diff --git a/cmd/security-agent/subcommands/runtime/security_profile.go b/cmd/security-agent/subcommands/runtime/security_profile.go
index ff646e0da558f9..93ea59e09124de 100644
--- a/cmd/security-agent/subcommands/runtime/security_profile.go
+++ b/cmd/security-agent/subcommands/runtime/security_profile.go
@@ -158,6 +158,9 @@ func printActivityTreeStats(prefix string, msg *api.ActivityTreeStatsMessage) {
fmt.Printf("%s file_nodes_count: %v\n", prefix, msg.GetFileNodesCount())
fmt.Printf("%s dns_nodes_count: %v\n", prefix, msg.GetDNSNodesCount())
fmt.Printf("%s socket_nodes_count: %v\n", prefix, msg.GetSocketNodesCount())
+ fmt.Printf("%s imds_nodes_count: %v\n", prefix, msg.GetIMDSNodesCount())
+ fmt.Printf("%s syscall_nodes_count: %v\n", prefix, msg.GetSyscallNodesCount())
+ fmt.Printf("%s flow_nodes_count: %v\n", prefix, msg.GetFlowNodesCount())
}
func printSecurityProfileMessage(msg *api.SecurityProfileMessage) {
diff --git a/docs/cloud-workload-security/backend_linux.schema.json b/docs/cloud-workload-security/backend_linux.schema.json
index b6f9cddc6cbb73..6fd69314463eb4 100644
--- a/docs/cloud-workload-security/backend_linux.schema.json
+++ b/docs/cloud-workload-security/backend_linux.schema.json
@@ -605,6 +605,43 @@
],
"description": "FileEventSerializer serializes a file event to JSON"
},
+ "Flow": {
+ "properties": {
+ "l3_protocol": {
+ "type": "string",
+ "description": "l3_protocol is the layer 3 protocol name"
+ },
+ "l4_protocol": {
+ "type": "string",
+ "description": "l4_protocol is the layer 4 protocol name"
+ },
+ "source": {
+ "$ref": "#/$defs/IPPort",
+ "description": "source is the emitter of the network event"
+ },
+ "destination": {
+ "$ref": "#/$defs/IPPort",
+ "description": "destination is the receiver of the network event"
+ },
+ "ingress": {
+ "$ref": "#/$defs/NetworkStats",
+ "description": "ingress holds the network statistics for ingress traffic"
+ },
+ "egress": {
+ "$ref": "#/$defs/NetworkStats",
+ "description": "egress holds the network statistics for egress traffic"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "required": [
+ "l3_protocol",
+ "l4_protocol",
+ "source",
+ "destination"
+ ],
+ "description": "FlowSerializer defines a new flow serializer"
+ },
"IMDSEvent": {
"properties": {
"type": {
@@ -889,6 +926,10 @@
"size": {
"type": "integer",
"description": "size is the size in bytes of the network event"
+ },
+ "network_direction": {
+ "type": "string",
+ "description": "network_direction indicates if the packet was captured on ingress or egress"
}
},
"additionalProperties": false,
@@ -898,7 +939,8 @@
"l4_protocol",
"source",
"destination",
- "size"
+ "size",
+ "network_direction"
],
"description": "NetworkContextSerializer serializes the network context to JSON"
},
@@ -926,6 +968,43 @@
],
"description": "NetworkDeviceSerializer serializes the network device context to JSON"
},
+ "NetworkFlowMonitor": {
+ "properties": {
+ "device": {
+ "$ref": "#/$defs/NetworkDevice",
+ "description": "device is the network device on which the event was captured"
+ },
+ "flows_count": {
+ "type": "integer",
+ "description": "flows_count holds the count of flows for this event"
+ },
+ "flows": {
+ "items": {
+ "$ref": "#/$defs/Flow"
+ },
+ "type": "array",
+ "description": "flows is the list of flows with network statistics that were captured"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "description": "NetworkFlowMonitorSerializer defines a network monitor event serializer"
+ },
+ "NetworkStats": {
+ "properties": {
+ "data_size": {
+ "type": "integer",
+ "description": "data_size is the total count of bytes sent or received"
+ },
+ "packet_count": {
+ "type": "integer",
+ "description": "packet_count is the total count of packets sent or received"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "description": "NetworkStatsSerializer defines a new network stats serializer"
+ },
"PTraceEvent": {
"properties": {
"request": {
@@ -1359,6 +1438,10 @@
"type": "integer",
"description": "size is the size in bytes of the network event"
},
+ "network_direction": {
+ "type": "string",
+ "description": "network_direction indicates if the packet was captured on ingress or egress"
+ },
"tls": {
"$ref": "#/$defs/TLSContext"
}
@@ -1370,7 +1453,8 @@
"l4_protocol",
"source",
"destination",
- "size"
+ "size",
+ "network_direction"
],
"description": "RawPacketSerializer defines a raw packet serializer"
},
@@ -1769,6 +1853,9 @@
},
"packet": {
"$ref": "#/$defs/RawPacket"
+ },
+ "network_flow_monitor": {
+ "$ref": "#/$defs/NetworkFlowMonitor"
}
},
"additionalProperties": false,
diff --git a/docs/cloud-workload-security/linux_expressions.md b/docs/cloud-workload-security/linux_expressions.md
index 7effc494d89f76..f9c71c93c040a9 100644
--- a/docs/cloud-workload-security/linux_expressions.md
+++ b/docs/cloud-workload-security/linux_expressions.md
@@ -550,6 +550,7 @@ A DNS request was sent
| [`network.device.ifname`](#common-networkdevicecontext-ifname-doc) | Interface ifname |
| [`network.l3_protocol`](#common-networkcontext-l3_protocol-doc) | L3 protocol of the network packet |
| [`network.l4_protocol`](#common-networkcontext-l4_protocol-doc) | L4 protocol of the network packet |
+| [`network.network_direction`](#common-networkcontext-network_direction-doc) | Network direction of the network packet |
| [`network.size`](#common-networkcontext-size-doc) | Size in bytes of the network packet |
| [`network.source.ip`](#common-ipportcontext-ip-doc) | IP address |
| [`network.source.is_public`](#common-ipportcontext-is_public-doc) | Whether the IP address belongs to a public network |
@@ -756,6 +757,7 @@ An IMDS event was captured
| [`network.device.ifname`](#common-networkdevicecontext-ifname-doc) | Interface ifname |
| [`network.l3_protocol`](#common-networkcontext-l3_protocol-doc) | L3 protocol of the network packet |
| [`network.l4_protocol`](#common-networkcontext-l4_protocol-doc) | L4 protocol of the network packet |
+| [`network.network_direction`](#common-networkcontext-network_direction-doc) | Network direction of the network packet |
| [`network.size`](#common-networkcontext-size-doc) | Size in bytes of the network packet |
| [`network.source.ip`](#common-ipportcontext-ip-doc) | IP address |
| [`network.source.is_public`](#common-ipportcontext-is_public-doc) | Whether the IP address belongs to a public network |
@@ -977,6 +979,7 @@ A raw network packet captured
| [`packet.filter`](#packet-filter-doc) | pcap filter expression |
| [`packet.l3_protocol`](#common-networkcontext-l3_protocol-doc) | L3 protocol of the network packet |
| [`packet.l4_protocol`](#common-networkcontext-l4_protocol-doc) | L4 protocol of the network packet |
+| [`packet.network_direction`](#common-networkcontext-network_direction-doc) | Network direction of the network packet |
| [`packet.size`](#common-networkcontext-size-doc) | Size in bytes of the network packet |
| [`packet.source.ip`](#common-ipportcontext-ip-doc) | IP address |
| [`packet.source.is_public`](#common-ipportcontext-is_public-doc) | Whether the IP address belongs to a public network |
@@ -2311,6 +2314,18 @@ exec.file.name == "apt"
Matches the execution of any file named apt.
+### `*.network_direction` {#common-networkcontext-network_direction-doc}
+Type: int
+
+Definition: Network direction of the network packet
+
+`*.network_direction` has 2 possible prefixes:
+`network` `packet`
+
+Constants: [Network directions](#network-directions)
+
+
+
### `*.package.name` {#common-fileevent-package-name-doc}
Type: string
@@ -4236,6 +4251,14 @@ Network Address Family constants are the supported network address families.
| `AF_XDP` | all |
| `AF_MAX` | all |
+### `Network directions` {#network-directions}
+Network directions are the supported directions of network packets.
+
+| Name | Architectures |
+| ---- |---------------|
+| `INGRESS` | all |
+| `EGRESS` | all |
+
### `Open flags` {#open-flags}
Open flags are the supported flags for the open syscall.
diff --git a/docs/cloud-workload-security/secl_linux.json b/docs/cloud-workload-security/secl_linux.json
index b4f480879c3edf..d56432d9558f3e 100644
--- a/docs/cloud-workload-security/secl_linux.json
+++ b/docs/cloud-workload-security/secl_linux.json
@@ -1944,6 +1944,11 @@
"definition": "L4 protocol of the network packet",
"property_doc_link": "common-networkcontext-l4_protocol-doc"
},
+ {
+ "name": "network.network_direction",
+ "definition": "Network direction of the network packet",
+ "property_doc_link": "common-networkcontext-network_direction-doc"
+ },
{
"name": "network.size",
"definition": "Size in bytes of the network packet",
@@ -2896,6 +2901,11 @@
"definition": "L4 protocol of the network packet",
"property_doc_link": "common-networkcontext-l4_protocol-doc"
},
+ {
+ "name": "network.network_direction",
+ "definition": "Network direction of the network packet",
+ "property_doc_link": "common-networkcontext-network_direction-doc"
+ },
{
"name": "network.size",
"definition": "Size in bytes of the network packet",
@@ -3602,6 +3612,90 @@
}
]
},
+ {
+ "name": "network_flow_monitor",
+ "definition": "A network monitor event was sent",
+ "type": "Network",
+ "from_agent_version": "7.62",
+ "experimental": false,
+ "properties": [
+ {
+ "name": "network_flow_monitor.device.ifname",
+ "definition": "Interface ifname",
+ "property_doc_link": "common-networkdevicecontext-ifname-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows.destination.ip",
+ "definition": "IP address",
+ "property_doc_link": "common-ipportcontext-ip-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows.destination.is_public",
+ "definition": "Whether the IP address belongs to a public network",
+ "property_doc_link": "common-ipportcontext-is_public-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows.destination.port",
+ "definition": "Port number",
+ "property_doc_link": "common-ipportcontext-port-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows.egress.data_size",
+ "definition": "Amount of data transmitted or received",
+ "property_doc_link": "common-networkstats-data_size-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows.egress.packet_count",
+ "definition": "Count of network packets transmitted or received",
+ "property_doc_link": "common-networkstats-packet_count-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows.ingress.data_size",
+ "definition": "Amount of data transmitted or received",
+ "property_doc_link": "common-networkstats-data_size-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows.ingress.packet_count",
+ "definition": "Count of network packets transmitted or received",
+ "property_doc_link": "common-networkstats-packet_count-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows.l3_protocol",
+ "definition": "L3 protocol of the network packet",
+ "property_doc_link": "network_flow_monitor-flows-l3_protocol-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows.l4_protocol",
+ "definition": "L4 protocol of the network packet",
+ "property_doc_link": "network_flow_monitor-flows-l4_protocol-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows.length",
+ "definition": "Length of the corresponding element",
+ "property_doc_link": "common-string-length-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows.source.ip",
+ "definition": "IP address",
+ "property_doc_link": "common-ipportcontext-ip-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows.source.is_public",
+ "definition": "Whether the IP address belongs to a public network",
+ "property_doc_link": "common-ipportcontext-is_public-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows.source.port",
+ "definition": "Port number",
+ "property_doc_link": "common-ipportcontext-port-doc"
+ },
+ {
+ "name": "network_flow_monitor.flows_count",
+ "definition": "Number of captured network flows",
+ "property_doc_link": "network_flow_monitor-flows_count-doc"
+ }
+ ]
+ },
{
"name": "open",
"definition": "A file was opened",
@@ -3743,7 +3837,7 @@
},
{
"name": "packet",
- "definition": "A raw network packet captured",
+ "definition": "A raw network packet was captured",
"type": "Network",
"from_agent_version": "7.60",
"experimental": false,
@@ -3783,6 +3877,11 @@
"definition": "L4 protocol of the network packet",
"property_doc_link": "common-networkcontext-l4_protocol-doc"
},
+ {
+ "name": "packet.network_direction",
+ "definition": "Network direction of the network packet",
+ "property_doc_link": "common-networkcontext-network_direction-doc"
+ },
{
"name": "packet.size",
"definition": "Size in bytes of the network packet",
@@ -7752,6 +7851,19 @@
"constants_link": "",
"examples": []
},
+ {
+ "name": "*.data_size",
+ "link": "common-networkstats-data_size-doc",
+ "type": "int",
+ "definition": "Amount of data transmitted or received",
+ "prefixes": [
+ "network_flow_monitor.flows.egress",
+ "network_flow_monitor.flows.ingress"
+ ],
+ "constants": "",
+ "constants_link": "",
+ "examples": []
+ },
{
"name": "*.egid",
"link": "common-credentials-egid-doc",
@@ -8294,6 +8406,7 @@
"definition": "Interface ifname",
"prefixes": [
"network.device",
+ "network_flow_monitor.device",
"packet.device"
],
"constants": "",
@@ -8422,6 +8535,8 @@
"connect.addr",
"network.destination",
"network.source",
+ "network_flow_monitor.flows.destination",
+ "network_flow_monitor.flows.source",
"packet.destination",
"packet.source"
],
@@ -8483,6 +8598,8 @@
"connect.addr",
"network.destination",
"network.source",
+ "network_flow_monitor.flows.destination",
+ "network_flow_monitor.flows.source",
"packet.destination",
"packet.source"
],
@@ -8635,6 +8752,7 @@
"mkdir.file.path",
"mmap.file.name",
"mmap.file.path",
+ "network_flow_monitor.flows",
"open.file.name",
"open.file.path",
"process.ancestors",
@@ -8937,6 +9055,19 @@
}
]
},
+ {
+ "name": "*.network_direction",
+ "link": "common-networkcontext-network_direction-doc",
+ "type": "int",
+ "definition": "Network direction of the network packet",
+ "prefixes": [
+ "network",
+ "packet"
+ ],
+ "constants": "Network directions",
+ "constants_link": "network-directions",
+ "examples": []
+ },
{
"name": "*.package.name",
"link": "common-fileevent-package-name-doc",
@@ -9087,6 +9218,19 @@
"constants_link": "",
"examples": []
},
+ {
+ "name": "*.packet_count",
+ "link": "common-networkstats-packet_count-doc",
+ "type": "int",
+ "definition": "Count of network packets transmitted or received",
+ "prefixes": [
+ "network_flow_monitor.flows.egress",
+ "network_flow_monitor.flows.ingress"
+ ],
+ "constants": "",
+ "constants_link": "",
+ "examples": []
+ },
{
"name": "*.path",
"link": "common-fileevent-path-doc",
@@ -9178,6 +9322,8 @@
"connect.addr",
"network.destination",
"network.source",
+ "network_flow_monitor.flows.destination",
+ "network_flow_monitor.flows.source",
"packet.destination",
"packet.source"
],
@@ -10396,6 +10542,42 @@
"constants_link": "virtual-memory-flags",
"examples": []
},
+ {
+ "name": "network_flow_monitor.flows.l3_protocol",
+ "link": "network_flow_monitor-flows-l3_protocol-doc",
+ "type": "int",
+ "definition": "L3 protocol of the network packet",
+ "prefixes": [
+ "network_flow_monitor.flows"
+ ],
+ "constants": "L3 protocols",
+ "constants_link": "l3-protocols",
+ "examples": []
+ },
+ {
+ "name": "network_flow_monitor.flows.l4_protocol",
+ "link": "network_flow_monitor-flows-l4_protocol-doc",
+ "type": "int",
+ "definition": "L4 protocol of the network packet",
+ "prefixes": [
+ "network_flow_monitor.flows"
+ ],
+ "constants": "L4 protocols",
+ "constants_link": "l4-protocols",
+ "examples": []
+ },
+ {
+ "name": "network_flow_monitor.flows_count",
+ "link": "network_flow_monitor-flows_count-doc",
+ "type": "int",
+ "definition": "Number of captured network flows",
+ "prefixes": [
+ "network_flow_monitor"
+ ],
+ "constants": "",
+ "constants_link": "",
+ "examples": []
+ },
{
"name": "open.file.destination.mode",
"link": "open-file-destination-mode-doc",
@@ -14162,6 +14344,21 @@
}
]
},
+ {
+ "name": "Network directions",
+ "link": "network-directions",
+ "description": "Network directions are the supported directions of network packets.",
+ "all": [
+ {
+ "name": "INGRESS",
+ "architecture": "all"
+ },
+ {
+ "name": "EGRESS",
+ "architecture": "all"
+ }
+ ]
+ },
{
"name": "Open flags",
"link": "open-flags",
diff --git a/docs/cloud-workload-security/secl_windows.json b/docs/cloud-workload-security/secl_windows.json
index e8e3f1e601c4e3..f3d94e1496ec0c 100644
--- a/docs/cloud-workload-security/secl_windows.json
+++ b/docs/cloud-workload-security/secl_windows.json
@@ -2318,6 +2318,21 @@
"architecture": "all"
}
]
+ },
+ {
+ "name": "Network directions",
+ "link": "network-directions",
+ "description": "Network directions are the supported directions of network packets.",
+ "all": [
+ {
+ "name": "INGRESS",
+ "architecture": "all"
+ },
+ {
+ "name": "EGRESS",
+ "architecture": "all"
+ }
+ ]
}
]
}
\ No newline at end of file
diff --git a/docs/cloud-workload-security/windows_expressions.md b/docs/cloud-workload-security/windows_expressions.md
index 035c98e380bd81..d79cfbbc743a75 100644
--- a/docs/cloud-workload-security/windows_expressions.md
+++ b/docs/cloud-workload-security/windows_expressions.md
@@ -892,6 +892,14 @@ L4 protocols are the supported Layer 4 protocols.
| `IP_PROTO_MPLS` | all |
| `IP_PROTO_RAW` | all |
+### `Network directions` {#network-directions}
+Network directions are the supported directions of network packets.
+
+| Name | Architectures |
+| ---- |---------------|
+| `INGRESS` | all |
+| `EGRESS` | all |
+
{{< partial name="whats-next/whats-next.html" >}}
diff --git a/pkg/config/setup/system_probe.go b/pkg/config/setup/system_probe.go
index bdc97ee3d902ac..7d3d096bfb1c81 100644
--- a/pkg/config/setup/system_probe.go
+++ b/pkg/config/setup/system_probe.go
@@ -369,6 +369,8 @@ func InitSystemProbeConfig(cfg pkgconfigmodel.Config) {
eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "network.lazy_interface_prefixes"), []string{})
eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "network.classifier_priority"), 10)
eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "network.classifier_handle"), 0)
+ eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "network.flow_monitor.enabled"), false)
+ eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "network.flow_monitor.period"), "10s")
eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "network.raw_classifier_handle"), 0)
eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "event_stream.use_ring_buffer"), true)
eventMonitorBindEnvAndSetDefault(cfg, join(evNS, "event_stream.use_fentry"), false)
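Review bot: `network.flow_monitor.period` is registered as the string `"10s"` with no comment on its format or allowed range. The eBPF side of this commit loads a `network_monitor_period` constant as a u64, so the string is presumably parsed as a duration outside this hunk; a zero, negative or unparsable value should be rejected there rather than passed down to the probe. A short comment above the two new lines, e.g. `// flow monitor: disabled by default; period is a Go duration string and must be > 0`, would document the intent. InitSystemProbeConfig continues outside the hunk.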
diff --git a/pkg/security/ebpf/c/include/constants/custom.h b/pkg/security/ebpf/c/include/constants/custom.h
index 88be17fa3c80b5..17cc5bfa687b87 100644
--- a/pkg/security/ebpf/c/include/constants/custom.h
+++ b/pkg/security/ebpf/c/include/constants/custom.h
@@ -196,4 +196,38 @@ static __attribute__((always_inline)) u64 get_imds_ip() {
#define CGROUP_MANAGER_CRI 4
#define CGROUP_MANAGER_SYSTEMD 5
+#define ACTIVE_FLOWS_MAX_SIZE 128
+
+enum PID_ROUTE_TYPE
+{
+ BIND_ENTRY,
+ PROCFS_ENTRY,
+ FLOW_CLASSIFICATION_ENTRY,
+};
+
+enum FLUSH_NETWORK_STATS_TYPE
+{
+ NETWORK_STATS_TICKER,
+ PID_EXIT,
+ PID_EXEC,
+};
+
+static __attribute__((always_inline)) u64 get_network_monitor_period() {
+ u64 network_monitor_period;
+ LOAD_CONSTANT("network_monitor_period", network_monitor_period);
+ return network_monitor_period;
+}
+
+static __attribute__((always_inline)) u64 is_sk_storage_supported() {
+ u64 is_sk_storage_supported;
+ LOAD_CONSTANT("is_sk_storage_supported", is_sk_storage_supported);
+ return is_sk_storage_supported;
+}
+
+static __attribute__((always_inline)) u64 is_network_flow_monitor_enabled() {
+ u64 is_network_flow_monitor_enabled;
+ LOAD_CONSTANT("is_network_flow_monitor_enabled", is_network_flow_monitor_enabled);
+ return is_network_flow_monitor_enabled;
+}
+
#endif
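Review bot: The values of `enum FLUSH_NETWORK_STATS_TYPE` are left implicit, yet the events_definition.h hunk of this commit stores one of them in the `flush_network_stats_type` field of the event, so they appear to be part of the kernel-to-user-space format. Numbering them explicitly (`NETWORK_STATS_TICKER = 0,` and so on) and adding a comment such as `// sent to user space in network_flow_monitor_event_t; keep in sync with the decoder` would keep a later reordering from silently changing what user space reads. The unprefixed names `PID_EXIT` and `PID_EXEC` are also generic for a header that is included widely, so a common prefix would lower the risk of a clash. `ACTIVE_FLOWS_MAX_SIZE` would benefit from a one-line comment saying it sizes the `flows` array of the event.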
diff --git a/pkg/security/ebpf/c/include/constants/enums.h b/pkg/security/ebpf/c/include/constants/enums.h
index 4837192476a363..852065b807063f 100644
--- a/pkg/security/ebpf/c/include/constants/enums.h
+++ b/pkg/security/ebpf/c/include/constants/enums.h
@@ -52,6 +52,7 @@ enum event_type
EVENT_LOGIN_UID_WRITE,
EVENT_CGROUP_WRITE,
EVENT_RAW_PACKET,
+ EVENT_NETWORK_FLOW_MONITOR,
EVENT_MAX, // has to be the last one
EVENT_ALL = 0xffffffff // used as a mask for all the events
diff --git a/pkg/security/ebpf/c/include/constants/offsets/network.h b/pkg/security/ebpf/c/include/constants/offsets/network.h
index 495fc0d20452f8..be3d59a2a53537 100644
--- a/pkg/security/ebpf/c/include/constants/offsets/network.h
+++ b/pkg/security/ebpf/c/include/constants/offsets/network.h
@@ -12,12 +12,34 @@ __attribute__((always_inline)) u16 get_family_from_sock_common(struct sock_commo
return family;
}
+__attribute__((always_inline)) u16 get_skc_num_from_sock_common(struct sock_common *sk) {
+ u64 sock_common_skc_num_offset;
+ LOAD_CONSTANT("sock_common_skc_num_offset", sock_common_skc_num_offset);
+
+ u16 skc_num;
+ bpf_probe_read(&skc_num, sizeof(skc_num), (void *)sk + sock_common_skc_num_offset);
+ return htons(skc_num);
+}
+
__attribute__((always_inline)) u64 get_flowi4_saddr_offset() {
u64 flowi4_saddr_offset;
LOAD_CONSTANT("flowi4_saddr_offset", flowi4_saddr_offset);
return flowi4_saddr_offset;
}
+// TODO: needed for l4_protocol resolution, see network/flow.h
+__attribute__((always_inline)) u64 get_flowi4_proto_offset() {
+ u64 flowi4_proto_offset;
+ LOAD_CONSTANT("flowi4_proto_offset", flowi4_proto_offset);
+ return flowi4_proto_offset;
+}
+
+__attribute__((always_inline)) u64 get_flowi6_proto_offset() {
+ u64 flowi6_proto_offset;
+ LOAD_CONSTANT("flowi6_proto_offset", flowi6_proto_offset);
+ return flowi6_proto_offset;
+}
+
__attribute__((always_inline)) u64 get_flowi4_uli_offset() {
u64 flowi4_uli_offset;
LOAD_CONSTANT("flowi4_uli_offset", flowi4_uli_offset);
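Review bot: `get_skc_num_from_sock_common` returns `htons(skc_num)` rather than the raw field, and nothing in the hunk says so. The kernel keeps `skc_num` in host byte order, so the returned value is in network byte order, presumably to match the ports stored in the flow structures. A comment such as `// returns the local port in network byte order (skc_num itself is host order)` would stop a caller from swapping it a second time. The return value of `bpf_probe_read` is also ignored, so a failed read cannot be told apart from a real port value. The `TODO` above `get_flowi4_proto_offset` reads as an explanation rather than pending work and could state what remains to be done.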
diff --git a/pkg/security/ebpf/c/include/events_definition.h b/pkg/security/ebpf/c/include/events_definition.h
index ef52f5edcf3862..61ed832032206b 100644
--- a/pkg/security/ebpf/c/include/events_definition.h
+++ b/pkg/security/ebpf/c/include/events_definition.h
@@ -441,4 +441,27 @@ struct on_demand_event_t {
char data[256];
};
+struct raw_packet_event_t {
+ struct kevent_t event;
+ struct process_context_t process;
+ struct span_context_t span;
+ struct container_context_t container;
+ struct network_device_context_t device;
+
+ int len;
+ char data[256];
+};
+
+struct network_flow_monitor_event_t {
+ struct kevent_t event;
+ struct process_context_t process;
+ struct span_context_t span;
+ struct container_context_t container;
+ struct network_device_context_t device;
+
+ u64 flows_count; // keep as u64 to prevent inconsistent verifier output on bounds checks
+ u64 flush_network_stats_type;
+ struct flow_stats_t flows[ACTIVE_FLOWS_MAX_SIZE];
+};
+
#endif
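Review bot: `flows_count` in `network_flow_monitor_event_t` has no stated upper bound, although it counts entries of a fixed array of `ACTIVE_FLOWS_MAX_SIZE` elements. The existing comment explains the u64 width but not the contract; something like `// number of valid entries in flows, always <= ACTIVE_FLOWS_MAX_SIZE` would make it explicit. The user-space decoder (not shown in this hunk) should check the count against both that constant and the length of the received buffer before iterating, rather than trusting the field as sent.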
diff --git a/pkg/security/ebpf/c/include/helpers/all.h b/pkg/security/ebpf/c/include/helpers/all.h
index e3a31a2d3229b1..181a3a7aa5b7fe 100644
--- a/pkg/security/ebpf/c/include/helpers/all.h
+++ b/pkg/security/ebpf/c/include/helpers/all.h
@@ -8,14 +8,11 @@
#include "container.h"
#include "dentry_resolver.h"
#include "discaders.h"
-#include "dns.h"
-#include "imds.h"
#include "erpc.h"
#include "events.h"
#include "events_predicates.h"
#include "filesystem.h"
#include "iouring.h"
-#include "network.h"
#include "process.h"
#include "raw_syscalls.h"
#include "selinux.h"
@@ -25,4 +22,11 @@
#include "user_sessions.h"
#include "utils.h"
+#include "network/context.h"
+#include "network/parser.h"
+#include "network/pid_resolver.h"
+#include "network/router.h"
+#include "network/dns.h"
+#include "network/imds.h"
+
#endif
diff --git a/pkg/security/ebpf/c/include/helpers/network/context.h b/pkg/security/ebpf/c/include/helpers/network/context.h
new file mode 100644
index 00000000000000..a62eea4735c7d2
--- /dev/null
+++ b/pkg/security/ebpf/c/include/helpers/network/context.h
@@ -0,0 +1,36 @@
+#ifndef _HELPERS_NETWORK_CONTEXT_H_
+#define _HELPERS_NETWORK_CONTEXT_H_
+
+__attribute__((always_inline)) void fill_network_process_context(struct process_context_t *process, u32 pid, u32 netns) {
+ if (pid >= 0) {
+ process->pid = pid;
+ process->tid = pid;
+ } else {
+ process->pid = 0;
+ process->tid = 0;
+ }
+ process->netns = netns;
+}
+
+__attribute__((always_inline)) void fill_network_process_context_from_pkt(struct process_context_t *process, struct packet_t *pkt) {
+ fill_network_process_context(process, pkt->pid, pkt->translated_ns_flow.netns);
+}
+
+__attribute__((always_inline)) void fill_network_device_context(struct network_device_context_t *device_ctx, u32 netns, u32 ifindex) {
+ device_ctx->netns = netns;
+ device_ctx->ifindex = ifindex;
+}
+
+__attribute__((always_inline)) void fill_network_device_context_from_pkt(struct network_device_context_t *device_ctx, struct __sk_buff *skb, struct packet_t *pkt) {
+ fill_network_device_context(device_ctx, pkt->translated_ns_flow.netns, skb->ifindex);
+}
+
+__attribute__((always_inline)) void fill_network_context(struct network_context_t *net_ctx, struct __sk_buff *skb, struct packet_t *pkt) {
+ net_ctx->size = skb->len;
+ net_ctx->network_direction = pkt->network_direction;
+ net_ctx->flow = pkt->translated_ns_flow.flow;
+
+ fill_network_device_context_from_pkt(&net_ctx->device, skb, pkt);
+}
+
+#endif
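Review bot: In `fill_network_process_context` the new `u32 pid` parameter makes the `if (pid >= 0)` test always true, so the else branch that zeroes `pid` and `tid` is unreachable. The version removed from helpers/network.h tested `pkt->pid >= 0` directly, and `get_flow_pid` returns -1 as an s64 when no route matches. If `pkt->pid` still carries that -1, it is now truncated to 4294967295 and reported as the process id instead of 0, which mis-attributes unresolved traffic in the emitted events. Keeping the signed type preserves the old behaviour: `fill_network_process_context(struct process_context_t *process, s64 pid, u32 netns)`.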
diff --git a/pkg/security/ebpf/c/include/helpers/dns.h b/pkg/security/ebpf/c/include/helpers/network/dns.h
similarity index 84%
rename from pkg/security/ebpf/c/include/helpers/dns.h
rename to pkg/security/ebpf/c/include/helpers/network/dns.h
index f6e394fbc08db7..e7e1af3ce99e6c 100644
--- a/pkg/security/ebpf/c/include/helpers/dns.h
+++ b/pkg/security/ebpf/c/include/helpers/network/dns.h
@@ -1,13 +1,14 @@
-#ifndef _HELPERS_DNS_H
-#define _HELPERS_DNS_H
+#ifndef _HELPERS_NETWORK_DNS_H
+#define _HELPERS_NETWORK_DNS_H
#include "constants/enums.h"
-#include "maps.h"
+#include "helpers/activity_dump.h"
+#include "helpers/container.h"
+#include "helpers/process.h"
+
+#include "context.h"
-#include "activity_dump.h"
-#include "container.h"
-#include "network.h"
-#include "process.h"
+#include "maps.h"
__attribute__((always_inline)) struct dns_event_t *get_dns_event() {
u32 key = DNS_EVENT_KEY;
@@ -27,7 +28,7 @@ __attribute__((always_inline)) struct dns_event_t *reset_dns_event(struct __sk_b
evt->event.flags = 0;
// process context
- fill_network_process_context(&evt->process, pkt);
+ fill_network_process_context_from_pkt(&evt->process, pkt);
// network context
fill_network_context(&evt->network, skb, pkt);
diff --git a/pkg/security/ebpf/c/include/helpers/imds.h b/pkg/security/ebpf/c/include/helpers/network/imds.h
similarity index 84%
rename from pkg/security/ebpf/c/include/helpers/imds.h
rename to pkg/security/ebpf/c/include/helpers/network/imds.h
index c53b53c15f9e0f..ea5fe1d087c5da 100644
--- a/pkg/security/ebpf/c/include/helpers/imds.h
+++ b/pkg/security/ebpf/c/include/helpers/network/imds.h
@@ -1,12 +1,12 @@
-#ifndef _HELPERS_IMDS_H
-#define _HELPERS_IMDS_H
+#ifndef _HELPERS_NETWORK_IMDS_H
+#define _HELPERS_NETWORK_IMDS_H
#include "constants/enums.h"
+#include "helpers/container.h"
+#include "helpers/network/context.h"
+#include "helpers/process.h"
#include "maps.h"
-#include "container.h"
-#include "network.h"
-#include "process.h"
__attribute__((always_inline)) struct imds_event_t *get_imds_event() {
u32 key = IMDS_EVENT_KEY;
@@ -24,7 +24,7 @@ __attribute__((always_inline)) struct imds_event_t *reset_imds_event(struct __sk
evt->event.flags = 0;
// process context
- fill_network_process_context(&evt->process, pkt);
+ fill_network_process_context_from_pkt(&evt->process, pkt);
// network context
fill_network_context(&evt->network, skb, pkt);
diff --git a/pkg/security/ebpf/c/include/helpers/network.h b/pkg/security/ebpf/c/include/helpers/network/parser.h
similarity index 60%
rename from pkg/security/ebpf/c/include/helpers/network.h
rename to pkg/security/ebpf/c/include/helpers/network/parser.h
index 21e39e85916547..b5b2de4630a9e2 100644
--- a/pkg/security/ebpf/c/include/helpers/network.h
+++ b/pkg/security/ebpf/c/include/helpers/network/parser.h
@@ -1,40 +1,10 @@
-#ifndef _HELPERS_NETWORK_H_
-#define _HELPERS_NETWORK_H_
+#ifndef _HELPERS_NETWORK_PARSER_H_
+#define _HELPERS_NETWORK_PARSER_H_
#include "constants/custom.h"
#include "constants/macros.h"
#include "maps.h"
-__attribute__((always_inline)) s64 get_flow_pid(struct pid_route_t *key) {
- u32 *value = bpf_map_lookup_elem(&flow_pid, key);
- if (!value) {
- // Try with IP set to 0.0.0.0
- key->addr[0] = 0;
- key->addr[1] = 0;
- value = bpf_map_lookup_elem(&flow_pid, key);
- if (!value) {
- return -1;
- }
- }
-
- return *value;
-}
-
-__attribute__((always_inline)) void flip(struct flow_t *flow) {
- u64 tmp = 0;
- tmp = flow->sport;
- flow->sport = flow->dport;
- flow->dport = tmp;
-
- tmp = flow->saddr[0];
- flow->saddr[0] = flow->daddr[0];
- flow->daddr[0] = tmp;
-
- tmp = flow->saddr[1];
- flow->saddr[1] = flow->daddr[1];
- flow->daddr[1] = tmp;
-}
-
__attribute__((always_inline)) void tc_cursor_init(struct cursor *c, struct __sk_buff *skb) {
c->end = (void *)(long)skb->data_end;
c->pos = (void *)(long)skb->data;
@@ -62,31 +32,6 @@ __attribute__((always_inline)) struct packet_t *reset_packet() {
return get_packet();
}
-__attribute__((always_inline)) void fill_network_process_context(struct process_context_t *process, struct packet_t *pkt) {
- if (pkt->pid >= 0) {
- process->pid = pkt->pid;
- process->tid = pkt->pid;
- } else {
- process->pid = 0;
- process->tid = 0;
- }
- process->netns = pkt->translated_ns_flow.netns;
-}
-
-__attribute__((always_inline)) void fill_network_device_context(struct network_device_context_t *device_ctx, struct __sk_buff *skb, struct packet_t *pkt) {
- device_ctx->netns = pkt->translated_ns_flow.netns;
- device_ctx->ifindex = skb->ifindex;
-}
-
-__attribute__((always_inline)) void fill_network_context(struct network_context_t *net_ctx, struct __sk_buff *skb, struct packet_t *pkt) {
- net_ctx->l3_protocol = htons(pkt->eth.h_proto);
- net_ctx->l4_protocol = pkt->l4_protocol;
- net_ctx->size = skb->len;
- net_ctx->flow = pkt->translated_ns_flow.flow;
-
- fill_network_device_context(&net_ctx->device, skb, pkt);
-}
-
__attribute__((always_inline)) void parse_tuple(struct nf_conntrack_tuple *tuple, struct flow_t *flow) {
flow->sport = tuple->src.u.all;
flow->dport = tuple->dst.u.all;
@@ -109,8 +54,11 @@ __attribute__((always_inline)) struct packet_t * parse_packet(struct __sk_buff *
return NULL;
}
- switch (pkt->eth.h_proto) {
- case htons(ETH_P_IP):
+ pkt->network_direction = direction;
+ pkt->ns_flow.flow.l3_protocol = htons(pkt->eth.h_proto);
+
+ switch (pkt->ns_flow.flow.l3_protocol) {
+ case ETH_P_IP:
// parse IPv4 header
if (!(parse_iphdr(&c, &pkt->ipv4))) {
return NULL;
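Review bot: `pkt->ns_flow.flow.l3_protocol = htons(pkt->eth.h_proto);` converts a value read from the wire into host order, so `ntohs` is the conversion that states the intent. Both give the same result, but the `case ETH_P_IP:` label below now compares against a host-order constant, and the reader has to work out that `htons` is being used as its own inverse. Where the helper headers define it, `pkt->ns_flow.flow.l3_protocol = ntohs(pkt->eth.h_proto);` reads correctly. parse_packet starts and ends outside this hunk.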
@@ -124,19 +72,19 @@ __attribute__((always_inline)) struct packet_t * parse_packet(struct __sk_buff *
}
}
- pkt->l4_protocol = pkt->ipv4.protocol;
+ pkt->ns_flow.flow.l4_protocol = pkt->ipv4.protocol;
pkt->ns_flow.flow.saddr[0] = pkt->ipv4.saddr;
pkt->ns_flow.flow.daddr[0] = pkt->ipv4.daddr;
break;
- case htons(ETH_P_IPV6):
+ case ETH_P_IPV6:
// parse IPv6 header
// TODO: handle multiple IPv6 extension headers
if (!(parse_ipv6hdr(&c, &pkt->ipv6))) {
return NULL;
}
- pkt->l4_protocol = pkt->ipv6.nexthdr;
+ pkt->ns_flow.flow.l4_protocol = pkt->ipv6.nexthdr;
pkt->ns_flow.flow.saddr[0] = *(u64 *)&pkt->ipv6.saddr;
pkt->ns_flow.flow.saddr[1] = *((u64 *)(&pkt->ipv6.saddr) + 1);
pkt->ns_flow.flow.daddr[0] = *(u64 *)&pkt->ipv6.daddr;
@@ -148,7 +96,7 @@ __attribute__((always_inline)) struct packet_t * parse_packet(struct __sk_buff *
return NULL;
}
- switch (pkt->l4_protocol) {
+ switch (pkt->ns_flow.flow.l4_protocol) {
case IPPROTO_TCP:
// parse TCP header
if (!(parse_tcphdr(&c, &pkt->tcp))) {
@@ -183,7 +131,6 @@ __attribute__((always_inline)) struct packet_t * parse_packet(struct __sk_buff *
return NULL;
}
- struct pid_route_t pid_route = {};
struct namespaced_flow_t tmp_ns_flow = pkt->ns_flow; // for compatibility with older kernels
pkt->translated_ns_flow = pkt->ns_flow;
@@ -201,25 +148,6 @@ __attribute__((always_inline)) struct packet_t * parse_packet(struct __sk_buff *
// TODO: if nothing was found in the conntrack map, lookup ingress nat rules (nothing to do for egress though)
- // resolve pid
- switch (direction) {
- case EGRESS: {
- pid_route.addr[0] = pkt->translated_ns_flow.flow.saddr[0];
- pid_route.addr[1] = pkt->translated_ns_flow.flow.saddr[1];
- pid_route.port = pkt->translated_ns_flow.flow.sport;
- pid_route.netns = pkt->translated_ns_flow.netns;
- break;
- }
- case INGRESS: {
- pid_route.addr[0] = pkt->translated_ns_flow.flow.daddr[0];
- pid_route.addr[1] = pkt->translated_ns_flow.flow.daddr[1];
- pid_route.port = pkt->translated_ns_flow.flow.dport;
- pid_route.netns = pkt->translated_ns_flow.netns;
- break;
- }
- }
- pkt->pid = get_flow_pid(&pid_route);
-
return pkt;
};
diff --git a/pkg/security/ebpf/c/include/helpers/network/pid_resolver.h b/pkg/security/ebpf/c/include/helpers/network/pid_resolver.h
new file mode 100644
index 00000000000000..e3723bd033079d
--- /dev/null
+++ b/pkg/security/ebpf/c/include/helpers/network/pid_resolver.h
@@ -0,0 +1,48 @@
+#ifndef _HELPERS_NETWORK_PID_RESOLVER_H_
+#define _HELPERS_NETWORK_PID_RESOLVER_H_
+
+#include "maps.h"
+
+__attribute__((always_inline)) s64 get_flow_pid(struct pid_route_t *key) {
+ u32 *value = bpf_map_lookup_elem(&flow_pid, key);
+ if (!value) {
+ // Try with IP set to 0.0.0.0
+ key->addr[0] = 0;
+ key->addr[1] = 0;
+ value = bpf_map_lookup_elem(&flow_pid, key);
+ if (!value) {
+ return -1;
+ }
+ }
+
+ return *value;
+}
+
+__attribute__((always_inline)) void resolve_pid(struct packet_t *pkt) {
+ struct pid_route_t pid_route = {};
+
+ // resolve pid
+ switch (pkt->network_direction) {
+ case EGRESS: {
+ pid_route.addr[0] = pkt->translated_ns_flow.flow.saddr[0];
+ pid_route.addr[1] = pkt->translated_ns_flow.flow.saddr[1];
+ pid_route.port = pkt->translated_ns_flow.flow.sport;
+ pid_route.netns = pkt->translated_ns_flow.netns;
+ break;
+ }
+ case INGRESS: {
+ pid_route.addr[0] = pkt->translated_ns_flow.flow.daddr[0];
+ pid_route.addr[1] = pkt->translated_ns_flow.flow.daddr[1];
+ pid_route.port = pkt->translated_ns_flow.flow.dport;
+ pid_route.netns = pkt->translated_ns_flow.netns;
+ break;
+ }
+ }
+
+ // TODO: l4_protocol should be used to uniquely identify the PID - wait for implementation on security_socket_bind
+ // pid_route.l4_protocol = pkt->translated_ns_flow.flow.l4_protocol;
+
+ pkt->pid = get_flow_pid(&pid_route);
+}
+
+#endif
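Review bot: `get_flow_pid` reads the `flow_pid` value through a `u32 *`, but the writers added in hooks/network/flow.h in this same change store a `struct pid_route_entry_t` (with `pid`, `type` and `comm`) in that map. The lookup returns the right number only if `pid` is the first field of that struct, which is not visible here and would break silently if the layout changes; a wrong value attributes traffic to the wrong process. I would type the lookup as `struct pid_route_entry_t *value = bpf_map_lookup_elem(&flow_pid, key);` and end with `return value->pid;`. The wildcard retry also zeroes `key->addr` in the caller's struct, which deserves a line in a header comment even though `resolve_pid`, the only caller shown, passes a local.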
diff --git a/pkg/security/ebpf/c/include/helpers/network/raw.h b/pkg/security/ebpf/c/include/helpers/network/raw.h
new file mode 100644
index 00000000000000..ac1b520450f89f
--- /dev/null
+++ b/pkg/security/ebpf/c/include/helpers/network/raw.h
@@ -0,0 +1,11 @@
+#ifndef _HELPERS_NETWORK_RAW_H_
+#define _HELPERS_NETWORK_RAW_H_
+
+#include "maps.h"
+
+__attribute__((always_inline)) struct raw_packet_event_t *get_raw_packet_event() {
+ u32 key = 0;
+ return bpf_map_lookup_elem(&raw_packet_event, &key);
+}
+
+#endif
diff --git a/pkg/security/ebpf/c/include/helpers/network/router.h b/pkg/security/ebpf/c/include/helpers/network/router.h
new file mode 100644
index 00000000000000..febe3c2e29ef8c
--- /dev/null
+++ b/pkg/security/ebpf/c/include/helpers/network/router.h
@@ -0,0 +1,27 @@
+#ifndef _HELPERS_NETWORK_ROUTER_H_
+#define _HELPERS_NETWORK_ROUTER_H_
+
+#include "stats.h"
+#include "maps.h"
+
+__attribute__((always_inline)) int route_pkt(struct __sk_buff *skb, struct packet_t *pkt, int direction) {
+ count_pkt(skb, pkt);
+
+ // route DNS requests
+ if (is_event_enabled(EVENT_DNS)) {
+ if (pkt->translated_ns_flow.flow.l4_protocol == IPPROTO_UDP && pkt->translated_ns_flow.flow.dport == htons(53)) {
+ bpf_tail_call_compat(skb, &classifier_router, DNS_REQUEST);
+ }
+ }
+
+ // route IMDS requests
+ if (is_event_enabled(EVENT_IMDS)) {
+ if (pkt->translated_ns_flow.flow.l4_protocol == IPPROTO_TCP && ((pkt->ns_flow.flow.saddr[0] & 0xFFFFFFFF) == get_imds_ip() || (pkt->ns_flow.flow.daddr[0] & 0xFFFFFFFF) == get_imds_ip())) {
+ bpf_tail_call_compat(skb, &classifier_router, IMDS_REQUEST);
+ }
+ }
+
+ return ACT_OK;
+}
+
+#endif
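Review bot: `route_pkt` calls `count_pkt(skb, pkt)` unconditionally, while the flushes added in hooks/exec.h are gated on `is_network_flow_monitor_enabled()`. With the flow monitor disabled, every routed packet would still insert into `ns_flow_to_network_stats` and `active_flows`, and nothing visible in this change would drain them. Gating the call the same way, `if (is_network_flow_monitor_enabled()) { count_pkt(skb, pkt); }`, keeps the two sides consistent. The `direction` parameter is no longer read in the body (`count_pkt` uses `pkt->network_direction`), so it can be dropped or documented as kept for the callers' signature.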
diff --git a/pkg/security/ebpf/c/include/helpers/network/stats.h b/pkg/security/ebpf/c/include/helpers/network/stats.h
new file mode 100644
index 00000000000000..9d9ea057e46ec5
--- /dev/null
+++ b/pkg/security/ebpf/c/include/helpers/network/stats.h
@@ -0,0 +1,205 @@
+#ifndef _HELPERS_NETWORK_STATS_H_
+#define _HELPERS_NETWORK_STATS_H_
+
+#include "context.h"
+#include "utils.h"
+
+__attribute__((always_inline)) struct network_flow_monitor_event_t *get_network_flow_monitor_event() {
+ u32 key = 0;
+ struct network_flow_monitor_event_t *evt = bpf_map_lookup_elem(&network_flow_monitor_event_gen, &key);
+ // __builtin_memset doesn't work here because evt is too large and memset is allocating too much memory
+ return evt;
+}
+
+__attribute__((always_inline)) struct active_flows_t *get_empty_active_flows() {
+ u32 key = 0;
+ return bpf_map_lookup_elem(&active_flows_gen, &key);
+}
+
+__attribute__((always_inline)) int flush_network_stats(u32 pid, struct active_flows_t *entry, void *ctx, u8 type) {
+ u64 now = bpf_ktime_get_ns();
+ struct network_stats_t *stats = NULL;
+ struct namespaced_flow_t ns_flow_tmp = {};
+
+ if (entry == NULL || ctx == NULL) {
+ return 0;
+ }
+
+ if ((type == NETWORK_STATS_TICKER) && (now < entry->last_sent + get_network_monitor_period())) {
+ // we'll flush later, move on
+ return 0;
+ }
+
+ struct network_flow_monitor_event_t *evt = get_network_flow_monitor_event();
+ if (evt == NULL) {
+ // should never happen
+ return 0;
+ }
+ evt->event.flags = EVENT_FLAGS_ACTIVITY_DUMP_SAMPLE;
+
+ // Delete the entry now to try to limit race conditions with exiting processes.
+ // Note that the "worse" that can happen with this race is that we send the same flows twice.
+ bpf_map_delete_elem(&active_flows, &pid);
+
+ // process context
+ fill_network_process_context(&evt->process, pid, entry->netns);
+
+ // network context
+ fill_network_device_context(&evt->device, entry->netns, entry->ifindex);
+
+ struct proc_cache_t *proc_cache_entry = get_proc_cache(pid);
+ if (proc_cache_entry == NULL) {
+ evt->container.container_id[0] = 0;
+ } else {
+ copy_container_id_no_tracing(proc_cache_entry->container.container_id, &evt->container.container_id);
+ evt->container.cgroup_context = proc_cache_entry->container.cgroup_context;
+ }
+
+ evt->flush_network_stats_type = type;
+ evt->flows_count = 0;
+
+#pragma unroll
+ for (int i = 0; i < ACTIVE_FLOWS_MAX_SIZE; i++) {
+ if (i >= entry->cursor) {
+ goto send;
+ }
+ ns_flow_tmp.netns = entry->netns;
+ ns_flow_tmp.flow = entry->flows[i & (ACTIVE_FLOWS_MAX_SIZE - 1)];
+
+ // query the stats
+ stats = bpf_map_lookup_elem(&ns_flow_to_network_stats, &ns_flow_tmp);
+ if (stats != NULL) {
+ // Delete entry now to try to limit race conditions with "count_pkt" with other CPUs.
+ // Note that the "worse" that can happen with this race is that we miss a couple of bytes / packets for the
+ // current flow.
+ bpf_map_delete_elem(&ns_flow_to_network_stats, &ns_flow_tmp);
+
+ evt->flows[evt->flows_count & (ACTIVE_FLOWS_MAX_SIZE - 1)].flow = ns_flow_tmp.flow;
+ evt->flows[evt->flows_count & (ACTIVE_FLOWS_MAX_SIZE - 1)].stats = *stats;
+ } else {
+ // copy only the flow without the stats - better to get at least the flow than nothing at all
+ evt->flows[evt->flows_count & (ACTIVE_FLOWS_MAX_SIZE - 1)].flow = ns_flow_tmp.flow;
+
+#if defined(DEBUG_NETWORK_FLOW)
+ bpf_printk("no stats for sp:%d sa0:%lu sa1:%lu", ns_flow_tmp.flow.sport, ns_flow_tmp.flow.saddr[0], ns_flow_tmp.flow.saddr[1]);
+ bpf_printk(" dp:%d da0:%lu da1:%lu", ns_flow_tmp.flow.dport, ns_flow_tmp.flow.daddr[0], ns_flow_tmp.flow.daddr[1]);
+ bpf_printk(" netns:%lu l3:%d l4:%d", ns_flow_tmp.netns, ns_flow_tmp.flow.l3_protocol, ns_flow_tmp.flow.l4_protocol);
+#endif
+ }
+
+ evt->flows_count += 1;
+ }
+
+send:
+ // send event
+ send_event_with_size_ptr(ctx, EVENT_NETWORK_FLOW_MONITOR, evt, offsetof(struct network_flow_monitor_event_t, flows) + (evt->flows_count & (ACTIVE_FLOWS_MAX_SIZE - 1)) * sizeof(struct flow_stats_t));
+
+#if defined(DEBUG_NETWORK_FLOW)
+ bpf_printk("sent %d (out of %d) flows for pid %d!", evt->flows_count, entry->cursor, pid);
+ bpf_printk(" - type: %d", type);
+#endif
+
+ return 0;
+}
+
+__attribute__((always_inline)) void flush_pid_network_stats(u32 pid, void *ctx, u8 type) {
+ struct active_flows_t *entry = bpf_map_lookup_elem(&active_flows, &pid);
+ flush_network_stats(pid, entry, ctx, type);
+}
+
+__attribute__((always_inline)) void count_pkt(struct __sk_buff *skb, struct packet_t *pkt) {
+ struct namespaced_flow_t ns_flow = pkt->translated_ns_flow;
+ if (pkt->network_direction == INGRESS) {
+ // EGRESS was arbitrarily chosen as "the 5-tuple order for indexing flow statistics".
+ // Reverse ingress flow now
+ flip(&ns_flow.flow);
+ }
+
+ u8 should_register_flow = 0;
+ struct network_stats_t *stats = NULL;
+ struct network_stats_t stats_zero = {};
+ u64 now = bpf_ktime_get_ns();
+ int ret = bpf_map_update_elem(&ns_flow_to_network_stats, &ns_flow, &stats_zero, BPF_NOEXIST);
+ if (ret == 0) {
+ // register flow in active_flows
+ should_register_flow = 1;
+ }
+
+ // lookup the existing (or new) entry (now that it has been created)
+ stats = bpf_map_lookup_elem(&ns_flow_to_network_stats, &ns_flow);
+ if (stats == NULL) {
+ // should never happen, ignore
+ return;
+ }
+
+#if defined(DEBUG_NETWORK_FLOW)
+ bpf_printk("added stats for sp:%d sa0:%lu sa1:%lu", ns_flow.flow.sport, ns_flow.flow.saddr[0], ns_flow.flow.saddr[1]);
+ bpf_printk(" dp:%d da0:%lu da1:%lu", ns_flow.flow.dport, ns_flow.flow.daddr[0], ns_flow.flow.daddr[1]);
+ bpf_printk(" netns:%lu l3:%d l4:%d", ns_flow.netns, ns_flow.flow.l3_protocol, ns_flow.flow.l4_protocol);
+#endif
+
+ // update stats
+ switch (pkt->network_direction) {
+ case EGRESS: {
+ __sync_fetch_and_add(&stats->egress.pkt_count, 1);
+ __sync_fetch_and_add(&stats->egress.data_size, skb->len);
+ break;
+ }
+ case INGRESS: {
+ __sync_fetch_and_add(&stats->ingress.pkt_count, 1);
+ __sync_fetch_and_add(&stats->ingress.data_size, skb->len);
+ break;
+ }
+ }
+
+ if (should_register_flow) {
+ // make sure we hold the spin lock for the active flows entry
+ struct active_flows_spin_lock_t init_value = {};
+ struct active_flows_spin_lock_t *active_flows_lock;
+ bpf_map_update_elem(&active_flows_spin_locks, &pkt->pid, &init_value, BPF_NOEXIST);
+ active_flows_lock = bpf_map_lookup_elem(&active_flows_spin_locks, &pkt->pid);
+ if (active_flows_lock == NULL) {
+ // shouldn't happen, ignore
+ return;
+ }
+
+ struct active_flows_t *entry;
+ struct active_flows_t *zero = get_empty_active_flows();
+ if (zero == NULL) {
+ // should never happen, ignore
+ return;
+ }
+ zero->netns = ns_flow.netns;
+ zero->ifindex = skb->ifindex;
+ zero->last_sent = now;
+
+ // make sure the active_flows entry for the current pid exists
+ ret = bpf_map_update_elem(&active_flows, &pkt->pid, zero, BPF_NOEXIST);
+ if (ret < 0 && ret != -EEXIST) {
+ // no more space in the map, ignore for now
+ return;
+ }
+
+ // lookup active_flows for current pid
+ entry = bpf_map_lookup_elem(&active_flows, &pkt->pid);
+ if (entry == NULL) {
+ // should not happen, ignore
+ return;
+ }
+
+ // is the entry full ?
+ bpf_spin_lock(&active_flows_lock->lock);
+ if (entry->cursor < ACTIVE_FLOWS_MAX_SIZE) {
+ // add new flow to the list
+ entry->flows[entry->cursor & (ACTIVE_FLOWS_MAX_SIZE - 1)] = ns_flow.flow;
+ entry->cursor = entry->cursor + 1;
+ } else {
+ // TODO: send early and reset entry ?
+ // for now, drop the flow.
+ }
+ bpf_spin_unlock(&active_flows_lock->lock);
+ bpf_map_delete_elem(&active_flows_spin_locks, &pkt->pid);
+ }
+}
+
+#endif
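Review bot: In `flush_network_stats`, the size passed to `send_event_with_size_ptr` masks the count with `evt->flows_count & (ACTIVE_FLOWS_MAX_SIZE - 1)`, which evaluates to 0 when the entry is full (assuming the constant is a power of two, as the mask implies). `count_pkt` lets `entry->cursor` reach `ACTIVE_FLOWS_MAX_SIZE`, so the loop then sets `flows_count` to that value and the event goes out with the header only: a process with a full flow list reports none of its flows. Clamping instead of masking avoids that, e.g. `u32 n = evt->flows_count; if (n > ACTIVE_FLOWS_MAX_SIZE) { n = ACTIVE_FLOWS_MAX_SIZE; }` and using `n` in the size expression, to be checked against the verifier's bound tracking. Separately, the `else` branch of the loop copies only `.flow`, and since `evt` is a reused map value that is never cleared, `.stats` for that slot keeps whatever an earlier event left there; zeroing it in that branch would keep stale counters out of the event.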
diff --git a/pkg/security/ebpf/c/include/helpers/network/utils.h b/pkg/security/ebpf/c/include/helpers/network/utils.h
new file mode 100644
index 00000000000000..66bb1293b0c6ae
--- /dev/null
+++ b/pkg/security/ebpf/c/include/helpers/network/utils.h
@@ -0,0 +1,19 @@
+#ifndef _HELPERS_NETWORK_UTILS_H_
+#define _HELPERS_NETWORK_UTILS_H_
+
+__attribute__((always_inline)) void flip(struct flow_t *flow) {
+ u64 tmp = 0;
+ tmp = flow->sport;
+ flow->sport = flow->dport;
+ flow->dport = tmp;
+
+ tmp = flow->saddr[0];
+ flow->saddr[0] = flow->daddr[0];
+ flow->daddr[0] = tmp;
+
+ tmp = flow->saddr[1];
+ flow->saddr[1] = flow->daddr[1];
+ flow->daddr[1] = tmp;
+}
+
+#endif
diff --git a/pkg/security/ebpf/c/include/hooks/all.h b/pkg/security/ebpf/c/include/hooks/all.h
index 5fc9709eb528c0..3e88f9a3db6703 100644
--- a/pkg/security/ebpf/c/include/hooks/all.h
+++ b/pkg/security/ebpf/c/include/hooks/all.h
@@ -44,7 +44,7 @@
#include "network/imds.h"
#include "network/flow.h"
#include "network/net_device.h"
-#include "network/router.h"
+#include "network/stats_worker.h"
#include "network/tc.h"
#include "network/raw.h"
#endif
diff --git a/pkg/security/ebpf/c/include/hooks/exec.h b/pkg/security/ebpf/c/include/hooks/exec.h
index a99783248c5d9d..01f2abfa952df2 100644
--- a/pkg/security/ebpf/c/include/hooks/exec.h
+++ b/pkg/security/ebpf/c/include/hooks/exec.h
@@ -5,6 +5,7 @@
#include "constants/offsets/filesystem.h"
#include "helpers/filesystem.h"
#include "helpers/syscalls.h"
+#include "helpers/network/stats.h"
#include "constants/fentry_macro.h"
int __attribute__((always_inline)) trace__sys_execveat(ctx_t *ctx, const char *path, const char **argv, const char **env) {
@@ -284,6 +285,11 @@ int hook_do_exit(ctx_t *ctx) {
return 0;
}
+ if (is_network_flow_monitor_enabled()) {
+ // flush network stats
+ flush_pid_network_stats(tgid, ctx, PID_EXIT);
+ }
+
// delete netns entry
bpf_map_delete_elem(&netns_cache, &pid);
@@ -660,6 +666,11 @@ int __attribute__((always_inline)) send_exec_event(ctx_t *ctx) {
u64 now = bpf_ktime_get_ns();
u32 tgid = pid_tgid >> 32;
+ if (is_network_flow_monitor_enabled()) {
+ // flush network stats
+ flush_pid_network_stats(tgid, ctx, PID_EXEC);
+ }
+
bpf_map_delete_elem(&exec_pid_transfer, &tgid);
struct proc_cache_t pc = {
diff --git a/pkg/security/ebpf/c/include/hooks/network/bind.h b/pkg/security/ebpf/c/include/hooks/network/bind.h
index cefaea905d5017..be3fb884460afc 100644
--- a/pkg/security/ebpf/c/include/hooks/network/bind.h
+++ b/pkg/security/ebpf/c/include/hooks/network/bind.h
@@ -64,68 +64,34 @@ HOOK_ENTRY("security_socket_bind")
int hook_security_socket_bind(ctx_t *ctx) {
struct socket *sk = (struct socket *)CTX_PARM1(ctx);
struct sockaddr *address = (struct sockaddr *)CTX_PARM2(ctx);
- struct pid_route_t key = {};
- u16 family = 0;
- u16 protocol = 0;
short socket_type = 0;
+ // fill syscall_cache if necessary
+ struct syscall_cache_t *syscall = peek_syscall(EVENT_BIND);
+ if (!syscall) {
+ return 0;
+ }
+
// Extract IP and port from the sockaddr structure
- bpf_probe_read(&family, sizeof(family), &address->sa_family);
- if (family == AF_INET) {
+ bpf_probe_read(&syscall->bind.family, sizeof(syscall->bind.family), &address->sa_family);
+ if (syscall->bind.family == AF_INET) {
struct sockaddr_in *addr_in = (struct sockaddr_in *)address;
- bpf_probe_read(&key.port, sizeof(addr_in->sin_port), &addr_in->sin_port);
- bpf_probe_read(&key.addr, sizeof(addr_in->sin_addr.s_addr), &addr_in->sin_addr.s_addr);
- } else if (family == AF_INET6) {
+ bpf_probe_read(&syscall->bind.port, sizeof(addr_in->sin_port), &addr_in->sin_port);
+ bpf_probe_read(&syscall->bind.addr, sizeof(addr_in->sin_addr.s_addr), &addr_in->sin_addr.s_addr);
+ } else if (syscall->bind.family == AF_INET6) {
struct sockaddr_in6 *addr_in6 = (struct sockaddr_in6 *)address;
- bpf_probe_read(&key.port, sizeof(addr_in6->sin6_port), &addr_in6->sin6_port);
- bpf_probe_read(&key.addr, sizeof(u64) * 2, (char *)addr_in6 + offsetof(struct sockaddr_in6, sin6_addr));
+ bpf_probe_read(&syscall->bind.port, sizeof(addr_in6->sin6_port), &addr_in6->sin6_port);
+ bpf_probe_read(&syscall->bind.addr, sizeof(u64) * 2, (char *)addr_in6 + offsetof(struct sockaddr_in6, sin6_addr));
}
- bpf_probe_read(&socket_type, sizeof(socket_type), &sk->type);
-
// We only handle TCP and UDP sockets for now
+ bpf_probe_read(&socket_type, sizeof(socket_type), &sk->type);
if (socket_type == SOCK_STREAM) {
- protocol = IPPROTO_TCP;
+ syscall->connect.protocol = IPPROTO_TCP;
} else if (socket_type == SOCK_DGRAM) {
- protocol = IPPROTO_UDP;
+ syscall->connect.protocol = IPPROTO_UDP;
}
- // fill syscall_cache if necessary
- struct syscall_cache_t *syscall = peek_syscall(EVENT_BIND);
- if (syscall) {
- syscall->bind.addr[0] = key.addr[0];
- syscall->bind.addr[1] = key.addr[1];
- syscall->bind.port = key.port;
- syscall->bind.family = family;
- syscall->connect.protocol = protocol;
- }
-
- // past this point we care only about AF_INET and AF_INET6
- if (family != AF_INET && family != AF_INET6) {
- return 0;
- }
-
- // Register service PID
- if (key.port != 0) {
- u64 id = bpf_get_current_pid_tgid();
- u32 tid = (u32)id;
-
- // add netns information
- key.netns = get_netns_from_socket(sk);
- if (key.netns != 0) {
- bpf_map_update_elem(&netns_cache, &tid, &key.netns, BPF_ANY);
- }
-
-#ifndef DO_NOT_USE_TC
- u32 pid = id >> 32;
- bpf_map_update_elem(&flow_pid, &key, &pid, BPF_ANY);
-#endif
-
-#if defined(DEBUG_BIND)
- bpf_printk("# registered (bind) pid:%d", pid);
- bpf_printk("# p:%d a:%d a:%d", key.port, key.addr[0], key.addr[1]);
-#endif
- }
return 0;
}
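Review bot: The hook now writes straight into `syscall->bind` instead of filling a zeroed local first, so fields that a given path does not write keep whatever the cache entry already held. For `AF_INET` only 4 bytes of `bind.addr` are written, for other families `port` and `addr` are not touched, and for socket types other than `SOCK_STREAM` / `SOCK_DGRAM` the protocol is not reset (the removed code stored 0 in those cases). Unless the entry is known to be zeroed when it is cached, which this hunk does not show, I would clear the fields before the reads, e.g. `syscall->bind.addr[0] = 0; syscall->bind.addr[1] = 0; syscall->bind.port = 0;`, and set the protocol to 0 before the `socket_type` test. The protocol is also still stored in `syscall->connect.protocol` from the bind hook, which looks like the wrong member. The same pattern applies to `hook_security_socket_connect` in hooks/network/connect.h.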
diff --git a/pkg/security/ebpf/c/include/hooks/network/connect.h b/pkg/security/ebpf/c/include/hooks/network/connect.h
index 65f520dcb3e950..1c278660abdcb0 100644
--- a/pkg/security/ebpf/c/include/hooks/network/connect.h
+++ b/pkg/security/ebpf/c/include/hooks/network/connect.h
@@ -62,48 +62,35 @@ HOOK_ENTRY("security_socket_connect")
int hook_security_socket_connect(ctx_t *ctx) {
struct socket *sk = (struct socket *)CTX_PARM1(ctx);
struct sockaddr *address = (struct sockaddr *)CTX_PARM2(ctx);
- struct pid_route_t key = {};
- u16 family = 0;
- u16 protocol = 0;
short socket_type = 0;
-
+
+ // fill syscall_cache if necessary
+ struct syscall_cache_t *syscall = peek_syscall(EVENT_CONNECT);
+ if (!syscall) {
+ return 0;
+ }
+
// Extract IP and port from the sockaddr structure
- bpf_probe_read(&family, sizeof(family), &address->sa_family);
+ bpf_probe_read(&syscall->connect.family, sizeof(syscall->connect.family), &address->sa_family);
- if (family == AF_INET) {
+ if (syscall->connect.family == AF_INET) {
struct sockaddr_in *addr_in = (struct sockaddr_in *)address;
- bpf_probe_read(&key.port, sizeof(addr_in->sin_port), &addr_in->sin_port);
- bpf_probe_read(&key.addr, sizeof(addr_in->sin_addr.s_addr), &addr_in->sin_addr.s_addr);
- } else if (family == AF_INET6) {
+ bpf_probe_read(&syscall->connect.port, sizeof(addr_in->sin_port), &addr_in->sin_port);
+ bpf_probe_read(&syscall->connect.addr, sizeof(addr_in->sin_addr.s_addr), &addr_in->sin_addr.s_addr);
+ } else if (syscall->connect.family == AF_INET6) {
struct sockaddr_in6 *addr_in6 = (struct sockaddr_in6 *)address;
- bpf_probe_read(&key.port, sizeof(addr_in6->sin6_port), &addr_in6->sin6_port);
- bpf_probe_read(&key.addr, sizeof(u64) * 2, (char *)addr_in6 + offsetof(struct sockaddr_in6, sin6_addr));
+ bpf_probe_read(&syscall->connect.port, sizeof(addr_in6->sin6_port), &addr_in6->sin6_port);
+ bpf_probe_read(&syscall->connect.addr, sizeof(u64) * 2, (char *)addr_in6 + offsetof(struct sockaddr_in6, sin6_addr));
}
bpf_probe_read(&socket_type, sizeof(socket_type), &sk->type);
// We only handle TCP and UDP sockets for now
if (socket_type == SOCK_STREAM) {
- protocol = IPPROTO_TCP;
+ syscall->connect.protocol = IPPROTO_TCP;
} else if (socket_type == SOCK_DGRAM) {
- protocol = IPPROTO_UDP;
+ syscall->connect.protocol = IPPROTO_UDP;
}
-
- // fill syscall_cache if necessary
- struct syscall_cache_t *syscall = peek_syscall(EVENT_CONNECT);
- if (syscall) {
- syscall->connect.addr[0] = key.addr[0];
- syscall->connect.addr[1] = key.addr[1];
- syscall->connect.port = key.port;
- syscall->connect.family = family;
- syscall->connect.protocol = protocol;
- }
-
- // Only handle AF_INET and AF_INET6
- if (family != AF_INET && family != AF_INET6) {
- return 0;
- }
-
return 0;
}
diff --git a/pkg/security/ebpf/c/include/hooks/network/dns.h b/pkg/security/ebpf/c/include/hooks/network/dns.h
index 46fd79393fa7d9..831776d1e964a9 100644
--- a/pkg/security/ebpf/c/include/hooks/network/dns.h
+++ b/pkg/security/ebpf/c/include/hooks/network/dns.h
@@ -1,8 +1,9 @@
#ifndef _HOOKS_NETWORK_DNS_H_
#define _HOOKS_NETWORK_DNS_H_
-#include "helpers/dns.h"
-#include "helpers/network.h"
+#include "helpers/network/dns.h"
+#include "helpers/network/parser.h"
+#include "helpers/network/router.h"
#include "perf_ring.h"
__attribute__((always_inline)) int parse_dns_request(struct __sk_buff *skb, struct packet_t *pkt, struct dns_event_t *evt) {
diff --git a/pkg/security/ebpf/c/include/hooks/network/flow.h b/pkg/security/ebpf/c/include/hooks/network/flow.h
index 22a63a8ff8dd18..0cadb0f02dcb63 100644
--- a/pkg/security/ebpf/c/include/hooks/network/flow.h
+++ b/pkg/security/ebpf/c/include/hooks/network/flow.h
@@ -3,45 +3,108 @@
#include "constants/offsets/network.h"
#include "constants/offsets/netns.h"
-#include "helpers/network.h"
+#include "helpers/network/pid_resolver.h"
+#include "helpers/network/utils.h"
HOOK_ENTRY("security_sk_classify_flow")
int hook_security_sk_classify_flow(ctx_t *ctx) {
struct sock *sk = (struct sock *)CTX_PARM1(ctx);
struct flowi *fl = (struct flowi *)CTX_PARM2(ctx);
struct pid_route_t key = {};
+ struct pid_route_entry_t value = {};
union flowi_uli uli;
- u16 family = get_family_from_sock_common((void *)sk);
- if (family == AF_INET6) {
- bpf_probe_read(&key.addr, sizeof(u64) * 2, (void *)fl + get_flowi6_saddr_offset());
+ // There can be a missmatch between the family of the socket and the family of the flow.
+ // The socket can be of AF_INET6, and yet the flow could be AF_INET.
+ // See https://man7.org/linux/man-pages/man7/ipv6.7.html for more.
+
+ // In our case, this means that we need to "guess" if the flow is AF_INET or AF_INET6 when the socket is AF_INET6.
+ u16 flow_family = get_family_from_sock_common((void *)sk);
+ u16 sk_port = get_skc_num_from_sock_common((void *)sk);
+ if (flow_family == AF_INET6) {
+ // check if the source port of the flow matches with the bound port of the socket
bpf_probe_read(&uli, sizeof(uli), (void *)fl + get_flowi6_uli_offset());
bpf_probe_read(&key.port, sizeof(key.port), &uli.ports.sport);
- } else if (family == AF_INET) {
- bpf_probe_read(&key.addr, sizeof(u32), (void *)fl + get_flowi4_saddr_offset());
+
+ // if they don't match, then this is likely an AF_INET socket
+ if (sk_port != key.port) {
+ flow_family = AF_INET;
+ } else {
+ // this is an AF_INET6 flow
+ bpf_probe_read(&key.addr, sizeof(u64) * 2, (void *)fl + get_flowi6_saddr_offset());
+ // TODO: fill l4_protocol, but wait for implementation on security_socket_bind to be ready first
+ // bpf_probe_read(&key.l4_protocol, 1, (void *)fl + get_flowi6_proto_offset());
+ }
+ }
+ if (flow_family == AF_INET) {
+ // make sure the ports match
bpf_probe_read(&uli, sizeof(uli), (void *)fl + get_flowi4_uli_offset());
bpf_probe_read(&key.port, sizeof(key.port), &uli.ports.sport);
- } else {
+
+ // if they don't match, return now, we don't know how to handle this flow
+ if (sk_port != key.port) {
+ return 0;
+ } else {
+ // This is an AF_INET flow
+ bpf_probe_read(&key.addr, sizeof(u32), (void *)fl + get_flowi4_saddr_offset());
+ // TODO: fill l4_protocol, but wait for implementation on security_socket_bind to be ready first
+ // bpf_probe_read(&key.l4_protocol, 1, (void *)fl + get_flowi4_proto_offset());
+ }
+ }
+ if (flow_family != AF_INET && flow_family != AF_INET6) {
+ // ignore these flows for now
return 0;
}
+ bpf_get_current_comm(&value.comm, sizeof(value.comm));
+
+ // add netns information
+ key.netns = get_netns_from_sock(sk);
+
+#if defined(DEBUG_NETWORK_FLOW)
+ bpf_printk("security_sk_classify_flow");
+ bpf_printk(" p:%d a:%lu a:%lu", key.port, key.addr[0], key.addr[1]);
+#endif
+
+ if (is_sk_storage_supported()) {
+ // check if the socket already has an active flow
+ // This requires kernel v5.11+ (https://github.com/torvalds/linux/commit/8e4597c627fb48f361e2a5b012202cb1b6cbcd5e)
+ struct pid_route_t *existing_route = bpf_sk_storage_get(&sock_active_pid_route, sk, 0, BPF_SK_STORAGE_GET_F_CREATE);
+ if (existing_route != NULL) {
+ if (existing_route->port != 0 || existing_route->addr[0] != 0 || existing_route->addr[1] != 0) {
+
+ #if defined(DEBUG_NETWORK_FLOW)
+ bpf_printk("flushing previous entry p:%d a:%lu a:%lu ...", existing_route->port, existing_route->addr[0], existing_route->addr[1]);
+ #endif
+
+ // delete existing entry
+ bpf_map_delete_elem(&flow_pid, existing_route);
+ existing_route->addr[0] = 0;
+ existing_route->addr[1] = 0;
+ bpf_map_delete_elem(&flow_pid, existing_route);
+ }
+
+ // register the new one in the sock_active_pid_route map
+ *existing_route = key;
+ }
+ }
+
// Register service PID
if (key.port != 0) {
u64 id = bpf_get_current_pid_tgid();
u32 tid = (u32)id;
- u32 pid = id >> 32;
+ value.pid = id >> 32;
+ value.type = FLOW_CLASSIFICATION_ENTRY;
- // add netns information
- key.netns = get_netns_from_sock(sk);
if (key.netns != 0) {
bpf_map_update_elem(&netns_cache, &tid, &key.netns, BPF_ANY);
}
- bpf_map_update_elem(&flow_pid, &key, &pid, BPF_ANY);
+ bpf_map_update_elem(&flow_pid, &key, &value, BPF_ANY);
#if defined(DEBUG_NETWORK_FLOW)
- bpf_printk("# registered (flow) pid:%d netns:%u", pid, key.netns);
- bpf_printk("# p:%d a:%d a:%d", key.port, key.addr[0], key.addr[1]);
+ bpf_printk("# registered (flow) pid:%d netns:%u", value.pid, key.netns);
+ bpf_printk("# p:%d a:%lu a:%lu", key.port, key.addr[0], key.addr[1]);
#endif
}
return 0;
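Review bot: The sk_storage cleanup in `hook_security_sk_classify_flow` deletes the previous route and then its wildcard-address variant from `flow_pid` without looking at the entry type. `hook_nf_ct_delete`, added later in this file, only removes `FLOW_CLASSIFICATION_ENTRY` values so that `BIND_ENTRY` registrations survive; here a listener registered by `rethook_inet_bind` on the wildcard address for the same port and netns could be removed, and later packets for that port would lose their PID. A small typed delete helper, shown below, would make the call sites consistent. `handle_sk_release` in the next hunk also deletes unconditionally and needs a decision on whether a closing connection socket should take the bind entry with it. The function's closing brace is outside this hunk.

```c
// Deletes a flow_pid entry only when it was created by flow classification,
// leaving BIND_ENTRY registrations in place.
__attribute__((always_inline)) void delete_flow_classification_entry(struct pid_route_t *route) {
    struct pid_route_entry_t *entry = bpf_map_lookup_elem(&flow_pid, route);
    if (entry != NULL && entry->type == FLOW_CLASSIFICATION_ENTRY) {
        bpf_map_delete_elem(&flow_pid, route);
    }
}

// … unchanged: family detection, netns lookup, bpf_sk_storage_get …

            // delete existing entry
            delete_flow_classification_entry(existing_route);
            existing_route->addr[0] = 0;
            existing_route->addr[1] = 0;
            delete_flow_classification_entry(existing_route);
```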
@@ -89,4 +152,293 @@ int hook_nf_nat_packet(ctx_t *ctx) {
return trace_nat_manip_pkt(ct);
}
+__attribute__((always_inline)) void fill_pid_route_from_sflow(struct pid_route_t *route, struct namespaced_flow_t *ns_flow) {
+ route->addr[0] = ns_flow->flow.saddr[0];
+ route->addr[1] = ns_flow->flow.saddr[1];
+ route->port = ns_flow->flow.sport;
+ route->netns = ns_flow->netns;
+}
+
+HOOK_ENTRY("nf_ct_delete")
+int hook_nf_ct_delete(ctx_t *ctx) {
+ struct nf_conn *ct = (struct nf_conn *)CTX_PARM1(ctx);
+ u32 netns = get_netns_from_nf_conn(ct);
+
+ struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
+ bpf_probe_read(&tuplehash, sizeof(tuplehash), &ct->tuplehash);
+ struct nf_conntrack_tuple *orig_tuple = &tuplehash[IP_CT_DIR_ORIGINAL].tuple;
+ struct nf_conntrack_tuple *reply_tuple = &tuplehash[IP_CT_DIR_REPLY].tuple;
+
+ // parse nat flows
+ struct namespaced_flow_t orig = {
+ .netns = netns,
+ };
+ struct namespaced_flow_t reply = {
+ .netns = netns,
+ };
+ parse_tuple(orig_tuple, &orig.flow);
+ parse_tuple(reply_tuple, &reply.flow);
+
+#if defined(DEBUG_NETWORK_FLOW)
+ bpf_printk("nf_ct_delete");
+ bpf_printk(" - src p:%d a:%lu a:%lu", orig.flow.sport, orig.flow.saddr[0], orig.flow.saddr[1]);
+ bpf_printk(" - dst p:%d a:%lu a:%lu", orig.flow.dport, orig.flow.daddr[0], orig.flow.daddr[1]);
+#endif
+
+ // clean up entries in the conntrack map
+ bpf_map_delete_elem(&conntrack, &reply);
+ flip(&reply.flow);
+ bpf_map_delete_elem(&conntrack, &reply);
+
+ // Between NAT operations and network direction, both `orig` and `reply` could hold entries
+ // in `flow_pid`, clean up all matching non-"BIND_ENTRY" entries.
+ struct pid_route_t route = {};
+
+ // start with orig
+ fill_pid_route_from_sflow(&route, &orig);
+ struct pid_route_entry_t *value = bpf_map_lookup_elem(&flow_pid, &route);
+ if (value != NULL) {
+ if (value->type == FLOW_CLASSIFICATION_ENTRY) {
+ bpf_map_delete_elem(&flow_pid, &route);
+ }
+ } else {
+ // try with no IP
+ route.addr[0] = 0;
+ route.addr[1] = 0;
+ value = bpf_map_lookup_elem(&flow_pid, &route);
+ if (value != NULL) {
+ if (value->type == FLOW_CLASSIFICATION_ENTRY) {
+ bpf_map_delete_elem(&flow_pid, &route);
+ }
+ }
+ }
+
+ // flip orig and try again
+ flip(&orig.flow);
+ fill_pid_route_from_sflow(&route, &orig);
+ value = bpf_map_lookup_elem(&flow_pid, &route);
+ if (value != NULL) {
+ if (value->type == FLOW_CLASSIFICATION_ENTRY) {
+ bpf_map_delete_elem(&flow_pid, &route);
+ }
+ } else {
+ // try with no IP
+ route.addr[0] = 0;
+ route.addr[1] = 0;
+ value = bpf_map_lookup_elem(&flow_pid, &route);
+ if (value != NULL) {
+ if (value->type == FLOW_CLASSIFICATION_ENTRY) {
+ bpf_map_delete_elem(&flow_pid, &route);
+ }
+ }
+ }
+
+ // reply
+ fill_pid_route_from_sflow(&route, &reply);
+ value = bpf_map_lookup_elem(&flow_pid, &route);
+ if (value != NULL) {
+ if (value->type == FLOW_CLASSIFICATION_ENTRY) {
+ bpf_map_delete_elem(&flow_pid, &route);
+ }
+ } else {
+ // try with no IP
+ route.addr[0] = 0;
+ route.addr[1] = 0;
+ value = bpf_map_lookup_elem(&flow_pid, &route);
+ if (value != NULL) {
+ if (value->type == FLOW_CLASSIFICATION_ENTRY) {
+ bpf_map_delete_elem(&flow_pid, &route);
+ }
+ }
+ }
+
+ // flip reply and try again
+ flip(&reply.flow);
+ fill_pid_route_from_sflow(&route, &reply);
+ value = bpf_map_lookup_elem(&flow_pid, &route);
+ if (value != NULL) {
+ if (value->type == FLOW_CLASSIFICATION_ENTRY) {
+ bpf_map_delete_elem(&flow_pid, &route);
+ }
+ } else {
+ // try with no IP
+ route.addr[0] = 0;
+ route.addr[1] = 0;
+ value = bpf_map_lookup_elem(&flow_pid, &route);
+ if (value != NULL) {
+ if (value->type == FLOW_CLASSIFICATION_ENTRY) {
+ bpf_map_delete_elem(&flow_pid, &route);
+ }
+ }
+ }
+
+ return 0;
+}
+
+__attribute__((always_inline)) int handle_sk_release(struct sock *sk, u8 hook) {
+ struct pid_route_t route = {};
+
+ // copy netns
+ route.netns = get_netns_from_sock(sk);
+ if (route.netns == 0) {
+ return 0;
+ }
+
+ // copy port
+ route.port = get_skc_num_from_sock_common((void *)sk);
+
+ // copy ipv4 / ipv6
+ u16 family = get_family_from_sock_common((void *)sk);
+ if (family == AF_INET6) {
+ bpf_probe_read(&route.addr, sizeof(u64) * 2, &sk->__sk_common.skc_v6_rcv_saddr);
+
+#if defined(DEBUG_NETWORK_FLOW)
+ bpf_printk("sk_release hook:%d", hook);
+ bpf_printk(" netns:%u", route.netns);
+ bpf_printk(" v6 p:%d a:%lu a:%lu", route.port, route.addr[0], route.addr[1]);
+#endif
+
+ // clean up flow_pid entry
+ bpf_map_delete_elem(&flow_pid, &route);
+ // also clean up empty entry if it exists
+ route.addr[0] = 0;
+ route.addr[1] = 0;
+ bpf_map_delete_elem(&flow_pid, &route);
+
+ // We might be dealing with an AF_INET traffic over an AF_INET6 socket.
+ // To be sure, clean AF_INET entries as well.
+ family = AF_INET;
+ }
+ if (family == AF_INET) {
+ bpf_probe_read(&route.addr, sizeof(sk->__sk_common.skc_rcv_saddr), &sk->__sk_common.skc_rcv_saddr);
+
+#if defined(DEBUG_NETWORK_FLOW)
+ bpf_printk("sk_release hook:%d", hook);
+ bpf_printk(" netns:%u", route.netns);
+ bpf_printk(" v4 p:%d a:%lu a:%lu", route.port, route.addr[0], route.addr[1]);
+#endif
+
+ // clean up flow_pid entry
+ bpf_map_delete_elem(&flow_pid, &route);
+ // also clean up empty entry if it exists
+ route.addr[0] = 0;
+ route.addr[1] = 0;
+ bpf_map_delete_elem(&flow_pid, &route);
+ }
+ if (family != AF_INET && family != AF_INET6) {
+ // ignore, we don't handle other protocols for now
+ return 0;
+ }
+
+ return 0;
+}
+
+// for kernel-initiated socket cleanup (timeout or error)
+HOOK_ENTRY("sk_common_release")
+int hook_sk_common_release(ctx_t *ctx) {
+ struct sock *sk = (struct sock *)CTX_PARM1(ctx);
+ if (sk == NULL) {
+ return 0;
+ }
+ return handle_sk_release(sk, 1);
+}
+
+// for user-space initiated socket shutdown
+HOOK_ENTRY("inet_shutdown")
+int hook_inet_shutdown(ctx_t *ctx) {
+ struct socket *sock = (struct socket *)CTX_PARM1(ctx);
+ struct sock *sk;
+ bpf_probe_read(&sk, sizeof(sk), &sock->sk);
+ if (sk == NULL) {
+ return 0;
+ }
+
+ return handle_sk_release(sk, 7);
+}
+
+// for user space initiated socket termination
+HOOK_ENTRY("inet_release")
+int hook_inet_release(ctx_t *ctx) {
+ struct socket *sock = (struct socket *)CTX_PARM1(ctx);
+ struct sock *sk;
+ bpf_probe_read(&sk, sizeof(sk), &sock->sk);
+ if (sk == NULL) {
+ return 0;
+ }
+
+ return handle_sk_release(sk, 8);
+}
+
+HOOK_ENTRY("inet_bind")
+int hook_inet_bind(ctx_t *ctx) {
+ struct socket *sock = (struct socket *)CTX_PARM1(ctx);
+ struct inet_bind_args_t args = {};
+ args.sock = sock;
+ u64 pid = bpf_get_current_pid_tgid();
+ bpf_map_update_elem(&inet_bind_args, &pid, &args, BPF_ANY);
+ return 0;
+}
+
+HOOK_EXIT("inet_bind")
+int rethook_inet_bind(ctx_t *ctx) {
+ int ret = CTX_PARMRET(ctx, 3);
+ if (ret < 0) {
+ // we only care about successful bind operations
+ return 0;
+ }
+
+ // fetch inet_bind arguments
+ u64 id = bpf_get_current_pid_tgid();
+ u32 tid = (u32)id;
+ struct inet_bind_args_t *args = bpf_map_lookup_elem(&inet_bind_args, &id);
+ if (args == NULL) {
+ // should never happen, ignore
+ return 0;
+ }
+
+ struct socket *sock = args->sock;
+ if (sock == NULL) {
+ // should never happen, ignore
+ return 0;
+ }
+
+ struct sock *sk;
+ bpf_probe_read(&sk, sizeof(sk), &sock->sk);
+ if (sk == NULL) {
+ return 0;
+ }
+ struct pid_route_t route = {};
+ struct pid_route_entry_t value = {};
+ value.type = BIND_ENTRY;
+
+ // add netns information
+ route.netns = get_netns_from_sock(sk);
+ if (route.netns != 0) {
+ bpf_map_update_elem(&netns_cache, &tid, &route.netns, BPF_ANY);
+ }
+
+ // copy ipv4 / ipv6
+ u16 family = 0;
+ bpf_probe_read(&family, sizeof(family), &sk->__sk_common.skc_family);
+ if (family == AF_INET) {
+ bpf_probe_read(&route.addr, sizeof(sk->__sk_common.skc_rcv_saddr), &sk->__sk_common.skc_rcv_saddr);
+ } else if (family == AF_INET6) {
+ bpf_probe_read(&route.addr, sizeof(u64) * 2, &sk->__sk_common.skc_v6_rcv_saddr);
+ } else {
+ // we don't care about non IPv4 / IPV6 flows
+ return 0;
+ }
+
+ // copy port
+ bpf_probe_read(&route.port, sizeof(route.port), &sk->__sk_common.skc_num);
+ route.port = htons(route.port);
+
+ // Register service PID
+ if (route.port > 0) {
+ value.pid = id >> 32;
+ bpf_map_update_elem(&flow_pid, &route, &value, BPF_ANY);
+ }
+ return 0;
+}
+
#endif
diff --git a/pkg/security/ebpf/c/include/hooks/network/imds.h b/pkg/security/ebpf/c/include/hooks/network/imds.h
index b0b72559bf8ea4..1ca19b7e2e7307 100644
--- a/pkg/security/ebpf/c/include/hooks/network/imds.h
+++ b/pkg/security/ebpf/c/include/hooks/network/imds.h
@@ -1,8 +1,8 @@
#ifndef _HOOKS_NETWORK_IMDS_H_
#define _HOOKS_NETWORK_IMDS_H_
-#include "helpers/imds.h"
-#include "helpers/network.h"
+#include "helpers/network/imds.h"
+#include "helpers/network/parser.h"
#include "perf_ring.h"
SEC("classifier/imds_request")
diff --git a/pkg/security/ebpf/c/include/hooks/network/raw.h b/pkg/security/ebpf/c/include/hooks/network/raw.h
index 6f46f6b4eb1a2e..ad1ce69856f32d 100644
--- a/pkg/security/ebpf/c/include/hooks/network/raw.h
+++ b/pkg/security/ebpf/c/include/hooks/network/raw.h
@@ -1,14 +1,10 @@
#ifndef _HOOKS_NETWORK_RAW_H_
#define _HOOKS_NETWORK_RAW_H_
-#include "helpers/network.h"
+#include "helpers/network/parser.h"
+#include "helpers/network/raw.h"
#include "perf_ring.h"
-__attribute__((always_inline)) struct raw_packet_event_t *get_raw_packet_event() {
- u32 key = 0;
- return bpf_map_lookup_elem(&raw_packet_event, &key);
-}
-
SEC("classifier/raw_packet_sender")
int classifier_raw_packet_sender(struct __sk_buff *skb) {
struct packet_t *pkt = get_packet();
@@ -24,7 +20,7 @@ int classifier_raw_packet_sender(struct __sk_buff *skb) {
}
// process context
- fill_network_process_context(&evt->process, pkt);
+ fill_network_process_context_from_pkt(&evt->process, pkt);
struct proc_cache_t *entry = get_proc_cache(evt->process.pid);
if (entry == NULL) {
@@ -33,7 +29,7 @@ int classifier_raw_packet_sender(struct __sk_buff *skb) {
copy_container_id_no_tracing(entry->container.container_id, &evt->container.container_id);
}
- fill_network_device_context(&evt->device, skb, pkt);
+ fill_network_device_context_from_pkt(&evt->device, skb, pkt);
u32 len = evt->len;
if (len > sizeof(evt->data)) {
diff --git a/pkg/security/ebpf/c/include/hooks/network/router.h b/pkg/security/ebpf/c/include/hooks/network/router.h
index 93cca5f4889ee6..e69de29bb2d1d6 100644
--- a/pkg/security/ebpf/c/include/hooks/network/router.h
+++ b/pkg/security/ebpf/c/include/hooks/network/router.h
@@ -1,26 +0,0 @@
-#ifndef _HOOKS_NETWORK_ROUTER_H_
-#define _HOOKS_NETWORK_ROUTER_H_
-
-#include "helpers/network.h"
-
-__attribute__((always_inline)) int route_pkt(struct __sk_buff *skb, struct packet_t *pkt, int direction) {
- // TODO: l3 / l4 firewall
-
- // route DNS requests
- if (is_event_enabled(EVENT_DNS)) {
- if (pkt->l4_protocol == IPPROTO_UDP && pkt->translated_ns_flow.flow.dport == htons(53)) {
- bpf_tail_call_compat(skb, &classifier_router, DNS_REQUEST);
- }
- }
-
- // route IMDS requests
- if (is_event_enabled(EVENT_IMDS)) {
- if (pkt->l4_protocol == IPPROTO_TCP && ((pkt->ns_flow.flow.saddr[0] & 0xFFFFFFFF) == get_imds_ip() || (pkt->ns_flow.flow.daddr[0] & 0xFFFFFFFF) == get_imds_ip())) {
- bpf_tail_call_compat(skb, &classifier_router, IMDS_REQUEST);
- }
- }
-
- return ACT_OK;
-}
-
-#endif
diff --git a/pkg/security/ebpf/c/include/hooks/network/stats_worker.h b/pkg/security/ebpf/c/include/hooks/network/stats_worker.h
new file mode 100644
index 00000000000000..b0a80b0c8d076f
--- /dev/null
+++ b/pkg/security/ebpf/c/include/hooks/network/stats_worker.h
@@ -0,0 +1,31 @@
+#ifndef _HOOKS_NETWORK_WORKER_H_
+#define _HOOKS_NETWORK_WORKER_H_
+
+struct ctx_holder {
+ struct bpf_perf_event_data *ctx;
+};
+
+static long active_flows_callback_fn(struct bpf_map *map, const void *key, void *value, void *callback_ctx) {
+ u32 pid = *(u32 *)key;
+ struct active_flows_t *entry = (struct active_flows_t *) value;
+ struct bpf_perf_event_data *ctx = ((struct ctx_holder *) callback_ctx)->ctx;
+ return flush_network_stats(pid, entry, ctx, NETWORK_STATS_TICKER);
+}
+
+SEC("perf_event/cpu_clock")
+int network_stats_worker(struct bpf_perf_event_data *ctx)
+{
+ // we want only one worker for network stats
+ if (bpf_get_smp_processor_id() > 0) {
+ return 0;
+ }
+ struct ctx_holder holder = {};
+ holder.ctx = ctx;
+
+ // iterate over the list of active flows, send when need be
+ bpf_for_each_map_elem(&active_flows, &active_flows_callback_fn, &holder, 0);
+
+ return 0;
+};
+
+#endif
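Review bot: In `active_flows_callback_fn` the result of `flush_network_stats` is returned directly as the callback's return value, and for `bpf_for_each_map_elem` that value decides whether the walk continues (0) or stops (1). `flush_network_stats` is defined outside this hunk, so this is inferred: if it can return non-zero for a single entry, the first such PID ends the iteration and the remaining active flows are not flushed on that tick. Consider calling it for its side effect and ending the callback with `return 0;`, or add a comment stating that a non-zero result is meant to abort the walk. As a style point, the include guard `_HOOKS_NETWORK_WORKER_H_` does not match the file name `stats_worker.h`, and the `};` closing `network_stats_worker` carries a stray semicolon.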
diff --git a/pkg/security/ebpf/c/include/hooks/network/tc.h b/pkg/security/ebpf/c/include/hooks/network/tc.h
index 8445905aa3ccfc..5919e1d89885bb 100644
--- a/pkg/security/ebpf/c/include/hooks/network/tc.h
+++ b/pkg/security/ebpf/c/include/hooks/network/tc.h
@@ -1,9 +1,9 @@
#ifndef _HOOKS_NETWORK_TC_H_
#define _HOOKS_NETWORK_TC_H_
-#include "helpers/network.h"
-
-#include "router.h"
+#include "helpers/network/parser.h"
+#include "helpers/network/router.h"
+#include "helpers/network/pid_resolver.h"
#include "raw.h"
SEC("classifier/ingress")
@@ -12,6 +12,7 @@ int classifier_ingress(struct __sk_buff *skb) {
if (!pkt) {
return ACT_OK;
}
+ resolve_pid(pkt);
return route_pkt(skb, pkt, INGRESS);
};
@@ -22,6 +23,7 @@ int classifier_egress(struct __sk_buff *skb) {
if (!pkt) {
return ACT_OK;
}
+ resolve_pid(pkt);
return route_pkt(skb, pkt, EGRESS);
};
@@ -68,6 +70,7 @@ int classifier_raw_packet_ingress(struct __sk_buff *skb) {
if (!pkt) {
return ACT_OK;
}
+ resolve_pid(pkt);
// do not handle packet without process context
if (pkt->pid < 0) {
@@ -93,6 +96,7 @@ int classifier_raw_packet_egress(struct __sk_buff *skb) {
if (!pkt) {
return ACT_OK;
}
+ resolve_pid(pkt);
// do not handle packet without process context
if (pkt->pid < 0) {
diff --git a/pkg/security/ebpf/c/include/hooks/procfs.h b/pkg/security/ebpf/c/include/hooks/procfs.h
index 9dbbfd063dc5f7..db43ea72f40678 100644
--- a/pkg/security/ebpf/c/include/hooks/procfs.h
+++ b/pkg/security/ebpf/c/include/hooks/procfs.h
@@ -4,6 +4,7 @@
#include "constants/custom.h"
#include "constants/offsets/filesystem.h"
#include "constants/offsets/netns.h"
+#include "constants/offsets/network.h"
#include "helpers/filesystem.h"
#include "helpers/utils.h"
@@ -78,6 +79,9 @@ int hook_path_get(ctx_t *ctx) {
struct path *p = (struct path *)CTX_PARM1(ctx);
struct file *sock_file = (void *)p - f_path_offset;
struct pid_route_t route = {};
+ struct pid_route_entry_t value = {};
+ value.pid = *procfs_pid;
+ value.type = PROCFS_ENTRY;
struct socket *sock;
bpf_probe_read(&sock, sizeof(sock), &sock_file->private_data);
@@ -96,23 +100,27 @@ int hook_path_get(ctx_t *ctx) {
return 0;
}
- u16 family = 0;
- bpf_probe_read(&family, sizeof(family), &sk->__sk_common.skc_family);
+ route.port = get_skc_num_from_sock_common((void *)sk);
+ if (route.port == 0) {
+ // without a port we can't do much, leave early
+ return 0;
+ }
+
+ u16 family = get_family_from_sock_common((void *)sk);
+ if (family == AF_INET6) {
+ bpf_probe_read(&route.addr, sizeof(u64) * 2, &sk->__sk_common.skc_v6_rcv_saddr);
+ bpf_map_update_elem(&flow_pid, &route, &value, BPF_ANY);
+
+ // This AF_INET6 socket might also handle AF_INET traffic, store a mapping to AF_INET too
+ family = AF_INET;
+ }
if (family == AF_INET) {
bpf_probe_read(&route.addr, sizeof(sk->__sk_common.skc_rcv_saddr), &sk->__sk_common.skc_rcv_saddr);
- } else if (family == AF_INET6) {
- bpf_probe_read(&route.addr, sizeof(u64) * 2, &sk->__sk_common.skc_v6_rcv_saddr);
+ bpf_map_update_elem(&flow_pid, &route, &value, BPF_ANY);
} else {
+ // ignore unsupported traffic for now
return 0;
}
- bpf_probe_read(&route.port, sizeof(route.port), &sk->__sk_common.skc_num);
- // Calling htons is necessary to support snapshotted bound port. Without it, we're can't properly route incoming
- // traffic to the relevant process.
- route.port = htons(route.port);
-
- // save pid route
- u32 pid = *procfs_pid;
- bpf_map_update_elem(&flow_pid, &route, &pid, BPF_ANY);
#if defined(DEBUG_NETNS)
bpf_printk("path_get netns: %u", route.netns);
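Review bot: In the dual-stack path of `hook_path_get`, the AF_INET entry is written with a key that still holds 12 bytes of the IPv6 address. `route.addr` is filled with 16 bytes from `skc_v6_rcv_saddr`, and the following `family == AF_INET` branch overwrites only `sizeof(skc_rcv_saddr)` bytes before the second `bpf_map_update_elem`. Unless the socket is bound to `::`, that key is unlikely to match an IPv4 lookup, so the flow-to-PID attribution for IPv4 traffic on such sockets would be missed. Clearing the key first would avoid it: `route.addr[0] = 0; route.addr[1] = 0;` before the IPv4 `bpf_probe_read`. Separately, the removed code applied `htons` to the port with a comment saying it was required for snapshotted bound ports, and the `inet_bind` return hook in this diff still does. `get_skc_num_from_sock_common` is not visible here, so please confirm it returns the port in the same byte order, otherwise the two writers of `flow_pid` produce different keys.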
diff --git a/pkg/security/ebpf/c/include/maps.h b/pkg/security/ebpf/c/include/maps.h
index d6ab3ceb74dfb9..18764c5702392e 100644
--- a/pkg/security/ebpf/c/include/maps.h
+++ b/pkg/security/ebpf/c/include/maps.h
@@ -7,6 +7,14 @@
#include "constants/enums.h"
#include "structs/all.h"
+#define BPF_SK_MAP(_name, _value_type) \
+ struct { \
+ __uint(type, BPF_MAP_TYPE_SK_STORAGE); \
+ __type(value, _value_type); \
+ __uint(map_flags, BPF_F_NO_PREALLOC); \
+ __type(key, u32); \
+ } _name SEC(".maps");
+
BPF_ARRAY_MAP(path_id, u32, PATH_ID_MAP_SIZE)
BPF_ARRAY_MAP(enabled_events, u64, 1)
BPF_ARRAY_MAP(buffer_selector, u32, 4)
@@ -40,6 +48,7 @@ BPF_HASH_MAP(security_profiles, container_id_t, struct security_profile_t, 1) //
BPF_HASH_MAP(secprofs_syscalls, u64, struct security_profile_syscalls_t, 1) // max entries will be overriden at runtime
BPF_HASH_MAP(auid_approvers, u32, struct event_mask_filter_t, 128)
BPF_HASH_MAP(auid_range_approvers, u32, struct u32_range_filter_t, EVENT_MAX)
+BPF_HASH_MAP(active_flows_spin_locks, u32, struct active_flows_spin_lock_t, 1) // max entry will be overridden at runtime
BPF_LRU_MAP(activity_dump_rate_limiters, u64, struct activity_dump_rate_limiter_ctx, 1) // max entries will be overridden at runtime
BPF_LRU_MAP(mount_ref, u32, struct mount_ref_t, 64000)
@@ -54,8 +63,8 @@ BPF_LRU_MAP(exec_pid_transfer, u32, u64, 512)
BPF_LRU_MAP(netns_cache, u32, u32, 40960)
BPF_LRU_MAP(span_tls, u32, struct span_tls_t, 4096)
BPF_LRU_MAP(inode_discarders, struct inode_discarder_t, struct inode_discarder_params_t, 4096)
-BPF_LRU_MAP(flow_pid, struct pid_route_t, u32, 10240)
-BPF_LRU_MAP(conntrack, struct namespaced_flow_t, struct namespaced_flow_t, 4096)
+BPF_LRU_MAP(flow_pid, struct pid_route_t, struct pid_route_entry_t, 10240)
+BPF_LRU_MAP(conntrack, struct namespaced_flow_t, struct namespaced_flow_t, 4096) // TODO: size should be updated dynamically with "nf_conntrack_max"
BPF_LRU_MAP(io_uring_ctx_pid, void *, u64, 2048)
BPF_LRU_MAP(veth_state_machine, u64, struct veth_state_t, 1024)
BPF_LRU_MAP(veth_devices, struct device_ifindex_t, struct device_t, 1024)
@@ -65,11 +74,16 @@ BPF_LRU_MAP(syscall_table, struct syscall_table_key_t, u8, 50)
BPF_LRU_MAP(kill_list, u32, u32, 32)
BPF_LRU_MAP(user_sessions, struct user_session_key_t, struct user_session_t, 1024)
BPF_LRU_MAP(dentry_resolver_inputs, u64, struct dentry_resolver_input_t, 256)
+BPF_LRU_MAP(ns_flow_to_network_stats, struct namespaced_flow_t, struct network_stats_t, 4096) // TODO: size should be updated dynamically with "nf_conntrack_max"
+BPF_LRU_MAP(active_flows, u32, struct active_flows_t, 1) // max entries will be overridden at runtime
+BPF_LRU_MAP(inet_bind_args, u64, struct inet_bind_args_t, 1) // max entries will be overridden at runtime
BPF_LRU_MAP_FLAGS(tasks_in_coredump, u64, u8, 64, BPF_F_NO_COMMON_LRU)
BPF_LRU_MAP_FLAGS(syscalls, u64, struct syscall_cache_t, 1, BPF_F_NO_COMMON_LRU) // max entries will be overridden at runtime
BPF_LRU_MAP_FLAGS(pathnames, struct path_key_t, struct path_leaf_t, 1, BPF_F_NO_COMMON_LRU) // edited
+BPF_SK_MAP(sock_active_pid_route, struct pid_route_t);
+
BPF_PERCPU_ARRAY_MAP(dr_erpc_state, struct dr_erpc_state_t, 1)
BPF_PERCPU_ARRAY_MAP(cgroup_tracing_event_gen, struct cgroup_tracing_event_t, EVENT_GEN_SIZE)
BPF_PERCPU_ARRAY_MAP(cgroup_prefix, cgroup_prefix_t, 1)
@@ -89,6 +103,8 @@ BPF_PERCPU_ARRAY_MAP(selinux_write_buffer, struct selinux_write_buffer_t, 1)
BPF_PERCPU_ARRAY_MAP(is_new_kthread, u32, 1)
BPF_PERCPU_ARRAY_MAP(syscalls_stats, struct syscalls_stats_t, EVENT_MAX)
BPF_PERCPU_ARRAY_MAP(raw_packet_event, struct raw_packet_event_t, 1)
+BPF_PERCPU_ARRAY_MAP(network_flow_monitor_event_gen, struct network_flow_monitor_event_t, 1)
+BPF_PERCPU_ARRAY_MAP(active_flows_gen, struct active_flows_t, 1)
BPF_PERCPU_ARRAY_MAP(raw_packet_enabled, u32, 1)
BPF_PROG_ARRAY(args_envs_progs, 3)
diff --git a/pkg/security/ebpf/c/include/structs/network.h b/pkg/security/ebpf/c/include/structs/network.h
index c2c2293e046738..b1cb45ce09cfd2 100644
--- a/pkg/security/ebpf/c/include/structs/network.h
+++ b/pkg/security/ebpf/c/include/structs/network.h
@@ -5,6 +5,16 @@ struct pid_route_t {
u64 addr[2];
u32 netns;
u16 port;
+ // TODO: wait for implementation on security_socket_bind to be ready first
+ // u16 l4_protocol;
+};
+
+struct pid_route_entry_t {
+ u32 pid;
+ u32 type;
+ char comm[16];
+ u16 family;
+ u16 dport;
};
struct flow_t {
@@ -12,7 +22,23 @@ struct flow_t {
u64 daddr[2];
u16 sport;
u16 dport;
- u32 padding;
+ u16 l4_protocol;
+ u16 l3_protocol;
+};
+
+struct network_counters_t {
+ u64 data_size;
+ u64 pkt_count;
+};
+
+struct network_stats_t {
+ struct network_counters_t ingress;
+ struct network_counters_t egress;
+};
+
+struct flow_stats_t {
+ struct flow_t flow;
+ struct network_stats_t stats;
};
struct namespaced_flow_t {
@@ -20,6 +46,23 @@ struct namespaced_flow_t {
u32 netns;
};
+struct active_flows_t {
+ struct flow_t flows[ACTIVE_FLOWS_MAX_SIZE];
+
+ u64 last_sent;
+ u32 netns;
+ u32 ifindex;
+ u32 cursor;
+};
+
+struct active_flows_spin_lock_t {
+ struct bpf_spin_lock lock;
+};
+
+struct inet_bind_args_t {
+ struct socket *sock;
+};
+
struct device_t {
char name[16];
u32 netns;
@@ -66,7 +109,7 @@ struct packet_t {
u32 offset;
s64 pid;
u32 payload_len;
- u16 l4_protocol;
+ u32 network_direction;
};
struct network_device_context_t {
@@ -79,19 +122,7 @@ struct network_context_t {
struct flow_t flow;
u32 size;
- u16 l3_protocol;
- u16 l4_protocol;
-};
-
-struct raw_packet_event_t {
- struct kevent_t event;
- struct process_context_t process;
- struct span_context_t span;
- struct container_context_t container;
- struct network_device_context_t device;
-
- int len;
- char data[256];
+ u32 network_direction;
};
#endif
diff --git a/pkg/security/ebpf/c/include/tests/raw_packet_test.h b/pkg/security/ebpf/c/include/tests/raw_packet_test.h
index a00f55225b6ea8..0e06bb53b569ea 100644
--- a/pkg/security/ebpf/c/include/tests/raw_packet_test.h
+++ b/pkg/security/ebpf/c/include/tests/raw_packet_test.h
@@ -1,7 +1,7 @@
#ifndef _RAW_PACKET_TEST_H
#define _RAW_PACKET_TEST_H
-#include "helpers/network.h"
+#include "helpers/network/raw.h"
#include "baloum.h"
SEC("test/raw_packet_tail_calls")
diff --git a/pkg/security/ebpf/kernel/kernel.go b/pkg/security/ebpf/kernel/kernel.go
index 7ff8ef846ac9e4..a28db1e7bcd07a 100644
--- a/pkg/security/ebpf/kernel/kernel.go
+++ b/pkg/security/ebpf/kernel/kernel.go
@@ -328,6 +328,52 @@ func (k *Version) HaveRingBuffers() bool {
return features.HaveMapType(ebpf.RingBuf) == nil
}
+// HasSKStorage returns true if the kernel supports SK_STORAGE maps
+// See https://github.com/torvalds/linux/commit/6ac99e8f23d4b10258406ca0dd7bffca5f31da9d
+func (k *Version) HasSKStorage() bool {
+ if features.HaveMapType(ebpf.SkStorage) == nil {
+ return true
+ }
+
+ return k.Code != 0 && k.Code > Kernel5_2
+}
+
+// HasSKStorageInTracingPrograms returns true if the kernel supports SK_STORAGE maps in tracing programs
+// See https://github.com/torvalds/linux/commit/8e4597c627fb48f361e2a5b012202cb1b6cbcd5e
+func (k *Version) HasSKStorageInTracingPrograms() bool {
+ if !k.HasSKStorage() {
+ return false
+ }
+
+ if !k.HaveFentrySupport() {
+ return false
+ }
+
+ if features.HaveProgramHelper(ebpf.Tracing, asm.FnSkStorageGet) == nil {
+ return true
+ }
+ return k.Code != 0 && k.Code > Kernel5_11
+}
+
+// IsMapValuesToMapHelpersAllowed returns true if the kernel supports passing map values to map helpers
+// See https://github.com/torvalds/linux/commit/d71962f3e627b5941804036755c844fabfb65ff5
+func (k *Version) IsMapValuesToMapHelpersAllowed() bool {
+ return k.Code != 0 && k.Code > Kernel4_18
+}
+
+// HasBPFForEachMapElemHelper returns true if the kernel support the bpf_for_each_map_elem helper
+// See https://github.com/torvalds/linux/commit/69c087ba6225b574afb6e505b72cb75242a3d844
+func (k *Version) HasBPFForEachMapElemHelper() bool {
+ if !k.HaveFentrySupport() {
+ return false
+ }
+
+ if features.HaveProgramHelper(ebpf.Tracing, asm.FnForEachMapElem) == nil {
+ return true
+ }
+ return k.Code != 0 && k.Code > Kernel5_13
+}
+
// HavePIDLinkStruct returns whether the kernel uses the pid_link struct, which was removed in 4.19
func (k *Version) HavePIDLinkStruct() bool {
return k.Code != 0 && k.Code < Kernel4_19 && !k.IsRH8Kernel()
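Review bot: `HasSKStorage`, `HasSKStorageInTracingPrograms` and `HasBPFForEachMapElemHelper` treat any non-nil result from the feature probe as "unknown" and fall through to the version comparison. The cilium/ebpf probes return `ebpf.ErrNotSupported` when the kernel definitively lacks the feature, so a kernel above the version threshold whose probe says "not supported" is still reported as capable. Suggest honouring the definitive answer and keeping the version fallback only for inconclusive errors, e.g. `if err := features.HaveMapType(ebpf.SkStorage); err == nil { return true } else if errors.Is(err, ebpf.ErrNotSupported) { return false }` (this needs the `errors` import). The doc comment on `HasBPFForEachMapElemHelper` should also read "supports".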
diff --git a/pkg/security/ebpf/probes/all.go b/pkg/security/ebpf/probes/all.go
index 770d883b64dd7a..7999ff76ab7dd0 100644
--- a/pkg/security/ebpf/probes/all.go
+++ b/pkg/security/ebpf/probes/all.go
@@ -82,6 +82,7 @@ func AllProbes(fentry bool) []*manager.Probe {
allProbes = append(allProbes, getSyscallMonitorProbes()...)
allProbes = append(allProbes, getChdirProbes(fentry)...)
allProbes = append(allProbes, GetOnDemandProbes()...)
+ allProbes = append(allProbes, GetPerfEventProbes()...)
allProbes = append(allProbes,
&manager.Probe{
@@ -135,6 +136,13 @@ func AllMaps() []*manager.Map {
}
}
+// AllSKStorageMaps returns the list of SKStorage map section names
+func AllSKStorageMaps() []string {
+ return []string{
+ "sock_active_pid_route",
+ }
+}
+
func getMaxEntries(numCPU int, min int, max int) uint32 {
maxEntries := int(math.Min(float64(max), float64(min*numCPU)/4))
if maxEntries < min {
@@ -177,7 +185,18 @@ func AllMapSpecEditors(numCPU int, opts MapSpecEditorOpts) map[string]manager.Ma
MaxEntries: procPidCacheMaxEntries,
EditorFlag: manager.EditMaxEntries,
},
-
+ "active_flows": {
+ MaxEntries: procPidCacheMaxEntries,
+ EditorFlag: manager.EditMaxEntries,
+ },
+ "active_flows_spin_locks": {
+ MaxEntries: procPidCacheMaxEntries,
+ EditorFlag: manager.EditMaxEntries,
+ },
+ "inet_bind_args": {
+ MaxEntries: procPidCacheMaxEntries,
+ EditorFlag: manager.EditMaxEntries,
+ },
"activity_dumps_config": {
MaxEntries: model.MaxTracedCgroupsCount,
EditorFlag: manager.EditMaxEntries,
diff --git a/pkg/security/ebpf/probes/event_types.go b/pkg/security/ebpf/probes/event_types.go
index b70447dba6a595..63eeb425faf4f4 100644
--- a/pkg/security/ebpf/probes/event_types.go
+++ b/pkg/security/ebpf/probes/event_types.go
@@ -22,6 +22,7 @@ func NetworkNFNatSelectors() []manager.ProbesSelector {
&manager.OneOf{Selectors: []manager.ProbesSelector{
kprobeOrFentry("nf_nat_manip_pkt"),
kprobeOrFentry("nf_nat_packet"),
+ kprobeOrFentry("nf_ct_delete"),
}},
}
}
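Review bot: `nf_ct_delete` is added inside the same `manager.OneOf` as `nf_nat_manip_pkt` and `nf_nat_packet`, which changes what that selector guarantees. As far as I know, `OneOf` is satisfied when any one member attaches, so the selector now passes when only `nf_ct_delete` attaches and neither NAT hook does, and it equally passes when `nf_ct_delete` is missing. If the conntrack-delete hook is needed to expire flow entries, it should be in its own selector (an `AllOf`, or `BestEffort` if optional) so the NAT alternative keeps its original meaning. The enclosing `NetworkNFNatSelectors` starts outside this hunk.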
@@ -43,6 +44,10 @@ func NetworkSelectors() []manager.ProbesSelector {
kprobeOrFentry("security_socket_bind"),
kprobeOrFentry("security_socket_connect"),
kprobeOrFentry("security_sk_classify_flow"),
+ kprobeOrFentry("inet_release"),
+ kprobeOrFentry("inet_shutdown"),
+ kprobeOrFentry("inet_bind"),
+ kprobeOrFentry("sk_common_release"),
kprobeOrFentry("path_get"),
kprobeOrFentry("proc_fd_link"),
}},
@@ -465,10 +470,22 @@ func GetSelectorsPerEventType(fentry bool) map[eval.EventType][]manager.ProbesSe
&manager.OneOf{Selectors: ExpandSyscallProbesSelector(SecurityAgentUID, "chdir", fentry, EntryAndExit)},
&manager.OneOf{Selectors: ExpandSyscallProbesSelector(SecurityAgentUID, "fchdir", fentry, EntryAndExit)},
},
+
+ "network_flow_monitor": {
+ // perf_event probes
+ &manager.AllOf{Selectors: []manager.ProbesSelector{
+ &manager.ProbeSelector{
+ ProbeIdentificationPair: manager.ProbeIdentificationPair{
+ UID: SecurityAgentUID,
+ EBPFFuncName: "network_stats_worker",
+ },
+ },
+ }},
+ },
}
// Add probes required to track network interfaces and map network flows to processes
- // networkEventTypes: dns, imds, packet
+ // networkEventTypes: dns, imds, packet, network_monitor
networkEventTypes := model.GetEventTypePerCategory(model.NetworkCategory)[model.NetworkCategory]
for _, networkEventType := range networkEventTypes {
selectorsPerEventTypeStore[networkEventType] = []manager.ProbesSelector{
diff --git a/pkg/security/ebpf/probes/flow.go b/pkg/security/ebpf/probes/flow.go
index c09c741c572ad1..07170d14e97120 100644
--- a/pkg/security/ebpf/probes/flow.go
+++ b/pkg/security/ebpf/probes/flow.go
@@ -18,6 +18,30 @@ func getFlowProbes() []*manager.Probe {
EBPFFuncName: "hook_security_sk_classify_flow",
},
},
+ {
+ ProbeIdentificationPair: manager.ProbeIdentificationPair{
+ UID: SecurityAgentUID,
+ EBPFFuncName: "hook_inet_release",
+ },
+ },
+ {
+ ProbeIdentificationPair: manager.ProbeIdentificationPair{
+ UID: SecurityAgentUID,
+ EBPFFuncName: "hook_sk_common_release",
+ },
+ },
+ {
+ ProbeIdentificationPair: manager.ProbeIdentificationPair{
+ UID: SecurityAgentUID,
+ EBPFFuncName: "hook_inet_shutdown",
+ },
+ },
+ {
+ ProbeIdentificationPair: manager.ProbeIdentificationPair{
+ UID: SecurityAgentUID,
+ EBPFFuncName: "hook_inet_bind",
+ },
+ },
{
ProbeIdentificationPair: manager.ProbeIdentificationPair{
UID: SecurityAgentUID,
@@ -30,6 +54,12 @@ func getFlowProbes() []*manager.Probe {
EBPFFuncName: "hook_nf_nat_packet",
},
},
+ {
+ ProbeIdentificationPair: manager.ProbeIdentificationPair{
+ UID: SecurityAgentUID,
+ EBPFFuncName: "hook_nf_ct_delete",
+ },
+ },
{
ProbeIdentificationPair: manager.ProbeIdentificationPair{
UID: SecurityAgentUID,
diff --git a/pkg/security/ebpf/probes/perf_event.go b/pkg/security/ebpf/probes/perf_event.go
new file mode 100644
index 00000000000000..5b9f766d82ec56
--- /dev/null
+++ b/pkg/security/ebpf/probes/perf_event.go
@@ -0,0 +1,30 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build linux
+
+// Package probes holds probes related files
+package probes
+
+import (
+ manager "github.com/DataDog/ebpf-manager"
+ "golang.org/x/sys/unix"
+)
+
+// GetPerfEventProbes returns the list of perf event Probes
+func GetPerfEventProbes() []*manager.Probe {
+ return []*manager.Probe{
+ {
+ ProbeIdentificationPair: manager.ProbeIdentificationPair{
+ UID: SecurityAgentUID,
+ EBPFFuncName: "network_stats_worker",
+ },
+ SampleFrequency: 1,
+ PerfEventType: unix.PERF_TYPE_SOFTWARE,
+ PerfEventConfig: unix.PERF_COUNT_SW_CPU_CLOCK,
+ PerfEventCPUCount: 1,
+ },
+ }
+}
diff --git a/pkg/security/probe/config/config.go b/pkg/security/probe/config/config.go
index c312bbdea31816..0f9430bac1bf04 100644
--- a/pkg/security/probe/config/config.go
+++ b/pkg/security/probe/config/config.go
@@ -121,6 +121,12 @@ type Config struct {
// RawNetworkClassifierHandle defines the handle at which CWS should insert its Raw TC classifiers.
RawNetworkClassifierHandle uint16
+ // NetworkFlowMonitorEnabled defines if the network flow monitor should be enabled.
+ NetworkFlowMonitorEnabled bool
+
+ // NetworkFlowMonitorPeriod defines the period at which collected flows should flushed to user space.
+ NetworkFlowMonitorPeriod time.Duration
+
// ProcessConsumerEnabled defines if the process-agent wants to receive kernel events
ProcessConsumerEnabled bool
@@ -173,6 +179,8 @@ func NewConfig() (*Config, error) {
NetworkClassifierPriority: uint16(getInt("network.classifier_priority")),
NetworkClassifierHandle: uint16(getInt("network.classifier_handle")),
RawNetworkClassifierHandle: uint16(getInt("network.raw_classifier_handle")),
+ NetworkFlowMonitorPeriod: getDuration("network.flow_monitor.period"),
+ NetworkFlowMonitorEnabled: getBool("network.flow_monitor.enabled"),
EventStreamUseRingBuffer: getBool("event_stream.use_ring_buffer"),
EventStreamBufferSize: getInt("event_stream.buffer_size"),
EventStreamUseFentry: getEventStreamFentryValue(),
@@ -313,6 +321,15 @@ func getInt(key string) int {
return pkgconfigsetup.SystemProbe().GetInt(newKey)
}
+func getDuration(key string) time.Duration {
+ deprecatedKey, newKey := getAllKeys(key)
+ if pkgconfigsetup.SystemProbe().IsSet(deprecatedKey) {
+ log.Warnf("%s has been deprecated: please set %s instead", deprecatedKey, newKey)
+ return pkgconfigsetup.SystemProbe().GetDuration(deprecatedKey)
+ }
+ return pkgconfigsetup.SystemProbe().GetDuration(newKey)
+}
+
func getString(key string) string {
deprecatedKey, newKey := getAllKeys(key)
if pkgconfigsetup.SystemProbe().IsSet(deprecatedKey) {
diff --git a/pkg/security/probe/constantfetch/constant_names.go b/pkg/security/probe/constantfetch/constant_names.go
index 2feab9c5e0402c..fd4926fcecc6b6 100644
--- a/pkg/security/probe/constantfetch/constant_names.go
+++ b/pkg/security/probe/constantfetch/constant_names.go
@@ -82,11 +82,16 @@ const (
OffsetNameSocketStructSK = "socket_sock_offset"
OffsetNameNFConnStructCTNet = "nf_conn_ct_net_offset"
OffsetNameSockCommonStructSKCFamily = "sock_common_skc_family_offset"
+ OffsetNameSockCommonStructSKCNum = "sock_common_skc_num_offset"
OffsetNameFlowI4StructSADDR = "flowi4_saddr_offset"
OffsetNameFlowI6StructSADDR = "flowi6_saddr_offset"
OffsetNameFlowI4StructULI = "flowi4_uli_offset"
OffsetNameFlowI6StructULI = "flowi6_uli_offset"
+ // TODO: needed for l4_protocol resolution, see network/flow.h
+ OffsetNameFlowI4StructProto = "flowi4_proto_offset"
+ OffsetNameFlowI6StructProto = "flowi6_proto_offset"
+
// Interpreter constants
OffsetNameLinuxBinprmStructFile = "binprm_file_offset"
diff --git a/pkg/security/probe/constantfetch/fallback.go b/pkg/security/probe/constantfetch/fallback.go
index 531edb59c29d34..751b2c303f7fee 100644
--- a/pkg/security/probe/constantfetch/fallback.go
+++ b/pkg/security/probe/constantfetch/fallback.go
@@ -113,8 +113,15 @@ func (f *FallbackConstantFetcher) appendRequest(id string) {
value = getNFConnCTNetOffset(f.kernelVersion)
case OffsetNameSockCommonStructSKCFamily:
value = getSockCommonSKCFamilyOffset(f.kernelVersion)
+ case OffsetNameSockCommonStructSKCNum:
+ value = getSockCommonSKCNumOffset(f.kernelVersion)
case OffsetNameFlowI4StructSADDR:
value = getFlowi4SAddrOffset(f.kernelVersion)
+ // TODO: needed for l4_protocol resolution, see network/flow.h
+ //case OffsetNameFlowI4StructProto:
+ // value = getFlowi4ProtoOffset(f.kernelVersion)
+ //case OffsetNameFlowI6StructProto:
+ // value = getFlowi6ProtoOffset(f.kernelVersion)
case OffsetNameFlowI6StructSADDR:
value = getFlowi6SAddrOffset(f.kernelVersion)
case OffsetNameFlowI4StructULI:
@@ -806,6 +813,10 @@ func getNFConnCTNetOffset(kv *kernel.Version) uint64 {
}
}
+func getSockCommonSKCNumOffset(_ *kernel.Version) uint64 {
+ return 14
+}
+
func getSockCommonSKCFamilyOffset(_ *kernel.Version) uint64 {
return 16
}
@@ -834,6 +845,16 @@ func getFlowi4SAddrOffset(kv *kernel.Version) uint64 {
return offset
}
+//nolint:deadcode,unused
+func getFlowi4ProtoOffset(kv *kernel.Version) uint64 {
+ return 18
+}
+
+//nolint:deadcode,unused
+func getFlowi6ProtoOffset(kv *kernel.Version) uint64 {
+ return 18
+}
+
func getFlowi4ULIOffset(kv *kernel.Version) uint64 {
return getFlowi4SAddrOffset(kv) + 8
}
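Review bot: `getFlowi4ProtoOffset` and `getFlowi6ProtoOffset` return a fixed 18 and ignore the kernel version. The neighbouring `getFlowi4SAddrOffset` in this file computes its offset from `kv`, which suggests the flowi layout is not stable across kernels. The functions are dead code for now, but once the TODO is wired in, a wrong offset would silently read the wrong byte as the L4 protocol. I would add a comment naming the layout the value 18 was taken from. Until the value is version-aware, declaring the parameter as `_ *kernel.Version` like `getSockCommonSKCNumOffset` would also remove the need for the `nolint` on the unused argument.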
diff --git a/pkg/security/probe/probe.go b/pkg/security/probe/probe.go
index 52fd27e3508c8d..b3bf1e45369c70 100644
--- a/pkg/security/probe/probe.go
+++ b/pkg/security/probe/probe.go
@@ -424,6 +424,11 @@ func (p *Probe) IsNetworkRawPacketEnabled() bool {
return p.IsNetworkEnabled() && p.Config.Probe.NetworkRawPacketEnabled
}
+// IsNetworkFlowMonitorEnabled returns whether the network flow monitor is enabled
+func (p *Probe) IsNetworkFlowMonitorEnabled() bool {
+ return p.IsNetworkEnabled() && p.Config.Probe.NetworkFlowMonitorEnabled
+}
+
// IsActivityDumpEnabled returns whether activity dump is enabled
func (p *Probe) IsActivityDumpEnabled() bool {
return p.Config.RuntimeSecurity.ActivityDumpEnabled
diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
index f06cbe8fa45aea..984e863fe1c34f 100644
--- a/pkg/security/probe/probe_ebpf.go
+++ b/pkg/security/probe/probe_ebpf.go
@@ -249,6 +249,16 @@ func (p *EBPFProbe) sanityChecks() error {
p.config.Probe.NetworkRawPacketEnabled = false
}
+ if p.config.Probe.NetworkFlowMonitorEnabled && !p.config.Probe.NetworkEnabled {
+ seclog.Warnf("The network flow monitor feature of CWS requires event_monitoring_config.network.enabled to be true, setting event_monitoring_config.network.flow_monitor.enabled to false")
+ p.config.Probe.NetworkFlowMonitorEnabled = false
+ }
+
+ if p.config.Probe.NetworkFlowMonitorEnabled && (!p.kernelVersion.IsMapValuesToMapHelpersAllowed() || !p.kernelVersion.HasBPFForEachMapElemHelper()) {
+ seclog.Warnf("The network flow monitor feature of CWS requires a more recent kernel (at least 5.13) with support for SK storage in Tracing programs and the bpf_for_each_elem map helper, setting event_monitoring_config.network.flow_monitor.enabled to false")
+ p.config.Probe.NetworkFlowMonitorEnabled = false
+ }
+
return nil
}
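Review bot: The second new check in `sanityChecks` warns about a requirement that its condition does not test. The message says the feature needs "support for SK storage in Tracing programs", but the condition only tests `IsMapValuesToMapHelpersAllowed()` and `HasBPFForEachMapElemHelper()`; `HasSKStorageInTracingPrograms()` is never consulted here. Either add it to the condition or drop that part of the message, depending on whether the SK-storage path is really mandatory (the `is_sk_storage_supported` constant elsewhere in this diff suggests it is optional). The helper is also named `bpf_for_each_map_elem`, not `bpf_for_each_elem`, in the message. `sanityChecks` begins outside this hunk.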
@@ -648,7 +658,7 @@ func (p *EBPFProbe) unmarshalContexts(data []byte, event *model.Event) (int, err
}
func eventWithNoProcessContext(eventType model.EventType) bool {
- return eventType == model.DNSEventType || eventType == model.IMDSEventType || eventType == model.RawPacketEventType || eventType == model.LoadModuleEventType || eventType == model.UnloadModuleEventType
+ return eventType == model.DNSEventType || eventType == model.IMDSEventType || eventType == model.RawPacketEventType || eventType == model.LoadModuleEventType || eventType == model.UnloadModuleEventType || eventType == model.NetworkFlowMonitorEventType
}
func (p *EBPFProbe) unmarshalProcessCacheEntry(ev *model.Event, data []byte) (int, error) {
@@ -1234,6 +1244,11 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
seclog.Errorf("failed to decode RawPacket event: %s (offset %d, len %d)", err, offset, len(data))
return
}
+ case model.NetworkFlowMonitorEventType:
+ if _, err = event.NetworkFlowMonitor.UnmarshalBinary(data[offset:]); err != nil {
+ seclog.Errorf("failed to decode NetworkFlowMonitor event: %s (offset %d, len %d)", err, offset, len(data))
+ return
+ }
case model.BindEventType:
if _, err = event.Bind.UnmarshalBinary(data[offset:]); err != nil {
seclog.Errorf("failed to decode bind event: %s (offset %d, len %d)", err, offset, len(data))
@@ -1281,6 +1296,14 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
// flush pending actions
p.processKiller.FlushPendingReports()
p.fileHasher.FlushPendingReports()
+
+ if event.GetEventType() == model.NetworkFlowMonitorEventType && event.PIDContext.Pid == 0 {
+ fmt.Printf("New flows ! interface: %s, flows_count: %d, type: %d\n", event.NetworkFlowMonitor.Device.IfName, event.NetworkFlowMonitor.FlowsCount, event.NetworkFlowMonitor.FlushNetworkStatsType)
+ eventJSON, err := serializers.MarshalEvent(event, nil)
+ if err == nil {
+ fmt.Printf("%s\n", eventJSON)
+ }
+ }
}
// AddDiscarderPushedCallback add a callback to the list of func that have to be called when a discarder is pushed to kernel
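Review bot: The block added at the end of `handleEvent` looks like leftover debugging. It writes every `NetworkFlowMonitor` event with PID 0 to stdout through `fmt.Printf`, followed by the fully serialized event. This bypasses `seclog` and its level control, puts flow data (interface, addresses, ports) on the agent's stdout, and runs `serializers.MarshalEvent` on the event-handling path for each such event while dropping its error. Suggest removing the block, or reducing it to a single `seclog.Debugf(...)` line without the JSON dump. `handleEvent` starts outside this hunk.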
@@ -1438,6 +1461,8 @@ func (p *EBPFProbe) validEventTypeForConfig(eventType string) bool {
return p.probe.IsNetworkEnabled()
case "packet":
return p.probe.IsNetworkRawPacketEnabled()
+ case "network_flow_monitor":
+ return p.probe.IsNetworkFlowMonitorEnabled()
}
return true
}
@@ -2138,6 +2163,18 @@ func NewEBPFProbe(probe *Probe, config *config.Config, opts Opts) (*EBPFProbe, e
Name: "syscall_monitor_event_period",
Value: uint64(config.RuntimeSecurity.ActivityDumpSyscallMonitorPeriod.Nanoseconds()),
},
+ manager.ConstantEditor{
+ Name: "network_monitor_period",
+ Value: uint64(config.Probe.NetworkFlowMonitorPeriod.Nanoseconds()),
+ },
+ manager.ConstantEditor{
+ Name: "is_sk_storage_supported",
+ Value: utils.BoolTouint64(p.useFentry && p.kernelVersion.HasSKStorageInTracingPrograms()),
+ },
+ manager.ConstantEditor{
+ Name: "is_network_flow_monitor_enabled",
+ Value: utils.BoolTouint64(p.config.Probe.NetworkFlowMonitorEnabled),
+ },
manager.ConstantEditor{
Name: "send_signal",
Value: utils.BoolTouint64(p.kernelVersion.SupportBPFSendSignal()),
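Review bot: `network_monitor_period` is set from `uint64(config.Probe.NetworkFlowMonitorPeriod.Nanoseconds())`, and no range check on that duration is visible in this diff. A zero duration becomes 0 and a negative one wraps to a very large uint64; depending on how the eBPF side compares against it (not visible here), that presumably means flushing on every tick or never. Consider validating it in `sanityChecks`, for example rejecting `p.config.Probe.NetworkFlowMonitorPeriod <= 0` by disabling the feature or applying a default, with a warning like the other checks there. `NewEBPFProbe` starts outside this hunk.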
@@ -2198,6 +2235,11 @@ func NewEBPFProbe(probe *Probe, config *config.Config, opts Opts) (*EBPFProbe, e
p.managerOptions.ExcludedFunctions = append(p.managerOptions.ExcludedFunctions, probes.GetRawPacketTCProgramFunctions()...)
}
+ if !p.kernelVersion.HasSKStorage() {
+ // prevent SK Storage map from being loaded
+ p.managerOptions.ExcludedMaps = append(p.managerOptions.ExcludedMaps, probes.AllSKStorageMaps()...)
+ }
+
if p.useFentry {
afBasedExcluder, err := newAvailableFunctionsBasedExcluder()
if err != nil {
@@ -2502,9 +2544,14 @@ func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher,
constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameDeviceStructNdNet, "struct net_device", "nd_net", "linux/netdevice.h")
constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSockCommonStructSKCNet, "struct sock_common", "skc_net", "net/sock.h")
constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSockCommonStructSKCFamily, "struct sock_common", "skc_family", "net/sock.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSockCommonStructSKCNum, "struct sock_common", "skc_num", "net/sock.h")
constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI4StructSADDR, "struct flowi4", "saddr", "net/flow.h")
+ // TODO: needed for l4_protocol resolution, see network/flow.h
+ // constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI4StructProto, "struct flowi4", "flowi4_proto", "net/flow.h")
constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI4StructULI, "struct flowi4", "uli", "net/flow.h")
constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI6StructSADDR, "struct flowi6", "saddr", "net/flow.h")
+ // TODO: needed for l4_protocol resolution, see network/flow.h
+ // constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI6StructProto, "struct flowi6", "flowi6_proto", "net/flow.h")
constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI6StructULI, "struct flowi6", "uli", "net/flow.h")
constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSocketStructSK, "struct socket", "sk", "linux/net.h")
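Review bot: The two commented-out `AppendOffsetofRequest` calls for `flowi4_proto` and `flowi6_proto` are left as dead code behind a TODO that has no owner or tracking reference. The TODO says these offsets are needed for l4_protocol resolution, and the schema added in this commit documents an `l4_protocol` field, so that field may not be reliably populated until they are enabled. Anyone writing detections on it should be told. I would drop the commented calls, keep a single `// TODO(<issue-id>): fetch flowi4_proto / flowi6_proto offsets for l4_protocol resolution (see network/flow.h)`, and state the limitation in the field's description. AppendProbeRequestsToFetcher starts and ends outside the hunk.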
diff --git a/pkg/security/proto/api/api.pb.go b/pkg/security/proto/api/api.pb.go
index e8fd80f24c5c89..01ba7855089bf0 100644
--- a/pkg/security/proto/api/api.pb.go
+++ b/pkg/security/proto/api/api.pb.go
@@ -2596,6 +2596,9 @@ type ActivityTreeStatsMessage struct {
DNSNodesCount int64 `protobuf:"varint,3,opt,name=DNSNodesCount,proto3" json:"DNSNodesCount,omitempty"`
SocketNodesCount int64 `protobuf:"varint,4,opt,name=SocketNodesCount,proto3" json:"SocketNodesCount,omitempty"`
ApproximateSize int64 `protobuf:"varint,5,opt,name=ApproximateSize,proto3" json:"ApproximateSize,omitempty"`
+ IMDSNodesCount int64 `protobuf:"varint,6,opt,name=IMDSNodesCount,proto3" json:"IMDSNodesCount,omitempty"`
+ SyscallNodesCount int64 `protobuf:"varint,7,opt,name=SyscallNodesCount,proto3" json:"SyscallNodesCount,omitempty"`
+ FlowNodesCount int64 `protobuf:"varint,8,opt,name=FlowNodesCount,proto3" json:"FlowNodesCount,omitempty"`
}
func (x *ActivityTreeStatsMessage) Reset() {
@@ -2665,6 +2668,27 @@ func (x *ActivityTreeStatsMessage) GetApproximateSize() int64 {
return 0
}
+func (x *ActivityTreeStatsMessage) GetIMDSNodesCount() int64 {
+ if x != nil {
+ return x.IMDSNodesCount
+ }
+ return 0
+}
+
+func (x *ActivityTreeStatsMessage) GetSyscallNodesCount() int64 {
+ if x != nil {
+ return x.SyscallNodesCount
+ }
+ return 0
+}
+
+func (x *ActivityTreeStatsMessage) GetFlowNodesCount() int64 {
+ if x != nil {
+ return x.FlowNodesCount
+ }
+ return 0
+}
+
type EventTypeState struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@@ -3451,7 +3475,7 @@ var file_pkg_security_proto_api_api_proto_rawDesc = []byte{
0x0b, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01,
0x28, 0x09, 0x52, 0x0b, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x49, 0x44, 0x12,
0x12, 0x0a, 0x04, 0x54, 0x61, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x04, 0x54,
- 0x61, 0x67, 0x73, 0x22, 0xec, 0x01, 0x0a, 0x18, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79,
+ 0x61, 0x67, 0x73, 0x22, 0xea, 0x02, 0x0a, 0x18, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79,
0x54, 0x72, 0x65, 0x65, 0x53, 0x74, 0x61, 0x74, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
0x12, 0x2c, 0x0a, 0x11, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x4e, 0x6f, 0x64, 0x65, 0x73,
0x43, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x11, 0x50, 0x72, 0x6f,
@@ -3466,185 +3490,193 @@ var file_pkg_security_proto_api_api_proto_rawDesc = []byte{
0x64, 0x65, 0x73, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x28, 0x0a, 0x0f, 0x41, 0x70, 0x70, 0x72,
0x6f, 0x78, 0x69, 0x6d, 0x61, 0x74, 0x65, 0x53, 0x69, 0x7a, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28,
0x03, 0x52, 0x0f, 0x41, 0x70, 0x70, 0x72, 0x6f, 0x78, 0x69, 0x6d, 0x61, 0x74, 0x65, 0x53, 0x69,
- 0x7a, 0x65, 0x22, 0x6e, 0x0a, 0x10, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65,
- 0x5f, 0x73, 0x74, 0x61, 0x74, 0x65, 0x12, 0x2a, 0x0a, 0x11, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x61,
- 0x6e, 0x6f, 0x6d, 0x61, 0x6c, 0x79, 0x5f, 0x6e, 0x61, 0x6e, 0x6f, 0x18, 0x01, 0x20, 0x01, 0x28,
- 0x04, 0x52, 0x0f, 0x6c, 0x61, 0x73, 0x74, 0x41, 0x6e, 0x6f, 0x6d, 0x61, 0x6c, 0x79, 0x4e, 0x61,
- 0x6e, 0x6f, 0x12, 0x2e, 0x0a, 0x13, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x5f, 0x70, 0x72, 0x6f, 0x66,
- 0x69, 0x6c, 0x65, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
- 0x11, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x53, 0x74, 0x61,
- 0x74, 0x65, 0x22, 0x9b, 0x02, 0x0a, 0x15, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x43, 0x6f,
- 0x6e, 0x74, 0x65, 0x78, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x1d, 0x0a, 0x0a,
- 0x66, 0x69, 0x72, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04,
- 0x52, 0x09, 0x66, 0x69, 0x72, 0x73, 0x74, 0x53, 0x65, 0x65, 0x6e, 0x12, 0x1b, 0x0a, 0x09, 0x6c,
- 0x61, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x08,
- 0x6c, 0x61, 0x73, 0x74, 0x53, 0x65, 0x65, 0x6e, 0x12, 0x58, 0x0a, 0x10, 0x65, 0x76, 0x65, 0x6e,
- 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x03,
- 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65,
- 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x2e, 0x45,
- 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x74,
- 0x72, 0x79, 0x52, 0x0e, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x53, 0x74, 0x61,
- 0x74, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x61, 0x67, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09,
- 0x52, 0x04, 0x74, 0x61, 0x67, 0x73, 0x1a, 0x58, 0x0a, 0x13, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x54,
- 0x79, 0x70, 0x65, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a,
- 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
- 0x2b, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15,
- 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x5f,
- 0x73, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01,
- 0x22, 0xa0, 0x06, 0x0a, 0x16, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f,
- 0x66, 0x69, 0x6c, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x26, 0x0a, 0x0e, 0x4c,
- 0x6f, 0x61, 0x64, 0x65, 0x64, 0x49, 0x6e, 0x4b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x18, 0x01, 0x20,
- 0x01, 0x28, 0x08, 0x52, 0x0e, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x64, 0x49, 0x6e, 0x4b, 0x65, 0x72,
- 0x6e, 0x65, 0x6c, 0x12, 0x38, 0x0a, 0x17, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x64, 0x49, 0x6e, 0x4b,
- 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x02,
- 0x20, 0x01, 0x28, 0x09, 0x52, 0x17, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x64, 0x49, 0x6e, 0x4b, 0x65,
- 0x72, 0x6e, 0x65, 0x6c, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x38, 0x0a,
- 0x08, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32,
- 0x1c, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65,
- 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x08, 0x53,
- 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x24, 0x0a, 0x0d, 0x50, 0x72, 0x6f, 0x66, 0x69,
- 0x6c, 0x65, 0x43, 0x6f, 0x6f, 0x6b, 0x69, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0d,
- 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x43, 0x6f, 0x6f, 0x6b, 0x69, 0x65, 0x12, 0x1e, 0x0a,
- 0x0a, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28,
- 0x09, 0x52, 0x0a, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x73, 0x12, 0x4a, 0x0a,
- 0x0d, 0x4c, 0x61, 0x73, 0x74, 0x41, 0x6e, 0x6f, 0x6d, 0x61, 0x6c, 0x69, 0x65, 0x73, 0x18, 0x06,
- 0x20, 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x4c, 0x61, 0x73, 0x74, 0x41,
- 0x6e, 0x6f, 0x6d, 0x61, 0x6c, 0x79, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4d,
- 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x02, 0x18, 0x01, 0x52, 0x0d, 0x4c, 0x61, 0x73, 0x74,
- 0x41, 0x6e, 0x6f, 0x6d, 0x61, 0x6c, 0x69, 0x65, 0x73, 0x12, 0x32, 0x0a, 0x09, 0x49, 0x6e, 0x73,
- 0x74, 0x61, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x61,
- 0x70, 0x69, 0x2e, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61,
- 0x67, 0x65, 0x52, 0x09, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x73, 0x12, 0x1a, 0x0a,
- 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x42, 0x02, 0x18,
- 0x01, 0x52, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x1c, 0x0a, 0x07, 0x56, 0x65, 0x72,
- 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x52, 0x07,
- 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x30, 0x0a, 0x08, 0x4d, 0x65, 0x74, 0x61, 0x64,
- 0x61, 0x74, 0x61, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x61, 0x70, 0x69, 0x2e,
- 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52,
- 0x08, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x16, 0x0a, 0x04, 0x54, 0x61, 0x67,
- 0x73, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x52, 0x04, 0x54, 0x61, 0x67,
- 0x73, 0x12, 0x33, 0x0a, 0x05, 0x53, 0x74, 0x61, 0x74, 0x73, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b,
- 0x32, 0x1d, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x54,
- 0x72, 0x65, 0x65, 0x53, 0x74, 0x61, 0x74, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52,
- 0x05, 0x53, 0x74, 0x61, 0x74, 0x73, 0x12, 0x2e, 0x0a, 0x12, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c,
- 0x65, 0x47, 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x18, 0x0d, 0x20, 0x01,
- 0x28, 0x09, 0x52, 0x12, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x47, 0x6c, 0x6f, 0x62, 0x61,
- 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x5b, 0x0a, 0x10, 0x70, 0x72, 0x6f, 0x66, 0x69, 0x6c,
- 0x65, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x73, 0x18, 0x0e, 0x20, 0x03, 0x28, 0x0b,
- 0x32, 0x30, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50,
- 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x2e, 0x50, 0x72,
- 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x73, 0x45, 0x6e, 0x74,
- 0x72, 0x79, 0x52, 0x0f, 0x70, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x43, 0x6f, 0x6e, 0x74, 0x65,
- 0x78, 0x74, 0x73, 0x1a, 0x5e, 0x0a, 0x14, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x43, 0x6f,
- 0x6e, 0x74, 0x65, 0x78, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b,
- 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a,
- 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x61,
- 0x70, 0x69, 0x2e, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78,
- 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a,
- 0x02, 0x38, 0x01, 0x22, 0x3f, 0x0a, 0x19, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50,
- 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73,
- 0x12, 0x22, 0x0a, 0x0c, 0x49, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x43, 0x61, 0x63, 0x68, 0x65,
- 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x49, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x43,
- 0x61, 0x63, 0x68, 0x65, 0x22, 0x6b, 0x0a, 0x1a, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79,
- 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61,
- 0x67, 0x65, 0x12, 0x37, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x01,
- 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72,
- 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
- 0x65, 0x52, 0x08, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x45,
- 0x72, 0x72, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x45, 0x72, 0x72, 0x6f,
- 0x72, 0x22, 0x55, 0x0a, 0x19, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f,
- 0x66, 0x69, 0x6c, 0x65, 0x53, 0x61, 0x76, 0x65, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x12, 0x38,
- 0x0a, 0x08, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
- 0x32, 0x1c, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53,
- 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x08,
- 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x22, 0x46, 0x0a, 0x1a, 0x53, 0x65, 0x63, 0x75,
- 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x53, 0x61, 0x76, 0x65, 0x4d,
- 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x18,
- 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x12, 0x0a, 0x04,
- 0x46, 0x69, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x46, 0x69, 0x6c, 0x65,
- 0x32, 0x8a, 0x0a, 0x0a, 0x0e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x4d, 0x6f, 0x64,
- 0x75, 0x6c, 0x65, 0x12, 0x3f, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73,
- 0x12, 0x13, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x50,
- 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75,
- 0x72, 0x69, 0x74, 0x79, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
- 0x22, 0x00, 0x30, 0x01, 0x12, 0x57, 0x0a, 0x10, 0x44, 0x75, 0x6d, 0x70, 0x50, 0x72, 0x6f, 0x63,
- 0x65, 0x73, 0x73, 0x43, 0x61, 0x63, 0x68, 0x65, 0x12, 0x1b, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x44,
- 0x75, 0x6d, 0x70, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x43, 0x61, 0x63, 0x68, 0x65, 0x50,
- 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x24, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75,
- 0x72, 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x43,
- 0x61, 0x63, 0x68, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x3f, 0x0a,
- 0x09, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x14, 0x2e, 0x61, 0x70, 0x69,
- 0x2e, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73,
- 0x1a, 0x1a, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x43,
- 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x30,
- 0x0a, 0x09, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x14, 0x2e, 0x61, 0x70,
- 0x69, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x50, 0x61, 0x72, 0x61, 0x6d,
- 0x73, 0x1a, 0x0b, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x00,
- 0x12, 0x4b, 0x0a, 0x0b, 0x52, 0x75, 0x6e, 0x53, 0x65, 0x6c, 0x66, 0x54, 0x65, 0x73, 0x74, 0x12,
- 0x16, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x52, 0x75, 0x6e, 0x53, 0x65, 0x6c, 0x66, 0x54, 0x65, 0x73,
- 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x22, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65,
- 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x53, 0x65, 0x6c, 0x66, 0x54, 0x65, 0x73, 0x74, 0x52, 0x65,
- 0x73, 0x75, 0x6c, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x55, 0x0a,
- 0x10, 0x47, 0x65, 0x74, 0x52, 0x75, 0x6c, 0x65, 0x53, 0x65, 0x74, 0x52, 0x65, 0x70, 0x6f, 0x72,
- 0x74, 0x12, 0x1b, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x75, 0x6c, 0x65, 0x53,
- 0x65, 0x74, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x22,
- 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x75, 0x6c, 0x65, 0x53, 0x65, 0x74, 0x52,
- 0x65, 0x70, 0x6f, 0x72, 0x74, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61,
- 0x67, 0x65, 0x22, 0x00, 0x12, 0x4f, 0x0a, 0x0e, 0x52, 0x65, 0x6c, 0x6f, 0x61, 0x64, 0x50, 0x6f,
- 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x12, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x52, 0x65, 0x6c,
- 0x6f, 0x61, 0x64, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x50, 0x61, 0x72, 0x61, 0x6d,
- 0x73, 0x1a, 0x20, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x52, 0x65, 0x6c, 0x6f, 0x61, 0x64, 0x50, 0x6f,
- 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x4d, 0x65, 0x73, 0x73,
- 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x5b, 0x0a, 0x14, 0x44, 0x75, 0x6d, 0x70, 0x4e, 0x65, 0x74,
- 0x77, 0x6f, 0x72, 0x6b, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x1f, 0x2e,
- 0x61, 0x70, 0x69, 0x2e, 0x44, 0x75, 0x6d, 0x70, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4e,
- 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x20,
- 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x44, 0x75, 0x6d, 0x70, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
- 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
- 0x22, 0x00, 0x12, 0x49, 0x0a, 0x0e, 0x44, 0x75, 0x6d, 0x70, 0x44, 0x69, 0x73, 0x63, 0x61, 0x72,
- 0x64, 0x65, 0x72, 0x73, 0x12, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x44, 0x75, 0x6d, 0x70, 0x44,
- 0x69, 0x73, 0x63, 0x61, 0x72, 0x64, 0x65, 0x72, 0x73, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a,
- 0x1a, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x44, 0x75, 0x6d, 0x70, 0x44, 0x69, 0x73, 0x63, 0x61, 0x72,
- 0x64, 0x65, 0x72, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x43, 0x0a,
- 0x0c, 0x44, 0x75, 0x6d, 0x70, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x12, 0x17, 0x2e,
- 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70,
- 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74,
- 0x69, 0x76, 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
- 0x22, 0x00, 0x12, 0x50, 0x0a, 0x11, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69,
- 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x73, 0x12, 0x1b, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63,
- 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x61,
- 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x1c, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76,
- 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x4c, 0x69, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61,
- 0x67, 0x65, 0x22, 0x00, 0x12, 0x4f, 0x0a, 0x10, 0x53, 0x74, 0x6f, 0x70, 0x41, 0x63, 0x74, 0x69,
- 0x76, 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x12, 0x1b, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41,
- 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x53, 0x74, 0x6f, 0x70, 0x50,
- 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x1c, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69,
- 0x76, 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x53, 0x74, 0x6f, 0x70, 0x4d, 0x65, 0x73, 0x73,
- 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x55, 0x0a, 0x12, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x63, 0x6f,
- 0x64, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x2e, 0x61, 0x70,
- 0x69, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71,
- 0x75, 0x65, 0x73, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x1e, 0x2e, 0x61, 0x70, 0x69,
- 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75,
- 0x65, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x15,
- 0x47, 0x65, 0x74, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x53,
- 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x1d, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69,
- 0x76, 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x50, 0x61,
- 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x1e, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76,
- 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x4d, 0x65, 0x73,
- 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x59, 0x0a, 0x14, 0x4c, 0x69, 0x73, 0x74,
- 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x73,
- 0x12, 0x1e, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50,
- 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73,
- 0x1a, 0x1f, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50,
- 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
- 0x65, 0x22, 0x00, 0x12, 0x58, 0x0a, 0x13, 0x53, 0x61, 0x76, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72,
- 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x12, 0x1e, 0x2e, 0x61, 0x70, 0x69,
- 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65,
- 0x53, 0x61, 0x76, 0x65, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x1f, 0x2e, 0x61, 0x70, 0x69,
- 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65,
- 0x53, 0x61, 0x76, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x42, 0x18, 0x5a,
- 0x16, 0x70, 0x6b, 0x67, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x70, 0x72,
- 0x6f, 0x74, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0x7a, 0x65, 0x12, 0x26, 0x0a, 0x0e, 0x49, 0x4d, 0x44, 0x53, 0x4e, 0x6f, 0x64, 0x65, 0x73, 0x43,
+ 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x49, 0x4d, 0x44, 0x53,
+ 0x4e, 0x6f, 0x64, 0x65, 0x73, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x2c, 0x0a, 0x11, 0x53, 0x79,
+ 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x4e, 0x6f, 0x64, 0x65, 0x73, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x18,
+ 0x07, 0x20, 0x01, 0x28, 0x03, 0x52, 0x11, 0x53, 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x4e, 0x6f,
+ 0x64, 0x65, 0x73, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x26, 0x0a, 0x0e, 0x46, 0x6c, 0x6f, 0x77,
+ 0x4e, 0x6f, 0x64, 0x65, 0x73, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x03,
+ 0x52, 0x0e, 0x46, 0x6c, 0x6f, 0x77, 0x4e, 0x6f, 0x64, 0x65, 0x73, 0x43, 0x6f, 0x75, 0x6e, 0x74,
+ 0x22, 0x6e, 0x0a, 0x10, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x5f, 0x73,
+ 0x74, 0x61, 0x74, 0x65, 0x12, 0x2a, 0x0a, 0x11, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x61, 0x6e, 0x6f,
+ 0x6d, 0x61, 0x6c, 0x79, 0x5f, 0x6e, 0x61, 0x6e, 0x6f, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52,
+ 0x0f, 0x6c, 0x61, 0x73, 0x74, 0x41, 0x6e, 0x6f, 0x6d, 0x61, 0x6c, 0x79, 0x4e, 0x61, 0x6e, 0x6f,
+ 0x12, 0x2e, 0x0a, 0x13, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x5f, 0x70, 0x72, 0x6f, 0x66, 0x69, 0x6c,
+ 0x65, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x65,
+ 0x76, 0x65, 0x6e, 0x74, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x53, 0x74, 0x61, 0x74, 0x65,
+ 0x22, 0x9b, 0x02, 0x0a, 0x15, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x43, 0x6f, 0x6e, 0x74,
+ 0x65, 0x78, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x66, 0x69,
+ 0x72, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09,
+ 0x66, 0x69, 0x72, 0x73, 0x74, 0x53, 0x65, 0x65, 0x6e, 0x12, 0x1b, 0x0a, 0x09, 0x6c, 0x61, 0x73,
+ 0x74, 0x5f, 0x73, 0x65, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x08, 0x6c, 0x61,
+ 0x73, 0x74, 0x53, 0x65, 0x65, 0x6e, 0x12, 0x58, 0x0a, 0x10, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x5f,
+ 0x74, 0x79, 0x70, 0x65, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b,
+ 0x32, 0x2e, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x43, 0x6f,
+ 0x6e, 0x74, 0x65, 0x78, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x2e, 0x45, 0x76, 0x65,
+ 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79,
+ 0x52, 0x0e, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x53, 0x74, 0x61, 0x74, 0x65,
+ 0x12, 0x12, 0x0a, 0x04, 0x74, 0x61, 0x67, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x04,
+ 0x74, 0x61, 0x67, 0x73, 0x1a, 0x58, 0x0a, 0x13, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
+ 0x65, 0x53, 0x74, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b,
+ 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2b, 0x0a,
+ 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x61,
+ 0x70, 0x69, 0x2e, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x5f, 0x73, 0x74,
+ 0x61, 0x74, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xa0,
+ 0x06, 0x0a, 0x16, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69,
+ 0x6c, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x26, 0x0a, 0x0e, 0x4c, 0x6f, 0x61,
+ 0x64, 0x65, 0x64, 0x49, 0x6e, 0x4b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28,
+ 0x08, 0x52, 0x0e, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x64, 0x49, 0x6e, 0x4b, 0x65, 0x72, 0x6e, 0x65,
+ 0x6c, 0x12, 0x38, 0x0a, 0x17, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x64, 0x49, 0x6e, 0x4b, 0x65, 0x72,
+ 0x6e, 0x65, 0x6c, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x02, 0x20, 0x01,
+ 0x28, 0x09, 0x52, 0x17, 0x4c, 0x6f, 0x61, 0x64, 0x65, 0x64, 0x49, 0x6e, 0x4b, 0x65, 0x72, 0x6e,
+ 0x65, 0x6c, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x38, 0x0a, 0x08, 0x53,
+ 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e,
+ 0x61, 0x70, 0x69, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65, 0x6c, 0x65,
+ 0x63, 0x74, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x08, 0x53, 0x65, 0x6c,
+ 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x24, 0x0a, 0x0d, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65,
+ 0x43, 0x6f, 0x6f, 0x6b, 0x69, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0d, 0x50, 0x72,
+ 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x43, 0x6f, 0x6f, 0x6b, 0x69, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x45,
+ 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52,
+ 0x0a, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x73, 0x12, 0x4a, 0x0a, 0x0d, 0x4c,
+ 0x61, 0x73, 0x74, 0x41, 0x6e, 0x6f, 0x6d, 0x61, 0x6c, 0x69, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03,
+ 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x4c, 0x61, 0x73, 0x74, 0x41, 0x6e, 0x6f,
+ 0x6d, 0x61, 0x6c, 0x79, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x4d, 0x65, 0x73,
+ 0x73, 0x61, 0x67, 0x65, 0x42, 0x02, 0x18, 0x01, 0x52, 0x0d, 0x4c, 0x61, 0x73, 0x74, 0x41, 0x6e,
+ 0x6f, 0x6d, 0x61, 0x6c, 0x69, 0x65, 0x73, 0x12, 0x32, 0x0a, 0x09, 0x49, 0x6e, 0x73, 0x74, 0x61,
+ 0x6e, 0x63, 0x65, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x61, 0x70, 0x69,
+ 0x2e, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
+ 0x52, 0x09, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x73, 0x12, 0x1a, 0x0a, 0x06, 0x53,
+ 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x52,
+ 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x1c, 0x0a, 0x07, 0x56, 0x65, 0x72, 0x73, 0x69,
+ 0x6f, 0x6e, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x52, 0x07, 0x56, 0x65,
+ 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x30, 0x0a, 0x08, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
+ 0x61, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x4d, 0x65,
+ 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x08, 0x4d,
+ 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x16, 0x0a, 0x04, 0x54, 0x61, 0x67, 0x73, 0x18,
+ 0x0b, 0x20, 0x03, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x52, 0x04, 0x54, 0x61, 0x67, 0x73, 0x12,
+ 0x33, 0x0a, 0x05, 0x53, 0x74, 0x61, 0x74, 0x73, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d,
+ 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x54, 0x72, 0x65,
+ 0x65, 0x53, 0x74, 0x61, 0x74, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x05, 0x53,
+ 0x74, 0x61, 0x74, 0x73, 0x12, 0x2e, 0x0a, 0x12, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x47,
+ 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x09,
+ 0x52, 0x12, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x47, 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x53,
+ 0x74, 0x61, 0x74, 0x65, 0x12, 0x5b, 0x0a, 0x10, 0x70, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x5f,
+ 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x73, 0x18, 0x0e, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x30,
+ 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f,
+ 0x66, 0x69, 0x6c, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x66,
+ 0x69, 0x6c, 0x65, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79,
+ 0x52, 0x0f, 0x70, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
+ 0x73, 0x1a, 0x5e, 0x0a, 0x14, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x43, 0x6f, 0x6e, 0x74,
+ 0x65, 0x78, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
+ 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76,
+ 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x61, 0x70, 0x69,
+ 0x2e, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x4d,
+ 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38,
+ 0x01, 0x22, 0x3f, 0x0a, 0x19, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f,
+ 0x66, 0x69, 0x6c, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x12, 0x22,
+ 0x0a, 0x0c, 0x49, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x43, 0x61, 0x63, 0x68, 0x65, 0x18, 0x01,
+ 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x49, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x43, 0x61, 0x63,
+ 0x68, 0x65, 0x22, 0x6b, 0x0a, 0x1a, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72,
+ 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
+ 0x12, 0x37, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03,
+ 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74,
+ 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52,
+ 0x08, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x45, 0x72, 0x72,
+ 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x22,
+ 0x55, 0x0a, 0x19, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69,
+ 0x6c, 0x65, 0x53, 0x61, 0x76, 0x65, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x12, 0x38, 0x0a, 0x08,
+ 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c,
+ 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65, 0x6c,
+ 0x65, 0x63, 0x74, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x08, 0x53, 0x65,
+ 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x22, 0x46, 0x0a, 0x1a, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69,
+ 0x74, 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x53, 0x61, 0x76, 0x65, 0x4d, 0x65, 0x73,
+ 0x73, 0x61, 0x67, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x01, 0x20,
+ 0x01, 0x28, 0x09, 0x52, 0x05, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x46, 0x69,
+ 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x46, 0x69, 0x6c, 0x65, 0x32, 0x8a,
+ 0x0a, 0x0a, 0x0e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x4d, 0x6f, 0x64, 0x75, 0x6c,
+ 0x65, 0x12, 0x3f, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x13,
+ 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x50, 0x61, 0x72,
+ 0x61, 0x6d, 0x73, 0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69,
+ 0x74, 0x79, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00,
+ 0x30, 0x01, 0x12, 0x57, 0x0a, 0x10, 0x44, 0x75, 0x6d, 0x70, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
+ 0x73, 0x43, 0x61, 0x63, 0x68, 0x65, 0x12, 0x1b, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x44, 0x75, 0x6d,
+ 0x70, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x43, 0x61, 0x63, 0x68, 0x65, 0x50, 0x61, 0x72,
+ 0x61, 0x6d, 0x73, 0x1a, 0x24, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69,
+ 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x43, 0x61, 0x63,
+ 0x68, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x3f, 0x0a, 0x09, 0x47,
+ 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x14, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47,
+ 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x1a,
+ 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x43, 0x6f, 0x6e,
+ 0x66, 0x69, 0x67, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x30, 0x0a, 0x09,
+ 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x14, 0x2e, 0x61, 0x70, 0x69, 0x2e,
+ 0x47, 0x65, 0x74, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a,
+ 0x0b, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x00, 0x12, 0x4b,
+ 0x0a, 0x0b, 0x52, 0x75, 0x6e, 0x53, 0x65, 0x6c, 0x66, 0x54, 0x65, 0x73, 0x74, 0x12, 0x16, 0x2e,
+ 0x61, 0x70, 0x69, 0x2e, 0x52, 0x75, 0x6e, 0x53, 0x65, 0x6c, 0x66, 0x54, 0x65, 0x73, 0x74, 0x50,
+ 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x22, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75,
+ 0x72, 0x69, 0x74, 0x79, 0x53, 0x65, 0x6c, 0x66, 0x54, 0x65, 0x73, 0x74, 0x52, 0x65, 0x73, 0x75,
+ 0x6c, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x55, 0x0a, 0x10, 0x47,
+ 0x65, 0x74, 0x52, 0x75, 0x6c, 0x65, 0x53, 0x65, 0x74, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x12,
+ 0x1b, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x75, 0x6c, 0x65, 0x53, 0x65, 0x74,
+ 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x22, 0x2e, 0x61,
+ 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x75, 0x6c, 0x65, 0x53, 0x65, 0x74, 0x52, 0x65, 0x70,
+ 0x6f, 0x72, 0x74, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
+ 0x22, 0x00, 0x12, 0x4f, 0x0a, 0x0e, 0x52, 0x65, 0x6c, 0x6f, 0x61, 0x64, 0x50, 0x6f, 0x6c, 0x69,
+ 0x63, 0x69, 0x65, 0x73, 0x12, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x52, 0x65, 0x6c, 0x6f, 0x61,
+ 0x64, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a,
+ 0x20, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x52, 0x65, 0x6c, 0x6f, 0x61, 0x64, 0x50, 0x6f, 0x6c, 0x69,
+ 0x63, 0x69, 0x65, 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
+ 0x65, 0x22, 0x00, 0x12, 0x5b, 0x0a, 0x14, 0x44, 0x75, 0x6d, 0x70, 0x4e, 0x65, 0x74, 0x77, 0x6f,
+ 0x72, 0x6b, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x1f, 0x2e, 0x61, 0x70,
+ 0x69, 0x2e, 0x44, 0x75, 0x6d, 0x70, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4e, 0x61, 0x6d,
+ 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x20, 0x2e, 0x61,
+ 0x70, 0x69, 0x2e, 0x44, 0x75, 0x6d, 0x70, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4e, 0x61,
+ 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00,
+ 0x12, 0x49, 0x0a, 0x0e, 0x44, 0x75, 0x6d, 0x70, 0x44, 0x69, 0x73, 0x63, 0x61, 0x72, 0x64, 0x65,
+ 0x72, 0x73, 0x12, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x44, 0x75, 0x6d, 0x70, 0x44, 0x69, 0x73,
+ 0x63, 0x61, 0x72, 0x64, 0x65, 0x72, 0x73, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x1a, 0x2e,
+ 0x61, 0x70, 0x69, 0x2e, 0x44, 0x75, 0x6d, 0x70, 0x44, 0x69, 0x73, 0x63, 0x61, 0x72, 0x64, 0x65,
+ 0x72, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x43, 0x0a, 0x0c, 0x44,
+ 0x75, 0x6d, 0x70, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x12, 0x17, 0x2e, 0x61, 0x70,
+ 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x50, 0x61,
+ 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76,
+ 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00,
+ 0x12, 0x50, 0x0a, 0x11, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79,
+ 0x44, 0x75, 0x6d, 0x70, 0x73, 0x12, 0x1b, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69,
+ 0x76, 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x61, 0x72, 0x61,
+ 0x6d, 0x73, 0x1a, 0x1c, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74,
+ 0x79, 0x44, 0x75, 0x6d, 0x70, 0x4c, 0x69, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
+ 0x22, 0x00, 0x12, 0x4f, 0x0a, 0x10, 0x53, 0x74, 0x6f, 0x70, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69,
+ 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x12, 0x1b, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74,
+ 0x69, 0x76, 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x53, 0x74, 0x6f, 0x70, 0x50, 0x61, 0x72,
+ 0x61, 0x6d, 0x73, 0x1a, 0x1c, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69,
+ 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x53, 0x74, 0x6f, 0x70, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
+ 0x65, 0x22, 0x00, 0x12, 0x55, 0x0a, 0x12, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x63, 0x6f, 0x64, 0x69,
+ 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x2e, 0x61, 0x70, 0x69, 0x2e,
+ 0x54, 0x72, 0x61, 0x6e, 0x73, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65,
+ 0x73, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x1e, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x54,
+ 0x72, 0x61, 0x6e, 0x73, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+ 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x15, 0x47, 0x65,
+ 0x74, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x53, 0x74, 0x72,
+ 0x65, 0x61, 0x6d, 0x12, 0x1d, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69,
+ 0x74, 0x79, 0x44, 0x75, 0x6d, 0x70, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x50, 0x61, 0x72, 0x61,
+ 0x6d, 0x73, 0x1a, 0x1e, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74,
+ 0x79, 0x44, 0x75, 0x6d, 0x70, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x4d, 0x65, 0x73, 0x73, 0x61,
+ 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x59, 0x0a, 0x14, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x65,
+ 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x12, 0x1e,
+ 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f,
+ 0x66, 0x69, 0x6c, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x1f,
+ 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f,
+ 0x66, 0x69, 0x6c, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22,
+ 0x00, 0x12, 0x58, 0x0a, 0x13, 0x53, 0x61, 0x76, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74,
+ 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x12, 0x1e, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53,
+ 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x53, 0x61,
+ 0x76, 0x65, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x1a, 0x1f, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53,
+ 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x53, 0x61,
+ 0x76, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x42, 0x18, 0x5a, 0x16, 0x70,
+ 0x6b, 0x67, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x70, 0x72, 0x6f, 0x74,
+ 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
diff --git a/pkg/security/proto/api/api.proto b/pkg/security/proto/api/api.proto
index 7032834f238c30..0045a6ce2f960d 100644
--- a/pkg/security/proto/api/api.proto
+++ b/pkg/security/proto/api/api.proto
@@ -244,6 +244,9 @@ message ActivityTreeStatsMessage {
int64 DNSNodesCount = 3;
int64 SocketNodesCount = 4;
int64 ApproximateSize = 5;
+ int64 IMDSNodesCount = 6;
+ int64 SyscallNodesCount = 7;
+ int64 FlowNodesCount = 8;
}
message event_type_state {
diff --git a/pkg/security/proto/api/api_vtproto.pb.go b/pkg/security/proto/api/api_vtproto.pb.go
index 8ebccda5994a0d..b03a89f07ce171 100644
--- a/pkg/security/proto/api/api_vtproto.pb.go
+++ b/pkg/security/proto/api/api_vtproto.pb.go
@@ -2373,6 +2373,21 @@ func (m *ActivityTreeStatsMessage) MarshalToSizedBufferVT(dAtA []byte) (int, err
i -= len(m.unknownFields)
copy(dAtA[i:], m.unknownFields)
}
+ if m.FlowNodesCount != 0 {
+ i = protohelpers.EncodeVarint(dAtA, i, uint64(m.FlowNodesCount))
+ i--
+ dAtA[i] = 0x40
+ }
+ if m.SyscallNodesCount != 0 {
+ i = protohelpers.EncodeVarint(dAtA, i, uint64(m.SyscallNodesCount))
+ i--
+ dAtA[i] = 0x38
+ }
+ if m.IMDSNodesCount != 0 {
+ i = protohelpers.EncodeVarint(dAtA, i, uint64(m.IMDSNodesCount))
+ i--
+ dAtA[i] = 0x30
+ }
if m.ApproximateSize != 0 {
i = protohelpers.EncodeVarint(dAtA, i, uint64(m.ApproximateSize))
i--
@@ -3782,6 +3797,15 @@ func (m *ActivityTreeStatsMessage) SizeVT() (n int) {
if m.ApproximateSize != 0 {
n += 1 + protohelpers.SizeOfVarint(uint64(m.ApproximateSize))
}
+ if m.IMDSNodesCount != 0 {
+ n += 1 + protohelpers.SizeOfVarint(uint64(m.IMDSNodesCount))
+ }
+ if m.SyscallNodesCount != 0 {
+ n += 1 + protohelpers.SizeOfVarint(uint64(m.SyscallNodesCount))
+ }
+ if m.FlowNodesCount != 0 {
+ n += 1 + protohelpers.SizeOfVarint(uint64(m.FlowNodesCount))
+ }
n += len(m.unknownFields)
return n
}
@@ -9616,6 +9640,63 @@ func (m *ActivityTreeStatsMessage) UnmarshalVT(dAtA []byte) error {
break
}
}
+ case 6:
+ if wireType != 0 {
+ return fmt.Errorf("proto: wrong wireType = %d for field IMDSNodesCount", wireType)
+ }
+ m.IMDSNodesCount = 0
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return protohelpers.ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ m.IMDSNodesCount |= int64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ case 7:
+ if wireType != 0 {
+ return fmt.Errorf("proto: wrong wireType = %d for field SyscallNodesCount", wireType)
+ }
+ m.SyscallNodesCount = 0
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return protohelpers.ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ m.SyscallNodesCount |= int64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ case 8:
+ if wireType != 0 {
+ return fmt.Errorf("proto: wrong wireType = %d for field FlowNodesCount", wireType)
+ }
+ m.FlowNodesCount = 0
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return protohelpers.ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ m.FlowNodesCount |= int64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
default:
iNdEx = preIndex
skippy, err := protohelpers.Skip(dAtA[iNdEx:])
diff --git a/pkg/security/rules/engine.go b/pkg/security/rules/engine.go
index ffb73244b6c2db..5f7d6a888dc6a7 100644
--- a/pkg/security/rules/engine.go
+++ b/pkg/security/rules/engine.go
@@ -487,6 +487,8 @@ func (e *RuleEngine) getEventTypeEnabled() map[eval.EventType]bool {
switch eventType {
case model.RawPacketEventType.String():
enabled[eventType] = e.probe.IsNetworkRawPacketEnabled()
+ case model.NetworkFlowMonitorEventType.String():
+ enabled[eventType] = e.probe.IsNetworkFlowMonitorEnabled()
default:
enabled[eventType] = true
}
diff --git a/pkg/security/secl/compiler/eval/context.go b/pkg/security/secl/compiler/eval/context.go
index 038a24634b353d..d56b550fc8831e 100644
--- a/pkg/security/secl/compiler/eval/context.go
+++ b/pkg/security/secl/compiler/eval/context.go
@@ -7,6 +7,7 @@
package eval
import (
+ "net"
"sync"
"time"
)
@@ -23,6 +24,7 @@ type Context struct {
// cache available across all the evaluations
StringCache map[string][]string
+ IPNetCache map[string][]net.IPNet
IntCache map[string][]int
BoolCache map[string][]bool
@@ -34,7 +36,7 @@ type Context struct {
now time.Time
- CachedAncestorsCount int
+ AncestorsCounters map[string]int
resolvedFields []string
}
@@ -58,11 +60,12 @@ func (c *Context) Reset() {
c.now = time.Time{}
clear(c.StringCache)
+ clear(c.IPNetCache)
clear(c.IntCache)
clear(c.BoolCache)
clear(c.Registers)
clear(c.RegisterCache)
- c.CachedAncestorsCount = 0
+ clear(c.AncestorsCounters)
clear(c.resolvedFields)
}
@@ -74,12 +77,14 @@ func (c *Context) GetResolvedFields() []string {
// NewContext return a new Context
func NewContext(evt Event) *Context {
return &Context{
- Event: evt,
- StringCache: make(map[string][]string),
- IntCache: make(map[string][]int),
- BoolCache: make(map[string][]bool),
- Registers: make(map[RegisterID]int),
- RegisterCache: make(map[RegisterID]*RegisterCacheEntry),
+ Event: evt,
+ StringCache: make(map[string][]string),
+ IPNetCache: make(map[string][]net.IPNet),
+ IntCache: make(map[string][]int),
+ BoolCache: make(map[string][]bool),
+ Registers: make(map[RegisterID]int),
+ RegisterCache: make(map[RegisterID]*RegisterCacheEntry),
+ AncestorsCounters: make(map[string]int),
}
}
diff --git a/pkg/security/secl/compiler/generators/accessors/accessors.go b/pkg/security/secl/compiler/generators/accessors/accessors.go
index 7dad3100588ae6..6b9b8d48f9ef45 100644
--- a/pkg/security/secl/compiler/generators/accessors/accessors.go
+++ b/pkg/security/secl/compiler/generators/accessors/accessors.go
@@ -756,9 +756,9 @@ func formatBuildTags(buildTags string) []string {
return formattedBuildTags
}
-func newField(allFields map[string]*common.StructField, field *common.StructField) string {
+func newField(allFields map[string]*common.StructField, inputField *common.StructField) string {
var fieldPath, result string
- for _, node := range strings.Split(field.Name, ".") {
+ for _, node := range strings.Split(inputField.Name, ".") {
if fieldPath != "" {
fieldPath += "." + node
} else {
@@ -768,6 +768,8 @@ func newField(allFields map[string]*common.StructField, field *common.StructFiel
if field, ok := allFields[fieldPath]; ok {
if field.IsOrigTypePtr {
result += fmt.Sprintf("if ev.%s == nil { ev.%s = &%s{} }\n", field.Name, field.Name, field.OrigType)
+ } else if field.IsArray && fieldPath != inputField.Name {
+ result += fmt.Sprintf("if len(ev.%s) == 0 { ev.%s = append(ev.%s, %s{}) }\n", field.Name, field.Name, field.Name, field.OrigType)
}
}
}
@@ -775,6 +777,25 @@ func newField(allFields map[string]*common.StructField, field *common.StructFiel
return result
}
+func buildFirstAccessor(allFields map[string]*common.StructField, inputField *common.StructField) string {
+ var fieldPath string
+ for _, node := range strings.Split(inputField.Name, ".") {
+ if fieldPath != "" {
+ fieldPath += "." + node
+ } else {
+ fieldPath = node
+ }
+
+ if field, ok := allFields[fieldPath]; ok {
+ if field.IsArray && fieldPath != inputField.Name {
+ fieldPath += "[0]"
+ }
+ }
+ }
+
+ return "ev." + fieldPath
+}
+
func generatePrefixNilChecks(allFields map[string]*common.StructField, returnType string, field *common.StructField) string {
var fieldPath, result string
for _, node := range strings.Split(field.Name, ".") {
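Review bot: `buildFirstAccessor` uses one variable, `fieldPath`, both as the lookup key into `allFields` and as the emitted Go expression, so once `"[0]"` is appended every deeper lookup uses a key such as `a.b[0].c` and, assuming the map is keyed by plain dotted names, will miss. With a single array level the output is still correct because later nodes are simply appended, but a second array nested under the first would not get its index. Keeping the lookup key and the emitted accessor in separate variables removes that coupling, as sketched below. The function also has no doc comment; a one-line comment should say that it returns the `ev.`-prefixed expression for `inputField` and indexes element 0 of each array it traverses.

```go
func buildFirstAccessor(allFields map[string]*common.StructField, inputField *common.StructField) string {
	// lookupPath is the key into allFields; accessor is the Go expression being emitted.
	var lookupPath, accessor string
	for _, node := range strings.Split(inputField.Name, ".") {
		if lookupPath != "" {
			lookupPath += "." + node
			accessor += "." + node
		} else {
			lookupPath = node
			accessor = node
		}

		if field, ok := allFields[lookupPath]; ok && field.IsArray && lookupPath != inputField.Name {
			accessor += "[0]"
		}
	}

	return "ev." + accessor
}
```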
@@ -845,7 +866,7 @@ func getDefaultValueOfType(returnType string) string {
return "false"
} else if baseType == "net.IPNet" {
if isArray {
- return "&eval.CIDRValues{}"
+ return "[]net.IPNet{}"
}
return "net.IPNet{}"
} else if baseType == "time.Time" {
@@ -995,6 +1016,7 @@ var funcMap = map[string]interface{}{
"TrimSuffix": strings.TrimSuffix,
"HasPrefix": strings.HasPrefix,
"NewField": newField,
+ "BuildFirstAccessor": buildFirstAccessor,
"GeneratePrefixNilChecks": generatePrefixNilChecks,
"GetFieldHandler": getFieldHandler,
"FieldADPrint": fieldADPrint,
diff --git a/pkg/security/secl/compiler/generators/accessors/accessors.tmpl b/pkg/security/secl/compiler/generators/accessors/accessors.tmpl
index 4829db9985f8ad..17640ddcd5aae6 100644
--- a/pkg/security/secl/compiler/generators/accessors/accessors.tmpl
+++ b/pkg/security/secl/compiler/generators/accessors/accessors.tmpl
@@ -140,11 +140,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
{{if $Field.GetArrayPrefix}}
{{$AncestorFunc = "newAncestorsIteratorArray"}}
{{end}}
- results = {{$AncestorFunc}}(iterator, ctx, {{$Event}}, func(ev *Event, pce *ProcessCacheEntry) {{$Field.GetArrayPrefix}}{{$Field.ReturnType}} {
+ results = {{$AncestorFunc}}(iterator, field, ctx, {{$Event}}, func(ev *Event, current *{{$Field.Iterator.OrigType}}) {{$Field.GetArrayPrefix}}{{$Field.ReturnType}} {
{{range $Check := $Checks}}
{{if $Field.Iterator.Name | HasPrefix $Check}}
{{$SubName := $Field.Iterator.Name | TrimPrefix $Check}}
- {{$Check = $SubName | printf "pce%s"}}
+ {{$Check = $SubName | printf "current%s"}}
if !{{$Check}}() {
{{if $Field.GetArrayPrefix}}
return nil
@@ -157,11 +157,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
{{$SubName := $Field.Iterator.Name | TrimPrefix $Field.Name}}
- {{$Return := $SubName | printf "pce%s"}}
+ {{$Return := $SubName | printf "current%s"}}
{{if $Field.Handler }}
{{$SubName = $Field.Iterator.Name | TrimPrefix $Field.Prefix}}
{{$Handler := $Field.Iterator.Name | TrimPrefix $Field.Handler}}
- {{$Return = print "ev.FieldHandlers." $Handler "(ev, &pce" $SubName ")"}}
+ {{$Return = print "ev.FieldHandlers." $Handler "(ev, ¤t" $SubName ")"}}
{{end}}
{{if eq $Field.ReturnType "int"}}
@@ -181,7 +181,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
},
{{- else}}
{{- $ReturnType := $Field.ReturnType}}
- EvalFnc: func(ctx *eval.Context) {{$Field.GetArrayPrefix}}{{$ReturnType}} {
+ EvalFnc: func(ctx *eval.Context) {{- if not $Field.IsIterator}}{{$Field.GetArrayPrefix}}{{end}}{{$ReturnType}} {
ctx.AppendResolvedField(field)
{{- if not (and $Field.IsLength $Field.IsIterator)}}
ev := ctx.Event.(*Event)
@@ -333,7 +333,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
values = append(values, result...)
{{end}}
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
@@ -452,7 +452,7 @@ func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error {
{{end}}
{{end}}
- {{$FieldName := $Field.Name | printf "ev.%s"}}
+ {{$FieldName := $Field | BuildFirstAccessor $.AllFields}}
case "{{$Name}}":
{{- $Field | NewField $.AllFields}}
{{if $Field.IsLength}}
diff --git a/pkg/security/secl/compiler/generators/accessors/common/types.go b/pkg/security/secl/compiler/generators/accessors/common/types.go
index 3e9f3ebef05f68..36a3a3ed01cbf7 100644
--- a/pkg/security/secl/compiler/generators/accessors/common/types.go
+++ b/pkg/security/secl/compiler/generators/accessors/common/types.go
@@ -91,8 +91,8 @@ func (sf *StructField) GetEvaluatorType() string {
}
} else if sf.ReturnType == "net.IPNet" {
evaluatorType = "eval.CIDREvaluator"
- if sf.IsArray {
- evaluatorType = "eval.CIDRValuesEvaluator"
+ if sf.Iterator != nil || sf.IsArray {
+ evaluatorType = "eval.CIDRArrayEvaluator"
}
} else {
evaluatorType = "eval.StringEvaluator"
@@ -155,6 +155,8 @@ func (sf *StructField) GetCacheName() string {
return "IntCache"
case "bool":
return "BoolCache"
+ case "net.IPNet":
+ return "IPNetCache"
default:
panic(fmt.Sprintf("no cache name defined for return type '%s'", sf.ReturnType))
}
diff --git a/pkg/security/secl/compiler/generators/accessors/field_accessors.tmpl b/pkg/security/secl/compiler/generators/accessors/field_accessors.tmpl
index 02eff112541d77..529fb8c4df9e3d 100644
--- a/pkg/security/secl/compiler/generators/accessors/field_accessors.tmpl
+++ b/pkg/security/secl/compiler/generators/accessors/field_accessors.tmpl
@@ -33,7 +33,7 @@ import (
{{$accessorReturnType = $Field.ReturnType}}
{{ end }}
-{{ if or (and $Field.Iterator (not $Field.IsIterator)) ($Field.IsArray) }}
+{{ if or (and $Field.Iterator (not $Field.IsIterator)) (and $Field.IsArray (not $Field.IsIterator)) }}
{{$accessorReturnType = $accessorReturnType | printf "[]%s" }}
{{ end }}
@@ -92,7 +92,7 @@ func (ev *Event) Get{{$pascalCaseName}}() {{ $accessorReturnType }} {
values = append(values, result...)
{{end}}
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
diff --git a/pkg/security/secl/model/accessors_unix.go b/pkg/security/secl/model/accessors_unix.go
index 7b0b0331602292..c24186147f8913 100644
--- a/pkg/security/secl/model/accessors_unix.go
+++ b/pkg/security/secl/model/accessors_unix.go
@@ -38,6 +38,7 @@ func (m *Model) GetEventTypes() []eval.EventType {
eval.EventType("mmap"),
eval.EventType("mount"),
eval.EventType("mprotect"),
+ eval.EventType("network_flow_monitor"),
eval.EventType("ondemand"),
eval.EventType("open"),
eval.EventType("packet"),
@@ -70,6 +71,8 @@ func (m *Model) GetFieldRestrictions(field eval.Field) []eval.EventType {
return []eval.EventType{"dns", "imds"}
case "network.l4_protocol":
return []eval.EventType{"dns", "imds"}
+ case "network.network_direction":
+ return []eval.EventType{"dns", "imds"}
case "network.size":
return []eval.EventType{"dns", "imds"}
case "network.source.ip":
@@ -4623,6 +4626,16 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
Field: field,
Weight: eval.FunctionWeight,
}, nil
+ case "network.network_direction":
+ return &eval.IntEvaluator{
+ EvalFnc: func(ctx *eval.Context) int {
+ ctx.AppendResolvedField(field)
+ ev := ctx.Event.(*Event)
+ return int(ev.NetworkContext.NetworkDirection)
+ },
+ Field: field,
+ Weight: eval.FunctionWeight,
+ }, nil
case "network.size":
return &eval.IntEvaluator{
EvalFnc: func(ctx *eval.Context) int {
@@ -4663,6 +4676,362 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
Field: field,
Weight: eval.FunctionWeight,
}, nil
+ case "network_flow_monitor.device.ifname":
+ return &eval.StringEvaluator{
+ EvalFnc: func(ctx *eval.Context) string {
+ ctx.AppendResolvedField(field)
+ ev := ctx.Event.(*Event)
+ return ev.FieldHandlers.ResolveNetworkDeviceIfName(ev, &ev.NetworkFlowMonitor.Device)
+ },
+ Field: field,
+ Weight: eval.HandlerWeight,
+ }, nil
+ case "network_flow_monitor.flows.destination.ip":
+ return &eval.CIDRArrayEvaluator{
+ EvalFnc: func(ctx *eval.Context) []net.IPNet {
+ ctx.AppendResolvedField(field)
+ if result, ok := ctx.IPNetCache[field]; ok {
+ return result
+ }
+ var results []net.IPNet
+ iterator := &FlowsIterator{}
+ if regID != "" {
+ value := iterator.At(ctx, regID, ctx.Registers[regID])
+ if value == nil {
+ return results
+ }
+ element := *value
+ result := element.Destination.IPNet
+ results = append(results, result)
+ return results
+ }
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *Flow) net.IPNet {
+ return current.Destination.IPNet
+ })
+ ctx.IPNetCache[field] = results
+ return results
+ }, Field: field,
+ Weight: eval.IteratorWeight,
+ }, nil
+ case "network_flow_monitor.flows.destination.is_public":
+ return &eval.BoolArrayEvaluator{
+ EvalFnc: func(ctx *eval.Context) []bool {
+ ctx.AppendResolvedField(field)
+ ev := ctx.Event.(*Event)
+ if result, ok := ctx.BoolCache[field]; ok {
+ return result
+ }
+ var results []bool
+ iterator := &FlowsIterator{}
+ if regID != "" {
+ value := iterator.At(ctx, regID, ctx.Registers[regID])
+ if value == nil {
+ return results
+ }
+ element := *value
+ result := ev.FieldHandlers.ResolveIsIPPublic(ev, &element.Destination)
+ results = append(results, result)
+ return results
+ }
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *Flow) bool {
+ return ev.FieldHandlers.ResolveIsIPPublic(ev, ¤t.Destination)
+ })
+ ctx.BoolCache[field] = results
+ return results
+ }, Field: field,
+ Weight: eval.IteratorWeight,
+ }, nil
+ case "network_flow_monitor.flows.destination.port":
+ return &eval.IntArrayEvaluator{
+ EvalFnc: func(ctx *eval.Context) []int {
+ ctx.AppendResolvedField(field)
+ if result, ok := ctx.IntCache[field]; ok {
+ return result
+ }
+ var results []int
+ iterator := &FlowsIterator{}
+ if regID != "" {
+ value := iterator.At(ctx, regID, ctx.Registers[regID])
+ if value == nil {
+ return results
+ }
+ element := *value
+ result := int(element.Destination.Port)
+ results = append(results, result)
+ return results
+ }
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *Flow) int {
+ return int(current.Destination.Port)
+ })
+ ctx.IntCache[field] = results
+ return results
+ }, Field: field,
+ Weight: eval.IteratorWeight,
+ }, nil
+ case "network_flow_monitor.flows.egress.data_size":
+ return &eval.IntArrayEvaluator{
+ EvalFnc: func(ctx *eval.Context) []int {
+ ctx.AppendResolvedField(field)
+ if result, ok := ctx.IntCache[field]; ok {
+ return result
+ }
+ var results []int
+ iterator := &FlowsIterator{}
+ if regID != "" {
+ value := iterator.At(ctx, regID, ctx.Registers[regID])
+ if value == nil {
+ return results
+ }
+ element := *value
+ result := int(element.Egress.DataSize)
+ results = append(results, result)
+ return results
+ }
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *Flow) int {
+ return int(current.Egress.DataSize)
+ })
+ ctx.IntCache[field] = results
+ return results
+ }, Field: field,
+ Weight: eval.IteratorWeight,
+ }, nil
+ case "network_flow_monitor.flows.egress.packet_count":
+ return &eval.IntArrayEvaluator{
+ EvalFnc: func(ctx *eval.Context) []int {
+ ctx.AppendResolvedField(field)
+ if result, ok := ctx.IntCache[field]; ok {
+ return result
+ }
+ var results []int
+ iterator := &FlowsIterator{}
+ if regID != "" {
+ value := iterator.At(ctx, regID, ctx.Registers[regID])
+ if value == nil {
+ return results
+ }
+ element := *value
+ result := int(element.Egress.PacketCount)
+ results = append(results, result)
+ return results
+ }
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *Flow) int {
+ return int(current.Egress.PacketCount)
+ })
+ ctx.IntCache[field] = results
+ return results
+ }, Field: field,
+ Weight: eval.IteratorWeight,
+ }, nil
+ case "network_flow_monitor.flows.ingress.data_size":
+ return &eval.IntArrayEvaluator{
+ EvalFnc: func(ctx *eval.Context) []int {
+ ctx.AppendResolvedField(field)
+ if result, ok := ctx.IntCache[field]; ok {
+ return result
+ }
+ var results []int
+ iterator := &FlowsIterator{}
+ if regID != "" {
+ value := iterator.At(ctx, regID, ctx.Registers[regID])
+ if value == nil {
+ return results
+ }
+ element := *value
+ result := int(element.Ingress.DataSize)
+ results = append(results, result)
+ return results
+ }
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *Flow) int {
+ return int(current.Ingress.DataSize)
+ })
+ ctx.IntCache[field] = results
+ return results
+ }, Field: field,
+ Weight: eval.IteratorWeight,
+ }, nil
+ case "network_flow_monitor.flows.ingress.packet_count":
+ return &eval.IntArrayEvaluator{
+ EvalFnc: func(ctx *eval.Context) []int {
+ ctx.AppendResolvedField(field)
+ if result, ok := ctx.IntCache[field]; ok {
+ return result
+ }
+ var results []int
+ iterator := &FlowsIterator{}
+ if regID != "" {
+ value := iterator.At(ctx, regID, ctx.Registers[regID])
+ if value == nil {
+ return results
+ }
+ element := *value
+ result := int(element.Ingress.PacketCount)
+ results = append(results, result)
+ return results
+ }
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *Flow) int {
+ return int(current.Ingress.PacketCount)
+ })
+ ctx.IntCache[field] = results
+ return results
+ }, Field: field,
+ Weight: eval.IteratorWeight,
+ }, nil
+ case "network_flow_monitor.flows.l3_protocol":
+ return &eval.IntArrayEvaluator{
+ EvalFnc: func(ctx *eval.Context) []int {
+ ctx.AppendResolvedField(field)
+ if result, ok := ctx.IntCache[field]; ok {
+ return result
+ }
+ var results []int
+ iterator := &FlowsIterator{}
+ if regID != "" {
+ value := iterator.At(ctx, regID, ctx.Registers[regID])
+ if value == nil {
+ return results
+ }
+ element := *value
+ result := int(element.L3Protocol)
+ results = append(results, result)
+ return results
+ }
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *Flow) int {
+ return int(current.L3Protocol)
+ })
+ ctx.IntCache[field] = results
+ return results
+ }, Field: field,
+ Weight: eval.IteratorWeight,
+ }, nil
+ case "network_flow_monitor.flows.l4_protocol":
+ return &eval.IntArrayEvaluator{
+ EvalFnc: func(ctx *eval.Context) []int {
+ ctx.AppendResolvedField(field)
+ if result, ok := ctx.IntCache[field]; ok {
+ return result
+ }
+ var results []int
+ iterator := &FlowsIterator{}
+ if regID != "" {
+ value := iterator.At(ctx, regID, ctx.Registers[regID])
+ if value == nil {
+ return results
+ }
+ element := *value
+ result := int(element.L4Protocol)
+ results = append(results, result)
+ return results
+ }
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *Flow) int {
+ return int(current.L4Protocol)
+ })
+ ctx.IntCache[field] = results
+ return results
+ }, Field: field,
+ Weight: eval.IteratorWeight,
+ }, nil
+ case "network_flow_monitor.flows.length":
+ return &eval.IntEvaluator{
+ EvalFnc: func(ctx *eval.Context) int {
+ ctx.AppendResolvedField(field)
+ iterator := &FlowsIterator{}
+ return iterator.Len(ctx)
+ },
+ Field: field,
+ Weight: eval.IteratorWeight,
+ }, nil
+ case "network_flow_monitor.flows.source.ip":
+ return &eval.CIDRArrayEvaluator{
+ EvalFnc: func(ctx *eval.Context) []net.IPNet {
+ ctx.AppendResolvedField(field)
+ if result, ok := ctx.IPNetCache[field]; ok {
+ return result
+ }
+ var results []net.IPNet
+ iterator := &FlowsIterator{}
+ if regID != "" {
+ value := iterator.At(ctx, regID, ctx.Registers[regID])
+ if value == nil {
+ return results
+ }
+ element := *value
+ result := element.Source.IPNet
+ results = append(results, result)
+ return results
+ }
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *Flow) net.IPNet {
+ return current.Source.IPNet
+ })
+ ctx.IPNetCache[field] = results
+ return results
+ }, Field: field,
+ Weight: eval.IteratorWeight,
+ }, nil
+ case "network_flow_monitor.flows.source.is_public":
+ return &eval.BoolArrayEvaluator{
+ EvalFnc: func(ctx *eval.Context) []bool {
+ ctx.AppendResolvedField(field)
+ ev := ctx.Event.(*Event)
+ if result, ok := ctx.BoolCache[field]; ok {
+ return result
+ }
+ var results []bool
+ iterator := &FlowsIterator{}
+ if regID != "" {
+ value := iterator.At(ctx, regID, ctx.Registers[regID])
+ if value == nil {
+ return results
+ }
+ element := *value
+ result := ev.FieldHandlers.ResolveIsIPPublic(ev, &element.Source)
+ results = append(results, result)
+ return results
+ }
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *Flow) bool {
+ return ev.FieldHandlers.ResolveIsIPPublic(ev, ¤t.Source)
+ })
+ ctx.BoolCache[field] = results
+ return results
+ }, Field: field,
+ Weight: eval.IteratorWeight,
+ }, nil
+ case "network_flow_monitor.flows.source.port":
+ return &eval.IntArrayEvaluator{
+ EvalFnc: func(ctx *eval.Context) []int {
+ ctx.AppendResolvedField(field)
+ if result, ok := ctx.IntCache[field]; ok {
+ return result
+ }
+ var results []int
+ iterator := &FlowsIterator{}
+ if regID != "" {
+ value := iterator.At(ctx, regID, ctx.Registers[regID])
+ if value == nil {
+ return results
+ }
+ element := *value
+ result := int(element.Source.Port)
+ results = append(results, result)
+ return results
+ }
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *Flow) int {
+ return int(current.Source.Port)
+ })
+ ctx.IntCache[field] = results
+ return results
+ }, Field: field,
+ Weight: eval.IteratorWeight,
+ }, nil
+ case "network_flow_monitor.flows_count":
+ return &eval.IntEvaluator{
+ EvalFnc: func(ctx *eval.Context) int {
+ ctx.AppendResolvedField(field)
+ ev := ctx.Event.(*Event)
+ return int(ev.NetworkFlowMonitor.FlowsCount)
+ },
+ Field: field,
+ Weight: eval.FunctionWeight,
+ }, nil
case "ondemand.arg1.str":
return &eval.StringEvaluator{
EvalFnc: func(ctx *eval.Context) string {
@@ -5088,6 +5457,16 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
Field: field,
Weight: eval.FunctionWeight,
}, nil
+ case "packet.network_direction":
+ return &eval.IntEvaluator{
+ EvalFnc: func(ctx *eval.Context) int {
+ ctx.AppendResolvedField(field)
+ ev := ctx.Event.(*Event)
+ return int(ev.RawPacket.NetworkContext.NetworkDirection)
+ },
+ Field: field,
+ Weight: eval.FunctionWeight,
+ }, nil
case "packet.size":
return &eval.IntEvaluator{
EvalFnc: func(ctx *eval.Context) int {
@@ -5158,8 +5537,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveProcessArgs(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveProcessArgs(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -5186,8 +5565,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -5214,8 +5593,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -5242,8 +5621,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ¤t.ProcessContext.Process)
})
ctx.BoolCache[field] = results
return results
@@ -5270,8 +5649,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessArgv(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessArgv(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -5298,8 +5677,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveProcessArgv0(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveProcessArgv0(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -5325,8 +5704,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.AUID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.AUID)
})
ctx.IntCache[field] = results
return results
@@ -5352,8 +5731,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.CapEffective)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.CapEffective)
})
ctx.IntCache[field] = results
return results
@@ -5379,8 +5758,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.CapPermitted)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.CapPermitted)
})
ctx.IntCache[field] = results
return results
@@ -5406,8 +5785,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.CGroup.CGroupFile.Inode)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.CGroup.CGroupFile.Inode)
})
ctx.IntCache[field] = results
return results
@@ -5433,8 +5812,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.CGroup.CGroupFile.MountID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.CGroup.CGroupFile.MountID)
})
ctx.IntCache[field] = results
return results
@@ -5461,8 +5840,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveCGroupID(ev, &pce.ProcessContext.Process.CGroup)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveCGroupID(ev, ¤t.ProcessContext.Process.CGroup)
})
ctx.StringCache[field] = results
return results
@@ -5489,8 +5868,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveCGroupManager(ev, &pce.ProcessContext.Process.CGroup)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveCGroupManager(ev, ¤t.ProcessContext.Process.CGroup)
})
ctx.StringCache[field] = results
return results
@@ -5517,8 +5896,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(ev.FieldHandlers.ResolveCGroupVersion(ev, &pce.ProcessContext.Process.CGroup))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(ev.FieldHandlers.ResolveCGroupVersion(ev, ¤t.ProcessContext.Process.CGroup))
})
ctx.IntCache[field] = results
return results
@@ -5544,8 +5923,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Comm
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Comm
})
ctx.StringCache[field] = results
return results
@@ -5572,8 +5951,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveProcessContainerID(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveProcessContainerID(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -5600,8 +5979,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &pce.ProcessContext.Process))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ¤t.ProcessContext.Process))
})
ctx.IntCache[field] = results
return results
@@ -5627,8 +6006,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.EGID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.EGID)
})
ctx.IntCache[field] = results
return results
@@ -5654,8 +6033,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.EGroup
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.EGroup
})
ctx.StringCache[field] = results
return results
@@ -5682,8 +6061,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessEnvp(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -5710,8 +6089,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessEnvs(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -5738,8 +6117,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ¤t.ProcessContext.Process)
})
ctx.BoolCache[field] = results
return results
@@ -5765,8 +6144,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.EUID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.EUID)
})
ctx.IntCache[field] = results
return results
@@ -5792,8 +6171,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.EUser
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.EUser
})
ctx.StringCache[field] = results
return results
@@ -5822,11 +6201,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.CTime)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.CTime)
})
ctx.IntCache[field] = results
return results
@@ -5856,11 +6235,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFileFilesystem(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolveFileFilesystem(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -5889,11 +6268,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.GID)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.GID)
})
ctx.IntCache[field] = results
return results
@@ -5923,11 +6302,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &pce.ProcessContext.Process.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsGroup(ev, ¤t.ProcessContext.Process.FileEvent.FileFields)
})
ctx.StringCache[field] = results
return results
@@ -5957,11 +6336,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return nil
}
- return ev.FieldHandlers.ResolveHashesFromEvent(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -5991,11 +6370,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ if !current.ProcessContext.Process.IsNotKworker() {
return false
}
- return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &pce.ProcessContext.Process.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, ¤t.ProcessContext.Process.FileEvent.FileFields)
})
ctx.BoolCache[field] = results
return results
@@ -6024,11 +6403,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode)
})
ctx.IntCache[field] = results
return results
@@ -6057,11 +6436,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.Mode)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.Mode)
})
ctx.IntCache[field] = results
return results
@@ -6090,11 +6469,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.MTime)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.MTime)
})
ctx.IntCache[field] = results
return results
@@ -6123,11 +6502,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID)
})
ctx.IntCache[field] = results
return results
@@ -6158,11 +6537,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -6190,8 +6569,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.FileEvent))
})
ctx.IntCache[field] = results
return results
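Review bot: The length callback in this hunk calls `ResolveFileBasename` on the ancestor's `FileEvent` without the kworker guard that the basename callback in the preceding hunk applies (`if !current.ProcessContext.Process.IsNotKworker() { return "" }`), so the string field and its length may disagree for a kworker ancestor. The same gap is in the path-length callback of the `@@ -6356,8 +6735,8 @@` hunk, which calls `ResolveFilePath` unguarded. Since the commit already rewrites these closures, adding `if !current.ProcessContext.Process.IsNotKworker() { return 0 }` before the `return len(...)` line would keep both fields consistent when rules are evaluated. The enclosing `EvalFnc` starts above the hunk, so the register branch is not visible here. If this file is generated, the guard belongs in the generator template rather than in this file.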
@@ -6221,11 +6600,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolvePackageName(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolvePackageName(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -6255,11 +6634,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolvePackageSourceVersion(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -6289,11 +6668,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolvePackageVersion(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolvePackageVersion(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -6324,11 +6703,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -6356,8 +6735,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.FileEvent))
})
ctx.IntCache[field] = results
return results
@@ -6387,11 +6766,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(ev.FieldHandlers.ResolveRights(ev, &pce.ProcessContext.Process.FileEvent.FileFields))
+ return int(ev.FieldHandlers.ResolveRights(ev, ¤t.ProcessContext.Process.FileEvent.FileFields))
})
ctx.IntCache[field] = results
return results
@@ -6420,11 +6799,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.UID)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.UID)
})
ctx.IntCache[field] = results
return results
@@ -6454,11 +6833,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFileFieldsUser(ev, &pce.ProcessContext.Process.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsUser(ev, ¤t.ProcessContext.Process.FileEvent.FileFields)
})
ctx.StringCache[field] = results
return results
@@ -6484,8 +6863,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.FSGID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.FSGID)
})
ctx.IntCache[field] = results
return results
@@ -6511,8 +6890,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.FSGroup
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.FSGroup
})
ctx.StringCache[field] = results
return results
@@ -6538,8 +6917,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.FSUID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.FSUID)
})
ctx.IntCache[field] = results
return results
@@ -6565,8 +6944,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.FSUser
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.FSUser
})
ctx.StringCache[field] = results
return results
@@ -6592,8 +6971,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.GID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.GID)
})
ctx.IntCache[field] = results
return results
@@ -6619,8 +6998,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.Group
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.Group
})
ctx.StringCache[field] = results
return results
@@ -6649,11 +7028,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime)
})
ctx.IntCache[field] = results
return results
@@ -6683,11 +7062,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFileFilesystem(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolveFileFilesystem(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -6716,11 +7095,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID)
})
ctx.IntCache[field] = results
return results
@@ -6750,11 +7129,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsGroup(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
})
ctx.StringCache[field] = results
return results
@@ -6784,11 +7163,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return nil
}
- return ev.FieldHandlers.ResolveHashesFromEvent(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -6818,11 +7197,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ if !current.ProcessContext.Process.HasInterpreter() {
return false
}
- return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
})
ctx.BoolCache[field] = results
return results
@@ -6851,11 +7230,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode)
})
ctx.IntCache[field] = results
return results
@@ -6884,11 +7263,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode)
})
ctx.IntCache[field] = results
return results
@@ -6917,11 +7296,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime)
})
ctx.IntCache[field] = results
return results
@@ -6950,11 +7329,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID)
})
ctx.IntCache[field] = results
return results
@@ -6985,11 +7364,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -7017,8 +7396,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent))
})
ctx.IntCache[field] = results
return results
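Review bot: The length accessor in this hunk calls `ResolveFileBasename` on `LinuxBinprm.FileEvent` with no `HasInterpreter()` check, while the string accessor for the same file event in the previous hunk returns `""` first when the ancestor has no interpreter. The `ResolveFilePath` length closure in the hunk at `-7183,8` has the same gap. What the resolvers return for an unset `FileEvent` is not visible here, so this may be harmless, but a rule on the length and a rule on the value could then evaluate differently for the same ancestor. I would add `if !current.ProcessContext.Process.HasInterpreter() { return 0 }` at the top of both closures, in the generator template if this file is generated. `GetEvaluator` starts and ends outside the hunk.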
@@ -7048,11 +7427,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolvePackageName(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolvePackageName(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -7082,11 +7461,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolvePackageSourceVersion(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -7116,11 +7495,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolvePackageVersion(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolvePackageVersion(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -7151,11 +7530,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -7183,8 +7562,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent))
})
ctx.IntCache[field] = results
return results
@@ -7214,11 +7593,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(ev.FieldHandlers.ResolveRights(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields))
+ return int(ev.FieldHandlers.ResolveRights(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields))
})
ctx.IntCache[field] = results
return results
@@ -7247,11 +7626,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID)
})
ctx.IntCache[field] = results
return results
@@ -7281,11 +7660,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFileFieldsUser(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsUser(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
})
ctx.StringCache[field] = results
return results
@@ -7311,8 +7690,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) bool {
- return pce.ProcessContext.Process.IsExec
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) bool {
+ return current.ProcessContext.Process.IsExec
})
ctx.BoolCache[field] = results
return results
@@ -7338,8 +7717,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) bool {
- return pce.ProcessContext.Process.PIDContext.IsKworker
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) bool {
+ return current.ProcessContext.Process.PIDContext.IsKworker
})
ctx.BoolCache[field] = results
return results
@@ -7366,8 +7745,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- return ev.FieldHandlers.ResolveProcessIsThread(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ return ev.FieldHandlers.ResolveProcessIsThread(ev, ¤t.ProcessContext.Process)
})
ctx.BoolCache[field] = results
return results
@@ -7403,8 +7782,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.PIDContext.Pid)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.PIDContext.Pid)
})
ctx.IntCache[field] = results
return results
@@ -7430,8 +7809,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.PPid)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.PPid)
})
ctx.IntCache[field] = results
return results
@@ -7457,8 +7836,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.PIDContext.Tid)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.PIDContext.Tid)
})
ctx.IntCache[field] = results
return results
@@ -7484,8 +7863,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.TTYName
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.TTYName
})
ctx.StringCache[field] = results
return results
@@ -7511,8 +7890,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.UID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.UID)
})
ctx.IntCache[field] = results
return results
@@ -7538,8 +7917,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.User
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.User
})
ctx.StringCache[field] = results
return results
@@ -7566,8 +7945,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveK8SGroups(ev, &pce.ProcessContext.Process.UserSession)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveK8SGroups(ev, ¤t.ProcessContext.Process.UserSession)
})
ctx.StringCache[field] = results
return results
@@ -7594,8 +7973,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveK8SUID(ev, &pce.ProcessContext.Process.UserSession)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveK8SUID(ev, ¤t.ProcessContext.Process.UserSession)
})
ctx.StringCache[field] = results
return results
@@ -7622,8 +8001,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveK8SUsername(ev, &pce.ProcessContext.Process.UserSession)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveK8SUsername(ev, ¤t.ProcessContext.Process.UserSession)
})
ctx.StringCache[field] = results
return results
@@ -9776,8 +10155,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveProcessArgs(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveProcessArgs(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -9804,8 +10183,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -9832,8 +10211,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -9860,8 +10239,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ¤t.ProcessContext.Process)
})
ctx.BoolCache[field] = results
return results
@@ -9888,8 +10267,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessArgv(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessArgv(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -9916,8 +10295,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveProcessArgv0(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveProcessArgv0(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -9943,8 +10322,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.AUID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.AUID)
})
ctx.IntCache[field] = results
return results
@@ -9970,8 +10349,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.CapEffective)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.CapEffective)
})
ctx.IntCache[field] = results
return results
@@ -9997,8 +10376,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.CapPermitted)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.CapPermitted)
})
ctx.IntCache[field] = results
return results
@@ -10024,8 +10403,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.CGroup.CGroupFile.Inode)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.CGroup.CGroupFile.Inode)
})
ctx.IntCache[field] = results
return results
@@ -10051,8 +10430,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.CGroup.CGroupFile.MountID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.CGroup.CGroupFile.MountID)
})
ctx.IntCache[field] = results
return results
@@ -10079,8 +10458,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveCGroupID(ev, &pce.ProcessContext.Process.CGroup)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveCGroupID(ev, ¤t.ProcessContext.Process.CGroup)
})
ctx.StringCache[field] = results
return results
@@ -10107,8 +10486,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveCGroupManager(ev, &pce.ProcessContext.Process.CGroup)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveCGroupManager(ev, ¤t.ProcessContext.Process.CGroup)
})
ctx.StringCache[field] = results
return results
@@ -10135,8 +10514,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(ev.FieldHandlers.ResolveCGroupVersion(ev, &pce.ProcessContext.Process.CGroup))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(ev.FieldHandlers.ResolveCGroupVersion(ev, ¤t.ProcessContext.Process.CGroup))
})
ctx.IntCache[field] = results
return results
@@ -10162,8 +10541,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Comm
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Comm
})
ctx.StringCache[field] = results
return results
@@ -10190,8 +10569,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveProcessContainerID(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveProcessContainerID(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -10218,8 +10597,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &pce.ProcessContext.Process))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ¤t.ProcessContext.Process))
})
ctx.IntCache[field] = results
return results
@@ -10245,8 +10624,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.EGID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.EGID)
})
ctx.IntCache[field] = results
return results
@@ -10272,8 +10651,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.EGroup
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.EGroup
})
ctx.StringCache[field] = results
return results
@@ -10300,8 +10679,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessEnvp(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -10328,8 +10707,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessEnvs(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -10356,8 +10735,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ¤t.ProcessContext.Process)
})
ctx.BoolCache[field] = results
return results
@@ -10383,8 +10762,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.EUID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.EUID)
})
ctx.IntCache[field] = results
return results
@@ -10410,8 +10789,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.EUser
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.EUser
})
ctx.StringCache[field] = results
return results
@@ -10440,11 +10819,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.CTime)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.CTime)
})
ctx.IntCache[field] = results
return results
@@ -10474,11 +10853,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFileFilesystem(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolveFileFilesystem(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -10507,11 +10886,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.GID)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.GID)
})
ctx.IntCache[field] = results
return results
@@ -10541,11 +10920,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &pce.ProcessContext.Process.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsGroup(ev, ¤t.ProcessContext.Process.FileEvent.FileFields)
})
ctx.StringCache[field] = results
return results
@@ -10575,11 +10954,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return nil
}
- return ev.FieldHandlers.ResolveHashesFromEvent(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -10609,11 +10988,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ if !current.ProcessContext.Process.IsNotKworker() {
return false
}
- return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &pce.ProcessContext.Process.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, ¤t.ProcessContext.Process.FileEvent.FileFields)
})
ctx.BoolCache[field] = results
return results
@@ -10642,11 +11021,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode)
})
ctx.IntCache[field] = results
return results
@@ -10675,11 +11054,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.Mode)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.Mode)
})
ctx.IntCache[field] = results
return results
@@ -10708,11 +11087,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.MTime)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.MTime)
})
ctx.IntCache[field] = results
return results
@@ -10741,11 +11120,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID)
})
ctx.IntCache[field] = results
return results
@@ -10776,11 +11155,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -10808,8 +11187,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.FileEvent))
})
ctx.IntCache[field] = results
return results
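Review bot: The length callback in this hunk calls `ResolveFileBasename` on the ancestor's `FileEvent` with no `IsNotKworker()` guard, while the string accessor in the hunk just above (`@@ -10776,11 +11155,11 @@`) returns `""` for kworker entries before resolving. The same gap appears in `@@ -10974,8 +11353,8 @@` (`ResolveFilePath`) and, with `HasInterpreter()` as the missing guard, in `@@ -11635,8 +12014,8 @@` and `@@ -11801,8 +12180,8 @@`. Whether the resolvers tolerate an empty `FileEvent` is not visible here, so a rule on the length field may evaluate differently from one on the string field for the same ancestor. I would add `if !current.ProcessContext.Process.IsNotKworker() { return 0 }` ahead of the `return len(...)`, and the `HasInterpreter()` equivalent in the interpreter variants. `GetEvaluator` starts and ends outside the hunk, and this repetitive code looks machine-generated, so the change probably belongs in the generator template rather than in this file.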
@@ -10839,11 +11218,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolvePackageName(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolvePackageName(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -10873,11 +11252,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolvePackageSourceVersion(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -10907,11 +11286,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolvePackageVersion(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolvePackageVersion(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -10942,11 +11321,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -10974,8 +11353,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.FileEvent))
})
ctx.IntCache[field] = results
return results
@@ -11005,11 +11384,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(ev.FieldHandlers.ResolveRights(ev, &pce.ProcessContext.Process.FileEvent.FileFields))
+ return int(ev.FieldHandlers.ResolveRights(ev, ¤t.ProcessContext.Process.FileEvent.FileFields))
})
ctx.IntCache[field] = results
return results
@@ -11038,11 +11417,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.UID)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.UID)
})
ctx.IntCache[field] = results
return results
@@ -11072,11 +11451,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFileFieldsUser(ev, &pce.ProcessContext.Process.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsUser(ev, ¤t.ProcessContext.Process.FileEvent.FileFields)
})
ctx.StringCache[field] = results
return results
@@ -11102,8 +11481,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.FSGID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.FSGID)
})
ctx.IntCache[field] = results
return results
@@ -11129,8 +11508,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.FSGroup
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.FSGroup
})
ctx.StringCache[field] = results
return results
@@ -11156,8 +11535,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.FSUID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.FSUID)
})
ctx.IntCache[field] = results
return results
@@ -11183,8 +11562,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.FSUser
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.FSUser
})
ctx.StringCache[field] = results
return results
@@ -11210,8 +11589,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.GID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.GID)
})
ctx.IntCache[field] = results
return results
@@ -11237,8 +11616,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.Group
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.Group
})
ctx.StringCache[field] = results
return results
@@ -11267,11 +11646,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime)
})
ctx.IntCache[field] = results
return results
@@ -11301,11 +11680,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFileFilesystem(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolveFileFilesystem(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -11334,11 +11713,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID)
})
ctx.IntCache[field] = results
return results
@@ -11368,11 +11747,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsGroup(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
})
ctx.StringCache[field] = results
return results
@@ -11402,11 +11781,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return nil
}
- return ev.FieldHandlers.ResolveHashesFromEvent(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -11436,11 +11815,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ if !current.ProcessContext.Process.HasInterpreter() {
return false
}
- return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
})
ctx.BoolCache[field] = results
return results
@@ -11469,11 +11848,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode)
})
ctx.IntCache[field] = results
return results
@@ -11502,11 +11881,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode)
})
ctx.IntCache[field] = results
return results
@@ -11535,11 +11914,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime)
})
ctx.IntCache[field] = results
return results
@@ -11568,11 +11947,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID)
})
ctx.IntCache[field] = results
return results
@@ -11603,11 +11982,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -11635,8 +12014,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent))
})
ctx.IntCache[field] = results
return results
@@ -11666,11 +12045,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolvePackageName(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolvePackageName(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -11700,11 +12079,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolvePackageSourceVersion(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -11734,11 +12113,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolvePackageVersion(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolvePackageVersion(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -11769,11 +12148,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -11801,8 +12180,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent))
})
ctx.IntCache[field] = results
return results
@@ -11832,11 +12211,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(ev.FieldHandlers.ResolveRights(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields))
+ return int(ev.FieldHandlers.ResolveRights(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields))
})
ctx.IntCache[field] = results
return results
@@ -11865,11 +12244,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID)
})
ctx.IntCache[field] = results
return results
@@ -11899,11 +12278,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFileFieldsUser(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsUser(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
})
ctx.StringCache[field] = results
return results
@@ -11929,8 +12308,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) bool {
- return pce.ProcessContext.Process.IsExec
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) bool {
+ return current.ProcessContext.Process.IsExec
})
ctx.BoolCache[field] = results
return results
@@ -11956,8 +12335,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) bool {
- return pce.ProcessContext.Process.PIDContext.IsKworker
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) bool {
+ return current.ProcessContext.Process.PIDContext.IsKworker
})
ctx.BoolCache[field] = results
return results
@@ -11984,8 +12363,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- return ev.FieldHandlers.ResolveProcessIsThread(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ return ev.FieldHandlers.ResolveProcessIsThread(ev, ¤t.ProcessContext.Process)
})
ctx.BoolCache[field] = results
return results
@@ -12021,8 +12400,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.PIDContext.Pid)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.PIDContext.Pid)
})
ctx.IntCache[field] = results
return results
@@ -12048,8 +12427,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.PPid)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.PPid)
})
ctx.IntCache[field] = results
return results
@@ -12075,8 +12454,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.PIDContext.Tid)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.PIDContext.Tid)
})
ctx.IntCache[field] = results
return results
@@ -12102,8 +12481,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.TTYName
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.TTYName
})
ctx.StringCache[field] = results
return results
@@ -12129,8 +12508,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.UID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.UID)
})
ctx.IntCache[field] = results
return results
@@ -12156,8 +12535,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.User
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.User
})
ctx.StringCache[field] = results
return results
@@ -12184,8 +12563,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveK8SGroups(ev, &pce.ProcessContext.Process.UserSession)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveK8SGroups(ev, ¤t.ProcessContext.Process.UserSession)
})
ctx.StringCache[field] = results
return results
@@ -12212,8 +12591,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveK8SUID(ev, &pce.ProcessContext.Process.UserSession)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveK8SUID(ev, ¤t.ProcessContext.Process.UserSession)
})
ctx.StringCache[field] = results
return results
@@ -12240,8 +12619,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveK8SUsername(ev, &pce.ProcessContext.Process.UserSession)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveK8SUsername(ev, ¤t.ProcessContext.Process.UserSession)
})
ctx.StringCache[field] = results
return results
@@ -15674,8 +16053,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveProcessArgs(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveProcessArgs(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -15702,8 +16081,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -15730,8 +16109,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -15758,8 +16137,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ¤t.ProcessContext.Process)
})
ctx.BoolCache[field] = results
return results
@@ -15786,8 +16165,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessArgv(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessArgv(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -15814,8 +16193,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveProcessArgv0(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveProcessArgv0(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -15841,8 +16220,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.AUID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.AUID)
})
ctx.IntCache[field] = results
return results
@@ -15868,8 +16247,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.CapEffective)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.CapEffective)
})
ctx.IntCache[field] = results
return results
@@ -15895,8 +16274,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.CapPermitted)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.CapPermitted)
})
ctx.IntCache[field] = results
return results
@@ -15922,8 +16301,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.CGroup.CGroupFile.Inode)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.CGroup.CGroupFile.Inode)
})
ctx.IntCache[field] = results
return results
@@ -15949,8 +16328,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.CGroup.CGroupFile.MountID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.CGroup.CGroupFile.MountID)
})
ctx.IntCache[field] = results
return results
@@ -15977,8 +16356,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveCGroupID(ev, &pce.ProcessContext.Process.CGroup)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveCGroupID(ev, ¤t.ProcessContext.Process.CGroup)
})
ctx.StringCache[field] = results
return results
@@ -16005,8 +16384,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveCGroupManager(ev, &pce.ProcessContext.Process.CGroup)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveCGroupManager(ev, ¤t.ProcessContext.Process.CGroup)
})
ctx.StringCache[field] = results
return results
@@ -16033,8 +16412,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(ev.FieldHandlers.ResolveCGroupVersion(ev, &pce.ProcessContext.Process.CGroup))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(ev.FieldHandlers.ResolveCGroupVersion(ev, ¤t.ProcessContext.Process.CGroup))
})
ctx.IntCache[field] = results
return results
@@ -16060,8 +16439,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Comm
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Comm
})
ctx.StringCache[field] = results
return results
@@ -16088,8 +16467,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveProcessContainerID(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveProcessContainerID(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -16116,8 +16495,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &pce.ProcessContext.Process))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ¤t.ProcessContext.Process))
})
ctx.IntCache[field] = results
return results
@@ -16143,8 +16522,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.EGID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.EGID)
})
ctx.IntCache[field] = results
return results
@@ -16170,8 +16549,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.EGroup
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.EGroup
})
ctx.StringCache[field] = results
return results
@@ -16198,8 +16577,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessEnvp(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -16226,8 +16605,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessEnvs(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -16254,8 +16633,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ¤t.ProcessContext.Process)
})
ctx.BoolCache[field] = results
return results
@@ -16281,8 +16660,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.EUID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.EUID)
})
ctx.IntCache[field] = results
return results
@@ -16308,8 +16687,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.EUser
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.EUser
})
ctx.StringCache[field] = results
return results
@@ -16338,11 +16717,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.CTime)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.CTime)
})
ctx.IntCache[field] = results
return results
@@ -16372,11 +16751,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFileFilesystem(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolveFileFilesystem(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -16405,11 +16784,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.GID)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.GID)
})
ctx.IntCache[field] = results
return results
@@ -16439,11 +16818,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &pce.ProcessContext.Process.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsGroup(ev, ¤t.ProcessContext.Process.FileEvent.FileFields)
})
ctx.StringCache[field] = results
return results
@@ -16473,11 +16852,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return nil
}
- return ev.FieldHandlers.ResolveHashesFromEvent(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -16507,11 +16886,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ if !current.ProcessContext.Process.IsNotKworker() {
return false
}
- return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &pce.ProcessContext.Process.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, ¤t.ProcessContext.Process.FileEvent.FileFields)
})
ctx.BoolCache[field] = results
return results
@@ -16540,11 +16919,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode)
})
ctx.IntCache[field] = results
return results
@@ -16573,11 +16952,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.Mode)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.Mode)
})
ctx.IntCache[field] = results
return results
@@ -16606,11 +16985,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.MTime)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.MTime)
})
ctx.IntCache[field] = results
return results
@@ -16639,11 +17018,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID)
})
ctx.IntCache[field] = results
return results
@@ -16674,11 +17053,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -16706,8 +17085,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.FileEvent))
})
ctx.IntCache[field] = results
return results
@@ -16737,11 +17116,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolvePackageName(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolvePackageName(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -16771,11 +17150,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolvePackageSourceVersion(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -16805,11 +17184,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolvePackageVersion(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolvePackageVersion(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -16840,11 +17219,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.FileEvent)
+ return ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -16872,8 +17251,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.FileEvent))
})
ctx.IntCache[field] = results
return results
@@ -16903,11 +17282,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(ev.FieldHandlers.ResolveRights(ev, &pce.ProcessContext.Process.FileEvent.FileFields))
+ return int(ev.FieldHandlers.ResolveRights(ev, ¤t.ProcessContext.Process.FileEvent.FileFields))
})
ctx.IntCache[field] = results
return results
@@ -16936,11 +17315,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.IsNotKworker() {
return 0
}
- return int(pce.ProcessContext.Process.FileEvent.FileFields.UID)
+ return int(current.ProcessContext.Process.FileEvent.FileFields.UID)
})
ctx.IntCache[field] = results
return results
@@ -16970,11 +17349,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.IsNotKworker() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.IsNotKworker() {
return ""
}
- return ev.FieldHandlers.ResolveFileFieldsUser(ev, &pce.ProcessContext.Process.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsUser(ev, ¤t.ProcessContext.Process.FileEvent.FileFields)
})
ctx.StringCache[field] = results
return results
@@ -17000,8 +17379,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.FSGID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.FSGID)
})
ctx.IntCache[field] = results
return results
@@ -17027,8 +17406,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.FSGroup
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.FSGroup
})
ctx.StringCache[field] = results
return results
@@ -17054,8 +17433,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.FSUID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.FSUID)
})
ctx.IntCache[field] = results
return results
@@ -17081,8 +17460,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.FSUser
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.FSUser
})
ctx.StringCache[field] = results
return results
@@ -17108,8 +17487,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.GID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.GID)
})
ctx.IntCache[field] = results
return results
@@ -17135,8 +17514,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.Group
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.Group
})
ctx.StringCache[field] = results
return results
@@ -17165,11 +17544,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime)
})
ctx.IntCache[field] = results
return results
@@ -17199,11 +17578,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFileFilesystem(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolveFileFilesystem(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -17232,11 +17611,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID)
})
ctx.IntCache[field] = results
return results
@@ -17266,11 +17645,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsGroup(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
})
ctx.StringCache[field] = results
return results
@@ -17300,11 +17679,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return nil
}
- return ev.FieldHandlers.ResolveHashesFromEvent(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolveHashesFromEvent(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -17334,11 +17713,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ if !current.ProcessContext.Process.HasInterpreter() {
return false
}
- return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
})
ctx.BoolCache[field] = results
return results
@@ -17367,11 +17746,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode)
})
ctx.IntCache[field] = results
return results
@@ -17400,11 +17779,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode)
})
ctx.IntCache[field] = results
return results
@@ -17433,11 +17812,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime)
})
ctx.IntCache[field] = results
return results
@@ -17466,11 +17845,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID)
})
ctx.IntCache[field] = results
return results
@@ -17501,11 +17880,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -17533,8 +17912,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent))
})
ctx.IntCache[field] = results
return results
@@ -17564,11 +17943,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolvePackageName(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolvePackageName(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -17598,11 +17977,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolvePackageSourceVersion(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -17632,11 +18011,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolvePackageVersion(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolvePackageVersion(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -17667,11 +18046,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent)
+ return ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -17699,8 +18078,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent))
})
ctx.IntCache[field] = results
return results
@@ -17730,11 +18109,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(ev.FieldHandlers.ResolveRights(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields))
+ return int(ev.FieldHandlers.ResolveRights(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields))
})
ctx.IntCache[field] = results
return results
@@ -17763,11 +18142,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ if !current.ProcessContext.Process.HasInterpreter() {
return 0
}
- return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID)
+ return int(current.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID)
})
ctx.IntCache[field] = results
return results
@@ -17797,11 +18176,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- if !pce.ProcessContext.Process.HasInterpreter() {
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ if !current.ProcessContext.Process.HasInterpreter() {
return ""
}
- return ev.FieldHandlers.ResolveFileFieldsUser(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
+ return ev.FieldHandlers.ResolveFileFieldsUser(ev, ¤t.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
})
ctx.StringCache[field] = results
return results
@@ -17827,8 +18206,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) bool {
- return pce.ProcessContext.Process.IsExec
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) bool {
+ return current.ProcessContext.Process.IsExec
})
ctx.BoolCache[field] = results
return results
@@ -17854,8 +18233,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) bool {
- return pce.ProcessContext.Process.PIDContext.IsKworker
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) bool {
+ return current.ProcessContext.Process.PIDContext.IsKworker
})
ctx.BoolCache[field] = results
return results
@@ -17882,8 +18261,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool {
- return ev.FieldHandlers.ResolveProcessIsThread(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) bool {
+ return ev.FieldHandlers.ResolveProcessIsThread(ev, ¤t.ProcessContext.Process)
})
ctx.BoolCache[field] = results
return results
@@ -17919,8 +18298,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.PIDContext.Pid)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.PIDContext.Pid)
})
ctx.IntCache[field] = results
return results
@@ -17946,8 +18325,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.PPid)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.PPid)
})
ctx.IntCache[field] = results
return results
@@ -17973,8 +18352,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.PIDContext.Tid)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.PIDContext.Tid)
})
ctx.IntCache[field] = results
return results
@@ -18000,8 +18379,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.TTYName
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.TTYName
})
ctx.StringCache[field] = results
return results
@@ -18027,8 +18406,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.Credentials.UID)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.Credentials.UID)
})
ctx.IntCache[field] = results
return results
@@ -18054,8 +18433,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.Credentials.User
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.Credentials.User
})
ctx.StringCache[field] = results
return results
@@ -18082,8 +18461,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveK8SGroups(ev, &pce.ProcessContext.Process.UserSession)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveK8SGroups(ev, ¤t.ProcessContext.Process.UserSession)
})
ctx.StringCache[field] = results
return results
@@ -18110,8 +18489,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveK8SUID(ev, &pce.ProcessContext.Process.UserSession)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveK8SUID(ev, ¤t.ProcessContext.Process.UserSession)
})
ctx.StringCache[field] = results
return results
@@ -18138,8 +18517,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveK8SUsername(ev, &pce.ProcessContext.Process.UserSession)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveK8SUsername(ev, ¤t.ProcessContext.Process.UserSession)
})
ctx.StringCache[field] = results
return results
@@ -21426,10 +21805,26 @@ func (ev *Event) GetFields() []eval.Field {
"network.device.ifname",
"network.l3_protocol",
"network.l4_protocol",
+ "network.network_direction",
"network.size",
"network.source.ip",
"network.source.is_public",
"network.source.port",
+ "network_flow_monitor.device.ifname",
+ "network_flow_monitor.flows.destination.ip",
+ "network_flow_monitor.flows.destination.is_public",
+ "network_flow_monitor.flows.destination.port",
+ "network_flow_monitor.flows.egress.data_size",
+ "network_flow_monitor.flows.egress.packet_count",
+ "network_flow_monitor.flows.ingress.data_size",
+ "network_flow_monitor.flows.ingress.packet_count",
+ "network_flow_monitor.flows.l3_protocol",
+ "network_flow_monitor.flows.l4_protocol",
+ "network_flow_monitor.flows.length",
+ "network_flow_monitor.flows.source.ip",
+ "network_flow_monitor.flows.source.is_public",
+ "network_flow_monitor.flows.source.port",
+ "network_flow_monitor.flows_count",
"ondemand.arg1.str",
"ondemand.arg1.uint",
"ondemand.arg2.str",
@@ -21472,6 +21867,7 @@ func (ev *Event) GetFields() []eval.Field {
"packet.filter",
"packet.l3_protocol",
"packet.l4_protocol",
+ "packet.network_direction",
"packet.size",
"packet.source.ip",
"packet.source.is_public",
@@ -23499,6 +23895,8 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
return int(ev.NetworkContext.L3Protocol), nil
case "network.l4_protocol":
return int(ev.NetworkContext.L4Protocol), nil
+ case "network.network_direction":
+ return int(ev.NetworkContext.NetworkDirection), nil
case "network.size":
return int(ev.NetworkContext.Size), nil
case "network.source.ip":
@@ -23507,6 +23905,158 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.NetworkContext.Source), nil
case "network.source.port":
return int(ev.NetworkContext.Source.Port), nil
+ case "network_flow_monitor.device.ifname":
+ return ev.FieldHandlers.ResolveNetworkDeviceIfName(ev, &ev.NetworkFlowMonitor.Device), nil
+ case "network_flow_monitor.flows.destination.ip":
+ var values []net.IPNet
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := *ptr
+ result := element.Destination.IPNet
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values, nil
+ case "network_flow_monitor.flows.destination.is_public":
+ var values []bool
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := *ptr
+ result := ev.FieldHandlers.ResolveIsIPPublic(ev, &element.Destination)
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values, nil
+ case "network_flow_monitor.flows.destination.port":
+ var values []int
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := *ptr
+ result := int(element.Destination.Port)
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values, nil
+ case "network_flow_monitor.flows.egress.data_size":
+ var values []int
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := *ptr
+ result := int(element.Egress.DataSize)
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values, nil
+ case "network_flow_monitor.flows.egress.packet_count":
+ var values []int
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := *ptr
+ result := int(element.Egress.PacketCount)
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values, nil
+ case "network_flow_monitor.flows.ingress.data_size":
+ var values []int
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := *ptr
+ result := int(element.Ingress.DataSize)
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values, nil
+ case "network_flow_monitor.flows.ingress.packet_count":
+ var values []int
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := *ptr
+ result := int(element.Ingress.PacketCount)
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values, nil
+ case "network_flow_monitor.flows.l3_protocol":
+ var values []int
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := *ptr
+ result := int(element.L3Protocol)
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values, nil
+ case "network_flow_monitor.flows.l4_protocol":
+ var values []int
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := *ptr
+ result := int(element.L4Protocol)
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values, nil
+ case "network_flow_monitor.flows.length":
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ return iterator.Len(ctx), nil
+ case "network_flow_monitor.flows.source.ip":
+ var values []net.IPNet
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := *ptr
+ result := element.Source.IPNet
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values, nil
+ case "network_flow_monitor.flows.source.is_public":
+ var values []bool
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := *ptr
+ result := ev.FieldHandlers.ResolveIsIPPublic(ev, &element.Source)
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values, nil
+ case "network_flow_monitor.flows.source.port":
+ var values []int
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ element := *ptr
+ result := int(element.Source.Port)
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values, nil
+ case "network_flow_monitor.flows_count":
+ return int(ev.NetworkFlowMonitor.FlowsCount), nil
case "ondemand.arg1.str":
return ev.FieldHandlers.ResolveOnDemandArg1Str(ev, &ev.OnDemand), nil
case "ondemand.arg1.uint":
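Review bot: In the new `network_flow_monitor.flows.*` cases the loop body begins with `element := *ptr`, which copies the whole flow on every iteration, while the `process.ancestors.*` cases further down in this function keep the pointer (`element := ptr`). For `flows.destination.is_public` and `flows.source.is_public` this means `ResolveIsIPPublic` is handed the address of a per-iteration copy. If that handler records its result on the struct it receives (its body is not visible here), the recorded value is dropped and the event's own flow entry is never updated. I would write `element := ptr` in these cases, or pass `&ptr.Destination` and `&ptr.Source` directly, so every consumer of the event sees the same resolved value. GetFieldValue starts and ends outside this hunk, and if this file is generated the change belongs in the generator template rather than here.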
@@ -23591,6 +24141,8 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
return int(ev.RawPacket.NetworkContext.L3Protocol), nil
case "packet.l4_protocol":
return int(ev.RawPacket.NetworkContext.L4Protocol), nil
+ case "packet.network_direction":
+ return int(ev.RawPacket.NetworkContext.NetworkDirection), nil
case "packet.size":
return int(ev.RawPacket.NetworkContext.Size), nil
case "packet.source.ip":
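Review bot: The new `packet.network_direction` case returns `int(ev.RawPacket.NetworkContext.NetworkDirection)`, and nothing in the hunk says which numeric value stands for which direction. Anyone writing or auditing a detection rule on this field has to look the encoding up elsewhere. I would document it where the field is defined, or, if this switch is hand-maintained, with a comment above the case such as `// packet.network_direction: direction of the captured packet as its numeric NetworkDirection value`. Whether named direction constants are exposed to rules alongside this field is not visible here and is worth confirming. GetFieldValue starts and ends outside the hunk.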
@@ -23610,7 +24162,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.args_flags":
@@ -23622,7 +24174,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.args_options":
@@ -23634,7 +24186,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.args_truncated":
@@ -23646,7 +24198,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.argv":
@@ -23658,7 +24210,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.argv0":
@@ -23670,7 +24222,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.auid":
@@ -23682,7 +24234,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.AUID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.cap_effective":
@@ -23694,7 +24246,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.CapEffective)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.cap_permitted":
@@ -23706,7 +24258,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.CapPermitted)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.cgroup.file.inode":
@@ -23718,7 +24270,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.CGroup.CGroupFile.Inode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.cgroup.file.mount_id":
@@ -23730,7 +24282,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.CGroup.CGroupFile.MountID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.cgroup.id":
@@ -23742,7 +24294,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveCGroupID(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.cgroup.manager":
@@ -23754,7 +24306,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveCGroupManager(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.cgroup.version":
@@ -23766,7 +24318,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveCGroupVersion(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.comm":
@@ -23778,7 +24330,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Comm
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.container.id":
@@ -23790,7 +24342,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessContainerID(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.created_at":
@@ -23802,7 +24354,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.egid":
@@ -23814,7 +24366,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.EGID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.egroup":
@@ -23826,7 +24378,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.EGroup
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.envp":
@@ -23838,7 +24390,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.envs":
@@ -23850,7 +24402,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.envs_truncated":
@@ -23862,7 +24414,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.euid":
@@ -23874,7 +24426,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.EUID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.euser":
@@ -23886,7 +24438,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.EUser
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.change_time":
@@ -23898,7 +24450,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.filesystem":
@@ -23910,7 +24462,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.gid":
@@ -23922,7 +24474,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.GID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.group":
@@ -23934,7 +24486,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.hashes":
@@ -23946,7 +24498,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.in_upper_layer":
@@ -23958,7 +24510,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.inode":
@@ -23970,7 +24522,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.mode":
@@ -23982,7 +24534,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.modification_time":
@@ -23994,7 +24546,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.mount_id":
@@ -24006,7 +24558,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.name":
@@ -24018,7 +24570,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.name.length":
@@ -24032,7 +24584,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.package.source_version":
@@ -24044,7 +24596,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.package.version":
@@ -24056,7 +24608,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.path":
@@ -24068,7 +24620,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.path.length":
@@ -24082,7 +24634,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.uid":
@@ -24094,7 +24646,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.UID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.user":
@@ -24106,7 +24658,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.fsgid":
@@ -24118,7 +24670,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.FSGID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.fsgroup":
@@ -24130,7 +24682,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.FSGroup
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.fsuid":
@@ -24142,7 +24694,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.FSUID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.fsuser":
@@ -24154,7 +24706,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.FSUser
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.gid":
@@ -24166,7 +24718,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.GID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.group":
@@ -24178,7 +24730,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.Group
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.change_time":
@@ -24190,7 +24742,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.filesystem":
@@ -24202,7 +24754,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.gid":
@@ -24214,7 +24766,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.group":
@@ -24226,7 +24778,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.hashes":
@@ -24238,7 +24790,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.in_upper_layer":
@@ -24250,7 +24802,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.inode":
@@ -24262,7 +24814,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.mode":
@@ -24274,7 +24826,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.modification_time":
@@ -24286,7 +24838,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.mount_id":
@@ -24298,7 +24850,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.name":
@@ -24310,7 +24862,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.name.length":
@@ -24324,7 +24876,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.package.source_version":
@@ -24336,7 +24888,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.package.version":
@@ -24348,7 +24900,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.path":
@@ -24360,7 +24912,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.path.length":
@@ -24374,7 +24926,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.uid":
@@ -24386,7 +24938,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.interpreter.file.user":
@@ -24398,7 +24950,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.is_exec":
@@ -24410,7 +24962,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.IsExec
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.is_kworker":
@@ -24422,7 +24974,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.PIDContext.IsKworker
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.is_thread":
@@ -24434,7 +24986,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessIsThread(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.length":
@@ -24450,7 +25002,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.PIDContext.Pid)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.ppid":
@@ -24462,7 +25014,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.PPid)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.tid":
@@ -24474,7 +25026,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.PIDContext.Tid)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.tty_name":
@@ -24486,7 +25038,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.TTYName
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.uid":
@@ -24498,7 +25050,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.UID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.user":
@@ -24510,7 +25062,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.User
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.user_session.k8s_groups":
@@ -24522,7 +25074,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.user_session.k8s_uid":
@@ -24534,7 +25086,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.user_session.k8s_username":
@@ -24546,7 +25098,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.args":
@@ -25340,7 +25892,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.args_flags":
@@ -25352,7 +25904,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.args_options":
@@ -25364,7 +25916,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.args_truncated":
@@ -25376,7 +25928,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.argv":
@@ -25388,7 +25940,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.argv0":
@@ -25400,7 +25952,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.auid":
@@ -25412,7 +25964,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.AUID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.cap_effective":
@@ -25424,7 +25976,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.CapEffective)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.cap_permitted":
@@ -25436,7 +25988,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.CapPermitted)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.cgroup.file.inode":
@@ -25448,7 +26000,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.CGroup.CGroupFile.Inode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.cgroup.file.mount_id":
@@ -25460,7 +26012,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.CGroup.CGroupFile.MountID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.cgroup.id":
@@ -25472,7 +26024,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveCGroupID(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.cgroup.manager":
@@ -25484,7 +26036,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveCGroupManager(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.cgroup.version":
@@ -25496,7 +26048,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveCGroupVersion(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.comm":
@@ -25508,7 +26060,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Comm
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.container.id":
@@ -25520,7 +26072,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessContainerID(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.created_at":
@@ -25532,7 +26084,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.egid":
@@ -25544,7 +26096,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.EGID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.egroup":
@@ -25556,7 +26108,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.EGroup
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.envp":
@@ -25568,7 +26120,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.envs":
@@ -25580,7 +26132,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.envs_truncated":
@@ -25592,7 +26144,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.euid":
@@ -25604,7 +26156,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.EUID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.euser":
@@ -25616,7 +26168,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.EUser
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.change_time":
@@ -25628,7 +26180,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.filesystem":
@@ -25640,7 +26192,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.gid":
@@ -25652,7 +26204,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.GID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.group":
@@ -25664,7 +26216,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.hashes":
@@ -25676,7 +26228,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.in_upper_layer":
@@ -25688,7 +26240,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.inode":
@@ -25700,7 +26252,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.mode":
@@ -25712,7 +26264,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.modification_time":
@@ -25724,7 +26276,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.mount_id":
@@ -25736,7 +26288,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.name":
@@ -25748,7 +26300,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.name.length":
@@ -25762,7 +26314,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.package.source_version":
@@ -25774,7 +26326,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.package.version":
@@ -25786,7 +26338,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.path":
@@ -25798,7 +26350,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.path.length":
@@ -25812,7 +26364,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.uid":
@@ -25824,7 +26376,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.UID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.file.user":
@@ -25836,7 +26388,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.fsgid":
@@ -25848,7 +26400,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.FSGID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.fsgroup":
@@ -25860,7 +26412,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.FSGroup
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.fsuid":
@@ -25872,7 +26424,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.FSUID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.fsuser":
@@ -25884,7 +26436,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.FSUser
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.gid":
@@ -25896,7 +26448,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.GID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.group":
@@ -25908,7 +26460,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.Group
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.change_time":
@@ -25920,7 +26472,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.filesystem":
@@ -25932,7 +26484,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.gid":
@@ -25944,7 +26496,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.group":
@@ -25956,7 +26508,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.hashes":
@@ -25968,7 +26520,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.in_upper_layer":
@@ -25980,7 +26532,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.inode":
@@ -25992,7 +26544,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.mode":
@@ -26004,7 +26556,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.modification_time":
@@ -26016,7 +26568,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.mount_id":
@@ -26028,7 +26580,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.name":
@@ -26040,7 +26592,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.name.length":
@@ -26054,7 +26606,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.package.source_version":
@@ -26066,7 +26618,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.package.version":
@@ -26078,7 +26630,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.path":
@@ -26090,7 +26642,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.path.length":
@@ -26104,7 +26656,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.uid":
@@ -26116,7 +26668,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.interpreter.file.user":
@@ -26128,7 +26680,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.is_exec":
@@ -26140,7 +26692,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.IsExec
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.is_kworker":
@@ -26152,7 +26704,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.PIDContext.IsKworker
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.is_thread":
@@ -26164,7 +26716,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessIsThread(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.length":
@@ -26180,7 +26732,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.PIDContext.Pid)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.ppid":
@@ -26192,7 +26744,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.PPid)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.tid":
@@ -26204,7 +26756,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.PIDContext.Tid)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.tty_name":
@@ -26216,7 +26768,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.TTYName
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.uid":
@@ -26228,7 +26780,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.UID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.user":
@@ -26240,7 +26792,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.User
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.user_session.k8s_groups":
@@ -26252,7 +26804,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.user_session.k8s_uid":
@@ -26264,7 +26816,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.ancestors.user_session.k8s_username":
@@ -26276,7 +26828,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "ptrace.tracee.args":
@@ -27322,7 +27874,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.args_flags":
@@ -27334,7 +27886,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.args_options":
@@ -27346,7 +27898,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.args_truncated":
@@ -27358,7 +27910,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.argv":
@@ -27370,7 +27922,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.argv0":
@@ -27382,7 +27934,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.auid":
@@ -27394,7 +27946,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.AUID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.cap_effective":
@@ -27406,7 +27958,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.CapEffective)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.cap_permitted":
@@ -27418,7 +27970,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.CapPermitted)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.cgroup.file.inode":
@@ -27430,7 +27982,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.CGroup.CGroupFile.Inode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.cgroup.file.mount_id":
@@ -27442,7 +27994,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.CGroup.CGroupFile.MountID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.cgroup.id":
@@ -27454,7 +28006,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveCGroupID(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.cgroup.manager":
@@ -27466,7 +28018,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveCGroupManager(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.cgroup.version":
@@ -27478,7 +28030,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveCGroupVersion(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.comm":
@@ -27490,7 +28042,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Comm
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.container.id":
@@ -27502,7 +28054,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessContainerID(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.created_at":
@@ -27514,7 +28066,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.egid":
@@ -27526,7 +28078,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.EGID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.egroup":
@@ -27538,7 +28090,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.EGroup
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.envp":
@@ -27550,7 +28102,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.envs":
@@ -27562,7 +28114,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.envs_truncated":
@@ -27574,7 +28126,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.euid":
@@ -27586,7 +28138,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.EUID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.euser":
@@ -27598,7 +28150,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.EUser
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.change_time":
@@ -27610,7 +28162,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.filesystem":
@@ -27622,7 +28174,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.gid":
@@ -27634,7 +28186,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.GID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.group":
@@ -27646,7 +28198,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.hashes":
@@ -27658,7 +28210,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.in_upper_layer":
@@ -27670,7 +28222,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.inode":
@@ -27682,7 +28234,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.mode":
@@ -27694,7 +28246,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.modification_time":
@@ -27706,7 +28258,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.mount_id":
@@ -27718,7 +28270,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.name":
@@ -27730,7 +28282,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.name.length":
@@ -27744,7 +28296,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.package.source_version":
@@ -27756,7 +28308,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.package.version":
@@ -27768,7 +28320,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.path":
@@ -27780,7 +28332,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.path.length":
@@ -27794,7 +28346,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.uid":
@@ -27806,7 +28358,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.FileEvent.FileFields.UID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.file.user":
@@ -27818,7 +28370,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.fsgid":
@@ -27830,7 +28382,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.FSGID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.fsgroup":
@@ -27842,7 +28394,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.FSGroup
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.fsuid":
@@ -27854,7 +28406,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.FSUID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.fsuser":
@@ -27866,7 +28418,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.FSUser
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.gid":
@@ -27878,7 +28430,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.GID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.group":
@@ -27890,7 +28442,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.Group
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.change_time":
@@ -27902,7 +28454,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.filesystem":
@@ -27914,7 +28466,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.gid":
@@ -27926,7 +28478,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.group":
@@ -27938,7 +28490,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.hashes":
@@ -27950,7 +28502,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.in_upper_layer":
@@ -27962,7 +28514,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.inode":
@@ -27974,7 +28526,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.mode":
@@ -27986,7 +28538,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.modification_time":
@@ -27998,7 +28550,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.mount_id":
@@ -28010,7 +28562,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.name":
@@ -28022,7 +28574,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.name.length":
@@ -28036,7 +28588,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.package.source_version":
@@ -28048,7 +28600,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.package.version":
@@ -28060,7 +28612,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.path":
@@ -28072,7 +28624,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.path.length":
@@ -28086,7 +28638,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.uid":
@@ -28098,7 +28650,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.interpreter.file.user":
@@ -28110,7 +28662,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.is_exec":
@@ -28122,7 +28674,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.IsExec
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.is_kworker":
@@ -28134,7 +28686,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.PIDContext.IsKworker
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.is_thread":
@@ -28146,7 +28698,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessIsThread(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.length":
@@ -28162,7 +28714,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.PIDContext.Pid)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.ppid":
@@ -28174,7 +28726,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.PPid)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.tid":
@@ -28186,7 +28738,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.PIDContext.Tid)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.tty_name":
@@ -28198,7 +28750,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.TTYName
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.uid":
@@ -28210,7 +28762,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.Credentials.UID)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.user":
@@ -28222,7 +28774,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.Credentials.User
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.user_session.k8s_groups":
@@ -28234,7 +28786,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.user_session.k8s_uid":
@@ -28246,7 +28798,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.ancestors.user_session.k8s_username":
@@ -28258,7 +28810,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "signal.target.args":
@@ -30044,6 +30596,8 @@ func (ev *Event) GetFieldEventType(field eval.Field) (eval.EventType, error) {
return "", nil
case "network.l4_protocol":
return "", nil
+ case "network.network_direction":
+ return "", nil
case "network.size":
return "", nil
case "network.source.ip":
@@ -30052,6 +30606,36 @@ func (ev *Event) GetFieldEventType(field eval.Field) (eval.EventType, error) {
return "", nil
case "network.source.port":
return "", nil
+ case "network_flow_monitor.device.ifname":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows.destination.ip":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows.destination.is_public":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows.destination.port":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows.egress.data_size":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows.egress.packet_count":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows.ingress.data_size":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows.ingress.packet_count":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows.l3_protocol":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows.l4_protocol":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows.length":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows.source.ip":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows.source.is_public":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows.source.port":
+ return "network_flow_monitor", nil
+ case "network_flow_monitor.flows_count":
+ return "network_flow_monitor", nil
case "ondemand.arg1.str":
return "ondemand", nil
case "ondemand.arg1.uint":
@@ -30136,6 +30720,8 @@ func (ev *Event) GetFieldEventType(field eval.Field) (eval.EventType, error) {
return "packet", nil
case "packet.l4_protocol":
return "packet", nil
+ case "packet.network_direction":
+ return "packet", nil
case "packet.size":
return "packet", nil
case "packet.source.ip":
@@ -32893,6 +33479,8 @@ func (ev *Event) GetFieldType(field eval.Field) (reflect.Kind, error) {
return reflect.Int, nil
case "network.l4_protocol":
return reflect.Int, nil
+ case "network.network_direction":
+ return reflect.Int, nil
case "network.size":
return reflect.Int, nil
case "network.source.ip":
@@ -32901,6 +33489,36 @@ func (ev *Event) GetFieldType(field eval.Field) (reflect.Kind, error) {
return reflect.Bool, nil
case "network.source.port":
return reflect.Int, nil
+ case "network_flow_monitor.device.ifname":
+ return reflect.String, nil
+ case "network_flow_monitor.flows.destination.ip":
+ return reflect.Struct, nil
+ case "network_flow_monitor.flows.destination.is_public":
+ return reflect.Bool, nil
+ case "network_flow_monitor.flows.destination.port":
+ return reflect.Int, nil
+ case "network_flow_monitor.flows.egress.data_size":
+ return reflect.Int, nil
+ case "network_flow_monitor.flows.egress.packet_count":
+ return reflect.Int, nil
+ case "network_flow_monitor.flows.ingress.data_size":
+ return reflect.Int, nil
+ case "network_flow_monitor.flows.ingress.packet_count":
+ return reflect.Int, nil
+ case "network_flow_monitor.flows.l3_protocol":
+ return reflect.Int, nil
+ case "network_flow_monitor.flows.l4_protocol":
+ return reflect.Int, nil
+ case "network_flow_monitor.flows.length":
+ return reflect.Int, nil
+ case "network_flow_monitor.flows.source.ip":
+ return reflect.Struct, nil
+ case "network_flow_monitor.flows.source.is_public":
+ return reflect.Bool, nil
+ case "network_flow_monitor.flows.source.port":
+ return reflect.Int, nil
+ case "network_flow_monitor.flows_count":
+ return reflect.Int, nil
case "ondemand.arg1.str":
return reflect.String, nil
case "ondemand.arg1.uint":
@@ -32985,6 +33603,8 @@ func (ev *Event) GetFieldType(field eval.Field) (reflect.Kind, error) {
return reflect.Int, nil
case "packet.l4_protocol":
return reflect.Int, nil
+ case "packet.network_direction":
+ return reflect.Int, nil
case "packet.size":
return reflect.Int, nil
case "packet.source.ip":
@@ -38453,6 +39073,13 @@ func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error {
}
ev.NetworkContext.L4Protocol = uint16(rv)
return nil
+ case "network.network_direction":
+ rv, ok := value.(int)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkContext.NetworkDirection"}
+ }
+ ev.NetworkContext.NetworkDirection = uint32(rv)
+ return nil
case "network.size":
rv, ok := value.(int)
if !ok {
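Review bot: The new `network.network_direction` case narrows `rv` with `uint32(rv)` and no bounds check, so a negative value or one above the 32-bit range is silently wrapped rather than rejected. The flow port and protocol setters added later in this commit guard their `uint16` narrowing with `ErrValueOutOfRange`. A matching guard before the assignment would be `if rv < 0 || int64(rv) > math.MaxUint32 { return &eval.ErrValueOutOfRange{Field: "NetworkContext.NetworkDirection"} }`. The same applies to the `packet.network_direction` case in the later hunk of this file. `SetFieldValue` begins and ends outside this hunk, and if the file is generated the guard belongs in the generator template rather than here.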
@@ -38484,6 +39111,157 @@ func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error {
}
ev.NetworkContext.Source.Port = uint16(rv)
return nil
+ case "network_flow_monitor.device.ifname":
+ rv, ok := value.(string)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.Device.IfName"}
+ }
+ ev.NetworkFlowMonitor.Device.IfName = rv
+ return nil
+ case "network_flow_monitor.flows.destination.ip":
+ if len(ev.NetworkFlowMonitor.Flows) == 0 {
+ ev.NetworkFlowMonitor.Flows = append(ev.NetworkFlowMonitor.Flows, Flow{})
+ }
+ rv, ok := value.(net.IPNet)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.Flows.Destination.IPNet"}
+ }
+ ev.NetworkFlowMonitor.Flows[0].Destination.IPNet = rv
+ return nil
+ case "network_flow_monitor.flows.destination.is_public":
+ if len(ev.NetworkFlowMonitor.Flows) == 0 {
+ ev.NetworkFlowMonitor.Flows = append(ev.NetworkFlowMonitor.Flows, Flow{})
+ }
+ rv, ok := value.(bool)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.Flows.Destination.IsPublic"}
+ }
+ ev.NetworkFlowMonitor.Flows[0].Destination.IsPublic = rv
+ return nil
+ case "network_flow_monitor.flows.destination.port":
+ if len(ev.NetworkFlowMonitor.Flows) == 0 {
+ ev.NetworkFlowMonitor.Flows = append(ev.NetworkFlowMonitor.Flows, Flow{})
+ }
+ rv, ok := value.(int)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.Flows.Destination.Port"}
+ }
+ if rv < 0 || rv > math.MaxUint16 {
+ return &eval.ErrValueOutOfRange{Field: "NetworkFlowMonitor.Flows.Destination.Port"}
+ }
+ ev.NetworkFlowMonitor.Flows[0].Destination.Port = uint16(rv)
+ return nil
+ case "network_flow_monitor.flows.egress.data_size":
+ if len(ev.NetworkFlowMonitor.Flows) == 0 {
+ ev.NetworkFlowMonitor.Flows = append(ev.NetworkFlowMonitor.Flows, Flow{})
+ }
+ rv, ok := value.(int)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.Flows.Egress.DataSize"}
+ }
+ ev.NetworkFlowMonitor.Flows[0].Egress.DataSize = uint64(rv)
+ return nil
+ case "network_flow_monitor.flows.egress.packet_count":
+ if len(ev.NetworkFlowMonitor.Flows) == 0 {
+ ev.NetworkFlowMonitor.Flows = append(ev.NetworkFlowMonitor.Flows, Flow{})
+ }
+ rv, ok := value.(int)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.Flows.Egress.PacketCount"}
+ }
+ ev.NetworkFlowMonitor.Flows[0].Egress.PacketCount = uint64(rv)
+ return nil
+ case "network_flow_monitor.flows.ingress.data_size":
+ if len(ev.NetworkFlowMonitor.Flows) == 0 {
+ ev.NetworkFlowMonitor.Flows = append(ev.NetworkFlowMonitor.Flows, Flow{})
+ }
+ rv, ok := value.(int)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.Flows.Ingress.DataSize"}
+ }
+ ev.NetworkFlowMonitor.Flows[0].Ingress.DataSize = uint64(rv)
+ return nil
+ case "network_flow_monitor.flows.ingress.packet_count":
+ if len(ev.NetworkFlowMonitor.Flows) == 0 {
+ ev.NetworkFlowMonitor.Flows = append(ev.NetworkFlowMonitor.Flows, Flow{})
+ }
+ rv, ok := value.(int)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.Flows.Ingress.PacketCount"}
+ }
+ ev.NetworkFlowMonitor.Flows[0].Ingress.PacketCount = uint64(rv)
+ return nil
+ case "network_flow_monitor.flows.l3_protocol":
+ if len(ev.NetworkFlowMonitor.Flows) == 0 {
+ ev.NetworkFlowMonitor.Flows = append(ev.NetworkFlowMonitor.Flows, Flow{})
+ }
+ rv, ok := value.(int)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.Flows.L3Protocol"}
+ }
+ if rv < 0 || rv > math.MaxUint16 {
+ return &eval.ErrValueOutOfRange{Field: "NetworkFlowMonitor.Flows.L3Protocol"}
+ }
+ ev.NetworkFlowMonitor.Flows[0].L3Protocol = uint16(rv)
+ return nil
+ case "network_flow_monitor.flows.l4_protocol":
+ if len(ev.NetworkFlowMonitor.Flows) == 0 {
+ ev.NetworkFlowMonitor.Flows = append(ev.NetworkFlowMonitor.Flows, Flow{})
+ }
+ rv, ok := value.(int)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.Flows.L4Protocol"}
+ }
+ if rv < 0 || rv > math.MaxUint16 {
+ return &eval.ErrValueOutOfRange{Field: "NetworkFlowMonitor.Flows.L4Protocol"}
+ }
+ ev.NetworkFlowMonitor.Flows[0].L4Protocol = uint16(rv)
+ return nil
+ case "network_flow_monitor.flows.length":
+ if len(ev.NetworkFlowMonitor.Flows) == 0 {
+ ev.NetworkFlowMonitor.Flows = append(ev.NetworkFlowMonitor.Flows, Flow{})
+ }
+ return &eval.ErrFieldReadOnly{Field: "network_flow_monitor.flows.length"}
+ case "network_flow_monitor.flows.source.ip":
+ if len(ev.NetworkFlowMonitor.Flows) == 0 {
+ ev.NetworkFlowMonitor.Flows = append(ev.NetworkFlowMonitor.Flows, Flow{})
+ }
+ rv, ok := value.(net.IPNet)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.Flows.Source.IPNet"}
+ }
+ ev.NetworkFlowMonitor.Flows[0].Source.IPNet = rv
+ return nil
+ case "network_flow_monitor.flows.source.is_public":
+ if len(ev.NetworkFlowMonitor.Flows) == 0 {
+ ev.NetworkFlowMonitor.Flows = append(ev.NetworkFlowMonitor.Flows, Flow{})
+ }
+ rv, ok := value.(bool)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.Flows.Source.IsPublic"}
+ }
+ ev.NetworkFlowMonitor.Flows[0].Source.IsPublic = rv
+ return nil
+ case "network_flow_monitor.flows.source.port":
+ if len(ev.NetworkFlowMonitor.Flows) == 0 {
+ ev.NetworkFlowMonitor.Flows = append(ev.NetworkFlowMonitor.Flows, Flow{})
+ }
+ rv, ok := value.(int)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.Flows.Source.Port"}
+ }
+ if rv < 0 || rv > math.MaxUint16 {
+ return &eval.ErrValueOutOfRange{Field: "NetworkFlowMonitor.Flows.Source.Port"}
+ }
+ ev.NetworkFlowMonitor.Flows[0].Source.Port = uint16(rv)
+ return nil
+ case "network_flow_monitor.flows_count":
+ rv, ok := value.(int)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "NetworkFlowMonitor.FlowsCount"}
+ }
+ ev.NetworkFlowMonitor.FlowsCount = uint64(rv)
+ return nil
case "ondemand.arg1.str":
rv, ok := value.(string)
if !ok {
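Review bot: The `data_size`, `packet_count` and `flows_count` cases convert `rv` with `uint64(rv)` and no sign check, so a negative `int` is stored as a very large counter. The port and protocol cases in the same hunk do reject out-of-range input. A guard such as `if rv < 0 { return &eval.ErrValueOutOfRange{Field: "NetworkFlowMonitor.Flows.Egress.DataSize"} }` before each assignment would keep the setters consistent. Separately, the `network_flow_monitor.flows.length` case appends an empty `Flow{}` before returning `ErrFieldReadOnly`, so a rejected write still changes the event; returning the error before the `len(...) == 0` block avoids that. `SetFieldValue` extends beyond this hunk, and if the file is generated both changes belong in the generator template.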
@@ -38786,6 +39564,13 @@ func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error {
}
ev.RawPacket.NetworkContext.L4Protocol = uint16(rv)
return nil
+ case "packet.network_direction":
+ rv, ok := value.(int)
+ if !ok {
+ return &eval.ErrValueTypeMismatch{Field: "RawPacket.NetworkContext.NetworkDirection"}
+ }
+ ev.RawPacket.NetworkContext.NetworkDirection = uint32(rv)
+ return nil
case "packet.size":
rv, ok := value.(int)
if !ok {
diff --git a/pkg/security/secl/model/accessors_windows.go b/pkg/security/secl/model/accessors_windows.go
index 6f15992c5aab11..14fc7139662725 100644
--- a/pkg/security/secl/model/accessors_windows.go
+++ b/pkg/security/secl/model/accessors_windows.go
@@ -885,8 +885,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveProcessCmdLine(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -912,8 +912,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.ContainerID
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.ContainerID
})
ctx.StringCache[field] = results
return results
@@ -940,8 +940,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &pce.ProcessContext.Process))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ¤t.ProcessContext.Process))
})
ctx.IntCache[field] = results
return results
@@ -968,8 +968,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessEnvp(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -996,8 +996,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessEnvs(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -1025,8 +1025,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.FileEvent)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -1054,8 +1054,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.FileEvent))
})
ctx.IntCache[field] = results
return results
@@ -1083,8 +1083,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.FileEvent)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -1112,8 +1112,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.FileEvent))
})
ctx.IntCache[field] = results
return results
@@ -1149,8 +1149,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.PIDContext.Pid)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.PIDContext.Pid)
})
ctx.IntCache[field] = results
return results
@@ -1176,8 +1176,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.PPid)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.PPid)
})
ctx.IntCache[field] = results
return results
@@ -1204,8 +1204,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveUser(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveUser(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -1231,8 +1231,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.OwnerSidString
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.OwnerSidString
})
ctx.StringCache[field] = results
return results
@@ -2211,7 +2211,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessCmdLine(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.container.id":
@@ -2223,7 +2223,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.ContainerID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.created_at":
@@ -2235,7 +2235,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.envp":
@@ -2247,7 +2247,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.envs":
@@ -2259,7 +2259,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.name":
@@ -2271,7 +2271,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.name.length":
@@ -2285,7 +2285,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.path.length":
@@ -2303,7 +2303,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.PIDContext.Pid)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.ppid":
@@ -2315,7 +2315,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.PPid)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.user":
@@ -2327,7 +2327,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveUser(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.user_sid":
@@ -2339,7 +2339,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.OwnerSidString
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.cmdline":
diff --git a/pkg/security/secl/model/category.go b/pkg/security/secl/model/category.go
index f03a79ffeb7b9e..bbe076934a8d6c 100644
--- a/pkg/security/secl/model/category.go
+++ b/pkg/security/secl/model/category.go
@@ -65,7 +65,8 @@ func GetEventTypeCategory(eventType eval.EventType) EventCategory {
case
IMDSEventType.String(),
RawPacketEventType.String(),
- DNSEventType.String():
+ DNSEventType.String(),
+ NetworkFlowMonitorEventType.String():
return NetworkCategory
}
diff --git a/pkg/security/secl/model/consts_common.go b/pkg/security/secl/model/consts_common.go
index 1b64957cba71e7..ed057c72c7d881 100644
--- a/pkg/security/secl/model/consts_common.go
+++ b/pkg/security/secl/model/consts_common.go
@@ -319,6 +319,13 @@ var (
"IP_PROTO_RAW": IPProtoRAW,
}
+ // NetworkDirectionConstants is the list of supported network directions
+ // generate_constants:Network directions,Network directions are the supported directions of network packets.
+ NetworkDirectionConstants = map[string]NetworkDirection{
+ "INGRESS": Ingress,
+ "EGRESS": Egress,
+ }
+
// exitCauseConstants is the list of supported Exit causes
exitCauseConstants = map[string]ExitCause{
"EXITED": ExitExited,
@@ -337,13 +344,14 @@ var (
)
var (
- dnsQTypeStrings = map[uint32]string{}
- dnsQClassStrings = map[uint32]string{}
- l3ProtocolStrings = map[L3Protocol]string{}
- l4ProtocolStrings = map[L4Protocol]string{}
- addressFamilyStrings = map[uint16]string{}
- exitCauseStrings = map[ExitCause]string{}
- tlsVersionStrings = map[uint16]string{}
+ dnsQTypeStrings = map[uint32]string{}
+ dnsQClassStrings = map[uint32]string{}
+ l3ProtocolStrings = map[L3Protocol]string{}
+ l4ProtocolStrings = map[L4Protocol]string{}
+ networkDirectionStrings = map[NetworkDirection]string{}
+ addressFamilyStrings = map[uint16]string{}
+ exitCauseStrings = map[ExitCause]string{}
+ tlsVersionStrings = map[uint16]string{}
)
// File flags
@@ -410,6 +418,13 @@ func initL4ProtocolConstants() {
}
}
+func initNetworkDirectionContants() {
+ for k, v := range NetworkDirectionConstants {
+ seclConstants[k] = &eval.IntEvaluator{Value: int(v)}
+ networkDirectionStrings[v] = k
+ }
+}
+
func initAddressFamilyConstants() {
for k, v := range addressFamilyConstants {
seclConstants[k] = &eval.IntEvaluator{Value: int(v)}
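Review bot: The new initializer is spelled `initNetworkDirectionContants` (the "s" in "Constants" is missing), unlike its neighbours `initL4ProtocolConstants` and `initAddressFamilyConstants`; the call added to `initConstants` in the `@@ -463` hunk carries the same spelling. Rename both to `initNetworkDirectionConstants` so a search for the `init*Constants` family finds it. Separately, the loop assigns `seclConstants[k]` without checking for an existing key, so the short names `INGRESS` and `EGRESS` would silently replace any constant already registered under them. The sibling initializer visible here does the same, so this needs a one-time check for name collisions rather than a code change.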
@@ -463,6 +478,7 @@ func initConstants() {
initDNSQTypeConstants()
initL3ProtocolConstants()
initL4ProtocolConstants()
+ initNetworkDirectionContants()
initAddressFamilyConstants()
initExitCauseConstants()
initBPFMapNamesConstants()
@@ -781,6 +797,20 @@ const (
IPProtoRAW L4Protocol = 255
)
+// NetworkDirection is used to identify the network direction of a flow
+type NetworkDirection uint32
+
+func (direction NetworkDirection) String() string {
+ return networkDirectionStrings[direction]
+}
+
+const (
+ // Egress is used to identify egress traffic
+ Egress NetworkDirection = iota + 1
+ // Ingress is used to identify ingress traffic
+ Ingress
+)
+
// ExitCause represents the cause of a process termination
type ExitCause uint32
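Review bot: `NetworkDirection.String()` returns an empty string for any value missing from `networkDirectionStrings`, and that includes the zero value because `Egress` starts at `iota + 1`. An unset or unexpected direction therefore cannot be told apart from a missing field wherever this string is displayed or serialized (the consumers are not visible in this hunk). The exported method also has no doc comment; something like `// String returns the SECL constant name of the direction, or "" when the value is unset or unknown` would document the current contract. If an explicit marker is preferred, use a comma-ok lookup: `if s, ok := networkDirectionStrings[direction]; ok { return s }` followed by `return "UNKNOWN"`.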
diff --git a/pkg/security/secl/model/events.go b/pkg/security/secl/model/events.go
index 2c2e867ef17e85..6fcf4a0abe85cd 100644
--- a/pkg/security/secl/model/events.go
+++ b/pkg/security/secl/model/events.go
@@ -101,6 +101,8 @@ const (
CgroupWriteEventType
// RawPacketEventType raw packet event
RawPacketEventType
+ // NetworkFlowMonitorEventType is sent to monitor network activity
+ NetworkFlowMonitorEventType
// MaxKernelEventType is used internally to get the maximum number of kernel events.
MaxKernelEventType
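Review bot: `NetworkFlowMonitorEventType` is inserted ahead of `MaxKernelEventType` in what appears to be an iota-style list, so the numeric value of the sentinel increases by one. The const block starts outside this hunk, so the base value and the typing are not visible here. If these values mirror an event-type enum on the kernel side, or are stored numerically anywhere, the counterpart must gain the same entry at the same position; otherwise events would be decoded under the wrong type. A short addition to the constant's comment would make that dependency explicit, for example `// NetworkFlowMonitorEventType is sent to monitor network activity (value must stay in sync with the kernel-side event type enum)`.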
@@ -231,6 +233,8 @@ func (t EventType) String() string {
return "ondemand"
case RawPacketEventType:
return "packet"
+ case NetworkFlowMonitorEventType:
+ return "network_flow_monitor"
case CustomEventType:
return "custom_event"
case CreateNewFileEventType:
diff --git a/pkg/security/secl/model/field_accessors_unix.go b/pkg/security/secl/model/field_accessors_unix.go
index 80a466602a68c4..11abd20248ba88 100644
--- a/pkg/security/secl/model/field_accessors_unix.go
+++ b/pkg/security/secl/model/field_accessors_unix.go
@@ -4507,6 +4507,11 @@ func (ev *Event) GetNetworkL4Protocol() uint16 {
return ev.NetworkContext.L4Protocol
}
+// GetNetworkNetworkDirection returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkNetworkDirection() uint32 {
+ return ev.NetworkContext.NetworkDirection
+}
+
// GetNetworkSize returns the value of the field, resolving if necessary
func (ev *Event) GetNetworkSize() uint32 {
return ev.NetworkContext.Size
@@ -4527,6 +4532,260 @@ func (ev *Event) GetNetworkSourcePort() uint16 {
return ev.NetworkContext.Source.Port
}
+// GetNetworkFlowMonitorDeviceIfname returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorDeviceIfname() string {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return ""
+ }
+ return ev.FieldHandlers.ResolveNetworkDeviceIfName(ev, &ev.NetworkFlowMonitor.Device)
+}
+
+// GetNetworkFlowMonitorFlowsDestinationIp returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsDestinationIp() []net.IPNet {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return []net.IPNet{}
+ }
+ var values []net.IPNet
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ elementPtr := (*Flow)(ptr)
+ element := *elementPtr
+ result := element.Destination.IPNet
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values
+}
+
+// GetNetworkFlowMonitorFlowsDestinationIsPublic returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsDestinationIsPublic() []bool {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return []bool{}
+ }
+ var values []bool
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ elementPtr := (*Flow)(ptr)
+ element := *elementPtr
+ result := ev.FieldHandlers.ResolveIsIPPublic(ev, &element.Destination)
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values
+}
+
+// GetNetworkFlowMonitorFlowsDestinationPort returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsDestinationPort() []uint16 {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return []uint16{}
+ }
+ var values []uint16
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ elementPtr := (*Flow)(ptr)
+ element := *elementPtr
+ result := element.Destination.Port
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values
+}
+
+// GetNetworkFlowMonitorFlowsEgressDataSize returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsEgressDataSize() []uint64 {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return []uint64{}
+ }
+ var values []uint64
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ elementPtr := (*Flow)(ptr)
+ element := *elementPtr
+ result := element.Egress.DataSize
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values
+}
+
+// GetNetworkFlowMonitorFlowsEgressPacketCount returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsEgressPacketCount() []uint64 {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return []uint64{}
+ }
+ var values []uint64
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ elementPtr := (*Flow)(ptr)
+ element := *elementPtr
+ result := element.Egress.PacketCount
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values
+}
+
+// GetNetworkFlowMonitorFlowsIngressDataSize returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsIngressDataSize() []uint64 {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return []uint64{}
+ }
+ var values []uint64
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ elementPtr := (*Flow)(ptr)
+ element := *elementPtr
+ result := element.Ingress.DataSize
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values
+}
+
+// GetNetworkFlowMonitorFlowsIngressPacketCount returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsIngressPacketCount() []uint64 {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return []uint64{}
+ }
+ var values []uint64
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ elementPtr := (*Flow)(ptr)
+ element := *elementPtr
+ result := element.Ingress.PacketCount
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values
+}
+
+// GetNetworkFlowMonitorFlowsL3Protocol returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsL3Protocol() []uint16 {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return []uint16{}
+ }
+ var values []uint16
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ elementPtr := (*Flow)(ptr)
+ element := *elementPtr
+ result := element.L3Protocol
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values
+}
+
+// GetNetworkFlowMonitorFlowsL4Protocol returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsL4Protocol() []uint16 {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return []uint16{}
+ }
+ var values []uint16
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ elementPtr := (*Flow)(ptr)
+ element := *elementPtr
+ result := element.L4Protocol
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values
+}
+
+// GetNetworkFlowMonitorFlowsLength returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsLength() int {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return 0
+ }
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ return iterator.Len(ctx)
+}
+
+// GetNetworkFlowMonitorFlowsSourceIp returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsSourceIp() []net.IPNet {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return []net.IPNet{}
+ }
+ var values []net.IPNet
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ elementPtr := (*Flow)(ptr)
+ element := *elementPtr
+ result := element.Source.IPNet
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values
+}
+
+// GetNetworkFlowMonitorFlowsSourceIsPublic returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsSourceIsPublic() []bool {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return []bool{}
+ }
+ var values []bool
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ elementPtr := (*Flow)(ptr)
+ element := *elementPtr
+ result := ev.FieldHandlers.ResolveIsIPPublic(ev, &element.Source)
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values
+}
+
+// GetNetworkFlowMonitorFlowsSourcePort returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsSourcePort() []uint16 {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return []uint16{}
+ }
+ var values []uint16
+ ctx := eval.NewContext(ev)
+ iterator := &FlowsIterator{}
+ ptr := iterator.Front(ctx)
+ for ptr != nil {
+ elementPtr := (*Flow)(ptr)
+ element := *elementPtr
+ result := element.Source.Port
+ values = append(values, result)
+ ptr = iterator.Next(ctx)
+ }
+ return values
+}
+
+// GetNetworkFlowMonitorFlowsCount returns the value of the field, resolving if necessary
+func (ev *Event) GetNetworkFlowMonitorFlowsCount() uint64 {
+ if ev.GetEventType().String() != "network_flow_monitor" {
+ return uint64(0)
+ }
+ return ev.NetworkFlowMonitor.FlowsCount
+}
+
// GetOndemandArg1Str returns the value of the field, resolving if necessary
func (ev *Event) GetOndemandArg1Str() string {
if ev.GetEventType().String() != "ondemand" {
@@ -4911,6 +5170,14 @@ func (ev *Event) GetPacketL4Protocol() uint16 {
return ev.RawPacket.NetworkContext.L4Protocol
}
+// GetPacketNetworkDirection returns the value of the field, resolving if necessary
+func (ev *Event) GetPacketNetworkDirection() uint32 {
+ if ev.GetEventType().String() != "packet" {
+ return uint32(0)
+ }
+ return ev.RawPacket.NetworkContext.NetworkDirection
+}
+
// GetPacketSize returns the value of the field, resolving if necessary
func (ev *Event) GetPacketSize() uint32 {
if ev.GetEventType().String() != "packet" {
@@ -4967,7 +5234,7 @@ func (ev *Event) GetProcessAncestorsArgs() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -4988,7 +5255,7 @@ func (ev *Event) GetProcessAncestorsArgsFlags() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5009,7 +5276,7 @@ func (ev *Event) GetProcessAncestorsArgsOptions() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5030,7 +5297,7 @@ func (ev *Event) GetProcessAncestorsArgsScrubbed() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5051,7 +5318,7 @@ func (ev *Event) GetProcessAncestorsArgsTruncated() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5072,7 +5339,7 @@ func (ev *Event) GetProcessAncestorsArgv() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5093,7 +5360,7 @@ func (ev *Event) GetProcessAncestorsArgv0() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5114,7 +5381,7 @@ func (ev *Event) GetProcessAncestorsArgvScrubbed() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5135,7 +5402,7 @@ func (ev *Event) GetProcessAncestorsAuid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.AUID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5156,7 +5423,7 @@ func (ev *Event) GetProcessAncestorsCapEffective() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.CapEffective
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5177,7 +5444,7 @@ func (ev *Event) GetProcessAncestorsCapPermitted() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.CapPermitted
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5198,7 +5465,7 @@ func (ev *Event) GetProcessAncestorsCgroupFileInode() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.CGroup.CGroupFile.Inode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5219,7 +5486,7 @@ func (ev *Event) GetProcessAncestorsCgroupFileMountId() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.CGroup.CGroupFile.MountID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5240,7 +5507,7 @@ func (ev *Event) GetProcessAncestorsCgroupId() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveCGroupID(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5261,7 +5528,7 @@ func (ev *Event) GetProcessAncestorsCgroupManager() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveCGroupManager(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5282,7 +5549,7 @@ func (ev *Event) GetProcessAncestorsCgroupVersion() []int {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveCGroupVersion(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5303,7 +5570,7 @@ func (ev *Event) GetProcessAncestorsCmdargv() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessCmdArgv(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5324,7 +5591,7 @@ func (ev *Event) GetProcessAncestorsComm() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Comm
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5345,7 +5612,7 @@ func (ev *Event) GetProcessAncestorsContainerId() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessContainerID(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5366,7 +5633,7 @@ func (ev *Event) GetProcessAncestorsCreatedAt() []int {
element := (*ProcessCacheEntry)(ptr)
result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5387,7 +5654,7 @@ func (ev *Event) GetProcessAncestorsEgid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.EGID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5408,7 +5675,7 @@ func (ev *Event) GetProcessAncestorsEgroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.EGroup
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5429,7 +5696,7 @@ func (ev *Event) GetProcessAncestorsEnvp() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5450,7 +5717,7 @@ func (ev *Event) GetProcessAncestorsEnvs() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5471,7 +5738,7 @@ func (ev *Event) GetProcessAncestorsEnvsTruncated() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5492,7 +5759,7 @@ func (ev *Event) GetProcessAncestorsEuid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.EUID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5513,7 +5780,7 @@ func (ev *Event) GetProcessAncestorsEuser() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.EUser
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5534,7 +5801,7 @@ func (ev *Event) GetProcessAncestorsFileChangeTime() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.CTime
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5555,7 +5822,7 @@ func (ev *Event) GetProcessAncestorsFileFilesystem() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5576,7 +5843,7 @@ func (ev *Event) GetProcessAncestorsFileGid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.GID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5597,7 +5864,7 @@ func (ev *Event) GetProcessAncestorsFileGroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5618,7 +5885,7 @@ func (ev *Event) GetProcessAncestorsFileHashes() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5639,7 +5906,7 @@ func (ev *Event) GetProcessAncestorsFileInUpperLayer() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5660,7 +5927,7 @@ func (ev *Event) GetProcessAncestorsFileInode() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5681,7 +5948,7 @@ func (ev *Event) GetProcessAncestorsFileMode() []uint16 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.Mode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5702,7 +5969,7 @@ func (ev *Event) GetProcessAncestorsFileModificationTime() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.MTime
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5723,7 +5990,7 @@ func (ev *Event) GetProcessAncestorsFileMountId() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5744,7 +6011,7 @@ func (ev *Event) GetProcessAncestorsFileName() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5765,7 +6032,7 @@ func (ev *Event) GetProcessAncestorsFileNameLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5786,7 +6053,7 @@ func (ev *Event) GetProcessAncestorsFilePackageName() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5807,7 +6074,7 @@ func (ev *Event) GetProcessAncestorsFilePackageSourceVersion() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5828,7 +6095,7 @@ func (ev *Event) GetProcessAncestorsFilePackageVersion() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5849,7 +6116,7 @@ func (ev *Event) GetProcessAncestorsFilePath() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5870,7 +6137,7 @@ func (ev *Event) GetProcessAncestorsFilePathLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5891,7 +6158,7 @@ func (ev *Event) GetProcessAncestorsFileRights() []int {
element := (*ProcessCacheEntry)(ptr)
result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5912,7 +6179,7 @@ func (ev *Event) GetProcessAncestorsFileUid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.UID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5933,7 +6200,7 @@ func (ev *Event) GetProcessAncestorsFileUser() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5954,7 +6221,7 @@ func (ev *Event) GetProcessAncestorsFsgid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.FSGID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5975,7 +6242,7 @@ func (ev *Event) GetProcessAncestorsFsgroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.FSGroup
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -5996,7 +6263,7 @@ func (ev *Event) GetProcessAncestorsFsuid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.FSUID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6017,7 +6284,7 @@ func (ev *Event) GetProcessAncestorsFsuser() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.FSUser
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6038,7 +6305,7 @@ func (ev *Event) GetProcessAncestorsGid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.GID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6059,7 +6326,7 @@ func (ev *Event) GetProcessAncestorsGroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.Group
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6080,7 +6347,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileChangeTime() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6101,7 +6368,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileFilesystem() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6122,7 +6389,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileGid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6143,7 +6410,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileGroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6164,7 +6431,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileHashes() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6185,7 +6452,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileInUpperLayer() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6206,7 +6473,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileInode() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6227,7 +6494,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileMode() []uint16 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6248,7 +6515,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileModificationTime() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6269,7 +6536,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileMountId() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6290,7 +6557,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileName() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6311,7 +6578,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileNameLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6332,7 +6599,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFilePackageName() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6353,7 +6620,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFilePackageSourceVersion() []stri
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6374,7 +6641,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFilePackageVersion() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6395,7 +6662,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFilePath() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6416,7 +6683,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFilePathLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6437,7 +6704,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileRights() []int {
element := (*ProcessCacheEntry)(ptr)
result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6458,7 +6725,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileUid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6479,7 +6746,7 @@ func (ev *Event) GetProcessAncestorsInterpreterFileUser() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6500,7 +6767,7 @@ func (ev *Event) GetProcessAncestorsIsExec() []bool {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.IsExec
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6521,7 +6788,7 @@ func (ev *Event) GetProcessAncestorsIsKworker() []bool {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PIDContext.IsKworker
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6542,7 +6809,7 @@ func (ev *Event) GetProcessAncestorsIsThread() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessIsThread(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6576,7 +6843,7 @@ func (ev *Event) GetProcessAncestorsPid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PIDContext.Pid
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6597,7 +6864,7 @@ func (ev *Event) GetProcessAncestorsPpid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PPid
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6618,7 +6885,7 @@ func (ev *Event) GetProcessAncestorsTid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PIDContext.Tid
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6639,7 +6906,7 @@ func (ev *Event) GetProcessAncestorsTtyName() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.TTYName
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6660,7 +6927,7 @@ func (ev *Event) GetProcessAncestorsUid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.UID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6681,7 +6948,7 @@ func (ev *Event) GetProcessAncestorsUser() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.User
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6702,7 +6969,7 @@ func (ev *Event) GetProcessAncestorsUserSessionK8sGroups() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6723,7 +6990,7 @@ func (ev *Event) GetProcessAncestorsUserSessionK8sUid() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -6744,7 +7011,7 @@ func (ev *Event) GetProcessAncestorsUserSessionK8sUsername() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -8882,7 +9149,7 @@ func (ev *Event) GetPtraceTraceeAncestorsArgs() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -8906,7 +9173,7 @@ func (ev *Event) GetPtraceTraceeAncestorsArgsFlags() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -8930,7 +9197,7 @@ func (ev *Event) GetPtraceTraceeAncestorsArgsOptions() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -8954,7 +9221,7 @@ func (ev *Event) GetPtraceTraceeAncestorsArgsScrubbed() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -8978,7 +9245,7 @@ func (ev *Event) GetPtraceTraceeAncestorsArgsTruncated() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9002,7 +9269,7 @@ func (ev *Event) GetPtraceTraceeAncestorsArgv() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9026,7 +9293,7 @@ func (ev *Event) GetPtraceTraceeAncestorsArgv0() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9050,7 +9317,7 @@ func (ev *Event) GetPtraceTraceeAncestorsArgvScrubbed() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9074,7 +9341,7 @@ func (ev *Event) GetPtraceTraceeAncestorsAuid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.AUID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9098,7 +9365,7 @@ func (ev *Event) GetPtraceTraceeAncestorsCapEffective() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.CapEffective
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9122,7 +9389,7 @@ func (ev *Event) GetPtraceTraceeAncestorsCapPermitted() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.CapPermitted
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9146,7 +9413,7 @@ func (ev *Event) GetPtraceTraceeAncestorsCgroupFileInode() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.CGroup.CGroupFile.Inode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9170,7 +9437,7 @@ func (ev *Event) GetPtraceTraceeAncestorsCgroupFileMountId() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.CGroup.CGroupFile.MountID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9194,7 +9461,7 @@ func (ev *Event) GetPtraceTraceeAncestorsCgroupId() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveCGroupID(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9218,7 +9485,7 @@ func (ev *Event) GetPtraceTraceeAncestorsCgroupManager() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveCGroupManager(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9242,7 +9509,7 @@ func (ev *Event) GetPtraceTraceeAncestorsCgroupVersion() []int {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveCGroupVersion(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9266,7 +9533,7 @@ func (ev *Event) GetPtraceTraceeAncestorsCmdargv() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessCmdArgv(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9290,7 +9557,7 @@ func (ev *Event) GetPtraceTraceeAncestorsComm() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Comm
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9314,7 +9581,7 @@ func (ev *Event) GetPtraceTraceeAncestorsContainerId() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessContainerID(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9338,7 +9605,7 @@ func (ev *Event) GetPtraceTraceeAncestorsCreatedAt() []int {
element := (*ProcessCacheEntry)(ptr)
result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9362,7 +9629,7 @@ func (ev *Event) GetPtraceTraceeAncestorsEgid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.EGID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9386,7 +9653,7 @@ func (ev *Event) GetPtraceTraceeAncestorsEgroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.EGroup
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9410,7 +9677,7 @@ func (ev *Event) GetPtraceTraceeAncestorsEnvp() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9434,7 +9701,7 @@ func (ev *Event) GetPtraceTraceeAncestorsEnvs() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9458,7 +9725,7 @@ func (ev *Event) GetPtraceTraceeAncestorsEnvsTruncated() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9482,7 +9749,7 @@ func (ev *Event) GetPtraceTraceeAncestorsEuid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.EUID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9506,7 +9773,7 @@ func (ev *Event) GetPtraceTraceeAncestorsEuser() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.EUser
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9530,7 +9797,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileChangeTime() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.CTime
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9554,7 +9821,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileFilesystem() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9578,7 +9845,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileGid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.GID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9602,7 +9869,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileGroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9626,7 +9893,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileHashes() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9650,7 +9917,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileInUpperLayer() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9674,7 +9941,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileInode() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9698,7 +9965,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileMode() []uint16 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.Mode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9722,7 +9989,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileModificationTime() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.MTime
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9746,7 +10013,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileMountId() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9770,7 +10037,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileName() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9794,7 +10061,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileNameLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9818,7 +10085,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFilePackageName() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9842,7 +10109,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFilePackageSourceVersion() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9866,7 +10133,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFilePackageVersion() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9890,7 +10157,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFilePath() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9914,7 +10181,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFilePathLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9938,7 +10205,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileRights() []int {
element := (*ProcessCacheEntry)(ptr)
result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9962,7 +10229,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileUid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.UID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -9986,7 +10253,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFileUser() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10010,7 +10277,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFsgid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.FSGID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10034,7 +10301,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFsgroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.FSGroup
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10058,7 +10325,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFsuid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.FSUID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10082,7 +10349,7 @@ func (ev *Event) GetPtraceTraceeAncestorsFsuser() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.FSUser
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10106,7 +10373,7 @@ func (ev *Event) GetPtraceTraceeAncestorsGid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.GID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10130,7 +10397,7 @@ func (ev *Event) GetPtraceTraceeAncestorsGroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.Group
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10154,7 +10421,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileChangeTime() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10178,7 +10445,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileFilesystem() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10202,7 +10469,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileGid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10226,7 +10493,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileGroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10250,7 +10517,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileHashes() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10274,7 +10541,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileInUpperLayer() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10298,7 +10565,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileInode() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10322,7 +10589,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileMode() []uint16 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10346,7 +10613,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileModificationTime() []uin
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10370,7 +10637,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileMountId() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10394,7 +10661,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileName() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10418,7 +10685,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileNameLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10442,7 +10709,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePackageName() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10466,7 +10733,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePackageSourceVersion() [
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10490,7 +10757,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePackageVersion() []strin
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10514,7 +10781,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePath() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10538,7 +10805,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePathLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10562,7 +10829,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileRights() []int {
element := (*ProcessCacheEntry)(ptr)
result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10586,7 +10853,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileUid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10610,7 +10877,7 @@ func (ev *Event) GetPtraceTraceeAncestorsInterpreterFileUser() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10634,7 +10901,7 @@ func (ev *Event) GetPtraceTraceeAncestorsIsExec() []bool {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.IsExec
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10658,7 +10925,7 @@ func (ev *Event) GetPtraceTraceeAncestorsIsKworker() []bool {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PIDContext.IsKworker
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10682,7 +10949,7 @@ func (ev *Event) GetPtraceTraceeAncestorsIsThread() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessIsThread(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10722,7 +10989,7 @@ func (ev *Event) GetPtraceTraceeAncestorsPid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PIDContext.Pid
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10746,7 +11013,7 @@ func (ev *Event) GetPtraceTraceeAncestorsPpid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PPid
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10770,7 +11037,7 @@ func (ev *Event) GetPtraceTraceeAncestorsTid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PIDContext.Tid
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10794,7 +11061,7 @@ func (ev *Event) GetPtraceTraceeAncestorsTtyName() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.TTYName
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10818,7 +11085,7 @@ func (ev *Event) GetPtraceTraceeAncestorsUid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.UID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10842,7 +11109,7 @@ func (ev *Event) GetPtraceTraceeAncestorsUser() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.User
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10866,7 +11133,7 @@ func (ev *Event) GetPtraceTraceeAncestorsUserSessionK8sGroups() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10890,7 +11157,7 @@ func (ev *Event) GetPtraceTraceeAncestorsUserSessionK8sUid() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -10914,7 +11181,7 @@ func (ev *Event) GetPtraceTraceeAncestorsUserSessionK8sUsername() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14627,7 +14894,7 @@ func (ev *Event) GetSignalTargetAncestorsArgs() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14651,7 +14918,7 @@ func (ev *Event) GetSignalTargetAncestorsArgsFlags() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14675,7 +14942,7 @@ func (ev *Event) GetSignalTargetAncestorsArgsOptions() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14699,7 +14966,7 @@ func (ev *Event) GetSignalTargetAncestorsArgsScrubbed() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgsScrubbed(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14723,7 +14990,7 @@ func (ev *Event) GetSignalTargetAncestorsArgsTruncated() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14747,7 +15014,7 @@ func (ev *Event) GetSignalTargetAncestorsArgv() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14771,7 +15038,7 @@ func (ev *Event) GetSignalTargetAncestorsArgv0() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14795,7 +15062,7 @@ func (ev *Event) GetSignalTargetAncestorsArgvScrubbed() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessArgvScrubbed(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14819,7 +15086,7 @@ func (ev *Event) GetSignalTargetAncestorsAuid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.AUID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14843,7 +15110,7 @@ func (ev *Event) GetSignalTargetAncestorsCapEffective() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.CapEffective
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14867,7 +15134,7 @@ func (ev *Event) GetSignalTargetAncestorsCapPermitted() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.CapPermitted
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14891,7 +15158,7 @@ func (ev *Event) GetSignalTargetAncestorsCgroupFileInode() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.CGroup.CGroupFile.Inode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14915,7 +15182,7 @@ func (ev *Event) GetSignalTargetAncestorsCgroupFileMountId() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.CGroup.CGroupFile.MountID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14939,7 +15206,7 @@ func (ev *Event) GetSignalTargetAncestorsCgroupId() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveCGroupID(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14963,7 +15230,7 @@ func (ev *Event) GetSignalTargetAncestorsCgroupManager() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveCGroupManager(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -14987,7 +15254,7 @@ func (ev *Event) GetSignalTargetAncestorsCgroupVersion() []int {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveCGroupVersion(ev, &element.ProcessContext.Process.CGroup)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15011,7 +15278,7 @@ func (ev *Event) GetSignalTargetAncestorsCmdargv() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessCmdArgv(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15035,7 +15302,7 @@ func (ev *Event) GetSignalTargetAncestorsComm() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Comm
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15059,7 +15326,7 @@ func (ev *Event) GetSignalTargetAncestorsContainerId() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessContainerID(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15083,7 +15350,7 @@ func (ev *Event) GetSignalTargetAncestorsCreatedAt() []int {
element := (*ProcessCacheEntry)(ptr)
result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15107,7 +15374,7 @@ func (ev *Event) GetSignalTargetAncestorsEgid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.EGID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15131,7 +15398,7 @@ func (ev *Event) GetSignalTargetAncestorsEgroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.EGroup
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15155,7 +15422,7 @@ func (ev *Event) GetSignalTargetAncestorsEnvp() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15179,7 +15446,7 @@ func (ev *Event) GetSignalTargetAncestorsEnvs() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15203,7 +15470,7 @@ func (ev *Event) GetSignalTargetAncestorsEnvsTruncated() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15227,7 +15494,7 @@ func (ev *Event) GetSignalTargetAncestorsEuid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.EUID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15251,7 +15518,7 @@ func (ev *Event) GetSignalTargetAncestorsEuser() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.EUser
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15275,7 +15542,7 @@ func (ev *Event) GetSignalTargetAncestorsFileChangeTime() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.CTime
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15299,7 +15566,7 @@ func (ev *Event) GetSignalTargetAncestorsFileFilesystem() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15323,7 +15590,7 @@ func (ev *Event) GetSignalTargetAncestorsFileGid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.GID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15347,7 +15614,7 @@ func (ev *Event) GetSignalTargetAncestorsFileGroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15371,7 +15638,7 @@ func (ev *Event) GetSignalTargetAncestorsFileHashes() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15395,7 +15662,7 @@ func (ev *Event) GetSignalTargetAncestorsFileInUpperLayer() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15419,7 +15686,7 @@ func (ev *Event) GetSignalTargetAncestorsFileInode() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15443,7 +15710,7 @@ func (ev *Event) GetSignalTargetAncestorsFileMode() []uint16 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.Mode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15467,7 +15734,7 @@ func (ev *Event) GetSignalTargetAncestorsFileModificationTime() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.MTime
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15491,7 +15758,7 @@ func (ev *Event) GetSignalTargetAncestorsFileMountId() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15515,7 +15782,7 @@ func (ev *Event) GetSignalTargetAncestorsFileName() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15539,7 +15806,7 @@ func (ev *Event) GetSignalTargetAncestorsFileNameLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15563,7 +15830,7 @@ func (ev *Event) GetSignalTargetAncestorsFilePackageName() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15587,7 +15854,7 @@ func (ev *Event) GetSignalTargetAncestorsFilePackageSourceVersion() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15611,7 +15878,7 @@ func (ev *Event) GetSignalTargetAncestorsFilePackageVersion() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15635,7 +15902,7 @@ func (ev *Event) GetSignalTargetAncestorsFilePath() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15659,7 +15926,7 @@ func (ev *Event) GetSignalTargetAncestorsFilePathLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15683,7 +15950,7 @@ func (ev *Event) GetSignalTargetAncestorsFileRights() []int {
element := (*ProcessCacheEntry)(ptr)
result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15707,7 +15974,7 @@ func (ev *Event) GetSignalTargetAncestorsFileUid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.FileEvent.FileFields.UID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15731,7 +15998,7 @@ func (ev *Event) GetSignalTargetAncestorsFileUser() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15755,7 +16022,7 @@ func (ev *Event) GetSignalTargetAncestorsFsgid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.FSGID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15779,7 +16046,7 @@ func (ev *Event) GetSignalTargetAncestorsFsgroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.FSGroup
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15803,7 +16070,7 @@ func (ev *Event) GetSignalTargetAncestorsFsuid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.FSUID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15827,7 +16094,7 @@ func (ev *Event) GetSignalTargetAncestorsFsuser() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.FSUser
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15851,7 +16118,7 @@ func (ev *Event) GetSignalTargetAncestorsGid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.GID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15875,7 +16142,7 @@ func (ev *Event) GetSignalTargetAncestorsGroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.Group
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15899,7 +16166,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileChangeTime() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15923,7 +16190,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileFilesystem() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15947,7 +16214,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileGid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15971,7 +16238,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileGroup() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -15995,7 +16262,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileHashes() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16019,7 +16286,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileInUpperLayer() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16043,7 +16310,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileInode() []uint64 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16067,7 +16334,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileMode() []uint16 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16091,7 +16358,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileModificationTime() []uin
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16115,7 +16382,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileMountId() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16139,7 +16406,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileName() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16163,7 +16430,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileNameLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16187,7 +16454,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFilePackageName() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16211,7 +16478,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFilePackageSourceVersion() [
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16235,7 +16502,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFilePackageVersion() []strin
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16259,7 +16526,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFilePath() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16283,7 +16550,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFilePathLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16307,7 +16574,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileRights() []int {
element := (*ProcessCacheEntry)(ptr)
result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16331,7 +16598,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileUid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16355,7 +16622,7 @@ func (ev *Event) GetSignalTargetAncestorsInterpreterFileUser() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16379,7 +16646,7 @@ func (ev *Event) GetSignalTargetAncestorsIsExec() []bool {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.IsExec
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16403,7 +16670,7 @@ func (ev *Event) GetSignalTargetAncestorsIsKworker() []bool {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PIDContext.IsKworker
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16427,7 +16694,7 @@ func (ev *Event) GetSignalTargetAncestorsIsThread() []bool {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessIsThread(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16467,7 +16734,7 @@ func (ev *Event) GetSignalTargetAncestorsPid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PIDContext.Pid
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16491,7 +16758,7 @@ func (ev *Event) GetSignalTargetAncestorsPpid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PPid
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16515,7 +16782,7 @@ func (ev *Event) GetSignalTargetAncestorsTid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PIDContext.Tid
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16539,7 +16806,7 @@ func (ev *Event) GetSignalTargetAncestorsTtyName() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.TTYName
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16563,7 +16830,7 @@ func (ev *Event) GetSignalTargetAncestorsUid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.UID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16587,7 +16854,7 @@ func (ev *Event) GetSignalTargetAncestorsUser() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.Credentials.User
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16611,7 +16878,7 @@ func (ev *Event) GetSignalTargetAncestorsUserSessionK8sGroups() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16635,7 +16902,7 @@ func (ev *Event) GetSignalTargetAncestorsUserSessionK8sUid() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -16659,7 +16926,7 @@ func (ev *Event) GetSignalTargetAncestorsUserSessionK8sUsername() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
diff --git a/pkg/security/secl/model/field_accessors_windows.go b/pkg/security/secl/model/field_accessors_windows.go
index 1ed3130e6951e3..b1d20c4574c0c5 100644
--- a/pkg/security/secl/model/field_accessors_windows.go
+++ b/pkg/security/secl/model/field_accessors_windows.go
@@ -790,7 +790,7 @@ func (ev *Event) GetProcessAncestorsCmdline() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessCmdLine(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -811,7 +811,7 @@ func (ev *Event) GetProcessAncestorsCmdlineScrubbed() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessCmdLineScrubbed(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -832,7 +832,7 @@ func (ev *Event) GetProcessAncestorsContainerId() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.ContainerID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -853,7 +853,7 @@ func (ev *Event) GetProcessAncestorsCreatedAt() []int {
element := (*ProcessCacheEntry)(ptr)
result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -874,7 +874,7 @@ func (ev *Event) GetProcessAncestorsEnvp() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -895,7 +895,7 @@ func (ev *Event) GetProcessAncestorsEnvs() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -916,7 +916,7 @@ func (ev *Event) GetProcessAncestorsFileName() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -937,7 +937,7 @@ func (ev *Event) GetProcessAncestorsFileNameLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -958,7 +958,7 @@ func (ev *Event) GetProcessAncestorsFilePath() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -979,7 +979,7 @@ func (ev *Event) GetProcessAncestorsFilePathLength() []int {
element := (*ProcessCacheEntry)(ptr)
result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -1013,7 +1013,7 @@ func (ev *Event) GetProcessAncestorsPid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PIDContext.Pid
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -1034,7 +1034,7 @@ func (ev *Event) GetProcessAncestorsPpid() []uint32 {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.PPid
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -1055,7 +1055,7 @@ func (ev *Event) GetProcessAncestorsUser() []string {
element := (*ProcessCacheEntry)(ptr)
result := ev.FieldHandlers.ResolveUser(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
@@ -1076,7 +1076,7 @@ func (ev *Event) GetProcessAncestorsUserSid() []string {
element := (*ProcessCacheEntry)(ptr)
result := element.ProcessContext.Process.OwnerSidString
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values
}
diff --git a/pkg/security/secl/model/field_handlers_unix.go b/pkg/security/secl/model/field_handlers_unix.go
index 6dd4df4c575c55..91214443be7624 100644
--- a/pkg/security/secl/model/field_handlers_unix.go
+++ b/pkg/security/secl/model/field_handlers_unix.go
@@ -561,6 +561,8 @@ func (ev *Event) resolveFields(forADs bool) {
_ = ev.FieldHandlers.ResolveSyscallCtxArgsStr3(ev, &ev.Mount.SyscallContext)
}
case "mprotect":
+ case "network_flow_monitor":
+ _ = ev.FieldHandlers.ResolveNetworkDeviceIfName(ev, &ev.NetworkFlowMonitor.Device)
case "ondemand":
_ = ev.FieldHandlers.ResolveOnDemandName(ev, &ev.OnDemand)
_ = ev.FieldHandlers.ResolveOnDemandArg1Str(ev, &ev.OnDemand)
diff --git a/pkg/security/secl/model/model.go b/pkg/security/secl/model/model.go
index 9a6ae500f2d6fa..d6679446521822 100644
--- a/pkg/security/secl/model/model.go
+++ b/pkg/security/secl/model/model.go
@@ -96,15 +96,30 @@ type IPPortContext struct {
IsPublicResolved bool `field:"-"`
}
+// GetComparable returns a comparable version of IPPortContext
+func (ipc *IPPortContext) GetComparable() IPPortContextComparable {
+ return IPPortContextComparable{
+ IP: ipc.IPNet.String(),
+ Port: ipc.Port,
+ }
+}
+
+// IPPortContextComparable is used by activity trees to lookup flows quickly
+type IPPortContextComparable struct {
+ IP string
+ Port uint16
+}
+
// NetworkContext represents the network context of the event
type NetworkContext struct {
Device NetworkDeviceContext `field:"device"` // network device on which the network packet was captured
- L3Protocol uint16 `field:"l3_protocol"` // SECLDoc[l3_protocol] Definition:`L3 protocol of the network packet` Constants:`L3 protocols`
- L4Protocol uint16 `field:"l4_protocol"` // SECLDoc[l4_protocol] Definition:`L4 protocol of the network packet` Constants:`L4 protocols`
- Source IPPortContext `field:"source"` // source of the network packet
- Destination IPPortContext `field:"destination"` // destination of the network packet
- Size uint32 `field:"size"` // SECLDoc[size] Definition:`Size in bytes of the network packet`
+ L3Protocol uint16 `field:"l3_protocol"` // SECLDoc[l3_protocol] Definition:`L3 protocol of the network packet` Constants:`L3 protocols`
+ L4Protocol uint16 `field:"l4_protocol"` // SECLDoc[l4_protocol] Definition:`L4 protocol of the network packet` Constants:`L4 protocols`
+ Source IPPortContext `field:"source"` // source of the network packet
+ Destination IPPortContext `field:"destination"` // destination of the network packet
+ NetworkDirection uint32 `field:"network_direction"` // SECLDoc[network_direction] Definition:`Network direction of the network packet` Constants:`Network directions`
+ Size uint32 `field:"size"` // SECLDoc[size] Definition:`Size in bytes of the network packet`
}
// IsZero returns if there is a network context
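Review bot: The doc comment on IPPortContextComparable does not say what form the `IP` string takes, and GetComparable fills it from `ipc.IPNet.String()`. If IPNet is a net.IPNet (its type is not visible in this hunk), that string is the CIDR form including the mask, so two contexts with the same address but different masks compare as different keys. I would state that in the comment, e.g. `// IP is the CIDR string of IPNet (address and mask); Port is the port number.` Since String() is called on every lookup, a note that GetComparable allocates would also help callers on hot paths.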
@@ -508,7 +523,7 @@ func (it *ProcessAncestorsIterator) Front(ctx *eval.Context) *ProcessCacheEntry
}
// Next returns the next element
-func (it *ProcessAncestorsIterator) Next() *ProcessCacheEntry {
+func (it *ProcessAncestorsIterator) Next(_ *eval.Context) *ProcessCacheEntry {
if next := it.prev.Ancestor; next != nil {
it.prev = next
return next
diff --git a/pkg/security/secl/model/model_unix.go b/pkg/security/secl/model/model_unix.go
index c7ff2ac4240b3c..08bb7aaee0a6fa 100644
--- a/pkg/security/secl/model/model_unix.go
+++ b/pkg/security/secl/model/model_unix.go
@@ -74,9 +74,10 @@ type Event struct {
UnloadModule UnloadModuleEvent `field:"unload_module" event:"unload_module"` // [7.35] [Kernel] A kernel module was deleted
// network events
- DNS DNSEvent `field:"dns" event:"dns"` // [7.36] [Network] A DNS request was sent
- IMDS IMDSEvent `field:"imds" event:"imds"` // [7.55] [Network] An IMDS event was captured
- RawPacket RawPacketEvent `field:"packet" event:"packet"` // [7.60] [Network] A raw network packet captured
+ DNS DNSEvent `field:"dns" event:"dns"` // [7.36] [Network] A DNS request was sent
+ IMDS IMDSEvent `field:"imds" event:"imds"` // [7.55] [Network] An IMDS event was captured
+ RawPacket RawPacketEvent `field:"packet" event:"packet"` // [7.60] [Network] A raw network packet was captured
+ NetworkFlowMonitor NetworkFlowMonitorEvent `field:"network_flow_monitor" event:"network_flow_monitor"` // [7.62] [Network] A network monitor event was sent
// on-demand events
OnDemand OnDemandEvent `field:"ondemand" event:"ondemand"`
@@ -735,3 +736,81 @@ type RawPacketEvent struct {
CaptureInfo gopacket.CaptureInfo `field:"-"`
Data []byte `field:"-"`
}
+
+// NetworkStats is used to record network statistics
+type NetworkStats struct {
+ DataSize uint64 `field:"data_size"` // SECLDoc[data_size] Definition:`Amount of data transmitted or received`
+ PacketCount uint64 `field:"packet_count"` // SECLDoc[packet_count] Definition:`Count of network packets transmitted or received`
+}
+
+func (ns *NetworkStats) Add(input NetworkStats) {
+ ns.DataSize += input.DataSize
+ ns.PacketCount += input.PacketCount
+}
+
+// Flow is used to represent a network 5-tuple with statistics
+type Flow struct {
+ Source IPPortContext `field:"source"` // source of the network packet
+ Destination IPPortContext `field:"destination"` // destination of the network packet
+ L3Protocol uint16 `field:"l3_protocol"` // SECLDoc[l3_protocol] Definition:`L3 protocol of the network packet` Constants:`L3 protocols`
+ L4Protocol uint16 `field:"l4_protocol"` // SECLDoc[l4_protocol] Definition:`L4 protocol of the network packet` Constants:`L4 protocols`
+
+ Ingress NetworkStats `field:"ingress"` // SECLDoc[ingress] Definition:`Network statistics about ingress traffic`
+ Egress NetworkStats `field:"egress"` // SECLDoc[egress] Definition:`Network statistics about egress traffic`
+}
+
+// NetworkFlowMonitorEvent represents a network flow monitor event
+type NetworkFlowMonitorEvent struct {
+ Device NetworkDeviceContext `field:"device"` // network device on which the network flows were captured
+ FlowsCount uint64 `field:"flows_count"` // SECLDoc[flows_count] Definition:`Number of captured network flows`
+ FlushNetworkStatsType uint64 `field:"-"`
+ Flows []Flow `field:"flows,iterator:FlowsIterator"` // list of captured flows
+}
+
+// FlowsIterator defines an iterator of flozs
+type FlowsIterator struct {
+ prev int
+}
+
+// Front returns the first element
+func (it *FlowsIterator) Front(ctx *eval.Context) *Flow {
+ if len(ctx.Event.(*Event).NetworkFlowMonitor.Flows) == 0 {
+ return nil
+ }
+
+ front := ctx.Event.(*Event).NetworkFlowMonitor.Flows[0]
+ it.prev = 0
+ return &front
+}
+
+// Next returns the next element
+func (it *FlowsIterator) Next(ctx *eval.Context) *Flow {
+ if len(ctx.Event.(*Event).NetworkFlowMonitor.Flows) > it.prev+1 {
+ it.prev += 1
+ return &(ctx.Event.(*Event).NetworkFlowMonitor.Flows[it.prev])
+ }
+ return nil
+}
+
+// At returns the element at the given position
+func (it *FlowsIterator) At(ctx *eval.Context, regID eval.RegisterID, pos int) *Flow {
+ if entry := ctx.RegisterCache[regID]; entry != nil && entry.Pos == pos {
+ return entry.Value.(*Flow)
+ }
+
+ if len(ctx.Event.(*Event).NetworkFlowMonitor.Flows) > pos {
+ flow := &(ctx.Event.(*Event).NetworkFlowMonitor.Flows[pos])
+ ctx.RegisterCache[regID] = &eval.RegisterCacheEntry{
+ Pos: pos,
+ Value: flow,
+ }
+ return flow
+ }
+
+ return nil
+}
+
+// Len returns the len
+func (it *FlowsIterator) Len(ctx *eval.Context) int {
+ return len(ctx.Event.(*Event).NetworkFlowMonitor.Flows)
+}
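Review bot: FlowsIterator.Front returns `&front`, the address of a local copy of Flows[0], while Next and At return pointers into the slice itself. A caller that mutates or compares the first element therefore sees different behaviour from the rest, and the copy escapes to the heap on every call. I would return `&ctx.Event.(*Event).NetworkFlowMonitor.Flows[0]` instead. At only checks `len(...) > pos` before indexing, so a negative pos would panic; `pos >= 0 &&` in that condition closes it, if callers can ever pass one. Smaller points: the exported NetworkStats.Add has no doc comment, "flozs" in the FlowsIterator comment should read "flows", and `it.prev += 1` is normally written `it.prev++`.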
diff --git a/pkg/security/secl/model/string_array_iter.go b/pkg/security/secl/model/string_array_iter.go
index c27537255c729d..718f162384ecd9 100644
--- a/pkg/security/secl/model/string_array_iter.go
+++ b/pkg/security/secl/model/string_array_iter.go
@@ -8,24 +8,37 @@ package model
import "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
-func newAncestorsIterator[T any](iter *ProcessAncestorsIterator, ctx *eval.Context, ev *Event, perIter func(ev *Event, pce *ProcessCacheEntry) T) []T {
- results := make([]T, 0, ctx.CachedAncestorsCount)
- for pce := iter.Front(ctx); pce != nil; pce = iter.Next() {
- results = append(results, perIter(ev, pce))
+type AncestorsIterator[T any] interface {
+ Front(ctx *eval.Context) T
+ Next(ctx *eval.Context) T
+ At(ctx *eval.Context, regID eval.RegisterID, pos int) T
+ Len(ctx *eval.Context) int
+}
+
+// Helper function to check if a value is nil
+func isNil[V comparable](v V) bool {
+ var zero V
+ return v == zero
+}
+
+func newAncestorsIterator[T any, V comparable](iter AncestorsIterator[V], field eval.Field, ctx *eval.Context, ev *Event, perIter func(ev *Event, current V) T) []T {
+ results := make([]T, 0, ctx.AncestorsCounters[field])
+ for entry := iter.Front(ctx); !isNil(entry); entry = iter.Next(ctx) {
+ results = append(results, perIter(ev, entry))
}
- ctx.CachedAncestorsCount = len(results)
+ ctx.AncestorsCounters[field] = len(results)
return results
}
-func newAncestorsIteratorArray[T any](iter *ProcessAncestorsIterator, ctx *eval.Context, ev *Event, perIter func(ev *Event, pce *ProcessCacheEntry) []T) []T {
- results := make([]T, 0, ctx.CachedAncestorsCount)
+func newAncestorsIteratorArray[T any, V comparable](iter AncestorsIterator[V], field eval.Field, ctx *eval.Context, ev *Event, perIter func(ev *Event, current V) []T) []T {
+ results := make([]T, 0, ctx.AncestorsCounters[field])
ancestorsCount := 0
- for pce := iter.Front(ctx); pce != nil; pce = iter.Next() {
- results = append(results, perIter(ev, pce)...)
+ for entry := iter.Front(ctx); !isNil(entry); entry = iter.Next(ctx) {
+ results = append(results, perIter(ev, entry)...)
ancestorsCount++
}
- ctx.CachedAncestorsCount = ancestorsCount
+ ctx.AncestorsCounters[field] = ancestorsCount
return results
}
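Review bot: The writes `ctx.AncestorsCounters[field] = len(results)` in newAncestorsIterator and `ctx.AncestorsCounters[field] = ancestorsCount` in newAncestorsIteratorArray panic if AncestorsCounters is a nil map. Its initialisation is not visible in this hunk, so it is worth confirming that every construction and reset path of eval.Context allocates it. isNil compares against the zero value of V, which is right for the pointer types used here but would treat a typed nil held in an interface type as non-nil. A comment such as `// isNil reports whether v is the zero value of V; V is expected to be a pointer type.` would record that constraint. The exported AncestorsIterator interface also has no doc comment.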
diff --git a/pkg/security/secl/model/unmarshallers_linux.go b/pkg/security/secl/model/unmarshallers_linux.go
index 7c38d3127e1ba2..7c6428720ac7f7 100644
--- a/pkg/security/secl/model/unmarshallers_linux.go
+++ b/pkg/security/secl/model/unmarshallers_linux.go
@@ -1056,7 +1056,7 @@ func (e *NetworkContext) UnmarshalBinary(data []byte) (int, error) {
return 0, err
}
- if len(data)-read < 44 {
+ if len(data)-read < 48 {
return 0, ErrNotEnoughData
}
@@ -1065,11 +1065,11 @@ func (e *NetworkContext) UnmarshalBinary(data []byte) (int, error) {
SliceToArray(data[read+16:read+32], dstIP[:])
e.Source.Port = binary.BigEndian.Uint16(data[read+32 : read+34])
e.Destination.Port = binary.BigEndian.Uint16(data[read+34 : read+36])
- // padding 4 bytes
+ e.L4Protocol = binary.NativeEndian.Uint16(data[read+36 : read+38])
+ e.L3Protocol = binary.NativeEndian.Uint16(data[read+38 : read+40])
e.Size = binary.NativeEndian.Uint32(data[read+40 : read+44])
- e.L3Protocol = binary.NativeEndian.Uint16(data[read+44 : read+46])
- e.L4Protocol = binary.NativeEndian.Uint16(data[read+46 : read+48])
+ e.NetworkDirection = binary.NativeEndian.Uint32(data[read+44 : read+48])
// readjust IP sizes depending on the protocol
switch e.L3Protocol {
@@ -1393,3 +1393,84 @@ func (e *RawPacketEvent) UnmarshalBinary(data []byte) (int, error) {
return len(data), nil
}
+
+// UnmarshalBinary unmarshals a binary representation of itself
+func (e *NetworkStats) UnmarshalBinary(data []byte) (int, error) {
+ if len(data) < 16 {
+ return 0, ErrNotEnoughData
+ }
+
+ e.DataSize = binary.NativeEndian.Uint64(data[0:8])
+ e.PacketCount = binary.NativeEndian.Uint64(data[8:16])
+ return 16, nil
+}
+
+// UnmarshalBinary unmarshals a binary representation of itself
+func (e *Flow) UnmarshalBinary(data []byte) (int, error) {
+ if len(data) < 40 {
+ return 0, ErrNotEnoughData
+ }
+
+ var srcIP, dstIP [16]byte
+ SliceToArray(data[0:16], srcIP[:])
+ SliceToArray(data[16:32], dstIP[:])
+ e.Source.Port = binary.BigEndian.Uint16(data[32:34])
+ e.Destination.Port = binary.BigEndian.Uint16(data[34:36])
+ e.L4Protocol = binary.NativeEndian.Uint16(data[36:38])
+ e.L3Protocol = binary.NativeEndian.Uint16(data[38:40])
+
+ // readjust IP sizes depending on the protocol
+ switch e.L3Protocol {
+ case 0x800: // unix.ETH_P_IP
+ e.Source.IPNet = *eval.IPNetFromIP(srcIP[0:4])
+ e.Destination.IPNet = *eval.IPNetFromIP(dstIP[0:4])
+ default:
+ e.Source.IPNet = *eval.IPNetFromIP(srcIP[:])
+ e.Destination.IPNet = *eval.IPNetFromIP(dstIP[:])
+ }
+
+ // parse stats
+ readIngress, err := e.Ingress.UnmarshalBinary(data[40:])
+ if err != nil {
+ return 0, ErrNotEnoughData
+ }
+ readEgress, err := e.Egress.UnmarshalBinary(data[40+readIngress:])
+ if err != nil {
+ return 0, ErrNotEnoughData
+ }
+
+ return 40 + readIngress + readEgress, nil
+}
+
+// UnmarshalBinary unmarshals a binary representation of itself
+func (e *NetworkFlowMonitorEvent) UnmarshalBinary(data []byte) (int, error) {
+ read, err := e.Device.UnmarshalBinary(data)
+ if err != nil {
+ return 0, ErrNotEnoughData
+ }
+ total := read
+ data = data[read:]
+
+ if len(data) < 16 {
+ return 0, ErrNotEnoughData
+ }
+ e.FlowsCount = binary.NativeEndian.Uint64(data[0:8])
+ e.FlushNetworkStatsType = binary.NativeEndian.Uint64(data[8:16])
+ total += 16
+ data = data[16:]
+
+ for i := uint64(0); i < e.FlowsCount; i++ {
+ // parse flow
+ var flow Flow
+ read, err = flow.UnmarshalBinary(data)
+ if err != nil {
+ return 0, err
+ }
+ total += read
+ data = data[read:]
+
+ e.Flows = append(e.Flows, flow)
+ }
+
+ return total, nil
+}
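Review bot: NetworkFlowMonitorEvent.UnmarshalBinary appends to `e.Flows` without clearing it first. If the event struct is reused between decoded events (not visible in this hunk), flows from an earlier event carry over into the next one and len(e.Flows) no longer matches FlowsCount. Adding `e.Flows = e.Flows[:0]` before the loop avoids that and keeps the backing array. The same function replaces the error from `e.Device.UnmarshalBinary` with ErrNotEnoughData, and Flow.UnmarshalBinary does the same for the Ingress and Egress errors; `return 0, err` would keep the real cause. The literal sizes 16 and 40 would also read better as named constants tied to the layout they mirror.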
diff --git a/pkg/security/seclwin/model/accessors_win.go b/pkg/security/seclwin/model/accessors_win.go
index d7f989e58bd935..ec877b63c56510 100644
--- a/pkg/security/seclwin/model/accessors_win.go
+++ b/pkg/security/seclwin/model/accessors_win.go
@@ -883,8 +883,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveProcessCmdLine(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveProcessCmdLine(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -910,8 +910,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.ContainerID
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.ContainerID
})
ctx.StringCache[field] = results
return results
@@ -938,8 +938,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &pce.ProcessContext.Process))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ¤t.ProcessContext.Process))
})
ctx.IntCache[field] = results
return results
@@ -966,8 +966,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessEnvp(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessEnvp(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -994,8 +994,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result...)
return results
}
- results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string {
- return ev.FieldHandlers.ResolveProcessEnvs(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIteratorArray(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) []string {
+ return ev.FieldHandlers.ResolveProcessEnvs(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -1023,8 +1023,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.FileEvent)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -1052,8 +1052,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFileBasename(ev, ¤t.ProcessContext.Process.FileEvent))
})
ctx.IntCache[field] = results
return results
@@ -1081,8 +1081,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.FileEvent)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.FileEvent)
})
ctx.StringCache[field] = results
return results
@@ -1110,8 +1110,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int {
- return len(ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.FileEvent))
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) int {
+ return len(ev.FieldHandlers.ResolveFilePath(ev, ¤t.ProcessContext.Process.FileEvent))
})
ctx.IntCache[field] = results
return results
@@ -1147,8 +1147,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.PIDContext.Pid)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.PIDContext.Pid)
})
ctx.IntCache[field] = results
return results
@@ -1174,8 +1174,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int {
- return int(pce.ProcessContext.Process.PPid)
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) int {
+ return int(current.ProcessContext.Process.PPid)
})
ctx.IntCache[field] = results
return results
@@ -1202,8 +1202,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string {
- return ev.FieldHandlers.ResolveUser(ev, &pce.ProcessContext.Process)
+ results = newAncestorsIterator(iterator, field, ctx, ev, func(ev *Event, current *ProcessCacheEntry) string {
+ return ev.FieldHandlers.ResolveUser(ev, ¤t.ProcessContext.Process)
})
ctx.StringCache[field] = results
return results
@@ -1229,8 +1229,8 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
results = append(results, result)
return results
}
- results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) string {
- return pce.ProcessContext.Process.OwnerSidString
+ results = newAncestorsIterator(iterator, field, ctx, nil, func(ev *Event, current *ProcessCacheEntry) string {
+ return current.ProcessContext.Process.OwnerSidString
})
ctx.StringCache[field] = results
return results
@@ -2209,7 +2209,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessCmdLine(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.container.id":
@@ -2221,7 +2221,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.ContainerID
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.created_at":
@@ -2233,7 +2233,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process))
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.envp":
@@ -2245,7 +2245,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.envs":
@@ -2257,7 +2257,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process)
values = append(values, result...)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.name":
@@ -2269,7 +2269,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.name.length":
@@ -2283,7 +2283,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.file.path.length":
@@ -2301,7 +2301,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.PIDContext.Pid)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.ppid":
@@ -2313,7 +2313,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := int(element.ProcessContext.Process.PPid)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.user":
@@ -2325,7 +2325,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := ev.FieldHandlers.ResolveUser(ev, &element.ProcessContext.Process)
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.ancestors.user_sid":
@@ -2337,7 +2337,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
element := ptr
result := element.ProcessContext.Process.OwnerSidString
values = append(values, result)
- ptr = iterator.Next()
+ ptr = iterator.Next(ctx)
}
return values, nil
case "process.cmdline":
diff --git a/pkg/security/seclwin/model/consts_common.go b/pkg/security/seclwin/model/consts_common.go
index 1b64957cba71e7..ed057c72c7d881 100644
--- a/pkg/security/seclwin/model/consts_common.go
+++ b/pkg/security/seclwin/model/consts_common.go
@@ -319,6 +319,13 @@ var (
"IP_PROTO_RAW": IPProtoRAW,
}
+ // NetworkDirectionConstants is the list of supported network directions
+ // generate_constants:Network directions,Network directions are the supported directions of network packets.
+ NetworkDirectionConstants = map[string]NetworkDirection{
+ "INGRESS": Ingress,
+ "EGRESS": Egress,
+ }
+
// exitCauseConstants is the list of supported Exit causes
exitCauseConstants = map[string]ExitCause{
"EXITED": ExitExited,
@@ -337,13 +344,14 @@ var (
)
var (
- dnsQTypeStrings = map[uint32]string{}
- dnsQClassStrings = map[uint32]string{}
- l3ProtocolStrings = map[L3Protocol]string{}
- l4ProtocolStrings = map[L4Protocol]string{}
- addressFamilyStrings = map[uint16]string{}
- exitCauseStrings = map[ExitCause]string{}
- tlsVersionStrings = map[uint16]string{}
+ dnsQTypeStrings = map[uint32]string{}
+ dnsQClassStrings = map[uint32]string{}
+ l3ProtocolStrings = map[L3Protocol]string{}
+ l4ProtocolStrings = map[L4Protocol]string{}
+ networkDirectionStrings = map[NetworkDirection]string{}
+ addressFamilyStrings = map[uint16]string{}
+ exitCauseStrings = map[ExitCause]string{}
+ tlsVersionStrings = map[uint16]string{}
)
// File flags
@@ -410,6 +418,13 @@ func initL4ProtocolConstants() {
}
}
+func initNetworkDirectionContants() {
+ for k, v := range NetworkDirectionConstants {
+ seclConstants[k] = &eval.IntEvaluator{Value: int(v)}
+ networkDirectionStrings[v] = k
+ }
+}
+
func initAddressFamilyConstants() {
for k, v := range addressFamilyConstants {
seclConstants[k] = &eval.IntEvaluator{Value: int(v)}
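Review bot: The new function name `initNetworkDirectionContants` is misspelled ("Contants"), while the sibling initialisers around it all end in `Constants`. Renaming it to `func initNetworkDirectionConstants()` and updating the call added to `initConstants` in the next hunk keeps the family greppable. The body of `initAddressFamilyConstants` that follows continues outside this hunk.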
@@ -463,6 +478,7 @@ func initConstants() {
initDNSQTypeConstants()
initL3ProtocolConstants()
initL4ProtocolConstants()
+ initNetworkDirectionContants()
initAddressFamilyConstants()
initExitCauseConstants()
initBPFMapNamesConstants()
@@ -781,6 +797,20 @@ const (
IPProtoRAW L4Protocol = 255
)
+// NetworkDirection is used to identify the network direction of a flow
+type NetworkDirection uint32
+
+func (direction NetworkDirection) String() string {
+ return networkDirectionStrings[direction]
+}
+
+const (
+ // Egress is used to identify egress traffic
+ Egress NetworkDirection = iota + 1
+ // Ingress is used to identify ingress traffic
+ Ingress
+)
+
// ExitCause represents the cause of a process termination
type ExitCause uint32
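Review bot: `NetworkDirection.String()` has no doc comment, and it returns an empty string for any value missing from `networkDirectionStrings`. That includes the zero value, because the constants start at `iota + 1`. A comment such as `// String returns the direction name, or "" when the value is not a known direction.` would make this visible to callers that print or compare the result.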
diff --git a/pkg/security/seclwin/model/events.go b/pkg/security/seclwin/model/events.go
index 2c2e867ef17e85..6fcf4a0abe85cd 100644
--- a/pkg/security/seclwin/model/events.go
+++ b/pkg/security/seclwin/model/events.go
@@ -101,6 +101,8 @@ const (
CgroupWriteEventType
// RawPacketEventType raw packet event
RawPacketEventType
+ // NetworkFlowMonitorEventType is sent to monitor network activity
+ NetworkFlowMonitorEventType
// MaxKernelEventType is used internally to get the maximum number of kernel events.
MaxKernelEventType
@@ -231,6 +233,8 @@ func (t EventType) String() string {
return "ondemand"
case RawPacketEventType:
return "packet"
+ case NetworkFlowMonitorEventType:
+ return "network_flow_monitor"
case CustomEventType:
return "custom_event"
case CreateNewFileEventType:
diff --git a/pkg/security/seclwin/model/model.go b/pkg/security/seclwin/model/model.go
index 9a6ae500f2d6fa..d6679446521822 100644
--- a/pkg/security/seclwin/model/model.go
+++ b/pkg/security/seclwin/model/model.go
@@ -96,15 +96,30 @@ type IPPortContext struct {
IsPublicResolved bool `field:"-"`
}
+// GetComparable returns a comparable version of IPPortContext
+func (ipc *IPPortContext) GetComparable() IPPortContextComparable {
+ return IPPortContextComparable{
+ IP: ipc.IPNet.String(),
+ Port: ipc.Port,
+ }
+}
+
+// IPPortContextComparable is used by activity trees to lookup flows quickly
+type IPPortContextComparable struct {
+ IP string
+ Port uint16
+}
+
// NetworkContext represents the network context of the event
type NetworkContext struct {
Device NetworkDeviceContext `field:"device"` // network device on which the network packet was captured
- L3Protocol uint16 `field:"l3_protocol"` // SECLDoc[l3_protocol] Definition:`L3 protocol of the network packet` Constants:`L3 protocols`
- L4Protocol uint16 `field:"l4_protocol"` // SECLDoc[l4_protocol] Definition:`L4 protocol of the network packet` Constants:`L4 protocols`
- Source IPPortContext `field:"source"` // source of the network packet
- Destination IPPortContext `field:"destination"` // destination of the network packet
- Size uint32 `field:"size"` // SECLDoc[size] Definition:`Size in bytes of the network packet`
+ L3Protocol uint16 `field:"l3_protocol"` // SECLDoc[l3_protocol] Definition:`L3 protocol of the network packet` Constants:`L3 protocols`
+ L4Protocol uint16 `field:"l4_protocol"` // SECLDoc[l4_protocol] Definition:`L4 protocol of the network packet` Constants:`L4 protocols`
+ Source IPPortContext `field:"source"` // source of the network packet
+ Destination IPPortContext `field:"destination"` // destination of the network packet
+ NetworkDirection uint32 `field:"network_direction"` // SECLDoc[network_direction] Definition:`Network direction of the network packet` Constants:`Network directions`
+ Size uint32 `field:"size"` // SECLDoc[size] Definition:`Size in bytes of the network packet`
}
// IsZero returns if there is a network context
@@ -508,7 +523,7 @@ func (it *ProcessAncestorsIterator) Front(ctx *eval.Context) *ProcessCacheEntry
}
// Next returns the next element
-func (it *ProcessAncestorsIterator) Next() *ProcessCacheEntry {
+func (it *ProcessAncestorsIterator) Next(_ *eval.Context) *ProcessCacheEntry {
if next := it.prev.Ancestor; next != nil {
it.prev = next
return next
diff --git a/pkg/security/seclwin/model/string_array_iter.go b/pkg/security/seclwin/model/string_array_iter.go
index c27537255c729d..718f162384ecd9 100644
--- a/pkg/security/seclwin/model/string_array_iter.go
+++ b/pkg/security/seclwin/model/string_array_iter.go
@@ -8,24 +8,37 @@ package model
import "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
-func newAncestorsIterator[T any](iter *ProcessAncestorsIterator, ctx *eval.Context, ev *Event, perIter func(ev *Event, pce *ProcessCacheEntry) T) []T {
- results := make([]T, 0, ctx.CachedAncestorsCount)
- for pce := iter.Front(ctx); pce != nil; pce = iter.Next() {
- results = append(results, perIter(ev, pce))
+type AncestorsIterator[T any] interface {
+ Front(ctx *eval.Context) T
+ Next(ctx *eval.Context) T
+ At(ctx *eval.Context, regID eval.RegisterID, pos int) T
+ Len(ctx *eval.Context) int
+}
+
+// Helper function to check if a value is nil
+func isNil[V comparable](v V) bool {
+ var zero V
+ return v == zero
+}
+
+func newAncestorsIterator[T any, V comparable](iter AncestorsIterator[V], field eval.Field, ctx *eval.Context, ev *Event, perIter func(ev *Event, current V) T) []T {
+ results := make([]T, 0, ctx.AncestorsCounters[field])
+ for entry := iter.Front(ctx); !isNil(entry); entry = iter.Next(ctx) {
+ results = append(results, perIter(ev, entry))
}
- ctx.CachedAncestorsCount = len(results)
+ ctx.AncestorsCounters[field] = len(results)
return results
}
-func newAncestorsIteratorArray[T any](iter *ProcessAncestorsIterator, ctx *eval.Context, ev *Event, perIter func(ev *Event, pce *ProcessCacheEntry) []T) []T {
- results := make([]T, 0, ctx.CachedAncestorsCount)
+func newAncestorsIteratorArray[T any, V comparable](iter AncestorsIterator[V], field eval.Field, ctx *eval.Context, ev *Event, perIter func(ev *Event, current V) []T) []T {
+ results := make([]T, 0, ctx.AncestorsCounters[field])
ancestorsCount := 0
- for pce := iter.Front(ctx); pce != nil; pce = iter.Next() {
- results = append(results, perIter(ev, pce)...)
+ for entry := iter.Front(ctx); !isNil(entry); entry = iter.Next(ctx) {
+ results = append(results, perIter(ev, entry)...)
ancestorsCount++
}
- ctx.CachedAncestorsCount = ancestorsCount
+ ctx.AncestorsCounters[field] = ancestorsCount
return results
}
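Review bot: `isNil` is documented as a nil check but compares `v` against the zero value of `V`, so an iterator over a non-pointer comparable type would stop at the first zero-valued element. A comment such as `// isNil reports whether v is the zero value of V (nil for pointer types).` states the real contract. The exported `AncestorsIterator` interface also has no doc comment. Separately, both helpers now assign to `ctx.AncestorsCounters[field]`; the map's initialisation is not visible in this hunk, and a nil map would panic on that write, so it is worth confirming that every `eval.Context` construction path allocates it.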
diff --git a/pkg/security/security_profile/activity_tree/activity_tree.go b/pkg/security/security_profile/activity_tree/activity_tree.go
index 7987e8061f7534..0bbeb11c6220c3 100644
--- a/pkg/security/security_profile/activity_tree/activity_tree.go
+++ b/pkg/security/security_profile/activity_tree/activity_tree.go
@@ -402,6 +402,8 @@ func (at *ActivityTree) insertEvent(event *model.Event, dryRun bool, insertMissi
return node.InsertBindEvent(event, imageTag, generationType, at.Stats, dryRun), nil
case model.SyscallsEventType:
return node.InsertSyscalls(event, imageTag, at.SyscallsMask, at.Stats, dryRun), nil
+ case model.NetworkFlowMonitorEventType:
+ return node.InsertNetworkFlowMonitorEvent(event, imageTag, generationType, at.Stats, dryRun), nil
case model.ExitEventType:
// Update the exit time of the process (this is purely informative, do not rely on timestamps to detect
// execed children)
diff --git a/pkg/security/security_profile/activity_tree/activity_tree_graph.go b/pkg/security/security_profile/activity_tree/activity_tree_graph.go
index 14f70a5a98dddd..8769285b2712b6 100644
--- a/pkg/security/security_profile/activity_tree/activity_tree_graph.go
+++ b/pkg/security/security_profile/activity_tree/activity_tree_graph.go
@@ -10,6 +10,7 @@ package activitytree
import (
"fmt"
+ "strconv"
"strings"
"github.com/DataDog/datadog-agent/pkg/security/resolvers/process"
@@ -18,28 +19,68 @@ import (
)
var (
+ bigText = 10
+ mediumText = 7
+ smallText = 5
+ tableHeader = "<
"
+
processColor = "#8fbbff"
processProfileDriftColor = "#c2daff"
processRuntimeColor = "#edf3ff"
processSnapshotColor = "white"
processShape = "record"
+ processClusterColor = "#c7ddff"
+
+ processCategoryColor = "#c7c7c7"
+ processCategoryProfileDriftColor = "#e0e0e0"
+ processCategoryRuntimeColor = "#f5f5f5"
+ processCategorySnapshotColor = "white"
+ processCategoryShape = "record"
+ processCategoryClusterColor = "#e3e3e3"
fileColor = "#77bf77"
fileProfileDriftColor = "#c6e1c1"
fileRuntimeColor = "#e9f3e7"
fileSnapshotColor = "white"
fileShape = "record"
+ fileClusterColor = "#c2f2c2"
networkColor = "#ff9800"
networkProfileDriftColor = "#faddb1"
networkRuntimeColor = "#ffebcd"
networkShape = "record"
+ networkClusterColor = "#fff5e6"
)
+func (at *ActivityTree) getGraphTitle(name string, selector string) string {
+ title := tableHeader
+ title += "Name | " + name + " |
"
+ for i, t := range strings.Split(selector, ",") {
+ if i%3 == 0 {
+ if i != 0 {
+ title += ""
+ }
+ title += ""
+ if i == 0 {
+ title += "Selector | "
+ } else {
+ title += " | "
+ }
+ title += ""
+ } else {
+ title += ", "
+ }
+ title += t
+ }
+ title += " |
"
+ title += "
>"
+ return title
+}
+
// PrepareGraphData returns a graph from the activity tree
-func (at *ActivityTree) PrepareGraphData(title string, resolver *process.EBPFResolver) utils.Graph {
+func (at *ActivityTree) PrepareGraphData(name string, selector string, resolver *process.EBPFResolver) utils.Graph {
data := utils.Graph{
- Title: title,
+ Title: at.getGraphTitle(name, selector),
Nodes: make(map[utils.GraphID]*utils.Node),
}
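Review bot: `getGraphTitle` concatenates `name` and every selector part `t` into the label as-is, and the template change in `dump/graph.go` later in this diff emits `.Title` without the surrounding quotes, so any `<`, `>` or `&` in those values becomes part of the graph markup. The other label builders added in this diff splice in workload-derived strings the same way: `n.Context.IfName` in `prepareNetworkDeviceNode`, `fn.Name` in `FileNode.buildNodeRow`, and the path and arguments in `ProcessNode.getNodeLabel`. Passing each value through `html.EscapeString` before concatenation, e.g. `title += html.EscapeString(t)`, keeps a crafted file name or argument from altering or breaking the rendered profile graph. The table markup inside these string literals looks stripped on this page, so the exact tag context is inferred.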
@@ -66,11 +107,12 @@ func (at *ActivityTree) prepareProcessNode(p *ProcessNode, data *utils.Graph, re
}
panGraphID := utils.NewGraphID(utils.NewNodeIDFromPtr(p))
pan := &utils.Node{
- ID: panGraphID,
- Label: p.getNodeLabel(args),
- Size: 60,
- Color: processColor,
- Shape: processShape,
+ ID: panGraphID,
+ Label: p.getNodeLabel(args),
+ Size: smallText,
+ Color: processColor,
+ Shape: processShape,
+ IsTable: true,
}
switch p.GenerationType {
case ProfileDrift:
@@ -113,22 +155,76 @@ func (at *ActivityTree) prepareProcessNode(p *ProcessNode, data *utils.Graph, re
}
}
- for _, f := range p.Files {
- fileID := at.prepareFileNode(f, data, "", panGraphID)
- data.Edges = append(data.Edges, &utils.Edge{
- From: panGraphID,
- To: fileID,
- Color: fileColor,
- })
+ if len(p.Files) > 0 {
+ // create new subgraph for the filesystem events
+ subgraph := utils.SubGraph{
+ Nodes: make(map[utils.GraphID]*utils.Node),
+ Title: "Filesystem",
+ TitleSize: mediumText,
+ Color: fileClusterColor,
+ Name: "cluster_" + panGraphID.Derive(utils.NewRandomNodeID()).String(),
+ }
+
+ for _, f := range p.Files {
+ fileID := at.prepareFileNode(f, &subgraph, panGraphID)
+ data.Edges = append(data.Edges, &utils.Edge{
+ From: panGraphID,
+ To: fileID,
+ Color: fileColor,
+ })
+ }
+
+ // add subgraph
+ data.SubGraphs = append(data.SubGraphs, &subgraph)
+ }
+
+ for _, n := range p.NetworkDevices {
+ // create new subgraph for network device
+ subgraph := utils.SubGraph{
+ Nodes: make(map[utils.GraphID]*utils.Node),
+ Title: "Network Flows",
+ TitleSize: mediumText,
+ }
+ deviceNodeID, ok := at.prepareNetworkDeviceNode(n, &subgraph, panGraphID)
+ if ok {
+ subgraph.Name = "cluster_" + deviceNodeID.String()
+ subgraph.Color = networkClusterColor
+
+ data.Edges = append(data.Edges, &utils.Edge{
+ From: panGraphID,
+ To: deviceNodeID,
+ Color: networkColor,
+ })
+
+ // build network flow nodes
+ for _, flowNode := range n.FlowNodes {
+ at.prepareNetworkFlowNodes(flowNode, &subgraph, deviceNodeID)
+ }
+
+ // add subgraph
+ data.SubGraphs = append(data.SubGraphs, &subgraph)
+ }
}
if len(p.Syscalls) > 0 {
- syscallsNodeID := at.prepareSyscallsNode(p, data)
+ // create new subgraph for syscalls
+ subgraph := utils.SubGraph{
+ Nodes: make(map[utils.GraphID]*utils.Node),
+ Title: "Syscalls",
+ TitleSize: mediumText,
+ Color: processCategoryClusterColor,
+ }
+
+ syscallsNodeID := at.prepareSyscallsNode(p, &subgraph)
+ subgraph.Name = "cluster_" + syscallsNodeID.String()
data.Edges = append(data.Edges, &utils.Edge{
From: utils.NewGraphID(utils.NewNodeIDFromPtr(p)),
To: syscallsNodeID,
- Color: processColor,
+ Color: processCategoryColor,
})
+
+ // add subgraph
+ data.SubGraphs = append(data.SubGraphs, &subgraph)
}
for _, child := range p.Children {
@@ -157,7 +253,7 @@ func (at *ActivityTree) prepareDNSNode(n *DNSNode, data *utils.Graph, processID
dnsNode := &utils.Node{
ID: processID.Derive(utils.NewNodeIDFromPtr(n)),
Label: name,
- Size: 30,
+ Size: smallText,
Color: networkColor,
Shape: networkShape,
}
@@ -172,7 +268,7 @@ func (at *ActivityTree) prepareDNSNode(n *DNSNode, data *utils.Graph, processID
}
func (at *ActivityTree) prepareIMDSNode(n *IMDSNode, data *utils.Graph, processID utils.GraphID) (utils.GraphID, bool) {
- label := "<"
+ label := tableHeader
label += "IMDS | " + n.Event.Type + " |
"
label += "Cloud provider | " + n.Event.CloudProvider + " |
"
if len(n.Event.UserAgent) > 0 {
@@ -198,7 +294,7 @@ func (at *ActivityTree) prepareIMDSNode(n *IMDSNode, data *utils.Graph, processI
imdsNode := &utils.Node{
ID: processID.Derive(utils.NewNodeIDFromPtr(n)),
Label: label,
- Size: 30,
+ Size: smallText,
Color: networkColor,
Shape: networkShape,
IsTable: true,
@@ -213,6 +309,79 @@ func (at *ActivityTree) prepareIMDSNode(n *IMDSNode, data *utils.Graph, processI
return imdsNode.ID, true
}
+func (at *ActivityTree) prepareNetworkDeviceNode(n *NetworkDeviceNode, data *utils.SubGraph, processID utils.GraphID) (utils.GraphID, bool) {
+ label := tableHeader
+ label += "Device name | " + n.Context.IfName + " |
"
+ label += "Index | " + strconv.Itoa(int(n.Context.IfIndex)) + " |
"
+ label += "Network namespace | " + strconv.Itoa(int(n.Context.NetNS)) + " |
"
+ label += "
>"
+
+ deviceNode := &utils.Node{
+ ID: processID.Derive(utils.NewNodeIDFromPtr(n)),
+ Label: label,
+ Size: smallText,
+ Color: networkColor,
+ Shape: networkShape,
+ IsTable: true,
+ }
+
+ switch n.GenerationType {
+ case Runtime, Snapshot, Unknown:
+ deviceNode.FillColor = networkRuntimeColor
+ case ProfileDrift:
+ deviceNode.FillColor = networkProfileDriftColor
+ }
+ data.Nodes[deviceNode.ID] = deviceNode
+ return deviceNode.ID, true
+}
+
+func (at *ActivityTree) prepareNetworkFlowNodes(n *FlowNode, data *utils.SubGraph, deviceID utils.GraphID) bool {
+ if len(n.Flows) == 0 {
+ return false
+ }
+
+ for _, flow := range n.Flows {
+ label := tableHeader
+ label += "Source | " + fmt.Sprintf("%s:%d", flow.Source.IPNet.String(), flow.Source.Port) + " |
"
+ if flow.Source.IsPublicResolved {
+ label += "Is src public ? | " + strconv.FormatBool(flow.Source.IsPublic) + " |
"
+ }
+ label += "Destination | " + fmt.Sprintf("%s:%d", flow.Destination.IPNet.String(), flow.Destination.Port) + " |
"
+ if flow.Destination.IsPublicResolved {
+ label += "Is dst public ? | " + strconv.FormatBool(flow.Destination.IsPublic) + " |
"
+ }
+ label += "L4 protocol | " + model.L4Protocol(flow.L4Protocol).String() + " |
"
+ label += "Egress | " + strconv.Itoa(int(flow.Egress.DataSize)) + " bytes / " + strconv.Itoa(int(flow.Egress.PacketCount)) + " pkts |
"
+ label += "Ingress | " + strconv.Itoa(int(flow.Ingress.DataSize)) + " bytes / " + strconv.Itoa(int(flow.Ingress.PacketCount)) + " pkts |
"
+ label += ">"
+
+ flowNode := &utils.Node{
+ ID: deviceID.Derive(utils.NewNodeIDFromPtr(&flow.Source)),
+ Label: label,
+ Size: smallText,
+ Color: networkColor,
+ Shape: networkShape,
+ IsTable: true,
+ }
+
+ switch n.GenerationType {
+ case Runtime, Snapshot, Unknown:
+ flowNode.FillColor = networkRuntimeColor
+ case ProfileDrift:
+ flowNode.FillColor = networkProfileDriftColor
+ }
+ data.Nodes[flowNode.ID] = flowNode
+
+ data.Edges = append(data.Edges, &utils.Edge{
+ From: deviceID,
+ To: flowNode.ID,
+ Color: networkColor,
+ })
+ }
+
+ return true
+}
+
func (at *ActivityTree) prepareSocketNode(n *SocketNode, data *utils.Graph, processID utils.GraphID) utils.GraphID {
targetID := processID.Derive(utils.NewNodeIDFromPtr(n))
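Review bot: `prepareNetworkDeviceNode` returns `true` on every path, so the `if ok` guard at its call site in `prepareProcessNode` can never be false, and the `bool` from `prepareNetworkFlowNodes` is discarded by its only visible caller. Dropping both results, or returning `false` for a device with no flows, would make the contract honest. In the flow rows the counters go through `strconv.Itoa(int(...))`; their declared types are not shown here, but if `DataSize` and `PacketCount` are unsigned 64-bit values, `strconv.FormatUint(uint64(flow.Egress.DataSize), 10)` avoids a sign-changing conversion. Neither new function has a doc comment.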
@@ -220,7 +389,7 @@ func (at *ActivityTree) prepareSocketNode(n *SocketNode, data *utils.Graph, proc
socketNode := &utils.Node{
ID: targetID,
Label: n.Family,
- Size: 30,
+ Size: smallText,
Color: networkColor,
Shape: networkShape,
}
@@ -238,7 +407,7 @@ func (at *ActivityTree) prepareSocketNode(n *SocketNode, data *utils.Graph, proc
bindNode := &utils.Node{
ID: processID.Derive(utils.NewNodeIDFromPtr(n), utils.NewNodeID(uint64(i+1))),
Label: fmt.Sprintf("[%s]:%d", node.IP, node.Port),
- Size: 30,
+ Size: smallText,
Color: networkColor,
Shape: networkShape,
}
@@ -260,14 +429,15 @@ func (at *ActivityTree) prepareSocketNode(n *SocketNode, data *utils.Graph, proc
return targetID
}
-func (at *ActivityTree) prepareFileNode(f *FileNode, data *utils.Graph, prefix string, processID utils.GraphID) utils.GraphID {
+func (at *ActivityTree) prepareFileNode(f *FileNode, data *utils.SubGraph, processID utils.GraphID) utils.GraphID {
mergedID := processID.Derive(utils.NewNodeIDFromPtr(f))
fn := &utils.Node{
- ID: mergedID,
- Label: f.getNodeLabel(),
- Size: 30,
- Color: fileColor,
- Shape: fileShape,
+ ID: mergedID,
+ Label: f.getNodeLabel(""),
+ Size: smallText,
+ Color: fileColor,
+ Shape: fileShape,
+ IsTable: true,
}
switch f.GenerationType {
case ProfileDrift:
@@ -278,32 +448,32 @@ func (at *ActivityTree) prepareFileNode(f *FileNode, data *utils.Graph, prefix s
fn.FillColor = fileSnapshotColor
}
data.Nodes[mergedID] = fn
-
- for _, child := range f.Children {
- childID := at.prepareFileNode(child, data, prefix+f.Name, processID)
- data.Edges = append(data.Edges, &utils.Edge{
- From: mergedID,
- To: childID,
- Color: fileColor,
- })
- }
return mergedID
}
-func (at *ActivityTree) prepareSyscallsNode(p *ProcessNode, data *utils.Graph) utils.GraphID {
- label := "<"
- for _, s := range p.Syscalls {
- label += "" + model.Syscall(s.Syscall).String() + " |
"
+func (at *ActivityTree) prepareSyscallsNode(p *ProcessNode, data *utils.SubGraph) utils.GraphID {
+ label := tableHeader
+ for i, s := range p.Syscalls {
+ if i%5 == 0 {
+ if i != 0 {
+ label += ""
+ }
+ label += ""
+ } else {
+ label += ", "
+ }
+ label += model.Syscall(s.Syscall).String()
}
+ label += " |
"
label += "
>"
syscallsNode := &utils.Node{
ID: utils.NewGraphIDWithDescription("syscalls", utils.NewNodeIDFromPtr(p)),
Label: label,
- Size: 30,
- Color: processColor,
- FillColor: processSnapshotColor,
- Shape: processShape,
+ Size: smallText,
+ Color: processCategoryColor,
+ FillColor: processCategorySnapshotColor,
+ Shape: processCategoryShape,
IsTable: true,
}
data.Nodes[syscallsNode.ID] = syscallsNode
diff --git a/pkg/security/security_profile/activity_tree/activity_tree_stats.go b/pkg/security/security_profile/activity_tree/activity_tree_stats.go
index 7f10be52327b44..4f6e5c31607aaa 100644
--- a/pkg/security/security_profile/activity_tree/activity_tree_stats.go
+++ b/pkg/security/security_profile/activity_tree/activity_tree_stats.go
@@ -27,6 +27,7 @@ type Stats struct {
SocketNodes int64
IMDSNodes int64
SyscallNodes int64
+ FlowNodes int64
counts map[model.EventType]*statsPerEventType
}
@@ -74,6 +75,7 @@ func (stats *Stats) ApproximateSize() int64 {
total += stats.SocketNodes * int64(unsafe.Sizeof(SocketNode{})) // 40
total += stats.IMDSNodes * int64(unsafe.Sizeof(IMDSNode{}))
total += stats.SyscallNodes * int64(unsafe.Sizeof(SyscallNode{}))
+ total += stats.FlowNodes * int64(unsafe.Sizeof(FlowNode{}))
return total
}
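Review bot: `stats.FlowNodes` is incremented in `FlowNode.insertFlow` once per new entry in the `Flows` map, that is per `model.Flow`, yet this estimate multiplies it by `unsafe.Sizeof(FlowNode{})`, which covers only the struct's own fields and not the stored flows. If `ApproximateSize` feeds a memory cap for dumps (not visible here), flow-heavy workloads will be undercounted. `total += stats.FlowNodes * int64(unsafe.Sizeof(model.Flow{}))` would be closer to what the counter measures. `ApproximateSize` starts outside this hunk.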
diff --git a/pkg/security/security_profile/activity_tree/file_node.go b/pkg/security/security_profile/activity_tree/file_node.go
index 3f5b3033512c20..59fdf2cb263051 100644
--- a/pkg/security/security_profile/activity_tree/file_node.go
+++ b/pkg/security/security_profile/activity_tree/file_node.go
@@ -12,6 +12,7 @@ import (
"fmt"
"io"
"sort"
+ "strconv"
"strings"
"time"
@@ -67,25 +68,44 @@ func NewFileNode(fileEvent *model.FileEvent, event *model.Event, name string, im
return fan
}
-func (fn *FileNode) getNodeLabel() string {
- label := fn.Name
- if fn.Open != nil {
- label += " [open]"
+func (fn *FileNode) getNodeLabel(prefix string) string {
+ var label string
+ if prefix == "" {
+ label += tableHeader
+ label += ""
+ label += "Events | "
+ label += "Hash count | "
+ label += "File | "
+ label += "Package | "
+ label += "
"
+ }
+ label += fn.buildNodeRow(prefix)
+ for _, child := range fn.Children {
+ label += child.getNodeLabel(prefix + "/" + fn.Name)
}
- if fn.File != nil {
- if len(fn.File.PkgName) != 0 {
- label += fmt.Sprintf("|%s:%s}", fn.File.PkgName, fn.File.PkgVersion)
- }
- // add hashes
- if len(fn.File.Hashes) > 0 {
- label += fmt.Sprintf("|%v", strings.Join(fn.File.Hashes, "|"))
- } else {
- label += fmt.Sprintf("|(%s)", fn.File.HashState)
- }
+ if prefix == "" {
+ label += ">"
}
return label
}
+func (fn *FileNode) buildNodeRow(prefix string) string {
+ var out string
+ if fn.Open != nil && fn.File != nil {
+ var pkg string
+ if len(fn.File.PkgName) != 0 {
+ pkg = fmt.Sprintf("%s:%s", fn.File.PkgName, fn.File.PkgVersion)
+ }
+ out += ""
+ out += "open | "
+ out += "" + strconv.Itoa(len(fn.File.Hashes)) + " hash(es) | "
+ out += "" + fmt.Sprintf("%s/%s", prefix, fn.Name) + " | "
+ out += "" + pkg + " | "
+ out += "
"
+ }
+ return out
+}
+
func (fn *FileNode) enrichFromEvent(event *model.Event) {
if event == nil {
return
diff --git a/pkg/security/security_profile/activity_tree/flow_node.go b/pkg/security/security_profile/activity_tree/flow_node.go
new file mode 100644
index 00000000000000..952e7ae7801bbf
--- /dev/null
+++ b/pkg/security/security_profile/activity_tree/flow_node.go
@@ -0,0 +1,74 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build linux
+
+// Package activitytree holds activitytree related files
+package activitytree
+
+import (
+ "github.com/DataDog/datadog-agent/pkg/security/secl/model"
+)
+
+// FlowNode is used to store a flow node
+type FlowNode struct {
+ ImageTags []string
+ GenerationType NodeGenerationType
+
+ // Flows are indexed by destination IPPortContext
+ Flows map[model.IPPortContextComparable]*model.Flow
+}
+
+// NewFlowNode returns a new FlowNode instance
+func NewFlowNode(flow model.Flow, generationType NodeGenerationType, imageTag string, stats *Stats) *FlowNode {
+ node := &FlowNode{
+ GenerationType: generationType,
+ Flows: make(map[model.IPPortContextComparable]*model.Flow),
+ }
+
+ node.insertFlow(flow, false, imageTag, stats)
+
+ return node
+}
+
+func (node *FlowNode) appendImageTag(imageTag string) {
+ node.ImageTags, _ = AppendIfNotPresent(node.ImageTags, imageTag)
+}
+
+func (node *FlowNode) evictImageTag(imageTag string) bool {
+ imageTags, removed := removeImageTagFromList(node.ImageTags, imageTag)
+ if removed {
+ if len(imageTags) == 0 {
+ return true
+ }
+ node.ImageTags = imageTags
+ }
+ return false
+}
+
+func (node *FlowNode) insertFlow(flow model.Flow, dryRun bool, imageTag string, stats *Stats) bool {
+ if imageTag != "" {
+ node.appendImageTag(imageTag)
+ }
+
+ var newFlow bool
+ existingFlow, ok := node.Flows[flow.Destination.GetComparable()]
+ if ok {
+ // add metrics
+ existingFlow.Egress.Add(flow.Egress)
+ existingFlow.Ingress.Add(flow.Ingress)
+ } else {
+ // create new entry
+ newFlow = true
+ if dryRun {
+ // exit early
+ return newFlow
+ }
+ node.Flows[flow.Destination.GetComparable()] = &flow
+ stats.FlowNodes++
+ }
+
+ return newFlow
+}
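Review bot: `insertFlow` mutates the node even when `dryRun` is true: `appendImageTag` runs before the flag is consulted, and for an existing flow the `Egress.Add`/`Ingress.Add` calls update the stored counters. The early return in the `else` branch suggests dry runs are meant to be side-effect free, in which case checking an event against a profile would inflate that profile's byte and packet counts each time. Guarding the mutations, e.g. `if imageTag != "" && !dryRun {` and `if ok { if !dryRun { existingFlow.Egress.Add(flow.Egress); existingFlow.Ingress.Add(flow.Ingress) } }`, keeps the stored baseline unchanged. `evictImageTag` and `insertFlow` also lack doc comments stating what their `bool` result means.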
diff --git a/pkg/security/security_profile/activity_tree/network_device_node.go b/pkg/security/security_profile/activity_tree/network_device_node.go
new file mode 100644
index 00000000000000..5221331049aad0
--- /dev/null
+++ b/pkg/security/security_profile/activity_tree/network_device_node.go
@@ -0,0 +1,78 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build linux
+
+// Package activitytree holds activitytree related files
+package activitytree
+
+import (
+ "github.com/DataDog/datadog-agent/pkg/security/secl/model"
+)
+
+// NetworkDeviceNode is used to store a Network Device node
+type NetworkDeviceNode struct {
+ MatchedRules []*model.MatchedRule
+ GenerationType NodeGenerationType
+
+ Context model.NetworkDeviceContext
+
+ // FlowNodes are indexed by source IPPortContexts
+ FlowNodes map[model.IPPortContextComparable]*FlowNode
+}
+
+// NewNetworkDeviceNode returns a new NetworkDeviceNode instance
+func NewNetworkDeviceNode(ctx *model.NetworkDeviceContext, generationType NodeGenerationType) *NetworkDeviceNode {
+ node := &NetworkDeviceNode{
+ GenerationType: generationType,
+ Context: *ctx,
+ FlowNodes: make(map[model.IPPortContextComparable]*FlowNode),
+ }
+ return node
+}
+
+func (netdevice *NetworkDeviceNode) appendImageTag(imageTag string) {
+ for _, flow := range netdevice.FlowNodes {
+ flow.appendImageTag(imageTag)
+ }
+}
+
+func (netdevice *NetworkDeviceNode) evictImageTag(imageTag string) bool {
+ for key, flow := range netdevice.FlowNodes {
+ if shouldRemove := flow.evictImageTag(imageTag); !shouldRemove {
+ delete(netdevice.FlowNodes, key)
+ }
+ }
+
+ return len(netdevice.FlowNodes) == 0
+}
+
+func (netdevice *NetworkDeviceNode) insertNetworkFlowMonitorEvent(event *model.NetworkFlowMonitorEvent, dryRun bool, rules []*model.MatchedRule, generationType NodeGenerationType, imageTag string, stats *Stats) bool {
+ if len(rules) > 0 {
+ netdevice.MatchedRules = model.AppendMatchedRule(netdevice.MatchedRules, rules)
+ }
+
+ var newFlow bool
+ for _, flow := range event.Flows {
+ existingNode, ok := netdevice.FlowNodes[flow.Source.GetComparable()]
+ if ok {
+ newFlow = newFlow || existingNode.insertFlow(flow, dryRun, imageTag, stats)
+ if newFlow && dryRun {
+ // exit early
+ return newFlow
+ }
+ } else {
+ newFlow = true
+ if dryRun {
+ // exit early
+ return newFlow
+ }
+ // create new entry
+ netdevice.FlowNodes[flow.Source.GetComparable()] = NewFlowNode(flow, generationType, imageTag, stats)
+ }
+ }
+
+ return newFlow
+}
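Review bot: The eviction test in `NetworkDeviceNode.evictImageTag` is inverted. `FlowNode.evictImageTag` returns `true` only when the node's last image tag was removed, but the loop deletes the entry on `!shouldRemove`, so flow nodes that still carry other image tags are dropped and the ones that should go are kept. It should read `if shouldRemove := flow.evictImageTag(imageTag); shouldRemove {`, matching the device loop added to `ProcessNode.EvictImageTag`. In `insertNetworkFlowMonitorEvent`, `newFlow = newFlow || existingNode.insertFlow(...)` short-circuits once `newFlow` is true, so later flows of the same event whose source node already exists are never merged. `if existingNode.insertFlow(flow, dryRun, imageTag, stats) { newFlow = true }` keeps the call unconditional.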
diff --git a/pkg/security/security_profile/activity_tree/process_node.go b/pkg/security/security_profile/activity_tree/process_node.go
index 11525c9eacc791..758387b3264960 100644
--- a/pkg/security/security_profile/activity_tree/process_node.go
+++ b/pkg/security/security_profile/activity_tree/process_node.go
@@ -10,15 +10,14 @@ package activitytree
import (
"fmt"
- "io"
- "sort"
- "strings"
-
"github.com/DataDog/datadog-agent/pkg/security/resolvers"
sprocess "github.com/DataDog/datadog-agent/pkg/security/resolvers/process"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
"github.com/DataDog/datadog-agent/pkg/security/utils"
"golang.org/x/exp/slices"
+ "io"
+ "sort"
+ "strconv"
)
// ProcessNodeParent is an interface used to identify the parent of a process node
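Review bot: The import block now lists `io`, `sort` and `strconv` after the `github.com/...` packages and drops the blank line between groups, which `goimports` would reorder. Keeping the standard-library imports in their own leading group (`"fmt"`, `"io"`, `"sort"`, `"strconv"`, a blank line, then the third-party packages) matches the layout the removed lines had. The same blank-line removal appears in the import hunk of `dump/graph.go`.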
@@ -38,9 +37,10 @@ type ProcessNode struct {
ImageTags []string
MatchedRules []*model.MatchedRule
- Files map[string]*FileNode
- DNSNames map[string]*DNSNode
- IMDSEvents map[model.IMDSEvent]*IMDSNode
+ Files map[string]*FileNode
+ DNSNames map[string]*DNSNode
+ IMDSEvents map[model.IMDSEvent]*IMDSNode
+ NetworkDevices map[model.NetworkDeviceContext]*NetworkDeviceNode
Sockets []*SocketNode
Syscalls []*SyscallNode
@@ -62,6 +62,7 @@ func NewProcessNode(entry *model.ProcessCacheEntry, generationType NodeGeneratio
Files: make(map[string]*FileNode),
DNSNames: make(map[string]*DNSNode),
IMDSEvents: make(map[model.IMDSEvent]*IMDSNode),
+ NetworkDevices: make(map[model.NetworkDeviceContext]*NetworkDeviceNode),
}
}
@@ -95,22 +96,30 @@ func (pn *ProcessNode) AppendImageTag(imageTag string) {
}
func (pn *ProcessNode) getNodeLabel(args string) string {
- var label string
+ label := tableHeader
+
+ label += "Command | "
if sprocess.IsBusybox(pn.Process.FileEvent.PathnameStr) {
arg0, _ := sprocess.GetProcessArgv0(&pn.Process)
- label = fmt.Sprintf("%s %s", arg0, args)
+ label += fmt.Sprintf("%s %s", arg0, args) + " |
"
} else {
- label = fmt.Sprintf("%s %s", pn.Process.FileEvent.PathnameStr, args)
+ label += fmt.Sprintf("%s %s", pn.Process.FileEvent.PathnameStr, args)
}
+ label += ""
+
if len(pn.Process.FileEvent.PkgName) != 0 {
- label += fmt.Sprintf(" \\{%s %s\\}", pn.Process.FileEvent.PkgName, pn.Process.FileEvent.PkgVersion)
+ label += "Package | " + fmt.Sprintf("%s:%s", pn.Process.FileEvent.PkgName, pn.Process.FileEvent.PkgVersion) + " |
"
}
// add hashes
if len(pn.Process.FileEvent.Hashes) > 0 {
- label += fmt.Sprintf("|%v", strings.Join(pn.Process.FileEvent.Hashes, "|"))
+ label += "Hashes | " + pn.Process.FileEvent.Hashes[0] + " |
"
+ for _, h := range pn.Process.FileEvent.Hashes {
+ label += " | " + h + " |
"
+ }
} else {
- label += fmt.Sprintf("|(%s)", pn.Process.FileEvent.HashState)
+ label += "Hash state | " + pn.Process.FileEvent.HashState.String() + " |
"
}
+ label += ">"
return label
}
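Review bot: The first hash is emitted twice: the `Hashes` row prints `Hashes[0]`, and the following `for _, h := range pn.Process.FileEvent.Hashes` starts again at index 0. Ranging over `pn.Process.FileEvent.Hashes[1:]` fixes it. The two branches of the busybox check are also asymmetric, since only the first appends trailing cell text before the shared `label += ""` that follows. The markup appears stripped on this page, so confirm that both paths close the command row exactly once.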
@@ -338,6 +347,21 @@ func (pn *ProcessNode) InsertIMDSEvent(evt *model.Event, imageTag string, genera
return true
}
+// InsertNetworkFlowMonitorEvent inserts a Network Flow Monitor event in a process node
+func (pn *ProcessNode) InsertNetworkFlowMonitorEvent(evt *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool) bool {
+ deviceNode, ok := pn.NetworkDevices[evt.NetworkFlowMonitor.Device]
+ if ok {
+ return deviceNode.insertNetworkFlowMonitorEvent(&evt.NetworkFlowMonitor, dryRun, evt.Rules, generationType, imageTag, stats)
+ }
+
+ if !dryRun {
+ newNode := NewNetworkDeviceNode(&evt.NetworkFlowMonitor.Device, generationType)
+ newNode.insertNetworkFlowMonitorEvent(&evt.NetworkFlowMonitor, dryRun, evt.Rules, generationType, imageTag, stats)
+ pn.NetworkDevices[evt.NetworkFlowMonitor.Device] = newNode
+ }
+ return true
+}
+
// InsertBindEvent inserts a bind event in a process node
func (pn *ProcessNode) InsertBindEvent(evt *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool) bool {
if evt.Bind.SyscallEvent.Retval != 0 {
@@ -401,6 +425,12 @@ func (pn *ProcessNode) TagAllNodes(imageTag string) {
for _, scall := range pn.Syscalls {
scall.appendImageTag(imageTag)
}
+ for _, imds := range pn.IMDSEvents {
+ imds.appendImageTag(imageTag)
+ }
+ for _, device := range pn.NetworkDevices {
+ device.appendImageTag(imageTag)
+ }
for _, child := range pn.Children {
child.TagAllNodes(imageTag)
}
@@ -453,6 +483,13 @@ func (pn *ProcessNode) EvictImageTag(imageTag string, DNSNames *utils.StringKeys
}
}
+ // Evict image tag from network device nodes
+ for key, device := range pn.NetworkDevices {
+ if shouldRemoveNode := device.evictImageTag(imageTag); shouldRemoveNode {
+ delete(pn.NetworkDevices, key)
+ }
+ }
+
newSockets := []*SocketNode{}
for _, sock := range pn.Sockets {
if shouldRemoveNode := sock.evictImageTag(imageTag); !shouldRemoveNode {
diff --git a/pkg/security/security_profile/dump/activity_dump.go b/pkg/security/security_profile/dump/activity_dump.go
index 4df6a218cebe33..b50c7d6da4cf6c 100644
--- a/pkg/security/security_profile/dump/activity_dump.go
+++ b/pkg/security/security_profile/dump/activity_dump.go
@@ -710,6 +710,9 @@ func (ad *ActivityDump) ToSecurityActivityDumpMessage() *api.ActivityDumpMessage
FileNodesCount: ad.ActivityTree.Stats.FileNodes,
DNSNodesCount: ad.ActivityTree.Stats.DNSNodes,
SocketNodesCount: ad.ActivityTree.Stats.SocketNodes,
+ IMDSNodesCount: ad.ActivityTree.Stats.IMDSNodes,
+ SyscallNodesCount: ad.ActivityTree.Stats.SyscallNodes,
+ FlowNodesCount: ad.ActivityTree.Stats.FlowNodes,
ApproximateSize: ad.ActivityTree.Stats.ApproximateSize(),
}
}
diff --git a/pkg/security/security_profile/dump/graph.go b/pkg/security/security_profile/dump/graph.go
index 5a82ce371f5ae9..2f9244b1dad689 100644
--- a/pkg/security/security_profile/dump/graph.go
+++ b/pkg/security/security_profile/dump/graph.go
@@ -11,7 +11,6 @@ package dump
import (
"bytes"
"fmt"
-
"github.com/DataDog/datadog-agent/pkg/security/config"
"github.com/DataDog/datadog-agent/pkg/security/resolvers/process"
"github.com/DataDog/datadog-agent/pkg/security/utils"
@@ -19,24 +18,42 @@ import (
// ActivityDumpGraphTemplate is the template used to generate graphs
var ActivityDumpGraphTemplate = `digraph {
- label = "{{ .Title }}"
+ label = {{ .Title }}
labelloc = "t"
- fontsize = 75
fontcolor = "black"
fontname = "arial"
+ fontsize = 5
ratio = expand
- ranksep = 2
+ ranksep = 1.5
graph [pad=2]
- node [margin=0.3, padding=1, penwidth=3]
- edge [penwidth=2]
+ node [margin=0.05, padding=1, penwidth=1]
+ edge [penwidth=1]
{{ range .Nodes }}
{{ .ID }} [label={{ if not .IsTable }}"{{ end }}{{ .Label }}{{ if not .IsTable }}"{{ end }}, fontsize={{ .Size }}, shape={{ .Shape }}, fontname = "arial", color="{{ .Color }}", fillcolor="{{ .FillColor }}", style="filled"]
{{ end }}
{{ range .Edges }}
- {{ .From }} -> {{ .To }} [arrowhead=none, color="{{ .Color }}"]
+ {{ .From }} -> {{ .To }} [{{ if not .HasArrowHead}}arrowhead=none,{{ end }} color="{{ .Color }}", label={{ if not .IsTable }}"{{ end }}{{ .Label }}{{ if not .IsTable }}"{{ end }}]
+ {{ end }}
+
+ {{ range .SubGraphs }}
+ subgraph {{ .Name }} {
+ style=filled;
+ color="{{ .Color }}";
+ label="{{ .Title }}";
+ fontSize={{ .TitleSize }};
+ margin=5;
+
+ {{ range .Nodes }}
+ {{ .ID }} [label={{ if not .IsTable }}"{{ end }}{{ .Label }}{{ if not .IsTable }}"{{ end }}, fontsize={{ .Size }}, shape={{ .Shape }}, fontname = "arial", color="{{ .Color }}", fillcolor="{{ .FillColor }}", style="filled"]
+ {{ end }}
+
+ {{ range .Edges }}
+ {{ .From }} -> {{ .To }} [{{ if not .HasArrowHead}}arrowhead=none,{{ end }} color="{{ .Color }}", label={{ if not .IsTable }}"{{ end }}{{ .Label }}{{ if not .IsTable }}"{{ end }}]
+ {{ end }}
+ }
{{ end }}
}`
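Review bot: `label = {{ .Title }}` now emits the title without quotes (presumably as an HTML-like label), and the `{{ .Label }}` table branches for nodes and edges do the same, so the code that builds those strings has to produce well-formed DOT on its own. The values come from profiled workloads (dump name, selector, package names, hashes). If the template is rendered with text/template, which is not visible in this hunk, a `<`, `>`, `&` or `"` in any of them breaks the graph or adds markup to it; passing each interpolated value through `html.EscapeString` where the label is assembled would prevent that. Separately, the subgraph block sets `fontSize={{ .TitleSize }};` while the rest of the template uses `fontsize`; DOT attribute names are case-sensitive, so this should read `fontsize={{ .TitleSize }};`.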
@@ -45,12 +62,11 @@ func (ad *ActivityDump) ToGraph() utils.Graph {
ad.Lock()
defer ad.Unlock()
- title := fmt.Sprintf("%s: %s", ad.Metadata.Name, ad.getSelectorStr())
var resolver *process.EBPFResolver
if ad.adm != nil {
resolver = ad.adm.resolvers.ProcessResolver
}
- return ad.ActivityTree.PrepareGraphData(title, resolver)
+ return ad.ActivityTree.PrepareGraphData(ad.Metadata.Name, ad.getSelectorStr(), resolver)
}
// EncodeDOT encodes an activity dump in the DOT format
diff --git a/pkg/security/security_profile/dump/load_controller.go b/pkg/security/security_profile/dump/load_controller.go
index ae8767bcfd1536..0dbcb2becb5734 100644
--- a/pkg/security/security_profile/dump/load_controller.go
+++ b/pkg/security/security_profile/dump/load_controller.go
@@ -22,7 +22,7 @@ import (
var (
// TracedEventTypesReductionOrder is the order by which event types are reduced
- TracedEventTypesReductionOrder = []model.EventType{model.BindEventType, model.IMDSEventType, model.DNSEventType, model.SyscallsEventType, model.FileOpenEventType}
+ TracedEventTypesReductionOrder = []model.EventType{model.BindEventType, model.IMDSEventType, model.NetworkFlowMonitorEventType, model.DNSEventType, model.SyscallsEventType, model.FileOpenEventType}
absoluteMinimumDumpTimeout = 10 * time.Second
)
diff --git a/pkg/security/security_profile/profile/manager.go b/pkg/security/security_profile/profile/manager.go
index 38fd111fbfe5ad..25944201947423 100644
--- a/pkg/security/security_profile/profile/manager.go
+++ b/pkg/security/security_profile/profile/manager.go
@@ -561,10 +561,10 @@ func (m *SecurityProfileManager) SendStats() error {
}
}
- tags := []string{
+ t := []string{
fmt.Sprintf("in_kernel:%v", profilesLoadedInKernel),
}
- if err := m.statsdClient.Gauge(metrics.MetricSecurityProfileProfiles, float64(len(m.profiles)), tags, 1.0); err != nil {
+ if err := m.statsdClient.Gauge(metrics.MetricSecurityProfileProfiles, float64(len(m.profiles)), t, 1.0); err != nil {
return fmt.Errorf("couldn't send MetricSecurityProfileProfiles: %w", err)
}
@@ -587,9 +587,9 @@ func (m *SecurityProfileManager) SendStats() error {
}
for entry, count := range m.eventFiltering {
- tags := []string{fmt.Sprintf("event_type:%s", entry.eventType), entry.state.ToTag(), entry.result.toTag()}
+ t := []string{fmt.Sprintf("event_type:%s", entry.eventType), entry.state.ToTag(), entry.result.toTag()}
if value := count.Swap(0); value > 0 {
- if err := m.statsdClient.Count(metrics.MetricSecurityProfileEventFiltering, int64(value), tags, 1.0); err != nil {
+ if err := m.statsdClient.Count(metrics.MetricSecurityProfileEventFiltering, int64(value), t, 1.0); err != nil {
return fmt.Errorf("couldn't send MetricSecurityProfileEventFiltering metric: %w", err)
}
}
@@ -600,8 +600,8 @@ func (m *SecurityProfileManager) SendStats() error {
m.evictedVersions = []cgroupModel.WorkloadSelector{}
m.evictedVersionsLock.Unlock()
for _, version := range evictedVersions {
- tags := version.ToTags()
- if err := m.statsdClient.Count(metrics.MetricSecurityProfileEvictedVersions, 1, tags, 1.0); err != nil {
+ t := version.ToTags()
+ if err := m.statsdClient.Count(metrics.MetricSecurityProfileEvictedVersions, 1, t, 1.0); err != nil {
return fmt.Errorf("couldn't send MetricSecurityProfileEvictedVersions metric: %w", err)
}
@@ -746,7 +746,7 @@ func (m *SecurityProfileManager) LookupEventInProfiles(event *model.Event) {
profile.versionContextsLock.Lock()
ctx, found := profile.versionContexts[imageTag]
if found {
- // update the lastseen of this version
+ // update the last seