint64(0)
}
return ev.Chown.File.FileFields.PathKey.Inode
}
// GetChownFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return uint16(0)
}
return ev.Chown.File.FileFields.Mode
}
// GetChownFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return uint64(0)
}
return ev.Chown.File.FileFields.MTime
}
// GetChownFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return uint32(0)
}
return ev.Chown.File.FileFields.PathKey.MountID
}
// GetChownFileName returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chown.File)
}
// GetChownFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chown.File))
}
// GetChownFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetChownFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chown.File)
}
// GetChownFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetChownFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chown.File)
}
// GetChownFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetChownFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chown.File)
}
// GetChownFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetChownFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chown.File)
}
// GetChownFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetChownFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Chown.File))
}
// GetChownFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.Chown.File.FileFields)
}
// GetChownFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return uint32(0)
}
return ev.Chown.File.FileFields.UID
}
// GetChownFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetChownFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chown.File.FileFields)
}
// GetChownRetval returns the value of the field, resolving if necessary
func (ev *Event) GetChownRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "chown" {
- return zeroValue
+ return int64(0)
}
return ev.Chown.SyscallEvent.Retval
}
// GetContainerCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetContainerCreatedAt() int {
- zeroValue := 0
if ev.BaseEvent.ContainerContext == nil {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.BaseEvent.ContainerContext)
}
// GetContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetContainerId() string {
- zeroValue := ""
if ev.BaseEvent.ContainerContext == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveContainerID(ev, ev.BaseEvent.ContainerContext)
}
// GetContainerTags returns the value of the field, resolving if necessary
func (ev *Event) GetContainerTags() []string {
- zeroValue := []string{}
if ev.BaseEvent.ContainerContext == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext)
}
// GetDnsId returns the value of the field, resolving if necessary
func (ev *Event) GetDnsId() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return uint16(0)
}
return ev.DNS.ID
}
// GetDnsQuestionClass returns the value of the field, resolving if necessary
func (ev *Event) GetDnsQuestionClass() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return uint16(0)
}
return ev.DNS.Class
}
// GetDnsQuestionCount returns the value of the field, resolving if necessary
func (ev *Event) GetDnsQuestionCount() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return uint16(0)
}
return ev.DNS.Count
}
// GetDnsQuestionLength returns the value of the field, resolving if necessary
func (ev *Event) GetDnsQuestionLength() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return uint16(0)
}
return ev.DNS.Size
}
// GetDnsQuestionName returns the value of the field, resolving if necessary
func (ev *Event) GetDnsQuestionName() string {
- zeroValue := ""
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return ""
}
return ev.DNS.Name
}
// GetDnsQuestionNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetDnsQuestionNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return 0
}
return len(ev.DNS.Name)
}
// GetDnsQuestionType returns the value of the field, resolving if necessary
func (ev *Event) GetDnsQuestionType() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return uint16(0)
}
return ev.DNS.Type
}
@@ -696,269 +611,253 @@ func (ev *Event) GetEventTimestamp() int {
// GetExecArgs returns the value of the field, resolving if necessary
func (ev *Event) GetExecArgs() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Exec.Process)
}
// GetExecArgsFlags returns the value of the field, resolving if necessary
func (ev *Event) GetExecArgsFlags() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return []string{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Exec.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Exec.Process)
}
// GetExecArgsOptions returns the value of the field, resolving if necessary
func (ev *Event) GetExecArgsOptions() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return []string{}
+ }
+ if ev.Exec.Process == nil {
+ return []string{}
+ }
+ return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Exec.Process)
+}
+
+// GetExecArgsScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetExecArgsScrubbed() string {
+ if ev.GetEventType().String() != "exec" {
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Exec.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, ev.Exec.Process)
}
// GetExecArgsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetExecArgsTruncated() bool {
- zeroValue := false
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return false
}
if ev.Exec.Process == nil {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Exec.Process)
}
// GetExecArgv returns the value of the field, resolving if necessary
func (ev *Event) GetExecArgv() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return []string{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.Exec.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Exec.Process)
}
// GetExecArgv0 returns the value of the field, resolving if necessary
func (ev *Event) GetExecArgv0() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Exec.Process)
}
+// GetExecArgvScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetExecArgvScrubbed() []string {
+ if ev.GetEventType().String() != "exec" {
+ return []string{}
+ }
+ if ev.Exec.Process == nil {
+ return []string{}
+ }
+ return ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.Exec.Process)
+}
+
// GetExecCapEffective returns the value of the field, resolving if necessary
func (ev *Event) GetExecCapEffective() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint64(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint64(0)
}
return ev.Exec.Process.Credentials.CapEffective
}
// GetExecCapPermitted returns the value of the field, resolving if necessary
func (ev *Event) GetExecCapPermitted() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint64(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint64(0)
}
return ev.Exec.Process.Credentials.CapPermitted
}
// GetExecComm returns the value of the field, resolving if necessary
func (ev *Event) GetExecComm() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exec.Process.Comm
}
// GetExecContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetExecContainerId() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exec.Process.ContainerID
}
// GetExecCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetExecCreatedAt() int {
- zeroValue := 0
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return 0
}
if ev.Exec.Process == nil {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exec.Process)
}
// GetExecEgid returns the value of the field, resolving if necessary
func (ev *Event) GetExecEgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exec.Process.Credentials.EGID
}
// GetExecEgroup returns the value of the field, resolving if necessary
func (ev *Event) GetExecEgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exec.Process.Credentials.EGroup
}
// GetExecEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetExecEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetExecEnvp() []string {
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return []string{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process)
}
// GetExecEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetExecEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetExecEnvs() []string {
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return []string{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process)
}
// GetExecEnvsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetExecEnvsTruncated() bool {
- zeroValue := false
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return false
}
if ev.Exec.Process == nil {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Exec.Process)
}
// GetExecEuid returns the value of the field, resolving if necessary
func (ev *Event) GetExecEuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exec.Process.Credentials.EUID
}
// GetExecEuser returns the value of the field, resolving if necessary
func (ev *Event) GetExecEuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exec.Process.Credentials.EUser
}
// GetExecExecTime returns the value of the field, resolving if necessary
func (ev *Event) GetExecExecTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return time.Time{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return time.Time{}
}
return ev.Exec.Process.ExecTime
}
// GetExecExitTime returns the value of the field, resolving if necessary
func (ev *Event) GetExecExitTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return time.Time{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return time.Time{}
}
return ev.Exec.Process.ExitTime
}
// GetExecFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint64(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Exec.Process.IsNotKworker() {
return uint64(0)
@@ -968,12 +867,11 @@ func (ev *Event) GetExecFileChangeTime() uint64 {
// GetExecFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.IsNotKworker() {
return ""
@@ -983,12 +881,11 @@ func (ev *Event) GetExecFileFilesystem() string {
// GetExecFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Exec.Process.IsNotKworker() {
return uint32(0)
@@ -998,12 +895,11 @@ func (ev *Event) GetExecFileGid() uint32 {
// GetExecFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.IsNotKworker() {
return ""
@@ -1013,30 +909,25 @@ func (ev *Event) GetExecFileGroup() string {
// GetExecFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return []string{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return []string{}
}
if !ev.Exec.Process.IsNotKworker() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exec.Process.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exec.Process.FileEvent)
}
// GetExecFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return false
}
if ev.Exec.Process == nil {
- return zeroValue
+ return false
}
if !ev.Exec.Process.IsNotKworker() {
return false
@@ -1046,12 +937,11 @@ func (ev *Event) GetExecFileInUpperLayer() bool {
// GetExecFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint64(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Exec.Process.IsNotKworker() {
return uint64(0)
@@ -1061,12 +951,11 @@ func (ev *Event) GetExecFileInode() uint64 {
// GetExecFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint16(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.Exec.Process.IsNotKworker() {
return uint16(0)
@@ -1076,12 +965,11 @@ func (ev *Event) GetExecFileMode() uint16 {
// GetExecFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint64(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Exec.Process.IsNotKworker() {
return uint64(0)
@@ -1091,12 +979,11 @@ func (ev *Event) GetExecFileModificationTime() uint64 {
// GetExecFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Exec.Process.IsNotKworker() {
return uint32(0)
@@ -1106,12 +993,11 @@ func (ev *Event) GetExecFileMountId() uint32 {
// GetExecFileName returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.IsNotKworker() {
return ""
@@ -1121,24 +1007,22 @@ func (ev *Event) GetExecFileName() string {
// GetExecFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return 0
}
if ev.Exec.Process == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent))
}
// GetExecFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetExecFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.IsNotKworker() {
return ""
@@ -1148,12 +1032,11 @@ func (ev *Event) GetExecFilePackageName() string {
// GetExecFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetExecFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.IsNotKworker() {
return ""
@@ -1163,12 +1046,11 @@ func (ev *Event) GetExecFilePackageSourceVersion() string {
// GetExecFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetExecFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.IsNotKworker() {
return ""
@@ -1178,12 +1060,11 @@ func (ev *Event) GetExecFilePackageVersion() string {
// GetExecFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetExecFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.IsNotKworker() {
return ""
@@ -1193,24 +1074,22 @@ func (ev *Event) GetExecFilePath() string {
// GetExecFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetExecFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return 0
}
if ev.Exec.Process == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent))
}
// GetExecFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return 0
}
if ev.Exec.Process == nil {
- return zeroValue
+ return 0
}
if !ev.Exec.Process.IsNotKworker() {
return 0
@@ -1220,12 +1099,11 @@ func (ev *Event) GetExecFileRights() int {
// GetExecFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Exec.Process.IsNotKworker() {
return uint32(0)
@@ -1235,12 +1113,11 @@ func (ev *Event) GetExecFileUid() uint32 {
// GetExecFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.IsNotKworker() {
return ""
@@ -1250,96 +1127,88 @@ func (ev *Event) GetExecFileUser() string {
// GetExecForkTime returns the value of the field, resolving if necessary
func (ev *Event) GetExecForkTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return time.Time{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return time.Time{}
}
return ev.Exec.Process.ForkTime
}
// GetExecFsgid returns the value of the field, resolving if necessary
func (ev *Event) GetExecFsgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exec.Process.Credentials.FSGID
}
// GetExecFsgroup returns the value of the field, resolving if necessary
func (ev *Event) GetExecFsgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exec.Process.Credentials.FSGroup
}
// GetExecFsuid returns the value of the field, resolving if necessary
func (ev *Event) GetExecFsuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exec.Process.Credentials.FSUID
}
// GetExecFsuser returns the value of the field, resolving if necessary
func (ev *Event) GetExecFsuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exec.Process.Credentials.FSUser
}
// GetExecGid returns the value of the field, resolving if necessary
func (ev *Event) GetExecGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exec.Process.Credentials.GID
}
// GetExecGroup returns the value of the field, resolving if necessary
func (ev *Event) GetExecGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exec.Process.Credentials.Group
}
// GetExecInterpreterFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint64(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Exec.Process.HasInterpreter() {
return uint64(0)
@@ -1349,12 +1218,11 @@ func (ev *Event) GetExecInterpreterFileChangeTime() uint64 {
// GetExecInterpreterFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.HasInterpreter() {
return ""
@@ -1364,12 +1232,11 @@ func (ev *Event) GetExecInterpreterFileFilesystem() string {
// GetExecInterpreterFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Exec.Process.HasInterpreter() {
return uint32(0)
@@ -1379,12 +1246,11 @@ func (ev *Event) GetExecInterpreterFileGid() uint32 {
// GetExecInterpreterFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.HasInterpreter() {
return ""
@@ -1394,30 +1260,25 @@ func (ev *Event) GetExecInterpreterFileGroup() string {
// GetExecInterpreterFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return []string{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return []string{}
}
if !ev.Exec.Process.HasInterpreter() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exec.Process.LinuxBinprm.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exec.Process.LinuxBinprm.FileEvent)
}
// GetExecInterpreterFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return false
}
if ev.Exec.Process == nil {
- return zeroValue
+ return false
}
if !ev.Exec.Process.HasInterpreter() {
return false
@@ -1427,12 +1288,11 @@ func (ev *Event) GetExecInterpreterFileInUpperLayer() bool {
// GetExecInterpreterFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint64(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Exec.Process.HasInterpreter() {
return uint64(0)
@@ -1442,12 +1302,11 @@ func (ev *Event) GetExecInterpreterFileInode() uint64 {
// GetExecInterpreterFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint16(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.Exec.Process.HasInterpreter() {
return uint16(0)
@@ -1457,12 +1316,11 @@ func (ev *Event) GetExecInterpreterFileMode() uint16 {
// GetExecInterpreterFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint64(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Exec.Process.HasInterpreter() {
return uint64(0)
@@ -1472,12 +1330,11 @@ func (ev *Event) GetExecInterpreterFileModificationTime() uint64 {
// GetExecInterpreterFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Exec.Process.HasInterpreter() {
return uint32(0)
@@ -1487,12 +1344,11 @@ func (ev *Event) GetExecInterpreterFileMountId() uint32 {
// GetExecInterpreterFileName returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.HasInterpreter() {
return ""
@@ -1502,24 +1358,22 @@ func (ev *Event) GetExecInterpreterFileName() string {
// GetExecInterpreterFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return 0
}
if ev.Exec.Process == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.LinuxBinprm.FileEvent))
}
// GetExecInterpreterFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.HasInterpreter() {
return ""
@@ -1529,12 +1383,11 @@ func (ev *Event) GetExecInterpreterFilePackageName() string {
// GetExecInterpreterFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.HasInterpreter() {
return ""
@@ -1544,12 +1397,11 @@ func (ev *Event) GetExecInterpreterFilePackageSourceVersion() string {
// GetExecInterpreterFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.HasInterpreter() {
return ""
@@ -1559,12 +1411,11 @@ func (ev *Event) GetExecInterpreterFilePackageVersion() string {
// GetExecInterpreterFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.HasInterpreter() {
return ""
@@ -1574,24 +1425,22 @@ func (ev *Event) GetExecInterpreterFilePath() string {
// GetExecInterpreterFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return 0
}
if ev.Exec.Process == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.LinuxBinprm.FileEvent))
}
// GetExecInterpreterFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return 0
}
if ev.Exec.Process == nil {
- return zeroValue
+ return 0
}
if !ev.Exec.Process.HasInterpreter() {
return 0
@@ -1601,12 +1450,11 @@ func (ev *Event) GetExecInterpreterFileRights() int {
// GetExecInterpreterFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Exec.Process.HasInterpreter() {
return uint32(0)
@@ -1616,12 +1464,11 @@ func (ev *Event) GetExecInterpreterFileUid() uint32 {
// GetExecInterpreterFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetExecInterpreterFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exec.Process.HasInterpreter() {
return ""
@@ -1631,422 +1478,390 @@ func (ev *Event) GetExecInterpreterFileUser() string {
// GetExecIsKworker returns the value of the field, resolving if necessary
func (ev *Event) GetExecIsKworker() bool {
- zeroValue := false
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return false
}
if ev.Exec.Process == nil {
- return zeroValue
+ return false
}
return ev.Exec.Process.PIDContext.IsKworker
}
// GetExecIsThread returns the value of the field, resolving if necessary
func (ev *Event) GetExecIsThread() bool {
- zeroValue := false
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return false
}
if ev.Exec.Process == nil {
- return zeroValue
+ return false
}
return ev.Exec.Process.IsThread
}
// GetExecPid returns the value of the field, resolving if necessary
func (ev *Event) GetExecPid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exec.Process.PIDContext.Pid
}
// GetExecPpid returns the value of the field, resolving if necessary
func (ev *Event) GetExecPpid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exec.Process.PPid
}
// GetExecTid returns the value of the field, resolving if necessary
func (ev *Event) GetExecTid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exec.Process.PIDContext.Tid
}
// GetExecTtyName returns the value of the field, resolving if necessary
func (ev *Event) GetExecTtyName() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exec.Process.TTYName
}
// GetExecUid returns the value of the field, resolving if necessary
func (ev *Event) GetExecUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exec.Process.Credentials.UID
}
// GetExecUser returns the value of the field, resolving if necessary
func (ev *Event) GetExecUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exec.Process.Credentials.User
}
// GetExecUserSessionK8sGroups returns the value of the field, resolving if necessary
func (ev *Event) GetExecUserSessionK8sGroups() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return []string{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Exec.Process.UserSession)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Exec.Process.UserSession)
}
// GetExecUserSessionK8sUid returns the value of the field, resolving if necessary
func (ev *Event) GetExecUserSessionK8sUid() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Exec.Process.UserSession)
}
// GetExecUserSessionK8sUsername returns the value of the field, resolving if necessary
func (ev *Event) GetExecUserSessionK8sUsername() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Exec.Process.UserSession)
}
// GetExitArgs returns the value of the field, resolving if necessary
func (ev *Event) GetExitArgs() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Exit.Process)
}
// GetExitArgsFlags returns the value of the field, resolving if necessary
func (ev *Event) GetExitArgsFlags() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return []string{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Exit.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Exit.Process)
}
// GetExitArgsOptions returns the value of the field, resolving if necessary
func (ev *Event) GetExitArgsOptions() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return []string{}
+ }
+ if ev.Exit.Process == nil {
+ return []string{}
+ }
+ return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Exit.Process)
+}
+
+// GetExitArgsScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetExitArgsScrubbed() string {
+ if ev.GetEventType().String() != "exit" {
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Exit.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, ev.Exit.Process)
}
// GetExitArgsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetExitArgsTruncated() bool {
- zeroValue := false
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return false
}
if ev.Exit.Process == nil {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Exit.Process)
}
// GetExitArgv returns the value of the field, resolving if necessary
func (ev *Event) GetExitArgv() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return []string{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.Exit.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Exit.Process)
}
// GetExitArgv0 returns the value of the field, resolving if necessary
func (ev *Event) GetExitArgv0() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Exit.Process)
}
-// GetExitCapEffective returns the value of the field, resolving if necessary
-func (ev *Event) GetExitCapEffective() uint64 {
- zeroValue := uint64(0)
+// GetExitArgvScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetExitArgvScrubbed() []string {
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return []string{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return []string{}
}
- return ev.Exit.Process.Credentials.CapEffective
+ return ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.Exit.Process)
+}
+
+// GetExitCapEffective returns the value of the field, resolving if necessary
+func (ev *Event) GetExitCapEffective() uint64 {
+ if ev.GetEventType().String() != "exit" {
+ return uint64(0)
+ }
+ if ev.Exit.Process == nil {
+ return uint64(0)
+ }
+ return ev.Exit.Process.Credentials.CapEffective
}
// GetExitCapPermitted returns the value of the field, resolving if necessary
func (ev *Event) GetExitCapPermitted() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint64(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint64(0)
}
return ev.Exit.Process.Credentials.CapPermitted
}
// GetExitCause returns the value of the field, resolving if necessary
func (ev *Event) GetExitCause() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Cause
}
// GetExitCode returns the value of the field, resolving if necessary
func (ev *Event) GetExitCode() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Code
}
// GetExitComm returns the value of the field, resolving if necessary
func (ev *Event) GetExitComm() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exit.Process.Comm
}
// GetExitContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetExitContainerId() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exit.Process.ContainerID
}
// GetExitCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetExitCreatedAt() int {
- zeroValue := 0
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return 0
}
if ev.Exit.Process == nil {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exit.Process)
}
// GetExitEgid returns the value of the field, resolving if necessary
func (ev *Event) GetExitEgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Process.Credentials.EGID
}
// GetExitEgroup returns the value of the field, resolving if necessary
func (ev *Event) GetExitEgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exit.Process.Credentials.EGroup
}
// GetExitEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetExitEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetExitEnvp() []string {
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return []string{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process)
}
// GetExitEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetExitEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetExitEnvs() []string {
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return []string{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process)
}
// GetExitEnvsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetExitEnvsTruncated() bool {
- zeroValue := false
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return false
}
if ev.Exit.Process == nil {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Exit.Process)
}
// GetExitEuid returns the value of the field, resolving if necessary
func (ev *Event) GetExitEuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Process.Credentials.EUID
}
// GetExitEuser returns the value of the field, resolving if necessary
func (ev *Event) GetExitEuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exit.Process.Credentials.EUser
}
// GetExitExecTime returns the value of the field, resolving if necessary
func (ev *Event) GetExitExecTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return time.Time{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return time.Time{}
}
return ev.Exit.Process.ExecTime
}
// GetExitExitTime returns the value of the field, resolving if necessary
func (ev *Event) GetExitExitTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return time.Time{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return time.Time{}
}
return ev.Exit.Process.ExitTime
}
// GetExitFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint64(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Exit.Process.IsNotKworker() {
return uint64(0)
@@ -2056,12 +1871,11 @@ func (ev *Event) GetExitFileChangeTime() uint64 {
// GetExitFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.IsNotKworker() {
return ""
@@ -2071,12 +1885,11 @@ func (ev *Event) GetExitFileFilesystem() string {
// GetExitFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Exit.Process.IsNotKworker() {
return uint32(0)
@@ -2086,12 +1899,11 @@ func (ev *Event) GetExitFileGid() uint32 {
// GetExitFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.IsNotKworker() {
return ""
@@ -2101,30 +1913,25 @@ func (ev *Event) GetExitFileGroup() string {
// GetExitFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return []string{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return []string{}
}
if !ev.Exit.Process.IsNotKworker() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exit.Process.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exit.Process.FileEvent)
}
// GetExitFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return false
}
if ev.Exit.Process == nil {
- return zeroValue
+ return false
}
if !ev.Exit.Process.IsNotKworker() {
return false
@@ -2134,12 +1941,11 @@ func (ev *Event) GetExitFileInUpperLayer() bool {
// GetExitFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint64(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Exit.Process.IsNotKworker() {
return uint64(0)
@@ -2149,12 +1955,11 @@ func (ev *Event) GetExitFileInode() uint64 {
// GetExitFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint16(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.Exit.Process.IsNotKworker() {
return uint16(0)
@@ -2164,12 +1969,11 @@ func (ev *Event) GetExitFileMode() uint16 {
// GetExitFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint64(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Exit.Process.IsNotKworker() {
return uint64(0)
@@ -2179,12 +1983,11 @@ func (ev *Event) GetExitFileModificationTime() uint64 {
// GetExitFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Exit.Process.IsNotKworker() {
return uint32(0)
@@ -2194,12 +1997,11 @@ func (ev *Event) GetExitFileMountId() uint32 {
// GetExitFileName returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.IsNotKworker() {
return ""
@@ -2209,24 +2011,22 @@ func (ev *Event) GetExitFileName() string {
// GetExitFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return 0
}
if ev.Exit.Process == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent))
}
// GetExitFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetExitFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.IsNotKworker() {
return ""
@@ -2236,12 +2036,11 @@ func (ev *Event) GetExitFilePackageName() string {
// GetExitFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetExitFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.IsNotKworker() {
return ""
@@ -2251,12 +2050,11 @@ func (ev *Event) GetExitFilePackageSourceVersion() string {
// GetExitFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetExitFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.IsNotKworker() {
return ""
@@ -2266,12 +2064,11 @@ func (ev *Event) GetExitFilePackageVersion() string {
// GetExitFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetExitFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.IsNotKworker() {
return ""
@@ -2281,24 +2078,22 @@ func (ev *Event) GetExitFilePath() string {
// GetExitFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetExitFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return 0
}
if ev.Exit.Process == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent))
}
// GetExitFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return 0
}
if ev.Exit.Process == nil {
- return zeroValue
+ return 0
}
if !ev.Exit.Process.IsNotKworker() {
return 0
@@ -2308,12 +2103,11 @@ func (ev *Event) GetExitFileRights() int {
// GetExitFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Exit.Process.IsNotKworker() {
return uint32(0)
@@ -2323,12 +2117,11 @@ func (ev *Event) GetExitFileUid() uint32 {
// GetExitFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.IsNotKworker() {
return ""
@@ -2338,96 +2131,88 @@ func (ev *Event) GetExitFileUser() string {
// GetExitForkTime returns the value of the field, resolving if necessary
func (ev *Event) GetExitForkTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return time.Time{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return time.Time{}
}
return ev.Exit.Process.ForkTime
}
// GetExitFsgid returns the value of the field, resolving if necessary
func (ev *Event) GetExitFsgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Process.Credentials.FSGID
}
// GetExitFsgroup returns the value of the field, resolving if necessary
func (ev *Event) GetExitFsgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exit.Process.Credentials.FSGroup
}
// GetExitFsuid returns the value of the field, resolving if necessary
func (ev *Event) GetExitFsuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Process.Credentials.FSUID
}
// GetExitFsuser returns the value of the field, resolving if necessary
func (ev *Event) GetExitFsuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exit.Process.Credentials.FSUser
}
// GetExitGid returns the value of the field, resolving if necessary
func (ev *Event) GetExitGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Process.Credentials.GID
}
// GetExitGroup returns the value of the field, resolving if necessary
func (ev *Event) GetExitGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exit.Process.Credentials.Group
}
// GetExitInterpreterFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint64(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Exit.Process.HasInterpreter() {
return uint64(0)
@@ -2437,12 +2222,11 @@ func (ev *Event) GetExitInterpreterFileChangeTime() uint64 {
// GetExitInterpreterFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.HasInterpreter() {
return ""
@@ -2452,12 +2236,11 @@ func (ev *Event) GetExitInterpreterFileFilesystem() string {
// GetExitInterpreterFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Exit.Process.HasInterpreter() {
return uint32(0)
@@ -2467,12 +2250,11 @@ func (ev *Event) GetExitInterpreterFileGid() uint32 {
// GetExitInterpreterFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.HasInterpreter() {
return ""
@@ -2482,30 +2264,25 @@ func (ev *Event) GetExitInterpreterFileGroup() string {
// GetExitInterpreterFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return []string{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return []string{}
}
if !ev.Exit.Process.HasInterpreter() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exit.Process.LinuxBinprm.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exit.Process.LinuxBinprm.FileEvent)
}
// GetExitInterpreterFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return false
}
if ev.Exit.Process == nil {
- return zeroValue
+ return false
}
if !ev.Exit.Process.HasInterpreter() {
return false
@@ -2515,12 +2292,11 @@ func (ev *Event) GetExitInterpreterFileInUpperLayer() bool {
// GetExitInterpreterFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint64(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Exit.Process.HasInterpreter() {
return uint64(0)
@@ -2530,12 +2306,11 @@ func (ev *Event) GetExitInterpreterFileInode() uint64 {
// GetExitInterpreterFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint16(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.Exit.Process.HasInterpreter() {
return uint16(0)
@@ -2545,12 +2320,11 @@ func (ev *Event) GetExitInterpreterFileMode() uint16 {
// GetExitInterpreterFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint64(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Exit.Process.HasInterpreter() {
return uint64(0)
@@ -2560,12 +2334,11 @@ func (ev *Event) GetExitInterpreterFileModificationTime() uint64 {
// GetExitInterpreterFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Exit.Process.HasInterpreter() {
return uint32(0)
@@ -2575,12 +2348,11 @@ func (ev *Event) GetExitInterpreterFileMountId() uint32 {
// GetExitInterpreterFileName returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.HasInterpreter() {
return ""
@@ -2590,24 +2362,22 @@ func (ev *Event) GetExitInterpreterFileName() string {
// GetExitInterpreterFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return 0
}
if ev.Exit.Process == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.LinuxBinprm.FileEvent))
}
// GetExitInterpreterFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.HasInterpreter() {
return ""
@@ -2617,12 +2387,11 @@ func (ev *Event) GetExitInterpreterFilePackageName() string {
// GetExitInterpreterFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.HasInterpreter() {
return ""
@@ -2632,12 +2401,11 @@ func (ev *Event) GetExitInterpreterFilePackageSourceVersion() string {
// GetExitInterpreterFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.HasInterpreter() {
return ""
@@ -2647,12 +2415,11 @@ func (ev *Event) GetExitInterpreterFilePackageVersion() string {
// GetExitInterpreterFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.HasInterpreter() {
return ""
@@ -2662,24 +2429,22 @@ func (ev *Event) GetExitInterpreterFilePath() string {
// GetExitInterpreterFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return 0
}
if ev.Exit.Process == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.LinuxBinprm.FileEvent))
}
// GetExitInterpreterFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return 0
}
if ev.Exit.Process == nil {
- return zeroValue
+ return 0
}
if !ev.Exit.Process.HasInterpreter() {
return 0
@@ -2689,12 +2454,11 @@ func (ev *Event) GetExitInterpreterFileRights() int {
// GetExitInterpreterFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Exit.Process.HasInterpreter() {
return uint32(0)
@@ -2704,12 +2468,11 @@ func (ev *Event) GetExitInterpreterFileUid() uint32 {
// GetExitInterpreterFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetExitInterpreterFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
if !ev.Exit.Process.HasInterpreter() {
return ""
@@ -2719,1536 +2482,1356 @@ func (ev *Event) GetExitInterpreterFileUser() string {
// GetExitIsKworker returns the value of the field, resolving if necessary
func (ev *Event) GetExitIsKworker() bool {
- zeroValue := false
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return false
}
if ev.Exit.Process == nil {
- return zeroValue
+ return false
}
return ev.Exit.Process.PIDContext.IsKworker
}
// GetExitIsThread returns the value of the field, resolving if necessary
func (ev *Event) GetExitIsThread() bool {
- zeroValue := false
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return false
}
if ev.Exit.Process == nil {
- return zeroValue
+ return false
}
return ev.Exit.Process.IsThread
}
// GetExitPid returns the value of the field, resolving if necessary
func (ev *Event) GetExitPid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Process.PIDContext.Pid
}
// GetExitPpid returns the value of the field, resolving if necessary
func (ev *Event) GetExitPpid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Process.PPid
}
// GetExitTid returns the value of the field, resolving if necessary
func (ev *Event) GetExitTid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Process.PIDContext.Tid
}
// GetExitTtyName returns the value of the field, resolving if necessary
func (ev *Event) GetExitTtyName() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exit.Process.TTYName
}
// GetExitUid returns the value of the field, resolving if necessary
func (ev *Event) GetExitUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Process.Credentials.UID
}
// GetExitUser returns the value of the field, resolving if necessary
func (ev *Event) GetExitUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exit.Process.Credentials.User
}
// GetExitUserSessionK8sGroups returns the value of the field, resolving if necessary
func (ev *Event) GetExitUserSessionK8sGroups() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return []string{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Exit.Process.UserSession)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Exit.Process.UserSession)
}
// GetExitUserSessionK8sUid returns the value of the field, resolving if necessary
func (ev *Event) GetExitUserSessionK8sUid() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Exit.Process.UserSession)
}
// GetExitUserSessionK8sUsername returns the value of the field, resolving if necessary
func (ev *Event) GetExitUserSessionK8sUsername() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Exit.Process.UserSession)
}
// GetLinkFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint64(0)
}
return ev.Link.Source.FileFields.CTime
}
// GetLinkFileDestinationChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint64(0)
}
return ev.Link.Target.FileFields.CTime
}
// GetLinkFileDestinationFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Link.Target)
}
// GetLinkFileDestinationGid returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint32(0)
}
return ev.Link.Target.FileFields.GID
}
// GetLinkFileDestinationGroup returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Link.Target.FileFields)
}
// GetLinkFileDestinationHashes returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Link.Target)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Link.Target)
}
// GetLinkFileDestinationInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Link.Target.FileFields)
}
// GetLinkFileDestinationInode returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint64(0)
}
return ev.Link.Target.FileFields.PathKey.Inode
}
// GetLinkFileDestinationMode returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint16(0)
}
return ev.Link.Target.FileFields.Mode
}
// GetLinkFileDestinationModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint64(0)
}
return ev.Link.Target.FileFields.MTime
}
// GetLinkFileDestinationMountId returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint32(0)
}
return ev.Link.Target.FileFields.PathKey.MountID
}
// GetLinkFileDestinationName returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationName() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Target)
}
// GetLinkFileDestinationNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Target))
}
// GetLinkFileDestinationPackageName returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationPackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.Link.Target)
}
// GetLinkFileDestinationPackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationPackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Link.Target)
}
// GetLinkFileDestinationPackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationPackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Link.Target)
}
// GetLinkFileDestinationPath returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationPath() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Target)
}
// GetLinkFileDestinationPathLength returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationPathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Target))
}
// GetLinkFileDestinationRights returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.Link.Target.FileFields)
}
// GetLinkFileDestinationUid returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint32(0)
}
return ev.Link.Target.FileFields.UID
}
// GetLinkFileDestinationUser returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileDestinationUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Link.Target.FileFields)
}
// GetLinkFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Link.Source)
}
// GetLinkFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint32(0)
}
return ev.Link.Source.FileFields.GID
}
// GetLinkFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Link.Source.FileFields)
}
// GetLinkFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Link.Source)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Link.Source)
}
// GetLinkFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Link.Source.FileFields)
}
// GetLinkFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint64(0)
}
return ev.Link.Source.FileFields.PathKey.Inode
}
// GetLinkFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint16(0)
}
return ev.Link.Source.FileFields.Mode
}
// GetLinkFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint64(0)
}
return ev.Link.Source.FileFields.MTime
}
// GetLinkFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint32(0)
}
return ev.Link.Source.FileFields.PathKey.MountID
}
// GetLinkFileName returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Source)
}
// GetLinkFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Source))
}
// GetLinkFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.Link.Source)
}
// GetLinkFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Link.Source)
}
// GetLinkFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Link.Source)
}
// GetLinkFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Source)
}
// GetLinkFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Source))
}
// GetLinkFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.Link.Source.FileFields)
}
// GetLinkFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return uint32(0)
}
return ev.Link.Source.FileFields.UID
}
// GetLinkFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetLinkFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Link.Source.FileFields)
}
// GetLinkRetval returns the value of the field, resolving if necessary
func (ev *Event) GetLinkRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "link" {
- return zeroValue
+ return int64(0)
}
return ev.Link.SyscallEvent.Retval
}
// GetLoadModuleArgs returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleArgs() string {
- zeroValue := ""
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveModuleArgs(ev, &ev.LoadModule)
}
// GetLoadModuleArgsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleArgsTruncated() bool {
- zeroValue := false
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return false
}
return ev.LoadModule.ArgsTruncated
}
// GetLoadModuleArgv returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleArgv() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveModuleArgv(ev, &ev.LoadModule)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveModuleArgv(ev, &ev.LoadModule)
}
// GetLoadModuleFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return uint64(0)
}
return ev.LoadModule.File.FileFields.CTime
}
// GetLoadModuleFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.LoadModule.File)
}
// GetLoadModuleFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return uint32(0)
}
return ev.LoadModule.File.FileFields.GID
}
// GetLoadModuleFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.LoadModule.File.FileFields)
}
// GetLoadModuleFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.LoadModule.File)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.LoadModule.File)
}
// GetLoadModuleFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.LoadModule.File.FileFields)
}
// GetLoadModuleFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return uint64(0)
}
return ev.LoadModule.File.FileFields.PathKey.Inode
}
// GetLoadModuleFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return uint16(0)
}
return ev.LoadModule.File.FileFields.Mode
}
// GetLoadModuleFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return uint64(0)
}
return ev.LoadModule.File.FileFields.MTime
}
// GetLoadModuleFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return uint32(0)
}
return ev.LoadModule.File.FileFields.PathKey.MountID
}
// GetLoadModuleFileName returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.LoadModule.File)
}
// GetLoadModuleFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.LoadModule.File))
}
// GetLoadModuleFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.LoadModule.File)
}
// GetLoadModuleFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.LoadModule.File)
}
// GetLoadModuleFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.LoadModule.File)
}
// GetLoadModuleFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.LoadModule.File)
}
// GetLoadModuleFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.LoadModule.File))
}
// GetLoadModuleFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.LoadModule.File.FileFields)
}
// GetLoadModuleFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return uint32(0)
}
return ev.LoadModule.File.FileFields.UID
}
// GetLoadModuleFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.LoadModule.File.FileFields)
}
// GetLoadModuleLoadedFromMemory returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleLoadedFromMemory() bool {
- zeroValue := false
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return false
}
return ev.LoadModule.LoadedFromMemory
}
// GetLoadModuleName returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleName() string {
- zeroValue := ""
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return ""
}
return ev.LoadModule.Name
}
// GetLoadModuleRetval returns the value of the field, resolving if necessary
func (ev *Event) GetLoadModuleRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "load_module" {
- return zeroValue
+ return int64(0)
}
return ev.LoadModule.SyscallEvent.Retval
}
// GetMkdirFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return uint64(0)
}
return ev.Mkdir.File.FileFields.CTime
}
// GetMkdirFileDestinationMode returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileDestinationMode() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return uint32(0)
}
return ev.Mkdir.Mode
}
// GetMkdirFileDestinationRights returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileDestinationRights() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return uint32(0)
}
return ev.Mkdir.Mode
}
// GetMkdirFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Mkdir.File)
}
// GetMkdirFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return uint32(0)
}
return ev.Mkdir.File.FileFields.GID
}
// GetMkdirFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Mkdir.File.FileFields)
}
// GetMkdirFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Mkdir.File)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Mkdir.File)
}
// GetMkdirFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Mkdir.File.FileFields)
}
// GetMkdirFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return uint64(0)
}
return ev.Mkdir.File.FileFields.PathKey.Inode
}
// GetMkdirFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return uint16(0)
}
return ev.Mkdir.File.FileFields.Mode
}
// GetMkdirFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return uint64(0)
}
return ev.Mkdir.File.FileFields.MTime
}
// GetMkdirFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return uint32(0)
}
return ev.Mkdir.File.FileFields.PathKey.MountID
}
// GetMkdirFileName returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Mkdir.File)
}
// GetMkdirFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Mkdir.File))
}
// GetMkdirFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.Mkdir.File)
}
// GetMkdirFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Mkdir.File)
}
// GetMkdirFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Mkdir.File)
}
// GetMkdirFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Mkdir.File)
}
// GetMkdirFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Mkdir.File))
}
// GetMkdirFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.Mkdir.File.FileFields)
}
// GetMkdirFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return uint32(0)
}
return ev.Mkdir.File.FileFields.UID
}
// GetMkdirFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Mkdir.File.FileFields)
}
// GetMkdirRetval returns the value of the field, resolving if necessary
func (ev *Event) GetMkdirRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "mkdir" {
- return zeroValue
+ return int64(0)
}
return ev.Mkdir.SyscallEvent.Retval
}
// GetMmapFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return uint64(0)
}
return ev.MMap.File.FileFields.CTime
}
// GetMmapFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.MMap.File)
}
// GetMmapFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return uint32(0)
}
return ev.MMap.File.FileFields.GID
}
// GetMmapFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.MMap.File.FileFields)
}
// GetMmapFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.MMap.File)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.MMap.File)
}
// GetMmapFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.MMap.File.FileFields)
}
// GetMmapFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return uint64(0)
}
return ev.MMap.File.FileFields.PathKey.Inode
}
// GetMmapFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return uint16(0)
}
return ev.MMap.File.FileFields.Mode
}
// GetMmapFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return uint64(0)
}
return ev.MMap.File.FileFields.MTime
}
// GetMmapFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return uint32(0)
}
return ev.MMap.File.FileFields.PathKey.MountID
}
// GetMmapFileName returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.MMap.File)
}
// GetMmapFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.MMap.File))
}
// GetMmapFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.MMap.File)
}
// GetMmapFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.MMap.File)
}
// GetMmapFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.MMap.File)
}
// GetMmapFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.MMap.File)
}
// GetMmapFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.MMap.File))
}
// GetMmapFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.MMap.File.FileFields)
}
// GetMmapFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return uint32(0)
}
return ev.MMap.File.FileFields.UID
}
// GetMmapFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.MMap.File.FileFields)
}
// GetMmapFlags returns the value of the field, resolving if necessary
func (ev *Event) GetMmapFlags() int {
- zeroValue := 0
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return 0
}
return ev.MMap.Flags
}
// GetMmapProtection returns the value of the field, resolving if necessary
func (ev *Event) GetMmapProtection() int {
- zeroValue := 0
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return 0
}
return ev.MMap.Protection
}
// GetMmapRetval returns the value of the field, resolving if necessary
func (ev *Event) GetMmapRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "mmap" {
- return zeroValue
+ return int64(0)
}
return ev.MMap.SyscallEvent.Retval
}
// GetMountFsType returns the value of the field, resolving if necessary
func (ev *Event) GetMountFsType() string {
- zeroValue := ""
if ev.GetEventType().String() != "mount" {
- return zeroValue
+ return ""
}
return ev.Mount.Mount.FSType
}
// GetMountMountpointPath returns the value of the field, resolving if necessary
func (ev *Event) GetMountMountpointPath() string {
- zeroValue := ""
if ev.GetEventType().String() != "mount" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveMountPointPath(ev, &ev.Mount)
}
// GetMountRetval returns the value of the field, resolving if necessary
func (ev *Event) GetMountRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "mount" {
- return zeroValue
+ return int64(0)
}
return ev.Mount.SyscallEvent.Retval
}
+// GetMountRootPath returns the value of the field, resolving if necessary
+func (ev *Event) GetMountRootPath() string {
+ if ev.GetEventType().String() != "mount" {
+ return ""
+ }
+ return ev.FieldHandlers.ResolveMountRootPath(ev, &ev.Mount)
+}
+
// GetMountSourcePath returns the value of the field, resolving if necessary
func (ev *Event) GetMountSourcePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "mount" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveMountSourcePath(ev, &ev.Mount)
}
// GetMprotectReqProtection returns the value of the field, resolving if necessary
func (ev *Event) GetMprotectReqProtection() int {
- zeroValue := 0
if ev.GetEventType().String() != "mprotect" {
- return zeroValue
+ return 0
}
return ev.MProtect.ReqProtection
}
// GetMprotectRetval returns the value of the field, resolving if necessary
func (ev *Event) GetMprotectRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "mprotect" {
- return zeroValue
+ return int64(0)
}
return ev.MProtect.SyscallEvent.Retval
}
// GetMprotectVmProtection returns the value of the field, resolving if necessary
func (ev *Event) GetMprotectVmProtection() int {
- zeroValue := 0
if ev.GetEventType().String() != "mprotect" {
- return zeroValue
+ return 0
}
return ev.MProtect.VMProtection
}
// GetNetworkDestinationIp returns the value of the field, resolving if necessary
func (ev *Event) GetNetworkDestinationIp() net.IPNet {
- zeroValue := net.IPNet{}
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return net.IPNet{}
}
return ev.NetworkContext.Destination.IPNet
}
// GetNetworkDestinationPort returns the value of the field, resolving if necessary
func (ev *Event) GetNetworkDestinationPort() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return uint16(0)
}
return ev.NetworkContext.Destination.Port
}
// GetNetworkDeviceIfindex returns the value of the field, resolving if necessary
func (ev *Event) GetNetworkDeviceIfindex() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return uint32(0)
}
return ev.NetworkContext.Device.IfIndex
}
// GetNetworkDeviceIfname returns the value of the field, resolving if necessary
func (ev *Event) GetNetworkDeviceIfname() string {
- zeroValue := ""
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveNetworkDeviceIfName(ev, &ev.NetworkContext.Device)
}
// GetNetworkL3Protocol returns the value of the field, resolving if necessary
func (ev *Event) GetNetworkL3Protocol() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return uint16(0)
}
return ev.NetworkContext.L3Protocol
}
// GetNetworkL4Protocol returns the value of the field, resolving if necessary
func (ev *Event) GetNetworkL4Protocol() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return uint16(0)
}
return ev.NetworkContext.L4Protocol
}
// GetNetworkSize returns the value of the field, resolving if necessary
func (ev *Event) GetNetworkSize() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return uint32(0)
}
return ev.NetworkContext.Size
}
// GetNetworkSourceIp returns the value of the field, resolving if necessary
func (ev *Event) GetNetworkSourceIp() net.IPNet {
- zeroValue := net.IPNet{}
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return net.IPNet{}
}
return ev.NetworkContext.Source.IPNet
}
// GetNetworkSourcePort returns the value of the field, resolving if necessary
func (ev *Event) GetNetworkSourcePort() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "dns" {
- return zeroValue
+ return uint16(0)
}
return ev.NetworkContext.Source.Port
}
// GetOpenFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return uint64(0)
}
return ev.Open.File.FileFields.CTime
}
// GetOpenFileDestinationMode returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileDestinationMode() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return uint32(0)
}
return ev.Open.Mode
}
// GetOpenFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Open.File)
}
// GetOpenFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return uint32(0)
}
return ev.Open.File.FileFields.GID
}
// GetOpenFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Open.File.FileFields)
}
// GetOpenFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Open.File)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Open.File)
}
// GetOpenFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Open.File.FileFields)
}
// GetOpenFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return uint64(0)
}
return ev.Open.File.FileFields.PathKey.Inode
}
// GetOpenFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return uint16(0)
}
return ev.Open.File.FileFields.Mode
}
// GetOpenFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return uint64(0)
}
return ev.Open.File.FileFields.MTime
}
// GetOpenFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return uint32(0)
}
return ev.Open.File.FileFields.PathKey.MountID
}
// GetOpenFileName returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Open.File)
}
// GetOpenFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Open.File))
}
// GetOpenFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.Open.File)
}
// GetOpenFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Open.File)
}
// GetOpenFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Open.File)
}
// GetOpenFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Open.File)
}
// GetOpenFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Open.File))
}
// GetOpenFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.Open.File.FileFields)
}
// GetOpenFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return uint32(0)
}
return ev.Open.File.FileFields.UID
}
// GetOpenFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Open.File.FileFields)
}
// GetOpenFlags returns the value of the field, resolving if necessary
func (ev *Event) GetOpenFlags() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return uint32(0)
}
return ev.Open.Flags
}
// GetOpenRetval returns the value of the field, resolving if necessary
func (ev *Event) GetOpenRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "open" {
- return zeroValue
+ return int64(0)
}
return ev.Open.SyscallEvent.Retval
}
// GetProcessAncestorsArgs returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsArgs() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4265,12 +3848,11 @@ func (ev *Event) GetProcessAncestorsArgs() []string {
// GetProcessAncestorsArgsFlags returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsArgsFlags() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4287,12 +3869,11 @@ func (ev *Event) GetProcessAncestorsArgsFlags() []string {
// GetProcessAncestorsArgsOptions returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsArgsOptions() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4307,14 +3888,34 @@ func (ev *Event) GetProcessAncestorsArgsOptions() []string {
return values
}
+// GetProcessAncestorsArgsScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetProcessAncestorsArgsScrubbed() []string {
+ if ev.BaseEvent.ProcessContext == nil {
+ return []string{}
+ }
+ if ev.BaseEvent.ProcessContext.Ancestor == nil {
+ return []string{}
+ }
+ var values []string
+ ctx := eval.NewContext(ev)
+ iterator := &ProcessAncestorsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := (*ProcessCacheEntry)(ptr)
+ result := ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, &element.ProcessContext.Process)
+ values = append(values, result)
+ ptr = iterator.Next()
+ }
+ return values
+}
+
// GetProcessAncestorsArgsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsArgsTruncated() []bool {
- zeroValue := []bool{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []bool{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -4331,12 +3932,11 @@ func (ev *Event) GetProcessAncestorsArgsTruncated() []bool {
// GetProcessAncestorsArgv returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsArgv() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4344,7 +3944,7 @@ func (ev *Event) GetProcessAncestorsArgv() []string {
ptr := iterator.Front(ctx)
for ptr != nil {
element := (*ProcessCacheEntry)(ptr)
- result := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &element.ProcessContext.Process)
+ result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process)
values = append(values, result...)
ptr = iterator.Next()
}
@@ -4353,12 +3953,11 @@ func (ev *Event) GetProcessAncestorsArgv() []string {
// GetProcessAncestorsArgv0 returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsArgv0() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4373,14 +3972,34 @@ func (ev *Event) GetProcessAncestorsArgv0() []string {
return values
}
+// GetProcessAncestorsArgvScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetProcessAncestorsArgvScrubbed() []string {
+ if ev.BaseEvent.ProcessContext == nil {
+ return []string{}
+ }
+ if ev.BaseEvent.ProcessContext.Ancestor == nil {
+ return []string{}
+ }
+ var values []string
+ ctx := eval.NewContext(ev)
+ iterator := &ProcessAncestorsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := (*ProcessCacheEntry)(ptr)
+ result := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &element.ProcessContext.Process)
+ values = append(values, result...)
+ ptr = iterator.Next()
+ }
+ return values
+}
+
// GetProcessAncestorsCapEffective returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsCapEffective() []uint64 {
- zeroValue := []uint64{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint64{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -4397,12 +4016,11 @@ func (ev *Event) GetProcessAncestorsCapEffective() []uint64 {
// GetProcessAncestorsCapPermitted returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsCapPermitted() []uint64 {
- zeroValue := []uint64{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint64{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -4419,12 +4037,11 @@ func (ev *Event) GetProcessAncestorsCapPermitted() []uint64 {
// GetProcessAncestorsComm returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsComm() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4441,12 +4058,11 @@ func (ev *Event) GetProcessAncestorsComm() []string {
// GetProcessAncestorsContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsContainerId() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4463,12 +4079,11 @@ func (ev *Event) GetProcessAncestorsContainerId() []string {
// GetProcessAncestorsCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsCreatedAt() []int {
- zeroValue := []int{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []int{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -4485,12 +4100,11 @@ func (ev *Event) GetProcessAncestorsCreatedAt() []int {
// GetProcessAncestorsEgid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsEgid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -4507,12 +4121,11 @@ func (ev *Event) GetProcessAncestorsEgid() []uint32 {
// GetProcessAncestorsEgroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsEgroup() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4528,13 +4141,12 @@ func (ev *Event) GetProcessAncestorsEgroup() []string {
}
// GetProcessAncestorsEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessAncestorsEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetProcessAncestorsEnvp() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4543,7 +4155,6 @@ func (ev *Event) GetProcessAncestorsEnvp(desiredKeys map[string]bool) []string {
for ptr != nil {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process)
- result = filterEnvs(result, desiredKeys)
values = append(values, result...)
ptr = iterator.Next()
}
@@ -4551,13 +4162,12 @@ func (ev *Event) GetProcessAncestorsEnvp(desiredKeys map[string]bool) []string {
}
// GetProcessAncestorsEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessAncestorsEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetProcessAncestorsEnvs() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4566,7 +4176,6 @@ func (ev *Event) GetProcessAncestorsEnvs(desiredKeys map[string]bool) []string {
for ptr != nil {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process)
- result = filterEnvs(result, desiredKeys)
values = append(values, result...)
ptr = iterator.Next()
}
@@ -4575,12 +4184,11 @@ func (ev *Event) GetProcessAncestorsEnvs(desiredKeys map[string]bool) []string {
// GetProcessAncestorsEnvsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsEnvsTruncated() []bool {
- zeroValue := []bool{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []bool{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -4597,12 +4205,11 @@ func (ev *Event) GetProcessAncestorsEnvsTruncated() []bool {
// GetProcessAncestorsEuid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsEuid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -4619,12 +4226,11 @@ func (ev *Event) GetProcessAncestorsEuid() []uint32 {
// GetProcessAncestorsEuser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsEuser() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4641,12 +4247,11 @@ func (ev *Event) GetProcessAncestorsEuser() []string {
// GetProcessAncestorsFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileChangeTime() []uint64 {
- zeroValue := []uint64{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint64{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -4663,12 +4268,11 @@ func (ev *Event) GetProcessAncestorsFileChangeTime() []uint64 {
// GetProcessAncestorsFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileFilesystem() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4685,12 +4289,11 @@ func (ev *Event) GetProcessAncestorsFileFilesystem() []string {
// GetProcessAncestorsFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileGid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -4707,12 +4310,11 @@ func (ev *Event) GetProcessAncestorsFileGid() []uint32 {
// GetProcessAncestorsFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileGroup() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4729,12 +4331,11 @@ func (ev *Event) GetProcessAncestorsFileGroup() []string {
// GetProcessAncestorsFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileHashes() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4751,12 +4352,11 @@ func (ev *Event) GetProcessAncestorsFileHashes() []string {
// GetProcessAncestorsFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileInUpperLayer() []bool {
- zeroValue := []bool{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []bool{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -4773,12 +4373,11 @@ func (ev *Event) GetProcessAncestorsFileInUpperLayer() []bool {
// GetProcessAncestorsFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileInode() []uint64 {
- zeroValue := []uint64{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint64{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -4795,12 +4394,11 @@ func (ev *Event) GetProcessAncestorsFileInode() []uint64 {
// GetProcessAncestorsFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileMode() []uint16 {
- zeroValue := []uint16{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint16{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint16{}
}
var values []uint16
ctx := eval.NewContext(ev)
@@ -4817,12 +4415,11 @@ func (ev *Event) GetProcessAncestorsFileMode() []uint16 {
// GetProcessAncestorsFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileModificationTime() []uint64 {
- zeroValue := []uint64{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint64{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -4839,12 +4436,11 @@ func (ev *Event) GetProcessAncestorsFileModificationTime() []uint64 {
// GetProcessAncestorsFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileMountId() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -4861,12 +4457,11 @@ func (ev *Event) GetProcessAncestorsFileMountId() []uint32 {
// GetProcessAncestorsFileName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileName() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4883,12 +4478,11 @@ func (ev *Event) GetProcessAncestorsFileName() []string {
// GetProcessAncestorsFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileNameLength() []int {
- zeroValue := []int{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []int{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -4905,12 +4499,11 @@ func (ev *Event) GetProcessAncestorsFileNameLength() []int {
// GetProcessAncestorsFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFilePackageName() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4927,12 +4520,11 @@ func (ev *Event) GetProcessAncestorsFilePackageName() []string {
// GetProcessAncestorsFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFilePackageSourceVersion() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4949,12 +4541,11 @@ func (ev *Event) GetProcessAncestorsFilePackageSourceVersion() []string {
// GetProcessAncestorsFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFilePackageVersion() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4971,12 +4562,11 @@ func (ev *Event) GetProcessAncestorsFilePackageVersion() []string {
// GetProcessAncestorsFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFilePath() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -4993,12 +4583,11 @@ func (ev *Event) GetProcessAncestorsFilePath() []string {
// GetProcessAncestorsFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFilePathLength() []int {
- zeroValue := []int{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []int{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -5015,12 +4604,11 @@ func (ev *Event) GetProcessAncestorsFilePathLength() []int {
// GetProcessAncestorsFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileRights() []int {
- zeroValue := []int{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []int{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -5037,12 +4625,11 @@ func (ev *Event) GetProcessAncestorsFileRights() []int {
// GetProcessAncestorsFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileUid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -5059,12 +4646,11 @@ func (ev *Event) GetProcessAncestorsFileUid() []uint32 {
// GetProcessAncestorsFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileUser() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5081,12 +4667,11 @@ func (ev *Event) GetProcessAncestorsFileUser() []string {
// GetProcessAncestorsFsgid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFsgid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -5103,12 +4688,11 @@ func (ev *Event) GetProcessAncestorsFsgid() []uint32 {
// GetProcessAncestorsFsgroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFsgroup() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5125,12 +4709,11 @@ func (ev *Event) GetProcessAncestorsFsgroup() []string {
// GetProcessAncestorsFsuid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFsuid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -5147,12 +4730,11 @@ func (ev *Event) GetProcessAncestorsFsuid() []uint32 {
// GetProcessAncestorsFsuser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFsuser() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5169,12 +4751,11 @@ func (ev *Event) GetProcessAncestorsFsuser() []string {
// GetProcessAncestorsGid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsGid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -5191,12 +4772,11 @@ func (ev *Event) GetProcessAncestorsGid() []uint32 {
// GetProcessAncestorsGroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsGroup() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5213,12 +4793,11 @@ func (ev *Event) GetProcessAncestorsGroup() []string {
// GetProcessAncestorsInterpreterFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileChangeTime() []uint64 {
- zeroValue := []uint64{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint64{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -5235,12 +4814,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileChangeTime() []uint64 {
// GetProcessAncestorsInterpreterFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileFilesystem() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5257,12 +4835,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileFilesystem() []string {
// GetProcessAncestorsInterpreterFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileGid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -5279,12 +4856,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileGid() []uint32 {
// GetProcessAncestorsInterpreterFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileGroup() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5301,12 +4877,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileGroup() []string {
// GetProcessAncestorsInterpreterFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileHashes() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5323,12 +4898,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileHashes() []string {
// GetProcessAncestorsInterpreterFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileInUpperLayer() []bool {
- zeroValue := []bool{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []bool{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -5345,12 +4919,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileInUpperLayer() []bool {
// GetProcessAncestorsInterpreterFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileInode() []uint64 {
- zeroValue := []uint64{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint64{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -5367,12 +4940,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileInode() []uint64 {
// GetProcessAncestorsInterpreterFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileMode() []uint16 {
- zeroValue := []uint16{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint16{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint16{}
}
var values []uint16
ctx := eval.NewContext(ev)
@@ -5389,12 +4961,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileMode() []uint16 {
// GetProcessAncestorsInterpreterFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileModificationTime() []uint64 {
- zeroValue := []uint64{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint64{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -5411,12 +4982,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileModificationTime() []uint64 {
// GetProcessAncestorsInterpreterFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileMountId() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -5433,12 +5003,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileMountId() []uint32 {
// GetProcessAncestorsInterpreterFileName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileName() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5455,12 +5024,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileName() []string {
// GetProcessAncestorsInterpreterFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileNameLength() []int {
- zeroValue := []int{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []int{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -5477,12 +5045,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileNameLength() []int {
// GetProcessAncestorsInterpreterFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFilePackageName() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5499,12 +5066,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFilePackageName() []string {
// GetProcessAncestorsInterpreterFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFilePackageSourceVersion() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5521,12 +5087,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFilePackageSourceVersion() []stri
// GetProcessAncestorsInterpreterFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFilePackageVersion() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5543,12 +5108,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFilePackageVersion() []string {
// GetProcessAncestorsInterpreterFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFilePath() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5565,12 +5129,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFilePath() []string {
// GetProcessAncestorsInterpreterFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFilePathLength() []int {
- zeroValue := []int{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []int{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -5587,12 +5150,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFilePathLength() []int {
// GetProcessAncestorsInterpreterFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileRights() []int {
- zeroValue := []int{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []int{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -5609,12 +5171,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileRights() []int {
// GetProcessAncestorsInterpreterFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileUid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -5631,12 +5192,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileUid() []uint32 {
// GetProcessAncestorsInterpreterFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsInterpreterFileUser() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5653,12 +5213,11 @@ func (ev *Event) GetProcessAncestorsInterpreterFileUser() []string {
// GetProcessAncestorsIsKworker returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsIsKworker() []bool {
- zeroValue := []bool{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []bool{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -5675,12 +5234,11 @@ func (ev *Event) GetProcessAncestorsIsKworker() []bool {
// GetProcessAncestorsIsThread returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsIsThread() []bool {
- zeroValue := []bool{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []bool{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -5697,12 +5255,11 @@ func (ev *Event) GetProcessAncestorsIsThread() []bool {
// GetProcessAncestorsPid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsPid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -5719,12 +5276,11 @@ func (ev *Event) GetProcessAncestorsPid() []uint32 {
// GetProcessAncestorsPpid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsPpid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -5741,12 +5297,11 @@ func (ev *Event) GetProcessAncestorsPpid() []uint32 {
// GetProcessAncestorsTid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsTid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -5763,12 +5318,11 @@ func (ev *Event) GetProcessAncestorsTid() []uint32 {
// GetProcessAncestorsTtyName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsTtyName() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5785,12 +5339,11 @@ func (ev *Event) GetProcessAncestorsTtyName() []string {
// GetProcessAncestorsUid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsUid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -5807,12 +5360,11 @@ func (ev *Event) GetProcessAncestorsUid() []uint32 {
// GetProcessAncestorsUser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsUser() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5829,12 +5381,11 @@ func (ev *Event) GetProcessAncestorsUser() []string {
// GetProcessAncestorsUserSessionK8sGroups returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsUserSessionK8sGroups() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5851,12 +5402,11 @@ func (ev *Event) GetProcessAncestorsUserSessionK8sGroups() []string {
// GetProcessAncestorsUserSessionK8sUid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsUserSessionK8sUid() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5873,12 +5423,11 @@ func (ev *Event) GetProcessAncestorsUserSessionK8sUid() []string {
// GetProcessAncestorsUserSessionK8sUsername returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsUserSessionK8sUsername() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -5895,206 +5444,184 @@ func (ev *Event) GetProcessAncestorsUserSessionK8sUsername() []string {
// GetProcessArgs returns the value of the field, resolving if necessary
func (ev *Event) GetProcessArgs() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.BaseEvent.ProcessContext.Process)
}
// GetProcessArgsFlags returns the value of the field, resolving if necessary
func (ev *Event) GetProcessArgsFlags() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.BaseEvent.ProcessContext.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.BaseEvent.ProcessContext.Process)
}
// GetProcessArgsOptions returns the value of the field, resolving if necessary
func (ev *Event) GetProcessArgsOptions() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
+ }
+ return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.BaseEvent.ProcessContext.Process)
+}
+
+// GetProcessArgsScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetProcessArgsScrubbed() string {
+ if ev.BaseEvent.ProcessContext == nil {
+ return ""
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.BaseEvent.ProcessContext.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, &ev.BaseEvent.ProcessContext.Process)
}
// GetProcessArgsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetProcessArgsTruncated() bool {
- zeroValue := false
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.BaseEvent.ProcessContext.Process)
}
// GetProcessArgv returns the value of the field, resolving if necessary
func (ev *Event) GetProcessArgv() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &ev.BaseEvent.ProcessContext.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.BaseEvent.ProcessContext.Process)
}
// GetProcessArgv0 returns the value of the field, resolving if necessary
func (ev *Event) GetProcessArgv0() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.BaseEvent.ProcessContext.Process)
}
+// GetProcessArgvScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetProcessArgvScrubbed() []string {
+ if ev.BaseEvent.ProcessContext == nil {
+ return []string{}
+ }
+ return ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &ev.BaseEvent.ProcessContext.Process)
+}
+
// GetProcessCapEffective returns the value of the field, resolving if necessary
func (ev *Event) GetProcessCapEffective() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
return ev.BaseEvent.ProcessContext.Process.Credentials.CapEffective
}
// GetProcessCapPermitted returns the value of the field, resolving if necessary
func (ev *Event) GetProcessCapPermitted() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
return ev.BaseEvent.ProcessContext.Process.Credentials.CapPermitted
}
// GetProcessComm returns the value of the field, resolving if necessary
func (ev *Event) GetProcessComm() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.BaseEvent.ProcessContext.Process.Comm
}
// GetProcessContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetProcessContainerId() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.BaseEvent.ProcessContext.Process.ContainerID
}
// GetProcessCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetProcessCreatedAt() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.BaseEvent.ProcessContext.Process)
}
// GetProcessEgid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessEgid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
return ev.BaseEvent.ProcessContext.Process.Credentials.EGID
}
// GetProcessEgroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessEgroup() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.BaseEvent.ProcessContext.Process.Credentials.EGroup
}
// GetProcessEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetProcessEnvp() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process)
}
// GetProcessEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetProcessEnvs() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process)
}
// GetProcessEnvsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetProcessEnvsTruncated() bool {
- zeroValue := false
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.BaseEvent.ProcessContext.Process)
}
// GetProcessEuid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessEuid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
return ev.BaseEvent.ProcessContext.Process.Credentials.EUID
}
// GetProcessEuser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessEuser() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.BaseEvent.ProcessContext.Process.Credentials.EUser
}
// GetProcessExecTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessExecTime() time.Time {
- zeroValue := time.Time{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return time.Time{}
}
return ev.BaseEvent.ProcessContext.Process.ExecTime
}
// GetProcessExitTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessExitTime() time.Time {
- zeroValue := time.Time{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return time.Time{}
}
return ev.BaseEvent.ProcessContext.Process.ExitTime
}
// GetProcessFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return uint64(0)
@@ -6104,9 +5631,8 @@ func (ev *Event) GetProcessFileChangeTime() uint64 {
// GetProcessFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileFilesystem() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return ""
@@ -6116,9 +5642,8 @@ func (ev *Event) GetProcessFileFilesystem() string {
// GetProcessFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileGid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return uint32(0)
@@ -6128,9 +5653,8 @@ func (ev *Event) GetProcessFileGid() uint32 {
// GetProcessFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileGroup() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return ""
@@ -6140,24 +5664,19 @@ func (ev *Event) GetProcessFileGroup() string {
// GetProcessFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileHashes() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)
}
// GetProcessFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileInUpperLayer() bool {
- zeroValue := false
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return false
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return false
@@ -6167,9 +5686,8 @@ func (ev *Event) GetProcessFileInUpperLayer() bool {
// GetProcessFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileInode() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return uint64(0)
@@ -6179,9 +5697,8 @@ func (ev *Event) GetProcessFileInode() uint64 {
// GetProcessFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileMode() uint16 {
- zeroValue := uint16(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return uint16(0)
@@ -6191,9 +5708,8 @@ func (ev *Event) GetProcessFileMode() uint16 {
// GetProcessFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return uint64(0)
@@ -6203,9 +5719,8 @@ func (ev *Event) GetProcessFileModificationTime() uint64 {
// GetProcessFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return uint32(0)
@@ -6215,9 +5730,8 @@ func (ev *Event) GetProcessFileMountId() uint32 {
// GetProcessFileName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileName() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return ""
@@ -6227,18 +5741,16 @@ func (ev *Event) GetProcessFileName() string {
// GetProcessFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileNameLength() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent))
}
// GetProcessFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFilePackageName() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return ""
@@ -6248,9 +5760,8 @@ func (ev *Event) GetProcessFilePackageName() string {
// GetProcessFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFilePackageSourceVersion() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return ""
@@ -6260,9 +5771,8 @@ func (ev *Event) GetProcessFilePackageSourceVersion() string {
// GetProcessFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFilePackageVersion() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return ""
@@ -6272,9 +5782,8 @@ func (ev *Event) GetProcessFilePackageVersion() string {
// GetProcessFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFilePath() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return ""
@@ -6284,18 +5793,16 @@ func (ev *Event) GetProcessFilePath() string {
// GetProcessFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFilePathLength() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent))
}
// GetProcessFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileRights() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return 0
@@ -6305,9 +5812,8 @@ func (ev *Event) GetProcessFileRights() int {
// GetProcessFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileUid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return uint32(0)
@@ -6317,9 +5823,8 @@ func (ev *Event) GetProcessFileUid() uint32 {
// GetProcessFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileUser() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() {
return ""
@@ -6329,72 +5834,64 @@ func (ev *Event) GetProcessFileUser() string {
// GetProcessForkTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessForkTime() time.Time {
- zeroValue := time.Time{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return time.Time{}
}
return ev.BaseEvent.ProcessContext.Process.ForkTime
}
// GetProcessFsgid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFsgid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
return ev.BaseEvent.ProcessContext.Process.Credentials.FSGID
}
// GetProcessFsgroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFsgroup() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.BaseEvent.ProcessContext.Process.Credentials.FSGroup
}
// GetProcessFsuid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFsuid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
return ev.BaseEvent.ProcessContext.Process.Credentials.FSUID
}
// GetProcessFsuser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFsuser() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.BaseEvent.ProcessContext.Process.Credentials.FSUser
}
// GetProcessGid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessGid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
return ev.BaseEvent.ProcessContext.Process.Credentials.GID
}
// GetProcessGroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessGroup() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.BaseEvent.ProcessContext.Process.Credentials.Group
}
// GetProcessInterpreterFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return uint64(0)
@@ -6404,9 +5901,8 @@ func (ev *Event) GetProcessInterpreterFileChangeTime() uint64 {
// GetProcessInterpreterFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileFilesystem() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return ""
@@ -6416,9 +5912,8 @@ func (ev *Event) GetProcessInterpreterFileFilesystem() string {
// GetProcessInterpreterFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileGid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return uint32(0)
@@ -6428,9 +5923,8 @@ func (ev *Event) GetProcessInterpreterFileGid() uint32 {
// GetProcessInterpreterFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileGroup() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return ""
@@ -6440,24 +5934,19 @@ func (ev *Event) GetProcessInterpreterFileGroup() string {
// GetProcessInterpreterFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileHashes() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent)
}
// GetProcessInterpreterFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileInUpperLayer() bool {
- zeroValue := false
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return false
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return false
@@ -6467,9 +5956,8 @@ func (ev *Event) GetProcessInterpreterFileInUpperLayer() bool {
// GetProcessInterpreterFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileInode() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return uint64(0)
@@ -6479,9 +5967,8 @@ func (ev *Event) GetProcessInterpreterFileInode() uint64 {
// GetProcessInterpreterFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileMode() uint16 {
- zeroValue := uint16(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return uint16(0)
@@ -6491,9 +5978,8 @@ func (ev *Event) GetProcessInterpreterFileMode() uint16 {
// GetProcessInterpreterFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return uint64(0)
@@ -6503,9 +5989,8 @@ func (ev *Event) GetProcessInterpreterFileModificationTime() uint64 {
// GetProcessInterpreterFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return uint32(0)
@@ -6515,9 +6000,8 @@ func (ev *Event) GetProcessInterpreterFileMountId() uint32 {
// GetProcessInterpreterFileName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileName() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return ""
@@ -6527,18 +6011,16 @@ func (ev *Event) GetProcessInterpreterFileName() string {
// GetProcessInterpreterFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileNameLength() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent))
}
// GetProcessInterpreterFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFilePackageName() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return ""
@@ -6548,9 +6030,8 @@ func (ev *Event) GetProcessInterpreterFilePackageName() string {
// GetProcessInterpreterFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFilePackageSourceVersion() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return ""
@@ -6560,9 +6041,8 @@ func (ev *Event) GetProcessInterpreterFilePackageSourceVersion() string {
// GetProcessInterpreterFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFilePackageVersion() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return ""
@@ -6572,9 +6052,8 @@ func (ev *Event) GetProcessInterpreterFilePackageVersion() string {
// GetProcessInterpreterFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFilePath() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return ""
@@ -6584,18 +6063,16 @@ func (ev *Event) GetProcessInterpreterFilePath() string {
// GetProcessInterpreterFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFilePathLength() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent))
}
// GetProcessInterpreterFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileRights() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return 0
@@ -6605,9 +6082,8 @@ func (ev *Event) GetProcessInterpreterFileRights() int {
// GetProcessInterpreterFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileUid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return uint32(0)
@@ -6617,9 +6093,8 @@ func (ev *Event) GetProcessInterpreterFileUid() uint32 {
// GetProcessInterpreterFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessInterpreterFileUser() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() {
return ""
@@ -6629,30 +6104,27 @@ func (ev *Event) GetProcessInterpreterFileUser() string {
// GetProcessIsKworker returns the value of the field, resolving if necessary
func (ev *Event) GetProcessIsKworker() bool {
- zeroValue := false
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return false
}
return ev.BaseEvent.ProcessContext.Process.PIDContext.IsKworker
}
// GetProcessIsThread returns the value of the field, resolving if necessary
func (ev *Event) GetProcessIsThread() bool {
- zeroValue := false
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return false
}
return ev.BaseEvent.ProcessContext.Process.IsThread
}
// GetProcessParentArgs returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentArgs() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -6662,48 +6134,53 @@ func (ev *Event) GetProcessParentArgs() string {
// GetProcessParentArgsFlags returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentArgsFlags() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.BaseEvent.ProcessContext.Parent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.BaseEvent.ProcessContext.Parent)
}
// GetProcessParentArgsOptions returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentArgsOptions() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.BaseEvent.ProcessContext.Parent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.BaseEvent.ProcessContext.Parent)
+}
+
+// GetProcessParentArgsScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetProcessParentArgsScrubbed() string {
+ if ev.BaseEvent.ProcessContext == nil {
+ return ""
+ }
+ if ev.BaseEvent.ProcessContext.Parent == nil {
+ return ""
+ }
+ if !ev.BaseEvent.ProcessContext.HasParent() {
+ return ""
+ }
+ return ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, ev.BaseEvent.ProcessContext.Parent)
}
// GetProcessParentArgsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentArgsTruncated() bool {
- zeroValue := false
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return false
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return false
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return false
@@ -6713,30 +6190,25 @@ func (ev *Event) GetProcessParentArgsTruncated() bool {
// GetProcessParentArgv returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentArgv() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.BaseEvent.ProcessContext.Parent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgv(ev, ev.BaseEvent.ProcessContext.Parent)
}
// GetProcessParentArgv0 returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentArgv0() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -6744,14 +6216,27 @@ func (ev *Event) GetProcessParentArgv0() string {
return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.BaseEvent.ProcessContext.Parent)
}
-// GetProcessParentCapEffective returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessParentCapEffective() uint64 {
- zeroValue := uint64(0)
+// GetProcessParentArgvScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetProcessParentArgvScrubbed() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return []string{}
+ }
+ if !ev.BaseEvent.ProcessContext.HasParent() {
+ return []string{}
+ }
+ return ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.BaseEvent.ProcessContext.Parent)
+}
+
+// GetProcessParentCapEffective returns the value of the field, resolving if necessary
+func (ev *Event) GetProcessParentCapEffective() uint64 {
+ if ev.BaseEvent.ProcessContext == nil {
+ return uint64(0)
+ }
+ if ev.BaseEvent.ProcessContext.Parent == nil {
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint64(0)
@@ -6761,12 +6246,11 @@ func (ev *Event) GetProcessParentCapEffective() uint64 {
// GetProcessParentCapPermitted returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentCapPermitted() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint64(0)
@@ -6776,12 +6260,11 @@ func (ev *Event) GetProcessParentCapPermitted() uint64 {
// GetProcessParentComm returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentComm() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -6791,12 +6274,11 @@ func (ev *Event) GetProcessParentComm() string {
// GetProcessParentContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentContainerId() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -6806,12 +6288,11 @@ func (ev *Event) GetProcessParentContainerId() string {
// GetProcessParentCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentCreatedAt() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return 0
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return 0
@@ -6821,12 +6302,11 @@ func (ev *Event) GetProcessParentCreatedAt() int {
// GetProcessParentEgid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentEgid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -6836,12 +6316,11 @@ func (ev *Event) GetProcessParentEgid() uint32 {
// GetProcessParentEgroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentEgroup() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -6850,51 +6329,40 @@ func (ev *Event) GetProcessParentEgroup() string {
}
// GetProcessParentEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessParentEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetProcessParentEnvp() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent)
}
// GetProcessParentEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessParentEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetProcessParentEnvs() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent)
}
// GetProcessParentEnvsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentEnvsTruncated() bool {
- zeroValue := false
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return false
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return false
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return false
@@ -6904,12 +6372,11 @@ func (ev *Event) GetProcessParentEnvsTruncated() bool {
// GetProcessParentEuid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentEuid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -6919,12 +6386,11 @@ func (ev *Event) GetProcessParentEuid() uint32 {
// GetProcessParentEuser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentEuser() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -6934,12 +6400,11 @@ func (ev *Event) GetProcessParentEuser() string {
// GetProcessParentFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint64(0)
@@ -6952,12 +6417,11 @@ func (ev *Event) GetProcessParentFileChangeTime() uint64 {
// GetProcessParentFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileFilesystem() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -6970,12 +6434,11 @@ func (ev *Event) GetProcessParentFileFilesystem() string {
// GetProcessParentFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileGid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -6988,12 +6451,11 @@ func (ev *Event) GetProcessParentFileGid() uint32 {
// GetProcessParentFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileGroup() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7006,12 +6468,11 @@ func (ev *Event) GetProcessParentFileGroup() string {
// GetProcessParentFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileHashes() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return []string{}
@@ -7019,20 +6480,16 @@ func (ev *Event) GetProcessParentFileHashes() []string {
if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent)
}
// GetProcessParentFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileInUpperLayer() bool {
- zeroValue := false
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return false
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return false
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return false
@@ -7045,12 +6502,11 @@ func (ev *Event) GetProcessParentFileInUpperLayer() bool {
// GetProcessParentFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileInode() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint64(0)
@@ -7063,12 +6519,11 @@ func (ev *Event) GetProcessParentFileInode() uint64 {
// GetProcessParentFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileMode() uint16 {
- zeroValue := uint16(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint16(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint16(0)
@@ -7081,12 +6536,11 @@ func (ev *Event) GetProcessParentFileMode() uint16 {
// GetProcessParentFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint64(0)
@@ -7099,12 +6553,11 @@ func (ev *Event) GetProcessParentFileModificationTime() uint64 {
// GetProcessParentFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -7117,12 +6570,11 @@ func (ev *Event) GetProcessParentFileMountId() uint32 {
// GetProcessParentFileName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileName() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7135,24 +6587,22 @@ func (ev *Event) GetProcessParentFileName() string {
// GetProcessParentFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileNameLength() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent))
}
// GetProcessParentFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFilePackageName() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7165,12 +6615,11 @@ func (ev *Event) GetProcessParentFilePackageName() string {
// GetProcessParentFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFilePackageSourceVersion() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7183,12 +6632,11 @@ func (ev *Event) GetProcessParentFilePackageSourceVersion() string {
// GetProcessParentFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFilePackageVersion() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7201,12 +6649,11 @@ func (ev *Event) GetProcessParentFilePackageVersion() string {
// GetProcessParentFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFilePath() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7219,24 +6666,22 @@ func (ev *Event) GetProcessParentFilePath() string {
// GetProcessParentFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFilePathLength() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent))
}
// GetProcessParentFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileRights() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return 0
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return 0
@@ -7249,12 +6694,11 @@ func (ev *Event) GetProcessParentFileRights() int {
// GetProcessParentFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileUid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -7267,12 +6711,11 @@ func (ev *Event) GetProcessParentFileUid() uint32 {
// GetProcessParentFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileUser() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7285,12 +6728,11 @@ func (ev *Event) GetProcessParentFileUser() string {
// GetProcessParentFsgid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFsgid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -7300,12 +6742,11 @@ func (ev *Event) GetProcessParentFsgid() uint32 {
// GetProcessParentFsgroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFsgroup() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7315,12 +6756,11 @@ func (ev *Event) GetProcessParentFsgroup() string {
// GetProcessParentFsuid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFsuid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -7330,12 +6770,11 @@ func (ev *Event) GetProcessParentFsuid() uint32 {
// GetProcessParentFsuser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFsuser() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7345,12 +6784,11 @@ func (ev *Event) GetProcessParentFsuser() string {
// GetProcessParentGid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentGid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -7360,12 +6798,11 @@ func (ev *Event) GetProcessParentGid() uint32 {
// GetProcessParentGroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentGroup() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7375,12 +6812,11 @@ func (ev *Event) GetProcessParentGroup() string {
// GetProcessParentInterpreterFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint64(0)
@@ -7393,12 +6829,11 @@ func (ev *Event) GetProcessParentInterpreterFileChangeTime() uint64 {
// GetProcessParentInterpreterFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileFilesystem() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7411,12 +6846,11 @@ func (ev *Event) GetProcessParentInterpreterFileFilesystem() string {
// GetProcessParentInterpreterFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileGid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -7429,12 +6863,11 @@ func (ev *Event) GetProcessParentInterpreterFileGid() uint32 {
// GetProcessParentInterpreterFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileGroup() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7447,12 +6880,11 @@ func (ev *Event) GetProcessParentInterpreterFileGroup() string {
// GetProcessParentInterpreterFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileHashes() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return []string{}
@@ -7460,20 +6892,16 @@ func (ev *Event) GetProcessParentInterpreterFileHashes() []string {
if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent)
}
// GetProcessParentInterpreterFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileInUpperLayer() bool {
- zeroValue := false
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return false
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return false
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return false
@@ -7486,12 +6914,11 @@ func (ev *Event) GetProcessParentInterpreterFileInUpperLayer() bool {
// GetProcessParentInterpreterFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileInode() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint64(0)
@@ -7504,12 +6931,11 @@ func (ev *Event) GetProcessParentInterpreterFileInode() uint64 {
// GetProcessParentInterpreterFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileMode() uint16 {
- zeroValue := uint16(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint16(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint16(0)
@@ -7522,12 +6948,11 @@ func (ev *Event) GetProcessParentInterpreterFileMode() uint16 {
// GetProcessParentInterpreterFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint64(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint64(0)
@@ -7540,12 +6965,11 @@ func (ev *Event) GetProcessParentInterpreterFileModificationTime() uint64 {
// GetProcessParentInterpreterFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -7558,12 +6982,11 @@ func (ev *Event) GetProcessParentInterpreterFileMountId() uint32 {
// GetProcessParentInterpreterFileName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileName() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7576,24 +6999,22 @@ func (ev *Event) GetProcessParentInterpreterFileName() string {
// GetProcessParentInterpreterFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileNameLength() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent))
}
// GetProcessParentInterpreterFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFilePackageName() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7606,12 +7027,11 @@ func (ev *Event) GetProcessParentInterpreterFilePackageName() string {
// GetProcessParentInterpreterFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFilePackageSourceVersion() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7624,12 +7044,11 @@ func (ev *Event) GetProcessParentInterpreterFilePackageSourceVersion() string {
// GetProcessParentInterpreterFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFilePackageVersion() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7642,12 +7061,11 @@ func (ev *Event) GetProcessParentInterpreterFilePackageVersion() string {
// GetProcessParentInterpreterFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFilePath() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7660,24 +7078,22 @@ func (ev *Event) GetProcessParentInterpreterFilePath() string {
// GetProcessParentInterpreterFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFilePathLength() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent))
}
// GetProcessParentInterpreterFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileRights() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return 0
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return 0
@@ -7690,12 +7106,11 @@ func (ev *Event) GetProcessParentInterpreterFileRights() int {
// GetProcessParentInterpreterFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileUid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -7708,12 +7123,11 @@ func (ev *Event) GetProcessParentInterpreterFileUid() uint32 {
// GetProcessParentInterpreterFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentInterpreterFileUser() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7726,12 +7140,11 @@ func (ev *Event) GetProcessParentInterpreterFileUser() string {
// GetProcessParentIsKworker returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentIsKworker() bool {
- zeroValue := false
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return false
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return false
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return false
@@ -7741,12 +7154,11 @@ func (ev *Event) GetProcessParentIsKworker() bool {
// GetProcessParentIsThread returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentIsThread() bool {
- zeroValue := false
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return false
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return false
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return false
@@ -7756,12 +7168,11 @@ func (ev *Event) GetProcessParentIsThread() bool {
// GetProcessParentPid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentPid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -7771,12 +7182,11 @@ func (ev *Event) GetProcessParentPid() uint32 {
// GetProcessParentPpid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentPpid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -7786,12 +7196,11 @@ func (ev *Event) GetProcessParentPpid() uint32 {
// GetProcessParentTid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentTid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -7801,12 +7210,11 @@ func (ev *Event) GetProcessParentTid() uint32 {
// GetProcessParentTtyName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentTtyName() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7816,12 +7224,11 @@ func (ev *Event) GetProcessParentTtyName() string {
// GetProcessParentUid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentUid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -7831,12 +7238,11 @@ func (ev *Event) GetProcessParentUid() uint32 {
// GetProcessParentUser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentUser() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7846,30 +7252,25 @@ func (ev *Event) GetProcessParentUser() string {
// GetProcessParentUserSessionK8sGroups returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentUserSessionK8sGroups() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveK8SGroups(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession)
}
// GetProcessParentUserSessionK8sUid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentUserSessionK8sUid() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7879,12 +7280,11 @@ func (ev *Event) GetProcessParentUserSessionK8sUid() string {
// GetProcessParentUserSessionK8sUsername returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentUserSessionK8sUsername() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -7894,117 +7294,102 @@ func (ev *Event) GetProcessParentUserSessionK8sUsername() string {
// GetProcessPid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessPid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
return ev.BaseEvent.ProcessContext.Process.PIDContext.Pid
}
// GetProcessPpid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessPpid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
return ev.BaseEvent.ProcessContext.Process.PPid
}
// GetProcessTid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessTid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
return ev.BaseEvent.ProcessContext.Process.PIDContext.Tid
}
// GetProcessTtyName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessTtyName() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.BaseEvent.ProcessContext.Process.TTYName
}
// GetProcessUid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessUid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
return ev.BaseEvent.ProcessContext.Process.Credentials.UID
}
// GetProcessUser returns the value of the field, resolving if necessary
func (ev *Event) GetProcessUser() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.BaseEvent.ProcessContext.Process.Credentials.User
}
// GetProcessUserSessionK8sGroups returns the value of the field, resolving if necessary
func (ev *Event) GetProcessUserSessionK8sGroups() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveK8SGroups(ev, &ev.BaseEvent.ProcessContext.Process.UserSession)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.BaseEvent.ProcessContext.Process.UserSession)
}
// GetProcessUserSessionK8sUid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessUserSessionK8sUid() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveK8SUID(ev, &ev.BaseEvent.ProcessContext.Process.UserSession)
}
// GetProcessUserSessionK8sUsername returns the value of the field, resolving if necessary
func (ev *Event) GetProcessUserSessionK8sUsername() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.BaseEvent.ProcessContext.Process.UserSession)
}
// GetPtraceRequest returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceRequest() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
return ev.PTrace.Request
}
// GetPtraceRetval returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return int64(0)
}
return ev.PTrace.SyscallEvent.Retval
}
// GetPtraceTraceeAncestorsArgs returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsArgs() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8021,15 +7406,14 @@ func (ev *Event) GetPtraceTraceeAncestorsArgs() []string {
// GetPtraceTraceeAncestorsArgsFlags returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsArgsFlags() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8046,15 +7430,14 @@ func (ev *Event) GetPtraceTraceeAncestorsArgsFlags() []string {
// GetPtraceTraceeAncestorsArgsOptions returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsArgsOptions() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8069,17 +7452,40 @@ func (ev *Event) GetPtraceTraceeAncestorsArgsOptions() []string {
return values
}
+// GetPtraceTraceeAncestorsArgsScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetPtraceTraceeAncestorsArgsScrubbed() []string {
+ if ev.GetEventType().String() != "ptrace" {
+ return []string{}
+ }
+ if ev.PTrace.Tracee == nil {
+ return []string{}
+ }
+ if ev.PTrace.Tracee.Ancestor == nil {
+ return []string{}
+ }
+ var values []string
+ ctx := eval.NewContext(ev)
+ iterator := &ProcessAncestorsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := (*ProcessCacheEntry)(ptr)
+ result := ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, &element.ProcessContext.Process)
+ values = append(values, result)
+ ptr = iterator.Next()
+ }
+ return values
+}
+
// GetPtraceTraceeAncestorsArgsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsArgsTruncated() []bool {
- zeroValue := []bool{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []bool{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []bool{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -8096,15 +7502,14 @@ func (ev *Event) GetPtraceTraceeAncestorsArgsTruncated() []bool {
// GetPtraceTraceeAncestorsArgv returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsArgv() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8112,7 +7517,7 @@ func (ev *Event) GetPtraceTraceeAncestorsArgv() []string {
ptr := iterator.Front(ctx)
for ptr != nil {
element := (*ProcessCacheEntry)(ptr)
- result := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &element.ProcessContext.Process)
+ result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process)
values = append(values, result...)
ptr = iterator.Next()
}
@@ -8121,15 +7526,14 @@ func (ev *Event) GetPtraceTraceeAncestorsArgv() []string {
// GetPtraceTraceeAncestorsArgv0 returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsArgv0() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8144,17 +7548,40 @@ func (ev *Event) GetPtraceTraceeAncestorsArgv0() []string {
return values
}
+// GetPtraceTraceeAncestorsArgvScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetPtraceTraceeAncestorsArgvScrubbed() []string {
+ if ev.GetEventType().String() != "ptrace" {
+ return []string{}
+ }
+ if ev.PTrace.Tracee == nil {
+ return []string{}
+ }
+ if ev.PTrace.Tracee.Ancestor == nil {
+ return []string{}
+ }
+ var values []string
+ ctx := eval.NewContext(ev)
+ iterator := &ProcessAncestorsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := (*ProcessCacheEntry)(ptr)
+ result := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &element.ProcessContext.Process)
+ values = append(values, result...)
+ ptr = iterator.Next()
+ }
+ return values
+}
+
// GetPtraceTraceeAncestorsCapEffective returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsCapEffective() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -8171,15 +7598,14 @@ func (ev *Event) GetPtraceTraceeAncestorsCapEffective() []uint64 {
// GetPtraceTraceeAncestorsCapPermitted returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsCapPermitted() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -8196,15 +7622,14 @@ func (ev *Event) GetPtraceTraceeAncestorsCapPermitted() []uint64 {
// GetPtraceTraceeAncestorsComm returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsComm() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8221,15 +7646,14 @@ func (ev *Event) GetPtraceTraceeAncestorsComm() []string {
// GetPtraceTraceeAncestorsContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsContainerId() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8246,15 +7670,14 @@ func (ev *Event) GetPtraceTraceeAncestorsContainerId() []string {
// GetPtraceTraceeAncestorsCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsCreatedAt() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -8271,15 +7694,14 @@ func (ev *Event) GetPtraceTraceeAncestorsCreatedAt() []int {
// GetPtraceTraceeAncestorsEgid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsEgid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -8296,15 +7718,14 @@ func (ev *Event) GetPtraceTraceeAncestorsEgid() []uint32 {
// GetPtraceTraceeAncestorsEgroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsEgroup() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8320,16 +7741,15 @@ func (ev *Event) GetPtraceTraceeAncestorsEgroup() []string {
}
// GetPtraceTraceeAncestorsEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetPtraceTraceeAncestorsEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetPtraceTraceeAncestorsEnvp() []string {
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8338,7 +7758,6 @@ func (ev *Event) GetPtraceTraceeAncestorsEnvp(desiredKeys map[string]bool) []str
for ptr != nil {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process)
- result = filterEnvs(result, desiredKeys)
values = append(values, result...)
ptr = iterator.Next()
}
@@ -8346,16 +7765,15 @@ func (ev *Event) GetPtraceTraceeAncestorsEnvp(desiredKeys map[string]bool) []str
}
// GetPtraceTraceeAncestorsEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetPtraceTraceeAncestorsEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetPtraceTraceeAncestorsEnvs() []string {
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8364,7 +7782,6 @@ func (ev *Event) GetPtraceTraceeAncestorsEnvs(desiredKeys map[string]bool) []str
for ptr != nil {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process)
- result = filterEnvs(result, desiredKeys)
values = append(values, result...)
ptr = iterator.Next()
}
@@ -8373,15 +7790,14 @@ func (ev *Event) GetPtraceTraceeAncestorsEnvs(desiredKeys map[string]bool) []str
// GetPtraceTraceeAncestorsEnvsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsEnvsTruncated() []bool {
- zeroValue := []bool{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []bool{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []bool{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -8398,15 +7814,14 @@ func (ev *Event) GetPtraceTraceeAncestorsEnvsTruncated() []bool {
// GetPtraceTraceeAncestorsEuid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsEuid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -8423,15 +7838,14 @@ func (ev *Event) GetPtraceTraceeAncestorsEuid() []uint32 {
// GetPtraceTraceeAncestorsEuser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsEuser() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8448,15 +7862,14 @@ func (ev *Event) GetPtraceTraceeAncestorsEuser() []string {
// GetPtraceTraceeAncestorsFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileChangeTime() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -8473,15 +7886,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileChangeTime() []uint64 {
// GetPtraceTraceeAncestorsFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileFilesystem() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8498,15 +7910,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileFilesystem() []string {
// GetPtraceTraceeAncestorsFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileGid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -8523,15 +7934,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileGid() []uint32 {
// GetPtraceTraceeAncestorsFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileGroup() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8548,15 +7958,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileGroup() []string {
// GetPtraceTraceeAncestorsFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8573,15 +7982,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileHashes() []string {
// GetPtraceTraceeAncestorsFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileInUpperLayer() []bool {
- zeroValue := []bool{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []bool{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []bool{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -8598,15 +8006,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileInUpperLayer() []bool {
// GetPtraceTraceeAncestorsFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileInode() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -8623,15 +8030,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileInode() []uint64 {
// GetPtraceTraceeAncestorsFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileMode() []uint16 {
- zeroValue := []uint16{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint16{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint16{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint16{}
}
var values []uint16
ctx := eval.NewContext(ev)
@@ -8648,15 +8054,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileMode() []uint16 {
// GetPtraceTraceeAncestorsFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileModificationTime() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -8673,15 +8078,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileModificationTime() []uint64 {
// GetPtraceTraceeAncestorsFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileMountId() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -8698,15 +8102,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileMountId() []uint32 {
// GetPtraceTraceeAncestorsFileName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileName() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8723,15 +8126,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileName() []string {
// GetPtraceTraceeAncestorsFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileNameLength() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -8748,15 +8150,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileNameLength() []int {
// GetPtraceTraceeAncestorsFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFilePackageName() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8773,15 +8174,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFilePackageName() []string {
// GetPtraceTraceeAncestorsFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFilePackageSourceVersion() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8798,15 +8198,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFilePackageSourceVersion() []string {
// GetPtraceTraceeAncestorsFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFilePackageVersion() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8823,15 +8222,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFilePackageVersion() []string {
// GetPtraceTraceeAncestorsFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFilePath() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8848,15 +8246,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFilePath() []string {
// GetPtraceTraceeAncestorsFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFilePathLength() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -8873,15 +8270,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFilePathLength() []int {
// GetPtraceTraceeAncestorsFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileRights() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -8898,15 +8294,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileRights() []int {
// GetPtraceTraceeAncestorsFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileUid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -8923,15 +8318,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileUid() []uint32 {
// GetPtraceTraceeAncestorsFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFileUser() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8948,15 +8342,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFileUser() []string {
// GetPtraceTraceeAncestorsFsgid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFsgid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -8973,15 +8366,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFsgid() []uint32 {
// GetPtraceTraceeAncestorsFsgroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFsgroup() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -8998,15 +8390,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFsgroup() []string {
// GetPtraceTraceeAncestorsFsuid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFsuid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -9023,15 +8414,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFsuid() []uint32 {
// GetPtraceTraceeAncestorsFsuser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsFsuser() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9048,15 +8438,14 @@ func (ev *Event) GetPtraceTraceeAncestorsFsuser() []string {
// GetPtraceTraceeAncestorsGid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsGid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -9073,15 +8462,14 @@ func (ev *Event) GetPtraceTraceeAncestorsGid() []uint32 {
// GetPtraceTraceeAncestorsGroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsGroup() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9098,15 +8486,14 @@ func (ev *Event) GetPtraceTraceeAncestorsGroup() []string {
// GetPtraceTraceeAncestorsInterpreterFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileChangeTime() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -9123,15 +8510,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileChangeTime() []uint64 {
// GetPtraceTraceeAncestorsInterpreterFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileFilesystem() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9148,15 +8534,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileFilesystem() []string {
// GetPtraceTraceeAncestorsInterpreterFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileGid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -9173,15 +8558,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileGid() []uint32 {
// GetPtraceTraceeAncestorsInterpreterFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileGroup() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9198,15 +8582,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileGroup() []string {
// GetPtraceTraceeAncestorsInterpreterFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9223,15 +8606,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileHashes() []string {
// GetPtraceTraceeAncestorsInterpreterFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileInUpperLayer() []bool {
- zeroValue := []bool{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []bool{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []bool{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -9248,15 +8630,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileInUpperLayer() []bool {
// GetPtraceTraceeAncestorsInterpreterFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileInode() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -9273,15 +8654,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileInode() []uint64 {
// GetPtraceTraceeAncestorsInterpreterFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileMode() []uint16 {
- zeroValue := []uint16{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint16{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint16{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint16{}
}
var values []uint16
ctx := eval.NewContext(ev)
@@ -9298,15 +8678,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileMode() []uint16 {
// GetPtraceTraceeAncestorsInterpreterFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileModificationTime() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint64{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -9323,15 +8702,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileModificationTime() []uin
// GetPtraceTraceeAncestorsInterpreterFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileMountId() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -9348,15 +8726,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileMountId() []uint32 {
// GetPtraceTraceeAncestorsInterpreterFileName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileName() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9373,15 +8750,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileName() []string {
// GetPtraceTraceeAncestorsInterpreterFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileNameLength() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -9398,15 +8774,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileNameLength() []int {
// GetPtraceTraceeAncestorsInterpreterFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePackageName() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9423,15 +8798,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePackageName() []string {
// GetPtraceTraceeAncestorsInterpreterFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePackageSourceVersion() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9448,15 +8822,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePackageSourceVersion() [
// GetPtraceTraceeAncestorsInterpreterFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePackageVersion() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9473,15 +8846,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePackageVersion() []strin
// GetPtraceTraceeAncestorsInterpreterFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePath() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9498,15 +8870,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePath() []string {
// GetPtraceTraceeAncestorsInterpreterFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePathLength() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -9523,15 +8894,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePathLength() []int {
// GetPtraceTraceeAncestorsInterpreterFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileRights() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []int{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -9548,15 +8918,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileRights() []int {
// GetPtraceTraceeAncestorsInterpreterFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileUid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -9573,15 +8942,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileUid() []uint32 {
// GetPtraceTraceeAncestorsInterpreterFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileUser() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9598,15 +8966,14 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileUser() []string {
// GetPtraceTraceeAncestorsIsKworker returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsIsKworker() []bool {
- zeroValue := []bool{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []bool{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []bool{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -9623,15 +8990,14 @@ func (ev *Event) GetPtraceTraceeAncestorsIsKworker() []bool {
// GetPtraceTraceeAncestorsIsThread returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsIsThread() []bool {
- zeroValue := []bool{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []bool{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []bool{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -9648,15 +9014,14 @@ func (ev *Event) GetPtraceTraceeAncestorsIsThread() []bool {
// GetPtraceTraceeAncestorsPid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsPid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -9673,15 +9038,14 @@ func (ev *Event) GetPtraceTraceeAncestorsPid() []uint32 {
// GetPtraceTraceeAncestorsPpid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsPpid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -9698,15 +9062,14 @@ func (ev *Event) GetPtraceTraceeAncestorsPpid() []uint32 {
// GetPtraceTraceeAncestorsTid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsTid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -9723,15 +9086,14 @@ func (ev *Event) GetPtraceTraceeAncestorsTid() []uint32 {
// GetPtraceTraceeAncestorsTtyName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsTtyName() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9748,15 +9110,14 @@ func (ev *Event) GetPtraceTraceeAncestorsTtyName() []string {
// GetPtraceTraceeAncestorsUid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsUid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []uint32{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -9773,15 +9134,14 @@ func (ev *Event) GetPtraceTraceeAncestorsUid() []uint32 {
// GetPtraceTraceeAncestorsUser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsUser() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9798,15 +9158,14 @@ func (ev *Event) GetPtraceTraceeAncestorsUser() []string {
// GetPtraceTraceeAncestorsUserSessionK8sGroups returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsUserSessionK8sGroups() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9823,15 +9182,14 @@ func (ev *Event) GetPtraceTraceeAncestorsUserSessionK8sGroups() []string {
// GetPtraceTraceeAncestorsUserSessionK8sUid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsUserSessionK8sUid() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9848,15 +9206,14 @@ func (ev *Event) GetPtraceTraceeAncestorsUserSessionK8sUid() []string {
// GetPtraceTraceeAncestorsUserSessionK8sUsername returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeAncestorsUserSessionK8sUsername() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -9873,269 +9230,253 @@ func (ev *Event) GetPtraceTraceeAncestorsUserSessionK8sUsername() []string {
// GetPtraceTraceeArgs returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeArgs() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.PTrace.Tracee.Process)
}
// GetPtraceTraceeArgsFlags returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeArgsFlags() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.PTrace.Tracee.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.PTrace.Tracee.Process)
}
// GetPtraceTraceeArgsOptions returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeArgsOptions() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
+ }
+ if ev.PTrace.Tracee == nil {
+ return []string{}
+ }
+ return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.PTrace.Tracee.Process)
+}
+
+// GetPtraceTraceeArgsScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetPtraceTraceeArgsScrubbed() string {
+ if ev.GetEventType().String() != "ptrace" {
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.PTrace.Tracee.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, &ev.PTrace.Tracee.Process)
}
// GetPtraceTraceeArgsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeArgsTruncated() bool {
- zeroValue := false
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.PTrace.Tracee.Process)
}
// GetPtraceTraceeArgv returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeArgv() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &ev.PTrace.Tracee.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.PTrace.Tracee.Process)
}
// GetPtraceTraceeArgv0 returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeArgv0() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.PTrace.Tracee.Process)
}
+// GetPtraceTraceeArgvScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetPtraceTraceeArgvScrubbed() []string {
+ if ev.GetEventType().String() != "ptrace" {
+ return []string{}
+ }
+ if ev.PTrace.Tracee == nil {
+ return []string{}
+ }
+ return ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &ev.PTrace.Tracee.Process)
+}
+
// GetPtraceTraceeCapEffective returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeCapEffective() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
return ev.PTrace.Tracee.Process.Credentials.CapEffective
}
// GetPtraceTraceeCapPermitted returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeCapPermitted() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
return ev.PTrace.Tracee.Process.Credentials.CapPermitted
}
// GetPtraceTraceeComm returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeComm() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
return ev.PTrace.Tracee.Process.Comm
}
// GetPtraceTraceeContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeContainerId() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
return ev.PTrace.Tracee.Process.ContainerID
}
// GetPtraceTraceeCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeCreatedAt() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.PTrace.Tracee.Process)
}
// GetPtraceTraceeEgid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeEgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
return ev.PTrace.Tracee.Process.Credentials.EGID
}
// GetPtraceTraceeEgroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeEgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
return ev.PTrace.Tracee.Process.Credentials.EGroup
}
// GetPtraceTraceeEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetPtraceTraceeEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetPtraceTraceeEnvp() []string {
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.PTrace.Tracee.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.PTrace.Tracee.Process)
}
// GetPtraceTraceeEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetPtraceTraceeEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetPtraceTraceeEnvs() []string {
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.PTrace.Tracee.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.PTrace.Tracee.Process)
}
// GetPtraceTraceeEnvsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeEnvsTruncated() bool {
- zeroValue := false
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.PTrace.Tracee.Process)
}
// GetPtraceTraceeEuid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeEuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
return ev.PTrace.Tracee.Process.Credentials.EUID
}
// GetPtraceTraceeEuser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeEuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
return ev.PTrace.Tracee.Process.Credentials.EUser
}
// GetPtraceTraceeExecTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeExecTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return time.Time{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return time.Time{}
}
return ev.PTrace.Tracee.Process.ExecTime
}
// GetPtraceTraceeExitTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeExitTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return time.Time{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return time.Time{}
}
return ev.PTrace.Tracee.Process.ExitTime
}
// GetPtraceTraceeFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return uint64(0)
@@ -10145,12 +9486,11 @@ func (ev *Event) GetPtraceTraceeFileChangeTime() uint64 {
// GetPtraceTraceeFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return ""
@@ -10160,12 +9500,11 @@ func (ev *Event) GetPtraceTraceeFileFilesystem() string {
// GetPtraceTraceeFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return uint32(0)
@@ -10175,12 +9514,11 @@ func (ev *Event) GetPtraceTraceeFileGid() uint32 {
// GetPtraceTraceeFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return ""
@@ -10190,30 +9528,25 @@ func (ev *Event) GetPtraceTraceeFileGroup() string {
// GetPtraceTraceeFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Process.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Process.FileEvent)
}
// GetPtraceTraceeFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return false
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return false
@@ -10223,12 +9556,11 @@ func (ev *Event) GetPtraceTraceeFileInUpperLayer() bool {
// GetPtraceTraceeFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return uint64(0)
@@ -10238,12 +9570,11 @@ func (ev *Event) GetPtraceTraceeFileInode() uint64 {
// GetPtraceTraceeFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint16(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return uint16(0)
@@ -10253,12 +9584,11 @@ func (ev *Event) GetPtraceTraceeFileMode() uint16 {
// GetPtraceTraceeFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return uint64(0)
@@ -10268,12 +9598,11 @@ func (ev *Event) GetPtraceTraceeFileModificationTime() uint64 {
// GetPtraceTraceeFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return uint32(0)
@@ -10283,12 +9612,11 @@ func (ev *Event) GetPtraceTraceeFileMountId() uint32 {
// GetPtraceTraceeFileName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return ""
@@ -10298,24 +9626,22 @@ func (ev *Event) GetPtraceTraceeFileName() string {
// GetPtraceTraceeFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.FileEvent))
}
// GetPtraceTraceeFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return ""
@@ -10325,12 +9651,11 @@ func (ev *Event) GetPtraceTraceeFilePackageName() string {
// GetPtraceTraceeFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return ""
@@ -10340,12 +9665,11 @@ func (ev *Event) GetPtraceTraceeFilePackageSourceVersion() string {
// GetPtraceTraceeFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return ""
@@ -10355,12 +9679,11 @@ func (ev *Event) GetPtraceTraceeFilePackageVersion() string {
// GetPtraceTraceeFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return ""
@@ -10370,24 +9693,22 @@ func (ev *Event) GetPtraceTraceeFilePath() string {
// GetPtraceTraceeFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.FileEvent))
}
// GetPtraceTraceeFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return 0
@@ -10397,12 +9718,11 @@ func (ev *Event) GetPtraceTraceeFileRights() int {
// GetPtraceTraceeFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return uint32(0)
@@ -10412,12 +9732,11 @@ func (ev *Event) GetPtraceTraceeFileUid() uint32 {
// GetPtraceTraceeFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.IsNotKworker() {
return ""
@@ -10427,96 +9746,88 @@ func (ev *Event) GetPtraceTraceeFileUser() string {
// GetPtraceTraceeForkTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeForkTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return time.Time{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return time.Time{}
}
return ev.PTrace.Tracee.Process.ForkTime
}
// GetPtraceTraceeFsgid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFsgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
return ev.PTrace.Tracee.Process.Credentials.FSGID
}
// GetPtraceTraceeFsgroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFsgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
return ev.PTrace.Tracee.Process.Credentials.FSGroup
}
// GetPtraceTraceeFsuid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFsuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
return ev.PTrace.Tracee.Process.Credentials.FSUID
}
// GetPtraceTraceeFsuser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeFsuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
return ev.PTrace.Tracee.Process.Credentials.FSUser
}
// GetPtraceTraceeGid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
return ev.PTrace.Tracee.Process.Credentials.GID
}
// GetPtraceTraceeGroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
return ev.PTrace.Tracee.Process.Credentials.Group
}
// GetPtraceTraceeInterpreterFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return uint64(0)
@@ -10526,12 +9837,11 @@ func (ev *Event) GetPtraceTraceeInterpreterFileChangeTime() uint64 {
// GetPtraceTraceeInterpreterFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return ""
@@ -10541,12 +9851,11 @@ func (ev *Event) GetPtraceTraceeInterpreterFileFilesystem() string {
// GetPtraceTraceeInterpreterFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return uint32(0)
@@ -10556,12 +9865,11 @@ func (ev *Event) GetPtraceTraceeInterpreterFileGid() uint32 {
// GetPtraceTraceeInterpreterFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return ""
@@ -10571,30 +9879,25 @@ func (ev *Event) GetPtraceTraceeInterpreterFileGroup() string {
// GetPtraceTraceeInterpreterFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent)
}
// GetPtraceTraceeInterpreterFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return false
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return false
@@ -10604,12 +9907,11 @@ func (ev *Event) GetPtraceTraceeInterpreterFileInUpperLayer() bool {
// GetPtraceTraceeInterpreterFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return uint64(0)
@@ -10619,12 +9921,11 @@ func (ev *Event) GetPtraceTraceeInterpreterFileInode() uint64 {
// GetPtraceTraceeInterpreterFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint16(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return uint16(0)
@@ -10634,12 +9935,11 @@ func (ev *Event) GetPtraceTraceeInterpreterFileMode() uint16 {
// GetPtraceTraceeInterpreterFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return uint64(0)
@@ -10649,12 +9949,11 @@ func (ev *Event) GetPtraceTraceeInterpreterFileModificationTime() uint64 {
// GetPtraceTraceeInterpreterFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return uint32(0)
@@ -10664,12 +9963,11 @@ func (ev *Event) GetPtraceTraceeInterpreterFileMountId() uint32 {
// GetPtraceTraceeInterpreterFileName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return ""
@@ -10679,24 +9977,22 @@ func (ev *Event) GetPtraceTraceeInterpreterFileName() string {
// GetPtraceTraceeInterpreterFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent))
}
// GetPtraceTraceeInterpreterFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return ""
@@ -10706,12 +10002,11 @@ func (ev *Event) GetPtraceTraceeInterpreterFilePackageName() string {
// GetPtraceTraceeInterpreterFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return ""
@@ -10721,12 +10016,11 @@ func (ev *Event) GetPtraceTraceeInterpreterFilePackageSourceVersion() string {
// GetPtraceTraceeInterpreterFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return ""
@@ -10736,12 +10030,11 @@ func (ev *Event) GetPtraceTraceeInterpreterFilePackageVersion() string {
// GetPtraceTraceeInterpreterFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return ""
@@ -10751,24 +10044,22 @@ func (ev *Event) GetPtraceTraceeInterpreterFilePath() string {
// GetPtraceTraceeInterpreterFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent))
}
// GetPtraceTraceeInterpreterFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return 0
@@ -10778,12 +10069,11 @@ func (ev *Event) GetPtraceTraceeInterpreterFileRights() int {
// GetPtraceTraceeInterpreterFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return uint32(0)
@@ -10793,12 +10083,11 @@ func (ev *Event) GetPtraceTraceeInterpreterFileUid() uint32 {
// GetPtraceTraceeInterpreterFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeInterpreterFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.Process.HasInterpreter() {
return ""
@@ -10808,39 +10097,36 @@ func (ev *Event) GetPtraceTraceeInterpreterFileUser() string {
// GetPtraceTraceeIsKworker returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeIsKworker() bool {
- zeroValue := false
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return false
}
return ev.PTrace.Tracee.Process.PIDContext.IsKworker
}
// GetPtraceTraceeIsThread returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeIsThread() bool {
- zeroValue := false
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return false
}
return ev.PTrace.Tracee.Process.IsThread
}
// GetPtraceTraceeParentArgs returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentArgs() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -10850,57 +10136,65 @@ func (ev *Event) GetPtraceTraceeParentArgs() string {
// GetPtraceTraceeParentArgsFlags returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentArgsFlags() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.PTrace.Tracee.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.PTrace.Tracee.Parent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.PTrace.Tracee.Parent)
}
// GetPtraceTraceeParentArgsOptions returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentArgsOptions() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.PTrace.Tracee.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.PTrace.Tracee.Parent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.PTrace.Tracee.Parent)
+}
+
+// GetPtraceTraceeParentArgsScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetPtraceTraceeParentArgsScrubbed() string {
+ if ev.GetEventType().String() != "ptrace" {
+ return ""
+ }
+ if ev.PTrace.Tracee == nil {
+ return ""
+ }
+ if ev.PTrace.Tracee.Parent == nil {
+ return ""
+ }
+ if !ev.PTrace.Tracee.HasParent() {
+ return ""
+ }
+ return ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, ev.PTrace.Tracee.Parent)
}
// GetPtraceTraceeParentArgsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentArgsTruncated() bool {
- zeroValue := false
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return false
}
if !ev.PTrace.Tracee.HasParent() {
return false
@@ -10910,36 +10204,31 @@ func (ev *Event) GetPtraceTraceeParentArgsTruncated() bool {
// GetPtraceTraceeParentArgv returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentArgv() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.PTrace.Tracee.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.PTrace.Tracee.Parent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgv(ev, ev.PTrace.Tracee.Parent)
}
// GetPtraceTraceeParentArgv0 returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentArgv0() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -10947,53 +10236,67 @@ func (ev *Event) GetPtraceTraceeParentArgv0() string {
return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.PTrace.Tracee.Parent)
}
-// GetPtraceTraceeParentCapEffective returns the value of the field, resolving if necessary
-func (ev *Event) GetPtraceTraceeParentCapEffective() uint64 {
- zeroValue := uint64(0)
+// GetPtraceTraceeParentArgvScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetPtraceTraceeParentArgvScrubbed() []string {
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.PTrace.Tracee.HasParent() {
- return uint64(0)
+ return []string{}
}
- return ev.PTrace.Tracee.Parent.Credentials.CapEffective
+ return ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.PTrace.Tracee.Parent)
}
-// GetPtraceTraceeParentCapPermitted returns the value of the field, resolving if necessary
-func (ev *Event) GetPtraceTraceeParentCapPermitted() uint64 {
- zeroValue := uint64(0)
+// GetPtraceTraceeParentCapEffective returns the value of the field, resolving if necessary
+func (ev *Event) GetPtraceTraceeParentCapEffective() uint64 {
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint64(0)
}
- return ev.PTrace.Tracee.Parent.Credentials.CapPermitted
+ return ev.PTrace.Tracee.Parent.Credentials.CapEffective
}
-// GetPtraceTraceeParentComm returns the value of the field, resolving if necessary
+// GetPtraceTraceeParentCapPermitted returns the value of the field, resolving if necessary
+func (ev *Event) GetPtraceTraceeParentCapPermitted() uint64 {
+ if ev.GetEventType().String() != "ptrace" {
+ return uint64(0)
+ }
+ if ev.PTrace.Tracee == nil {
+ return uint64(0)
+ }
+ if ev.PTrace.Tracee.Parent == nil {
+ return uint64(0)
+ }
+ if !ev.PTrace.Tracee.HasParent() {
+ return uint64(0)
+ }
+ return ev.PTrace.Tracee.Parent.Credentials.CapPermitted
+}
+
+// GetPtraceTraceeParentComm returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentComm() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11003,15 +10306,14 @@ func (ev *Event) GetPtraceTraceeParentComm() string {
// GetPtraceTraceeParentContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentContainerId() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11021,15 +10323,14 @@ func (ev *Event) GetPtraceTraceeParentContainerId() string {
// GetPtraceTraceeParentCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentCreatedAt() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return 0
}
if !ev.PTrace.Tracee.HasParent() {
return 0
@@ -11039,15 +10340,14 @@ func (ev *Event) GetPtraceTraceeParentCreatedAt() int {
// GetPtraceTraceeParentEgid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentEgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -11057,15 +10357,14 @@ func (ev *Event) GetPtraceTraceeParentEgid() uint32 {
// GetPtraceTraceeParentEgroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentEgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11074,60 +10373,49 @@ func (ev *Event) GetPtraceTraceeParentEgroup() string {
}
// GetPtraceTraceeParentEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetPtraceTraceeParentEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetPtraceTraceeParentEnvp() []string {
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.PTrace.Tracee.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvp(ev, ev.PTrace.Tracee.Parent)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.PTrace.Tracee.Parent)
}
// GetPtraceTraceeParentEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetPtraceTraceeParentEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetPtraceTraceeParentEnvs() []string {
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.PTrace.Tracee.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvs(ev, ev.PTrace.Tracee.Parent)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.PTrace.Tracee.Parent)
}
// GetPtraceTraceeParentEnvsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentEnvsTruncated() bool {
- zeroValue := false
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return false
}
if !ev.PTrace.Tracee.HasParent() {
return false
@@ -11137,15 +10425,14 @@ func (ev *Event) GetPtraceTraceeParentEnvsTruncated() bool {
// GetPtraceTraceeParentEuid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentEuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -11155,15 +10442,14 @@ func (ev *Event) GetPtraceTraceeParentEuid() uint32 {
// GetPtraceTraceeParentEuser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentEuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11173,15 +10459,14 @@ func (ev *Event) GetPtraceTraceeParentEuser() string {
// GetPtraceTraceeParentFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint64(0)
@@ -11194,15 +10479,14 @@ func (ev *Event) GetPtraceTraceeParentFileChangeTime() uint64 {
// GetPtraceTraceeParentFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11215,15 +10499,14 @@ func (ev *Event) GetPtraceTraceeParentFileFilesystem() string {
// GetPtraceTraceeParentFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -11236,15 +10519,14 @@ func (ev *Event) GetPtraceTraceeParentFileGid() uint32 {
// GetPtraceTraceeParentFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11257,15 +10539,14 @@ func (ev *Event) GetPtraceTraceeParentFileGroup() string {
// GetPtraceTraceeParentFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.PTrace.Tracee.HasParent() {
return []string{}
@@ -11273,23 +10554,19 @@ func (ev *Event) GetPtraceTraceeParentFileHashes() []string {
if !ev.PTrace.Tracee.Parent.IsNotKworker() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Parent.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Parent.FileEvent)
}
// GetPtraceTraceeParentFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return false
}
if !ev.PTrace.Tracee.HasParent() {
return false
@@ -11302,15 +10579,14 @@ func (ev *Event) GetPtraceTraceeParentFileInUpperLayer() bool {
// GetPtraceTraceeParentFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint64(0)
@@ -11323,15 +10599,14 @@ func (ev *Event) GetPtraceTraceeParentFileInode() uint64 {
// GetPtraceTraceeParentFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint16(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint16(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint16(0)
@@ -11344,15 +10619,14 @@ func (ev *Event) GetPtraceTraceeParentFileMode() uint16 {
// GetPtraceTraceeParentFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint64(0)
@@ -11365,15 +10639,14 @@ func (ev *Event) GetPtraceTraceeParentFileModificationTime() uint64 {
// GetPtraceTraceeParentFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -11386,15 +10659,14 @@ func (ev *Event) GetPtraceTraceeParentFileMountId() uint32 {
// GetPtraceTraceeParentFileName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11407,30 +10679,28 @@ func (ev *Event) GetPtraceTraceeParentFileName() string {
// GetPtraceTraceeParentFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.FileEvent))
}
// GetPtraceTraceeParentFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11443,15 +10713,14 @@ func (ev *Event) GetPtraceTraceeParentFilePackageName() string {
// GetPtraceTraceeParentFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11464,15 +10733,14 @@ func (ev *Event) GetPtraceTraceeParentFilePackageSourceVersion() string {
// GetPtraceTraceeParentFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11485,15 +10753,14 @@ func (ev *Event) GetPtraceTraceeParentFilePackageVersion() string {
// GetPtraceTraceeParentFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11506,30 +10773,28 @@ func (ev *Event) GetPtraceTraceeParentFilePath() string {
// GetPtraceTraceeParentFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.FileEvent))
}
// GetPtraceTraceeParentFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return 0
}
if !ev.PTrace.Tracee.HasParent() {
return 0
@@ -11542,15 +10807,14 @@ func (ev *Event) GetPtraceTraceeParentFileRights() int {
// GetPtraceTraceeParentFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -11563,15 +10827,14 @@ func (ev *Event) GetPtraceTraceeParentFileUid() uint32 {
// GetPtraceTraceeParentFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11584,15 +10847,14 @@ func (ev *Event) GetPtraceTraceeParentFileUser() string {
// GetPtraceTraceeParentFsgid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFsgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -11602,15 +10864,14 @@ func (ev *Event) GetPtraceTraceeParentFsgid() uint32 {
// GetPtraceTraceeParentFsgroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFsgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11620,15 +10881,14 @@ func (ev *Event) GetPtraceTraceeParentFsgroup() string {
// GetPtraceTraceeParentFsuid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFsuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -11638,15 +10898,14 @@ func (ev *Event) GetPtraceTraceeParentFsuid() uint32 {
// GetPtraceTraceeParentFsuser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentFsuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11656,15 +10915,14 @@ func (ev *Event) GetPtraceTraceeParentFsuser() string {
// GetPtraceTraceeParentGid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -11674,15 +10932,14 @@ func (ev *Event) GetPtraceTraceeParentGid() uint32 {
// GetPtraceTraceeParentGroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11692,15 +10949,14 @@ func (ev *Event) GetPtraceTraceeParentGroup() string {
// GetPtraceTraceeParentInterpreterFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint64(0)
@@ -11713,15 +10969,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileChangeTime() uint64 {
// GetPtraceTraceeParentInterpreterFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11734,15 +10989,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileFilesystem() string {
// GetPtraceTraceeParentInterpreterFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -11755,15 +11009,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileGid() uint32 {
// GetPtraceTraceeParentInterpreterFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11776,15 +11029,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileGroup() string {
// GetPtraceTraceeParentInterpreterFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.PTrace.Tracee.HasParent() {
return []string{}
@@ -11792,23 +11044,19 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileHashes() []string {
if !ev.PTrace.Tracee.Parent.HasInterpreter() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent)
}
// GetPtraceTraceeParentInterpreterFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return false
}
if !ev.PTrace.Tracee.HasParent() {
return false
@@ -11821,15 +11069,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileInUpperLayer() bool {
// GetPtraceTraceeParentInterpreterFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint64(0)
@@ -11842,15 +11089,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileInode() uint64 {
// GetPtraceTraceeParentInterpreterFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint16(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint16(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint16(0)
@@ -11863,15 +11109,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileMode() uint16 {
// GetPtraceTraceeParentInterpreterFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint64(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint64(0)
@@ -11884,15 +11129,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileModificationTime() uint64 {
// GetPtraceTraceeParentInterpreterFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -11905,15 +11149,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileMountId() uint32 {
// GetPtraceTraceeParentInterpreterFileName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11926,30 +11169,28 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileName() string {
// GetPtraceTraceeParentInterpreterFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent))
}
// GetPtraceTraceeParentInterpreterFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11962,15 +11203,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFilePackageName() string {
// GetPtraceTraceeParentInterpreterFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -11983,15 +11223,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFilePackageSourceVersion() stri
// GetPtraceTraceeParentInterpreterFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -12004,15 +11243,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFilePackageVersion() string {
// GetPtraceTraceeParentInterpreterFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -12025,30 +11263,28 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFilePath() string {
// GetPtraceTraceeParentInterpreterFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent))
}
// GetPtraceTraceeParentInterpreterFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return 0
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return 0
}
if !ev.PTrace.Tracee.HasParent() {
return 0
@@ -12061,15 +11297,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileRights() int {
// GetPtraceTraceeParentInterpreterFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -12082,15 +11317,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileUid() uint32 {
// GetPtraceTraceeParentInterpreterFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentInterpreterFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -12103,15 +11337,14 @@ func (ev *Event) GetPtraceTraceeParentInterpreterFileUser() string {
// GetPtraceTraceeParentIsKworker returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentIsKworker() bool {
- zeroValue := false
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return false
}
if !ev.PTrace.Tracee.HasParent() {
return false
@@ -12121,15 +11354,14 @@ func (ev *Event) GetPtraceTraceeParentIsKworker() bool {
// GetPtraceTraceeParentIsThread returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentIsThread() bool {
- zeroValue := false
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return false
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return false
}
if !ev.PTrace.Tracee.HasParent() {
return false
@@ -12139,15 +11371,14 @@ func (ev *Event) GetPtraceTraceeParentIsThread() bool {
// GetPtraceTraceeParentPid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentPid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -12157,15 +11388,14 @@ func (ev *Event) GetPtraceTraceeParentPid() uint32 {
// GetPtraceTraceeParentPpid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentPpid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -12175,15 +11405,14 @@ func (ev *Event) GetPtraceTraceeParentPpid() uint32 {
// GetPtraceTraceeParentTid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentTid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -12193,15 +11422,14 @@ func (ev *Event) GetPtraceTraceeParentTid() uint32 {
// GetPtraceTraceeParentTtyName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentTtyName() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -12211,15 +11439,14 @@ func (ev *Event) GetPtraceTraceeParentTtyName() string {
// GetPtraceTraceeParentUid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.PTrace.Tracee.HasParent() {
return uint32(0)
@@ -12229,15 +11456,14 @@ func (ev *Event) GetPtraceTraceeParentUid() uint32 {
// GetPtraceTraceeParentUser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -12247,36 +11473,31 @@ func (ev *Event) GetPtraceTraceeParentUser() string {
// GetPtraceTraceeParentUserSessionK8sGroups returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentUserSessionK8sGroups() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.PTrace.Tracee.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveK8SGroups(ev, &ev.PTrace.Tracee.Parent.UserSession)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.PTrace.Tracee.Parent.UserSession)
}
// GetPtraceTraceeParentUserSessionK8sUid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentUserSessionK8sUid() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -12286,15 +11507,14 @@ func (ev *Event) GetPtraceTraceeParentUserSessionK8sUid() string {
// GetPtraceTraceeParentUserSessionK8sUsername returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeParentUserSessionK8sUsername() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.PTrace.Tracee.HasParent() {
return ""
@@ -12304,1275 +11524,1121 @@ func (ev *Event) GetPtraceTraceeParentUserSessionK8sUsername() string {
// GetPtraceTraceePid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceePid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
return ev.PTrace.Tracee.Process.PIDContext.Pid
}
// GetPtraceTraceePpid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceePpid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
return ev.PTrace.Tracee.Process.PPid
}
// GetPtraceTraceeTid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeTid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
return ev.PTrace.Tracee.Process.PIDContext.Tid
}
// GetPtraceTraceeTtyName returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeTtyName() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
return ev.PTrace.Tracee.Process.TTYName
}
// GetPtraceTraceeUid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return uint32(0)
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return uint32(0)
}
return ev.PTrace.Tracee.Process.Credentials.UID
}
// GetPtraceTraceeUser returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
return ev.PTrace.Tracee.Process.Credentials.User
}
// GetPtraceTraceeUserSessionK8sGroups returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeUserSessionK8sGroups() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return []string{}
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveK8SGroups(ev, &ev.PTrace.Tracee.Process.UserSession)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.PTrace.Tracee.Process.UserSession)
}
// GetPtraceTraceeUserSessionK8sUid returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeUserSessionK8sUid() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveK8SUID(ev, &ev.PTrace.Tracee.Process.UserSession)
}
// GetPtraceTraceeUserSessionK8sUsername returns the value of the field, resolving if necessary
func (ev *Event) GetPtraceTraceeUserSessionK8sUsername() string {
- zeroValue := ""
if ev.GetEventType().String() != "ptrace" {
- return zeroValue
+ return ""
}
if ev.PTrace.Tracee == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.PTrace.Tracee.Process.UserSession)
}
// GetRemovexattrFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return uint64(0)
}
return ev.RemoveXAttr.File.FileFields.CTime
}
// GetRemovexattrFileDestinationName returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileDestinationName() string {
- zeroValue := ""
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveXAttrName(ev, &ev.RemoveXAttr)
}
// GetRemovexattrFileDestinationNamespace returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileDestinationNamespace() string {
- zeroValue := ""
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveXAttrNamespace(ev, &ev.RemoveXAttr)
}
// GetRemovexattrFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.RemoveXAttr.File)
}
// GetRemovexattrFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return uint32(0)
}
return ev.RemoveXAttr.File.FileFields.GID
}
// GetRemovexattrFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.RemoveXAttr.File.FileFields)
}
// GetRemovexattrFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.RemoveXAttr.File)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.RemoveXAttr.File)
}
// GetRemovexattrFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.RemoveXAttr.File.FileFields)
}
// GetRemovexattrFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return uint64(0)
}
return ev.RemoveXAttr.File.FileFields.PathKey.Inode
}
// GetRemovexattrFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return uint16(0)
}
return ev.RemoveXAttr.File.FileFields.Mode
}
// GetRemovexattrFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return uint64(0)
}
return ev.RemoveXAttr.File.FileFields.MTime
}
// GetRemovexattrFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return uint32(0)
}
return ev.RemoveXAttr.File.FileFields.PathKey.MountID
}
// GetRemovexattrFileName returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.RemoveXAttr.File)
}
// GetRemovexattrFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.RemoveXAttr.File))
}
// GetRemovexattrFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.RemoveXAttr.File)
}
// GetRemovexattrFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.RemoveXAttr.File)
}
// GetRemovexattrFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.RemoveXAttr.File)
}
// GetRemovexattrFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.RemoveXAttr.File)
}
// GetRemovexattrFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.RemoveXAttr.File))
}
// GetRemovexattrFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.RemoveXAttr.File.FileFields)
}
// GetRemovexattrFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return uint32(0)
}
return ev.RemoveXAttr.File.FileFields.UID
}
// GetRemovexattrFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.RemoveXAttr.File.FileFields)
}
// GetRemovexattrRetval returns the value of the field, resolving if necessary
func (ev *Event) GetRemovexattrRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "removexattr" {
- return zeroValue
+ return int64(0)
}
return ev.RemoveXAttr.SyscallEvent.Retval
}
// GetRenameFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint64(0)
}
return ev.Rename.Old.FileFields.CTime
}
// GetRenameFileDestinationChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint64(0)
}
return ev.Rename.New.FileFields.CTime
}
// GetRenameFileDestinationFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rename.New)
}
// GetRenameFileDestinationGid returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint32(0)
}
return ev.Rename.New.FileFields.GID
}
// GetRenameFileDestinationGroup returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rename.New.FileFields)
}
// GetRenameFileDestinationHashes returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rename.New)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rename.New)
}
// GetRenameFileDestinationInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rename.New.FileFields)
}
// GetRenameFileDestinationInode returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint64(0)
}
return ev.Rename.New.FileFields.PathKey.Inode
}
// GetRenameFileDestinationMode returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint16(0)
}
return ev.Rename.New.FileFields.Mode
}
// GetRenameFileDestinationModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint64(0)
}
return ev.Rename.New.FileFields.MTime
}
// GetRenameFileDestinationMountId returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint32(0)
}
return ev.Rename.New.FileFields.PathKey.MountID
}
// GetRenameFileDestinationName returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationName() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.New)
}
// GetRenameFileDestinationNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.New))
}
// GetRenameFileDestinationPackageName returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationPackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rename.New)
}
// GetRenameFileDestinationPackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationPackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rename.New)
}
// GetRenameFileDestinationPackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationPackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rename.New)
}
// GetRenameFileDestinationPath returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationPath() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.New)
}
// GetRenameFileDestinationPathLength returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationPathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.New))
}
// GetRenameFileDestinationRights returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.Rename.New.FileFields)
}
// GetRenameFileDestinationUid returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint32(0)
}
return ev.Rename.New.FileFields.UID
}
// GetRenameFileDestinationUser returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileDestinationUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rename.New.FileFields)
}
// GetRenameFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rename.Old)
}
// GetRenameFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint32(0)
}
return ev.Rename.Old.FileFields.GID
}
// GetRenameFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rename.Old.FileFields)
}
// GetRenameFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rename.Old)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rename.Old)
}
// GetRenameFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rename.Old.FileFields)
}
// GetRenameFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint64(0)
}
return ev.Rename.Old.FileFields.PathKey.Inode
}
// GetRenameFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint16(0)
}
return ev.Rename.Old.FileFields.Mode
}
// GetRenameFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint64(0)
}
return ev.Rename.Old.FileFields.MTime
}
// GetRenameFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint32(0)
}
return ev.Rename.Old.FileFields.PathKey.MountID
}
// GetRenameFileName returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.Old)
}
// GetRenameFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.Old))
}
// GetRenameFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rename.Old)
}
// GetRenameFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rename.Old)
}
// GetRenameFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rename.Old)
}
// GetRenameFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.Old)
}
// GetRenameFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.Old))
}
// GetRenameFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.Rename.Old.FileFields)
}
// GetRenameFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return uint32(0)
}
return ev.Rename.Old.FileFields.UID
}
// GetRenameFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetRenameFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rename.Old.FileFields)
}
// GetRenameRetval returns the value of the field, resolving if necessary
func (ev *Event) GetRenameRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "rename" {
- return zeroValue
+ return int64(0)
}
return ev.Rename.SyscallEvent.Retval
}
// GetRmdirFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return uint64(0)
}
return ev.Rmdir.File.FileFields.CTime
}
// GetRmdirFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rmdir.File)
}
// GetRmdirFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return uint32(0)
}
return ev.Rmdir.File.FileFields.GID
}
// GetRmdirFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rmdir.File.FileFields)
}
// GetRmdirFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rmdir.File)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rmdir.File)
}
// GetRmdirFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rmdir.File.FileFields)
}
// GetRmdirFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return uint64(0)
}
return ev.Rmdir.File.FileFields.PathKey.Inode
}
// GetRmdirFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return uint16(0)
}
return ev.Rmdir.File.FileFields.Mode
}
// GetRmdirFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return uint64(0)
}
return ev.Rmdir.File.FileFields.MTime
}
// GetRmdirFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return uint32(0)
}
return ev.Rmdir.File.FileFields.PathKey.MountID
}
// GetRmdirFileName returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rmdir.File)
}
// GetRmdirFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rmdir.File))
}
// GetRmdirFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rmdir.File)
}
// GetRmdirFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rmdir.File)
}
// GetRmdirFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rmdir.File)
}
// GetRmdirFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rmdir.File)
}
// GetRmdirFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Rmdir.File))
}
// GetRmdirFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.Rmdir.File.FileFields)
}
// GetRmdirFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return uint32(0)
}
return ev.Rmdir.File.FileFields.UID
}
// GetRmdirFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rmdir.File.FileFields)
}
// GetRmdirRetval returns the value of the field, resolving if necessary
func (ev *Event) GetRmdirRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "rmdir" {
- return zeroValue
+ return int64(0)
}
return ev.Rmdir.SyscallEvent.Retval
}
// GetSelinuxBoolName returns the value of the field, resolving if necessary
func (ev *Event) GetSelinuxBoolName() string {
- zeroValue := ""
if ev.GetEventType().String() != "selinux" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveSELinuxBoolName(ev, &ev.SELinux)
}
// GetSelinuxBoolState returns the value of the field, resolving if necessary
func (ev *Event) GetSelinuxBoolState() string {
- zeroValue := ""
if ev.GetEventType().String() != "selinux" {
- return zeroValue
+ return ""
}
return ev.SELinux.BoolChangeValue
}
// GetSelinuxBoolCommitState returns the value of the field, resolving if necessary
func (ev *Event) GetSelinuxBoolCommitState() bool {
- zeroValue := false
if ev.GetEventType().String() != "selinux" {
- return zeroValue
+ return false
}
return ev.SELinux.BoolCommitValue
}
// GetSelinuxEnforceStatus returns the value of the field, resolving if necessary
func (ev *Event) GetSelinuxEnforceStatus() string {
- zeroValue := ""
if ev.GetEventType().String() != "selinux" {
- return zeroValue
+ return ""
}
return ev.SELinux.EnforceStatus
}
// GetSetgidEgid returns the value of the field, resolving if necessary
func (ev *Event) GetSetgidEgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "setgid" {
- return zeroValue
+ return uint32(0)
}
return ev.SetGID.EGID
}
// GetSetgidEgroup returns the value of the field, resolving if necessary
func (ev *Event) GetSetgidEgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "setgid" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveSetgidEGroup(ev, &ev.SetGID)
}
// GetSetgidFsgid returns the value of the field, resolving if necessary
func (ev *Event) GetSetgidFsgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "setgid" {
- return zeroValue
+ return uint32(0)
}
return ev.SetGID.FSGID
}
// GetSetgidFsgroup returns the value of the field, resolving if necessary
func (ev *Event) GetSetgidFsgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "setgid" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveSetgidFSGroup(ev, &ev.SetGID)
}
// GetSetgidGid returns the value of the field, resolving if necessary
func (ev *Event) GetSetgidGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "setgid" {
- return zeroValue
+ return uint32(0)
}
return ev.SetGID.GID
}
// GetSetgidGroup returns the value of the field, resolving if necessary
func (ev *Event) GetSetgidGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "setgid" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveSetgidGroup(ev, &ev.SetGID)
}
// GetSetuidEuid returns the value of the field, resolving if necessary
func (ev *Event) GetSetuidEuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "setuid" {
- return zeroValue
+ return uint32(0)
}
return ev.SetUID.EUID
}
// GetSetuidEuser returns the value of the field, resolving if necessary
func (ev *Event) GetSetuidEuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "setuid" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveSetuidEUser(ev, &ev.SetUID)
}
// GetSetuidFsuid returns the value of the field, resolving if necessary
func (ev *Event) GetSetuidFsuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "setuid" {
- return zeroValue
+ return uint32(0)
}
return ev.SetUID.FSUID
}
// GetSetuidFsuser returns the value of the field, resolving if necessary
func (ev *Event) GetSetuidFsuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "setuid" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveSetuidFSUser(ev, &ev.SetUID)
}
// GetSetuidUid returns the value of the field, resolving if necessary
func (ev *Event) GetSetuidUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "setuid" {
- return zeroValue
+ return uint32(0)
}
return ev.SetUID.UID
}
// GetSetuidUser returns the value of the field, resolving if necessary
func (ev *Event) GetSetuidUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "setuid" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveSetuidUser(ev, &ev.SetUID)
}
// GetSetxattrFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return uint64(0)
}
return ev.SetXAttr.File.FileFields.CTime
}
// GetSetxattrFileDestinationName returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileDestinationName() string {
- zeroValue := ""
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveXAttrName(ev, &ev.SetXAttr)
}
// GetSetxattrFileDestinationNamespace returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileDestinationNamespace() string {
- zeroValue := ""
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveXAttrNamespace(ev, &ev.SetXAttr)
}
// GetSetxattrFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.SetXAttr.File)
}
// GetSetxattrFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return uint32(0)
}
return ev.SetXAttr.File.FileFields.GID
}
// GetSetxattrFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.SetXAttr.File.FileFields)
}
// GetSetxattrFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.SetXAttr.File)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.SetXAttr.File)
}
// GetSetxattrFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.SetXAttr.File.FileFields)
}
// GetSetxattrFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return uint64(0)
}
return ev.SetXAttr.File.FileFields.PathKey.Inode
}
// GetSetxattrFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return uint16(0)
}
return ev.SetXAttr.File.FileFields.Mode
}
// GetSetxattrFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return uint64(0)
}
return ev.SetXAttr.File.FileFields.MTime
}
// GetSetxattrFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return uint32(0)
}
return ev.SetXAttr.File.FileFields.PathKey.MountID
}
// GetSetxattrFileName returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.SetXAttr.File)
}
// GetSetxattrFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.SetXAttr.File))
}
// GetSetxattrFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.SetXAttr.File)
}
// GetSetxattrFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.SetXAttr.File)
}
// GetSetxattrFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.SetXAttr.File)
}
// GetSetxattrFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.SetXAttr.File)
}
// GetSetxattrFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.SetXAttr.File))
}
// GetSetxattrFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.SetXAttr.File.FileFields)
}
// GetSetxattrFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return uint32(0)
}
return ev.SetXAttr.File.FileFields.UID
}
// GetSetxattrFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.SetXAttr.File.FileFields)
}
// GetSetxattrRetval returns the value of the field, resolving if necessary
func (ev *Event) GetSetxattrRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "setxattr" {
- return zeroValue
+ return int64(0)
}
return ev.SetXAttr.SyscallEvent.Retval
}
// GetSignalPid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalPid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
return ev.Signal.PID
}
// GetSignalRetval returns the value of the field, resolving if necessary
func (ev *Event) GetSignalRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return int64(0)
}
return ev.Signal.SyscallEvent.Retval
}
// GetSignalTargetAncestorsArgs returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsArgs() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -13589,15 +12655,14 @@ func (ev *Event) GetSignalTargetAncestorsArgs() []string {
// GetSignalTargetAncestorsArgsFlags returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsArgsFlags() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -13614,15 +12679,14 @@ func (ev *Event) GetSignalTargetAncestorsArgsFlags() []string {
// GetSignalTargetAncestorsArgsOptions returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsArgsOptions() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -13637,17 +12701,40 @@ func (ev *Event) GetSignalTargetAncestorsArgsOptions() []string {
return values
}
+// GetSignalTargetAncestorsArgsScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetSignalTargetAncestorsArgsScrubbed() []string {
+ if ev.GetEventType().String() != "signal" {
+ return []string{}
+ }
+ if ev.Signal.Target == nil {
+ return []string{}
+ }
+ if ev.Signal.Target.Ancestor == nil {
+ return []string{}
+ }
+ var values []string
+ ctx := eval.NewContext(ev)
+ iterator := &ProcessAncestorsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := (*ProcessCacheEntry)(ptr)
+ result := ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, &element.ProcessContext.Process)
+ values = append(values, result)
+ ptr = iterator.Next()
+ }
+ return values
+}
+
// GetSignalTargetAncestorsArgsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsArgsTruncated() []bool {
- zeroValue := []bool{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []bool{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []bool{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -13664,15 +12751,14 @@ func (ev *Event) GetSignalTargetAncestorsArgsTruncated() []bool {
// GetSignalTargetAncestorsArgv returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsArgv() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -13680,7 +12766,7 @@ func (ev *Event) GetSignalTargetAncestorsArgv() []string {
ptr := iterator.Front(ctx)
for ptr != nil {
element := (*ProcessCacheEntry)(ptr)
- result := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &element.ProcessContext.Process)
+ result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process)
values = append(values, result...)
ptr = iterator.Next()
}
@@ -13689,15 +12775,14 @@ func (ev *Event) GetSignalTargetAncestorsArgv() []string {
// GetSignalTargetAncestorsArgv0 returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsArgv0() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -13712,17 +12797,40 @@ func (ev *Event) GetSignalTargetAncestorsArgv0() []string {
return values
}
+// GetSignalTargetAncestorsArgvScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetSignalTargetAncestorsArgvScrubbed() []string {
+ if ev.GetEventType().String() != "signal" {
+ return []string{}
+ }
+ if ev.Signal.Target == nil {
+ return []string{}
+ }
+ if ev.Signal.Target.Ancestor == nil {
+ return []string{}
+ }
+ var values []string
+ ctx := eval.NewContext(ev)
+ iterator := &ProcessAncestorsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := (*ProcessCacheEntry)(ptr)
+ result := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &element.ProcessContext.Process)
+ values = append(values, result...)
+ ptr = iterator.Next()
+ }
+ return values
+}
+
// GetSignalTargetAncestorsCapEffective returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsCapEffective() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -13739,15 +12847,14 @@ func (ev *Event) GetSignalTargetAncestorsCapEffective() []uint64 {
// GetSignalTargetAncestorsCapPermitted returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsCapPermitted() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -13764,15 +12871,14 @@ func (ev *Event) GetSignalTargetAncestorsCapPermitted() []uint64 {
// GetSignalTargetAncestorsComm returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsComm() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -13789,15 +12895,14 @@ func (ev *Event) GetSignalTargetAncestorsComm() []string {
// GetSignalTargetAncestorsContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsContainerId() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -13814,15 +12919,14 @@ func (ev *Event) GetSignalTargetAncestorsContainerId() []string {
// GetSignalTargetAncestorsCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsCreatedAt() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -13839,15 +12943,14 @@ func (ev *Event) GetSignalTargetAncestorsCreatedAt() []int {
// GetSignalTargetAncestorsEgid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsEgid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -13864,15 +12967,14 @@ func (ev *Event) GetSignalTargetAncestorsEgid() []uint32 {
// GetSignalTargetAncestorsEgroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsEgroup() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -13888,16 +12990,15 @@ func (ev *Event) GetSignalTargetAncestorsEgroup() []string {
}
// GetSignalTargetAncestorsEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetSignalTargetAncestorsEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetSignalTargetAncestorsEnvp() []string {
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -13906,7 +13007,6 @@ func (ev *Event) GetSignalTargetAncestorsEnvp(desiredKeys map[string]bool) []str
for ptr != nil {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process)
- result = filterEnvs(result, desiredKeys)
values = append(values, result...)
ptr = iterator.Next()
}
@@ -13914,16 +13014,15 @@ func (ev *Event) GetSignalTargetAncestorsEnvp(desiredKeys map[string]bool) []str
}
// GetSignalTargetAncestorsEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetSignalTargetAncestorsEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetSignalTargetAncestorsEnvs() []string {
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -13932,7 +13031,6 @@ func (ev *Event) GetSignalTargetAncestorsEnvs(desiredKeys map[string]bool) []str
for ptr != nil {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process)
- result = filterEnvs(result, desiredKeys)
values = append(values, result...)
ptr = iterator.Next()
}
@@ -13941,15 +13039,14 @@ func (ev *Event) GetSignalTargetAncestorsEnvs(desiredKeys map[string]bool) []str
// GetSignalTargetAncestorsEnvsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsEnvsTruncated() []bool {
- zeroValue := []bool{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []bool{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []bool{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -13966,15 +13063,14 @@ func (ev *Event) GetSignalTargetAncestorsEnvsTruncated() []bool {
// GetSignalTargetAncestorsEuid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsEuid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -13991,15 +13087,14 @@ func (ev *Event) GetSignalTargetAncestorsEuid() []uint32 {
// GetSignalTargetAncestorsEuser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsEuser() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14016,15 +13111,14 @@ func (ev *Event) GetSignalTargetAncestorsEuser() []string {
// GetSignalTargetAncestorsFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileChangeTime() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -14041,15 +13135,14 @@ func (ev *Event) GetSignalTargetAncestorsFileChangeTime() []uint64 {
// GetSignalTargetAncestorsFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileFilesystem() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14066,15 +13159,14 @@ func (ev *Event) GetSignalTargetAncestorsFileFilesystem() []string {
// GetSignalTargetAncestorsFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileGid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -14091,15 +13183,14 @@ func (ev *Event) GetSignalTargetAncestorsFileGid() []uint32 {
// GetSignalTargetAncestorsFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileGroup() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14116,15 +13207,14 @@ func (ev *Event) GetSignalTargetAncestorsFileGroup() []string {
// GetSignalTargetAncestorsFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14141,15 +13231,14 @@ func (ev *Event) GetSignalTargetAncestorsFileHashes() []string {
// GetSignalTargetAncestorsFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileInUpperLayer() []bool {
- zeroValue := []bool{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []bool{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []bool{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -14166,15 +13255,14 @@ func (ev *Event) GetSignalTargetAncestorsFileInUpperLayer() []bool {
// GetSignalTargetAncestorsFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileInode() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -14191,15 +13279,14 @@ func (ev *Event) GetSignalTargetAncestorsFileInode() []uint64 {
// GetSignalTargetAncestorsFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileMode() []uint16 {
- zeroValue := []uint16{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint16{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint16{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint16{}
}
var values []uint16
ctx := eval.NewContext(ev)
@@ -14216,15 +13303,14 @@ func (ev *Event) GetSignalTargetAncestorsFileMode() []uint16 {
// GetSignalTargetAncestorsFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileModificationTime() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -14241,15 +13327,14 @@ func (ev *Event) GetSignalTargetAncestorsFileModificationTime() []uint64 {
// GetSignalTargetAncestorsFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileMountId() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -14266,15 +13351,14 @@ func (ev *Event) GetSignalTargetAncestorsFileMountId() []uint32 {
// GetSignalTargetAncestorsFileName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileName() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14291,15 +13375,14 @@ func (ev *Event) GetSignalTargetAncestorsFileName() []string {
// GetSignalTargetAncestorsFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileNameLength() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -14316,15 +13399,14 @@ func (ev *Event) GetSignalTargetAncestorsFileNameLength() []int {
// GetSignalTargetAncestorsFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFilePackageName() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14341,15 +13423,14 @@ func (ev *Event) GetSignalTargetAncestorsFilePackageName() []string {
// GetSignalTargetAncestorsFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFilePackageSourceVersion() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14366,15 +13447,14 @@ func (ev *Event) GetSignalTargetAncestorsFilePackageSourceVersion() []string {
// GetSignalTargetAncestorsFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFilePackageVersion() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14391,15 +13471,14 @@ func (ev *Event) GetSignalTargetAncestorsFilePackageVersion() []string {
// GetSignalTargetAncestorsFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFilePath() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14416,15 +13495,14 @@ func (ev *Event) GetSignalTargetAncestorsFilePath() []string {
// GetSignalTargetAncestorsFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFilePathLength() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -14441,15 +13519,14 @@ func (ev *Event) GetSignalTargetAncestorsFilePathLength() []int {
// GetSignalTargetAncestorsFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileRights() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -14466,15 +13543,14 @@ func (ev *Event) GetSignalTargetAncestorsFileRights() []int {
// GetSignalTargetAncestorsFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileUid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -14491,15 +13567,14 @@ func (ev *Event) GetSignalTargetAncestorsFileUid() []uint32 {
// GetSignalTargetAncestorsFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFileUser() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14516,15 +13591,14 @@ func (ev *Event) GetSignalTargetAncestorsFileUser() []string {
// GetSignalTargetAncestorsFsgid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFsgid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -14541,15 +13615,14 @@ func (ev *Event) GetSignalTargetAncestorsFsgid() []uint32 {
// GetSignalTargetAncestorsFsgroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFsgroup() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14566,15 +13639,14 @@ func (ev *Event) GetSignalTargetAncestorsFsgroup() []string {
// GetSignalTargetAncestorsFsuid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFsuid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -14591,15 +13663,14 @@ func (ev *Event) GetSignalTargetAncestorsFsuid() []uint32 {
// GetSignalTargetAncestorsFsuser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsFsuser() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14616,15 +13687,14 @@ func (ev *Event) GetSignalTargetAncestorsFsuser() []string {
// GetSignalTargetAncestorsGid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsGid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -14641,15 +13711,14 @@ func (ev *Event) GetSignalTargetAncestorsGid() []uint32 {
// GetSignalTargetAncestorsGroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsGroup() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14666,15 +13735,14 @@ func (ev *Event) GetSignalTargetAncestorsGroup() []string {
// GetSignalTargetAncestorsInterpreterFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileChangeTime() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -14691,15 +13759,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileChangeTime() []uint64 {
// GetSignalTargetAncestorsInterpreterFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileFilesystem() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14716,15 +13783,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileFilesystem() []string {
// GetSignalTargetAncestorsInterpreterFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileGid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -14741,15 +13807,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileGid() []uint32 {
// GetSignalTargetAncestorsInterpreterFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileGroup() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14766,15 +13831,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileGroup() []string {
// GetSignalTargetAncestorsInterpreterFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14791,15 +13855,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileHashes() []string {
// GetSignalTargetAncestorsInterpreterFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileInUpperLayer() []bool {
- zeroValue := []bool{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []bool{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []bool{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -14816,15 +13879,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileInUpperLayer() []bool {
// GetSignalTargetAncestorsInterpreterFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileInode() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -14841,15 +13903,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileInode() []uint64 {
// GetSignalTargetAncestorsInterpreterFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileMode() []uint16 {
- zeroValue := []uint16{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint16{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint16{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint16{}
}
var values []uint16
ctx := eval.NewContext(ev)
@@ -14866,15 +13927,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileMode() []uint16 {
// GetSignalTargetAncestorsInterpreterFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileModificationTime() []uint64 {
- zeroValue := []uint64{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint64{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint64{}
}
var values []uint64
ctx := eval.NewContext(ev)
@@ -14891,15 +13951,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileModificationTime() []uin
// GetSignalTargetAncestorsInterpreterFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileMountId() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -14916,15 +13975,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileMountId() []uint32 {
// GetSignalTargetAncestorsInterpreterFileName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileName() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14941,15 +13999,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileName() []string {
// GetSignalTargetAncestorsInterpreterFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileNameLength() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -14966,15 +14023,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileNameLength() []int {
// GetSignalTargetAncestorsInterpreterFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFilePackageName() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -14991,15 +14047,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFilePackageName() []string {
// GetSignalTargetAncestorsInterpreterFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFilePackageSourceVersion() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -15016,15 +14071,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFilePackageSourceVersion() [
// GetSignalTargetAncestorsInterpreterFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFilePackageVersion() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -15041,15 +14095,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFilePackageVersion() []strin
// GetSignalTargetAncestorsInterpreterFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFilePath() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -15066,15 +14119,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFilePath() []string {
// GetSignalTargetAncestorsInterpreterFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFilePathLength() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -15091,15 +14143,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFilePathLength() []int {
// GetSignalTargetAncestorsInterpreterFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileRights() []int {
- zeroValue := []int{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []int{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -15116,15 +14167,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileRights() []int {
// GetSignalTargetAncestorsInterpreterFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileUid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -15141,15 +14191,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileUid() []uint32 {
// GetSignalTargetAncestorsInterpreterFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsInterpreterFileUser() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -15166,15 +14215,14 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileUser() []string {
// GetSignalTargetAncestorsIsKworker returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsIsKworker() []bool {
- zeroValue := []bool{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []bool{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []bool{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -15191,15 +14239,14 @@ func (ev *Event) GetSignalTargetAncestorsIsKworker() []bool {
// GetSignalTargetAncestorsIsThread returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsIsThread() []bool {
- zeroValue := []bool{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []bool{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []bool{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []bool{}
}
var values []bool
ctx := eval.NewContext(ev)
@@ -15216,15 +14263,14 @@ func (ev *Event) GetSignalTargetAncestorsIsThread() []bool {
// GetSignalTargetAncestorsPid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsPid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -15241,15 +14287,14 @@ func (ev *Event) GetSignalTargetAncestorsPid() []uint32 {
// GetSignalTargetAncestorsPpid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsPpid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -15266,15 +14311,14 @@ func (ev *Event) GetSignalTargetAncestorsPpid() []uint32 {
// GetSignalTargetAncestorsTid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsTid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -15291,15 +14335,14 @@ func (ev *Event) GetSignalTargetAncestorsTid() []uint32 {
// GetSignalTargetAncestorsTtyName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsTtyName() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -15316,15 +14359,14 @@ func (ev *Event) GetSignalTargetAncestorsTtyName() []string {
// GetSignalTargetAncestorsUid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsUid() []uint32 {
- zeroValue := []uint32{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []uint32{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -15341,15 +14383,14 @@ func (ev *Event) GetSignalTargetAncestorsUid() []uint32 {
// GetSignalTargetAncestorsUser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsUser() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -15366,15 +14407,14 @@ func (ev *Event) GetSignalTargetAncestorsUser() []string {
// GetSignalTargetAncestorsUserSessionK8sGroups returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsUserSessionK8sGroups() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -15391,15 +14431,14 @@ func (ev *Event) GetSignalTargetAncestorsUserSessionK8sGroups() []string {
// GetSignalTargetAncestorsUserSessionK8sUid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsUserSessionK8sUid() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -15416,15 +14455,14 @@ func (ev *Event) GetSignalTargetAncestorsUserSessionK8sUid() []string {
// GetSignalTargetAncestorsUserSessionK8sUsername returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetAncestorsUserSessionK8sUsername() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -15441,269 +14479,253 @@ func (ev *Event) GetSignalTargetAncestorsUserSessionK8sUsername() []string {
// GetSignalTargetArgs returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetArgs() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.Signal.Target.Process)
}
// GetSignalTargetArgsFlags returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetArgsFlags() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.Signal.Target.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.Signal.Target.Process)
}
// GetSignalTargetArgsOptions returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetArgsOptions() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
+ }
+ if ev.Signal.Target == nil {
+ return []string{}
+ }
+ return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.Signal.Target.Process)
+}
+
+// GetSignalTargetArgsScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetSignalTargetArgsScrubbed() string {
+ if ev.GetEventType().String() != "signal" {
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.Signal.Target.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, &ev.Signal.Target.Process)
}
// GetSignalTargetArgsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetArgsTruncated() bool {
- zeroValue := false
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return false
}
if ev.Signal.Target == nil {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.Signal.Target.Process)
}
// GetSignalTargetArgv returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetArgv() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &ev.Signal.Target.Process)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.Signal.Target.Process)
}
// GetSignalTargetArgv0 returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetArgv0() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.Signal.Target.Process)
}
+// GetSignalTargetArgvScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetSignalTargetArgvScrubbed() []string {
+ if ev.GetEventType().String() != "signal" {
+ return []string{}
+ }
+ if ev.Signal.Target == nil {
+ return []string{}
+ }
+ return ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &ev.Signal.Target.Process)
+}
+
// GetSignalTargetCapEffective returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetCapEffective() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
return ev.Signal.Target.Process.Credentials.CapEffective
}
// GetSignalTargetCapPermitted returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetCapPermitted() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
return ev.Signal.Target.Process.Credentials.CapPermitted
}
// GetSignalTargetComm returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetComm() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
return ev.Signal.Target.Process.Comm
}
// GetSignalTargetContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetContainerId() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
return ev.Signal.Target.Process.ContainerID
}
// GetSignalTargetCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetCreatedAt() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.Signal.Target.Process)
}
// GetSignalTargetEgid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetEgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Signal.Target.Process.Credentials.EGID
}
// GetSignalTargetEgroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetEgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
return ev.Signal.Target.Process.Credentials.EGroup
}
// GetSignalTargetEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetSignalTargetEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetSignalTargetEnvp() []string {
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.Signal.Target.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.Signal.Target.Process)
}
// GetSignalTargetEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetSignalTargetEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetSignalTargetEnvs() []string {
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.Signal.Target.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.Signal.Target.Process)
}
// GetSignalTargetEnvsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetEnvsTruncated() bool {
- zeroValue := false
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return false
}
if ev.Signal.Target == nil {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.Signal.Target.Process)
}
// GetSignalTargetEuid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetEuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Signal.Target.Process.Credentials.EUID
}
// GetSignalTargetEuser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetEuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
return ev.Signal.Target.Process.Credentials.EUser
}
// GetSignalTargetExecTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetExecTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return time.Time{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return time.Time{}
}
return ev.Signal.Target.Process.ExecTime
}
// GetSignalTargetExitTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetExitTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return time.Time{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return time.Time{}
}
return ev.Signal.Target.Process.ExitTime
}
// GetSignalTargetFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.Process.IsNotKworker() {
return uint64(0)
@@ -15713,12 +14735,11 @@ func (ev *Event) GetSignalTargetFileChangeTime() uint64 {
// GetSignalTargetFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.IsNotKworker() {
return ""
@@ -15728,12 +14749,11 @@ func (ev *Event) GetSignalTargetFileFilesystem() string {
// GetSignalTargetFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.Process.IsNotKworker() {
return uint32(0)
@@ -15743,12 +14763,11 @@ func (ev *Event) GetSignalTargetFileGid() uint32 {
// GetSignalTargetFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.IsNotKworker() {
return ""
@@ -15758,30 +14777,25 @@ func (ev *Event) GetSignalTargetFileGroup() string {
// GetSignalTargetFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if !ev.Signal.Target.Process.IsNotKworker() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Process.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Process.FileEvent)
}
// GetSignalTargetFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return false
}
if ev.Signal.Target == nil {
- return zeroValue
+ return false
}
if !ev.Signal.Target.Process.IsNotKworker() {
return false
@@ -15791,12 +14805,11 @@ func (ev *Event) GetSignalTargetFileInUpperLayer() bool {
// GetSignalTargetFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.Process.IsNotKworker() {
return uint64(0)
@@ -15806,12 +14819,11 @@ func (ev *Event) GetSignalTargetFileInode() uint64 {
// GetSignalTargetFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint16(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.Signal.Target.Process.IsNotKworker() {
return uint16(0)
@@ -15821,12 +14833,11 @@ func (ev *Event) GetSignalTargetFileMode() uint16 {
// GetSignalTargetFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.Process.IsNotKworker() {
return uint64(0)
@@ -15836,12 +14847,11 @@ func (ev *Event) GetSignalTargetFileModificationTime() uint64 {
// GetSignalTargetFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.Process.IsNotKworker() {
return uint32(0)
@@ -15851,12 +14861,11 @@ func (ev *Event) GetSignalTargetFileMountId() uint32 {
// GetSignalTargetFileName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.IsNotKworker() {
return ""
@@ -15866,24 +14875,22 @@ func (ev *Event) GetSignalTargetFileName() string {
// GetSignalTargetFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.FileEvent))
}
// GetSignalTargetFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.IsNotKworker() {
return ""
@@ -15893,12 +14900,11 @@ func (ev *Event) GetSignalTargetFilePackageName() string {
// GetSignalTargetFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.IsNotKworker() {
return ""
@@ -15908,12 +14914,11 @@ func (ev *Event) GetSignalTargetFilePackageSourceVersion() string {
// GetSignalTargetFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.IsNotKworker() {
return ""
@@ -15923,12 +14928,11 @@ func (ev *Event) GetSignalTargetFilePackageVersion() string {
// GetSignalTargetFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.IsNotKworker() {
return ""
@@ -15938,24 +14942,22 @@ func (ev *Event) GetSignalTargetFilePath() string {
// GetSignalTargetFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.FileEvent))
}
// GetSignalTargetFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
if !ev.Signal.Target.Process.IsNotKworker() {
return 0
@@ -15965,12 +14967,11 @@ func (ev *Event) GetSignalTargetFileRights() int {
// GetSignalTargetFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.Process.IsNotKworker() {
return uint32(0)
@@ -15980,12 +14981,11 @@ func (ev *Event) GetSignalTargetFileUid() uint32 {
// GetSignalTargetFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.IsNotKworker() {
return ""
@@ -15995,96 +14995,88 @@ func (ev *Event) GetSignalTargetFileUser() string {
// GetSignalTargetForkTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetForkTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return time.Time{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return time.Time{}
}
return ev.Signal.Target.Process.ForkTime
}
// GetSignalTargetFsgid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFsgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Signal.Target.Process.Credentials.FSGID
}
// GetSignalTargetFsgroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFsgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
return ev.Signal.Target.Process.Credentials.FSGroup
}
// GetSignalTargetFsuid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFsuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Signal.Target.Process.Credentials.FSUID
}
// GetSignalTargetFsuser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetFsuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
return ev.Signal.Target.Process.Credentials.FSUser
}
// GetSignalTargetGid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Signal.Target.Process.Credentials.GID
}
// GetSignalTargetGroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
return ev.Signal.Target.Process.Credentials.Group
}
// GetSignalTargetInterpreterFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.Process.HasInterpreter() {
return uint64(0)
@@ -16094,12 +15086,11 @@ func (ev *Event) GetSignalTargetInterpreterFileChangeTime() uint64 {
// GetSignalTargetInterpreterFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.HasInterpreter() {
return ""
@@ -16109,12 +15100,11 @@ func (ev *Event) GetSignalTargetInterpreterFileFilesystem() string {
// GetSignalTargetInterpreterFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.Process.HasInterpreter() {
return uint32(0)
@@ -16124,12 +15114,11 @@ func (ev *Event) GetSignalTargetInterpreterFileGid() uint32 {
// GetSignalTargetInterpreterFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.HasInterpreter() {
return ""
@@ -16139,30 +15128,25 @@ func (ev *Event) GetSignalTargetInterpreterFileGroup() string {
// GetSignalTargetInterpreterFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if !ev.Signal.Target.Process.HasInterpreter() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent)
}
// GetSignalTargetInterpreterFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return false
}
if ev.Signal.Target == nil {
- return zeroValue
+ return false
}
if !ev.Signal.Target.Process.HasInterpreter() {
return false
@@ -16172,12 +15156,11 @@ func (ev *Event) GetSignalTargetInterpreterFileInUpperLayer() bool {
// GetSignalTargetInterpreterFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.Process.HasInterpreter() {
return uint64(0)
@@ -16187,12 +15170,11 @@ func (ev *Event) GetSignalTargetInterpreterFileInode() uint64 {
// GetSignalTargetInterpreterFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint16(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.Signal.Target.Process.HasInterpreter() {
return uint16(0)
@@ -16202,12 +15184,11 @@ func (ev *Event) GetSignalTargetInterpreterFileMode() uint16 {
// GetSignalTargetInterpreterFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.Process.HasInterpreter() {
return uint64(0)
@@ -16217,12 +15198,11 @@ func (ev *Event) GetSignalTargetInterpreterFileModificationTime() uint64 {
// GetSignalTargetInterpreterFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.Process.HasInterpreter() {
return uint32(0)
@@ -16232,12 +15212,11 @@ func (ev *Event) GetSignalTargetInterpreterFileMountId() uint32 {
// GetSignalTargetInterpreterFileName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.HasInterpreter() {
return ""
@@ -16247,24 +15226,22 @@ func (ev *Event) GetSignalTargetInterpreterFileName() string {
// GetSignalTargetInterpreterFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent))
}
// GetSignalTargetInterpreterFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.HasInterpreter() {
return ""
@@ -16274,12 +15251,11 @@ func (ev *Event) GetSignalTargetInterpreterFilePackageName() string {
// GetSignalTargetInterpreterFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.HasInterpreter() {
return ""
@@ -16289,12 +15265,11 @@ func (ev *Event) GetSignalTargetInterpreterFilePackageSourceVersion() string {
// GetSignalTargetInterpreterFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.HasInterpreter() {
return ""
@@ -16304,12 +15279,11 @@ func (ev *Event) GetSignalTargetInterpreterFilePackageVersion() string {
// GetSignalTargetInterpreterFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.HasInterpreter() {
return ""
@@ -16319,24 +15293,22 @@ func (ev *Event) GetSignalTargetInterpreterFilePath() string {
// GetSignalTargetInterpreterFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent))
}
// GetSignalTargetInterpreterFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
if !ev.Signal.Target.Process.HasInterpreter() {
return 0
@@ -16346,12 +15318,11 @@ func (ev *Event) GetSignalTargetInterpreterFileRights() int {
// GetSignalTargetInterpreterFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.Process.HasInterpreter() {
return uint32(0)
@@ -16361,12 +15332,11 @@ func (ev *Event) GetSignalTargetInterpreterFileUid() uint32 {
// GetSignalTargetInterpreterFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetInterpreterFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.Process.HasInterpreter() {
return ""
@@ -16376,39 +15346,36 @@ func (ev *Event) GetSignalTargetInterpreterFileUser() string {
// GetSignalTargetIsKworker returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetIsKworker() bool {
- zeroValue := false
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return false
}
if ev.Signal.Target == nil {
- return zeroValue
+ return false
}
return ev.Signal.Target.Process.PIDContext.IsKworker
}
// GetSignalTargetIsThread returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetIsThread() bool {
- zeroValue := false
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return false
}
if ev.Signal.Target == nil {
- return zeroValue
+ return false
}
return ev.Signal.Target.Process.IsThread
}
// GetSignalTargetParentArgs returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentArgs() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -16418,57 +15385,65 @@ func (ev *Event) GetSignalTargetParentArgs() string {
// GetSignalTargetParentArgsFlags returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentArgsFlags() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.Signal.Target.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Signal.Target.Parent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Signal.Target.Parent)
}
// GetSignalTargetParentArgsOptions returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentArgsOptions() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.Signal.Target.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Signal.Target.Parent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Signal.Target.Parent)
+}
+
+// GetSignalTargetParentArgsScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetSignalTargetParentArgsScrubbed() string {
+ if ev.GetEventType().String() != "signal" {
+ return ""
+ }
+ if ev.Signal.Target == nil {
+ return ""
+ }
+ if ev.Signal.Target.Parent == nil {
+ return ""
+ }
+ if !ev.Signal.Target.HasParent() {
+ return ""
+ }
+ return ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, ev.Signal.Target.Parent)
}
// GetSignalTargetParentArgsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentArgsTruncated() bool {
- zeroValue := false
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return false
}
if ev.Signal.Target == nil {
- return zeroValue
+ return false
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return false
}
if !ev.Signal.Target.HasParent() {
return false
@@ -16478,36 +15453,31 @@ func (ev *Event) GetSignalTargetParentArgsTruncated() bool {
// GetSignalTargetParentArgv returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentArgv() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.Signal.Target.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.Signal.Target.Parent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Signal.Target.Parent)
}
// GetSignalTargetParentArgv0 returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentArgv0() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -16515,17 +15485,33 @@ func (ev *Event) GetSignalTargetParentArgv0() string {
return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Signal.Target.Parent)
}
+// GetSignalTargetParentArgvScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetSignalTargetParentArgvScrubbed() []string {
+ if ev.GetEventType().String() != "signal" {
+ return []string{}
+ }
+ if ev.Signal.Target == nil {
+ return []string{}
+ }
+ if ev.Signal.Target.Parent == nil {
+ return []string{}
+ }
+ if !ev.Signal.Target.HasParent() {
+ return []string{}
+ }
+ return ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.Signal.Target.Parent)
+}
+
// GetSignalTargetParentCapEffective returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentCapEffective() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.HasParent() {
return uint64(0)
@@ -16535,15 +15521,14 @@ func (ev *Event) GetSignalTargetParentCapEffective() uint64 {
// GetSignalTargetParentCapPermitted returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentCapPermitted() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.HasParent() {
return uint64(0)
@@ -16553,15 +15538,14 @@ func (ev *Event) GetSignalTargetParentCapPermitted() uint64 {
// GetSignalTargetParentComm returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentComm() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -16571,15 +15555,14 @@ func (ev *Event) GetSignalTargetParentComm() string {
// GetSignalTargetParentContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentContainerId() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -16589,15 +15572,14 @@ func (ev *Event) GetSignalTargetParentContainerId() string {
// GetSignalTargetParentCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentCreatedAt() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return 0
}
if !ev.Signal.Target.HasParent() {
return 0
@@ -16607,15 +15589,14 @@ func (ev *Event) GetSignalTargetParentCreatedAt() int {
// GetSignalTargetParentEgid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentEgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -16625,15 +15606,14 @@ func (ev *Event) GetSignalTargetParentEgid() uint32 {
// GetSignalTargetParentEgroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentEgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -16642,60 +15622,49 @@ func (ev *Event) GetSignalTargetParentEgroup() string {
}
// GetSignalTargetParentEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetSignalTargetParentEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetSignalTargetParentEnvp() []string {
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.Signal.Target.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Signal.Target.Parent)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Signal.Target.Parent)
}
// GetSignalTargetParentEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetSignalTargetParentEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetSignalTargetParentEnvs() []string {
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.Signal.Target.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Signal.Target.Parent)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Signal.Target.Parent)
}
// GetSignalTargetParentEnvsTruncated returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentEnvsTruncated() bool {
- zeroValue := false
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return false
}
if ev.Signal.Target == nil {
- return zeroValue
+ return false
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return false
}
if !ev.Signal.Target.HasParent() {
return false
@@ -16705,15 +15674,14 @@ func (ev *Event) GetSignalTargetParentEnvsTruncated() bool {
// GetSignalTargetParentEuid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentEuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -16723,15 +15691,14 @@ func (ev *Event) GetSignalTargetParentEuid() uint32 {
// GetSignalTargetParentEuser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentEuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -16741,15 +15708,14 @@ func (ev *Event) GetSignalTargetParentEuser() string {
// GetSignalTargetParentFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.HasParent() {
return uint64(0)
@@ -16762,15 +15728,14 @@ func (ev *Event) GetSignalTargetParentFileChangeTime() uint64 {
// GetSignalTargetParentFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -16783,15 +15748,14 @@ func (ev *Event) GetSignalTargetParentFileFilesystem() string {
// GetSignalTargetParentFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -16804,15 +15768,14 @@ func (ev *Event) GetSignalTargetParentFileGid() uint32 {
// GetSignalTargetParentFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -16825,15 +15788,14 @@ func (ev *Event) GetSignalTargetParentFileGroup() string {
// GetSignalTargetParentFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.Signal.Target.HasParent() {
return []string{}
@@ -16841,23 +15803,19 @@ func (ev *Event) GetSignalTargetParentFileHashes() []string {
if !ev.Signal.Target.Parent.IsNotKworker() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Parent.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Parent.FileEvent)
}
// GetSignalTargetParentFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return false
}
if ev.Signal.Target == nil {
- return zeroValue
+ return false
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return false
}
if !ev.Signal.Target.HasParent() {
return false
@@ -16870,15 +15828,14 @@ func (ev *Event) GetSignalTargetParentFileInUpperLayer() bool {
// GetSignalTargetParentFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.HasParent() {
return uint64(0)
@@ -16891,15 +15848,14 @@ func (ev *Event) GetSignalTargetParentFileInode() uint64 {
// GetSignalTargetParentFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint16(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint16(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.Signal.Target.HasParent() {
return uint16(0)
@@ -16912,15 +15868,14 @@ func (ev *Event) GetSignalTargetParentFileMode() uint16 {
// GetSignalTargetParentFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.HasParent() {
return uint64(0)
@@ -16933,15 +15888,14 @@ func (ev *Event) GetSignalTargetParentFileModificationTime() uint64 {
// GetSignalTargetParentFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -16954,15 +15908,14 @@ func (ev *Event) GetSignalTargetParentFileMountId() uint32 {
// GetSignalTargetParentFileName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -16975,30 +15928,28 @@ func (ev *Event) GetSignalTargetParentFileName() string {
// GetSignalTargetParentFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.FileEvent))
}
// GetSignalTargetParentFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17011,15 +15962,14 @@ func (ev *Event) GetSignalTargetParentFilePackageName() string {
// GetSignalTargetParentFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17032,15 +15982,14 @@ func (ev *Event) GetSignalTargetParentFilePackageSourceVersion() string {
// GetSignalTargetParentFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17053,15 +16002,14 @@ func (ev *Event) GetSignalTargetParentFilePackageVersion() string {
// GetSignalTargetParentFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17074,30 +16022,28 @@ func (ev *Event) GetSignalTargetParentFilePath() string {
// GetSignalTargetParentFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.FileEvent))
}
// GetSignalTargetParentFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return 0
}
if !ev.Signal.Target.HasParent() {
return 0
@@ -17110,15 +16056,14 @@ func (ev *Event) GetSignalTargetParentFileRights() int {
// GetSignalTargetParentFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -17131,15 +16076,14 @@ func (ev *Event) GetSignalTargetParentFileUid() uint32 {
// GetSignalTargetParentFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17152,15 +16096,14 @@ func (ev *Event) GetSignalTargetParentFileUser() string {
// GetSignalTargetParentFsgid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFsgid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -17170,15 +16113,14 @@ func (ev *Event) GetSignalTargetParentFsgid() uint32 {
// GetSignalTargetParentFsgroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFsgroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17188,15 +16130,14 @@ func (ev *Event) GetSignalTargetParentFsgroup() string {
// GetSignalTargetParentFsuid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFsuid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -17206,15 +16147,14 @@ func (ev *Event) GetSignalTargetParentFsuid() uint32 {
// GetSignalTargetParentFsuser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentFsuser() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17224,15 +16164,14 @@ func (ev *Event) GetSignalTargetParentFsuser() string {
// GetSignalTargetParentGid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -17242,15 +16181,14 @@ func (ev *Event) GetSignalTargetParentGid() uint32 {
// GetSignalTargetParentGroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17260,15 +16198,14 @@ func (ev *Event) GetSignalTargetParentGroup() string {
// GetSignalTargetParentInterpreterFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.HasParent() {
return uint64(0)
@@ -17281,15 +16218,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFileChangeTime() uint64 {
// GetSignalTargetParentInterpreterFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17302,15 +16238,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFileFilesystem() string {
// GetSignalTargetParentInterpreterFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -17323,15 +16258,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFileGid() uint32 {
// GetSignalTargetParentInterpreterFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17344,15 +16278,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFileGroup() string {
// GetSignalTargetParentInterpreterFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.Signal.Target.HasParent() {
return []string{}
@@ -17360,23 +16293,19 @@ func (ev *Event) GetSignalTargetParentInterpreterFileHashes() []string {
if !ev.Signal.Target.Parent.HasInterpreter() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent)
}
// GetSignalTargetParentInterpreterFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return false
}
if ev.Signal.Target == nil {
- return zeroValue
+ return false
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return false
}
if !ev.Signal.Target.HasParent() {
return false
@@ -17389,15 +16318,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFileInUpperLayer() bool {
// GetSignalTargetParentInterpreterFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.HasParent() {
return uint64(0)
@@ -17410,15 +16338,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFileInode() uint64 {
// GetSignalTargetParentInterpreterFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint16(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint16(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint16(0)
}
if !ev.Signal.Target.HasParent() {
return uint16(0)
@@ -17431,15 +16358,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFileMode() uint16 {
// GetSignalTargetParentInterpreterFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint64(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint64(0)
}
if !ev.Signal.Target.HasParent() {
return uint64(0)
@@ -17452,15 +16378,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFileModificationTime() uint64 {
// GetSignalTargetParentInterpreterFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -17473,15 +16398,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFileMountId() uint32 {
// GetSignalTargetParentInterpreterFileName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17494,30 +16418,28 @@ func (ev *Event) GetSignalTargetParentInterpreterFileName() string {
// GetSignalTargetParentInterpreterFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent))
}
// GetSignalTargetParentInterpreterFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17530,15 +16452,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFilePackageName() string {
// GetSignalTargetParentInterpreterFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17551,15 +16472,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFilePackageSourceVersion() stri
// GetSignalTargetParentInterpreterFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17572,15 +16492,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFilePackageVersion() string {
// GetSignalTargetParentInterpreterFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17593,30 +16512,28 @@ func (ev *Event) GetSignalTargetParentInterpreterFilePath() string {
// GetSignalTargetParentInterpreterFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent))
}
// GetSignalTargetParentInterpreterFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return 0
}
if ev.Signal.Target == nil {
- return zeroValue
+ return 0
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return 0
}
if !ev.Signal.Target.HasParent() {
return 0
@@ -17629,15 +16546,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFileRights() int {
// GetSignalTargetParentInterpreterFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -17650,15 +16566,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFileUid() uint32 {
// GetSignalTargetParentInterpreterFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentInterpreterFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17671,15 +16586,14 @@ func (ev *Event) GetSignalTargetParentInterpreterFileUser() string {
// GetSignalTargetParentIsKworker returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentIsKworker() bool {
- zeroValue := false
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return false
}
if ev.Signal.Target == nil {
- return zeroValue
+ return false
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return false
}
if !ev.Signal.Target.HasParent() {
return false
@@ -17689,15 +16603,14 @@ func (ev *Event) GetSignalTargetParentIsKworker() bool {
// GetSignalTargetParentIsThread returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentIsThread() bool {
- zeroValue := false
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return false
}
if ev.Signal.Target == nil {
- return zeroValue
+ return false
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return false
}
if !ev.Signal.Target.HasParent() {
return false
@@ -17707,15 +16620,14 @@ func (ev *Event) GetSignalTargetParentIsThread() bool {
// GetSignalTargetParentPid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentPid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -17725,15 +16637,14 @@ func (ev *Event) GetSignalTargetParentPid() uint32 {
// GetSignalTargetParentPpid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentPpid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -17743,15 +16654,14 @@ func (ev *Event) GetSignalTargetParentPpid() uint32 {
// GetSignalTargetParentTid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentTid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -17761,15 +16671,14 @@ func (ev *Event) GetSignalTargetParentTid() uint32 {
// GetSignalTargetParentTtyName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentTtyName() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17779,15 +16688,14 @@ func (ev *Event) GetSignalTargetParentTtyName() string {
// GetSignalTargetParentUid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.Signal.Target.HasParent() {
return uint32(0)
@@ -17797,15 +16705,14 @@ func (ev *Event) GetSignalTargetParentUid() uint32 {
// GetSignalTargetParentUser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17815,36 +16722,31 @@ func (ev *Event) GetSignalTargetParentUser() string {
// GetSignalTargetParentUserSessionK8sGroups returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentUserSessionK8sGroups() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.Signal.Target.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Signal.Target.Parent.UserSession)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Signal.Target.Parent.UserSession)
}
// GetSignalTargetParentUserSessionK8sUid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentUserSessionK8sUid() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17854,15 +16756,14 @@ func (ev *Event) GetSignalTargetParentUserSessionK8sUid() string {
// GetSignalTargetParentUserSessionK8sUsername returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetParentUserSessionK8sUsername() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
if ev.Signal.Target.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.Signal.Target.HasParent() {
return ""
@@ -17872,746 +16773,656 @@ func (ev *Event) GetSignalTargetParentUserSessionK8sUsername() string {
// GetSignalTargetPid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetPid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Signal.Target.Process.PIDContext.Pid
}
// GetSignalTargetPpid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetPpid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Signal.Target.Process.PPid
}
// GetSignalTargetTid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetTid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Signal.Target.Process.PIDContext.Tid
}
// GetSignalTargetTtyName returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetTtyName() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
return ev.Signal.Target.Process.TTYName
}
// GetSignalTargetUid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
if ev.Signal.Target == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Signal.Target.Process.Credentials.UID
}
// GetSignalTargetUser returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
return ev.Signal.Target.Process.Credentials.User
}
// GetSignalTargetUserSessionK8sGroups returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetUserSessionK8sGroups() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return []string{}
}
if ev.Signal.Target == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Signal.Target.Process.UserSession)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Signal.Target.Process.UserSession)
}
// GetSignalTargetUserSessionK8sUid returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetUserSessionK8sUid() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Signal.Target.Process.UserSession)
}
// GetSignalTargetUserSessionK8sUsername returns the value of the field, resolving if necessary
func (ev *Event) GetSignalTargetUserSessionK8sUsername() string {
- zeroValue := ""
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return ""
}
if ev.Signal.Target == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Signal.Target.Process.UserSession)
}
// GetSignalType returns the value of the field, resolving if necessary
func (ev *Event) GetSignalType() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "signal" {
- return zeroValue
+ return uint32(0)
}
return ev.Signal.Type
}
// GetSpliceFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return uint64(0)
}
return ev.Splice.File.FileFields.CTime
}
// GetSpliceFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Splice.File)
}
// GetSpliceFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return uint32(0)
}
return ev.Splice.File.FileFields.GID
}
// GetSpliceFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Splice.File.FileFields)
}
// GetSpliceFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Splice.File)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Splice.File)
}
// GetSpliceFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Splice.File.FileFields)
}
// GetSpliceFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return uint64(0)
}
return ev.Splice.File.FileFields.PathKey.Inode
}
// GetSpliceFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return uint16(0)
}
return ev.Splice.File.FileFields.Mode
}
// GetSpliceFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return uint64(0)
}
return ev.Splice.File.FileFields.MTime
}
// GetSpliceFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return uint32(0)
}
return ev.Splice.File.FileFields.PathKey.MountID
}
// GetSpliceFileName returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Splice.File)
}
// GetSpliceFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Splice.File))
}
// GetSpliceFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.Splice.File)
}
// GetSpliceFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Splice.File)
}
// GetSpliceFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Splice.File)
}
// GetSpliceFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Splice.File)
}
// GetSpliceFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Splice.File))
}
// GetSpliceFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.Splice.File.FileFields)
}
// GetSpliceFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return uint32(0)
}
return ev.Splice.File.FileFields.UID
}
// GetSpliceFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Splice.File.FileFields)
}
// GetSplicePipeEntryFlag returns the value of the field, resolving if necessary
func (ev *Event) GetSplicePipeEntryFlag() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return uint32(0)
}
return ev.Splice.PipeEntryFlag
}
// GetSplicePipeExitFlag returns the value of the field, resolving if necessary
func (ev *Event) GetSplicePipeExitFlag() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return uint32(0)
}
return ev.Splice.PipeExitFlag
}
// GetSpliceRetval returns the value of the field, resolving if necessary
func (ev *Event) GetSpliceRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "splice" {
- return zeroValue
+ return int64(0)
}
return ev.Splice.SyscallEvent.Retval
}
// GetTimestamp returns the value of the field, resolving if necessary
func (ev *Event) GetTimestamp() time.Time {
- return ev.FieldHandlers.ResolveEventTime(ev)
+ return ev.FieldHandlers.ResolveEventTime(ev, &ev.BaseEvent)
}
// GetUnlinkFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return uint64(0)
}
return ev.Unlink.File.FileFields.CTime
}
// GetUnlinkFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Unlink.File)
}
// GetUnlinkFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return uint32(0)
}
return ev.Unlink.File.FileFields.GID
}
// GetUnlinkFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Unlink.File.FileFields)
}
// GetUnlinkFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Unlink.File)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Unlink.File)
}
// GetUnlinkFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Unlink.File.FileFields)
}
// GetUnlinkFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return uint64(0)
}
return ev.Unlink.File.FileFields.PathKey.Inode
}
// GetUnlinkFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return uint16(0)
}
return ev.Unlink.File.FileFields.Mode
}
// GetUnlinkFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return uint64(0)
}
return ev.Unlink.File.FileFields.MTime
}
// GetUnlinkFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return uint32(0)
}
return ev.Unlink.File.FileFields.PathKey.MountID
}
// GetUnlinkFileName returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Unlink.File)
}
// GetUnlinkFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Unlink.File))
}
// GetUnlinkFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.Unlink.File)
}
// GetUnlinkFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Unlink.File)
}
// GetUnlinkFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Unlink.File)
}
// GetUnlinkFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Unlink.File)
}
// GetUnlinkFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Unlink.File))
}
// GetUnlinkFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.Unlink.File.FileFields)
}
// GetUnlinkFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return uint32(0)
}
return ev.Unlink.File.FileFields.UID
}
// GetUnlinkFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Unlink.File.FileFields)
}
// GetUnlinkFlags returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkFlags() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return uint32(0)
}
return ev.Unlink.Flags
}
// GetUnlinkRetval returns the value of the field, resolving if necessary
func (ev *Event) GetUnlinkRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "unlink" {
- return zeroValue
+ return int64(0)
}
return ev.Unlink.SyscallEvent.Retval
}
// GetUnloadModuleName returns the value of the field, resolving if necessary
func (ev *Event) GetUnloadModuleName() string {
- zeroValue := ""
if ev.GetEventType().String() != "unload_module" {
- return zeroValue
+ return ""
}
return ev.UnloadModule.Name
}
// GetUnloadModuleRetval returns the value of the field, resolving if necessary
func (ev *Event) GetUnloadModuleRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "unload_module" {
- return zeroValue
+ return int64(0)
}
return ev.UnloadModule.SyscallEvent.Retval
}
// GetUtimesFileChangeTime returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileChangeTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return uint64(0)
}
return ev.Utimes.File.FileFields.CTime
}
// GetUtimesFileFilesystem returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileFilesystem() string {
- zeroValue := ""
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Utimes.File)
}
// GetUtimesFileGid returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileGid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return uint32(0)
}
return ev.Utimes.File.FileFields.GID
}
// GetUtimesFileGroup returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileGroup() string {
- zeroValue := ""
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Utimes.File.FileFields)
}
// GetUtimesFileHashes returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileHashes() []string {
- zeroValue := []string{}
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Utimes.File)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Utimes.File)
}
// GetUtimesFileInUpperLayer returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileInUpperLayer() bool {
- zeroValue := false
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return false
}
return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Utimes.File.FileFields)
}
// GetUtimesFileInode returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileInode() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return uint64(0)
}
return ev.Utimes.File.FileFields.PathKey.Inode
}
// GetUtimesFileMode returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileMode() uint16 {
- zeroValue := uint16(0)
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return uint16(0)
}
return ev.Utimes.File.FileFields.Mode
}
// GetUtimesFileModificationTime returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileModificationTime() uint64 {
- zeroValue := uint64(0)
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return uint64(0)
}
return ev.Utimes.File.FileFields.MTime
}
// GetUtimesFileMountId returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileMountId() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return uint32(0)
}
return ev.Utimes.File.FileFields.PathKey.MountID
}
// GetUtimesFileName returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Utimes.File)
}
// GetUtimesFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Utimes.File))
}
// GetUtimesFilePackageName returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFilePackageName() string {
- zeroValue := ""
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageName(ev, &ev.Utimes.File)
}
// GetUtimesFilePackageSourceVersion returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFilePackageSourceVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Utimes.File)
}
// GetUtimesFilePackageVersion returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFilePackageVersion() string {
- zeroValue := ""
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Utimes.File)
}
// GetUtimesFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Utimes.File)
}
// GetUtimesFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Utimes.File))
}
// GetUtimesFileRights returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileRights() int {
- zeroValue := 0
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveRights(ev, &ev.Utimes.File.FileFields)
}
// GetUtimesFileUid returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileUid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return uint32(0)
}
return ev.Utimes.File.FileFields.UID
}
// GetUtimesFileUser returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesFileUser() string {
- zeroValue := ""
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Utimes.File.FileFields)
}
// GetUtimesRetval returns the value of the field, resolving if necessary
func (ev *Event) GetUtimesRetval() int64 {
- zeroValue := int64(0)
if ev.GetEventType().String() != "utimes" {
- return zeroValue
+ return int64(0)
}
return ev.Utimes.SyscallEvent.Retval
}
diff --git a/pkg/security/secl/model/field_accessors_windows.go b/pkg/security/secl/model/field_accessors_windows.go
index 244edd70aea1e..81b18240742d2 100644
--- a/pkg/security/secl/model/field_accessors_windows.go
+++ b/pkg/security/secl/model/field_accessors_windows.go
@@ -11,38 +11,31 @@ package model
import (
"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
- "net"
"time"
)
// GetContainerCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetContainerCreatedAt() int {
- zeroValue := 0
if ev.BaseEvent.ContainerContext == nil {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.BaseEvent.ContainerContext)
}
// GetContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetContainerId() string {
- zeroValue := ""
if ev.BaseEvent.ContainerContext == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveContainerID(ev, ev.BaseEvent.ContainerContext)
}
// GetContainerTags returns the value of the field, resolving if necessary
func (ev *Event) GetContainerTags() []string {
- zeroValue := []string{}
if ev.BaseEvent.ContainerContext == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext)
}
// GetEventTimestamp returns the value of the field, resolving if necessary
@@ -52,421 +45,356 @@ func (ev *Event) GetEventTimestamp() int {
// GetExecCmdline returns the value of the field, resolving if necessary
func (ev *Event) GetExecCmdline() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
+ }
+ if ev.Exec.Process == nil {
+ return ""
+ }
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exec.Process)
+}
+
+// GetExecCmdlineScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetExecCmdlineScrubbed() string {
+ if ev.GetEventType().String() != "exec" {
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
- return ev.Exec.Process.CmdLine
+ return ev.FieldHandlers.ResolveProcessCmdLineScrubbed(ev, ev.Exec.Process)
}
// GetExecContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetExecContainerId() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exec.Process.ContainerID
}
// GetExecCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetExecCreatedAt() int {
- zeroValue := 0
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return 0
}
if ev.Exec.Process == nil {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exec.Process)
}
// GetExecEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetExecEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetExecEnvp() []string {
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return []string{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process)
}
// GetExecEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetExecEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetExecEnvs() []string {
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return []string{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process)
}
// GetExecExecTime returns the value of the field, resolving if necessary
func (ev *Event) GetExecExecTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return time.Time{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return time.Time{}
}
return ev.Exec.Process.ExecTime
}
// GetExecExitTime returns the value of the field, resolving if necessary
func (ev *Event) GetExecExitTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return time.Time{}
}
if ev.Exec.Process == nil {
- return zeroValue
+ return time.Time{}
}
return ev.Exec.Process.ExitTime
}
// GetExecFileName returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent)
}
// GetExecFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetExecFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return 0
}
if ev.Exec.Process == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent))
}
// GetExecFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetExecFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return ""
}
if ev.Exec.Process == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent)
}
// GetExecFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetExecFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return 0
}
if ev.Exec.Process == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent))
}
// GetExecPid returns the value of the field, resolving if necessary
func (ev *Event) GetExecPid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exec.Process.PIDContext.Pid
}
// GetExecPpid returns the value of the field, resolving if necessary
func (ev *Event) GetExecPpid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exec" {
- return zeroValue
+ return uint32(0)
}
if ev.Exec.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exec.Process.PPid
}
// GetExitCause returns the value of the field, resolving if necessary
func (ev *Event) GetExitCause() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Cause
}
// GetExitCmdline returns the value of the field, resolving if necessary
func (ev *Event) GetExitCmdline() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
+ }
+ if ev.Exit.Process == nil {
+ return ""
+ }
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exit.Process)
+}
+
+// GetExitCmdlineScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetExitCmdlineScrubbed() string {
+ if ev.GetEventType().String() != "exit" {
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
- return ev.Exit.Process.CmdLine
+ return ev.FieldHandlers.ResolveProcessCmdLineScrubbed(ev, ev.Exit.Process)
}
// GetExitCode returns the value of the field, resolving if necessary
func (ev *Event) GetExitCode() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Code
}
// GetExitContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetExitContainerId() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.Exit.Process.ContainerID
}
// GetExitCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetExitCreatedAt() int {
- zeroValue := 0
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return 0
}
if ev.Exit.Process == nil {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exit.Process)
}
// GetExitEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetExitEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetExitEnvp() []string {
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return []string{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process)
}
// GetExitEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetExitEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetExitEnvs() []string {
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return []string{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process)
}
// GetExitExecTime returns the value of the field, resolving if necessary
func (ev *Event) GetExitExecTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return time.Time{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return time.Time{}
}
return ev.Exit.Process.ExecTime
}
// GetExitExitTime returns the value of the field, resolving if necessary
func (ev *Event) GetExitExitTime() time.Time {
- zeroValue := time.Time{}
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return time.Time{}
}
if ev.Exit.Process == nil {
- return zeroValue
+ return time.Time{}
}
return ev.Exit.Process.ExitTime
}
// GetExitFileName returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileName() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent)
}
// GetExitFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetExitFileNameLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return 0
}
if ev.Exit.Process == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent))
}
// GetExitFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetExitFilePath() string {
- zeroValue := ""
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return ""
}
if ev.Exit.Process == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent)
}
// GetExitFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetExitFilePathLength() int {
- zeroValue := 0
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return 0
}
if ev.Exit.Process == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent))
}
// GetExitPid returns the value of the field, resolving if necessary
func (ev *Event) GetExitPid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Process.PIDContext.Pid
}
// GetExitPpid returns the value of the field, resolving if necessary
func (ev *Event) GetExitPpid() uint32 {
- zeroValue := uint32(0)
if ev.GetEventType().String() != "exit" {
- return zeroValue
+ return uint32(0)
}
if ev.Exit.Process == nil {
- return zeroValue
+ return uint32(0)
}
return ev.Exit.Process.PPid
}
-// GetNetworkDestinationIp returns the value of the field, resolving if necessary
-func (ev *Event) GetNetworkDestinationIp() net.IPNet {
- zeroValue := net.IPNet{}
- if ev.GetEventType().String() != "dns" {
- return zeroValue
- }
- return ev.BaseEvent.NetworkContext.Destination.IPNet
-}
-
-// GetNetworkDestinationPort returns the value of the field, resolving if necessary
-func (ev *Event) GetNetworkDestinationPort() uint16 {
- zeroValue := uint16(0)
- if ev.GetEventType().String() != "dns" {
- return zeroValue
- }
- return ev.BaseEvent.NetworkContext.Destination.Port
-}
-
-// GetNetworkL3Protocol returns the value of the field, resolving if necessary
-func (ev *Event) GetNetworkL3Protocol() uint16 {
- zeroValue := uint16(0)
- if ev.GetEventType().String() != "dns" {
- return zeroValue
- }
- return ev.BaseEvent.NetworkContext.L3Protocol
-}
-
-// GetNetworkL4Protocol returns the value of the field, resolving if necessary
-func (ev *Event) GetNetworkL4Protocol() uint16 {
- zeroValue := uint16(0)
- if ev.GetEventType().String() != "dns" {
- return zeroValue
- }
- return ev.BaseEvent.NetworkContext.L4Protocol
-}
-
-// GetNetworkSize returns the value of the field, resolving if necessary
-func (ev *Event) GetNetworkSize() uint32 {
- zeroValue := uint32(0)
- if ev.GetEventType().String() != "dns" {
- return zeroValue
+// GetProcessAncestorsCmdline returns the value of the field, resolving if necessary
+func (ev *Event) GetProcessAncestorsCmdline() []string {
+ if ev.BaseEvent.ProcessContext == nil {
+ return []string{}
}
- return ev.BaseEvent.NetworkContext.Size
-}
-
-// GetNetworkSourceIp returns the value of the field, resolving if necessary
-func (ev *Event) GetNetworkSourceIp() net.IPNet {
- zeroValue := net.IPNet{}
- if ev.GetEventType().String() != "dns" {
- return zeroValue
+ if ev.BaseEvent.ProcessContext.Ancestor == nil {
+ return []string{}
}
- return ev.BaseEvent.NetworkContext.Source.IPNet
-}
-
-// GetNetworkSourcePort returns the value of the field, resolving if necessary
-func (ev *Event) GetNetworkSourcePort() uint16 {
- zeroValue := uint16(0)
- if ev.GetEventType().String() != "dns" {
- return zeroValue
+ var values []string
+ ctx := eval.NewContext(ev)
+ iterator := &ProcessAncestorsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := (*ProcessCacheEntry)(ptr)
+ result := ev.FieldHandlers.ResolveProcessCmdLine(ev, &element.ProcessContext.Process)
+ values = append(values, result)
+ ptr = iterator.Next()
}
- return ev.BaseEvent.NetworkContext.Source.Port
+ return values
}
-// GetProcessAncestorsCmdline returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessAncestorsCmdline() []string {
- zeroValue := []string{}
+// GetProcessAncestorsCmdlineScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetProcessAncestorsCmdlineScrubbed() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -474,7 +402,7 @@ func (ev *Event) GetProcessAncestorsCmdline() []string {
ptr := iterator.Front(ctx)
for ptr != nil {
element := (*ProcessCacheEntry)(ptr)
- result := element.ProcessContext.Process.CmdLine
+ result := ev.FieldHandlers.ResolveProcessCmdLineScrubbed(ev, &element.ProcessContext.Process)
values = append(values, result)
ptr = iterator.Next()
}
@@ -483,12 +411,11 @@ func (ev *Event) GetProcessAncestorsCmdline() []string {
// GetProcessAncestorsContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsContainerId() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -505,12 +432,11 @@ func (ev *Event) GetProcessAncestorsContainerId() []string {
// GetProcessAncestorsCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsCreatedAt() []int {
- zeroValue := []int{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []int{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -526,13 +452,12 @@ func (ev *Event) GetProcessAncestorsCreatedAt() []int {
}
// GetProcessAncestorsEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessAncestorsEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetProcessAncestorsEnvp() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -541,7 +466,6 @@ func (ev *Event) GetProcessAncestorsEnvp(desiredKeys map[string]bool) []string {
for ptr != nil {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process)
- result = filterEnvs(result, desiredKeys)
values = append(values, result...)
ptr = iterator.Next()
}
@@ -549,13 +473,12 @@ func (ev *Event) GetProcessAncestorsEnvp(desiredKeys map[string]bool) []string {
}
// GetProcessAncestorsEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessAncestorsEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetProcessAncestorsEnvs() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -564,7 +487,6 @@ func (ev *Event) GetProcessAncestorsEnvs(desiredKeys map[string]bool) []string {
for ptr != nil {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process)
- result = filterEnvs(result, desiredKeys)
values = append(values, result...)
ptr = iterator.Next()
}
@@ -573,12 +495,11 @@ func (ev *Event) GetProcessAncestorsEnvs(desiredKeys map[string]bool) []string {
// GetProcessAncestorsFileName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileName() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -595,12 +516,11 @@ func (ev *Event) GetProcessAncestorsFileName() []string {
// GetProcessAncestorsFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFileNameLength() []int {
- zeroValue := []int{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []int{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -617,12 +537,11 @@ func (ev *Event) GetProcessAncestorsFileNameLength() []int {
// GetProcessAncestorsFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFilePath() []string {
- zeroValue := []string{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []string{}
}
var values []string
ctx := eval.NewContext(ev)
@@ -639,12 +558,11 @@ func (ev *Event) GetProcessAncestorsFilePath() []string {
// GetProcessAncestorsFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsFilePathLength() []int {
- zeroValue := []int{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []int{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []int{}
}
var values []int
ctx := eval.NewContext(ev)
@@ -661,12 +579,11 @@ func (ev *Event) GetProcessAncestorsFilePathLength() []int {
// GetProcessAncestorsPid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsPid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -683,12 +600,11 @@ func (ev *Event) GetProcessAncestorsPid() []uint32 {
// GetProcessAncestorsPpid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessAncestorsPpid() []uint32 {
- zeroValue := []uint32{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []uint32{}
}
if ev.BaseEvent.ProcessContext.Ancestor == nil {
- return zeroValue
+ return []uint32{}
}
var values []uint32
ctx := eval.NewContext(ev)
@@ -705,134 +621,135 @@ func (ev *Event) GetProcessAncestorsPpid() []uint32 {
// GetProcessCmdline returns the value of the field, resolving if necessary
func (ev *Event) GetProcessCmdline() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
+ }
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, &ev.BaseEvent.ProcessContext.Process)
+}
+
+// GetProcessCmdlineScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetProcessCmdlineScrubbed() string {
+ if ev.BaseEvent.ProcessContext == nil {
+ return ""
}
- return ev.BaseEvent.ProcessContext.Process.CmdLine
+ return ev.FieldHandlers.ResolveProcessCmdLineScrubbed(ev, &ev.BaseEvent.ProcessContext.Process)
}
// GetProcessContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetProcessContainerId() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.BaseEvent.ProcessContext.Process.ContainerID
}
// GetProcessCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetProcessCreatedAt() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
return ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.BaseEvent.ProcessContext.Process)
}
// GetProcessEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetProcessEnvp() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process)
}
// GetProcessEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetProcessEnvs() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process)
}
// GetProcessExecTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessExecTime() time.Time {
- zeroValue := time.Time{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return time.Time{}
}
return ev.BaseEvent.ProcessContext.Process.ExecTime
}
// GetProcessExitTime returns the value of the field, resolving if necessary
func (ev *Event) GetProcessExitTime() time.Time {
- zeroValue := time.Time{}
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return time.Time{}
}
return ev.BaseEvent.ProcessContext.Process.ExitTime
}
// GetProcessFileName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileName() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)
}
// GetProcessFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFileNameLength() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent))
}
// GetProcessFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFilePath() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)
}
// GetProcessFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessFilePathLength() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent))
}
// GetProcessParentCmdline returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentCmdline() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
+ }
+ if ev.BaseEvent.ProcessContext.Parent == nil {
+ return ""
+ }
+ if !ev.BaseEvent.ProcessContext.HasParent() {
+ return ""
+ }
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.BaseEvent.ProcessContext.Parent)
+}
+
+// GetProcessParentCmdlineScrubbed returns the value of the field, resolving if necessary
+func (ev *Event) GetProcessParentCmdlineScrubbed() string {
+ if ev.BaseEvent.ProcessContext == nil {
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
}
- return ev.BaseEvent.ProcessContext.Parent.CmdLine
+ return ev.FieldHandlers.ResolveProcessCmdLineScrubbed(ev, ev.BaseEvent.ProcessContext.Parent)
}
// GetProcessParentContainerId returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentContainerId() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -842,12 +759,11 @@ func (ev *Event) GetProcessParentContainerId() string {
// GetProcessParentCreatedAt returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentCreatedAt() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return 0
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return 0
@@ -856,51 +772,40 @@ func (ev *Event) GetProcessParentCreatedAt() int {
}
// GetProcessParentEnvp returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessParentEnvp(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetProcessParentEnvp() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent)
}
// GetProcessParentEnvs returns the value of the field, resolving if necessary
-func (ev *Event) GetProcessParentEnvs(desiredKeys map[string]bool) []string {
- zeroValue := []string{}
+func (ev *Event) GetProcessParentEnvs() []string {
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return []string{}
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return []string{}
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return []string{}
}
- resolvedField := ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent)
- resolvedField = filterEnvs(resolvedField, desiredKeys)
- fieldCopy := make([]string, len(resolvedField))
- copy(fieldCopy, resolvedField)
- return fieldCopy
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent)
}
// GetProcessParentFileName returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileName() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -910,24 +815,22 @@ func (ev *Event) GetProcessParentFileName() string {
// GetProcessParentFileNameLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFileNameLength() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent))
}
// GetProcessParentFilePath returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFilePath() string {
- zeroValue := ""
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return ""
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return ""
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return ""
@@ -937,24 +840,22 @@ func (ev *Event) GetProcessParentFilePath() string {
// GetProcessParentFilePathLength returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentFilePathLength() int {
- zeroValue := 0
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return 0
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return 0
}
return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent))
}
// GetProcessParentPid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentPid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -964,12 +865,11 @@ func (ev *Event) GetProcessParentPid() uint32 {
// GetProcessParentPpid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessParentPpid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
if ev.BaseEvent.ProcessContext.Parent == nil {
- return zeroValue
+ return uint32(0)
}
if !ev.BaseEvent.ProcessContext.HasParent() {
return uint32(0)
@@ -979,23 +879,21 @@ func (ev *Event) GetProcessParentPpid() uint32 {
// GetProcessPid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessPid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
return ev.BaseEvent.ProcessContext.Process.PIDContext.Pid
}
// GetProcessPpid returns the value of the field, resolving if necessary
func (ev *Event) GetProcessPpid() uint32 {
- zeroValue := uint32(0)
if ev.BaseEvent.ProcessContext == nil {
- return zeroValue
+ return uint32(0)
}
return ev.BaseEvent.ProcessContext.Process.PPid
}
// GetTimestamp returns the value of the field, resolving if necessary
func (ev *Event) GetTimestamp() time.Time {
- return ev.FieldHandlers.ResolveEventTime(ev)
+ return ev.FieldHandlers.ResolveEventTime(ev, &ev.BaseEvent)
}
diff --git a/pkg/security/secl/model/field_handlers_unix.go b/pkg/security/secl/model/field_handlers_unix.go
index bd45e1cfba837..c55a34d3fa9ab 100644
--- a/pkg/security/secl/model/field_handlers_unix.go
+++ b/pkg/security/secl/model/field_handlers_unix.go
@@ -9,6 +9,10 @@
package model
+import (
+ "time"
+)
+
// ResolveFields resolves all the fields associate to the event type. Context fields are automatically resolved.
func (ev *Event) ResolveFields() {
ev.resolveFields(false)
@@ -234,7 +238,6 @@ func (ev *Event) resolveFields(forADs bool) {
_ = ev.FieldHandlers.ResolveChownGID(ev, &ev.Chown)
case "dns":
_ = ev.FieldHandlers.ResolveNetworkDeviceIfName(ev, &ev.NetworkContext.Device)
- _ = ev.FieldHandlers.ResolveNetworkDeviceIfName(ev, &ev.NetworkContext.Device)
case "exec":
if ev.Exec.Process.IsNotKworker() {
_ = ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exec.Process.FileEvent.FileFields)
@@ -311,6 +314,8 @@ func (ev *Event) resolveFields(forADs bool) {
_ = ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process)
_ = ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process)
_ = ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Exec.Process)
+ _ = ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, ev.Exec.Process)
+ _ = ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.Exec.Process)
case "exit":
if ev.Exit.Process.IsNotKworker() {
_ = ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exit.Process.FileEvent.FileFields)
@@ -387,6 +392,8 @@ func (ev *Event) resolveFields(forADs bool) {
_ = ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process)
_ = ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process)
_ = ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Exit.Process)
+ _ = ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, ev.Exit.Process)
+ _ = ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.Exit.Process)
case "link":
_ = ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Link.Source.FileFields)
_ = ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Link.Source.FileFields)
@@ -456,6 +463,7 @@ func (ev *Event) resolveFields(forADs bool) {
case "mount":
_ = ev.FieldHandlers.ResolveMountPointPath(ev, &ev.Mount)
_ = ev.FieldHandlers.ResolveMountSourcePath(ev, &ev.Mount)
+ _ = ev.FieldHandlers.ResolveMountRootPath(ev, &ev.Mount)
case "mprotect":
case "open":
_ = ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Open.File.FileFields)
@@ -546,6 +554,8 @@ func (ev *Event) resolveFields(forADs bool) {
_ = ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.PTrace.Tracee.Process)
_ = ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.PTrace.Tracee.Process)
_ = ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.PTrace.Tracee.Process)
+ _ = ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, &ev.PTrace.Tracee.Process)
+ _ = ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &ev.PTrace.Tracee.Process)
if ev.PTrace.Tracee.HasParent() && ev.PTrace.Tracee.Parent.IsNotKworker() {
_ = ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields)
}
@@ -643,6 +653,12 @@ func (ev *Event) resolveFields(forADs bool) {
if ev.PTrace.Tracee.HasParent() {
_ = ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.PTrace.Tracee.Parent)
}
+ if ev.PTrace.Tracee.HasParent() {
+ _ = ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, ev.PTrace.Tracee.Parent)
+ }
+ if ev.PTrace.Tracee.HasParent() {
+ _ = ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.PTrace.Tracee.Parent)
+ }
case "removexattr":
_ = ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.RemoveXAttr.File.FileFields)
_ = ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.RemoveXAttr.File.FileFields)
@@ -797,6 +813,8 @@ func (ev *Event) resolveFields(forADs bool) {
_ = ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.Signal.Target.Process)
_ = ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.Signal.Target.Process)
_ = ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.Signal.Target.Process)
+ _ = ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, &ev.Signal.Target.Process)
+ _ = ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &ev.Signal.Target.Process)
if ev.Signal.Target.HasParent() && ev.Signal.Target.Parent.IsNotKworker() {
_ = ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Parent.FileEvent.FileFields)
}
@@ -894,6 +912,12 @@ func (ev *Event) resolveFields(forADs bool) {
if ev.Signal.Target.HasParent() {
_ = ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Signal.Target.Parent)
}
+ if ev.Signal.Target.HasParent() {
+ _ = ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, ev.Signal.Target.Parent)
+ }
+ if ev.Signal.Target.HasParent() {
+ _ = ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, ev.Signal.Target.Parent)
+ }
case "splice":
_ = ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Splice.File.FileFields)
_ = ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Splice.File.FileFields)
@@ -944,6 +968,7 @@ type FieldHandlers interface {
ResolveContainerCreatedAt(ev *Event, e *ContainerContext) int
ResolveContainerID(ev *Event, e *ContainerContext) string
ResolveContainerTags(ev *Event, e *ContainerContext) []string
+ ResolveEventTime(ev *Event, e *BaseEvent) time.Time
ResolveEventTimestamp(ev *Event, e *BaseEvent) int
ResolveFileBasename(ev *Event, e *FileEvent) string
ResolveFileFieldsGroup(ev *Event, e *FileFields) string
@@ -958,6 +983,7 @@ type FieldHandlers interface {
ResolveModuleArgs(ev *Event, e *LoadModuleEvent) string
ResolveModuleArgv(ev *Event, e *LoadModuleEvent) []string
ResolveMountPointPath(ev *Event, e *MountEvent) string
+ ResolveMountRootPath(ev *Event, e *MountEvent) string
ResolveMountSourcePath(ev *Event, e *MountEvent) string
ResolveNetworkDeviceIfName(ev *Event, e *NetworkDeviceContext) string
ResolvePackageName(ev *Event, e *FileEvent) string
@@ -966,10 +992,11 @@ type FieldHandlers interface {
ResolveProcessArgs(ev *Event, e *Process) string
ResolveProcessArgsFlags(ev *Event, e *Process) []string
ResolveProcessArgsOptions(ev *Event, e *Process) []string
+ ResolveProcessArgsScrubbed(ev *Event, e *Process) string
ResolveProcessArgsTruncated(ev *Event, e *Process) bool
ResolveProcessArgv(ev *Event, e *Process) []string
- ResolveProcessArgvScrubbed(ev *Event, e *Process) []string
ResolveProcessArgv0(ev *Event, e *Process) string
+ ResolveProcessArgvScrubbed(ev *Event, e *Process) []string
ResolveProcessCreatedAt(ev *Event, e *Process) int
ResolveProcessEnvp(ev *Event, e *Process) []string
ResolveProcessEnvs(ev *Event, e *Process) []string
@@ -1001,6 +1028,9 @@ func (dfh *DefaultFieldHandlers) ResolveContainerID(ev *Event, e *ContainerConte
func (dfh *DefaultFieldHandlers) ResolveContainerTags(ev *Event, e *ContainerContext) []string {
return e.Tags
}
+func (dfh *DefaultFieldHandlers) ResolveEventTime(ev *Event, e *BaseEvent) time.Time {
+ return e.Timestamp
+}
func (dfh *DefaultFieldHandlers) ResolveEventTimestamp(ev *Event, e *BaseEvent) int {
return int(e.TimestampRaw)
}
@@ -1043,6 +1073,9 @@ func (dfh *DefaultFieldHandlers) ResolveModuleArgv(ev *Event, e *LoadModuleEvent
func (dfh *DefaultFieldHandlers) ResolveMountPointPath(ev *Event, e *MountEvent) string {
return e.MountPointPath
}
+func (dfh *DefaultFieldHandlers) ResolveMountRootPath(ev *Event, e *MountEvent) string {
+ return e.MountRootPath
+}
func (dfh *DefaultFieldHandlers) ResolveMountSourcePath(ev *Event, e *MountEvent) string {
return e.MountSourcePath
}
@@ -1063,14 +1096,17 @@ func (dfh *DefaultFieldHandlers) ResolveProcessArgsFlags(ev *Event, e *Process)
func (dfh *DefaultFieldHandlers) ResolveProcessArgsOptions(ev *Event, e *Process) []string {
return e.Argv
}
+func (dfh *DefaultFieldHandlers) ResolveProcessArgsScrubbed(ev *Event, e *Process) string {
+ return e.ArgsScrubbed
+}
func (dfh *DefaultFieldHandlers) ResolveProcessArgsTruncated(ev *Event, e *Process) bool {
return e.ArgsTruncated
}
func (dfh *DefaultFieldHandlers) ResolveProcessArgv(ev *Event, e *Process) []string { return e.Argv }
+func (dfh *DefaultFieldHandlers) ResolveProcessArgv0(ev *Event, e *Process) string { return e.Argv0 }
func (dfh *DefaultFieldHandlers) ResolveProcessArgvScrubbed(ev *Event, e *Process) []string {
- return e.Argv
+ return e.ArgvScrubbed
}
-func (dfh *DefaultFieldHandlers) ResolveProcessArgv0(ev *Event, e *Process) string { return e.Argv0 }
func (dfh *DefaultFieldHandlers) ResolveProcessCreatedAt(ev *Event, e *Process) int {
return int(e.CreatedAt)
}
diff --git a/pkg/security/secl/model/field_handlers_windows.go b/pkg/security/secl/model/field_handlers_windows.go
index abfb2624666ac..38d63c5680825 100644
--- a/pkg/security/secl/model/field_handlers_windows.go
+++ b/pkg/security/secl/model/field_handlers_windows.go
@@ -9,6 +9,10 @@
package model
+import (
+ "time"
+)
+
// ResolveFields resolves all the fields associate to the event type. Context fields are automatically resolved.
func (ev *Event) ResolveFields() {
ev.resolveFields(false)
@@ -26,11 +30,15 @@ func (ev *Event) resolveFields(forADs bool) {
_ = ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext)
}
_ = ev.FieldHandlers.ResolveEventTimestamp(ev, &ev.BaseEvent)
+ _ = ev.FieldHandlers.ResolveProcessCmdLine(ev, &ev.BaseEvent.ProcessContext.Process)
_ = ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.BaseEvent.ProcessContext.Process)
_ = ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process)
_ = ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process)
_ = ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)
_ = ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)
+ if ev.BaseEvent.ProcessContext.HasParent() {
+ _ = ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.BaseEvent.ProcessContext.Parent)
+ }
if ev.BaseEvent.ProcessContext.HasParent() {
_ = ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.BaseEvent.ProcessContext.Parent)
}
@@ -48,17 +56,20 @@ func (ev *Event) resolveFields(forADs bool) {
}
// resolve event specific fields
switch ev.GetEventType().String() {
- case "dns":
case "exec":
_ = ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent)
_ = ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent)
_ = ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exec.Process)
+ _ = ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exec.Process)
+ _ = ev.FieldHandlers.ResolveProcessCmdLineScrubbed(ev, ev.Exec.Process)
_ = ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process)
_ = ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process)
case "exit":
_ = ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent)
_ = ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent)
_ = ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exit.Process)
+ _ = ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exit.Process)
+ _ = ev.FieldHandlers.ResolveProcessCmdLineScrubbed(ev, ev.Exit.Process)
_ = ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process)
_ = ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process)
}
@@ -68,9 +79,12 @@ type FieldHandlers interface {
ResolveContainerCreatedAt(ev *Event, e *ContainerContext) int
ResolveContainerID(ev *Event, e *ContainerContext) string
ResolveContainerTags(ev *Event, e *ContainerContext) []string
+ ResolveEventTime(ev *Event, e *BaseEvent) time.Time
ResolveEventTimestamp(ev *Event, e *BaseEvent) int
ResolveFileBasename(ev *Event, e *FileEvent) string
ResolveFilePath(ev *Event, e *FileEvent) string
+ ResolveProcessCmdLine(ev *Event, e *Process) string
+ ResolveProcessCmdLineScrubbed(ev *Event, e *Process) string
ResolveProcessCreatedAt(ev *Event, e *Process) int
ResolveProcessEnvp(ev *Event, e *Process) []string
ResolveProcessEnvs(ev *Event, e *Process) []string
@@ -88,6 +102,9 @@ func (dfh *DefaultFieldHandlers) ResolveContainerID(ev *Event, e *ContainerConte
func (dfh *DefaultFieldHandlers) ResolveContainerTags(ev *Event, e *ContainerContext) []string {
return e.Tags
}
+func (dfh *DefaultFieldHandlers) ResolveEventTime(ev *Event, e *BaseEvent) time.Time {
+ return e.Timestamp
+}
func (dfh *DefaultFieldHandlers) ResolveEventTimestamp(ev *Event, e *BaseEvent) int {
return int(e.TimestampRaw)
}
@@ -97,6 +114,12 @@ func (dfh *DefaultFieldHandlers) ResolveFileBasename(ev *Event, e *FileEvent) st
func (dfh *DefaultFieldHandlers) ResolveFilePath(ev *Event, e *FileEvent) string {
return e.PathnameStr
}
+func (dfh *DefaultFieldHandlers) ResolveProcessCmdLine(ev *Event, e *Process) string {
+ return e.CmdLine
+}
+func (dfh *DefaultFieldHandlers) ResolveProcessCmdLineScrubbed(ev *Event, e *Process) string {
+ return e.CmdLineScrubbed
+}
func (dfh *DefaultFieldHandlers) ResolveProcessCreatedAt(ev *Event, e *Process) int {
return int(e.CreatedAt)
}
diff --git a/pkg/security/secl/model/model.go b/pkg/security/secl/model/model.go
index b583e06c10899..e98a0ad19c05f 100644
--- a/pkg/security/secl/model/model.go
+++ b/pkg/security/secl/model/model.go
@@ -171,10 +171,8 @@ type BaseEvent struct {
Rules []*MatchedRule `field:"-"`
// context shared with all events
- SpanContext SpanContext `field:"-" json:"-"`
ProcessContext *ProcessContext `field:"process" event:"*"`
ContainerContext *ContainerContext `field:"container" event:"*"`
- NetworkContext NetworkContext `field:"network" event:"dns"`
SecurityProfileContext SecurityProfileContext `field:"-"`
// internal usage
@@ -287,11 +285,6 @@ func (e *Event) RemoveFromFlags(flag uint32) {
e.Flags ^= flag
}
-// HasProfile returns true if we found a profile for that event
-func (e *Event) HasProfile() bool {
- return e.SecurityProfileContext.Name != ""
-}
-
// GetType returns the event type
func (e *Event) GetType() string {
return EventType(e.Type).String()
@@ -340,7 +333,7 @@ func (e *Event) ResolveProcessCacheEntry() (*ProcessCacheEntry, bool) {
// ResolveEventTime uses the field handler
func (e *Event) ResolveEventTime() time.Time {
- return e.FieldHandlers.ResolveEventTime(e)
+ return e.FieldHandlers.ResolveEventTime(e, &e.BaseEvent)
}
// GetProcessService uses the field handler
@@ -591,9 +584,7 @@ type DNSEvent struct {
type BaseExtraFieldHandlers interface {
ResolveProcessCacheEntry(ev *Event) (*ProcessCacheEntry, bool)
ResolveContainerContext(ev *Event) (*ContainerContext, bool)
- ResolveEventTime(ev *Event) time.Time
GetProcessService(ev *Event) string
- ResolveK8SExtra(ev *Event, ctx *UserSessionContext) map[string][]string
}
// ResolveProcessCacheEntry stub implementation
@@ -606,22 +597,7 @@ func (dfh *DefaultFieldHandlers) ResolveContainerContext(ev *Event) (*ContainerC
return nil, false
}
-// ResolveEventTime stub implementation
-func (dfh *DefaultFieldHandlers) ResolveEventTime(ev *Event) time.Time {
- return ev.Timestamp
-}
-
// GetProcessService stub implementation
func (dfh *DefaultFieldHandlers) GetProcessService(ev *Event) string {
return ""
}
-
-// ResolveHashes resolves the hash of the provided file
-func (dfh *DefaultFieldHandlers) ResolveHashes(eventType EventType, process *Process, file *FileEvent) []string {
- return nil
-}
-
-// ResolveK8SExtra resolves the K8S user session extra field
-func (dfh *DefaultFieldHandlers) ResolveK8SExtra(_ *Event, _ *UserSessionContext) map[string][]string {
- return nil
-}
diff --git a/pkg/security/secl/model/model_unix.go b/pkg/security/secl/model/model_unix.go
index aca678af8b5fc..20fc528dd9eba 100644
--- a/pkg/security/secl/model/model_unix.go
+++ b/pkg/security/secl/model/model_unix.go
@@ -143,9 +143,8 @@ type Event struct {
Async bool `field:"event.async,handler:ResolveAsync" event:"*"` // SECLDoc[event.async] Definition:`True if the syscall was asynchronous`
// context
- SpanContext SpanContext `field:"-" json:"-"`
- NetworkContext NetworkContext `field:"network" event:"dns"`
- SecurityProfileContext SecurityProfileContext `field:"-"`
+ SpanContext SpanContext `field:"-" json:"-"`
+ NetworkContext NetworkContext `field:"network" event:"dns"`
// fim events
Chmod ChmodEvent `field:"chmod" event:"chmod"` // [7.27] [File] A file’s permissions were changed
@@ -284,6 +283,35 @@ func (p *Process) IsNotKworker() bool {
return !p.IsKworker
}
+// GetProcessArgv returns the unscrubbed args of the event as an array. Use with caution.
+func (p *Process) GetProcessArgv() ([]string, bool) {
+ if p.ArgsEntry == nil {
+ return p.Argv, p.ArgsTruncated
+ }
+
+ argv := p.ArgsEntry.Values
+ if len(argv) > 0 {
+ argv = argv[1:]
+ }
+ p.Argv = argv
+ p.ArgsTruncated = p.ArgsTruncated || p.ArgsEntry.Truncated
+ return p.Argv, p.ArgsTruncated
+}
+
+// GetProcessArgv0 returns the first arg of the event and whether the process arguments are truncated
+func (p *Process) GetProcessArgv0() (string, bool) {
+ if p.ArgsEntry == nil {
+ return p.Argv0, p.ArgsTruncated
+ }
+
+ argv := p.ArgsEntry.Values
+ if len(argv) > 0 {
+ p.Argv0 = argv[0]
+ }
+ p.ArgsTruncated = p.ArgsTruncated || p.ArgsEntry.Truncated
+ return p.Argv0, p.ArgsTruncated
+}
+
// LinuxBinprm contains content from the linux_binprm struct, which holds the arguments used for loading binaries
type LinuxBinprm struct {
FileEvent FileEvent `field:"file"`
@@ -328,13 +356,16 @@ type Process struct {
// defined to generate accessors, ArgsTruncated and EnvsTruncated are used during by unmarshaller
Argv0 string `field:"argv0,handler:ResolveProcessArgv0,weight:100"` // SECLDoc[argv0] Definition:`First argument of the process`
- Args string `field:"args,handler:ResolveProcessArgs,weight:100"` // SECLDoc[args] Definition:`Arguments of the process (as a string, excluding argv0)` Example:`exec.args == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"` Description:`Matches any process with these exact arguments.` Example:`exec.args =~ "* -F * http*"` Description:`Matches any process that has the "-F" argument anywhere before an argument starting with "http".`
- Argv []string `field:"argv,handler:ResolveProcessArgv,weight:100; args_flags,handler:ResolveProcessArgsFlags,opts:helper; args_options,handler:ResolveProcessArgsOptions,opts:helper"` // SECLDoc[argv] Definition:`Arguments of the process (as an array, excluding argv0)` Example:`exec.argv in ["127.0.0.1"]` Description:`Matches any process that has this IP address as one of its arguments.` SECLDoc[args_flags] Definition:`Flags in the process arguments` Example:`exec.args_flags in ["s"] && exec.args_flags in ["V"]` Description:`Matches any process with both "-s" and "-V" flags in its arguments. Also matches "-sV".` SECLDoc[args_options] Definition:`Argument of the process as options` Example:`exec.args_options in ["p=0-1024"]` Description:`Matches any process that has either "-p 0-1024" or "--p=0-1024" in its arguments.`
+ Args string `field:"args,handler:ResolveProcessArgs,weight:500"` // SECLDoc[args] Definition:`Arguments of the process (as a string, excluding argv0)` Example:`exec.args == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"` Description:`Matches any process with these exact arguments.` Example:`exec.args =~ "* -F * http*"` Description:`Matches any process that has the "-F" argument anywhere before an argument starting with "http".`
+ Argv []string `field:"argv,handler:ResolveProcessArgv,weight:500; args_flags,handler:ResolveProcessArgsFlags,opts:helper; args_options,handler:ResolveProcessArgsOptions,opts:helper"` // SECLDoc[argv] Definition:`Arguments of the process (as an array, excluding argv0)` Example:`exec.argv in ["127.0.0.1"]` Description:`Matches any process that has this IP address as one of its arguments.` SECLDoc[args_flags] Definition:`Flags in the process arguments` Example:`exec.args_flags in ["s"] && exec.args_flags in ["V"]` Description:`Matches any process with both "-s" and "-V" flags in its arguments. Also matches "-sV".` SECLDoc[args_options] Definition:`Argument of the process as options` Example:`exec.args_options in ["p=0-1024"]` Description:`Matches any process that has either "-p 0-1024" or "--p=0-1024" in its arguments.`
ArgsTruncated bool `field:"args_truncated,handler:ResolveProcessArgsTruncated"` // SECLDoc[args_truncated] Definition:`Indicator of arguments truncation`
Envs []string `field:"envs,handler:ResolveProcessEnvs,weight:100"` // SECLDoc[envs] Definition:`Environment variable names of the process`
Envp []string `field:"envp,handler:ResolveProcessEnvp,weight:100"` // SECLDoc[envp] Definition:`Environment variables of the process`
EnvsTruncated bool `field:"envs_truncated,handler:ResolveProcessEnvsTruncated"` // SECLDoc[envs_truncated] Definition:`Indicator of environment variables truncation`
+ ArgsScrubbed string `field:"args_scrubbed,handler:ResolveProcessArgsScrubbed,weight:500,opts:getters_only"`
+ ArgvScrubbed []string `field:"argv_scrubbed,handler:ResolveProcessArgvScrubbed,weight:500,opts:getters_only"`
+
// symlink to the process binary
SymlinkPathnameStr [MaxSymlinks]string `field:"-" json:"-"`
SymlinkBasenameStr string `field:"-" json:"-"`
@@ -507,8 +538,10 @@ type MountEvent struct {
Mount
MountPointPath string `field:"mountpoint.path,handler:ResolveMountPointPath"` // SECLDoc[mountpoint.path] Definition:`Path of the mount point`
MountSourcePath string `field:"source.path,handler:ResolveMountSourcePath"` // SECLDoc[source.path] Definition:`Source path of a bind mount`
+ MountRootPath string `field:"root.path,handler:ResolveMountRootPath"` // SECLDoc[root.path] Definition:`Root path of the mount`
MountPointPathResolutionError error `field:"-"`
MountSourcePathResolutionError error `field:"-"`
+ MountRootPathResolutionError error `field:"-"`
}
// UnshareMountNSEvent represents a mount cloned from a newly created mount namespace
@@ -885,4 +918,15 @@ func (pl *PathLeaf) MarshalBinary() ([]byte, error) {
type ExtraFieldHandlers interface {
BaseExtraFieldHandlers
ResolveHashes(eventType EventType, process *Process, file *FileEvent) []string
+ ResolveK8SExtra(ev *Event, ctx *UserSessionContext) map[string][]string
+}
+
+// ResolveHashes resolves the hash of the provided file
+func (dfh *DefaultFieldHandlers) ResolveHashes(_ EventType, _ *Process, _ *FileEvent) []string {
+ return nil
+}
+
+// ResolveK8SExtra resolves the K8S user session extra field
+func (dfh *DefaultFieldHandlers) ResolveK8SExtra(_ *Event, _ *UserSessionContext) map[string][]string {
+ return nil
}
diff --git a/pkg/security/secl/model/model_windows.go b/pkg/security/secl/model/model_windows.go
index def1417c3f396..cad29d3d1d748 100644
--- a/pkg/security/secl/model/model_windows.go
+++ b/pkg/security/secl/model/model_windows.go
@@ -57,9 +57,11 @@ type Process struct {
ArgsEntry *ArgsEntry `field:"-" json:"-"`
EnvsEntry *EnvsEntry `field:"-" json:"-"`
- CmdLine string `field:"cmdline"` // SECLDoc[cmdline] Definition:`Command line of the process (as a string, excluding argv0)` Example:`exec.args == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"` Description:`Matches any process with these exact arguments.` Example:`exec.args =~ "* -F * http*"` Description:`Matches any process that has the "-F" argument anywhere before an argument starting with "http".`
- Envs []string `field:"envs,handler:ResolveProcessEnvs,weight:100"` // SECLDoc[envs] Definition:`Environment variable names of the process`
- Envp []string `field:"envp,handler:ResolveProcessEnvp,weight:100"` // SECLDoc[envp] Definition:`Environment variables of the process` // SECLDoc[envp] Definition:`Environment variables of the process`
+ CmdLine string `field:"cmdline,handler:ResolveProcessCmdLine,weight:200"` // SECLDoc[cmdline] Definition:`Command line of the process` Example:`exec.cmdline == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"` Description:`Matches any process with these exact arguments.` Example:`exec.cmdline =~ "* -F * http*"` Description:`Matches any process that has the "-F" argument anywhere before an argument starting with "http".`
+ CmdLineScrubbed string `field:"cmdline_scrubbed,handler:ResolveProcessCmdLineScrubbed,weight:500,opts:getters_only"`
+
+ Envs []string `field:"envs,handler:ResolveProcessEnvs,weight:100"` // SECLDoc[envs] Definition:`Environment variable names of the process`
+ Envp []string `field:"envp,handler:ResolveProcessEnvp,weight:100"` // SECLDoc[envp] Definition:`Environment variables of the process` // SECLDoc[envp] Definition:`Environment variables of the process`
// cache version
Variables eval.Variables `field:"-" json:"-"`
diff --git a/pkg/security/security_profile/activity_tree/activity_tree.go b/pkg/security/security_profile/activity_tree/activity_tree.go
index e7c89c76eb1ad..86577985a5bc2 100644
--- a/pkg/security/security_profile/activity_tree/activity_tree.go
+++ b/pkg/security/security_profile/activity_tree/activity_tree.go
@@ -224,7 +224,7 @@ func (at *ActivityTree) Debug(w io.Writer) {
}
// ScrubProcessArgsEnvs scrubs and retains process args and envs
-func (at *ActivityTree) ScrubProcessArgsEnvs(resolver *process.Resolver) {
+func (at *ActivityTree) ScrubProcessArgsEnvs(resolver *process.EBPFResolver) {
// iterate through all the process nodes
openList := make([]*ProcessNode, len(at.ProcessNodes))
copy(openList, at.ProcessNodes)
@@ -266,7 +266,7 @@ func (at *ActivityTree) isEventValid(event *model.Event, dryRun bool) (bool, err
}
// Insert inserts the event in the activity tree
-func (at *ActivityTree) Insert(event *model.Event, insertMissingProcesses bool, generationType NodeGenerationType, resolvers *resolvers.Resolvers) (bool, error) {
+func (at *ActivityTree) Insert(event *model.Event, insertMissingProcesses bool, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) (bool, error) {
newEntry, err := at.insertEvent(event, false /* !dryRun */, insertMissingProcesses, generationType, resolvers)
if newEntry {
// this doesn't count the exec events which are counted separately
@@ -276,13 +276,13 @@ func (at *ActivityTree) Insert(event *model.Event, insertMissingProcesses bool,
}
// Contains looks up the event in the activity tree
-func (at *ActivityTree) Contains(event *model.Event, insertMissingProcesses bool, generationType NodeGenerationType, resolvers *resolvers.Resolvers) (bool, error) {
+func (at *ActivityTree) Contains(event *model.Event, insertMissingProcesses bool, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) (bool, error) {
newEntry, err := at.insertEvent(event, true /* dryRun */, insertMissingProcesses, generationType, resolvers)
return !newEntry, err
}
// insert inserts the event in the activity tree, returns true if the event generated a new entry in the tree
-func (at *ActivityTree) insertEvent(event *model.Event, dryRun bool, insertMissingProcesses bool, generationType NodeGenerationType, resolvers *resolvers.Resolvers) (bool, error) {
+func (at *ActivityTree) insertEvent(event *model.Event, dryRun bool, insertMissingProcesses bool, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) (bool, error) {
// sanity check
if generationType == Unknown || generationType > MaxNodeGenerationType {
return false, fmt.Errorf("invalid generation type: %v", generationType)
@@ -448,7 +448,7 @@ func (at *ActivityTree) buildBranchAndLookupCookies(entry *model.ProcessCacheEnt
}
// CreateProcessNode looks up or inserts the provided entry in the tree
-func (at *ActivityTree) CreateProcessNode(entry *model.ProcessCacheEntry, generationType NodeGenerationType, dryRun bool, resolvers *resolvers.Resolvers) (*ProcessNode, bool, error) {
+func (at *ActivityTree) CreateProcessNode(entry *model.ProcessCacheEntry, generationType NodeGenerationType, dryRun bool, resolvers *resolvers.EBPFResolvers) (*ProcessNode, bool, error) {
if entry == nil {
return nil, false, nil
}
@@ -486,7 +486,7 @@ func (at *ActivityTree) CreateProcessNode(entry *model.ProcessCacheEntry, genera
return at.insertBranch(parent, branchToInsert, generationType, dryRun, resolvers)
}
-func (at *ActivityTree) insertBranch(parent ProcessNodeParent, branchToInsert []*model.ProcessCacheEntry, generationType NodeGenerationType, dryRun bool, r *resolvers.Resolvers) (*ProcessNode, bool, error) {
+func (at *ActivityTree) insertBranch(parent ProcessNodeParent, branchToInsert []*model.ProcessCacheEntry, generationType NodeGenerationType, dryRun bool, r *resolvers.EBPFResolvers) (*ProcessNode, bool, error) {
var matchingNode *ProcessNode
var branchIncrement int
var newNode, newNodeFromRebase bool
@@ -536,7 +536,7 @@ func (at *ActivityTree) insertBranch(parent ProcessNodeParent, branchToInsert []
// findBranch2 looks for the provided branch in the list of children. Returns the node that matches the
// first node of the branch and true if a new entry was inserted.
-func (at *ActivityTree) findBranch(parent ProcessNodeParent, branch []*model.ProcessCacheEntry, dryRun bool, generationType NodeGenerationType, resolvers *resolvers.Resolvers) (*ProcessNode, int, bool) {
+func (at *ActivityTree) findBranch(parent ProcessNodeParent, branch []*model.ProcessCacheEntry, dryRun bool, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) (*ProcessNode, int, bool) {
for i := len(branch) - 1; i >= 0; i-- {
branchCursor := branch[i]
@@ -612,7 +612,7 @@ func (at *ActivityTree) findBranch(parent ProcessNodeParent, branch []*model.Pro
// rebaseTree rebases the node identified by "nodeIndexToRebase" in the input "tree" onto a newly created branch made of
// "branchToInsert" and appended to "treeToRebaseOnto". New nodes will be tagged with the input "generationType".
// This function returns the top level node, owner of the newly inserted branch that lead to the rebased node
-func (at *ActivityTree) rebaseTree(parent ProcessNodeParent, childIndexToRebase int, newParent ProcessNodeParent, branchToInsert []*model.ProcessCacheEntry, generationType NodeGenerationType, resolvers *resolvers.Resolvers) *ProcessNode {
+func (at *ActivityTree) rebaseTree(parent ProcessNodeParent, childIndexToRebase int, newParent ProcessNodeParent, branchToInsert []*model.ProcessCacheEntry, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) *ProcessNode {
if len(branchToInsert) > 1 {
// We know that the entries in "branch" are all "isExecChild = true" nodes, except the top level entry that might be
// a "isExecChild = false" node. Similarly, all the nodes below parent.GetChildren()[childIndexToRebase] must be non
diff --git a/pkg/security/security_profile/activity_tree/activity_tree_graph.go b/pkg/security/security_profile/activity_tree/activity_tree_graph.go
index e3c26d7b47003..c2be7b3bc5709 100644
--- a/pkg/security/security_profile/activity_tree/activity_tree_graph.go
+++ b/pkg/security/security_profile/activity_tree/activity_tree_graph.go
@@ -37,7 +37,7 @@ var (
)
// PrepareGraphData returns a graph from the activity tree
-func (at *ActivityTree) PrepareGraphData(title string, resolver *process.Resolver) utils.Graph {
+func (at *ActivityTree) PrepareGraphData(title string, resolver *process.EBPFResolver) utils.Graph {
data := utils.Graph{
Title: title,
Nodes: make(map[utils.GraphID]*utils.Node),
@@ -50,7 +50,7 @@ func (at *ActivityTree) PrepareGraphData(title string, resolver *process.Resolve
return data
}
-func (at *ActivityTree) prepareProcessNode(p *ProcessNode, data *utils.Graph, resolver *process.Resolver) utils.GraphID {
+func (at *ActivityTree) prepareProcessNode(p *ProcessNode, data *utils.Graph, resolver *process.EBPFResolver) utils.GraphID {
var args string
var argv []string
if resolver != nil {
diff --git a/pkg/security/security_profile/activity_tree/file_node.go b/pkg/security/security_profile/activity_tree/file_node.go
index 4c1cfdd11c39b..67565be114f6d 100644
--- a/pkg/security/security_profile/activity_tree/file_node.go
+++ b/pkg/security/security_profile/activity_tree/file_node.go
@@ -41,7 +41,7 @@ type OpenNode struct {
}
// NewFileNode returns a new FileActivityNode instance
-func NewFileNode(fileEvent *model.FileEvent, event *model.Event, name string, generationType NodeGenerationType, reducedFilePath string, resolvers *resolvers.Resolvers) *FileNode {
+func NewFileNode(fileEvent *model.FileEvent, event *model.Event, name string, generationType NodeGenerationType, reducedFilePath string, resolvers *resolvers.EBPFResolvers) *FileNode {
// call resolver. Safeguard: the process context might be empty if from a snapshot.
if resolvers != nil && fileEvent != nil && event.ProcessContext != nil {
resolvers.HashResolver.ComputeHashesFromEvent(event, fileEvent)
@@ -87,7 +87,7 @@ func (fn *FileNode) enrichFromEvent(event *model.Event) {
return
}
if fn.FirstSeen.IsZero() {
- fn.FirstSeen = event.FieldHandlers.ResolveEventTime(event)
+ fn.FirstSeen = event.ResolveEventTime()
}
fn.MatchedRules = model.AppendMatchedRule(fn.MatchedRules, event.Rules)
@@ -126,7 +126,7 @@ func (fn *FileNode) debug(w io.Writer, prefix string) {
// InsertFileEvent inserts an event in a FileNode. This function returns true if a new entry was added, false if
// the event was dropped.
-func (fn *FileNode) InsertFileEvent(fileEvent *model.FileEvent, event *model.Event, remainingPath string, generationType NodeGenerationType, stats *Stats, dryRun bool, reducedPath string, resolvers *resolvers.Resolvers) bool {
+func (fn *FileNode) InsertFileEvent(fileEvent *model.FileEvent, event *model.Event, remainingPath string, generationType NodeGenerationType, stats *Stats, dryRun bool, reducedPath string, resolvers *resolvers.EBPFResolvers) bool {
currentFn := fn
currentPath := remainingPath
newEntry := false
diff --git a/pkg/security/security_profile/activity_tree/process_node.go b/pkg/security/security_profile/activity_tree/process_node.go
index b7bc7c1b1bcbb..a2c0e190fb678 100644
--- a/pkg/security/security_profile/activity_tree/process_node.go
+++ b/pkg/security/security_profile/activity_tree/process_node.go
@@ -43,7 +43,7 @@ type ProcessNode struct {
}
// NewProcessNode returns a new ProcessNode instance
-func NewProcessNode(entry *model.ProcessCacheEntry, generationType NodeGenerationType, resolvers *resolvers.Resolvers) *ProcessNode {
+func NewProcessNode(entry *model.ProcessCacheEntry, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) *ProcessNode {
// call the callback to resolve additional fields before copying them
if resolvers != nil {
resolvers.HashResolver.ComputeHashes(model.ExecEventType, &entry.ProcessContext.Process, &entry.ProcessContext.FileEvent)
@@ -135,7 +135,7 @@ func (pn *ProcessNode) debug(w io.Writer, prefix string) {
}
// scrubAndReleaseArgsEnvs scrubs the process args and envs, and then releases them
-func (pn *ProcessNode) scrubAndReleaseArgsEnvs(resolver *sprocess.Resolver) {
+func (pn *ProcessNode) scrubAndReleaseArgsEnvs(resolver *sprocess.EBPFResolver) {
if pn.Process.ArgsEntry != nil {
resolver.GetProcessArgvScrubbed(&pn.Process)
sprocess.GetProcessArgv0(&pn.Process)
@@ -203,7 +203,7 @@ newSyscallLoop:
// InsertFileEvent inserts the provided file event in the current node. This function returns true if a new entry was
// added, false if the event was dropped.
-func (pn *ProcessNode) InsertFileEvent(fileEvent *model.FileEvent, event *model.Event, generationType NodeGenerationType, stats *Stats, dryRun bool, reducer *PathsReducer, resolvers *resolvers.Resolvers) bool {
+func (pn *ProcessNode) InsertFileEvent(fileEvent *model.FileEvent, event *model.Event, generationType NodeGenerationType, stats *Stats, dryRun bool, reducer *PathsReducer, resolvers *resolvers.EBPFResolvers) bool {
var filePath string
if generationType != Snapshot {
filePath = event.FieldHandlers.ResolveFilePath(event, fileEvent)
diff --git a/pkg/security/security_profile/dump/graph.go b/pkg/security/security_profile/dump/graph.go
index 5acb9ed9e6e23..5a82ce371f5ae 100644
--- a/pkg/security/security_profile/dump/graph.go
+++ b/pkg/security/security_profile/dump/graph.go
@@ -46,7 +46,7 @@ func (ad *ActivityDump) ToGraph() utils.Graph {
defer ad.Unlock()
title := fmt.Sprintf("%s: %s", ad.Metadata.Name, ad.getSelectorStr())
- var resolver *process.Resolver
+ var resolver *process.EBPFResolver
if ad.adm != nil {
resolver = ad.adm.resolvers.ProcessResolver
}
diff --git a/pkg/security/security_profile/dump/manager.go b/pkg/security/security_profile/dump/manager.go
index 92fa8de62af75..e41282975fdff 100644
--- a/pkg/security/security_profile/dump/manager.go
+++ b/pkg/security/security_profile/dump/manager.go
@@ -58,7 +58,7 @@ type ActivityDumpManager struct {
emptyDropped *atomic.Uint64
dropMaxDumpReached *atomic.Uint64
newEvent func() *model.Event
- resolvers *resolvers.Resolvers
+ resolvers *resolvers.EBPFResolvers
kernelVersion *kernel.Version
manager *manager.Manager
dumpHandler ActivityDumpHandler
@@ -252,7 +252,7 @@ func (adm *ActivityDumpManager) HandleActivityDump(dump *api.ActivityDumpStreamM
}
// NewActivityDumpManager returns a new ActivityDumpManager instance
-func NewActivityDumpManager(config *config.Config, statsdClient statsd.ClientInterface, newEvent func() *model.Event, resolvers *resolvers.Resolvers,
+func NewActivityDumpManager(config *config.Config, statsdClient statsd.ClientInterface, newEvent func() *model.Event, resolvers *resolvers.EBPFResolvers,
kernelVersion *kernel.Version, manager *manager.Manager) (*ActivityDumpManager, error) {
tracedPIDs, err := managerhelper.Map(manager, "traced_pids")
if err != nil {
diff --git a/pkg/security/security_profile/profile/manager.go b/pkg/security/security_profile/profile/manager.go
index 6437d2ff3134d..35d0136e2bd2f 100644
--- a/pkg/security/security_profile/profile/manager.go
+++ b/pkg/security/security_profile/profile/manager.go
@@ -121,7 +121,7 @@ type ActivityDumpManager interface {
type SecurityProfileManager struct {
config *config.Config
statsdClient statsd.ClientInterface
- resolvers *resolvers.Resolvers
+ resolvers *resolvers.EBPFResolvers
providers []Provider
activityDumpManager ActivityDumpManager
@@ -143,7 +143,7 @@ type SecurityProfileManager struct {
}
// NewSecurityProfileManager returns a new instance of SecurityProfileManager
-func NewSecurityProfileManager(config *config.Config, statsdClient statsd.ClientInterface, resolvers *resolvers.Resolvers, manager *manager.Manager) (*SecurityProfileManager, error) {
+func NewSecurityProfileManager(config *config.Config, statsdClient statsd.ClientInterface, resolvers *resolvers.EBPFResolvers, manager *manager.Manager) (*SecurityProfileManager, error) {
profileCache, err := simplelru.NewLRU[cgroupModel.WorkloadSelector, *SecurityProfile](config.RuntimeSecurity.SecurityProfileCacheSize, nil)
if err != nil {
return nil, fmt.Errorf("couldn't create security profile cache: %w", err)
@@ -178,7 +178,7 @@ func NewSecurityProfileManager(config *config.Config, statsdClient statsd.Client
if len(config.RuntimeSecurity.SecurityProfileDir) != 0 {
// override the status if autosuppression is enabled
var status model.Status
- if config.RuntimeSecurity.ActivityDumpAutoSuppressionEnabled {
+ if config.RuntimeSecurity.SecurityProfileAutoSuppressionEnabled {
status = model.AnomalyDetection | model.AutoSuppression
}
diff --git a/pkg/security/serializers/serializers_base.go b/pkg/security/serializers/serializers_base.go
index 4c2365ec21232..c8b1f3c0b9d71 100644
--- a/pkg/security/serializers/serializers_base.go
+++ b/pkg/security/serializers/serializers_base.go
@@ -8,7 +8,6 @@
package serializers
import (
- "github.com/DataDog/datadog-agent/pkg/security/resolvers"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
"github.com/DataDog/datadog-agent/pkg/security/utils"
)
@@ -209,7 +208,7 @@ func newExitEventSerializer(e *model.Event) *ExitEventSerializer {
}
// NewBaseEventSerializer creates a new event serializer based on the event type
-func NewBaseEventSerializer(event *model.Event, resolvers *resolvers.Resolvers) *BaseEventSerializer {
+func NewBaseEventSerializer(event *model.Event) *BaseEventSerializer {
pc := event.ProcessContext
eventType := model.EventType(event.Type)
@@ -218,8 +217,8 @@ func NewBaseEventSerializer(event *model.Event, resolvers *resolvers.Resolvers)
EventContextSerializer: EventContextSerializer{
Name: eventType.String(),
},
- ProcessContextSerializer: newProcessContextSerializer(pc, event, resolvers),
- Date: utils.NewEasyjsonTime(event.FieldHandlers.ResolveEventTime(event)),
+ ProcessContextSerializer: newProcessContextSerializer(pc, event),
+ Date: utils.NewEasyjsonTime(event.ResolveEventTime()),
}
if event.IsAnomalyDetectionEvent() && len(event.Rules) > 0 {
diff --git a/pkg/security/serializers/serializers_linux.go b/pkg/security/serializers/serializers_linux.go
index 846157f6b3e50..ee08063a51a45 100644
--- a/pkg/security/serializers/serializers_linux.go
+++ b/pkg/security/serializers/serializers_linux.go
@@ -18,7 +18,6 @@ import (
"golang.org/x/sys/unix"
"github.com/DataDog/datadog-agent/pkg/security/events"
- "github.com/DataDog/datadog-agent/pkg/security/resolvers"
sprocess "github.com/DataDog/datadog-agent/pkg/security/resolvers/process"
"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
@@ -439,7 +438,7 @@ type MountEventSerializer struct {
// Mount source path
MountSourcePath string `json:"source.path,omitempty"`
// Mount point path error
- MountPointPathResolutionError string `json:"mountpoint.path_error,omitempty"`
+ MountRootPathResolutionError string `json:"mountpoint.path_error,omitempty"`
// Mount source path error
MountSourcePathResolutionError string `json:"source.path_error,omitempty"`
}
@@ -557,10 +556,10 @@ func newCredentialsSerializer(ce *model.Credentials) *CredentialsSerializer {
}
}
-func newProcessSerializer(ps *model.Process, e *model.Event, resolvers *resolvers.Resolvers) *ProcessSerializer {
+func newProcessSerializer(ps *model.Process, e *model.Event) *ProcessSerializer {
if ps.IsNotKworker() {
- argv, argvTruncated := resolvers.ProcessResolver.GetProcessArgvScrubbed(ps)
- envs, EnvsTruncated := resolvers.ProcessResolver.GetProcessEnvs(ps)
+ argv, argvTruncated := e.GetProcessArgvScrubbed(), e.GetProcessArgsTruncated()
+ envs, EnvsTruncated := e.GetProcessEnvs(), e.GetProcessEnvsTruncated()
argv0, _ := sprocess.GetProcessArgv0(ps)
psSerializer := &ProcessSerializer{
@@ -600,15 +599,13 @@ func newProcessSerializer(ps *model.Process, e *model.Event, resolvers *resolver
}
if ps.UserSession.ID != 0 {
- psSerializer.UserSession = newUserSessionContextSerializer(&ps.UserSession, e, resolvers)
+ psSerializer.UserSession = newUserSessionContextSerializer(&ps.UserSession, e)
}
if len(ps.ContainerID) != 0 {
psSerializer.Container = &ContainerContextSerializer{
- ID: ps.ContainerID,
- }
- if cgroup, _ := resolvers.CGroupResolver.GetWorkload(ps.ContainerID); cgroup != nil {
- psSerializer.Container.CreatedAt = getTimeIfNotZero(time.Unix(0, int64(cgroup.CreatedAt)))
+ ID: ps.ContainerID,
+ CreatedAt: getTimeIfNotZero(time.Unix(0, int64(e.GetContainerCreatedAt()))),
}
}
return psSerializer
@@ -625,7 +622,7 @@ func newProcessSerializer(ps *model.Process, e *model.Event, resolvers *resolver
}
}
-func newUserSessionContextSerializer(ctx *model.UserSessionContext, e *model.Event, _ *resolvers.Resolvers) *UserSessionContextSerializer {
+func newUserSessionContextSerializer(ctx *model.UserSessionContext, e *model.Event) *UserSessionContextSerializer {
return &UserSessionContextSerializer{
ID: fmt.Sprintf("%x", ctx.ID),
K8SUsername: e.FieldHandlers.ResolveK8SUsername(e, ctx),
@@ -720,11 +717,11 @@ func newMProtectEventSerializer(e *model.Event) *MProtectEventSerializer {
}
}
-func newPTraceEventSerializer(e *model.Event, resolvers *resolvers.Resolvers) *PTraceEventSerializer {
+func newPTraceEventSerializer(e *model.Event) *PTraceEventSerializer {
return &PTraceEventSerializer{
Request: model.PTraceRequest(e.PTrace.Request).String(),
Address: fmt.Sprintf("0x%x", e.PTrace.Address),
- Tracee: newProcessContextSerializer(e.PTrace.Tracee, e, resolvers),
+ Tracee: newProcessContextSerializer(e.PTrace.Tracee, e),
}
}
@@ -745,11 +742,11 @@ func newUnloadModuleEventSerializer(e *model.Event) *ModuleEventSerializer {
}
}
-func newSignalEventSerializer(e *model.Event, resolvers *resolvers.Resolvers) *SignalEventSerializer {
+func newSignalEventSerializer(e *model.Event) *SignalEventSerializer {
ses := &SignalEventSerializer{
Type: model.Signal(e.Signal.Type).String(),
PID: e.Signal.PID,
- Target: newProcessContextSerializer(e.Signal.Target, e, resolvers),
+ Target: newProcessContextSerializer(e.Signal.Target, e),
}
return ses
}
@@ -769,22 +766,23 @@ func newBindEventSerializer(e *model.Event) *BindEventSerializer {
return bes
}
-func newMountEventSerializer(e *model.Event, resolvers *resolvers.Resolvers) *MountEventSerializer {
+func newMountEventSerializer(e *model.Event) *MountEventSerializer {
fh := e.FieldHandlers
- src, srcErr := resolvers.PathResolver.ResolveMountRoot(e, &e.Mount.Mount)
- dst, dstErr := resolvers.PathResolver.ResolveMountPoint(e, &e.Mount.Mount)
+ //src, srcErr := , e.Mount.MountPointPathResolutionError
+ //resolvers.PathResolver.ResolveMountRoot(e, &e.Mount.Mount)
+ //dst, dstErr := resolvers.PathResolver.ResolveMountPoint(e, &e.Mount.Mount)
mountPointPath := fh.ResolveMountPointPath(e, &e.Mount)
mountSourcePath := fh.ResolveMountSourcePath(e, &e.Mount)
mountSerializer := &MountEventSerializer{
MountPoint: &FileSerializer{
- Path: dst,
+ Path: e.GetMountRootPath(),
MountID: &e.Mount.ParentPathKey.MountID,
Inode: &e.Mount.ParentPathKey.Inode,
},
Root: &FileSerializer{
- Path: src,
+ Path: e.GetMountMountpointPath(),
MountID: &e.Mount.RootPathKey.MountID,
Inode: &e.Mount.RootPathKey.Inode,
},
@@ -797,15 +795,9 @@ func newMountEventSerializer(e *model.Event, resolvers *resolvers.Resolvers) *Mo
MountSourcePath: mountSourcePath,
}
- if srcErr != nil {
- mountSerializer.Root.PathResolutionError = srcErr.Error()
- }
- if dstErr != nil {
- mountSerializer.MountPoint.PathResolutionError = dstErr.Error()
- }
// potential errors retrieved from ResolveMountPointPath and ResolveMountSourcePath
- if e.Mount.MountPointPathResolutionError != nil {
- mountSerializer.MountPointPathResolutionError = e.Mount.MountPointPathResolutionError.Error()
+ if e.Mount.MountRootPathResolutionError != nil {
+ mountSerializer.MountRootPathResolutionError = e.Mount.MountRootPathResolutionError.Error()
}
if e.Mount.MountSourcePathResolutionError != nil {
mountSerializer.MountSourcePathResolutionError = e.Mount.MountSourcePathResolutionError.Error()
@@ -834,13 +826,13 @@ func serializeOutcome(retval int64) string {
}
}
-func newProcessContextSerializer(pc *model.ProcessContext, e *model.Event, resolvers *resolvers.Resolvers) *ProcessContextSerializer {
+func newProcessContextSerializer(pc *model.ProcessContext, e *model.Event) *ProcessContextSerializer {
if pc == nil || pc.Pid == 0 || e == nil {
return nil
}
ps := ProcessContextSerializer{
- ProcessSerializer: newProcessSerializer(&pc.Process, e, resolvers),
+ ProcessSerializer: newProcessSerializer(&pc.Process, e),
}
ctx := eval.NewContext(e)
@@ -856,7 +848,7 @@ func newProcessContextSerializer(pc *model.ProcessContext, e *model.Event, resol
for ptr != nil {
pce := (*model.ProcessCacheEntry)(ptr)
- s := newProcessSerializer(&pce.Process, e, resolvers)
+ s := newProcessSerializer(&pce.Process, e)
ps.Ancestors = append(ps.Ancestors, s)
if first {
@@ -941,8 +933,8 @@ func (e *EventSerializer) MarshalJSON() ([]byte, error) {
}
// MarshalEvent marshal the event
-func MarshalEvent(event *model.Event, probe *resolvers.Resolvers) ([]byte, error) {
- s := NewEventSerializer(event, probe)
+func MarshalEvent(event *model.Event) ([]byte, error) {
+ s := NewEventSerializer(event)
return utils.MarshalEasyJSON(s)
}
@@ -952,9 +944,9 @@ func MarshalCustomEvent(event *events.CustomEvent) ([]byte, error) {
}
// NewEventSerializer creates a new event serializer based on the event type
-func NewEventSerializer(event *model.Event, resolvers *resolvers.Resolvers) *EventSerializer {
+func NewEventSerializer(event *model.Event) *EventSerializer {
s := &EventSerializer{
- BaseEventSerializer: NewBaseEventSerializer(event, resolvers),
+ BaseEventSerializer: NewBaseEventSerializer(event),
UserContextSerializer: newUserContextSerializer(event),
DDContextSerializer: newDDContextSerializer(event),
}
@@ -968,14 +960,10 @@ func NewEventSerializer(event *model.Event, resolvers *resolvers.Resolvers) *Eve
s.SecurityProfileContextSerializer = newSecurityProfileContextSerializer(&event.SecurityProfileContext)
}
- if id := event.FieldHandlers.ResolveContainerID(event, event.ContainerContext); id != "" {
- var creationTime time.Time
- if cgroup, _ := resolvers.CGroupResolver.GetWorkload(id); cgroup != nil {
- creationTime = time.Unix(0, int64(cgroup.CreatedAt))
- }
+ if ctx, exists := event.FieldHandlers.ResolveContainerContext(event); exists {
s.ContainerContextSerializer = &ContainerContextSerializer{
- ID: id,
- CreatedAt: getTimeIfNotZero(creationTime),
+ ID: ctx.ID,
+ CreatedAt: getTimeIfNotZero(time.Unix(0, int64(ctx.CreatedAt))),
}
}
@@ -1073,7 +1061,7 @@ func NewEventSerializer(event *model.Event, resolvers *resolvers.Resolvers) *Eve
}
s.EventContextSerializer.Outcome = serializeOutcome(event.Utimes.Retval)
case model.FileMountEventType:
- s.MountEventSerializer = newMountEventSerializer(event, resolvers)
+ s.MountEventSerializer = newMountEventSerializer(event)
s.EventContextSerializer.Outcome = serializeOutcome(event.Mount.Retval)
case model.FileUmountEventType:
s.FileEventSerializer = &FileEventSerializer{
@@ -1130,7 +1118,7 @@ func NewEventSerializer(event *model.Event, resolvers *resolvers.Resolvers) *Eve
s.MProtectEventSerializer = newMProtectEventSerializer(event)
case model.PTraceEventType:
s.EventContextSerializer.Outcome = serializeOutcome(event.PTrace.Retval)
- s.PTraceEventSerializer = newPTraceEventSerializer(event, resolvers)
+ s.PTraceEventSerializer = newPTraceEventSerializer(event)
case model.LoadModuleEventType:
s.EventContextSerializer.Outcome = serializeOutcome(event.LoadModule.Retval)
if !event.LoadModule.LoadedFromMemory {
@@ -1144,7 +1132,7 @@ func NewEventSerializer(event *model.Event, resolvers *resolvers.Resolvers) *Eve
s.ModuleEventSerializer = newUnloadModuleEventSerializer(event)
case model.SignalEventType:
s.EventContextSerializer.Outcome = serializeOutcome(event.Signal.Retval)
- s.SignalEventSerializer = newSignalEventSerializer(event, resolvers)
+ s.SignalEventSerializer = newSignalEventSerializer(event)
case model.SpliceEventType:
s.EventContextSerializer.Outcome = serializeOutcome(event.Splice.Retval)
s.SpliceEventSerializer = newSpliceEventSerializer(event)
diff --git a/pkg/security/serializers/serializers_linux_easyjson.go b/pkg/security/serializers/serializers_linux_easyjson.go
index 138f5eaf7b7a3..fd93d5c617a4d 100644
--- a/pkg/security/serializers/serializers_linux_easyjson.go
+++ b/pkg/security/serializers/serializers_linux_easyjson.go
@@ -1687,7 +1687,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(
case "source.path":
out.MountSourcePath = string(in.String())
case "mountpoint.path_error":
- out.MountPointPathResolutionError = string(in.String())
+ out.MountRootPathResolutionError = string(in.String())
case "source.path_error":
out.MountSourcePathResolutionError = string(in.String())
default:
@@ -1760,10 +1760,10 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(
out.RawString(prefix)
out.String(string(in.MountSourcePath))
}
- if in.MountPointPathResolutionError != "" {
+ if in.MountRootPathResolutionError != "" {
const prefix string = ",\"mountpoint.path_error\":"
out.RawString(prefix)
- out.String(string(in.MountPointPathResolutionError))
+ out.String(string(in.MountRootPathResolutionError))
}
if in.MountSourcePathResolutionError != "" {
const prefix string = ",\"source.path_error\":"
diff --git a/pkg/security/serializers/serializers_others.go b/pkg/security/serializers/serializers_others.go
index 5e3614cbc2f1a..296bf4ca362af 100644
--- a/pkg/security/serializers/serializers_others.go
+++ b/pkg/security/serializers/serializers_others.go
@@ -12,7 +12,6 @@ import (
json "encoding/json"
"github.com/DataDog/datadog-agent/pkg/security/events"
- "github.com/DataDog/datadog-agent/pkg/security/resolvers"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
)
@@ -25,8 +24,8 @@ func (e *EventSerializer) ToJSON() ([]byte, error) {
}
// MarshalEvent marshal the event
-func MarshalEvent(event *model.Event, probe *resolvers.Resolvers) ([]byte, error) {
- s := NewEventSerializer(event, probe)
+func MarshalEvent(event *model.Event) ([]byte, error) {
+ s := NewEventSerializer(event)
return json.Marshal(s)
}
@@ -36,6 +35,6 @@ func MarshalCustomEvent(event *events.CustomEvent) ([]byte, error) {
}
// NewEventSerializer creates a new event serializer based on the event type
-func NewEventSerializer(event *model.Event, resolvers *resolvers.Resolvers) *EventSerializer { //nolint:revive // TODO fix revive unused-parameter
+func NewEventSerializer(_ *model.Event) *EventSerializer {
return nil
}
diff --git a/pkg/security/serializers/serializers_windows.go b/pkg/security/serializers/serializers_windows.go
index b02378f4276b1..7663eb072e30c 100644
--- a/pkg/security/serializers/serializers_windows.go
+++ b/pkg/security/serializers/serializers_windows.go
@@ -9,7 +9,6 @@ import (
"encoding/json"
"github.com/DataDog/datadog-agent/pkg/security/events"
- "github.com/DataDog/datadog-agent/pkg/security/resolvers"
"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
"github.com/DataDog/datadog-agent/pkg/security/utils"
@@ -62,7 +61,7 @@ func newFileSerializer(fe *model.FileEvent, e *model.Event, forceInode ...uint64
}
}
-func newProcessSerializer(ps *model.Process, e *model.Event, resolvers *resolvers.Resolvers) *ProcessSerializer { //nolint:revive // TODO fix revive unused-parameter
+func newProcessSerializer(ps *model.Process, e *model.Event) *ProcessSerializer { //nolint:revive // TODO fix revive unused-parameter
psSerializer := &ProcessSerializer{
ExecTime: getTimeIfNotZero(ps.ExecTime),
ExitTime: getTimeIfNotZero(ps.ExitTime),
@@ -70,7 +69,7 @@ func newProcessSerializer(ps *model.Process, e *model.Event, resolvers *resolver
Pid: ps.Pid,
PPid: getUint32Pointer(&ps.PPid),
Executable: newFileSerializer(&ps.FileEvent, e),
- CmdLine: resolvers.ProcessResolver.GetProcessCmdLineScrubbed(ps),
+ // CmdLine: e.GetProcessCmdLineScrubbed(ps),
}
if len(ps.ContainerID) != 0 {
@@ -81,13 +80,13 @@ func newProcessSerializer(ps *model.Process, e *model.Event, resolvers *resolver
return psSerializer
}
-func newProcessContextSerializer(pc *model.ProcessContext, e *model.Event, resolvers *resolvers.Resolvers) *ProcessContextSerializer {
+func newProcessContextSerializer(pc *model.ProcessContext, e *model.Event) *ProcessContextSerializer {
if pc == nil || pc.Pid == 0 || e == nil {
return nil
}
ps := ProcessContextSerializer{
- ProcessSerializer: newProcessSerializer(&pc.Process, e, resolvers),
+ ProcessSerializer: newProcessSerializer(&pc.Process, e),
}
ctx := eval.NewContext(e)
@@ -100,7 +99,7 @@ func newProcessContextSerializer(pc *model.ProcessContext, e *model.Event, resol
for ptr != nil {
pce := (*model.ProcessCacheEntry)(ptr)
- s := newProcessSerializer(&pce.Process, e, resolvers)
+ s := newProcessSerializer(&pce.Process, e)
ps.Ancestors = append(ps.Ancestors, s)
if first {
@@ -124,8 +123,8 @@ func (e *EventSerializer) ToJSON() ([]byte, error) {
}
// MarshalEvent marshal the event
-func MarshalEvent(event *model.Event, probe *resolvers.Resolvers) ([]byte, error) {
- s := NewEventSerializer(event, probe)
+func MarshalEvent(event *model.Event) ([]byte, error) {
+ s := NewEventSerializer(event)
return json.Marshal(s)
}
@@ -135,8 +134,8 @@ func MarshalCustomEvent(event *events.CustomEvent) ([]byte, error) {
}
// NewEventSerializer creates a new event serializer based on the event type
-func NewEventSerializer(event *model.Event, resolvers *resolvers.Resolvers) *EventSerializer {
+func NewEventSerializer(event *model.Event) *EventSerializer {
return &EventSerializer{
- BaseEventSerializer: NewBaseEventSerializer(event, resolvers),
+ BaseEventSerializer: NewBaseEventSerializer(event),
}
}
diff --git a/pkg/security/tests/cmdwrapper.go b/pkg/security/tests/cmdwrapper.go
index 2ad90d35d0909..434fe7b2457fd 100644
--- a/pkg/security/tests/cmdwrapper.go
+++ b/pkg/security/tests/cmdwrapper.go
@@ -36,7 +36,7 @@ var dockerImageLibrary = map[string][]string{
},
"centos": {
"centos:7",
- "public.ecr.aws/centos/centos:7",
+ "public.ecr.aws/docker/library/centos:7",
},
"alpine": {
"alpine",
diff --git a/pkg/security/tests/dentry_test.go b/pkg/security/tests/dentry_test.go
index 0a717ca066313..a354f4194bbbd 100644
--- a/pkg/security/tests/dentry_test.go
+++ b/pkg/security/tests/dentry_test.go
@@ -16,70 +16,24 @@ import (
"testing"
"github.com/stretchr/testify/assert"
+ "golang.org/x/sys/unix"
- "github.com/DataDog/datadog-agent/pkg/security/ebpf/kernel"
"github.com/DataDog/datadog-agent/pkg/security/metrics"
+ sprobe "github.com/DataDog/datadog-agent/pkg/security/probe"
"github.com/DataDog/datadog-agent/pkg/security/resolvers/dentry"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
)
-func validateResolution(test *testModule, event *model.Event, testFile string, pathFnc func(model.PathKey, bool) (string, error), parentFnc func(model.PathKey) (model.PathKey, error), nameFnc func(model.PathKey) (string, error)) {
- basename := path.Base(testFile)
-
- // Force an eRPC resolution to refresh the entry with the last generation as lost events may have invalidated the entry
- res, err := pathFnc(event.Open.File.PathKey, true)
- assert.Nil(test.t, err)
- assert.Equal(test.t, basename, path.Base(res))
-
- // there is a potential race here as a lost event can occur between the two resolutions
-
- // check that the path is now available from the cache
- res, err = test.probe.GetResolvers().DentryResolver.ResolveFromCache(event.Open.File.PathKey)
- assert.Nil(test.t, err)
- assert.Equal(test.t, basename, path.Base(res))
-
- kv, err := kernel.NewKernelVersion()
- assert.Nil(test.t, err)
-
- // Parent
- expectedInode := getInode(test.t, path.Dir(testFile))
-
- // the previous path resolution should habe filled the cache
- pathKey, err := test.probe.GetResolvers().DentryResolver.ResolveParentFromCache(event.Open.File.PathKey)
- assert.Nil(test.t, err)
- assert.NotZero(test.t, pathKey.Inode)
-
- // on kernel < 5.0 the cache is populated with internal inode of overlayfs. The stat syscall returns the proper inode, that is why the inodes don't match.
- if event.Open.File.Filesystem != model.OverlayFS || kv.Code > kernel.Kernel5_0 {
- assert.Equal(test.t, expectedInode, pathKey.Inode)
- }
-
- parentKey, err := parentFnc(event.Open.File.PathKey)
- assert.Nil(test.t, err)
- assert.NotZero(test.t, parentKey.Inode)
- assert.Equal(test.t, pathKey.Inode, parentKey.Inode)
-
- // Basename
- // the previous path resolution should have filled the cache
- expectedName, err := test.probe.GetResolvers().DentryResolver.ResolveNameFromCache(event.Open.File.PathKey)
- assert.Nil(test.t, err)
- assert.Equal(test.t, expectedName, basename)
-
- expectedName, err = nameFnc(event.Open.File.PathKey)
- assert.Nil(test.t, err)
- assert.Equal(test.t, expectedName, basename)
-}
-
-func TestDentryResolutionERPC(t *testing.T) {
+func TestDentryPathERPC(t *testing.T) {
// generate a basename up to the current limit of the agent
var basename string
for i := 0; i < model.MaxSegmentLength; i++ {
basename += "a"
}
rule := &rules.RuleDefinition{
- ID: "test_erpc_rule",
- Expression: fmt.Sprintf(`open.file.path == "{{.Root}}/parent/%s" && open.flags & O_CREAT != 0`, basename),
+ ID: "test_erpc_path_rule",
+ Expression: fmt.Sprintf(`open.flags & (O_CREAT|O_NOCTTY|O_NOFOLLOW) != 0 && process.file.name == "testsuite"`),
}
test, err := newTestModule(t, nil, []*rules.RuleDefinition{rule}, withStaticOpts(testOpts{disableMapDentryResolution: true}))
@@ -88,6 +42,11 @@ func TestDentryResolutionERPC(t *testing.T) {
}
defer test.Close()
+ p, ok := test.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ t.Skip("not supported")
+ }
+
testFile, _, err := test.Path("parent/" + basename)
if err != nil {
t.Fatal(err)
@@ -100,11 +59,27 @@ func TestDentryResolutionERPC(t *testing.T) {
defer os.RemoveAll(dir)
test.WaitSignal(t, func() error {
- _, err = os.Create(testFile)
- return err
+ file, err := os.OpenFile(testFile, os.O_CREATE|unix.O_NOCTTY|unix.O_NOFOLLOW, 0666)
+ if err != nil {
+ return err
+ }
+ file.Close()
+ return nil
}, func(event *model.Event, rule *rules.Rule) {
- assertTriggeredRule(t, rule, "test_erpc_rule")
+ assertTriggeredRule(t, rule, "test_erpc_path_rule")
+ basename := path.Base(testFile)
+
+ res, err := p.Resolvers.DentryResolver.Resolve(event.Open.File.PathKey, true)
+ assert.Nil(test.t, err)
+ assert.Equal(test.t, basename, path.Base(res))
+
+ // check that the path is now available from the cache
+ res, err = p.Resolvers.DentryResolver.ResolveFromCache(event.Open.File.PathKey)
+ assert.Nil(test.t, err)
+ assert.Equal(test.t, basename, path.Base(res))
+
+ // check stats
test.eventMonitor.SendStats()
key := metrics.MetricDentryResolverHits + ":" + metrics.ERPCTag
@@ -112,24 +87,18 @@ func TestDentryResolutionERPC(t *testing.T) {
key = metrics.MetricDentryResolverHits + ":" + metrics.KernelMapsTag
assert.Empty(t, test.statsdClient.Get(key))
-
- validateResolution(test, event, testFile,
- test.probe.GetResolvers().DentryResolver.ResolveFromERPC,
- test.probe.GetResolvers().DentryResolver.ResolveParentFromERPC,
- test.probe.GetResolvers().DentryResolver.ResolveNameFromERPC,
- )
})
}
-func TestDentryResolutionMap(t *testing.T) {
+func TestDentryPathMap(t *testing.T) {
// generate a basename up to the current limit of the agent
var basename string
for i := 0; i < model.MaxSegmentLength; i++ {
basename += "a"
}
rule := &rules.RuleDefinition{
- ID: "test_map_rule",
- Expression: fmt.Sprintf(`open.file.path == "{{.Root}}/parent/%s" && open.flags & O_CREAT != 0`, basename),
+ ID: "test_map_path_rule",
+ Expression: fmt.Sprintf(`open.flags & (O_CREAT|O_NOCTTY|O_NOFOLLOW) != 0 && process.file.name == "testsuite"`),
}
test, err := newTestModule(t, nil, []*rules.RuleDefinition{rule}, withStaticOpts(testOpts{disableERPCDentryResolution: true}))
@@ -138,105 +107,108 @@ func TestDentryResolutionMap(t *testing.T) {
}
defer test.Close()
+ p, ok := test.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ t.Skip("not supported")
+ }
+
testFile, _, err := test.Path("parent/" + basename)
if err != nil {
t.Fatal(err)
}
- defer os.Remove(testFile)
dir := path.Dir(testFile)
if err := os.MkdirAll(dir, 0777); err != nil {
t.Fatalf("failed to create directory: %s", err)
}
- defer os.Remove(dir)
+ defer os.RemoveAll(dir)
test.WaitSignal(t, func() error {
- _, err := os.Create(testFile)
+ file, err := os.OpenFile(testFile, os.O_CREATE|unix.O_NOCTTY|unix.O_NOFOLLOW, 0666)
if err != nil {
return err
}
+ file.Close()
return nil
}, func(event *model.Event, rule *rules.Rule) {
- assertTriggeredRule(t, rule, "test_map_rule")
+ assertTriggeredRule(t, rule, "test_map_path_rule")
- test.eventMonitor.SendStats()
+ basename := path.Base(testFile)
- key := metrics.MetricDentryResolverHits + ":" + metrics.KernelMapsTag
- assert.NotEmpty(t, test.statsdClient.Get(key))
+ res, err := p.Resolvers.DentryResolver.Resolve(event.Open.File.PathKey, true)
+ assert.Nil(test.t, err)
+ assert.Equal(test.t, basename, path.Base(res))
+
+ // check that the path is now available from the cache
+ res, err = p.Resolvers.DentryResolver.ResolveFromCache(event.Open.File.PathKey)
+ assert.Nil(test.t, err)
+ assert.Equal(test.t, basename, path.Base(res))
+
+ // check stats
+ test.eventMonitor.SendStats()
- key = metrics.MetricDentryResolverHits + ":" + metrics.ERPCTag
+ key := metrics.MetricDentryResolverHits + ":" + metrics.ERPCTag
assert.Empty(t, test.statsdClient.Get(key))
- validateResolution(test, event, testFile,
- test.probe.GetResolvers().DentryResolver.ResolveFromMap,
- test.probe.GetResolvers().DentryResolver.ResolveParentFromMap,
- test.probe.GetResolvers().DentryResolver.ResolveNameFromMap,
- )
+ key = metrics.MetricDentryResolverHits + ":" + metrics.KernelMapsTag
+ assert.NotEmpty(t, test.statsdClient.Get(key))
})
}
-func BenchmarkERPCDentryResolutionSegment(b *testing.B) {
+func TestDentryName(t *testing.T) {
+ // generate a basename up to the current limit of the agent
+ var basename string
+ for i := 0; i < model.MaxSegmentLength; i++ {
+ basename += "a"
+ }
rule := &rules.RuleDefinition{
- ID: "test_rule",
- Expression: `open.file.path == "{{.Root}}/aa/bb/cc/dd/ee" && open.flags & O_CREAT != 0`,
+ ID: "test_dentry_name_rule",
+ Expression: fmt.Sprintf(`open.flags & (O_CREAT|O_NOCTTY|O_NOFOLLOW) != 0 && process.file.name == "testsuite"`),
}
- test, err := newTestModule(b, nil, []*rules.RuleDefinition{rule}, withStaticOpts(testOpts{disableMapDentryResolution: true}))
+ test, err := newTestModule(t, nil, []*rules.RuleDefinition{rule})
if err != nil {
- b.Fatal(err)
+ t.Fatal(err)
}
defer test.Close()
- testFile, _, err := test.Path("aa/bb/cc/dd/ee")
- if err != nil {
- b.Fatal(err)
+ p, ok := test.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ t.Skip("not supported")
}
- _ = os.MkdirAll(path.Dir(testFile), 0755)
- defer os.Remove(testFile)
-
- var pathKey model.PathKey
-
- err = test.GetSignal(b, func() error {
- fd, err := syscall.Open(testFile, syscall.O_CREAT, 0755)
- if err != nil {
- return err
- }
- return syscall.Close(fd)
- }, func(event *model.Event, _ *rules.Rule) {
- pathKey = event.Open.File.PathKey
- })
- if err != nil {
- b.Fatal(err)
- }
-
- // create a new dentry resolver to avoid concurrent map access errors
- resolver, err := dentry.NewResolver(test.probe.Config.Probe, test.probe.StatsdClient, test.probe.Erpc)
+ testFile, _, err := test.Path("parent/" + basename)
if err != nil {
- b.Fatal(err)
+ t.Fatal(err)
}
- if err := resolver.Start(test.probe.Manager); err != nil {
- b.Fatal(err)
- }
- name, err := resolver.ResolveNameFromERPC(pathKey)
- if err != nil {
- b.Fatal(err)
+ dir := path.Dir(testFile)
+ if err := os.MkdirAll(dir, 0777); err != nil {
+ t.Fatalf("failed to create directory: %s", err)
}
- b.Log(name)
+ defer os.RemoveAll(dir)
- b.ResetTimer()
- for n := 0; n < b.N; n++ {
- name, err = resolver.ResolveNameFromERPC(pathKey)
+ test.WaitSignal(t, func() error {
+ file, err := os.OpenFile(testFile, os.O_CREATE|unix.O_NOCTTY|unix.O_NOFOLLOW, 0666)
if err != nil {
- b.Fatal(err)
- }
- if len(name) == 0 || len(name) > 0 && name[0] == 0 {
- b.Log("couldn't resolve segment")
+ return err
}
- }
+ file.Close()
+ return nil
+ }, func(event *model.Event, rule *rules.Rule) {
+ assertTriggeredRule(t, rule, "test_dentry_name_rule")
- test.Close()
+ basename := path.Base(testFile)
+
+ // check that the path is now available from the cache
+ res := p.Resolvers.DentryResolver.ResolveName(event.Open.File.PathKey)
+ assert.Equal(test.t, basename, res)
+
+ // check that the path is now available from the cache
+ res, err = p.Resolvers.DentryResolver.ResolveNameFromCache(event.Open.File.PathKey)
+ assert.Nil(test.t, err)
+ assert.Equal(test.t, basename, path.Base(res))
+ })
}
func BenchmarkERPCDentryResolutionPath(b *testing.B) {
@@ -251,6 +223,11 @@ func BenchmarkERPCDentryResolutionPath(b *testing.B) {
}
defer test.Close()
+ p, ok := test.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ b.Skip("not supported")
+ }
+
testFile, _, err := test.Path("aa/bb/cc/dd/ee")
if err != nil {
b.Fatal(err)
@@ -275,12 +252,12 @@ func BenchmarkERPCDentryResolutionPath(b *testing.B) {
}
// create a new dentry resolver to avoid concurrent map access errors
- resolver, err := dentry.NewResolver(test.probe.Config.Probe, test.probe.StatsdClient, test.probe.Erpc)
+ resolver, err := dentry.NewResolver(test.probe.Config.Probe, test.probe.StatsdClient, p.Erpc)
if err != nil {
b.Fatal(err)
}
- if err := resolver.Start(test.probe.Manager); err != nil {
+ if err := resolver.Start(p.Manager); err != nil {
b.Fatal(err)
}
f, err := resolver.ResolveFromERPC(pathKey, true)
@@ -315,6 +292,11 @@ func BenchmarkMapDentryResolutionSegment(b *testing.B) {
}
defer test.Close()
+ p, ok := test.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ b.Skip("not supported")
+ }
+
testFile, _, err := test.Path("aa/bb/cc/dd/ee")
if err != nil {
b.Fatal(err)
@@ -339,12 +321,12 @@ func BenchmarkMapDentryResolutionSegment(b *testing.B) {
}
// create a new dentry resolver to avoid concurrent map access errors
- resolver, err := dentry.NewResolver(test.probe.Config.Probe, test.probe.StatsdClient, test.probe.Erpc)
+ resolver, err := dentry.NewResolver(test.probe.Config.Probe, test.probe.StatsdClient, p.Erpc)
if err != nil {
b.Fatal(err)
}
- if err := resolver.Start(test.probe.Manager); err != nil {
+ if err := resolver.Start(p.Manager); err != nil {
b.Fatal(err)
}
name, err := resolver.ResolveNameFromMap(pathKey)
@@ -379,6 +361,11 @@ func BenchmarkMapDentryResolutionPath(b *testing.B) {
}
defer test.Close()
+ p, ok := test.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ b.Skip("not supported")
+ }
+
testFile, _, err := test.Path("aa/bb/cc/dd/ee")
if err != nil {
b.Fatal(err)
@@ -402,12 +389,12 @@ func BenchmarkMapDentryResolutionPath(b *testing.B) {
}
// create a new dentry resolver to avoid concurrent map access errors
- resolver, err := dentry.NewResolver(test.probe.Config.Probe, test.probe.StatsdClient, test.probe.Erpc)
+ resolver, err := dentry.NewResolver(test.probe.Config.Probe, test.probe.StatsdClient, p.Erpc)
if err != nil {
b.Fatal(err)
}
- if err := resolver.Start(test.probe.Manager); err != nil {
+ if err := resolver.Start(p.Manager); err != nil {
b.Fatal(err)
}
f, err := resolver.ResolveFromMap(pathKey, true)
diff --git a/pkg/security/tests/kernel_module_test.go b/pkg/security/tests/kernel_module_test.go
index 377094b21aa02..a27ca2c37090c 100644
--- a/pkg/security/tests/kernel_module_test.go
+++ b/pkg/security/tests/kernel_module_test.go
@@ -188,15 +188,15 @@ func TestLoadModule(t *testing.T) {
},
{
ID: "test_load_module_with_params",
- Expression: fmt.Sprintf(`load_module.name == "%s" && load_module.argv in ["toto=1"]`, testModuleName),
+ Expression: fmt.Sprintf(`load_module.name == "%s" && load_module.argv in ["cifs_max_pending=2"]`, testModuleName),
},
{
ID: "test_load_module_with_truncated_params",
- Expression: fmt.Sprintf(`load_module.name == "%s" && load_module.argv in ["Lorem"]`, testModuleName),
+ Expression: fmt.Sprintf(`load_module.name == "%s" && load_module.argv in [r"CIFSMaxBufSize=.*"]`, testModuleName),
},
{
ID: "test_load_module_with_params_from_memory",
- Expression: fmt.Sprintf(`load_module.name == "%s" && load_module.argv in ["toto=5"] && load_module.loaded_from_memory == true`, testModuleName),
+ Expression: fmt.Sprintf(`load_module.name == "%s" && load_module.argv in ["cifs_min_rcv=6"] && load_module.loaded_from_memory == true`, testModuleName),
},
}
@@ -261,13 +261,13 @@ func TestLoadModule(t *testing.T) {
}
defer f.Close()
- if err = unix.FinitModule(int(f.Fd()), "toto=1 toto=2 toto=3", 0); err != nil {
+ if err = unix.FinitModule(int(f.Fd()), "cifs_max_pending=2 cifs_min_small=2", 0); err != nil {
return fmt.Errorf("couldn't insert module: %w", err)
}
return unix.DeleteModule(testModuleName, 0)
}, func(event *model.Event, r *rules.Rule) {
assert.Equal(t, "test_load_module_with_params", r.ID, "wrong rule triggered")
- assertFieldEqual(t, event, "load_module.args", "toto=1 toto=2 toto=3")
+ assertFieldEqual(t, event, "load_module.args", "cifs_max_pending=2 cifs_min_small=2")
assertFieldEqual(t, event, "load_module.loaded_from_memory", false)
assertFieldEqual(t, event, "load_module.args_truncated", false)
test.validateLoadModuleSchema(t, event)
@@ -281,14 +281,14 @@ func TestLoadModule(t *testing.T) {
return fmt.Errorf("couldn't load module content: %w", err)
}
- if err = unix.InitModule(module, "toto=5"); err != nil {
+ if err = unix.InitModule(module, "cifs_min_rcv=6"); err != nil {
return fmt.Errorf("couldn't insert module: %w", err)
}
return unix.DeleteModule(testModuleName, 0)
}, func(event *model.Event, r *rules.Rule) {
assert.Equal(t, "test_load_module_with_params_from_memory", r.ID, "wrong rule triggered")
- assertFieldEqual(t, event, "load_module.argv", []string{"toto=5"})
+ assertFieldEqual(t, event, "load_module.argv", []string{"cifs_min_rcv=6"})
assertFieldEqual(t, event, "load_module.loaded_from_memory", true)
assertFieldEqual(t, event, "load_module.args_truncated", false)
test.validateLoadModuleSchema(t, event)
@@ -296,21 +296,26 @@ func TestLoadModule(t *testing.T) {
})
t.Run("load_module_with_truncated_params", func(t *testing.T) {
+ var args []string
+ for i := 0; i != 10; i++ {
+ args = append(args, fmt.Sprintf("CIFSMaxBufSize=%d", 8192+i))
+ }
+
test.WaitSignal(t, func() error {
module, err := os.ReadFile(modulePath)
if err != nil {
return fmt.Errorf("couldn't load module content: %w", err)
}
- if err = unix.InitModule(module, "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis in luctus quam. Nam purus risus, varius non massa bibendum, sollicitudin"); err != nil {
+ if err = unix.InitModule(module, strings.Join(args, " ")); err != nil {
return fmt.Errorf("couldn't insert module: %w", err)
}
return unix.DeleteModule(testModuleName, 0)
}, func(event *model.Event, r *rules.Rule) {
assert.Equal(t, "test_load_module_with_truncated_params", r.ID, "wrong rule triggered")
- assertFieldEqual(t, event, "load_module.argv", []string{"Lorem", "ipsum", "dolor", "sit", "amet,", "consectetur", "adipiscing", "elit.", "Duis", "in", "luctus", "quam.", "Nam", "purus", "risus,", "varius", "non", "massa", "bibendum,"})
- assertFieldEqual(t, event, "load_module.args", "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis in luctus quam. Nam purus risus, varius non massa bibendum,")
+ assertFieldEqual(t, event, "load_module.argv", args[0:6])
+ assertFieldEqual(t, event, "load_module.args", strings.Join(args[0:6], " "))
assertFieldEqual(t, event, "load_module.loaded_from_memory", true)
assertFieldEqual(t, event, "load_module.args_truncated", true)
test.validateLoadModuleSchema(t, event)
diff --git a/pkg/security/tests/module_tester.go b/pkg/security/tests/module_tester.go
index 76029ad01ed33..4da4c8f83a17a 100644
--- a/pkg/security/tests/module_tester.go
+++ b/pkg/security/tests/module_tester.go
@@ -525,7 +525,7 @@ func assertFieldStringArrayIndexedOneOf(tb *testing.T, e *model.Event, field str
//nolint:deadcode,unused
func validateProcessContextLineage(tb testing.TB, event *model.Event, probe *sprobe.Probe) {
- eventJSON, err := serializers.MarshalEvent(event, probe.GetResolvers())
+ eventJSON, err := serializers.MarshalEvent(event)
if err != nil {
tb.Errorf("failed to marshal event: %v", err)
return
@@ -614,7 +614,7 @@ func validateProcessContextSECL(tb testing.TB, event *model.Event, probe *sprobe
valid := nameFieldValid && pathFieldValid
if !valid {
- eventJSON, err := serializers.MarshalEvent(event, probe.GetResolvers())
+ eventJSON, err := serializers.MarshalEvent(event)
if err != nil {
tb.Errorf("failed to marshal event: %v", err)
return
@@ -676,8 +676,8 @@ func validateProcessContext(tb testing.TB, event *model.Event, probe *sprobe.Pro
//nolint:deadcode,unused
func validateEvent(tb testing.TB, validate func(event *model.Event, rule *rules.Rule), probe *sprobe.Probe) func(event *model.Event, rule *rules.Rule) {
return func(event *model.Event, rule *rules.Rule) {
- validateProcessContext(tb, event, probe)
validate(event, rule)
+ validateProcessContext(tb, event, probe)
}
}
@@ -955,7 +955,7 @@ func newTestModule(t testing.TB, macroDefs []*rules.MacroDefinition, ruleDefs []
}
if ruleDefs != nil && logStatusMetrics {
- t.Logf("%s entry stats: %s\n", t.Name(), GetStatusMetrics(testMod.probe))
+ t.Logf("%s entry stats: %s\n", t.Name(), GetEBPFStatusMetrics(testMod.probe))
}
return testMod, nil
} else if testMod != nil {
@@ -1028,7 +1028,7 @@ func newTestModule(t testing.TB, macroDefs []*rules.MacroDefinition, ruleDefs []
return nil, err
}
- testMod.probe.AddNewNotifyDiscarderPushedCallback(testMod.NotifyDiscarderPushedCallback)
+ testMod.probe.AddDiscarderPushedCallback(testMod.NotifyDiscarderPushedCallback)
if err := testMod.eventMonitor.Init(); err != nil {
return nil, fmt.Errorf("failed to init module: %w", err)
@@ -1036,7 +1036,12 @@ func newTestModule(t testing.TB, macroDefs []*rules.MacroDefinition, ruleDefs []
kv, _ := kernel.NewKernelVersion()
- if os.Getenv("DD_TESTS_RUNTIME_COMPILED") == "1" && secconfig.Probe.RuntimeCompilationEnabled && !testMod.eventMonitor.Probe.IsRuntimeCompiled() && !kv.IsSuseKernel() {
+ var isRuntimeCompiled bool
+ if p, ok := testMod.eventMonitor.Probe.PlatformProbe.(*probe.EBPFProbe); ok {
+ isRuntimeCompiled = p.IsRuntimeCompiled()
+ }
+
+ if os.Getenv("DD_TESTS_RUNTIME_COMPILED") == "1" && secconfig.Probe.RuntimeCompilationEnabled && !isRuntimeCompiled && !kv.IsSuseKernel() {
return nil, errors.New("failed to runtime compile module")
}
@@ -1064,7 +1069,7 @@ func newTestModule(t testing.TB, macroDefs []*rules.MacroDefinition, ruleDefs []
}
if logStatusMetrics {
- t.Logf("%s entry stats: %s\n", t.Name(), GetStatusMetrics(testMod.probe))
+ t.Logf("%s entry stats: %s\n", t.Name(), GetEBPFStatusMetrics(testMod.probe))
}
return testMod, nil
@@ -1197,7 +1202,7 @@ func (tm *testModule) GetEventDiscarder(tb testing.TB, action func() error, cb o
//nolint:deadcode,unused
func (tm *testModule) marshalEvent(ev *model.Event) (string, error) {
- b, err := serializers.MarshalEvent(ev, tm.probe.GetResolvers())
+ b, err := serializers.MarshalEvent(ev)
return string(b), err
}
@@ -1210,12 +1215,18 @@ func (tm *testModule) debugEvent(ev *model.Event) string {
return string(b)
}
-// GetStatusMetrics returns a string representation of the perf buffer monitor metrics
-func GetStatusMetrics(probe *sprobe.Probe) string {
+// GetEBPFStatusMetrics returns a string representation of the perf buffer monitor metrics
+func GetEBPFStatusMetrics(probe *sprobe.Probe) string {
if probe == nil {
return ""
}
- monitors := probe.GetMonitors()
+
+ p, ok := probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ return ""
+ }
+
+ monitors := p.GetMonitors()
if monitors == nil {
return ""
}
@@ -1262,7 +1273,7 @@ func (tm *testModule) NewTimeoutError() ErrTimeout {
var msg strings.Builder
msg.WriteString("timeout, details: ")
- msg.WriteString(GetStatusMetrics(tm.probe))
+ msg.WriteString(GetEBPFStatusMetrics(tm.probe))
msg.WriteString(spew.Sdump(ddebpf.GetProbeStats()))
events := tm.ruleEngine.StopEventCollector()
@@ -1672,7 +1683,7 @@ func (tm *testModule) Close() {
tm.statsdClient.Flush()
if logStatusMetrics {
- tm.t.Logf("%s exit stats: %s\n", tm.t.Name(), GetStatusMetrics(tm.probe))
+ tm.t.Logf("%s exit stats: %s\n", tm.t.Name(), GetEBPFStatusMetrics(tm.probe))
}
if withProfile {
@@ -1894,11 +1905,16 @@ func checkKernelCompatibility(tb testing.TB, why string, skipCheck func(kv *kern
}
func (tm *testModule) StartActivityDumpComm(comm string, outputDir string, formats []string) ([]string, error) {
- managers := tm.probe.GetProfileManagers()
+ p, ok := tm.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ return nil, errors.New("not supported")
+ }
+
+ managers := p.GetProfileManagers()
if managers == nil {
- return nil, errors.New("No monitor")
+ return nil, errors.New("no manager")
}
- p := &api.ActivityDumpParams{
+ params := &api.ActivityDumpParams{
Comm: comm,
Timeout: "1m",
DifferentiateArgs: true,
@@ -1910,7 +1926,7 @@ func (tm *testModule) StartActivityDumpComm(comm string, outputDir string, forma
RemoteStorageCompression: false,
},
}
- mess, err := managers.DumpActivity(p)
+ mess, err := managers.DumpActivity(params)
if err != nil || mess == nil || len(mess.Storage) < 1 {
return nil, fmt.Errorf("failed to start activity dump: err:%v message:%v len:%v", err, mess, len(mess.Storage))
}
@@ -1923,16 +1939,21 @@ func (tm *testModule) StartActivityDumpComm(comm string, outputDir string, forma
}
func (tm *testModule) StopActivityDump(name, containerID, comm string) error {
- managers := tm.probe.GetProfileManagers()
+ p, ok := tm.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ return errors.New("not supported")
+ }
+
+ managers := p.GetProfileManagers()
if managers == nil {
- return errors.New("No monitor")
+ return errors.New("no manager")
}
- p := &api.ActivityDumpStopParams{
+ params := &api.ActivityDumpStopParams{
Name: name,
ContainerID: containerID,
Comm: comm,
}
- _, err := managers.StopActivityDump(p)
+ _, err := managers.StopActivityDump(params)
if err != nil {
return err
}
@@ -1947,12 +1968,17 @@ type activityDumpIdentifier struct {
}
func (tm *testModule) ListActivityDumps() ([]*activityDumpIdentifier, error) {
- managers := tm.probe.GetProfileManagers()
+ p, ok := tm.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ return nil, errors.New("not supported")
+ }
+
+ managers := p.GetProfileManagers()
if managers == nil {
return nil, errors.New("No monitor")
}
- p := &api.ActivityDumpListParams{}
- mess, err := managers.ListActivityDumps(p)
+ params := &api.ActivityDumpListParams{}
+ mess, err := managers.ListActivityDumps(params)
if err != nil || mess == nil {
return nil, err
}
@@ -1980,7 +2006,12 @@ func (tm *testModule) ListActivityDumps() ([]*activityDumpIdentifier, error) {
}
func (tm *testModule) DecodeActivityDump(path string) (*dump.ActivityDump, error) {
- managers := tm.probe.GetProfileManagers()
+ p, ok := tm.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ return nil, errors.New("not supported")
+ }
+
+ managers := p.GetProfileManagers()
if managers == nil {
return nil, errors.New("No monitor")
}
@@ -2121,7 +2152,12 @@ func (tm *testModule) addAllEventTypesOnDump(dockerInstance *dockerCmdWrapper, i
//nolint:deadcode,unused
func (tm *testModule) triggerLoadControllerReducer(dockerInstance *dockerCmdWrapper, id *activityDumpIdentifier) {
- managers := tm.probe.GetProfileManagers()
+ p, ok := tm.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ return
+ }
+
+ managers := p.GetProfileManagers()
if managers == nil {
return
}
@@ -2369,9 +2405,14 @@ func (tm *testModule) GetADSelector(dumpID *activityDumpIdentifier) (*cgroupMode
}
func (tm *testModule) SetProfileStatus(selector *cgroupModel.WorkloadSelector, newStatus model.Status) error {
- managers := tm.probe.GetProfileManagers()
+ p, ok := tm.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ return errors.New("not supported")
+ }
+
+ managers := p.GetProfileManagers()
if managers == nil {
- return errors.New("No monitor")
+ return errors.New("no manager")
}
spm := managers.GetSecurityProfileManager()
diff --git a/pkg/security/tests/mount_test.go b/pkg/security/tests/mount_test.go
index 90b2a6ff3d50a..5ba4d448aa7a5 100644
--- a/pkg/security/tests/mount_test.go
+++ b/pkg/security/tests/mount_test.go
@@ -21,6 +21,7 @@ import (
"github.com/stretchr/testify/assert"
"golang.org/x/sys/unix"
+ sprobe "github.com/DataDog/datadog-agent/pkg/security/probe"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
"github.com/DataDog/datadog-agent/pkg/security/utils"
@@ -324,6 +325,11 @@ func TestMountSnapshot(t *testing.T) {
}
defer test.Close()
+ p, ok := test.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ t.Skip("not supported")
+ }
+
tmpfsMountB, bindMountB, err := createHierarchy(rootB)
if err != nil {
t.Fatal(err)
@@ -331,7 +337,7 @@ func TestMountSnapshot(t *testing.T) {
defer tmpfsMountB.unmount(0)
defer bindMountB.unmount(0)
- mountResolver := test.probe.GetResolvers().MountResolver
+ mountResolver := p.Resolvers.MountResolver
pid := utils.Getpid()
mounts, err := kernel.ParseMountInfoFile(int32(pid))
diff --git a/pkg/security/tests/network_device_test.go b/pkg/security/tests/network_device_test.go
index 15f2359396380..3a51c8746c023 100644
--- a/pkg/security/tests/network_device_test.go
+++ b/pkg/security/tests/network_device_test.go
@@ -24,6 +24,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/config"
"github.com/DataDog/datadog-agent/pkg/security/ebpf/kernel"
+ sprobe "github.com/DataDog/datadog-agent/pkg/security/probe"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
"github.com/DataDog/datadog-agent/pkg/security/utils"
@@ -211,10 +212,15 @@ func TestTCFilters(t *testing.T) {
t.Error("Ingress tc classifier does not exist")
}
if !egressExists {
- t.Fatalf("Egress tc classifier does not exist")
+ t.Fatal("Egress tc classifier does not exist")
}
- if err := test.probe.Manager.CleanupNetworkNamespace(nsid); err != nil {
+ p, ok := test.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ t.Fatal("not supported")
+ }
+
+ if err := p.Manager.CleanupNetworkNamespace(nsid); err != nil {
t.Fatal(err)
}
diff --git a/pkg/security/tests/process_test.go b/pkg/security/tests/process_test.go
index 46e312f9b21df..94fe815aba3cd 100644
--- a/pkg/security/tests/process_test.go
+++ b/pkg/security/tests/process_test.go
@@ -31,6 +31,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/config"
"github.com/DataDog/datadog-agent/pkg/security/ebpf/kernel"
+ sprobe "github.com/DataDog/datadog-agent/pkg/security/probe"
"github.com/DataDog/datadog-agent/pkg/security/probe/constantfetch"
"github.com/avast/retry-go/v4"
@@ -1323,6 +1324,11 @@ func TestProcessExecExit(t *testing.T) {
}
defer test.Close()
+ p, ok := test.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ t.Skip("not supported")
+ }
+
var execPid uint32
err = test.GetProbeEvent(func() error {
@@ -1367,8 +1373,7 @@ func TestProcessExecExit(t *testing.T) {
// make sure that the process cache entry of the process was properly deleted from the cache
err = retry.Do(func() error {
- resolvers := test.probe.GetResolvers()
- entry := resolvers.ProcessResolver.Get(execPid)
+ entry := p.Resolvers.ProcessResolver.Get(execPid)
if entry != nil {
return errors.New("the process cache entry was not deleted from the user space cache")
}
@@ -1992,6 +1997,11 @@ chmod 755 pyscript.py
}
defer testModule.Close()
+ p, ok := testModule.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ t.Skip("not supported")
+ }
+
for _, test := range tests {
testModule.Run(t, test.name, func(t *testing.T, kind wrapperType, cmdFunc func(cmd string, args []string, envs []string) *exec.Cmd) {
scriptLocation := fmt.Sprintf("/tmp/%s", test.scriptName)
@@ -2009,7 +2019,7 @@ chmod 755 pyscript.py
}
t.Logf(string(output))
- offsets, _ := testModule.probe.GetOffsetConstants()
+ offsets, _ := p.GetOffsetConstants()
t.Logf("%s: %+v\n", constantfetch.OffsetNameLinuxBinprmStructFile, offsets[constantfetch.OffsetNameLinuxBinprmStructFile])
return nil
@@ -2035,6 +2045,11 @@ func TestProcessResolution(t *testing.T) {
}
defer test.Close()
+ p, ok := test.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ t.Skip("not supported")
+ }
+
syscallTester, err := loadSyscallTester(t, test, "syscall_tester")
if err != nil {
t.Fatal(err)
@@ -2087,7 +2102,7 @@ func TestProcessResolution(t *testing.T) {
}
inode := uint64(value.(int))
- resolvers := test.probe.GetResolvers()
+ resolver := p.Resolvers.ProcessResolver
// compare only few fields as the hierarchy fields(pointers, etc) are modified by the resolution function calls
equals := func(t *testing.T, entry1, entry2 *model.ProcessCacheEntry) {
@@ -2105,12 +2120,12 @@ func TestProcessResolution(t *testing.T) {
assert.Greater(t, time.Second, entry1.ForkTime.Sub(entry2.ForkTime).Abs())
}
- cacheEntry := resolvers.ProcessResolver.ResolveFromCache(pid, pid, inode)
+ cacheEntry := resolver.ResolveFromCache(pid, pid, inode)
if cacheEntry == nil {
t.Errorf("not able to resolve the entry")
}
- mapsEntry := resolvers.ProcessResolver.ResolveFromKernelMaps(pid, pid, inode)
+ mapsEntry := resolver.ResolveFromKernelMaps(pid, pid, inode)
if mapsEntry == nil {
t.Errorf("not able to resolve the entry")
}
@@ -2119,7 +2134,7 @@ func TestProcessResolution(t *testing.T) {
// This makes use of the cache and do not parse /proc
// it still checks the ResolveFromProcfs returns the correct entry
- procEntry := resolvers.ProcessResolver.ResolveFromProcfs(pid)
+ procEntry := resolver.ResolveFromProcfs(pid)
if procEntry == nil {
t.Fatalf("not able to resolve the entry")
}
diff --git a/pkg/security/tests/sbom_test.go b/pkg/security/tests/sbom_test.go
index e964b885be5f6..d26f32aaeb97f 100644
--- a/pkg/security/tests/sbom_test.go
+++ b/pkg/security/tests/sbom_test.go
@@ -15,6 +15,7 @@ import (
"github.com/avast/retry-go/v4"
+ sprobe "github.com/DataDog/datadog-agent/pkg/security/probe"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
)
@@ -33,6 +34,11 @@ func TestSBOM(t *testing.T) {
}
defer test.Close()
+ p, ok := test.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ t.Skip("not supported")
+ }
+
dockerWrapper, err := newDockerCmdWrapper(test.Root(), test.Root(), "ubuntu")
if err != nil {
t.Skip("Skipping sbom tests: Docker not available")
@@ -43,7 +49,7 @@ func TestSBOM(t *testing.T) {
dockerWrapper.Run(t, "package-rule", func(t *testing.T, kind wrapperType, cmdFunc func(bin string, args, env []string) *exec.Cmd) {
test.WaitSignal(t, func() error {
retry.Do(func() error {
- sbom := test.probe.GetResolvers().SBOMResolver.GetWorkload(dockerWrapper.containerID)
+ sbom := p.Resolvers.SBOMResolver.GetWorkload(dockerWrapper.containerID)
if sbom == nil {
return fmt.Errorf("failed to find SBOM for '%s'", dockerWrapper.containerID)
}
diff --git a/pkg/security/tests/schemas/selinux.schema.json b/pkg/security/tests/schemas/selinux.schema.json
index e2d72e3b2d79e..5cff42b712ef4 100644
--- a/pkg/security/tests/schemas/selinux.schema.json
+++ b/pkg/security/tests/schemas/selinux.schema.json
@@ -96,42 +96,6 @@
]
}
},
- "allOf": [
- {
- "if": {
- "properties": {
- "file": {
- "type": "object",
- "required": [
- "container_path"
- ]
- }
- }
- },
- "then": {
- "required": [
- "container"
- ]
- }
- },
- {
- "if": {
- "required": [
- "container"
- ]
- },
- "then": {
- "properties": {
- "file": {
- "type": "object",
- "required": [
- "container_path"
- ]
- }
- }
- }
- }
- ],
"required": [
"selinux"
]
diff --git a/pkg/security/tests/selinux_test.go b/pkg/security/tests/selinux_test.go
index 5780a34797932..ae2cabcc4217d 100644
--- a/pkg/security/tests/selinux_test.go
+++ b/pkg/security/tests/selinux_test.go
@@ -150,6 +150,10 @@ func TestSELinux(t *testing.T) {
}
func TestSELinuxCommitBools(t *testing.T) {
+ if !isSELinuxEnabled() {
+ t.Skipf("SELinux is not available, skipping tests")
+ }
+
ruleset := []*rules.RuleDefinition{
{
ID: "test_selinux_commit_bools",
@@ -163,10 +167,6 @@ func TestSELinuxCommitBools(t *testing.T) {
}
defer test.Close()
- if !isSELinuxEnabled() {
- t.Skipf("SELinux is not available, skipping tests")
- }
-
savedBoolValue, err := getBoolValue(TestBoolName)
if err != nil {
t.Fatalf("failed to save bool state: %v", err)
diff --git a/pkg/security/tests/serializers_test.go b/pkg/security/tests/serializers_test.go
index 77eeaf4fbfaff..e13ad56cd84db 100644
--- a/pkg/security/tests/serializers_test.go
+++ b/pkg/security/tests/serializers_test.go
@@ -61,7 +61,7 @@ func fetchRealisticEventSerializerInner(tb testing.TB) *serializers.EventSeriali
assert.Equal(tb, "open", event.GetType(), "wrong event type")
})
- return serializers.NewEventSerializer(workingEvent, test.probe.GetResolvers())
+ return serializers.NewEventSerializer(workingEvent)
}
func BenchmarkSerializersEasyJson(b *testing.B) {
diff --git a/pkg/security/tests/stress_test.go b/pkg/security/tests/stress_test.go
index 705b5827a5b46..db6172d6900cb 100644
--- a/pkg/security/tests/stress_test.go
+++ b/pkg/security/tests/stress_test.go
@@ -17,6 +17,7 @@ import (
"testing"
"time"
+ sprobe "github.com/DataDog/datadog-agent/pkg/security/probe"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
)
@@ -41,6 +42,11 @@ func stressOpen(t *testing.T, rule *rules.RuleDefinition, pathname string, size
}
defer test.Close()
+ p, ok := test.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ t.Skip("not supported")
+ }
+
testFolder, _, err := test.Path(path.Dir(pathname))
if err != nil {
t.Fatal(err)
@@ -53,7 +59,8 @@ func stressOpen(t *testing.T, rule *rules.RuleDefinition, pathname string, size
t.Fatal(err)
}
- eventStreamMonitor := test.probe.GetMonitors().GetEventStreamMonitor()
+ eventStreamMonitor := p.GetMonitors().GetEventStreamMonitor()
+
eventStreamMonitor.GetAndResetLostCount("events", -1)
eventStreamMonitor.GetKernelLostCount("events", -1, model.MaxKernelEventType)
@@ -183,6 +190,11 @@ func stressExec(t *testing.T, rule *rules.RuleDefinition, pathname string, execu
}
defer test.Close()
+ p, ok := test.probe.PlatformProbe.(*sprobe.EBPFProbe)
+ if !ok {
+ t.Skip("not supported")
+ }
+
testFolder, _, err := test.Path(path.Dir(pathname))
if err != nil {
t.Fatal(err)
@@ -195,7 +207,7 @@ func stressExec(t *testing.T, rule *rules.RuleDefinition, pathname string, execu
t.Fatal(err)
}
- eventStreamMonitor := test.probe.GetMonitors().GetEventStreamMonitor()
+ eventStreamMonitor := p.GetMonitors().GetEventStreamMonitor()
eventStreamMonitor.GetAndResetLostCount("events", -1)
eventStreamMonitor.GetKernelLostCount("events", -1, model.MaxKernelEventType)
diff --git a/pkg/security/tests/usergroup_test.go b/pkg/security/tests/usergroup_test.go
index 19336177f9081..c52d43a8a62ba 100644
--- a/pkg/security/tests/usergroup_test.go
+++ b/pkg/security/tests/usergroup_test.go
@@ -17,6 +17,10 @@ import (
)
func TestUserGroup(t *testing.T) {
+ if testEnvironment == DockerEnvironment {
+ t.Skip("Skip test spawning docker containers on docker")
+ }
+
ruleDefs := []*rules.RuleDefinition{
{
ID: "test_rule_user",
@@ -118,31 +122,32 @@ func TestUserGroup(t *testing.T) {
defer test.Close()
for _, distroTest := range distroTests {
- dockerWrapper, err := newDockerCmdWrapper(test.Root(), test.Root(), distroTest.name)
- if err != nil {
- t.Skipf("Skipping user group tests: Docker not available: %s", err)
- return
- }
+ t.Run(distroTest.name, func(t *testing.T) {
+ dockerWrapper, err := newDockerCmdWrapper(test.Root(), test.Root(), distroTest.name)
+ if err != nil {
+ t.Fatal(err)
+ }
- if _, err := dockerWrapper.start(); err != nil {
- t.Fatal(err)
- }
- defer dockerWrapper.stop()
+ if _, err := dockerWrapper.start(); err != nil {
+ t.Fatal(err)
+ }
+ defer dockerWrapper.stop()
- for _, testCommand := range distroTest.testCommands {
- i := 0
- dockerWrapper.RunTest(t, distroTest.name+"-"+testCommand.name, func(t *testing.T, kind wrapperType, cmdFunc func(bin string, args, env []string) *exec.Cmd) {
- test.WaitSignals(t, func() error {
- return cmdFunc(testCommand.cmd[0], testCommand.cmd[1:], nil).Run()
- }, func(event *model.Event, rule *rules.Rule) error {
- assertTriggeredRule(t, rule, testCommand.rules[i])
- i++
- if i < len(testCommand.rules) {
- return errSkipEvent
- }
- return nil
+ for _, testCommand := range distroTest.testCommands {
+ i := 0
+ dockerWrapper.RunTest(t, testCommand.name, func(t *testing.T, kind wrapperType, cmdFunc func(bin string, args, env []string) *exec.Cmd) {
+ test.WaitSignals(t, func() error {
+ return cmdFunc(testCommand.cmd[0], testCommand.cmd[1:], nil).Run()
+ }, func(event *model.Event, rule *rules.Rule) error {
+ assertTriggeredRule(t, rule, testCommand.rules[i])
+ i++
+ if i < len(testCommand.rules) {
+ return errSkipEvent
+ }
+ return nil
+ })
})
- })
- }
+ }
+ })
}
}
diff --git a/pkg/security/utils/hostname.go b/pkg/security/utils/hostname.go
index 7fc716f2dac44..a23bec4708b23 100644
--- a/pkg/security/utils/hostname.go
+++ b/pkg/security/utils/hostname.go
@@ -14,6 +14,7 @@ import (
pbgo "github.com/DataDog/datadog-agent/pkg/proto/pbgo/core"
"github.com/DataDog/datadog-agent/pkg/util/grpc"
+ "github.com/DataDog/datadog-agent/pkg/util/hostname"
"github.com/DataDog/datadog-agent/pkg/util/log"
)
@@ -54,3 +55,18 @@ func GetHostnameWithContext(ctx context.Context) (string, error) {
}, retry.LastErrorOnly(true), retry.Attempts(maxAttempts), retry.Context(ctx))
return hostname, err
}
+
+// GetHostnameWithContextAndFallback attempts to acquire a hostname by connecting to the
+// core agent's gRPC endpoints extending the given context, or falls back to local resolution
+func GetHostnameWithContextAndFallback(ctx context.Context) (string, error) {
+ hostnameDetected, err := GetHostnameWithContext(ctx)
+ if err != nil {
+ log.Warnf("Could not resolve hostname from core-agent: %v", err)
+ hostnameDetected, err = hostname.Get(ctx)
+ if err != nil {
+ return "", err
+ }
+ }
+ log.Infof("Hostname is: %s", hostnameDetected)
+ return hostnameDetected, nil
+}
diff --git a/pkg/serverless/appsec/appsec_test.go b/pkg/serverless/appsec/appsec_test.go
index e87d447149dcd..253a59f79cc0e 100644
--- a/pkg/serverless/appsec/appsec_test.go
+++ b/pkg/serverless/appsec/appsec_test.go
@@ -8,6 +8,7 @@ package appsec
import (
"encoding/json"
"fmt"
+ "os"
"strconv"
"testing"
@@ -16,6 +17,10 @@ import (
"github.com/stretchr/testify/require"
)
+func init() {
+ os.Setenv("DD_APPSEC_WAF_TIMEOUT", "1m")
+}
+
func TestNew(t *testing.T) {
for _, appsecEnabled := range []bool{true, false} {
appsecEnabledStr := strconv.FormatBool(appsecEnabled)
@@ -50,7 +55,6 @@ func TestMonitor(t *testing.T) {
t.Run("events-detection", func(t *testing.T) {
t.Setenv("DD_SERVERLESS_APPSEC_ENABLED", "true")
- t.Setenv("DD_APPSEC_WAF_TIMEOUT", "2s")
asm, err := newAppSec()
require.NoError(t, err)
defer asm.Close()
@@ -78,7 +82,6 @@ func TestMonitor(t *testing.T) {
t.Setenv("DD_API_SECURITY_REQUEST_SAMPLE_RATE", "1.0")
t.Setenv("DD_EXPERIMENTAL_API_SECURITY_ENABLED", "true")
t.Setenv("DD_SERVERLESS_APPSEC_ENABLED", "true")
- t.Setenv("DD_APPSEC_WAF_TIMEOUT", "2s")
asm, err := newAppSec()
require.NoError(t, err)
defer asm.Close()
diff --git a/pkg/serverless/appsec/httpsec/proxy_test.go b/pkg/serverless/appsec/httpsec/proxy_test.go
index 4ebb71585f529..78addd5af1a71 100644
--- a/pkg/serverless/appsec/httpsec/proxy_test.go
+++ b/pkg/serverless/appsec/httpsec/proxy_test.go
@@ -20,6 +20,10 @@ import (
"github.com/stretchr/testify/require"
)
+func init() {
+ os.Setenv("DD_APPSEC_WAF_TIMEOUT", "1m")
+}
+
func TestProxyLifecycleProcessor(t *testing.T) {
t.Setenv("DD_SERVERLESS_APPSEC_ENABLED", "true")
lp, err := appsec.New()
diff --git a/pkg/status/apm/apm.go b/pkg/status/apm/apm.go
new file mode 100644
index 0000000000000..e5576ded12793
--- /dev/null
+++ b/pkg/status/apm/apm.go
@@ -0,0 +1,59 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+// Package apm fetch information about the apm agent.
+// This will, in time, be migrated to the apm agent component.
+package apm
+
+import (
+ "encoding/json"
+ "fmt"
+ "net/http"
+ "sync"
+
+ apiutil "github.com/DataDog/datadog-agent/pkg/api/util"
+ "github.com/DataDog/datadog-agent/pkg/config"
+)
+
+// httpClients should be reused instead of created as needed. They keep cached TCP connections
+// that may leak otherwise
+var (
+ httpClient *http.Client
+ clientInitOnce sync.Once
+)
+
+func client() *http.Client {
+ clientInitOnce.Do(func() {
+ httpClient = apiutil.GetClient(false)
+ })
+
+ return httpClient
+}
+
+// GetAPMStatus returns a set of key/value pairs summarizing the status of the trace-agent.
+// If the status can not be obtained for any reason, the returned map will contain an "error"
+// key with an explanation.
+func GetAPMStatus() map[string]interface{} {
+ port := config.Datadog.GetInt("apm_config.debug.port")
+
+ c := client()
+ url := fmt.Sprintf("http://localhost:%d/debug/vars", port)
+ resp, err := apiutil.DoGet(c, url, apiutil.CloseConnection)
+ if err != nil {
+ return map[string]interface{}{
+ "port": port,
+ "error": err.Error(),
+ }
+ }
+
+ status := make(map[string]interface{})
+ if err := json.Unmarshal(resp, &status); err != nil {
+ return map[string]interface{}{
+ "port": port,
+ "error": err.Error(),
+ }
+ }
+ return status
+}
diff --git a/pkg/status/render/fixtures/agent_status.text b/pkg/status/render/fixtures/agent_status.text
new file mode 100755
index 0000000000000..ba1b6c3e5b044
--- /dev/null
+++ b/pkg/status/render/fixtures/agent_status.text
@@ -0,0 +1,515 @@
+
+==============
+Agent (vx.y.z)
+==============
+
+ Status date: 2022-12-20 22:52:01.796 UTC (1671576721796)
+ Agent start: 2022-12-20 19:21:27.793 UTC (1671564087793)
+ Pid: 12136
+ Go Version: go1.18.8
+ Python Version: 3.8.14
+ Build arch: amd64
+ Agent flavor: agent
+ Check Runners: 4
+ Log Level: INFO
+
+ Paths
+ =====
+ Config File: /etc/datadog-agent/datadog.yaml
+ conf.d: /etc/datadog-agent/conf.d
+ checks.d: /etc/datadog-agent/checks.d
+
+ Clocks
+ ======
+ NTP offset: 35µs
+ System time: 2022-12-20 22:52:01.796 UTC (1671576721796)
+
+ Host Info
+ =========
+ bootTime: 2022-12-20 19:19:03 UTC (1671563943000)
+ hostId: d23fb05c-2393-9a7a-fbf3-92cd755df12a
+ kernelArch: x86_64
+ kernelVersion: 5.10.133+
+ os: linux
+ platform: cos
+ platformVersion: 97
+ procs: 211
+ uptime: 2m37s
+ virtualizationRole: guest
+
+ Hostnames
+ =========
+ cluster-name: dd-sandbox
+ host_aliases: [gke-dd-sandbox-bits-8943422b-5wpg-dd-sandbox gke-dd-sandbox-bits-8943422b-5wpg.c.datadog-sandbox.internal gke-dd-sandbox-bits-8943422b-5wpg.datadog-sandbox]
+ hostname: gke-dd-sandbox-bits-8943422b-5wpg.c.datadog-sandbox.internal
+ socket-fqdn: dd-datadog-c4kcx
+ socket-hostname: dd-datadog-c4kcx
+ host tags:
+ cluster_name:dd-sandbox
+ kube_cluster_name:dd-sandbox
+ zone:asia-northeast1-a
+ internal-hostname:gke-dd-sandbox-bits-8943422b-5wpg.c.datadog-sandbox.internal
+ instance-id:90825865558996083
+ project:datadog-sandbox
+ numeric_project_id:958371799887
+ cluster-name:dd-sandbox
+ cluster-uid:3d6b7737edf6489fb1927577e24e8b0e314e6826aa3e47fa9b2eae419f261013
+ cluster-location:asia-northeast1
+ hostname provider: gce
+ unused hostname providers:
+ 'hostname' configuration/environment: hostname is empty
+ 'hostname_file' configuration/environment: 'hostname_file' configuration is not enabled
+ fargate: agent is not runnning on Fargate
+
+ Metadata
+ ========
+ agent_version: x.y.z
+ cloud_provider: GCP
+ config_apm_dd_url:
+ config_dd_url:
+ config_logs_dd_url:
+ config_logs_socks5_proxy_address:
+ config_no_proxy: []
+ config_process_dd_url:
+ config_proxy_http:
+ config_proxy_https:
+ config_site:
+ feature_apm_enabled: false
+ feature_cspm_enabled: false
+ feature_cws_enabled: false
+ feature_logs_enabled: true
+ feature_networks_enabled: false
+ feature_networks_http_enabled: false
+ feature_networks_https_enabled: false
+ feature_otlp_enabled: false
+ feature_process_enabled: false
+ feature_processes_container_enabled: true
+ flavor: agent
+ hostname_source: gce
+ install_method_installer_version: datadog-3.6.4
+ install_method_tool: helm
+ install_method_tool_version: Helm
+ logs_transport: TCP
+
+=========
+Collector
+=========
+
+ Running Checks
+ ==============
+
+ cilium (2.3.0)
+ --------------
+ Instance ID: cilium:bac99095d52d45c [ERROR]
+ Configuration Source: file:/etc/datadog-agent/conf.d/cilium.d/auto_conf.yaml
+ Total Runs: 842
+ Metric Samples: Last Run: 0, Total: 0
+ Events: Last Run: 0, Total: 0
+ Service Checks: Last Run: 1, Total: 842
+ Average Execution Time : 8ms
+ Last Execution Date : 2022-12-20 22:51:54 UTC (1671576714000)
+ Last Successful Execution Date : Never
+ Error: HTTPConnectionPool(host='10.146.15.207', port=9090): Max retries exceeded with url: /metrics (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused'))
+ Traceback (most recent call last):
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/urllib3/connection.py", line 174, in _new_conn
+ conn = connection.create_connection(
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/urllib3/util/connection.py", line 95, in create_connection
+ raise err
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/urllib3/util/connection.py", line 85, in create_connection
+ sock.connect(sa)
+ ConnectionRefusedError: [Errno 111] Connection refused
+
+ During handling of the above exception, another exception occurred:
+
+ Traceback (most recent call last):
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/urllib3/connectionpool.py", line 703, in urlopen
+ httplib_response = self._make_request(
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/urllib3/connectionpool.py", line 398, in _make_request
+ conn.request(method, url, **httplib_request_kw)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/urllib3/connection.py", line 239, in request
+ super(HTTPConnection, self).request(method, url, body=body, headers=headers)
+ File "/opt/datadog-agent/embedded/lib/python3.8/http/client.py", line 1256, in request
+ self._send_request(method, url, body, headers, encode_chunked)
+ File "/opt/datadog-agent/embedded/lib/python3.8/http/client.py", line 1302, in _send_request
+ self.endheaders(body, encode_chunked=encode_chunked)
+ File "/opt/datadog-agent/embedded/lib/python3.8/http/client.py", line 1251, in endheaders
+ self._send_output(message_body, encode_chunked=encode_chunked)
+ File "/opt/datadog-agent/embedded/lib/python3.8/http/client.py", line 1011, in _send_output
+ self.send(msg)
+ File "/opt/datadog-agent/embedded/lib/python3.8/http/client.py", line 951, in send
+ self.connect()
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/urllib3/connection.py", line 205, in connect
+ conn = self._new_conn()
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/urllib3/connection.py", line 186, in _new_conn
+ raise NewConnectionError(
+ urllib3.exceptions.NewConnectionError: : Failed to establish a new connection: [Errno 111] Connection refused
+
+ During handling of the above exception, another exception occurred:
+
+ Traceback (most recent call last):
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/requests/adapters.py", line 489, in send
+ resp = conn.urlopen(
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/urllib3/connectionpool.py", line 787, in urlopen
+ retries = retries.increment(
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/urllib3/util/retry.py", line 592, in increment
+ raise MaxRetryError(_pool, url, error or ResponseError(cause))
+ urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='10.146.15.207', port=9090): Max retries exceeded with url: /metrics (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused'))
+
+ During handling of the above exception, another exception occurred:
+
+ Traceback (most recent call last):
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/datadog_checks/base/checks/base.py", line 1122, in run
+ self.check(instance)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/datadog_checks/base/checks/openmetrics/base_check.py", line 142, in check
+ self.process(scraper_config)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/datadog_checks/base/checks/openmetrics/mixins.py", line 573, in process
+ for metric in self.scrape_metrics(scraper_config):
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/datadog_checks/base/checks/openmetrics/mixins.py", line 500, in scrape_metrics
+ response = self.poll(scraper_config)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/datadog_checks/base/checks/openmetrics/mixins.py", line 837, in poll
+ response = self.send_request(endpoint, scraper_config, headers)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/datadog_checks/base/checks/openmetrics/mixins.py", line 863, in send_request
+ return http_handler.get(endpoint, stream=True, **kwargs)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/datadog_checks/base/utils/http.py", line 356, in get
+ return self._request('get', url, options)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/datadog_checks/base/utils/http.py", line 420, in _request
+ response = self.make_request_aia_chasing(request_method, method, url, new_options, persist)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/datadog_checks/base/utils/http.py", line 426, in make_request_aia_chasing
+ response = request_method(url, **new_options)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/requests/api.py", line 73, in get
+ return request("get", url, params=params, **kwargs)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/requests/api.py", line 59, in request
+ return session.request(method=method, url=url, **kwargs)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/requests/sessions.py", line 587, in request
+ resp = self.send(prep, **send_kwargs)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/requests/sessions.py", line 701, in send
+ r = adapter.send(request, **kwargs)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/requests/adapters.py", line 565, in send
+ raise ConnectionError(e, request=request)
+ requests.exceptions.ConnectionError: HTTPConnectionPool(host='10.146.15.207', port=9090): Max retries exceeded with url: /metrics (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused'))
+
+ datadog_cluster_agent (2.4.0)
+ -----------------------------
+ Instance ID: datadog_cluster_agent:4b0f56c49d48c92e [OK]
+ Configuration Source: file:/etc/datadog-agent/conf.d/datadog_cluster_agent.d/auto_conf.yaml
+ Total Runs: 842
+ Metric Samples: Last Run: 125, Total: 104,832
+ Events: Last Run: 0, Total: 0
+ Service Checks: Last Run: 1, Total: 842
+ Average Execution Time : 29ms
+ Last Execution Date : 2022-12-20 22:52:01 UTC (1671576721000)
+ Last Successful Execution Date : 2022-12-20 22:52:01 UTC (1671576721000)
+
+ Instance ID: datadog_cluster_agent:79dc7329a0398f09 [OK]
+ Configuration Source: file:/etc/datadog-agent/conf.d/datadog_cluster_agent.d/auto_conf.yaml
+ Total Runs: 838
+ Metric Samples: Last Run: 61, Total: 50,672
+ Events: Last Run: 0, Total: 0
+ Service Checks: Last Run: 1, Total: 838
+ Average Execution Time : 25ms
+ Last Execution Date : 2022-12-20 22:51:59 UTC (1671576719000)
+ Last Successful Execution Date : 2022-12-20 22:51:59 UTC (1671576719000)
+
+
+ network (2.9.2)
+ ---------------
+ Instance ID: network:d884b5186b651429 [OK]
+ Configuration Source: file:/etc/datadog-agent/conf.d/network.d/conf.yaml.default
+ Total Runs: 841
+ Metric Samples: Last Run: 174, Total: 146,334
+ Events: Last Run: 0, Total: 0
+ Service Checks: Last Run: 0, Total: 0
+ Average Execution Time : 6ms
+ Last Execution Date : 2022-12-20 22:51:48 UTC (1671576708000)
+ Last Successful Execution Date : 2022-12-20 22:51:48 UTC (1671576708000)
+
+ Check Initialization Errors
+ ===========================
+
+
+ postgres (13.1.0)
+ -----------------
+
+ instance 0:
+
+ could not invoke 'postgres' python check constructor. New constructor API returned:
+Traceback (most recent call last):
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/datadog_checks/postgres/postgres.py", line 62, in __init__
+ self._config = PostgresConfig(self.instance)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/datadog_checks/postgres/config.py", line 35, in __init__
+ raise ConfigurationError('Please specify a user to connect to Postgres.')
+datadog_checks.base.errors.ConfigurationError: Please specify a user to connect to Postgres.
+Deprecated constructor API returned:
+__init__() got an unexpected keyword argument 'agentConfig'
+ Loading Errors
+ ==============
+ postgres
+ --------
+ Core Check Loader:
+ Check postgres not found in Catalog
+
+ JMX Check Loader:
+ check is not a jmx check, or unable to determine if it's so
+
+ Python Check Loader:
+ could not configure check instance for python check postgres: could not invoke 'postgres' python check constructor. New constructor API returned:
+Traceback (most recent call last):
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/datadog_checks/postgres/postgres.py", line 62, in __init__
+ self._config = PostgresConfig(self.instance)
+ File "/opt/datadog-agent/embedded/lib/python3.8/site-packages/datadog_checks/postgres/config.py", line 35, in __init__
+ raise ConfigurationError('Please specify a user to connect to Postgres.')
+datadog_checks.base.errors.ConfigurationError: Please specify a user to connect to Postgres.
+Deprecated constructor API returned:
+__init__() got an unexpected keyword argument 'agentConfig'
+
+========
+JMXFetch
+========
+
+ Information
+ ==================
+ Initialized checks
+ ==================
+ no checks
+
+ Failed checks
+ =============
+ no checks
+
+=========
+Forwarder
+=========
+
+ Transactions
+ ============
+ Cluster: 0
+ ClusterRole: 0
+ ClusterRoleBinding: 0
+ CronJob: 0
+ DaemonSet: 0
+ Deployment: 0
+ Dropped: 0
+ HighPriorityQueueFull: 0
+ Ingress: 0
+ Job: 0
+ Namespace: 0
+ Node: 0
+ PersistentVolume: 0
+ PersistentVolumeClaim: 0
+ Pod: 0
+ ReplicaSet: 0
+ Requeued: 0
+ Retried: 0
+ RetryQueueSize: 0
+ Role: 0
+ RoleBinding: 0
+ Service: 0
+ ServiceAccount: 0
+ StatefulSet: 0
+
+ Transaction Successes
+ =====================
+ Total number: 1775
+ Successes By Endpoint:
+ check_run_v1: 841
+ intake: 72
+ metadata_v1: 21
+ series_v2: 841
+
+ On-disk storage
+ ===============
+ On-disk storage is disabled. Configure `forwarder_storage_max_size_in_bytes` to enable it.
+
+ API Keys status
+ ===============
+ API key ending with 841ae: API Key valid
+
+==========
+Endpoints
+==========
+ https://app.datadoghq.com - API Key ending with:
+ - 841ae
+
+==========
+Logs Agent
+==========
+
+ Reliable: Sending uncompressed logs in SSL encrypted TCP to agent-intake.logs.datadoghq.com on port 10516
+
+ You are currently sending Logs to Datadog through TCP (either because logs_config.force_use_tcp or logs_config.socks5_proxy_address is set or the HTTP connectivity test has failed). To benefit from increased reliability and better network performances, we strongly encourage switching over to compressed HTTPS which is now the default protocol.
+
+ BytesSent: 1.8474997e+07
+ EncodedBytesSent: 1.8474997e+07
+ LogsProcessed: 10438
+ LogsSent: 10438
+ ============
+ Integrations
+ ============
+
+ kube-system/pdcsi-node-vmxbk/gce-pd-driver
+ ------------------------------------------
+ - Type: file
+ Identifier: 401a8645147ae8ef2baf2a5187c22b61554a64c5e0800b481c7a6a6e2e5e9d53
+ Path: /var/log/pods/kube-system_pdcsi-node-vmxbk_8194ece2-46dd-495e-9220-3a6b88fa4d61/gce-pd-driver/*.log
+ Service: gcp-compute-persistent-disk-csi-driver
+ Source: gcp-compute-persistent-disk-csi-driver
+ Status: OK
+ 1 files tailed out of 1 files matching
+ Inputs:
+ /var/log/pods/kube-system_pdcsi-node-vmxbk_8194ece2-46dd-495e-9220-3a6b88fa4d61/gce-pd-driver/0.log
+
+ kube-system/l7-default-backend-6dc845c45d-xlnmh/default-http-backend
+ --------------------------------------------------------------------
+ - Type: file
+ Identifier: 0f23fbf70ab6cb8063cacb65bf7c7472a6e4062838764cac256439070942f161
+ Path: /var/log/pods/kube-system_l7-default-backend-6dc845c45d-xlnmh_85840891-57e7-4fd4-8c1d-9a7ec5227614/default-http-backend/*.log
+ Service: ingress-gce-404-server-with-metrics
+ Source: ingress-gce-404-server-with-metrics
+ Status: OK
+ 1 files tailed out of 1 files matching
+ Inputs:
+ /var/log/pods/kube-system_l7-default-backend-6dc845c45d-xlnmh_85840891-57e7-4fd4-8c1d-9a7ec5227614/default-http-backend/0.log
+
+
+
+=============
+Process Agent
+=============
+
+ Version: x.y.z
+ Status date: 2022-12-20 22:52:01.802 UTC (1671576721802)
+ Process Agent Start: 2022-12-20 19:21:28.069 UTC (1671564088069)
+ Pid: 12223
+ Go Version: go1.18.8
+ Build arch: amd64
+ Log Level: INFO
+ Enabled Checks: [container rtcontainer pod]
+ Allocated Memory: 35,295,544 bytes
+ Hostname: gke-dd-sandbox-bits-8943422b-5wpg.c.datadog-sandbox.internal
+ System Probe Process Module Status: Not running
+ Process Language Detection Enabled: False
+
+ =================
+ Process Endpoints
+ =================
+ https://process.datadoghq.com - API Key ending with:
+ - 841ae
+
+ =========
+ Collector
+ =========
+ Last collection time: 2022-12-20 22:51:56
+ Docker socket:
+ Number of processes: 0
+ Number of containers: 25
+ Process Queue length: 0
+ RTProcess Queue length: 0
+ Connections Queue length: 0
+ Event Queue length: 0
+ Pod Queue length: 0
+ Process Bytes enqueued: 0
+ RTProcess Bytes enqueued: 0
+ Connections Bytes enqueued: 0
+ Event Bytes enqueued: 0
+ Pod Bytes enqueued: 0
+ Drop Check Payloads: []
+
+ ==========
+ Extractors
+ ==========
+
+ Workloadmeta
+ ============
+ Cache size:
+ Stale diffs discarded:
+ Diffs dropped:
+
+=========
+APM Agent
+=========
+ Status: Running
+ Pid: 12174
+ Uptime: 12633 seconds
+ Mem alloc: 9,203,488 bytes
+ Hostname: gke-dd-sandbox-bits-8943422b-5wpg.c.datadog-sandbox.internal
+ Receiver: 0.0.0.0:8126
+ Endpoints:
+ https://trace.agent.datadoghq.com
+
+ Receiver (previous minute)
+ ==========================
+ No traces received in the previous minute.
+
+
+ Writer (previous minute)
+ ========================
+ Traces: 0 payloads, 0 traces, 0 events, 0 bytes
+ Stats: 0 payloads, 0 stats buckets, 0 bytes
+
+==========
+Aggregator
+==========
+ Checks Metric Sample: 3,800,535
+ Dogstatsd Metric Sample: 136,758
+ Event: 1
+ Events Flushed: 1
+ Number Of Flushes: 841
+ Series Flushed: 3,224,651
+ Service Check: 25,700
+ Service Checks Flushed: 26,509
+
+=========
+DogStatsD
+=========
+ Event Packets: 0
+ Event Parse Errors: 0
+ Metric Packets: 136,757
+ Metric Parse Errors: 0
+ Service Check Packets: 0
+ Service Check Parse Errors: 0
+ Udp Bytes: 21,336,530
+ Udp Packet Reading Errors: 0
+ Udp Packets: 76,232
+ Uds Bytes: 0
+ Uds Origin Detection Errors: 0
+ Uds Packet Reading Errors: 0
+ Uds Packets: 1
+ Unterminated Metric Errors: 0
+
+Tip: For troubleshooting, enable 'dogstatsd_metrics_stats_enable' in the main datadog.yaml file to generate Dogstatsd logs. Once 'dogstatsd_metrics_stats_enable' is enabled, users can also use 'dogstatsd-stats' command to get visibility of the latest collected metrics.
+=====================
+Datadog Cluster Agent
+=====================
+
+ - Datadog Cluster Agent endpoint detected: https://10.122.58.252:5005
+ Successfully connected to the Datadog Cluster Agent.
+ - Running: x.y.z+commit.9b0b54b
+==========
+SNMP Traps
+==========
+ Packets: 0
+ Packets Auth Errors: 0
+=============
+Autodiscovery
+=============
+ Enabled Features
+ ================
+ containerd
+ cri
+ docker
+ kubernetes
+
+====================
+Remote Configuration
+====================
+
+ Remote Configuration is disabled
+
+
+====
+OTLP
+====
+
+ Status: Not enabled
+ Collector status: Not running
+
\ No newline at end of file
diff --git a/pkg/status/render/fixtures/check_stats.json b/pkg/status/render/fixtures/check_stats.json
new file mode 100644
index 0000000000000..ab6a327cef73e
--- /dev/null
+++ b/pkg/status/render/fixtures/check_stats.json
@@ -0,0 +1,539 @@
+{
+ "pyLoaderStats": {
+ "ConfigureErrors": {},
+ "Py3Warnings": {}
+ },
+ "pythonInit": {
+ "Errors": [
+ "could not initialize rtloader: error initializing string utils: No module named 'yaml'"
+ ]
+ },
+ "python_version": "n/a",
+ "remoteConfiguration": {
+ "apiKeyScoped": "false",
+ "lastError": "",
+ "orgEnabled": "false"
+ },
+ "runnerStats": {
+ "Checks": {
+ "cpu": {
+ "cpu": {
+ "AverageExecutionTime": 0,
+ "CheckConfigSource": "file:/opt/datadog-agent/etc/conf.d/cpu.d/conf.yaml.default",
+ "CheckID": "cpu",
+ "CheckName": "cpu",
+ "CheckVersion": "",
+ "EventPlatformEvents": {},
+ "Events": 0,
+ "ExecutionTimes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 1,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "HistogramBuckets": 0,
+ "LastError": "",
+ "LastExecutionTime": 0,
+ "LastSuccessDate": 1701259541,
+ "LastWarnings": [],
+ "MetricSamples": 8,
+ "ServiceChecks": 0,
+ "TotalErrors": 0,
+ "TotalEventPlatformEvents": {},
+ "TotalEvents": 0,
+ "TotalHistogramBuckets": 0,
+ "TotalMetricSamples": 985,
+ "TotalRuns": 124,
+ "TotalServiceChecks": 0,
+ "TotalWarnings": 0,
+ "UpdateTimestamp": 1701259541
+ }
+ },
+ "disk": {
+ "disk": {
+ "AverageExecutionTime": 1,
+ "CheckConfigSource": "file:/opt/datadog-agent/etc/conf.d/disk.d/conf.yaml.default",
+ "CheckID": "disk",
+ "CheckName": "disk",
+ "CheckVersion": "",
+ "EventPlatformEvents": {},
+ "Events": 0,
+ "ExecutionTimes": [
+ 0,
+ 2,
+ 0,
+ 0,
+ 4,
+ 1,
+ 1,
+ 1,
+ 2,
+ 1,
+ 4,
+ 1,
+ 1,
+ 2,
+ 3,
+ 1,
+ 2,
+ 1,
+ 1,
+ 0,
+ 2,
+ 2,
+ 4,
+ 2,
+ 3,
+ 1,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 1
+ ],
+ "HistogramBuckets": 0,
+ "LastError": "",
+ "LastExecutionTime": 2,
+ "LastSuccessDate": 1701259533,
+ "LastWarnings": [],
+ "MetricSamples": 84,
+ "ServiceChecks": 0,
+ "TotalErrors": 0,
+ "TotalEventPlatformEvents": {},
+ "TotalEvents": 0,
+ "TotalHistogramBuckets": 0,
+ "TotalMetricSamples": 10332,
+ "TotalRuns": 123,
+ "TotalServiceChecks": 0,
+ "TotalWarnings": 0,
+ "UpdateTimestamp": 1701259533
+ }
+ },
+ "file_handle": {
+ "file_handle": {
+ "AverageExecutionTime": 0,
+ "CheckConfigSource": "file:/Users/gustavo.caso/go/src/github.com/DataDog/datadog-agent/bin/agent/dist/conf.d/file_handle.d/conf.yaml.default",
+ "CheckID": "file_handle",
+ "CheckName": "file_handle",
+ "CheckVersion": "",
+ "EventPlatformEvents": {},
+ "Events": 0,
+ "ExecutionTimes": [
+ 0,
+ 0,
+ 1,
+ 0,
+ 1,
+ 0,
+ 0,
+ 1,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 1,
+ 1,
+ 0,
+ 0,
+ 5,
+ 0,
+ 1,
+ 0,
+ 0,
+ 0,
+ 1,
+ 0,
+ 1,
+ 2,
+ 1,
+ 0,
+ 0
+ ],
+ "HistogramBuckets": 0,
+ "LastError": "open /proc/sys/fs/file-nr: no such file or directory",
+ "LastExecutionTime": 0,
+ "LastSuccessDate": 0,
+ "LastWarnings": [],
+ "MetricSamples": 0,
+ "ServiceChecks": 0,
+ "TotalErrors": 123,
+ "TotalEventPlatformEvents": {},
+ "TotalEvents": 0,
+ "TotalHistogramBuckets": 0,
+ "TotalMetricSamples": 0,
+ "TotalRuns": 123,
+ "TotalServiceChecks": 0,
+ "TotalWarnings": 0,
+ "UpdateTimestamp": 1701259538
+ }
+ },
+ "io": {
+ "io": {
+ "AverageExecutionTime": 0,
+ "CheckConfigSource": "file:/opt/datadog-agent/etc/conf.d/io.d/conf.yaml.default",
+ "CheckID": "io",
+ "CheckName": "io",
+ "CheckVersion": "",
+ "EventPlatformEvents": {},
+ "Events": 0,
+ "ExecutionTimes": [
+ 1,
+ 1,
+ 0,
+ 0,
+ 1,
+ 1,
+ 1,
+ 1,
+ 2,
+ 1,
+ 1,
+ 1,
+ 0,
+ 0,
+ 0,
+ 0,
+ 1,
+ 0,
+ 1,
+ 0,
+ 1,
+ 0,
+ 0,
+ 4,
+ 1,
+ 0,
+ 1,
+ 1,
+ 0,
+ 1,
+ 1,
+ 1
+ ],
+ "HistogramBuckets": 0,
+ "LastError": "",
+ "LastExecutionTime": 1,
+ "LastSuccessDate": 1701259540,
+ "LastWarnings": [],
+ "MetricSamples": 15,
+ "ServiceChecks": 0,
+ "TotalErrors": 0,
+ "TotalEventPlatformEvents": {},
+ "TotalEvents": 0,
+ "TotalHistogramBuckets": 0,
+ "TotalMetricSamples": 1836,
+ "TotalRuns": 123,
+ "TotalServiceChecks": 0,
+ "TotalWarnings": 0,
+ "UpdateTimestamp": 1701259540
+ }
+ },
+ "load": {
+ "load": {
+ "AverageExecutionTime": 0,
+ "CheckConfigSource": "file:/opt/datadog-agent/etc/conf.d/load.d/conf.yaml.default",
+ "CheckID": "load",
+ "CheckName": "load",
+ "CheckVersion": "",
+ "EventPlatformEvents": {},
+ "Events": 0,
+ "ExecutionTimes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 1,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "HistogramBuckets": 0,
+ "LastError": "",
+ "LastExecutionTime": 0,
+ "LastSuccessDate": 1701259532,
+ "LastWarnings": [],
+ "MetricSamples": 6,
+ "ServiceChecks": 0,
+ "TotalErrors": 0,
+ "TotalEventPlatformEvents": {},
+ "TotalEvents": 0,
+ "TotalHistogramBuckets": 0,
+ "TotalMetricSamples": 738,
+ "TotalRuns": 123,
+ "TotalServiceChecks": 0,
+ "TotalWarnings": 0,
+ "UpdateTimestamp": 1701259532
+ }
+ },
+ "memory": {
+ "memory": {
+ "AverageExecutionTime": 0,
+ "CheckConfigSource": "file:/opt/datadog-agent/etc/conf.d/memory.d/conf.yaml.default",
+ "CheckID": "memory",
+ "CheckName": "memory",
+ "CheckVersion": "",
+ "EventPlatformEvents": {},
+ "Events": 0,
+ "ExecutionTimes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 1,
+ 0,
+ 0,
+ 1,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "HistogramBuckets": 0,
+ "LastError": "",
+ "LastExecutionTime": 0,
+ "LastSuccessDate": 1701259539,
+ "LastWarnings": [],
+ "MetricSamples": 11,
+ "ServiceChecks": 0,
+ "TotalErrors": 0,
+ "TotalEventPlatformEvents": {},
+ "TotalEvents": 0,
+ "TotalHistogramBuckets": 0,
+ "TotalMetricSamples": 1353,
+ "TotalRuns": 123,
+ "TotalServiceChecks": 0,
+ "TotalWarnings": 0,
+ "UpdateTimestamp": 1701259539
+ }
+ },
+ "ntp": {
+ "ntp:3c427a42a70bbf8": {
+ "AverageExecutionTime": 172,
+ "CheckConfigSource": "file:/opt/datadog-agent/etc/conf.d/ntp.d/conf.yaml.default",
+ "CheckID": "ntp:3c427a42a70bbf8",
+ "CheckName": "ntp",
+ "CheckVersion": "",
+ "EventPlatformEvents": {},
+ "Events": 0,
+ "ExecutionTimes": [
+ 143,
+ 187,
+ 186,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "HistogramBuckets": 0,
+ "LastError": "",
+ "LastExecutionTime": 186,
+ "LastSuccessDate": 1701259498,
+ "LastWarnings": [],
+ "MetricSamples": 1,
+ "ServiceChecks": 1,
+ "TotalErrors": 0,
+ "TotalEventPlatformEvents": {},
+ "TotalEvents": 0,
+ "TotalHistogramBuckets": 0,
+ "TotalMetricSamples": 3,
+ "TotalRuns": 3,
+ "TotalServiceChecks": 3,
+ "TotalWarnings": 0,
+ "UpdateTimestamp": 1701259498
+ }
+ },
+ "uptime": {
+ "uptime": {
+ "AverageExecutionTime": 0,
+ "CheckConfigSource": "file:/opt/datadog-agent/etc/conf.d/uptime.d/conf.yaml.default",
+ "CheckID": "uptime",
+ "CheckName": "uptime",
+ "CheckVersion": "",
+ "EventPlatformEvents": {},
+ "Events": 0,
+ "ExecutionTimes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 1,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "HistogramBuckets": 0,
+ "LastError": "",
+ "LastExecutionTime": 0,
+ "LastSuccessDate": 1701259546,
+ "LastWarnings": [],
+ "MetricSamples": 1,
+ "ServiceChecks": 0,
+ "TotalErrors": 0,
+ "TotalEventPlatformEvents": {},
+ "TotalEvents": 0,
+ "TotalHistogramBuckets": 0,
+ "TotalMetricSamples": 124,
+ "TotalRuns": 124,
+ "TotalServiceChecks": 0,
+ "TotalWarnings": 0,
+ "UpdateTimestamp": 1701259546
+ }
+ }
+ },
+ "Errors": 123,
+ "Running": {
+ "container_image": "2023-11-29T12:34:55+01:00",
+ "container_lifecycle": "2023-11-29T12:34:55+01:00"
+ },
+ "RunningChecks": 2,
+ "Runs": 866,
+ "Workers": {
+ "Count": 6,
+ "Instances": {
+ "worker_1": {
+ "Utilization": 1
+ },
+ "worker_2": {
+ "Utilization": 1
+ },
+ "worker_3": {
+ "Utilization": 0
+ },
+ "worker_4": {
+ "Utilization": 0
+ },
+ "worker_5": {
+ "Utilization": 0
+ },
+ "worker_6": {
+ "Utilization": 0
+ }
+ }
+ }
+ }
+}
diff --git a/pkg/status/render/fixtures/check_stats.text b/pkg/status/render/fixtures/check_stats.text
new file mode 100755
index 0000000000000..c7cf3e7084b9c
--- /dev/null
+++ b/pkg/status/render/fixtures/check_stats.text
@@ -0,0 +1,115 @@
+=========
+Collector
+=========
+ Error initializing Python
+ =========================
+ - could not initialize rtloader: error initializing string utils: No module named 'yaml'
+
+
+ Running Checks
+ ==============
+
+ cpu
+ ---
+ Instance ID: cpu [OK]
+ Configuration Source: file:/opt/datadog-agent/etc/conf.d/cpu.d/conf.yaml.default
+ Total Runs: 124
+ Metric Samples: Last Run: 8, Total: 985
+ Events: Last Run: 0, Total: 0
+ Service Checks: Last Run: 0, Total: 0
+ Average Execution Time : 0s
+ Last Execution Date : 2023-11-29 12:05:41 UTC (1701259541000)
+ Last Successful Execution Date : 2023-11-29 12:05:41 UTC (1701259541000)
+
+
+ disk
+ ----
+ Instance ID: disk [OK]
+ Configuration Source: file:/opt/datadog-agent/etc/conf.d/disk.d/conf.yaml.default
+ Total Runs: 123
+ Metric Samples: Last Run: 84, Total: 10,332
+ Events: Last Run: 0, Total: 0
+ Service Checks: Last Run: 0, Total: 0
+ Average Execution Time : 1ms
+ Last Execution Date : 2023-11-29 12:05:33 UTC (1701259533000)
+ Last Successful Execution Date : 2023-11-29 12:05:33 UTC (1701259533000)
+
+
+ file_handle
+ -----------
+ Instance ID: file_handle [ERROR]
+ Configuration Source: file:/Users/gustavo.caso/go/src/github.com/DataDog/datadog-agent/bin/agent/dist/conf.d/file_handle.d/conf.yaml.default
+ Total Runs: 123
+ Metric Samples: Last Run: 0, Total: 0
+ Events: Last Run: 0, Total: 0
+ Service Checks: Last Run: 0, Total: 0
+ Average Execution Time : 0s
+ Last Execution Date : 2023-11-29 12:05:38 UTC (1701259538000)
+ Last Successful Execution Date : Never
+ Error: open /proc/sys/fs/file-nr: no such file or directory
+ No traceback
+
+ io
+ --
+ Instance ID: io [OK]
+ Configuration Source: file:/opt/datadog-agent/etc/conf.d/io.d/conf.yaml.default
+ Total Runs: 123
+ Metric Samples: Last Run: 15, Total: 1,836
+ Events: Last Run: 0, Total: 0
+ Service Checks: Last Run: 0, Total: 0
+ Average Execution Time : 0s
+ Last Execution Date : 2023-11-29 12:05:40 UTC (1701259540000)
+ Last Successful Execution Date : 2023-11-29 12:05:40 UTC (1701259540000)
+
+
+ load
+ ----
+ Instance ID: load [OK]
+ Configuration Source: file:/opt/datadog-agent/etc/conf.d/load.d/conf.yaml.default
+ Total Runs: 123
+ Metric Samples: Last Run: 6, Total: 738
+ Events: Last Run: 0, Total: 0
+ Service Checks: Last Run: 0, Total: 0
+ Average Execution Time : 0s
+ Last Execution Date : 2023-11-29 12:05:32 UTC (1701259532000)
+ Last Successful Execution Date : 2023-11-29 12:05:32 UTC (1701259532000)
+
+
+ memory
+ ------
+ Instance ID: memory [OK]
+ Configuration Source: file:/opt/datadog-agent/etc/conf.d/memory.d/conf.yaml.default
+ Total Runs: 123
+ Metric Samples: Last Run: 11, Total: 1,353
+ Events: Last Run: 0, Total: 0
+ Service Checks: Last Run: 0, Total: 0
+ Average Execution Time : 0s
+ Last Execution Date : 2023-11-29 12:05:39 UTC (1701259539000)
+ Last Successful Execution Date : 2023-11-29 12:05:39 UTC (1701259539000)
+
+
+ ntp
+ ---
+ Instance ID: ntp:3c427a42a70bbf8 [OK]
+ Configuration Source: file:/opt/datadog-agent/etc/conf.d/ntp.d/conf.yaml.default
+ Total Runs: 3
+ Metric Samples: Last Run: 1, Total: 3
+ Events: Last Run: 0, Total: 0
+ Service Checks: Last Run: 1, Total: 3
+ Average Execution Time : 172ms
+ Last Execution Date : 2023-11-29 12:04:58 UTC (1701259498000)
+ Last Successful Execution Date : 2023-11-29 12:04:58 UTC (1701259498000)
+
+
+ uptime
+ ------
+ Instance ID: uptime [OK]
+ Configuration Source: file:/opt/datadog-agent/etc/conf.d/uptime.d/conf.yaml.default
+ Total Runs: 124
+ Metric Samples: Last Run: 1, Total: 124
+ Events: Last Run: 0, Total: 0
+ Service Checks: Last Run: 0, Total: 0
+ Average Execution Time : 0s
+ Last Execution Date : 2023-11-29 12:05:46 UTC (1701259546000)
+ Last Successful Execution Date : 2023-11-29 12:05:46 UTC (1701259546000)
+
diff --git a/pkg/status/render/fixtures/cluster_agent_status.json b/pkg/status/render/fixtures/cluster_agent_status.json
new file mode 100644
index 0000000000000..c1415f2fb8291
--- /dev/null
+++ b/pkg/status/render/fixtures/cluster_agent_status.json
@@ -0,0 +1,730 @@
+{
+ "adEnabledFeatures": {},
+ "admissionWebhook": {
+ "Error": "temporary failure in apiserver, will retry later: try delay not elapsed yet"
+ },
+ "agent_metadata": {},
+ "agent_start_nano": 1701185796319735000,
+ "aggregatorStats": {
+ "ChecksHistogramBucketMetricSample": 0,
+ "ChecksMetricSample": 0,
+ "DogstatsdContexts": 0,
+ "DogstatsdContextsByMtype": {
+ "Count": 0,
+ "Counter": 0,
+ "Distribution": 0,
+ "Gauge": 0,
+ "Histogram": 0,
+ "Historate": 0,
+ "MonotonicCount": 0,
+ "Rate": 0,
+ "Set": 0
+ },
+ "DogstatsdMetricSample": 0,
+ "Event": 0,
+ "EventPlatformEvents": {},
+ "EventPlatformEventsErrors": {},
+ "EventsFlushErrors": 0,
+ "EventsFlushed": 0,
+ "Flush": {
+ "ChecksMetricSampleFlushTime": {
+ "FlushIndex": 12,
+ "Flushes": [
+ 1768375,
+ 2815000,
+ 8566000,
+ 1876667,
+ 1271833,
+ 2088333,
+ 1546667,
+ 436833,
+ 2543250,
+ 2415959,
+ 1499292,
+ 2315875,
+ 1433541,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 1433541,
+ "Name": "ChecksMetricSampleFlushTime"
+ },
+ "EventFlushTime": {
+ "FlushIndex": -1,
+ "Flushes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 0,
+ "Name": "EventFlushTime"
+ },
+ "MainFlushTime": {
+ "FlushIndex": 12,
+ "Flushes": [
+ 1784125,
+ 2821542,
+ 8623750,
+ 1885750,
+ 1277792,
+ 2093125,
+ 1551875,
+ 444375,
+ 2555167,
+ 2428709,
+ 1508584,
+ 2322458,
+ 1441916,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 1441916,
+ "Name": "MainFlushTime"
+ },
+ "ManifestsTime": {
+ "FlushIndex": -1,
+ "Flushes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 0,
+ "Name": "ManifestsTime"
+ },
+ "MetricSketchFlushTime": {
+ "FlushIndex": -1,
+ "Flushes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 0,
+ "Name": "MetricSketchFlushTime"
+ },
+ "ServiceCheckFlushTime": {
+ "FlushIndex": 12,
+ "Flushes": [
+ 2210709,
+ 1744708,
+ 9220916,
+ 1271000,
+ 1261292,
+ 1699291,
+ 1536875,
+ 585291,
+ 2765334,
+ 2870625,
+ 1489667,
+ 2283125,
+ 1386500,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 1386500,
+ "Name": "ServiceCheckFlushTime"
+ }
+ },
+ "FlushCount": {
+ "Events": {
+ "FlushIndex": -1,
+ "Flushes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 0,
+ "Name": "Events"
+ },
+ "Manifests": {
+ "FlushIndex": -1,
+ "Flushes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 0,
+ "Name": "Manifests"
+ },
+ "Series": {
+ "FlushIndex": 12,
+ "Flushes": [
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 2,
+ "Name": "Series"
+ },
+ "ServiceChecks": {
+ "FlushIndex": 12,
+ "Flushes": [
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 1,
+ "Name": "ServiceChecks"
+ },
+ "Sketches": {
+ "FlushIndex": -1,
+ "Flushes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 0,
+ "Name": "Sketches"
+ }
+ },
+ "HostnameUpdate": 0,
+ "MetricTags": {
+ "Series": {
+ "Above100": 0,
+ "Above90": 0
+ },
+ "Sketches": {
+ "Above100": 0,
+ "Above90": 0
+ }
+ },
+ "NumberOfFlush": 13,
+ "OrchestratorManifests": 0,
+ "OrchestratorManifestsErrors": 0,
+ "OrchestratorMetadata": 0,
+ "OrchestratorMetadataErrors": 0,
+ "SeriesFlushErrors": 0,
+ "SeriesFlushed": 26,
+ "ServiceCheck": 0,
+ "ServiceCheckFlushErrors": 0,
+ "ServiceCheckFlushed": 13,
+ "SketchesFlushErrors": 0,
+ "SketchesFlushed": 0
+ },
+ "autoConfigStats": {
+ "ConfigErrors": {},
+ "ResolveWarnings": {}
+ },
+ "build_arch": "arm64",
+ "checkSchedulerStats": {
+ "LoaderErrors": {},
+ "RunErrors": {}
+ },
+ "complianceChecks": null,
+ "conf_file": "dev/dist/datadog.yaml",
+ "config": {
+ "confd_path": "/opt/datadog-agent/etc/conf.d",
+ "log_level": "info"
+ },
+ "custommetrics": {
+ "Error": "temporary failure in apiserver, will retry later: try delay not elapsed yet"
+ },
+ "dogstatsdStats": {
+ "UdpBytes": 0,
+ "UdpPacketReadingErrors": 0,
+ "UdpPackets": 0,
+ "UdsBytes": 0,
+ "UdsOriginDetectionErrors": 0,
+ "UdsPacketReadingErrors": 0,
+ "UdsPackets": 0
+ },
+ "endpointsInfos": {
+ "https://app.datadoghq.eu": [
+ "72724"
+ ]
+ },
+ "externalmetrics": {},
+ "filterErrors": {},
+ "flavor": "cluster_agent",
+ "forwarderStats": {
+ "APIKeyFailure": {},
+ "APIKeyStatus": {},
+ "FileStorage": {
+ "CurrentSizeInBytes": 0,
+ "DeserializeCount": 0,
+ "DeserializeErrorsCount": 0,
+ "DeserializeTransactionsCount": 0,
+ "FileSize": 0,
+ "FilesCount": 0,
+ "FilesRemovedCount": 0,
+ "PointsDroppedCount": 0,
+ "SerializeCount": 0,
+ "StartupReloadedRetryFilesCount": 0
+ },
+ "RemovalPolicy": {
+ "FilesFromUnknownDomainCount": 0,
+ "NewRemovalPolicyCount": 0,
+ "OutdatedFilesCount": 0,
+ "RegisteredDomainCount": 0
+ },
+ "TransactionContainer": {
+ "CurrentMemSizeInBytes": 0,
+ "ErrorsCount": 0,
+ "PointsDroppedCount": 0,
+ "TransactionsCount": 0,
+ "TransactionsDroppedCount": 0
+ },
+ "Transactions": {
+ "Cluster": 0,
+ "ClusterRole": 0,
+ "ClusterRoleBinding": 0,
+ "ConnectionEvents": {
+ "ConnectSuccess": 1,
+ "DNSSuccess": 1
+ },
+ "CronJob": 0,
+ "CustomResource": 0,
+ "CustomResourceDefinition": 0,
+ "DaemonSet": 0,
+ "Deployment": 0,
+ "Dropped": 0,
+ "DroppedByEndpoint": {},
+ "Errors": 0,
+ "ErrorsByType": {
+ "ConnectionErrors": 0,
+ "DNSErrors": 0,
+ "SentRequestErrors": 0,
+ "TLSErrors": 0,
+ "WroteRequestErrors": 0
+ },
+ "HTTPErrors": 0,
+ "HTTPErrorsByCode": {},
+ "HighPriorityQueueFull": 0,
+ "HorizontalPodAutoscaler": 0,
+ "Ingress": 0,
+ "InputBytesByEndpoint": {
+ "check_run_v1": 1672,
+ "series_v2": 2456
+ },
+ "InputCountByEndpoint": {
+ "check_run_v1": 13,
+ "series_v2": 13
+ },
+ "Job": 0,
+ "Namespace": 0,
+ "Node": 0,
+ "OrchestratorManifest": 0,
+ "PersistentVolume": 0,
+ "PersistentVolumeClaim": 0,
+ "Pod": 0,
+ "ReplicaSet": 0,
+ "Requeued": 0,
+ "RequeuedByEndpoint": {},
+ "Retried": 0,
+ "RetriedByEndpoint": {},
+ "RetryQueueSize": 0,
+ "Role": 0,
+ "RoleBinding": 0,
+ "Service": 0,
+ "ServiceAccount": 0,
+ "StatefulSet": 0,
+ "Success": 26,
+ "SuccessByEndpoint": {
+ "check_run_v1": 13,
+ "connections": 0,
+ "container": 0,
+ "events_v2": 0,
+ "host_metadata_v2": 0,
+ "intake": 0,
+ "orchestrator": 0,
+ "process": 0,
+ "rtcontainer": 0,
+ "rtprocess": 0,
+ "series_v1": 0,
+ "series_v2": 13,
+ "services_checks_v2": 0,
+ "sketches_v1": 0,
+ "sketches_v2": 0,
+ "validate_v1": 0
+ },
+ "SuccessBytesByEndpoint": {
+ "check_run_v1": 1672,
+ "series_v2": 2456
+ },
+ "VerticalPodAutoscaler": 0
+ }
+ },
+ "go_version": "go1.20.11",
+ "hostnameStats": {
+ "errors": {
+ "'hostname' configuration/environment": "hostname is empty",
+ "'hostname_file' configuration/environment": "'hostname_file' configuration is not enabled",
+ "aws": "not retrieving hostname from AWS: the host is not an ECS instance and other providers already retrieve non-default hostnames",
+ "azure": "azure_hostname_style is set to 'os'",
+ "container": "the agent is not containerized",
+ "fargate": "agent is not runnning on Fargate",
+ "fqdn": "'hostname_fqdn' configuration is not enabled",
+ "gce": "unable to retrieve hostname from GCE: GCE metadata API error: Get \"http://169.254.169.254/computeMetadata/v1/instance/hostname\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
+ },
+ "provider": "os"
+ },
+ "inventories": {},
+ "leaderelection": {
+ "error": "temporary failure in apiserver, will retry later: try delay not elapsed yet",
+ "status": "Failing"
+ },
+ "metadata": {
+ "os": "darwin",
+ "agent-flavor": "cluster_agent",
+ "python": "n/a",
+ "systemStats": {
+ "cpuCores": 10,
+ "machine": "arm64",
+ "platform": "darwin",
+ "pythonV": "n/a",
+ "processor": "Apple M1 Max",
+ "macV": [
+ "13.6.2",
+ [
+ "",
+ "",
+ ""
+ ],
+ "arm64"
+ ],
+ "nixV": [
+ "",
+ "",
+ ""
+ ],
+ "fbsdV": [
+ "",
+ "",
+ ""
+ ],
+ "winV": [
+ "",
+ "",
+ ""
+ ]
+ },
+ "meta": {
+ "socket-hostname": "COMP-VQHPF4W6GY",
+ "timezones": [
+ "CET"
+ ],
+ "socket-fqdn": "COMP-VQHPF4W6GY",
+ "ec2-hostname": "",
+ "hostname": "COMP-VQHPF4W6GY",
+ "host_aliases": [],
+ "instance-id": ""
+ },
+ "host-tags": {
+ "system": []
+ },
+ "network": null,
+ "logs": {
+ "transport": "",
+ "auto_multi_line_detection_enabled": false
+ },
+ "install-method": {
+ "tool": null,
+ "tool_version": "undefined",
+ "installer_version": null
+ },
+ "proxy-info": {
+ "no-proxy-nonexact-match": false,
+ "proxy-behavior-changed": false,
+ "no-proxy-nonexact-match-explicitly-set": false
+ },
+ "otlp": {
+ "enabled": false
+ }
+ },
+ "ntpOffset": 0,
+ "pid": 73895,
+ "pyLoaderStats": null,
+ "pythonInit": null,
+ "runnerStats": {
+ "Checks": {},
+ "Running": {},
+ "Workers": {
+ "Count": 0,
+ "Instances": {}
+ }
+ },
+ "time_nano": 1701186004251999000,
+ "version": "7.50.0-devel+git.813.61fc133"
+}
diff --git a/pkg/status/render/fixtures/cluster_agent_status.text b/pkg/status/render/fixtures/cluster_agent_status.text
new file mode 100755
index 0000000000000..a13e26583d7fe
--- /dev/null
+++ b/pkg/status/render/fixtures/cluster_agent_status.text
@@ -0,0 +1,123 @@
+
+=====================================================
+Datadog Cluster Agent (v7.50.0-devel+git.813.61fc133)
+=====================================================
+
+ Status date: 2023-11-28 15:40:04.251 UTC (1701186004251)
+ Agent start: 2023-11-28 15:36:36.319 UTC (1701185796319)
+ Pid: 73895
+ Go Version: go1.20.11
+ Build arch: arm64
+ Agent flavor: cluster_agent
+ Log Level: info
+
+ Paths
+ =====
+ Config File: dev/dist/datadog.yaml
+ conf.d: /opt/datadog-agent/etc/conf.d
+
+ Clocks
+ ======
+ System time: 2023-11-28 15:40:04.251 UTC (1701186004251)
+
+ Hostnames
+ =========
+ hostname: COMP-VQHPF4W6GY
+ socket-fqdn: COMP-VQHPF4W6GY
+ socket-hostname: COMP-VQHPF4W6GY
+ hostname provider: os
+ unused hostname providers:
+ 'hostname' configuration/environment: hostname is empty
+ 'hostname_file' configuration/environment: 'hostname_file' configuration is not enabled
+ aws: not retrieving hostname from AWS: the host is not an ECS instance and other providers already retrieve non-default hostnames
+ azure: azure_hostname_style is set to 'os'
+ container: the agent is not containerized
+ fargate: agent is not runnning on Fargate
+ fqdn: 'hostname_fqdn' configuration is not enabled
+ gce: unable to retrieve hostname from GCE: GCE metadata API error: Get "http://169.254.169.254/computeMetadata/v1/instance/hostname": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
+
+ Metadata
+ ========
+
+Leader Election
+===============
+ Leader Election Status: Failing
+ Error: temporary failure in apiserver, will retry later: try delay not elapsed yet
+
+
+Custom Metrics Server
+=====================
+ Error: temporary failure in apiserver, will retry later: try delay not elapsed yet
+
+Admission Controller
+====================
+ Error: temporary failure in apiserver, will retry later: try delay not elapsed yet
+
+
+=========
+Collector
+=========
+
+ Running Checks
+ ==============
+ No checks have run yet
+
+=========
+Forwarder
+=========
+
+ Transactions
+ ============
+ Cluster: 0
+ ClusterRole: 0
+ ClusterRoleBinding: 0
+ CronJob: 0
+ CustomResource: 0
+ CustomResourceDefinition: 0
+ DaemonSet: 0
+ Deployment: 0
+ Dropped: 0
+ HighPriorityQueueFull: 0
+ HorizontalPodAutoscaler: 0
+ Ingress: 0
+ Job: 0
+ Namespace: 0
+ Node: 0
+ OrchestratorManifest: 0
+ PersistentVolume: 0
+ PersistentVolumeClaim: 0
+ Pod: 0
+ ReplicaSet: 0
+ Requeued: 0
+ Retried: 0
+ RetryQueueSize: 0
+ Role: 0
+ RoleBinding: 0
+ Service: 0
+ ServiceAccount: 0
+ StatefulSet: 0
+ VerticalPodAutoscaler: 0
+
+ Transaction Successes
+ =====================
+ Total number: 26
+ Successes By Endpoint:
+ check_run_v1: 13
+ series_v2: 13
+
+ On-disk storage
+ ===============
+ On-disk storage is disabled. Configure `forwarder_storage_max_size_in_bytes` to enable it.
+
+==========
+Endpoints
+==========
+ https://app.datadoghq.eu - API Key ending with:
+ - 72724
+
+==========
+Logs Agent
+==========
+
+
+
diff --git a/pkg/status/render/fixtures/process_agent_status.json b/pkg/status/render/fixtures/process_agent_status.json
new file mode 100644
index 0000000000000..7d256b9b4430f
--- /dev/null
+++ b/pkg/status/render/fixtures/process_agent_status.json
@@ -0,0 +1,129 @@
+{
+ "processAgentStatus": {
+ "core": {
+ "build_arch": "arm64",
+ "config": {
+ "log_level": "info"
+ },
+ "go_version": "go1.20.10",
+ "metadata": {
+ "agent-flavor": "process_agent",
+ "container-meta": {
+ "docker_swarm": "inactive",
+ "docker_version": "24.0.6"
+ },
+ "host-tags": {
+ "system": []
+ },
+ "install-method": {
+ "installer_version": "docker",
+ "tool": "docker",
+ "tool_version": "docker"
+ },
+ "logs": {
+ "auto_multi_line_detection_enabled": false,
+ "transport": ""
+ },
+ "meta": {
+ "ec2-hostname": "",
+ "host_aliases": [],
+ "hostname": "docker-desktop",
+ "instance-id": "",
+ "socket-fqdn": "52254030ab59",
+ "socket-hostname": "52254030ab59",
+ "timezones": [
+ "UTC"
+ ]
+ },
+ "network": null,
+ "os": "linux",
+ "otlp": {
+ "enabled": false
+ },
+ "proxy-info": {
+ "no-proxy-nonexact-match": false,
+ "no-proxy-nonexact-match-explicitly-set": false,
+ "proxy-behavior-changed": false
+ },
+ "python": "n/a",
+ "systemStats": {
+ "cpuCores": 1,
+ "fbsdV": [
+ "",
+ "",
+ ""
+ ],
+ "macV": [
+ "",
+ "",
+ ""
+ ],
+ "machine": "arm64",
+ "nixV": [
+ "ubuntu",
+ "23.04",
+ ""
+ ],
+ "platform": "linux",
+ "processor": "",
+ "pythonV": "n/a",
+ "winV": [
+ "",
+ "",
+ ""
+ ]
+ }
+ },
+ "version": "7.49.1"
+ },
+ "date": 1701254547319371000,
+ "expvars": {
+ "connections_queue_bytes": 0,
+ "connections_queue_size": 0,
+ "container_count": 1,
+ "container_id": "52254030ab598053a03b9bd474ac11d72486f640def81fc7be38ed3a5e864df3",
+ "docker_socket": "/var/run/docker.sock",
+ "drop_check_payloads": [],
+ "enabled_checks": [
+ "rtcontainer",
+ "container",
+ "process_discovery"
+ ],
+ "endpoints": {
+ "https://process.datadoghq.eu": [
+ "72724"
+ ]
+ },
+ "event_queue_bytes": 0,
+ "event_queue_size": 0,
+ "language_detection_enabled": false,
+ "last_collect_time": "2023-11-29 10:42:25",
+ "log_file": "",
+ "memstats": {
+ "alloc": 14060976
+ },
+ "pid": 23863,
+ "pod_queue_bytes": 0,
+ "pod_queue_size": 0,
+ "process_count": 0,
+ "process_queue_bytes": 0,
+ "process_queue_size": 0,
+ "proxy_url": "",
+ "rtprocess_queue_bytes": 0,
+ "rtprocess_queue_size": 0,
+ "system_probe_process_module_enabled": false,
+ "uptime": 1494,
+ "uptime_nano": 1701253052422544600,
+ "version": {
+ "BuildDate": "",
+ "GitBranch": "",
+ "GitCommit": "",
+ "GoVersion": "",
+ "Version": ""
+ },
+ "workloadmeta_extractor_cache_size": 0,
+ "workloadmeta_extractor_diffs_dropped": 0,
+ "workloadmeta_extractor_stale_diffs": 0
+ }
+ }
+}
diff --git a/pkg/status/render/fixtures/process_agent_status.text b/pkg/status/render/fixtures/process_agent_status.text
new file mode 100755
index 0000000000000..583358471eab3
--- /dev/null
+++ b/pkg/status/render/fixtures/process_agent_status.text
@@ -0,0 +1,52 @@
+
+=============
+Process Agent
+=============
+
+ Version: 7.49.1
+ Status date: 2023-11-29 10:42:27.319 UTC (1701254547319)
+ Process Agent Start: 2023-11-29 10:17:32.422 UTC (1701253052422)
+ Pid: 23863
+ Go Version: go1.20.10
+ Build arch: arm64
+ Log Level: info
+ Enabled Checks: [rtcontainer container process_discovery]
+ Allocated Memory: 14,060,976 bytes
+ Hostname: docker-desktop
+ System Probe Process Module Status: Not running
+ Process Language Detection Enabled: False
+
+ =================
+ Process Endpoints
+ =================
+ https://process.datadoghq.eu - API Key ending with:
+ - 72724
+
+ =========
+ Collector
+ =========
+ Last collection time: 2023-11-29 10:42:25
+ Docker socket: /var/run/docker.sock
+ Number of processes: 0
+ Number of containers: 1
+ Process Queue length: 0
+ RTProcess Queue length: 0
+ Connections Queue length: 0
+ Event Queue length: 0
+ Pod Queue length: 0
+ Process Bytes enqueued: 0
+ RTProcess Bytes enqueued: 0
+ Connections Bytes enqueued: 0
+ Event Bytes enqueued: 0
+ Pod Bytes enqueued: 0
+ Drop Check Payloads: []
+
+ ==========
+ Extractors
+ ==========
+
+ Workloadmeta
+ ============
+ Cache size: 0
+ Stale diffs discarded: 0
+ Diffs dropped: 0
diff --git a/pkg/status/render/fixtures/security_agent_status.json b/pkg/status/render/fixtures/security_agent_status.json
new file mode 100644
index 0000000000000..8141515e06686
--- /dev/null
+++ b/pkg/status/render/fixtures/security_agent_status.json
@@ -0,0 +1,913 @@
+{
+ "JMXStartupError": {
+ "LastError": "",
+ "Timestamp": 0
+ },
+ "JMXStatus": {
+ "info": null,
+ "checks": {
+ "initialized_checks": null,
+ "failed_checks": null
+ },
+ "timestamp": 0,
+ "errors": 0
+ },
+ "NoProxyChanged": [],
+ "NoProxyIgnoredWarningMap": [],
+ "NoProxyUsedInFuture": [],
+ "TransportWarnings": false,
+ "adEnabledFeatures": {
+ "docker": {}
+ },
+ "agent_metadata": {},
+ "agent_start_nano": 1701253052392961884,
+ "aggregatorStats": {
+ "ChecksHistogramBucketMetricSample": 0,
+ "ChecksMetricSample": 0,
+ "DogstatsdContexts": 0,
+ "DogstatsdContextsByMtype": {
+ "Count": 0,
+ "Counter": 0,
+ "Distribution": 0,
+ "Gauge": 0,
+ "Histogram": 0,
+ "Historate": 0,
+ "MonotonicCount": 0,
+ "Rate": 0,
+ "Set": 0
+ },
+ "DogstatsdMetricSample": 1,
+ "Event": 1,
+ "EventPlatformEvents": {},
+ "EventPlatformEventsErrors": {},
+ "EventsFlushErrors": 0,
+ "EventsFlushed": 1,
+ "Flush": {
+ "ChecksMetricSampleFlushTime": {
+ "FlushIndex": 2,
+ "Flushes": [
+ 16788292,
+ 1413375,
+ 7895666,
+ 3688167,
+ 16294166,
+ 1701875,
+ 1876083,
+ 3225208,
+ 496750,
+ 6249583,
+ 1440334,
+ 11195917,
+ 1185875,
+ 1397916,
+ 323500,
+ 268083,
+ 5228292,
+ 3378500,
+ 12369292,
+ 8481500,
+ 4424875,
+ 225959,
+ 254208,
+ 1949792,
+ 3177625,
+ 14756875,
+ 1911209,
+ 554875,
+ 299833,
+ 743208,
+ 5745083,
+ 8526000
+ ],
+ "LastFlush": 7895666,
+ "Name": "ChecksMetricSampleFlushTime"
+ },
+ "EventFlushTime": {
+ "FlushIndex": 0,
+ "Flushes": [
+ 25612834,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 25612834,
+ "Name": "EventFlushTime"
+ },
+ "MainFlushTime": {
+ "FlushIndex": 2,
+ "Flushes": [
+ 16800625,
+ 1419417,
+ 7902958,
+ 3772542,
+ 16330083,
+ 1708667,
+ 1886833,
+ 3233291,
+ 500125,
+ 6261083,
+ 1451209,
+ 11205125,
+ 1190875,
+ 1404375,
+ 326208,
+ 272041,
+ 5237375,
+ 3387417,
+ 12374625,
+ 8489875,
+ 4432375,
+ 228500,
+ 256291,
+ 1956625,
+ 3186084,
+ 14763833,
+ 1918084,
+ 561375,
+ 302625,
+ 748875,
+ 5869291,
+ 8536917
+ ],
+ "LastFlush": 7902958,
+ "Name": "MainFlushTime"
+ },
+ "ManifestsTime": {
+ "FlushIndex": -1,
+ "Flushes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 0,
+ "Name": "ManifestsTime"
+ },
+ "MetricSketchFlushTime": {
+ "FlushIndex": -1,
+ "Flushes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 0,
+ "Name": "MetricSketchFlushTime"
+ },
+ "ServiceCheckFlushTime": {
+ "FlushIndex": 2,
+ "Flushes": [
+ 16755959,
+ 716125,
+ 1058750,
+ 3396125,
+ 14984125,
+ 1017458,
+ 1895166,
+ 1522583,
+ 489291,
+ 5937542,
+ 1782250,
+ 12991542,
+ 1182167,
+ 660208,
+ 329416,
+ 258583,
+ 9008542,
+ 721042,
+ 4216334,
+ 5173959,
+ 2696000,
+ 235709,
+ 262208,
+ 1185875,
+ 723959,
+ 14414875,
+ 959334,
+ 531292,
+ 314541,
+ 771208,
+ 900041,
+ 3754917
+ ],
+ "LastFlush": 1058750,
+ "Name": "ServiceCheckFlushTime"
+ }
+ },
+ "FlushCount": {
+ "Events": {
+ "FlushIndex": 0,
+ "Flushes": [
+ 1,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 1,
+ "Name": "Events"
+ },
+ "Manifests": {
+ "FlushIndex": -1,
+ "Flushes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 0,
+ "Name": "Manifests"
+ },
+ "Series": {
+ "FlushIndex": 2,
+ "Flushes": [
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2,
+ 2
+ ],
+ "LastFlush": 2,
+ "Name": "Series"
+ },
+ "ServiceChecks": {
+ "FlushIndex": 2,
+ "Flushes": [
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1,
+ 1
+ ],
+ "LastFlush": 1,
+ "Name": "ServiceChecks"
+ },
+ "Sketches": {
+ "FlushIndex": -1,
+ "Flushes": [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0
+ ],
+ "LastFlush": 0,
+ "Name": "Sketches"
+ }
+ },
+ "HostnameUpdate": 0,
+ "MetricTags": {
+ "Series": {
+ "Above100": 0,
+ "Above90": 0
+ },
+ "Sketches": {
+ "Above100": 0,
+ "Above90": 0
+ }
+ },
+ "NumberOfFlush": 99,
+ "OrchestratorManifests": 0,
+ "OrchestratorManifestsErrors": 0,
+ "OrchestratorMetadata": 0,
+ "OrchestratorMetadataErrors": 0,
+ "SeriesFlushErrors": 0,
+ "SeriesFlushed": 199,
+ "ServiceCheck": 0,
+ "ServiceCheckFlushErrors": 0,
+ "ServiceCheckFlushed": 99,
+ "SketchesFlushErrors": 0,
+ "SketchesFlushed": 0
+ },
+ "autoConfigStats": {
+ "ConfigErrors": {},
+ "ResolveWarnings": {}
+ },
+ "build_arch": "arm64",
+ "checkSchedulerStats": {
+ "LoaderErrors": {},
+ "RunErrors": {}
+ },
+ "complianceChecks": null,
+ "conf_file": "/etc/datadog-agent/datadog.yaml",
+ "config": {
+ "additional_checksd": "/etc/datadog-agent/checks.d",
+ "confd_path": "/etc/datadog-agent/conf.d",
+ "fips_enabled": "false",
+ "fips_local_address": "localhost",
+ "fips_port_range_start": "9803",
+ "log_file": "",
+ "log_level": "info"
+ },
+ "endpointsInfos": {
+ "https://app.datadoghq.eu": [
+ "72724"
+ ]
+ },
+ "filterErrors": {},
+ "flavor": "security_agent",
+ "forwarderStats": {
+ "APIKeyFailure": {},
+ "APIKeyStatus": {
+ "API key ending with 72724": "API Key valid"
+ },
+ "FileStorage": {
+ "CurrentSizeInBytes": 0,
+ "DeserializeCount": 0,
+ "DeserializeErrorsCount": 0,
+ "DeserializeTransactionsCount": 0,
+ "FileSize": 0,
+ "FilesCount": 0,
+ "FilesRemovedCount": 0,
+ "PointsDroppedCount": 0,
+ "SerializeCount": 0,
+ "StartupReloadedRetryFilesCount": 0
+ },
+ "RemovalPolicy": {
+ "FilesFromUnknownDomainCount": 0,
+ "NewRemovalPolicyCount": 0,
+ "OutdatedFilesCount": 0,
+ "RegisteredDomainCount": 0
+ },
+ "TransactionContainer": {
+ "CurrentMemSizeInBytes": 0,
+ "ErrorsCount": 0,
+ "PointsDroppedCount": 0,
+ "TransactionsCount": 0,
+ "TransactionsDroppedCount": 0
+ },
+ "Transactions": {
+ "Cluster": 0,
+ "ClusterRole": 0,
+ "ClusterRoleBinding": 0,
+ "ConnectionEvents": {
+ "ConnectSuccess": 1,
+ "DNSSuccess": 1
+ },
+ "CronJob": 0,
+ "CustomResource": 0,
+ "CustomResourceDefinition": 0,
+ "DaemonSet": 0,
+ "Deployment": 0,
+ "Dropped": 0,
+ "DroppedByEndpoint": {},
+ "Errors": 0,
+ "ErrorsByType": {
+ "ConnectionErrors": 0,
+ "DNSErrors": 0,
+ "SentRequestErrors": 0,
+ "TLSErrors": 0,
+ "WroteRequestErrors": 0
+ },
+ "HTTPErrors": 0,
+ "HTTPErrorsByCode": {},
+ "HighPriorityQueueFull": 0,
+ "HorizontalPodAutoscaler": 0,
+ "Ingress": 0,
+ "InputBytesByEndpoint": {
+ "check_run_v1": 11727,
+ "intake": 188,
+ "series_v2": 16457
+ },
+ "InputCountByEndpoint": {
+ "check_run_v1": 99,
+ "intake": 1,
+ "series_v2": 99
+ },
+ "Job": 0,
+ "Namespace": 0,
+ "Node": 0,
+ "OrchestratorManifest": 0,
+ "PersistentVolume": 0,
+ "PersistentVolumeClaim": 0,
+ "Pod": 0,
+ "ReplicaSet": 0,
+ "Requeued": 0,
+ "RequeuedByEndpoint": {},
+ "Retried": 0,
+ "RetriedByEndpoint": {},
+ "RetryQueueSize": 0,
+ "Role": 0,
+ "RoleBinding": 0,
+ "Service": 0,
+ "ServiceAccount": 0,
+ "StatefulSet": 0,
+ "Success": 199,
+ "SuccessByEndpoint": {
+ "check_run_v1": 99,
+ "connections": 0,
+ "container": 0,
+ "events_v2": 0,
+ "host_metadata_v2": 0,
+ "intake": 1,
+ "orchestrator": 0,
+ "process": 0,
+ "rtcontainer": 0,
+ "rtprocess": 0,
+ "series_v1": 0,
+ "series_v2": 99,
+ "services_checks_v2": 0,
+ "sketches_v1": 0,
+ "sketches_v2": 0,
+ "validate_v1": 0
+ },
+ "SuccessBytesByEndpoint": {
+ "check_run_v1": 11727,
+ "intake": 188,
+ "series_v2": 16457
+ },
+ "VerticalPodAutoscaler": 0
+ }
+ },
+ "go_version": "go1.20.10",
+ "hostTags": [],
+ "hostinfo": {
+ "hostname": "52254030ab59",
+ "uptime": 2436,
+ "bootTime": 1701252098,
+ "procs": 210,
+ "os": "linux",
+ "platform": "ubuntu",
+ "platformFamily": "debian",
+ "platformVersion": "23.04",
+ "kernelVersion": "6.4.16-linuxkit",
+ "kernelArch": "aarch64",
+ "virtualizationSystem": "docker",
+ "virtualizationRole": "guest",
+ "hostId": "1714f7df-2eef-4fcc-9477-476137cc9918"
+ },
+ "hostnameStats": {
+ "errors": {
+ "'hostname' configuration/environment": "hostname is empty",
+ "'hostname_file' configuration/environment": "'hostname_file' configuration is not enabled",
+ "aws": "not retrieving hostname from AWS: the host is not an ECS instance and other providers already retrieve non-default hostnames",
+ "azure": "azure_hostname_style is set to 'os'",
+ "fargate": "agent is not runnning on Fargate",
+ "fqdn": "FQDN hostname is not usable",
+ "gce": "unable to retrieve hostname from GCE: GCE metadata API error: Get \"http://169.254.169.254/computeMetadata/v1/instance/hostname\": dial tcp 169.254.169.254:80: connect: connection refused",
+ "os": "OS hostname is not usable"
+ },
+ "provider": "container"
+ },
+ "inventories": {},
+ "logsStats": {
+ "is_running": false,
+ "endpoints": null,
+ "metrics": null,
+ "process_file_stats": null,
+ "integrations": null,
+ "tailers": null,
+ "errors": null,
+ "warnings": null,
+ "use_http": false
+ },
+ "metadata": {
+ "os": "linux",
+ "agent-flavor": "security_agent",
+ "python": "n/a",
+ "systemStats": {
+ "cpuCores": 1,
+ "machine": "arm64",
+ "platform": "linux",
+ "pythonV": "n/a",
+ "processor": "",
+ "macV": [
+ "",
+ "",
+ ""
+ ],
+ "nixV": [
+ "ubuntu",
+ "23.04",
+ ""
+ ],
+ "fbsdV": [
+ "",
+ "",
+ ""
+ ],
+ "winV": [
+ "",
+ "",
+ ""
+ ]
+ },
+ "meta": {
+ "socket-hostname": "52254030ab59",
+ "timezones": [
+ "UTC"
+ ],
+ "socket-fqdn": "52254030ab59",
+ "ec2-hostname": "",
+ "hostname": "docker-desktop",
+ "host_aliases": [],
+ "instance-id": ""
+ },
+ "host-tags": {
+ "system": []
+ },
+ "container-meta": {
+ "docker_swarm": "inactive",
+ "docker_version": "24.0.6"
+ },
+ "network": null,
+ "logs": {
+ "transport": "",
+ "auto_multi_line_detection_enabled": false
+ },
+ "install-method": {
+ "tool": "docker",
+ "tool_version": "docker",
+ "installer_version": "docker"
+ },
+ "proxy-info": {
+ "no-proxy-nonexact-match": false,
+ "proxy-behavior-changed": false,
+ "no-proxy-nonexact-match-explicitly-set": false
+ },
+ "otlp": {
+ "enabled": false
+ }
+ },
+ "otlp": {},
+ "pid": 23865,
+ "processAgentStatus": {
+ "core": {
+ "build_arch": "arm64",
+ "config": {
+ "log_level": "info"
+ },
+ "go_version": "go1.20.10",
+ "metadata": {
+ "agent-flavor": "process_agent",
+ "container-meta": {
+ "docker_swarm": "inactive",
+ "docker_version": "24.0.6"
+ },
+ "host-tags": {
+ "system": []
+ },
+ "install-method": {
+ "installer_version": "docker",
+ "tool": "docker",
+ "tool_version": "docker"
+ },
+ "logs": {
+ "auto_multi_line_detection_enabled": false,
+ "transport": ""
+ },
+ "meta": {
+ "ec2-hostname": "",
+ "host_aliases": [],
+ "hostname": "docker-desktop",
+ "instance-id": "",
+ "socket-fqdn": "52254030ab59",
+ "socket-hostname": "52254030ab59",
+ "timezones": [
+ "UTC"
+ ]
+ },
+ "network": null,
+ "os": "linux",
+ "otlp": {
+ "enabled": false
+ },
+ "proxy-info": {
+ "no-proxy-nonexact-match": false,
+ "no-proxy-nonexact-match-explicitly-set": false,
+ "proxy-behavior-changed": false
+ },
+ "python": "n/a",
+ "systemStats": {
+ "cpuCores": 1,
+ "fbsdV": [
+ "",
+ "",
+ ""
+ ],
+ "macV": [
+ "",
+ "",
+ ""
+ ],
+ "machine": "arm64",
+ "nixV": [
+ "ubuntu",
+ "23.04",
+ ""
+ ],
+ "platform": "linux",
+ "processor": "",
+ "pythonV": "n/a",
+ "winV": [
+ "",
+ "",
+ ""
+ ]
+ }
+ },
+ "version": "7.49.1"
+ },
+ "date": 1701254547319371000,
+ "expvars": {
+ "connections_queue_bytes": 0,
+ "connections_queue_size": 0,
+ "container_count": 1,
+ "container_id": "52254030ab598053a03b9bd474ac11d72486f640def81fc7be38ed3a5e864df3",
+ "docker_socket": "/var/run/docker.sock",
+ "drop_check_payloads": [],
+ "enabled_checks": [
+ "rtcontainer",
+ "container",
+ "process_discovery"
+ ],
+ "endpoints": {
+ "https://process.datadoghq.eu": [
+ "72724"
+ ]
+ },
+ "event_queue_bytes": 0,
+ "event_queue_size": 0,
+ "language_detection_enabled": false,
+ "last_collect_time": "2023-11-29 10:42:25",
+ "log_file": "",
+ "memstats": {
+ "alloc": 14060976
+ },
+ "pid": 23863,
+ "pod_queue_bytes": 0,
+ "pod_queue_size": 0,
+ "process_count": 0,
+ "process_queue_bytes": 0,
+ "process_queue_size": 0,
+ "proxy_url": "",
+ "rtprocess_queue_bytes": 0,
+ "rtprocess_queue_size": 0,
+ "system_probe_process_module_enabled": false,
+ "uptime": 1494,
+ "uptime_nano": 1701253052422544600,
+ "version": {
+ "BuildDate": "",
+ "GitBranch": "",
+ "GitCommit": "",
+ "GoVersion": "",
+ "Version": ""
+ },
+ "workloadmeta_extractor_cache_size": 0,
+ "workloadmeta_extractor_diffs_dropped": 0,
+ "workloadmeta_extractor_stale_diffs": 0
+ }
+ },
+ "pyLoaderStats": null,
+ "pythonInit": null,
+ "python_version": "n/a",
+ "remoteConfiguration": {},
+ "runnerStats": {
+ "Checks": {},
+ "Running": {},
+ "Workers": {
+ "Count": 0,
+ "Instances": {}
+ }
+ },
+ "runtimeSecurityStatus": {
+ "activityDumpReceived": 0,
+ "connected": false,
+ "endpoints": [
+ "Reliable: Sending compressed logs in HTTPS to runtime-security-http-intake.logs.datadoghq.eu on port 443"
+ ],
+ "eventReceived": 0
+ },
+ "snmpTrapsStats": {
+ "metrics": {
+ "Packets": 0,
+ "PacketsAuthErrors": 0
+ }
+ },
+ "systemProbeStats": {
+ "Errors": "System Probe is not supported on this system"
+ },
+ "time_nano": 1701254547317708590,
+ "verbose": false,
+ "version": "7.49.1"
+}
diff --git a/pkg/status/render/fixtures/security_agent_status.text b/pkg/status/render/fixtures/security_agent_status.text
new file mode 100755
index 0000000000000..e73e0a7ebea6f
--- /dev/null
+++ b/pkg/status/render/fixtures/security_agent_status.text
@@ -0,0 +1,79 @@
+
+================================
+Datadog Security Agent (v7.49.1)
+================================
+
+ Status date: 2023-11-29 10:42:27.317 UTC (1701254547317)
+ Agent start: 2023-11-29 10:17:32.392 UTC (1701253052392)
+ Pid: 23865
+ Go Version: go1.20.10
+ Python Version: n/a
+ Build arch: arm64
+ Agent flavor: security_agent
+ Log Level: info
+
+ Paths
+ =====
+ Config File: /etc/datadog-agent/datadog.yaml
+ conf.d: /etc/datadog-agent/conf.d
+ checks.d: /etc/datadog-agent/checks.d
+
+ Clocks
+ ======
+ System time: 2023-11-29 10:42:27.317 UTC (1701254547317)
+
+ Host Info
+ =========
+ bootTime: 2023-11-29 10:01:38 UTC (1701252098000)
+ hostId: 1714f7df-2eef-4fcc-9477-476137cc9918
+ kernelArch: aarch64
+ kernelVersion: 6.4.16-linuxkit
+ os: linux
+ platform: ubuntu
+ platformFamily: debian
+ platformVersion: 23.04
+ procs: 210
+ uptime: 40m36s
+ virtualizationRole: guest
+ virtualizationSystem: docker
+
+ Hostnames
+ =========
+ hostname: docker-desktop
+ socket-fqdn: 52254030ab59
+ socket-hostname: 52254030ab59
+ hostname provider: container
+ unused hostname providers:
+ 'hostname' configuration/environment: hostname is empty
+ 'hostname_file' configuration/environment: 'hostname_file' configuration is not enabled
+ aws: not retrieving hostname from AWS: the host is not an ECS instance and other providers already retrieve non-default hostnames
+ azure: azure_hostname_style is set to 'os'
+ fargate: agent is not runnning on Fargate
+ fqdn: FQDN hostname is not usable
+ gce: unable to retrieve hostname from GCE: GCE metadata API error: Get "http://169.254.169.254/computeMetadata/v1/instance/hostname": dial tcp 169.254.169.254:80: connect: connection refused
+ os: OS hostname is not usable
+
+ Metadata
+ ========
+
+================
+Runtime Security
+================
+
+ Reliable: Sending compressed logs in HTTPS to runtime-security-http-intake.logs.datadoghq.eu on port 443
+ Connected: false
+ Events received: 0
+
+ Self Tests
+ ==========
+
+ Last execution:
+
+ Succeeded: none
+
+ Failed: none
+==========
+Compliance
+==========
+
+ Not enabled
diff --git a/pkg/status/render/render_test.go b/pkg/status/render/render_test.go
index 850922e8dece7..1de9262e3ad35 100644
--- a/pkg/status/render/render_test.go
+++ b/pkg/status/render/render_test.go
@@ -6,27 +6,84 @@
package render
import (
+ "fmt"
"os"
+ "strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
-func TestFormatStatus(t *testing.T) {
- agentJSON, err := os.ReadFile("fixtures/agent_status.json")
- require.NoError(t, err)
+func TestFormat(t *testing.T) {
+ originalTZ := os.Getenv("TZ")
+ os.Setenv("TZ", "UTC")
+ defer func() {
+ os.Setenv("TZ", originalTZ)
+ }()
+
const statusRenderErrors = "Status render errors"
- t.Run("render errors", func(t *testing.T) {
- actual, err := FormatStatus([]byte{})
- require.NoError(t, err)
- assert.Contains(t, actual, statusRenderErrors)
- })
+ tests := []struct {
+ name string
+ formatFunction func([]byte) (string, error)
+ jsonFile string
+ resultFile string
+ }{
+ {
+ name: "Core status",
+ formatFunction: FormatStatus,
+ jsonFile: "fixtures/agent_status.json",
+ resultFile: "fixtures/agent_status.text",
+ },
+ {
+ name: "Cluster Agent Status",
+ formatFunction: FormatDCAStatus,
+ jsonFile: "fixtures/cluster_agent_status.json",
+ resultFile: "fixtures/cluster_agent_status.text",
+ },
+ {
+ name: "Security Agent Status",
+ formatFunction: FormatSecurityAgentStatus,
+ jsonFile: "fixtures/security_agent_status.json",
+ resultFile: "fixtures/security_agent_status.text",
+ },
+ {
+ name: "Process Agent Status",
+ formatFunction: FormatProcessAgentStatus,
+ jsonFile: "fixtures/process_agent_status.json",
+ resultFile: "fixtures/process_agent_status.text",
+ },
+ {
+ name: "Check Stats",
+ formatFunction: FormatCheckStats,
+ jsonFile: "fixtures/check_stats.json",
+ resultFile: "fixtures/check_stats.text",
+ },
+ }
- t.Run("no render errors", func(t *testing.T) {
- actual, err := FormatStatus(agentJSON)
+ for _, tt := range tests {
+ jsonBytes, err := os.ReadFile(tt.jsonFile)
require.NoError(t, err)
- assert.NotContains(t, actual, statusRenderErrors)
- })
+ expectedOutput, err := os.ReadFile(tt.resultFile)
+ require.NoError(t, err)
+
+ t.Run(fmt.Sprintf("%s: render errors", tt.name), func(t *testing.T) {
+ output, err := tt.formatFunction([]byte{})
+ require.NoError(t, err)
+ assert.Contains(t, output, statusRenderErrors)
+ })
+
+ t.Run(fmt.Sprintf("%s: no render errors", tt.name), func(t *testing.T) {
+ output, err := tt.formatFunction(jsonBytes)
+ require.NoError(t, err)
+
+ // We replace windows line break by linux so the tests pass on every OS
+ result := strings.Replace(string(expectedOutput), "\r\n", "\n", -1)
+ output = strings.Replace(output, "\r\n", "\n", -1)
+
+ assert.Equal(t, output, result)
+ assert.NotContains(t, output, statusRenderErrors)
+ })
+ }
}
diff --git a/pkg/status/render/templates/autodiscovery.tmpl b/pkg/status/render/templates/autodiscovery.tmpl
index f4f03edbc81b6..3ff340819ac6e 100644
--- a/pkg/status/render/templates/autodiscovery.tmpl
+++ b/pkg/status/render/templates/autodiscovery.tmpl
@@ -7,7 +7,7 @@ NOTE: Changes made to this template should be reflected on the following templat
=============
Autodiscovery
=============
-{{- with .adEnabledFeatures -}}
+{{- with .adEnabledFeatures}}
Enabled Features
================
{{- range $feature, $empty := . }}
diff --git a/pkg/status/status.go b/pkg/status/status.go
index 21696dc0ac489..a3f86b0c6cabb 100644
--- a/pkg/status/status.go
+++ b/pkg/status/status.go
@@ -30,6 +30,7 @@ import (
"github.com/DataDog/datadog-agent/pkg/config/utils"
logsStatus "github.com/DataDog/datadog-agent/pkg/logs/status"
"github.com/DataDog/datadog-agent/pkg/snmp/traps"
+ "github.com/DataDog/datadog-agent/pkg/status/apm"
"github.com/DataDog/datadog-agent/pkg/status/collector"
"github.com/DataDog/datadog-agent/pkg/status/jmx"
"github.com/DataDog/datadog-agent/pkg/status/otlp"
@@ -82,6 +83,7 @@ func GetStatus(verbose bool, invAgent inventoryagent.Component) (map[string]inte
}
stats["processAgentStatus"] = GetProcessAgentStatus()
+ stats["apmStats"] = apm.GetAPMStatus()
if !config.Datadog.GetBool("no_proxy_nonexact_match") {
stats["TransportWarnings"] = httputils.GetNumberOfWarnings() > 0
diff --git a/pkg/util/winutil/crashreport/crashreport.go b/pkg/util/crashreport/crashreport.go
similarity index 100%
rename from pkg/util/winutil/crashreport/crashreport.go
rename to pkg/util/crashreport/crashreport.go
diff --git a/pkg/util/winutil/pdhutil/README.md b/pkg/util/pdhutil/README.md
similarity index 100%
rename from pkg/util/winutil/pdhutil/README.md
rename to pkg/util/pdhutil/README.md
diff --git a/pkg/util/winutil/pdhutil/pdh.go b/pkg/util/pdhutil/pdh.go
similarity index 100%
rename from pkg/util/winutil/pdhutil/pdh.go
rename to pkg/util/pdhutil/pdh.go
diff --git a/pkg/util/winutil/pdhutil/pdh_386.go b/pkg/util/pdhutil/pdh_386.go
similarity index 100%
rename from pkg/util/winutil/pdhutil/pdh_386.go
rename to pkg/util/pdhutil/pdh_386.go
diff --git a/pkg/util/winutil/pdhutil/pdh_amd64.go b/pkg/util/pdhutil/pdh_amd64.go
similarity index 100%
rename from pkg/util/winutil/pdhutil/pdh_amd64.go
rename to pkg/util/pdhutil/pdh_amd64.go
diff --git a/pkg/util/winutil/pdhutil/pdhcounter.go b/pkg/util/pdhutil/pdhcounter.go
similarity index 100%
rename from pkg/util/winutil/pdhutil/pdhcounter.go
rename to pkg/util/pdhutil/pdhcounter.go
diff --git a/pkg/util/winutil/pdhutil/pdhformatter.go b/pkg/util/pdhutil/pdhformatter.go
similarity index 100%
rename from pkg/util/winutil/pdhutil/pdhformatter.go
rename to pkg/util/pdhutil/pdhformatter.go
diff --git a/pkg/util/winutil/pdhutil/pdhhelper.go b/pkg/util/pdhutil/pdhhelper.go
similarity index 98%
rename from pkg/util/winutil/pdhutil/pdhhelper.go
rename to pkg/util/pdhutil/pdhhelper.go
index 67b9457c8e806..ed5ad9c3a9b65 100644
--- a/pkg/util/winutil/pdhutil/pdhhelper.go
+++ b/pkg/util/pdhutil/pdhhelper.go
@@ -87,7 +87,9 @@ func refreshPdhObjectCache(forceRefresh bool) (didrefresh bool, err error) {
// log errors and warnings but will decrease the time before the failing
// counters have a chance to initialize successfully.
+ //revive:disable:redefines-builtin-id
var len uint32
+ //revive:enable:redefines-builtin-id
refreshInterval := config.Datadog.GetInt("windows_counter_refresh_interval")
if refreshInterval == 0 {
@@ -191,7 +193,9 @@ func pdhMakeCounterPath(machine string, object string, instance string, counter
if counter != "" {
elems.countername = uintptr(unsafe.Pointer(windows.StringToUTF16Ptr(counter)))
}
+ //revive:disable:redefines-builtin-id
var len uint32
+ //revive:enable:redefines-builtin-id
r, _, _ := procPdhMakeCounterPath.Call(
uintptr(unsafe.Pointer(&elems)),
uintptr(0),
diff --git a/pkg/util/winutil/pdhutil/pdhmocks_windows.go b/pkg/util/pdhutil/pdhmocks_windows.go
similarity index 100%
rename from pkg/util/winutil/pdhutil/pdhmocks_windows.go
rename to pkg/util/pdhutil/pdhmocks_windows.go
diff --git a/pkg/util/winutil/pdhutil/testdata_windows.go b/pkg/util/pdhutil/testdata_windows.go
similarity index 100%
rename from pkg/util/winutil/pdhutil/testdata_windows.go
rename to pkg/util/pdhutil/testdata_windows.go
diff --git a/pkg/util/winutil/doc.go b/pkg/util/winutil/doc.go
new file mode 100644
index 0000000000000..c8dcb386d54ec
--- /dev/null
+++ b/pkg/util/winutil/doc.go
@@ -0,0 +1,8 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2018-present Datadog, Inc.
+//go:build !windows
+
+// Package winutil - Windows utility functions
+package winutil
diff --git a/pkg/util/winutil/etw/etw-utils.go b/pkg/util/winutil/etw/etw-utils.go
index dfcbc1801e444..ea190cd395e7a 100644
--- a/pkg/util/winutil/etw/etw-utils.go
+++ b/pkg/util/winutil/etw/etw-utils.go
@@ -10,15 +10,12 @@ package etw
import (
"bytes"
"fmt"
- "net/netip"
"reflect"
"strconv"
"time"
"unsafe"
"golang.org/x/sys/windows"
-
- "github.com/DataDog/datadog-agent/pkg/network/driver"
)
/*
@@ -294,36 +291,3 @@ func skipASCIIString(data []byte, offset int) (nextOffset int, valFound bool, fo
return (offset + termZeroIdx + 1), true, (offset + termZeroIdx + 1)
}
-
-func ip4format(ip [16]uint8) string {
- ipObj := netip.AddrFrom4(*(*[4]byte)(ip[:4]))
- return ipObj.String()
-}
-
-func ip6format(ip [16]uint8) string {
- ipObj := netip.AddrFrom16(ip)
- return ipObj.String()
-}
-
-func ipAndPortFromTup(tup driver.ConnTupleType, local bool) ([16]uint8, uint16) {
- if local {
- return tup.LocalAddr, tup.LocalPort
- }
- return tup.RemoteAddr, tup.RemotePort
-}
-
-// IPFormat takes a binary ip representation and returns a string type
-func IPFormat(tup driver.ConnTupleType, local bool) string {
- ip, port := ipAndPortFromTup(tup, local)
-
- if tup.Family == 2 {
- // IPv4
- return fmt.Sprintf("%v:%v", ip4format(ip), port)
- } else if tup.Family == 23 {
- // IPv6
- return fmt.Sprintf("[%v]:%v", ip6format(ip), port)
- } else {
- // everything else
- return ""
- }
-}
diff --git a/pkg/util/winutil/go.mod b/pkg/util/winutil/go.mod
new file mode 100644
index 0000000000000..cc15cbb63a824
--- /dev/null
+++ b/pkg/util/winutil/go.mod
@@ -0,0 +1,25 @@
+module github.com/DataDog/datadog-agent/pkg/util/winutil
+
+go 1.20
+
+replace (
+ github.com/DataDog/datadog-agent/pkg/util/log => ../log/
+ github.com/DataDog/datadog-agent/pkg/util/scrubber => ../scrubber/
+)
+
+require (
+ github.com/DataDog/datadog-agent/pkg/util/log v0.0.0-00010101000000-000000000000
+ github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575
+ github.com/fsnotify/fsnotify v1.7.0
+ github.com/stretchr/testify v1.8.4
+ go.uber.org/atomic v1.11.0
+ golang.org/x/sys v0.14.0
+)
+
+require (
+ github.com/DataDog/datadog-agent/pkg/util/scrubber v0.50.0-rc.4 // indirect
+ github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/pmezard/go-difflib v1.0.0 // indirect
+ gopkg.in/yaml.v2 v2.4.0 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
+)
diff --git a/pkg/util/winutil/go.sum b/pkg/util/winutil/go.sum
new file mode 100644
index 0000000000000..c25f42a430cbe
--- /dev/null
+++ b/pkg/util/winutil/go.sum
@@ -0,0 +1,20 @@
+github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 h1:kHaBemcxl8o/pQ5VM1c8PVE1PubbNx3mjUr09OqWGCs=
+github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575/go.mod h1:9d6lWj8KzO/fd/NrVaLscBKmPigpZpn5YawRPw+e3Yo=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
+golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/releasenotes-dca/notes/add-isolate-command-to-clusterchecks-53ece6c3fbf2720c.yaml b/releasenotes-dca/notes/add-isolate-command-to-clusterchecks-53ece6c3fbf2720c.yaml
new file mode 100644
index 0000000000000..cc22686bdd20d
--- /dev/null
+++ b/releasenotes-dca/notes/add-isolate-command-to-clusterchecks-53ece6c3fbf2720c.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Add isolate command to clusterchecks to make it easier to pinpoint
+ a check that that is causing high CPU/memory usage. Command can be
+ run in the cluster agent with:
+ `datadog-cluster-agent clusterchecks isolate --checkID=`
diff --git a/releasenotes/notes/csm-events-hostname-42359b25de381a90.yaml b/releasenotes/notes/csm-events-hostname-42359b25de381a90.yaml
new file mode 100644
index 0000000000000..4a62235019b64
--- /dev/null
+++ b/releasenotes/notes/csm-events-hostname-42359b25de381a90.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ CWS/CSPM: Fixes the hostname value attached to CWS and CSPM events, which in rare cases
+ the security agent computed incorrectly.
diff --git a/releasenotes/notes/file-check-on-darwin-ea525cc9369307a4.yaml b/releasenotes/notes/file-check-on-darwin-ea525cc9369307a4.yaml
new file mode 100644
index 0000000000000..c0a8ca03a195c
--- /dev/null
+++ b/releasenotes/notes/file-check-on-darwin-ea525cc9369307a4.yaml
@@ -0,0 +1,11 @@
+# Each section from every release note are combined when the
+# CHANGELOG.rst is rendered. So the text needs to be worded so that
+# it does not depend on any information only available in another
+# section. This may mean repeating some details, but each section
+# must be readable independently of the other.
+#
+# Each section note must be formatted as reStructuredText.
+---
+fixes:
+ - |
+ Fix `file_handle` core check on Darwin by using `sysctl` system call.
diff --git a/releasenotes/notes/fix-tracer-agent-forwards-remote-config-errors-1e939be195e6db67.yaml b/releasenotes/notes/fix-tracer-agent-forwards-remote-config-errors-1e939be195e6db67.yaml
new file mode 100644
index 0000000000000..4d8884d5f042d
--- /dev/null
+++ b/releasenotes/notes/fix-tracer-agent-forwards-remote-config-errors-1e939be195e6db67.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ APM: Fixed trace-agent not forwarding errors from remote configuration and reporting them all as 500s
+
diff --git a/releasenotes/notes/oracle-activity-samples-optimization-70b4b39291a6cd11.yaml b/releasenotes/notes/oracle-activity-samples-optimization-70b4b39291a6cd11.yaml
new file mode 100644
index 0000000000000..a1c1c920e8131
--- /dev/null
+++ b/releasenotes/notes/oracle-activity-samples-optimization-70b4b39291a6cd11.yaml
@@ -0,0 +1,11 @@
+# Each section from every release note are combined when the
+# CHANGELOG.rst is rendered. So the text needs to be worded so that
+# it does not depend on any information only available in another
+# section. This may mean repeating some details, but each section
+# must be readable independently of the other.
+#
+# Each section note must be formatted as reStructuredText.
+---
+enhancements:
+ - |
+ Improved performance of the activity sampling query on RDS and Oracle Cloud databases.
diff --git a/releasenotes/notes/oracle-missing-tags-8e25d3d3b5041354.yaml b/releasenotes/notes/oracle-missing-tags-8e25d3d3b5041354.yaml
new file mode 100644
index 0000000000000..fff3a24bbf6b3
--- /dev/null
+++ b/releasenotes/notes/oracle-missing-tags-8e25d3d3b5041354.yaml
@@ -0,0 +1,11 @@
+# Each section from every release note are combined when the
+# CHANGELOG.rst is rendered. So the text needs to be worded so that
+# it does not depend on any information only available in another
+# section. This may mean repeating some details, but each section
+# must be readable independently of the other.
+#
+# Each section note must be formatted as reStructuredText.
+---
+fixes:
+ - |
+ Bug fix for missing tags.
diff --git a/repository.datadog.yml b/repository.datadog.yml
index 4b26ee0d56d4a..d029388b323a6 100644
--- a/repository.datadog.yml
+++ b/repository.datadog.yml
@@ -4,6 +4,6 @@ kind: mergequeue
enable: true
merge_method: squash
workflow_type: speculative
-speculative_max_depth: 1
+speculative_max_depth: 3
wait_for_check_timeout_in_minutes: 240
gitlab_jobs_retry_enable: true
diff --git a/tasks/__init__.py b/tasks/__init__.py
index aac3f4393071e..82554f9f2711d 100644
--- a/tasks/__init__.py
+++ b/tasks/__init__.py
@@ -18,6 +18,7 @@
epforwarder,
github_tasks,
kmt,
+ modules,
msi,
new_e2e_tests,
package,
@@ -117,6 +118,7 @@
ns.add_task(fuzz)
ns.add_task(go_fix)
ns.add_task(build_messagetable)
+ns.add_task(modules.go_work)
ns.add_task(get_modified_packages)
ns.add_task(send_unit_tests_stats)
diff --git a/tasks/agent.py b/tasks/agent.py
index 5bf5cd6ddf175..35dc52fe29ab3 100644
--- a/tasks/agent.py
+++ b/tasks/agent.py
@@ -493,23 +493,27 @@ def _windows_integration_tests(ctx, race=False, go_mod="mod", arch="x64"):
tests = [
{
# Run eventlog tests with the Windows API, which depend on the EventLog service
- 'prefix': './pkg/util/winutil/eventlog/...',
+ "dir": "./pkg/util/winutil/",
+ 'prefix': './eventlog/...',
'extra_args': '-evtapi Windows',
},
{
# Run eventlog tailer tests with the Windows API, which depend on the EventLog service
+ "dir": ".",
'prefix': './pkg/logs/tailers/windowsevent/...',
'extra_args': '-evtapi Windows',
},
{
# Run eventlog check tests with the Windows API, which depend on the EventLog service
+ "dir": ".",
'prefix': './pkg/collector/corechecks/windows_event_log/...',
'extra_args': '-evtapi Windows',
},
]
for test in tests:
- ctx.run(f"{go_cmd} {test['prefix']} {test['extra_args']}")
+ with ctx.cd(f"{test['dir']}"):
+ ctx.run(f"{go_cmd} {test['prefix']} {test['extra_args']}")
def _linux_integration_tests(ctx, race=False, remote_docker=False, go_mod="mod", arch="x64"):
diff --git a/tasks/components.py b/tasks/components.py
index 5a25f9171a4d3..71430efcc2f53 100644
--- a/tasks/components.py
+++ b/tasks/components.py
@@ -138,7 +138,7 @@ def get_components_and_bundles(ctx):
def make_components_md(bundles):
- pkg_root = 'github.com/DataDog/dd-agent-comp-experiments/'
+ pkg_root = 'github.com/DataDog/datadog-agent/'
yield '# Agent Components'
yield ''
yield ''
diff --git a/tasks/fuzz.py b/tasks/fuzz.py
index 9f8f023f309d8..3f7b437890ffe 100644
--- a/tasks/fuzz.py
+++ b/tasks/fuzz.py
@@ -15,7 +15,7 @@ def fuzz(ctx, fuzztime="10s"):
"""
for directory, func in search_fuzz_tests(os.getcwd()):
with ctx.cd(directory):
- cmd = f'go test -v . -run={func} -fuzz={func} -fuzztime={fuzztime}'
+ cmd = f'go test -v . -run={func} -fuzz={func}$ -fuzztime={fuzztime}'
ctx.run(cmd)
diff --git a/tasks/github_tasks.py b/tasks/github_tasks.py
index 26832abda6927..e2a7815ebbfff 100644
--- a/tasks/github_tasks.py
+++ b/tasks/github_tasks.py
@@ -14,7 +14,7 @@
from .utils import DEFAULT_BRANCH
-def _trigger_macos_workflow(release, destination, retry_download, retry_interval, **kwargs):
+def _trigger_macos_workflow(release, destination=None, retry_download=0, retry_interval=0, **kwargs):
github_action_ref = _get_release_json_value(f'{release}::MACOS_BUILD_VERSION')
run = trigger_macos_workflow(
@@ -29,7 +29,8 @@ def _trigger_macos_workflow(release, destination, retry_download, retry_interval
print_workflow_conclusion(workflow_conclusion, workflow_url)
- download_with_retry(download_artifacts, run, destination, retry_download, retry_interval)
+ if destination:
+ download_with_retry(download_artifacts, run, destination, retry_download, retry_interval)
if workflow_conclusion != "success":
raise Exit(code=1)
@@ -91,6 +92,23 @@ def trigger_macos_test(
)
+@task
+def trigger_macos_lint(
+ _,
+ datadog_agent_ref=DEFAULT_BRANCH,
+ release_version="nightly-a7",
+ python_runtimes="3",
+ version_cache=None,
+):
+ _trigger_macos_workflow(
+ release_version,
+ workflow_name="lint.yaml",
+ datadog_agent_ref=datadog_agent_ref,
+ python_runtimes=python_runtimes,
+ version_cache_file_content=version_cache,
+ )
+
+
@task
def lint_codeowner(_):
"""
diff --git a/tasks/libs/pipeline_notifications.py b/tasks/libs/pipeline_notifications.py
index eb078ee38edca..41081f47f58e4 100644
--- a/tasks/libs/pipeline_notifications.py
+++ b/tasks/libs/pipeline_notifications.py
@@ -67,7 +67,7 @@
"@datadog/windows-agent": "WINA",
"@datadog/windows-kernel-integrations": "WKINT",
"@datadog/opentelemetry": "OTEL",
- "@datadog/agent-e2e-testing": "AETT",
+ "@datadog/agent-e2e-testing": "APL",
"@datadog/software-integrity-and-trust": "SINT",
"@datadog/single-machine-performance": "SMP",
"@datadog/agent-integrations": "AI",
diff --git a/tasks/modules.py b/tasks/modules.py
index 9f853d4d61cff..47430c9030b6e 100644
--- a/tasks/modules.py
+++ b/tasks/modules.py
@@ -4,6 +4,10 @@
import sys
from contextlib import contextmanager
+from invoke import Context, task
+
+from tasks.libs.common.color import color_message
+
FORBIDDEN_CODECOV_FLAG_CHARS = re.compile(r'[^\w\.\-]')
@@ -156,6 +160,8 @@ def dependency_path(self, agent_version):
"pkg/tagset": GoModule("pkg/tagset", independent=True),
"pkg/metrics": GoModule("pkg/metrics", independent=True),
"pkg/telemetry": GoModule("pkg/telemetry", independent=True),
+ "comp/core/flare/types": GoModule("comp/core/flare/types", independent=True),
+ "comp/core/secrets": GoModule("comp/core/secrets", independent=True),
"comp/core/telemetry": GoModule("comp/core/telemetry", independent=True),
"pkg/config/model": GoModule("pkg/config/model", independent=True),
"pkg/config/env": GoModule("pkg/config/env", independent=True),
@@ -182,6 +188,7 @@ def dependency_path(self, agent_version):
"pkg/util/statstracker": GoModule("pkg/util/statstracker", independent=True),
"pkg/util/system/socket": GoModule("pkg/util/system/socket", independent=True),
"pkg/util/testutil": GoModule("pkg/util/testutil", independent=True),
+ "pkg/util/winutil": GoModule("pkg/util/winutil", independent=True),
"pkg/version": GoModule("pkg/version", independent=True),
"pkg/networkdevice/profile": GoModule("pkg/networkdevice/profile", independent=True),
"pkg/collector/check/defaults": GoModule("pkg/collector/check/defaults", independent=True),
@@ -235,3 +242,40 @@ def generate_dummy_package(ctx, folder):
finally:
# delete test_folder to avoid FileExistsError while running this task again
ctx.run(f"rm -rf ./{folder}")
+
+
+@task
+def go_work(_: Context):
+ """
+ Create a go.work file using the module list contained in DEFAULT_MODULES
+ and the go version contained in the file .go-version.
+ If there is already a go.work file, it is renamed go.work.backup and a warning is printed.
+ """
+ from semver import Version
+
+ print(
+ color_message(
+ "WARNING: Using a go.work file is not supported and can cause weird errors "
+ "when compiling the agent or running tests.\n"
+ "Remember to export GOWORK=off to avoid these issues.\n",
+ "orange",
+ ),
+ file=sys.stderr,
+ )
+
+ # read go version from the .go-version file, removing the bugfix part of the version
+
+ with open(".go-version") as f:
+ go_version = Version.parse(f.read().strip())
+ go_version = f"{go_version.major}.{go_version.minor}"
+
+ if os.path.exists("go.work"):
+ print("go.work already exists. Renaming to go.work.backup")
+ os.rename("go.work", "go.work.backup")
+
+ with open("go.work", "w") as f:
+ f.write(f"go {go_version}\n\nuse (\n")
+ for mod in DEFAULT_MODULES.values():
+ prefix = "" if mod.condition() else "//"
+ f.write(f"\t{prefix}{mod.path}\n")
+ f.write(")\n")
diff --git a/tasks/new_e2e_tests.py b/tasks/new_e2e_tests.py
index d4294372ec81c..c136430277a8f 100644
--- a/tasks/new_e2e_tests.py
+++ b/tasks/new_e2e_tests.py
@@ -45,6 +45,8 @@ def run(
osversion="",
platform="",
arch="",
+ flavor="",
+ major_version="",
cws_supported_osversion="",
keep_stacks=False,
cache=False,
@@ -91,7 +93,7 @@ def run(
test_run_arg = f"-run {test_run_name}"
cmd = f'gotestsum --format {gotestsum_format} '
- cmd += '{junit_file_flag} --packages="{packages}" -- -ldflags="-X {REPO_PATH}/test/new-e2e/tests/containers.GitCommit={commit}" {verbose} -mod={go_mod} -vet=off -timeout {timeout} -tags {go_build_tags} {nocache} {run} {skip} {coverage_opt} {test_run_arg} -args {osversion} {platform} {arch} {cws_supported_osversion} {keep_stacks}'
+ cmd += '{junit_file_flag} --packages="{packages}" -- -ldflags="-X {REPO_PATH}/test/new-e2e/tests/containers.GitCommit={commit}" {verbose} -mod={go_mod} -vet=off -timeout {timeout} -tags "{go_build_tags}" {nocache} {run} {skip} {coverage_opt} {test_run_arg} -args {osversion} {platform} {major_version} {arch} {flavor} {cws_supported_osversion} {keep_stacks}'
args = {
"go_mod": "mod",
@@ -107,6 +109,8 @@ def run(
"osversion": f"-osversion {osversion}" if osversion else '',
"platform": f"-platform {platform}" if platform else '',
"arch": f"-arch {arch}" if arch else '',
+ "flavor": f"-flavor {flavor}" if flavor else '',
+ "major_version": f"-major-version {major_version}" if major_version else '',
"cws_supported_osversion": f"-cws-supported-osversion {cws_supported_osversion}"
if cws_supported_osversion
else '',
diff --git a/tasks/release.py b/tasks/release.py
index 30f44f3679a49..e8fd6a2663f26 100644
--- a/tasks/release.py
+++ b/tasks/release.py
@@ -18,7 +18,7 @@
from .libs.common.user_interactions import yes_no_question
from .libs.version import Version
from .modules import DEFAULT_MODULES
-from .pipeline import run
+from .pipeline import edit_schedule, run
from .utils import (
DEFAULT_BRANCH,
GITHUB_REPO_NAME,
@@ -37,6 +37,12 @@
UNFREEZE_REPO_AGENT = "datadog-agent"
UNFREEZE_REPOS = [UNFREEZE_REPO_AGENT, "omnibus-software", "omnibus-ruby", "datadog-agent-macos-build"]
+RELEASE_JSON_FIELDS_TO_UPDATE = [
+ "INTEGRATIONS_CORE_VERSION",
+ "OMNIBUS_SOFTWARE_VERSION",
+ "OMNIBUS_RUBY_VERSION",
+ "MACOS_BUILD_VERSION",
+]
@task
@@ -766,9 +772,13 @@ def __get_force_option(force: bool) -> str:
return force_option
-def __tag_single_module(ctx, module, agent_version, commit, push, force_option):
+def __tag_single_module(ctx, module, agent_version, commit, push, force_option, devel):
"""Tag a given module."""
for tag in module.tag(agent_version):
+
+ if devel:
+ tag += "-devel"
+
ok = try_git_command(
ctx,
f"git tag -m {tag} {tag} {commit}{force_option}",
@@ -783,7 +793,7 @@ def __tag_single_module(ctx, module, agent_version, commit, push, force_option):
@task
-def tag_modules(ctx, agent_version, commit="HEAD", verify=True, push=True, force=False):
+def tag_modules(ctx, agent_version, commit="HEAD", verify=True, push=True, force=False, devel=False):
"""
Create tags for Go nested modules for a given Datadog Agent version.
The version should be given as an Agent 7 version.
@@ -792,6 +802,7 @@ def tag_modules(ctx, agent_version, commit="HEAD", verify=True, push=True, force
* --verify checks for correctness on the Agent version (on by default).
* --push will push the tags to the origin remote (on by default).
* --force will allow the task to overwrite existing tags. Needed to move existing tags (off by default).
+ * --devel will create -devel tags (used after creation of the release branch)
Examples:
inv -e release.tag-modules 7.27.0 # Create tags and push them to origin
@@ -806,13 +817,13 @@ def tag_modules(ctx, agent_version, commit="HEAD", verify=True, push=True, force
for module in DEFAULT_MODULES.values():
# Skip main module; this is tagged at tag_version via __tag_single_module.
if module.should_tag and module.path != ".":
- __tag_single_module(ctx, module, agent_version, commit, push, force_option)
+ __tag_single_module(ctx, module, agent_version, commit, push, force_option, devel)
print(f"Created module tags for version {agent_version}")
@task
-def tag_version(ctx, agent_version, commit="HEAD", verify=True, push=True, force=False):
+def tag_version(ctx, agent_version, commit="HEAD", verify=True, push=True, force=False, devel=False):
"""
Create tags for a given Datadog Agent version.
The version should be given as an Agent 7 version.
@@ -821,6 +832,7 @@ def tag_version(ctx, agent_version, commit="HEAD", verify=True, push=True, force
* --verify checks for correctness on the Agent version (on by default).
* --push will push the tags to the origin remote (on by default).
* --force will allow the task to overwrite existing tags. Needed to move existing tags (off by default).
+ * --devel will create -devel tags (used after creation of the release branch)
Examples:
inv -e release.tag-version 7.27.0 # Create tags and push them to origin
@@ -832,10 +844,16 @@ def tag_version(ctx, agent_version, commit="HEAD", verify=True, push=True, force
# Always tag the main module
force_option = __get_force_option(force)
- __tag_single_module(ctx, DEFAULT_MODULES["."], agent_version, commit, push, force_option)
+ __tag_single_module(ctx, DEFAULT_MODULES["."], agent_version, commit, push, force_option, devel)
print(f"Created tags for version {agent_version}")
+@task
+def tag_devel(ctx, agent_version, commit="HEAD", verify=True, push=True, force=False):
+ tag_version(ctx, agent_version, commit, verify, push, force, devel=True)
+ tag_modules(ctx, agent_version, commit, verify, push, force, devel=True)
+
+
def current_version(ctx, major_version) -> Version:
return _create_version_from_match(VERSION_RE.search(get_version(ctx, major_version=major_version)))
@@ -1232,7 +1250,7 @@ def _get_release_json_value(key):
return release_json
-def create_release_branch(ctx, repo, release_branch, base_directory="~/dd", upstream="origin"):
+def create_and_update_release_branch(ctx, repo, release_branch, base_directory="~/dd", upstream="origin"):
# Perform branch out in all required repositories
with ctx.cd(f"{base_directory}/{repo}"):
# Step 1 - Create a local branch out from the default branch
@@ -1245,11 +1263,31 @@ def create_release_branch(ctx, repo, release_branch, base_directory="~/dd", upst
ctx.run(f"git checkout -b {release_branch}")
if repo == UNFREEZE_REPO_AGENT:
+ # Step 1.1 - In datadog-agent repo update base_branch and nightly builds entries
rj = _load_release_json()
+
rj["base_branch"] = release_branch
+
+ for nightly in ["nightly", "nightly-a7"]:
+ for field in RELEASE_JSON_FIELDS_TO_UPDATE:
+ rj[nightly][field] = f"{release_branch}"
+
_save_release_json(rj)
- ctx.run("git add release.json")
- ok = try_git_command(ctx, f"git commit -m 'Set base_branch to {release_branch}'")
+
+ # Step 1.2 - In datadog-agent repo update gitlab-ci.yaml jobs
+ with open(".gitlab-ci.yml", "r") as gl:
+ file_content = gl.readlines()
+
+ with open(".gitlab-ci.yml", "w") as gl:
+ for line in file_content:
+ if re.search(r"compare_to: main", line):
+ gl.write(line.replace("main", f"{release_branch}"))
+ else:
+ gl.write(line)
+
+ # Step 1.3 - Commit new changes
+ ctx.run("git add release.json .gitlab-ci.yml")
+ ok = try_git_command(ctx, f"git commit -m 'Update release.json and .gitlab-ci.yml with {release_branch}'")
if not ok:
raise Exit(
color_message(
@@ -1274,13 +1312,13 @@ def create_release_branch(ctx, repo, release_branch, base_directory="~/dd", upst
@task(help={'upstream': "Remote repository name (default 'origin')"})
-def unfreeze(ctx, base_directory="~/dd", major_versions="6,7", upstream="origin", redo=False):
+def unfreeze(ctx, base_directory="~/dd", major_versions="6,7", upstream="origin"):
"""
Performs set of tasks required for the main branch unfreeze during the agent release cycle.
That includes:
- - creates a release branch in datadog-agent, omnibus-ruby and omnibus-software repositories,
- - pushes an empty commit on the datadog-agent main branch,
- - creates devel tags in the datadog-agent repository on the empty commit from the last step.
+ - creates a release branch in datadog-agent, datadog-agent-macos, omnibus-ruby and omnibus-software repositories,
+ - updates release.json on new datadog-agent branch to point to newly created release branches in nightly section
+ - updates entries in .gitlab-ci.yml which depend on local branch name
Notes:
base_directory - path to the directory where dd repos are cloned, defaults to ~/dd, but can be overwritten.
@@ -1300,7 +1338,6 @@ def unfreeze(ctx, base_directory="~/dd", major_versions="6,7", upstream="origin"
# Strings with proper branch/tag names
release_branch = current.branch()
- devel_tag = str(next)
# Step 0: checks
@@ -1317,47 +1354,30 @@ def unfreeze(ctx, base_directory="~/dd", major_versions="6,7", upstream="origin"
):
raise Exit(color_message("Aborting.", "red"), code=1)
- # Step 1: Create release branch
for repo in UNFREEZE_REPOS:
- create_release_branch(ctx, repo, release_branch, base_directory=base_directory)
+ create_and_update_release_branch(ctx, repo, release_branch, base_directory=base_directory, upstream=upstream)
- print(color_message("Creating empty commit for devel tags", "bold"))
- with ctx.cd(f"{base_directory}/datadog-agent"):
- ctx.run("git checkout main")
- ok = try_git_command(ctx, "git commit --allow-empty -m 'Empty commit for next release devel tags'")
- if not ok:
- raise Exit(
- color_message(
- "Could not create commit. Please commit manually, push the commit manually to the main branch.",
- "red",
- ),
- code=1,
- )
- print(color_message("Pushing new commit", "bold"))
- res = ctx.run(f"git push {upstream}", warn=True)
- if res.exited is None or res.exited > 0:
- raise Exit(
- color_message(
- f"Could not push commit to the upstream '{upstream}'. Please push it manually.",
- "red",
- ),
- code=1,
- )
-
- # Step 3: Create tags for next version
- print(color_message(f"Creating devel tags for agent version(s) {list_major_versions}", "bold"))
- print(
- color_message("If commit signing is enabled, you will have to make sure each tag gets properly signed.", "bold")
- )
-
- tag_version(ctx, devel_tag, tag_modules=False, push=True, force=redo)
+def _update_last_stable(_, version, major_versions="6,7"):
+ """
+ Updates the last_release field(s) of release.json
+ """
+ release_json = _load_release_json()
+ list_major_versions = parse_major_versions(major_versions)
+ # If the release isn't a RC, update the last stable release field
+ for major in list_major_versions:
+ version.major = major
+ release_json['last_stable'][str(major)] = str(version)
+ _save_release_json(release_json)
@task
-def update_last_stable(_, major_versions="6,7"):
+def cleanup(ctx):
"""
- Updates the last_release field(s) of release.json
+ Perform the post release cleanup steps
+ Currently this:
+ - Updates the scheduled nightly pipeline to target the new stable branch
+ - Updates the release.json last_stable fields
"""
gh = GithubAPI('datadog/datadog-agent')
latest_release = gh.latest_release()
@@ -1365,14 +1385,8 @@ def update_last_stable(_, major_versions="6,7"):
if not match:
raise Exit(f'Unexpected version fetched from github {latest_release}', code=1)
version = _create_version_from_match(match)
-
- release_json = _load_release_json()
- list_major_versions = parse_major_versions(major_versions)
- # If the release isn't a RC, update the last stable release field
- for major in list_major_versions:
- version.major = major
- release_json['last_stable'][str(major)] = str(version)
- _save_release_json(release_json)
+ _update_last_stable(ctx, version)
+ edit_schedule(ctx, 2555, ref=version.branch())
@task
diff --git a/tasks/security_agent.py b/tasks/security_agent.py
index a573ac657b19b..5978a076baf4c 100644
--- a/tasks/security_agent.py
+++ b/tasks/security_agent.py
@@ -697,6 +697,11 @@ def generate_cws_proto(ctx):
f"protoc -I. {plugin_opts} --go_out=paths=source_relative:. --go-vtproto_out=. --go-vtproto_opt=features=marshal+unmarshal+size --go-grpc_out=paths=source_relative:. pkg/security/proto/api/api.proto"
)
+ # EBPFLESS
+ ctx.run(
+ f"protoc -I. {plugin_opts} --go_out=paths=source_relative:. --go-vtproto_out=. --go-vtproto_opt=features=marshal+unmarshal+size --go-grpc_out=paths=source_relative:. pkg/security/proto/ebpfless/service.proto"
+ )
+
for path in glob.glob("pkg/security/**/*.pb.go", recursive=True):
print(f"replacing protoc version in {path}")
with open(path) as f:
diff --git a/tasks/unit-tests/testdata/fake_gitlab-ci.yml b/tasks/unit-tests/testdata/fake_gitlab-ci.yml
index 44a2db553df03..2b54fe1966c6b 100644
--- a/tasks/unit-tests/testdata/fake_gitlab-ci.yml
+++ b/tasks/unit-tests/testdata/fake_gitlab-ci.yml
@@ -906,6 +906,7 @@ workflow:
- test/kitchen/site-cookbooks/dd-system-probe-check/**/*
- test/kitchen/test/integration/system-probe-test/**/*
- test/kitchen/test/integration/win-sysprobe-test/**/*
+ - .gitlab/functional_test/system_probe_windows.yml
- .gitlab/functional_test_sysprobe/system_probe.yml
- .gitlab/kernel_version_testing/system_probe.yml
- test/new-e2e/system-probe/**/*
diff --git a/test/new-e2e/go.mod b/test/new-e2e/go.mod
index 4e7fa0db8059c..f7ec0801f565b 100644
--- a/test/new-e2e/go.mod
+++ b/test/new-e2e/go.mod
@@ -22,7 +22,7 @@ require (
// `TEST_INFRA_DEFINITIONS_BUILDIMAGES` matches the commit sha in the module version
// Example: github.com/DataDog/test-infra-definitions v0.0.0-YYYYMMDDHHmmSS-0123456789AB
// => TEST_INFRA_DEFINITIONS_BUILDIMAGES: 0123456789AB
- github.com/DataDog/test-infra-definitions v0.0.0-20231122132756-2edaabddf28b
+ github.com/DataDog/test-infra-definitions v0.0.0-20231129092443-a60850d5606e
github.com/aws/aws-sdk-go-v2 v1.22.1
github.com/aws/aws-sdk-go-v2/config v1.18.40
github.com/aws/aws-sdk-go-v2/service/ec2 v1.130.0
@@ -35,7 +35,7 @@ require (
github.com/google/uuid v1.3.1
github.com/kr/pretty v0.3.1
github.com/pkg/sftp v1.13.6
- github.com/pulumi/pulumi/sdk/v3 v3.83.0
+ github.com/pulumi/pulumi/sdk/v3 v3.84.0
github.com/samber/lo v1.38.1
github.com/sethvargo/go-retry v0.2.4
github.com/stretchr/testify v1.8.5-0.20231013065317-89920137cdfa
@@ -162,10 +162,10 @@ require (
github.com/pkg/term v1.1.0 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/pulumi/pulumi-aws/sdk/v5 v5.42.0 // indirect
- github.com/pulumi/pulumi-awsx/sdk v1.0.5 // indirect
- github.com/pulumi/pulumi-command/sdk v0.9.0 // indirect
+ github.com/pulumi/pulumi-awsx/sdk v1.0.6 // indirect
+ github.com/pulumi/pulumi-command/sdk v0.9.2 // indirect
github.com/pulumi/pulumi-docker/sdk/v3 v3.6.1 // indirect
- github.com/pulumi/pulumi-eks/sdk v1.0.2 // indirect
+ github.com/pulumi/pulumi-eks/sdk v1.0.4 // indirect
github.com/pulumi/pulumi-kubernetes/sdk/v3 v3.30.2 // indirect
github.com/pulumi/pulumi-libvirt/sdk v0.4.0 // indirect
// pulumi-random v4.14.0 uses GO 1.21:
@@ -203,7 +203,7 @@ require (
golang.org/x/tools v0.11.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20230731190214-cbb8c96f2d6d // indirect
- google.golang.org/grpc v1.57.0 // indirect
+ google.golang.org/grpc v1.57.1 // indirect
google.golang.org/protobuf v1.31.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
@@ -222,3 +222,5 @@ require (
sigs.k8s.io/yaml v1.3.0 // indirect
sourcegraph.com/sourcegraph/appdash v0.0.0-20211028080628-e2786a622600 // indirect
)
+
+require github.com/pulumi/pulumi-tls/sdk/v4 v4.10.0 // indirect
diff --git a/test/new-e2e/go.sum b/test/new-e2e/go.sum
index aae5c8269c8fa..c5f52da5f7155 100644
--- a/test/new-e2e/go.sum
+++ b/test/new-e2e/go.sum
@@ -12,8 +12,8 @@ github.com/DataDog/datadog-api-client-go/v2 v2.15.0 h1:5UVON1xs6Lul4d6R5TmLDqqSJ
github.com/DataDog/datadog-api-client-go/v2 v2.15.0/go.mod h1:ZG8wS+y2rUmkRDJZQq7Og7EAPFPage+7vXcmuah2I9o=
github.com/DataDog/mmh3 v0.0.0-20200805151601-30884ca2197a h1:m9REhmyaWD5YJ0P53ygRHxKKo+KM+nw+zz0hEdKztMo=
github.com/DataDog/mmh3 v0.0.0-20200805151601-30884ca2197a/go.mod h1:SvsjzyJlSg0rKsqYgdcFxeEVflx3ZNAyFfkUHP0TxXg=
-github.com/DataDog/test-infra-definitions v0.0.0-20231122132756-2edaabddf28b h1:QadnsziPvqo8SIX6jfDKcLKZM64WuDPD87/uwThSgeE=
-github.com/DataDog/test-infra-definitions v0.0.0-20231122132756-2edaabddf28b/go.mod h1:eyJ09i8Y8Ofu1gsfNJzL6VtIbLY0MR1atqxsculv4Lo=
+github.com/DataDog/test-infra-definitions v0.0.0-20231129092443-a60850d5606e h1:yVjfUFnwtxqppiAnlQbQcGt6wQ9hqaRoI72+HP690OE=
+github.com/DataDog/test-infra-definitions v0.0.0-20231129092443-a60850d5606e/go.mod h1:P6FDz6Iyki8kX1WoDln5U+3kVLC+QzRi7FIzauuZ6jM=
github.com/DataDog/zstd v1.5.2 h1:vUG4lAyuPCXO0TLbXvPv7EB7cNK1QV/luu55UHLrrn8=
github.com/DataDog/zstd v1.5.2/go.mod h1:g4AWEaM3yOg3HYfnJ3YIawPnVdXJh9QME85blwSAmyw=
github.com/DataDog/zstd_0 v0.0.0-20210310093942-586c1286621f h1:5Vuo4niPKFkfwW55jV4vY0ih3VQ9RaQqeqY67fvRn8A=
@@ -437,15 +437,15 @@ github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40T
github.com/pulumi/pulumi-aws/sdk/v5 v5.31.0/go.mod h1:axXtUAYEclH+SVqr/QmWFzMfJchxrrPiyMrywCcMF9A=
github.com/pulumi/pulumi-aws/sdk/v5 v5.42.0 h1:QdJvPoUklXdNL8faCOuCrv7qmMNp68jiewbGH8ZboUU=
github.com/pulumi/pulumi-aws/sdk/v5 v5.42.0/go.mod h1:qFeKTFSNIlMHotu9ntOWFjJBHtCiUhJeaiUB/0nVwXk=
-github.com/pulumi/pulumi-awsx/sdk v1.0.5 h1:9iGZYh1tkZb7Op2TpuYiAY4Tflt4U9332K2QvuZj4G4=
-github.com/pulumi/pulumi-awsx/sdk v1.0.5/go.mod h1:3oPWzeHq0zMg70zF4B/4pkQsR5QEF08+Td63hfhwCok=
+github.com/pulumi/pulumi-awsx/sdk v1.0.6 h1:oUan8VgA/pqEmbS2vXhh5Zbn7Lhs6yX5bPMzM03QuMI=
+github.com/pulumi/pulumi-awsx/sdk v1.0.6/go.mod h1:2H8uPHxZbfsIg9qr6yAfiIuvNnhBUqyhxw/8mXNLDFg=
github.com/pulumi/pulumi-azure-native-sdk v1.104.0 h1:vyD4PvKSOkwL1z9WTis3ZE9XC73UM/7AyMNek4Vm1+E=
-github.com/pulumi/pulumi-command/sdk v0.9.0 h1:YD2MMFO6caMiaBc+DIXwcGXsvuxsU2f2n3zLapltslE=
-github.com/pulumi/pulumi-command/sdk v0.9.0/go.mod h1:jZaG2y3ZXEtsFKarNVva7jhAWCiaDgZMbKPfcetlA8o=
+github.com/pulumi/pulumi-command/sdk v0.9.2 h1:2siCFR8pS2sSwXkeWiLrprGEtBL54FsHTzdyl125UuI=
+github.com/pulumi/pulumi-command/sdk v0.9.2/go.mod h1:VeUXTI/iTgKVjRChRJbLRlBVGxAH+uymscfwzBC2VqY=
github.com/pulumi/pulumi-docker/sdk/v3 v3.6.1 h1:plWLn9O6u80Vr37LoCsckyobBfcrdTU9cERor72QjqA=
github.com/pulumi/pulumi-docker/sdk/v3 v3.6.1/go.mod h1:N4Yu4c49QErfucPt9Y/fGmpTryRqc0VfhyKHsGR9/g8=
-github.com/pulumi/pulumi-eks/sdk v1.0.2 h1:Kg+AwcuME7adnFiIDZogdAf//vIGDmhGP6PHL7lddEc=
-github.com/pulumi/pulumi-eks/sdk v1.0.2/go.mod h1:UwT4cRUztFr1//bOp0ACe3Cb3HOzRlX8sYz1psPWHHM=
+github.com/pulumi/pulumi-eks/sdk v1.0.4 h1:j2tul6k0oZHDQwHU+75Jo8Qe4neYxv2hNpo5uanywrQ=
+github.com/pulumi/pulumi-eks/sdk v1.0.4/go.mod h1:eSRoTIxvvu+uyc4tXo//TCsE9qD/DUx+OSLiyZvRB/A=
github.com/pulumi/pulumi-kubernetes/sdk/v3 v3.17.0/go.mod h1:w+Y1d8uqc+gv7JYWLF4rfzvTsIIHR1SCL+GG6sX1xMM=
github.com/pulumi/pulumi-kubernetes/sdk/v3 v3.30.2 h1:xJu48+RW+BHHnKtBni6Vj5vKqOEgCzdZAysGbh6tVM0=
github.com/pulumi/pulumi-kubernetes/sdk/v3 v3.30.2/go.mod h1:7yCJFC/jnUwFs566f0FAY2iAzc4G1mQP8H6K+40FK4Y=
@@ -453,10 +453,12 @@ github.com/pulumi/pulumi-libvirt/sdk v0.4.0 h1:wq1Ox8FRKQ1kc2DPq3m5DGQgZEhE7kp4m
github.com/pulumi/pulumi-libvirt/sdk v0.4.0/go.mod h1:tjjyDajp6Pb1pRCdaIugknIfzxw3Prev3o/k2nade+I=
github.com/pulumi/pulumi-random/sdk/v4 v4.13.4 h1:g3jdktE5L5IDrOw4OiB+yhgxSw0okRPJnyV6PlIzTEQ=
github.com/pulumi/pulumi-random/sdk/v4 v4.13.4/go.mod h1:cFlJw0eQnqN+62QpITEF9M08gVyzNCeXrKRsuJptFak=
+github.com/pulumi/pulumi-tls/sdk/v4 v4.10.0 h1:4MC0GyEomAjEZJPXEzBZpZ4+TOUg5WE77k38tMDIvS0=
+github.com/pulumi/pulumi-tls/sdk/v4 v4.10.0/go.mod h1:tNXsM/+RsiVVmBdzJMOOp6gMoi3sPko5u0FKdiei+cE=
github.com/pulumi/pulumi/sdk/v3 v3.16.0/go.mod h1:252ou/zAU1g6E8iTwe2Y9ht7pb5BDl2fJlOuAgZCHiA=
github.com/pulumi/pulumi/sdk/v3 v3.50.1/go.mod h1:tqQ4z9ocyM/UI2VQ7ZReWR3w6dF5ffEozoHipOMcDh4=
-github.com/pulumi/pulumi/sdk/v3 v3.83.0 h1:Qjek0K/GaHYAMahMR5m5v/JWQuWg6eG0M/7swy9Ls8U=
-github.com/pulumi/pulumi/sdk/v3 v3.83.0/go.mod h1:RMilNNVMlmK1h4Nl/qylb9vzbgh4F3mufZoUOnPy98o=
+github.com/pulumi/pulumi/sdk/v3 v3.84.0 h1:/vCRj6ATGVZw4pFmG7pZgjlKUcnbbnb9vmlqd+OpdXo=
+github.com/pulumi/pulumi/sdk/v3 v3.84.0/go.mod h1:RMilNNVMlmK1h4Nl/qylb9vzbgh4F3mufZoUOnPy98o=
github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
@@ -737,8 +739,8 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac
google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw=
-google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
+google.golang.org/grpc v1.57.1 h1:upNTNqv0ES+2ZOOqACwVtS3Il8M12/+Hz41RCPzAjQg=
+google.golang.org/grpc v1.57.1/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
diff --git a/test/new-e2e/pkg/utils/e2e/client/agent.go b/test/new-e2e/pkg/utils/e2e/client/agent.go
index 2edb3460c2628..ea2e871fb9e9b 100644
--- a/test/new-e2e/pkg/utils/e2e/client/agent.go
+++ b/test/new-e2e/pkg/utils/e2e/client/agent.go
@@ -58,11 +58,4 @@ type Agent interface {
// Retries every 100 ms up to timeout.
// Returns error on failure.
waitForReadyTimeout(timeout time.Duration) error
-
- // WaitAgentLogs waits for the agent log corresponding to the pattern
- // agent-name can be: datadog-agent, system-probe, security-agent
- // pattern: is the log that we are looking for
- // Retries every 500 ms up to timeout.
- // Returns error on failure.
- WaitAgentLogs(agentName string, pattern string) error
}
diff --git a/test/new-e2e/pkg/utils/e2e/client/agent_cmd_runner.go b/test/new-e2e/pkg/utils/e2e/client/agent_cmd_runner.go
index 6366dee03cd95..216c84084a9cf 100644
--- a/test/new-e2e/pkg/utils/e2e/client/agent_cmd_runner.go
+++ b/test/new-e2e/pkg/utils/e2e/client/agent_cmd_runner.go
@@ -7,7 +7,6 @@ package client
import (
"errors"
- "fmt"
"strings"
"testing"
"time"
@@ -158,22 +157,3 @@ func (agent *agentCommandRunner) waitForReadyTimeout(timeout time.Duration) erro
}, backoff.WithMaxRetries(backoff.NewConstantBackOff(interval), uint64(maxRetries)))
return err
}
-
-// WaitAgentLogs waits for the agent log corresponding to the pattern
-// agent-name can be: datadog-agent, system-probe, security-agent
-// pattern: is the log that we are looking for
-// Retries every 500 ms up to timeout.
-// Returns error on failure.
-func (agent *agentCommandRunner) WaitAgentLogs(agentName string, pattern string) error {
- err := backoff.Retry(func() error {
- output, err := agent.executeAgentCmdWithError([]string{fmt.Sprintf("cat /var/log/datadog/%s.log", agentName)})
- if err != nil {
- return err
- }
- if strings.Contains(output, pattern) {
- return nil
- }
- return errors.New("no log found")
- }, backoff.WithMaxRetries(backoff.NewConstantBackOff(500*time.Millisecond), 60))
- return err
-}
diff --git a/test/new-e2e/pkg/utils/infra/stack_manager.go b/test/new-e2e/pkg/utils/infra/stack_manager.go
index ae79321270848..8f12645b53e53 100644
--- a/test/new-e2e/pkg/utils/infra/stack_manager.go
+++ b/test/new-e2e/pkg/utils/infra/stack_manager.go
@@ -248,14 +248,9 @@ func buildWorkspace(ctx context.Context, profile runner.Profile, stackName strin
Description: pulumi.StringRef("E2E Test inline project"),
StackConfigDir: stackName,
Config: map[string]workspace.ProjectConfigType{
- // We should always disable default providers
- // Disabling all known except AWS due to https://github.com/pulumi/pulumi-eks/pull/886
+ // Always disable
"pulumi:disable-default-providers": {
- Value: []string{"kubernetes", "azure-native", "awsx", "eks"},
- },
- // Required in CI due to https://github.com/pulumi/pulumi-eks/pull/886
- "aws:skipMetadataApiCheck": {
- Value: "false",
+ Value: []string{"*"},
},
},
}
diff --git a/test/new-e2e/system-probe/config/vmconfig-arm64.json b/test/new-e2e/system-probe/config/vmconfig-arm64.json
index 1565b3d59f9ef..045a20eda7380 100644
--- a/test/new-e2e/system-probe/config/vmconfig-arm64.json
+++ b/test/new-e2e/system-probe/config/vmconfig-arm64.json
@@ -67,9 +67,14 @@
"image_source": "https://dd-agent-omnibus.s3.amazonaws.com/kernel-version-testing/rootfs/master/debian-12-generic-arm64.qcow2.xz"
},
{
- "dir": "CentOS-7-aarch64-GenericCloud-2211.qcow2",
+ "dir": "centos-7.9-arm64.qcow2",
"tag": "centos_79",
- "image_source": "https://dd-agent-omnibus.s3.amazonaws.com/kernel-version-testing/rootfs/master/CentOS-7-aarch64-GenericCloud-2211.qcow2.xz"
+ "image_source": "https://dd-agent-omnibus.s3.amazonaws.com/kernel-version-testing/rootfs/master/centos-7.9-arm64.qcow2.xz"
+ },
+ {
+ "dir": "centos-8-arm64.qcow2",
+ "tag": "centos_8",
+ "image_source": "https://dd-agent-omnibus.s3.amazonaws.com/kernel-version-testing/rootfs/master/centos-8-arm64.qcow2.xz"
}
],
"machine": "virt",
diff --git a/test/new-e2e/system-probe/config/vmconfig-x64.json b/test/new-e2e/system-probe/config/vmconfig-x64.json
index 510ce5665b08d..39ac353d57072 100644
--- a/test/new-e2e/system-probe/config/vmconfig-x64.json
+++ b/test/new-e2e/system-probe/config/vmconfig-x64.json
@@ -72,9 +72,14 @@
"image_source": "https://dd-agent-omnibus.s3.amazonaws.com/kernel-version-testing/rootfs/master/debian-12-generic-amd64.qcow2.xz"
},
{
- "dir": "CentOS-7-x86_64-GenericCloud-2211.qcow2",
+ "dir": "centos-7.9-x86_64.qcow2",
"tag": "centos_79",
- "image_source": "https://dd-agent-omnibus.s3.amazonaws.com/kernel-version-testing/rootfs/master/CentOS-7-x86_64-GenericCloud-2211.qcow2.xz"
+ "image_source": "https://dd-agent-omnibus.s3.amazonaws.com/kernel-version-testing/rootfs/master/centos-7.9-x86_64.qcow2.xz"
+ },
+ {
+ "dir": "centos-8-x86_64.qcow2",
+ "tag": "centos_8",
+ "image_source": "https://dd-agent-omnibus.s3.amazonaws.com/kernel-version-testing/rootfs/master/centos-8-x86_64.qcow2.xz"
}
],
"vcpu": [
diff --git a/test/new-e2e/system-probe/system-probe-test-env.go b/test/new-e2e/system-probe/system-probe-test-env.go
index 0841428ba4d45..c3a7002d37d7b 100644
--- a/test/new-e2e/system-probe/system-probe-test-env.go
+++ b/test/new-e2e/system-probe/system-probe-test-env.go
@@ -228,7 +228,9 @@ func NewTestEnv(name, x86InstanceType, armInstanceType string, opts *SystemProbe
}, opts.FailOnMissing)
if err != nil {
return handleScenarioFailure(err, func(possibleError handledError) {
- if possibleError.errorType == insufficientCapacityError {
+ // handle the following errors by trying in a different availability zone
+ if possibleError.errorType == insufficientCapacityError ||
+ possibleError.errorType == ec2StateChangeTimeoutError {
currentAZ++
}
})
diff --git a/test/new-e2e/tests/agent-platform/common/agent_behaviour.go b/test/new-e2e/tests/agent-platform/common/agent_behaviour.go
index 9c70da51cb487..79d5ce4af7698 100644
--- a/test/new-e2e/tests/agent-platform/common/agent_behaviour.go
+++ b/test/new-e2e/tests/agent-platform/common/agent_behaviour.go
@@ -58,6 +58,20 @@ func CheckAgentBehaviour(t *testing.T, client *TestClient) {
})
}
+// CheckDogstatdAgentBehaviour runs tests to check the agent behave properly with dogstatsd
+func CheckDogstatdAgentBehaviour(t *testing.T, client *TestClient) {
+ t.Run("dogstatsd service running", func(tt *testing.T) {
+ _, err := client.SvcManager.Status("datadog-dogstatsd")
+ require.NoError(tt, err, "dogstatsd service should be running")
+ })
+
+ t.Run("dogstatsd config file exists", func(tt *testing.T) {
+ _, err := client.FileManager.FileExists(fmt.Sprintf("%s/%s", client.Helper.GetConfigFolder(), "dogstatsd.yaml"))
+ require.NoError(tt, err, "dogstatsd config file should be present")
+ })
+
+}
+
// CheckAgentStops runs tests to check the agent can stop properly
func CheckAgentStops(t *testing.T, client *TestClient) {
t.Run("stops", func(tt *testing.T) {
@@ -90,6 +104,33 @@ func CheckAgentStops(t *testing.T, client *TestClient) {
})
}
+// CheckDogstatsdAgentStops runs tests to check the agent can stop properly
+func CheckDogstatsdAgentStops(t *testing.T, client *TestClient) {
+ t.Run("stops", func(tt *testing.T) {
+ _, err := client.SvcManager.Stop("datadog-dogstatsd")
+ require.NoError(tt, err)
+
+ _, err = client.SvcManager.Status("datadog-dogstatsd")
+ require.Error(tt, err, "datadog-dogstatsd service should be stopped")
+ })
+
+ t.Run("no running processes", func(tt *testing.T) {
+ dogstatsdProcesses := []string{"datadog-dogstatsd"}
+ for _, process := range dogstatsdProcesses {
+ _, err := client.VMClient.ExecuteWithError(fmt.Sprintf("pgrep -f %s", process))
+ require.Error(tt, err, fmt.Sprintf("process %s should not be running", process))
+ }
+ })
+
+ t.Run("starts after stop", func(tt *testing.T) {
+ _, err := client.SvcManager.Start("datadog-dogstatsd")
+ require.NoError(tt, err)
+
+ _, err = client.SvcManager.Status("datadog-dogstatsd")
+ require.NoError(tt, err, "datadog-dogstatsd should be running")
+ })
+}
+
// CheckAgentRestarts runs tests to check the agent can restart properly
func CheckAgentRestarts(t *testing.T, client *TestClient) {
@@ -116,6 +157,32 @@ func CheckAgentRestarts(t *testing.T, client *TestClient) {
})
}
+// CheckDogstatsdAgentRestarts runs tests to check the agent can restart properly
+func CheckDogstatsdAgentRestarts(t *testing.T, client *TestClient) {
+
+ t.Run("restart when stopped", func(tt *testing.T) {
+ _, err := client.SvcManager.Stop("datadog-dogstatsd")
+ require.NoError(tt, err)
+
+ _, err = client.SvcManager.Restart("datadog-dogstatsd")
+ require.NoError(tt, err)
+
+ _, err = client.SvcManager.Status("datadog-dogstatsd")
+ require.NoError(tt, err, "datadog-dogstatsd should restart when stopped")
+ })
+
+ t.Run("restart when running", func(tt *testing.T) {
+ _, err := client.SvcManager.Start("datadog-dogstatsd")
+ require.NoError(tt, err)
+
+ _, err = client.SvcManager.Restart("datadog-dogstatsd")
+ require.NoError(tt, err)
+
+ _, err = client.SvcManager.Status("datadog-dogstatsd")
+ require.NoError(tt, err, "datadog-dogstatsd should restart when running")
+ })
+}
+
// CheckAgentPython runs tests to check the agent use the correct python version
func CheckAgentPython(t *testing.T, client *TestClient, version string) {
t.Run(fmt.Sprintf("set python version %s and restarts", version), func(tt *testing.T) {
diff --git a/test/new-e2e/tests/agent-platform/common/agent_install.go b/test/new-e2e/tests/agent-platform/common/agent_install.go
index 59060591f26fa..0586df80bc564 100644
--- a/test/new-e2e/tests/agent-platform/common/agent_install.go
+++ b/test/new-e2e/tests/agent-platform/common/agent_install.go
@@ -19,7 +19,7 @@ func CheckInstallation(t *testing.T, client *TestClient) {
t.Run("example config file", func(tt *testing.T) {
- exampleFilePath := client.Helper.GetConfigFolder() + "datadog.yaml.example"
+ exampleFilePath := client.Helper.GetConfigFolder() + fmt.Sprintf("%s.example", client.Helper.GetConfigFileName())
_, err := client.FileManager.FileExists(exampleFilePath)
require.NoError(tt, err, "Example config file should be present")
@@ -46,7 +46,7 @@ func CheckInstallation(t *testing.T, client *TestClient) {
func CheckInstallationInstallScript(t *testing.T, client *TestClient) {
t.Run("site config attribute", func(tt *testing.T) {
- configFilePath := client.Helper.GetConfigFolder() + "datadog.yaml"
+ configFilePath := client.Helper.GetConfigFolder() + client.Helper.GetConfigFileName()
var configYAML map[string]any
config, err := client.FileManager.ReadFile(configFilePath)
@@ -78,15 +78,15 @@ func CheckInstallationInstallScript(t *testing.T, client *TestClient) {
}
// CheckUninstallation runs check to see if the agent uninstall properly
-func CheckUninstallation(t *testing.T, client *TestClient) {
+func CheckUninstallation(t *testing.T, client *TestClient, packageName string) {
t.Run("remove the agent", func(tt *testing.T) {
- _, err := client.PkgManager.Remove("datadog-agent")
+ _, err := client.PkgManager.Remove(packageName)
require.NoError(tt, err, "should uninstall the agent")
})
t.Run("no agent process running", func(tt *testing.T) {
- agentProcesses := []string{"datadog-agent", "system-probe", "security-agent"}
+ agentProcesses := []string{client.Helper.GetServiceName(), "system-probe", "security-agent"}
for _, process := range agentProcesses {
_, err := client.VMClient.ExecuteWithError(fmt.Sprintf("pgrep -f %s", process))
require.Error(tt, err, fmt.Sprintf("process %s should not be running", process))
diff --git a/test/new-e2e/tests/agent-platform/common/helper/unix.go b/test/new-e2e/tests/agent-platform/common/helper/unix.go
index 42bd9cf5bdfe5..81ac9cc8e3329 100644
--- a/test/new-e2e/tests/agent-platform/common/helper/unix.go
+++ b/test/new-e2e/tests/agent-platform/common/helper/unix.go
@@ -6,9 +6,13 @@
// Package helper implement interfaces to get some information that can be OS specific
package helper
+import "github.com/DataDog/datadog-agent/test/new-e2e/tests/agent-platform/common"
+
// Unix implement helper function for Unix distributions
type Unix struct{}
+var _ common.Helper = (*Unix)(nil)
+
// NewUnixHelper create a new instance of Unix helper
func NewUnixHelper() *Unix { return &Unix{} }
@@ -20,3 +24,32 @@ func (u *Unix) GetConfigFolder() string { return "/etc/datadog-agent/" }
// GetBinaryPath return the datadog-agent binary path
func (u *Unix) GetBinaryPath() string { return "/usr/bin/datadog-agent" }
+
+// GetConfigFileName return the config file name
+func (u *Unix) GetConfigFileName() string { return "datadog.yaml" }
+
+// GetServiceName return the service name
+func (u *Unix) GetServiceName() string { return "datadog-agent" }
+
+// UnixDogstatsd implement helper function for Dogstatsd on Unix distributions
+type UnixDogstatsd struct{}
+
+var _ common.Helper = (*UnixDogstatsd)(nil)
+
+// NewUnixDogstatsdHelper create a new instance of Unix helper for dogstatsd
+func NewUnixDogstatsdHelper() *UnixDogstatsd { return &UnixDogstatsd{} }
+
+// GetInstallFolder return the install folder path
+func (u *UnixDogstatsd) GetInstallFolder() string { return "/opt/datadog-dogstatsd/" }
+
+// GetConfigFolder return the config folder path
+func (u *UnixDogstatsd) GetConfigFolder() string { return "/etc/datadog-dogstatsd/" }
+
+// GetBinaryPath return the datadog-agent binary path
+func (u *UnixDogstatsd) GetBinaryPath() string { return "/usr/bin/datadog-dogstatsd" }
+
+// GetConfigFileName return the config file name
+func (u *UnixDogstatsd) GetConfigFileName() string { return "dogstatsd.yaml" }
+
+// GetServiceName return the service name
+func (u *UnixDogstatsd) GetServiceName() string { return "datadog-dogstatsd" }
diff --git a/test/new-e2e/tests/agent-platform/common/pkg-manager/yum.go b/test/new-e2e/tests/agent-platform/common/pkg-manager/yum.go
new file mode 100644
index 0000000000000..59712a1156ba4
--- /dev/null
+++ b/test/new-e2e/tests/agent-platform/common/pkg-manager/yum.go
@@ -0,0 +1,25 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+package pkgmanager
+
+import (
+ e2eClient "github.com/DataDog/datadog-agent/test/new-e2e/pkg/utils/e2e/client"
+)
+
+// YumPackageManager struct for the Yum package manager
+type YumPackageManager struct {
+ vmClient e2eClient.VM
+}
+
+// NewYumPackageManager return yum package manager
+func NewYumPackageManager(vmClient e2eClient.VM) *YumPackageManager {
+ return &YumPackageManager{vmClient: vmClient}
+}
+
+// Remove executes remove command from yum
+func (s *YumPackageManager) Remove(pkg string) (string, error) {
+ return s.vmClient.ExecuteWithError("sudo yum remove -y " + pkg)
+}
diff --git a/test/new-e2e/tests/agent-platform/common/test_client.go b/test/new-e2e/tests/agent-platform/common/test_client.go
index 4a3df56de3eac..18505d7e1da43 100644
--- a/test/new-e2e/tests/agent-platform/common/test_client.go
+++ b/test/new-e2e/tests/agent-platform/common/test_client.go
@@ -43,6 +43,8 @@ type Helper interface {
GetInstallFolder() string
GetConfigFolder() string
GetBinaryPath() string
+ GetConfigFileName() string
+ GetServiceName() string
}
func getServiceManager(vmClient e2eClient.VM) ServiceManager {
@@ -56,6 +58,10 @@ func getPackageManager(vmClient e2eClient.VM) PackageManager {
if _, err := vmClient.ExecuteWithError("command -v apt"); err == nil {
return pkgmanager.NewAptPackageManager(vmClient)
}
+
+ if _, err := vmClient.ExecuteWithError("command -v yum"); err == nil {
+ return pkgmanager.NewYumPackageManager(vmClient)
+ }
return nil
}
diff --git a/test/new-e2e/tests/agent-platform/install-script/install_script_test.go b/test/new-e2e/tests/agent-platform/install-script/install_script_test.go
index e73699fc19bc5..0dd15c909d838 100644
--- a/test/new-e2e/tests/agent-platform/install-script/install_script_test.go
+++ b/test/new-e2e/tests/agent-platform/install-script/install_script_test.go
@@ -32,7 +32,9 @@ import (
var osVersion = flag.String("osversion", "", "os version to test")
var platform = flag.String("platform", "", "platform to test")
var cwsSupportedOsVersion = flag.String("cws-supported-osversion", "", "list of os where CWS is supported")
-var architecture = flag.String("arch", "", "architecture to test (x86_64, arm64))")
+var architecture = flag.String("arch", "x86_64", "architecture to test (x86_64, arm64))")
+var flavor = flag.String("flavor", "datadog-agent", "flavor to test (datadog-agent, datadog-iot-agent, datadog-dogstatsd, datadog-fips-proxy, datadog-heroku-agent)")
+var majorVersion = flag.String("major-version", "7", "major version to test (6, 7)")
type installScriptSuite struct {
e2e.Suite[e2e.VMEnv]
@@ -74,36 +76,95 @@ func TestInstallScript(t *testing.T) {
}
}
- t.Run(fmt.Sprintf("test install script on %s %s", osVers, *architecture), func(tt *testing.T) {
+ t.Run(fmt.Sprintf("test install script on %s %s %s agent %s", osVers, *architecture, *flavor, *majorVersion), func(tt *testing.T) {
tt.Parallel()
fmt.Printf("Testing %s", osVers)
- e2e.Run(tt, &installScriptSuite{cwsSupported: cwsSupported}, e2e.EC2VMStackDef(ec2params.WithImageName(platformJSON[*platform][*architecture][osVers], archMapping[*architecture], osMapping[*platform])), params.WithStackName(fmt.Sprintf("install-script-test-%v-%v-%s", os.Getenv("CI_PIPELINE_ID"), osVers, *architecture)))
+ e2e.Run(tt, &installScriptSuite{cwsSupported: cwsSupported}, e2e.EC2VMStackDef(ec2params.WithImageName(platformJSON[*platform][*architecture][osVers], archMapping[*architecture], osMapping[*platform])), params.WithStackName(fmt.Sprintf("install-script-test-%v-%v-%s-%s-%v", os.Getenv("CI_PIPELINE_ID"), osVers, *architecture, *flavor, *majorVersion)))
})
}
}
func (is *installScriptSuite) TestInstallAgent() {
+ switch *flavor {
+ case "datadog-agent":
+ is.AgentTest("datadog-agent")
+ case "datadog-heroku-agent":
+ is.AgentTest("datadog-heroku-agent")
+ case "datadog-iot-agent":
+ is.IotAgentTest()
+ case "datadog-dogstatsd":
+ is.DogstatsdAgentTest()
+ }
+}
+
+func (is *installScriptSuite) AgentTest(flavor string) {
fileManager := filemanager.NewUnixFileManager(is.Env().VM)
- unixHelper := helpers.NewUnixHelper()
+
vm := is.Env().VM.(*client.PulumiStackVM)
agentClient, err := client.NewAgentClient(is.T(), vm, vm.GetOS(), false)
require.NoError(is.T(), err)
+
+ unixHelper := helpers.NewUnixHelper()
client := common.NewTestClient(is.Env().VM, agentClient, fileManager, unixHelper)
- install.Unix(is.T(), client, installparams.WithArch(*architecture))
+ install.Unix(is.T(), client, installparams.WithArch(*architecture), installparams.WithFlavor(flavor), installparams.WithMajorVersion(*majorVersion))
common.CheckInstallation(is.T(), client)
common.CheckAgentBehaviour(is.T(), client)
common.CheckAgentStops(is.T(), client)
common.CheckAgentRestarts(is.T(), client)
common.CheckIntegrationInstall(is.T(), client)
+ if *majorVersion == "6" {
+ common.CheckAgentPython(is.T(), client, "2")
+ }
common.CheckAgentPython(is.T(), client, "3")
common.CheckApmEnabled(is.T(), client)
common.CheckApmDisabled(is.T(), client)
- if is.cwsSupported {
+ if flavor == "datadog-agent" && is.cwsSupported {
common.CheckCWSBehaviour(is.T(), client)
}
common.CheckInstallationInstallScript(is.T(), client)
- common.CheckUninstallation(is.T(), client)
+ common.CheckUninstallation(is.T(), client, flavor)
+
+}
+
+func (is *installScriptSuite) IotAgentTest() {
+ fileManager := filemanager.NewUnixFileManager(is.Env().VM)
+
+ vm := is.Env().VM.(*client.PulumiStackVM)
+ agentClient, err := client.NewAgentClient(is.T(), vm, vm.GetOS(), false)
+ require.NoError(is.T(), err)
+
+ unixHelper := helpers.NewUnixHelper()
+ client := common.NewTestClient(is.Env().VM, agentClient, fileManager, unixHelper)
+
+ install.Unix(is.T(), client, installparams.WithArch(*architecture), installparams.WithFlavor(*flavor))
+ common.CheckInstallation(is.T(), client)
+ common.CheckAgentBehaviour(is.T(), client)
+ common.CheckAgentStops(is.T(), client)
+ common.CheckAgentRestarts(is.T(), client)
+
+ common.CheckInstallationInstallScript(is.T(), client)
+ common.CheckUninstallation(is.T(), client, "datadog-iot-agent")
+}
+
+func (is *installScriptSuite) DogstatsdAgentTest() {
+ fileManager := filemanager.NewUnixFileManager(is.Env().VM)
+
+ vm := is.Env().VM.(*client.PulumiStackVM)
+ agentClient, err := client.NewAgentClient(is.T(), vm, vm.GetOS(), false)
+ require.NoError(is.T(), err)
+
+ unixHelper := helpers.NewUnixDogstatsdHelper()
+ client := common.NewTestClient(is.Env().VM, agentClient, fileManager, unixHelper)
+
+ install.Unix(is.T(), client, installparams.WithArch(*architecture), installparams.WithFlavor(*flavor))
+
+ common.CheckInstallation(is.T(), client)
+ common.CheckDogstatdAgentBehaviour(is.T(), client)
+ common.CheckDogstatsdAgentStops(is.T(), client)
+ common.CheckDogstatsdAgentRestarts(is.T(), client)
+ common.CheckInstallationInstallScript(is.T(), client)
+ common.CheckUninstallation(is.T(), client, "datadog-dogstatsd")
}
diff --git a/test/new-e2e/tests/agent-platform/install/install.go b/test/new-e2e/tests/agent-platform/install/install.go
index e9a359697f8f5..e6d73cf7abe76 100644
--- a/test/new-e2e/tests/agent-platform/install/install.go
+++ b/test/new-e2e/tests/agent-platform/install/install.go
@@ -21,6 +21,7 @@ func Unix(t *testing.T, client *common.TestClient, options ...installparams.Opti
params := installparams.NewParams(options...)
commandLine := ""
+
if params.PipelineID != "" {
testEnvVars := []string{}
testEnvVars = append(testEnvVars, "TESTING_APT_URL=apttesting.datad0g.com")
@@ -36,8 +37,12 @@ func Unix(t *testing.T, client *common.TestClient, options ...installparams.Opti
commandLine = fmt.Sprintf("DD_AGENT_MAJOR_VERSION=%s", params.MajorVersion)
}
+ if params.Flavor != "" {
+ commandLine += fmt.Sprintf(" DD_AGENT_FLAVOR=%s ", params.Flavor)
+ }
+
t.Run("Installing the agent", func(tt *testing.T) {
- cmd := fmt.Sprintf(`DD_API_KEY="aaaaaaaaaa" %v DD_SITE="datadoghq.eu" bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)"`, commandLine)
+ cmd := fmt.Sprintf(`DD_API_KEY="aaaaaaaaaa" %v DD_SITE="datadoghq.eu" bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent%v.sh)"`, commandLine, params.MajorVersion)
output, err := client.VMClient.ExecuteWithError(cmd)
tt.Log(output)
require.NoError(tt, err, "agent installation should not return any error: ", err)
diff --git a/test/new-e2e/tests/agent-platform/install/installparams/install_params.go b/test/new-e2e/tests/agent-platform/install/installparams/install_params.go
index dc136bfd84da2..b70b1c911b854 100644
--- a/test/new-e2e/tests/agent-platform/install/installparams/install_params.go
+++ b/test/new-e2e/tests/agent-platform/install/installparams/install_params.go
@@ -19,6 +19,7 @@ type Params struct {
PipelineID string
MajorVersion string
Arch string
+ Flavor string
}
// Option alias to a functional option changing a given Params instance
@@ -54,3 +55,10 @@ func WithArch(arch string) Option {
p.Arch = arch
}
}
+
+// WithFlavor specify the flavor to use when installing the agent
+func WithFlavor(flavor string) Option {
+ return func(p *Params) {
+ p.Flavor = flavor
+ }
+}
diff --git a/test/new-e2e/tests/agent-platform/platforms/platforms.json b/test/new-e2e/tests/agent-platform/platforms/platforms.json
index f76961cd49a50..4f086ca81f654 100644
--- a/test/new-e2e/tests/agent-platform/platforms/platforms.json
+++ b/test/new-e2e/tests/agent-platform/platforms/platforms.json
@@ -1,7 +1,7 @@
{
"debian": {
"x86_64": {
- "debian-9": "ami-0272fcfb8ca47d813",
+ "debian-9": "ami-099d228beefd189f5",
"debian-10": "ami-041540a5c191757a0",
"debian-11": "ami-09e24b0cfe072ecef",
"debian-12": "ami-06db4d78cb1d3bbf9"
@@ -11,5 +11,19 @@
"debian-11": "ami-03ea090ddd75eb738",
"debian-12": "ami-02aab8d5301cb8d68"
}
+ },
+ "amazonlinux": {
+ "x86_64": {
+ "amazonlinux2-4-14": "ami-038b3df3312ddf25d",
+ "amazonlinux2-5-10": "ami-06a0cd9728546d178",
+ "amazonlinux2022-5-15": "ami-0309aede310b9cc1f",
+ "amazonlinux2023": "ami-0889a44b331db0194"
+ },
+ "arm64": {
+ "amazonlinux2-4-14": "ami-090230ed0c6b13c74",
+ "amazonlinux2-5-10": "ami-09e51988f56677f44",
+ "amazonlinux2022-5-15": "ami-0a8495f6303122235",
+ "amazonlinux2023": "ami-08fc6fb8ad2e794bb"
+ }
}
}
diff --git a/test/new-e2e/tests/agent-shared-components/forwarder/nss_failover_test.go b/test/new-e2e/tests/agent-shared-components/forwarder/nss_failover_test.go
index 3664c914be38b..e25bc212bf7ff 100644
--- a/test/new-e2e/tests/agent-shared-components/forwarder/nss_failover_test.go
+++ b/test/new-e2e/tests/agent-shared-components/forwarder/nss_failover_test.go
@@ -31,6 +31,7 @@ import (
fi "github.com/DataDog/datadog-agent/test/fakeintake/client"
"github.com/DataDog/datadog-agent/test/new-e2e/pkg/utils/e2e"
"github.com/DataDog/datadog-agent/test/new-e2e/pkg/utils/e2e/client"
+ "github.com/DataDog/datadog-agent/test/new-e2e/pkg/utils/e2e/params"
)
type multiFakeIntakeEnv struct {
@@ -109,21 +110,7 @@ type multiFakeIntakeSuite struct {
}
func TestMultiFakeintakeSuite(t *testing.T) {
- e2e.Run(t, &multiFakeIntakeSuite{}, multiFakeintakeStackDef())
-}
-
-// SetupSuite waits for both fakeintakes to be ready before running tests.
-func (v *multiFakeIntakeSuite) SetupSuite() {
- v.Suite.SetupSuite() // need to call the original definition of SetupSuite
-
- fakeintake1 := v.Env().Fakeintake1
- fakeintake2 := v.Env().Fakeintake2
-
- // Wait for the fakeintakes to be ready to avoid 503
- require.EventuallyWithT(v.T(), func(c *assert.CollectT) {
- assert.NoError(c, fakeintake1.GetServerHealth())
- assert.NoError(c, fakeintake2.GetServerHealth())
- }, intakeMaxWaitTime, intakeTick)
+ e2e.Run(t, &multiFakeIntakeSuite{}, multiFakeintakeStackDef(), params.WithStackName("mystack000"))
}
// TestNSSFailover tests that the agent correctly picks-up an NSS change of the intake.
@@ -165,7 +152,6 @@ func (v *multiFakeIntakeSuite) TestNSSFailover() {
v.UpdateEnv(multiFakeintakeStackDef(agentOptions...))
// check that fakeintake1 is used as intake and not fakeintake2
- v.T().Logf("checking that the agent contacts main intake at %s", fakeintake1IP)
v.requireIntakeIsUsed(v.Env().Fakeintake1, intakeMaxWaitTime, intakeTick)
v.requireIntakeNotUsed(v.Env().Fakeintake2, intakeMaxWaitTime, intakeTick)
@@ -175,7 +161,6 @@ func (v *multiFakeIntakeSuite) TestNSSFailover() {
setHostEntry(v.T(), v.Env().VM, intakeName, fakeintake2IP)
// check that fakeintake2 is used as intake and not fakeintake1
- v.T().Logf("checking that the agent contacts fallback intake at %s", fakeintake2IP)
intakeMaxWaitTime := connectionResetInterval*time.Second + intakeMaxWaitTime
v.requireIntakeIsUsed(v.Env().Fakeintake2, intakeMaxWaitTime, intakeTick)
v.requireIntakeNotUsed(v.Env().Fakeintake1, intakeMaxWaitTime, intakeTick)
@@ -204,6 +189,7 @@ func (v *multiFakeIntakeSuite) requireIntakeIsUsed(intake *client.Fakeintake, in
assert.NoError(t, err)
}
+ v.T().Logf("checking that the agent contacts intake at %s", intake.URL())
require.EventuallyWithT(v.T(), checkFn, intakeMaxWaitTime, intakeTick)
}
@@ -228,7 +214,8 @@ func (v *multiFakeIntakeSuite) requireIntakeNotUsed(intake *client.Fakeintake, i
assert.Empty(t, stats)
}
- require.EventuallyWithT(v.T(), checkFn, intakeMaxWaitTime, intakeTick+intakeUnusedWaitTime)
+ v.T().Logf("checking that the agent doesn't contact intake at %s", intake.URL())
+ require.EventuallyWithT(v.T(), checkFn, intakeMaxWaitTime, intakeTick)
}
// setHostEntry adds an entry in /etc/hosts for the given hostname and hostIP
diff --git a/test/new-e2e/tests/agent-subcommands/flare/flare_common_test.go b/test/new-e2e/tests/agent-subcommands/flare/flare_common_test.go
index 0d77396c32cd0..473697c806dd5 100644
--- a/test/new-e2e/tests/agent-subcommands/flare/flare_common_test.go
+++ b/test/new-e2e/tests/agent-subcommands/flare/flare_common_test.go
@@ -9,13 +9,12 @@ package flare
import (
_ "embed"
"testing"
- "time"
+
+ "github.com/stretchr/testify/require"
"github.com/DataDog/datadog-agent/test/fakeintake/client/flare"
"github.com/DataDog/datadog-agent/test/new-e2e/pkg/utils/e2e"
"github.com/DataDog/datadog-agent/test/new-e2e/pkg/utils/e2e/client"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
)
type baseFlareSuite struct {
@@ -39,11 +38,6 @@ func (v *baseFlareSuite) TestFlareDefaultFiles() {
}
func requestAgentFlareAndFetchFromFakeIntake(t *testing.T, agent client.Agent, fakeintake *client.Fakeintake, flareArgs ...client.AgentArgsOption) flare.Flare {
- // Wait for the fakeintake to be ready to avoid 503 when sending the flare
- assert.EventuallyWithT(t, func(c *assert.CollectT) {
- assert.NoError(c, fakeintake.Client.GetServerHealth())
- }, 5*time.Minute, 20*time.Second)
-
_ = agent.Flare(flareArgs...)
flare, err := fakeintake.Client.GetLatestFlare()
diff --git a/test/new-e2e/tests/containers/ecs_test.go b/test/new-e2e/tests/containers/ecs_test.go
index 78b050d052d03..a351237a799a4 100644
--- a/test/new-e2e/tests/containers/ecs_test.go
+++ b/test/new-e2e/tests/containers/ecs_test.go
@@ -202,6 +202,24 @@ func (suite *ecsSuite) TestNginx() {
Service: "apps-nginx-server",
},
Expect: testLogExpectArgs{
+ Tags: &[]string{
+ `^cluster_name:` + regexp.QuoteMeta(suite.ecsClusterName) + `$`,
+ `^container_id:`,
+ `^container_name:ecs-.*-nginx-ec2-`,
+ `^docker_image:ghcr.io/datadog/apps-nginx-server:main$`,
+ `^ecs_cluster_name:` + regexp.QuoteMeta(suite.ecsClusterName) + `$`,
+ `^ecs_container_name:nginx$`,
+ `^git.commit.sha:`, // org.opencontainers.image.revision docker image label
+ `^git.repository_url:https://github.com/DataDog/test-infra-definitions$`, // org.opencontainers.image.source docker image label
+ `^image_id:sha256:`,
+ `^image_name:ghcr.io/datadog/apps-nginx-server$`,
+ `^image_tag:main$`,
+ `^short_image:apps-nginx-server$`,
+ `^task_arn:arn:`,
+ `^task_family:.*-nginx-ec2$`,
+ `^task_name:.*-nginx-ec2$`,
+ `^task_version:[[:digit:]]+$`,
+ },
Message: `GET / HTTP/1\.1`,
},
})
@@ -242,6 +260,22 @@ func (suite *ecsSuite) TestRedis() {
Service: "redis",
},
Expect: testLogExpectArgs{
+ Tags: &[]string{
+ `^cluster_name:` + regexp.QuoteMeta(suite.ecsClusterName) + `$`,
+ `^container_id:`,
+ `^container_name:ecs-.*-redis-ec2-`,
+ `^docker_image:redis:latest$`,
+ `^ecs_cluster_name:` + regexp.QuoteMeta(suite.ecsClusterName) + `$`,
+ `^ecs_container_name:redis$`,
+ `^image_id:sha256:`,
+ `^image_name:redis$`,
+ `^image_tag:latest$`,
+ `^short_image:redis$`,
+ `^task_arn:arn:`,
+ `^task_family:.*-redis-ec2$`,
+ `^task_name:.*-redis-ec2$`,
+ `^task_version:[[:digit:]]+$`,
+ },
Message: `oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo`,
},
})
diff --git a/test/new-e2e/tests/containers/k8s_test.go b/test/new-e2e/tests/containers/k8s_test.go
index ac72a955cdbf8..452a37c0965b7 100644
--- a/test/new-e2e/tests/containers/k8s_test.go
+++ b/test/new-e2e/tests/containers/k8s_test.go
@@ -78,9 +78,26 @@ func (suite *k8sSuite) TearDownSuite() {
// and to have the following tests with a smaller timeout.
//
// Inside a testify test suite, tests are executed in alphabetical order.
-// The 00 in Test00UpAndRunning is here to guarantee that this test, waiting for the agent pods to be ready
+// The 00 in Test00UpAndRunning is here to guarantee that this test, waiting for the agent pods to be ready,
// is run first.
func (suite *k8sSuite) Test00UpAndRunning() {
+ suite.testUpAndRunning(5 * time.Minute)
+}
+
+// An agent restart (because of a health probe failure or because of a OOM kill for ex.)
+// can cause a completely random failure on a completely random test.
+// A metric can be fully missing if the agent is restarted when the metric is checked.
+// Only a subset of tags can be missing if the agent has just restarted, but not all the
+// collectors have finished to feed workload meta and the tagger.
+// So, checking if any agent has restarted during the tests can be valuable for investigations.
+//
+// Inside a testify test suite, tests are executed in alphabetical order.
+// The ZZ in TestZZUpAndRunning is here to guarantee that this test, is run last.
+func (suite *k8sSuite) TestZZUpAndRunning() {
+ suite.testUpAndRunning(1 * time.Minute)
+}
+
+func (suite *k8sSuite) testUpAndRunning(waitFor time.Duration) {
ctx := context.Background()
suite.Run("agent pods are ready and not restarting", func() {
@@ -156,9 +173,12 @@ func (suite *k8sSuite) Test00UpAndRunning() {
}
}
}
- }, 5*time.Minute, 10*time.Second, "Not all agents eventually became ready in time.")
+ }, waitFor, 10*time.Second, "Not all agents eventually became ready in time.")
})
+}
+func (suite *k8sSuite) TestVersion() {
+ ctx := context.Background()
versionExtractor := regexp.MustCompile(`Commit: ([[:xdigit:]]+)`)
for _, tt := range []struct {
@@ -198,10 +218,15 @@ func (suite *k8sSuite) Test00UpAndRunning() {
suite.Emptyf(stderr, "Standard error of `agent version` should be empty,")
match := versionExtractor.FindStringSubmatch(stdout)
if suite.Equalf(2, len(match), "'Commit' not found in the output of `agent version`.") {
- if len(GitCommit) == 10 && len(match[1]) == 7 {
- suite.Equalf(GitCommit[:7], match[1], "Agent isn’t running the expected version")
- } else {
- suite.Equalf(GitCommit, match[1], "Agent isn’t running the expected version")
+ if suite.Greaterf(len(GitCommit), 6, "Couldn’t guess the expected version of the agent.") &&
+ suite.Greaterf(len(match[1]), 6, "Couldn’t find the version of the agent.") {
+
+ size2compare := len(GitCommit)
+ if len(match[1]) < size2compare {
+ size2compare = len(match[1])
+ }
+
+ suite.Equalf(GitCommit[:size2compare], match[1][:size2compare], "Agent isn’t running the expected version")
}
}
}
@@ -223,7 +248,7 @@ func (suite *k8sSuite) TestNginx() {
`^container_name:nginx$`,
`^display_container_name:nginx`,
`^git\.commit\.sha:`, // org.opencontainers.image.revision docker image label
- `^git\.repository_url:https://github\.com/DataDog/test-infra-definitions$`, // org.opencontainers.image.source docker image label
+ `^git\.repository_url:https://github\.com/DataDog/test-infra-definitions$`, // org.opencontainers.image.source docker image label
`^image_id:ghcr\.io/datadog/apps-nginx-server@sha256:`,
`^image_name:ghcr\.io/datadog/apps-nginx-server$`,
`^image_tag:main$`,
@@ -288,6 +313,29 @@ func (suite *k8sSuite) TestNginx() {
Service: "apps-nginx-server",
},
Expect: testLogExpectArgs{
+ Tags: &[]string{
+ `^container_id:`,
+ `^container_name:nginx$`,
+ `^dirname:/var/log/pods/workload-nginx_nginx-`,
+ `^display_container_name:nginx`,
+ `^filename:[[:digit:]]+.log$`,
+ `^git\.commit\.sha:`, // org.opencontainers.image.revision docker image label
+ `^git\.repository_url:https://github\.com/DataDog/test-infra-definitions$`, // org.opencontainers.image.source docker image label
+ `^image_id:ghcr.io/datadog/apps-nginx-server@sha256:`,
+ `^image_name:ghcr.io/datadog/apps-nginx-server$`,
+ `^image_tag:main$`,
+ `^kube_container_name:nginx$`,
+ `^kube_deployment:nginx$`,
+ `^kube_namespace:workload-nginx$`,
+ `^kube_ownerref_kind:replicaset$`,
+ `^kube_ownerref_name:nginx-[[:alnum:]]+$`,
+ `^kube_qos:Burstable$`,
+ `^kube_replica_set:nginx-[[:alnum:]]+$`,
+ `^kube_service:nginx$`,
+ `^pod_name:nginx-[[:alnum:]]+-[[:alnum:]]+$`,
+ `^pod_phase:running$`,
+ `^short_image:apps-nginx-server$`,
+ },
Message: `GET / HTTP/1\.1`,
},
})
@@ -358,6 +406,27 @@ func (suite *k8sSuite) TestRedis() {
Service: "redis",
},
Expect: testLogExpectArgs{
+ Tags: &[]string{
+ `^container_id:`,
+ `^container_name:redis$`,
+ `^dirname:/var/log/pods/workload-redis_redis-`,
+ `^display_container_name:redis`,
+ `^filename:[[:digit:]]+.log$`,
+ `^image_id:docker.io/library/redis@sha256:`,
+ `^image_name:redis$`,
+ `^image_tag:latest$`,
+ `^kube_container_name:redis$`,
+ `^kube_deployment:redis$`,
+ `^kube_namespace:workload-redis$`,
+ `^kube_ownerref_kind:replicaset$`,
+ `^kube_ownerref_name:redis-[[:alnum:]]+$`,
+ `^kube_qos:Burstable$`,
+ `^kube_replica_set:redis-[[:alnum:]]+$`,
+ `^kube_service:redis$`,
+ `^pod_name:redis-[[:alnum:]]+-[[:alnum:]]+$`,
+ `^pod_phase:running$`,
+ `^short_image:redis$`,
+ },
Message: `oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo`,
},
})
diff --git a/test/new-e2e/tests/cws/config/e2e-system-probe.yaml b/test/new-e2e/tests/cws/config/e2e-system-probe.yaml
index 1345b623f037a..31e438063b8f6 100644
--- a/test/new-e2e/tests/cws/config/e2e-system-probe.yaml
+++ b/test/new-e2e/tests/cws/config/e2e-system-probe.yaml
@@ -1,7 +1,6 @@
system_probe_config:
- enabled: true
log_level: trace
runtime_security_config:
enabled: true
log_patterns:
- - module.APIServer.*"
\ No newline at end of file
+ - module.APIServer.*"
diff --git a/test/new-e2e/tests/cws/e2e_cws_test.go b/test/new-e2e/tests/cws/e2e_cws_test.go
index 6a4d888ed4c63..ed29149b127cf 100644
--- a/test/new-e2e/tests/cws/e2e_cws_test.go
+++ b/test/new-e2e/tests/cws/e2e_cws_test.go
@@ -7,12 +7,14 @@ package cws
import (
_ "embed"
+ "errors"
"fmt"
"strconv"
"strings"
"testing"
"time"
+ "github.com/cenkalti/backoff"
"github.com/google/uuid"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@@ -27,7 +29,7 @@ import (
type agentSuite struct {
e2e.Suite[e2e.AgentEnv]
- apiClient cws.MyAPIClient
+ apiClient *cws.APIClient
signalRuleID string
agentRuleID string
dirname string
@@ -48,7 +50,6 @@ var systemProbeConfig string
var securityAgentConfig string
func TestAgentSuite(t *testing.T) {
-
e2e.Run(t, &agentSuite{}, e2e.AgentStackDef(
e2e.WithVMParams(ec2params.WithName("cws-e2e-tests")),
e2e.WithAgentParams(
@@ -60,19 +61,18 @@ func TestAgentSuite(t *testing.T) {
}
func (a *agentSuite) SetupSuite() {
-
// Create temporary directory
tempDir := a.Env().VM.Execute("mktemp -d")
a.dirname = strings.TrimSuffix(tempDir, "\n")
a.filename = fmt.Sprintf("%s/secret", a.dirname)
a.testID = uuid.NewString()[:4]
a.desc = fmt.Sprintf("e2e test rule %s", a.testID)
- a.agentRuleName = fmt.Sprintf("e2e_agent_rule_%s", a.testID)
+ a.agentRuleName = fmt.Sprintf("new_e2e_agent_rule_%s", a.testID)
a.Suite.SetupSuite()
+ a.apiClient = cws.NewAPIClient()
}
func (a *agentSuite) TearDownSuite() {
-
if len(a.signalRuleID) != 0 {
a.apiClient.DeleteSignalRule(a.signalRuleID)
}
@@ -84,8 +84,6 @@ func (a *agentSuite) TearDownSuite() {
}
func (a *agentSuite) TestOpenSignal() {
- a.apiClient = cws.NewAPIClient()
-
// Create CWS Agent rule
rule := fmt.Sprintf("open.file.path == \"%s\"", a.filename)
res, err := a.apiClient.CreateCWSAgentRule(a.agentRuleName, a.desc, rule)
@@ -102,11 +100,11 @@ func (a *agentSuite) TestOpenSignal() {
assert.Equal(a.T(), isReady, true, "Agent should be ready")
// Check if system-probe has started
- err = a.Env().Agent.WaitAgentLogs("system-probe", cws.SystemProbeStartLog)
+ err = a.waitAgentLogs("system-probe", cws.SystemProbeStartLog)
require.NoError(a.T(), err, "system-probe could not start")
// Check if security-agent has started
- err = a.Env().Agent.WaitAgentLogs("security-agent", cws.SecurityStartLog)
+ err = a.waitAgentLogs("security-agent", cws.SecurityStartLog)
require.NoError(a.T(), err, "security-agent could not start")
// Download policies
@@ -117,7 +115,7 @@ func (a *agentSuite) TestOpenSignal() {
require.NoError(a.T(), err, "Could not get APP KEY")
a.EventuallyWithT(func(c *assert.CollectT) {
- policies := a.Env().VM.Execute(fmt.Sprintf("DD_APP_KEY=%s DD_API_KEY=%s DD_SITE=datadoghq.com %s runtime policy download", appKey, apiKey, cws.SecurityAgentPath))
+ policies := a.Env().VM.Execute(fmt.Sprintf("DD_APP_KEY=%s DD_API_KEY=%s %s runtime policy download", appKey, apiKey, cws.SecurityAgentPath))
assert.NotEmpty(c, policies, "should not be empty")
a.policies = policies
}, 5*time.Minute, 10*time.Second)
@@ -145,7 +143,7 @@ func (a *agentSuite) TestOpenSignal() {
a.Env().VM.Execute(fmt.Sprintf("touch %s", a.filename))
// Check agent event
- err = a.Env().Agent.WaitAgentLogs("security-agent", "Successfully posted payload to")
+ err = a.waitAgentLogs("security-agent", "Successfully posted payload to")
require.NoError(a.T(), err, "could not send payload")
// Check app signal
@@ -156,3 +154,17 @@ func (a *agentSuite) TestOpenSignal() {
assert.Contains(a.T(), agentContext["rule_id"], a.agentRuleName, "unable to find tag")
}
+
+func (a *agentSuite) waitAgentLogs(agentName string, pattern string) error {
+ err := backoff.Retry(func() error {
+ output, err := a.Env().VM.ExecuteWithError(fmt.Sprintf("cat /var/log/datadog/%s.log", agentName))
+ if err != nil {
+ return err
+ }
+ if strings.Contains(output, pattern) {
+ return nil
+ }
+ return errors.New("no log found")
+ }, backoff.WithMaxRetries(backoff.NewConstantBackOff(500*time.Millisecond), 60))
+ return err
+}
diff --git a/test/new-e2e/tests/cws/lib/app.go b/test/new-e2e/tests/cws/lib/app.go
index 284cc17acf6b4..d4ab53996e3f1 100644
--- a/test/new-e2e/tests/cws/lib/app.go
+++ b/test/new-e2e/tests/cws/lib/app.go
@@ -15,14 +15,14 @@ import (
"github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
-// MyAPIClient represents the datadog API context
-type MyAPIClient struct {
+// APIClient represents the datadog API context
+type APIClient struct {
api *datadog.APIClient
ctx context.Context
}
// NewAPIClient initialise a client with the API and APP keys
-func NewAPIClient() MyAPIClient {
+func NewAPIClient() *APIClient {
apiKey, _ := runner.GetProfile().SecretStore().Get(parameters.APIKey)
appKey, _ := runner.GetProfile().SecretStore().Get(parameters.APPKey)
ctx := context.WithValue(
@@ -40,15 +40,14 @@ func NewAPIClient() MyAPIClient {
cfg := datadog.NewConfiguration()
- apiClient := MyAPIClient{
+ return &APIClient{
api: datadog.NewAPIClient(cfg),
ctx: ctx,
}
- return apiClient
}
// GetAppLog returns the logs corresponding to the query
-func (c MyAPIClient) GetAppLog(query string) (*datadog.LogsListResponse, error) {
+func (c *APIClient) GetAppLog(query string) (*datadog.LogsListResponse, error) {
sort := datadog.LOGSSORT_TIMESTAMP_ASCENDING
body := datadog.LogsListRequest{
@@ -75,7 +74,7 @@ func (c MyAPIClient) GetAppLog(query string) (*datadog.LogsListResponse, error)
}
// GetAppSignal returns the signal corresponding to the query
-func (c MyAPIClient) GetAppSignal(query string) (*datadog.SecurityMonitoringSignalsListResponse, error) {
+func (c *APIClient) GetAppSignal(query string) (*datadog.SecurityMonitoringSignalsListResponse, error) {
now := time.Now().UTC()
queryFrom := now.Add(-15 * time.Minute)
sort := datadog.SECURITYMONITORINGSIGNALSSORT_TIMESTAMP_ASCENDING
@@ -105,7 +104,7 @@ func (c MyAPIClient) GetAppSignal(query string) (*datadog.SecurityMonitoringSign
}
// CreateCwsSignalRule creates a cws signal rule
-func (c MyAPIClient) CreateCwsSignalRule(name string, msg string, agentRuleID string, tags []string) (*datadog.SecurityMonitoringRuleResponse, error) {
+func (c *APIClient) CreateCwsSignalRule(name string, msg string, agentRuleID string, tags []string) (*datadog.SecurityMonitoringRuleResponse, error) {
if tags == nil {
tags = []string{}
}
@@ -157,8 +156,7 @@ func (c MyAPIClient) CreateCwsSignalRule(name string, msg string, agentRuleID st
}
// CreateCWSAgentRule creates a cws agent rule
-func (c MyAPIClient) CreateCWSAgentRule(name string, msg string, secl string) (*datadog.CloudWorkloadSecurityAgentRuleResponse, error) {
-
+func (c *APIClient) CreateCWSAgentRule(name string, msg string, secl string) (*datadog.CloudWorkloadSecurityAgentRuleResponse, error) {
body := datadog.CloudWorkloadSecurityAgentRuleCreateRequest{
Data: datadog.CloudWorkloadSecurityAgentRuleCreateData{
Attributes: datadog.CloudWorkloadSecurityAgentRuleCreateAttributes{
@@ -180,13 +178,13 @@ func (c MyAPIClient) CreateCWSAgentRule(name string, msg string, secl string) (*
}
// DeleteSignalRule deletes a signal rule
-func (c MyAPIClient) DeleteSignalRule(ruleID string) error {
+func (c *APIClient) DeleteSignalRule(ruleID string) error {
_, err := c.api.SecurityMonitoringApi.DeleteSecurityMonitoringRule(c.ctx, ruleID)
return err
}
// DeleteAgentRule deletes an agent rule
-func (c MyAPIClient) DeleteAgentRule(ruleID string) error {
+func (c *APIClient) DeleteAgentRule(ruleID string) error {
_, err := c.api.CloudWorkloadSecurityApi.DeleteCloudWorkloadSecurityAgentRule(c.ctx, ruleID)
return err
}
diff --git a/test/new-e2e/tests/cws/lib/const.go b/test/new-e2e/tests/cws/lib/const.go
index 8dba4b4819a66..aec74bda98d00 100644
--- a/test/new-e2e/tests/cws/lib/const.go
+++ b/test/new-e2e/tests/cws/lib/const.go
@@ -16,5 +16,5 @@ const (
SecurityAgentPath = "/opt/datadog-agent/embedded/bin/security-agent"
// PoliciesPath is the path of the default runtime security policies
- PoliciesPath = "/etc/datadog-agent/runtime-security.d/default.policy"
+ PoliciesPath = "/etc/datadog-agent/runtime-security.d/test.policy"
)
diff --git a/test/new-e2e/tests/cws/lib/logs.go b/test/new-e2e/tests/cws/lib/logs.go
index f60d5bd8fef3a..eb949f3f70ad8 100644
--- a/test/new-e2e/tests/cws/lib/logs.go
+++ b/test/new-e2e/tests/cws/lib/logs.go
@@ -15,7 +15,7 @@ import (
)
// WaitAppLogs waits for the app log corresponding to the query
-func WaitAppLogs(apiClient MyAPIClient, query string) (*datadog.LogAttributes, error) {
+func WaitAppLogs(apiClient *APIClient, query string) (*datadog.LogAttributes, error) {
query = fmt.Sprintf("host:cws-new-e2e-test-host %s", query)
var resp *datadog.LogAttributes
err := backoff.Retry(func() error {
@@ -33,7 +33,7 @@ func WaitAppLogs(apiClient MyAPIClient, query string) (*datadog.LogAttributes, e
}
// WaitAppSignal waits for the signal corresponding to the query
-func WaitAppSignal(apiClient MyAPIClient, query string) (*datadog.SecurityMonitoringSignalAttributes, error) {
+func WaitAppSignal(apiClient *APIClient, query string) (*datadog.SecurityMonitoringSignalAttributes, error) {
var resp *datadog.SecurityMonitoringSignalAttributes
err := backoff.Retry(func() error {
tmpResp, err := apiClient.GetAppSignal(query)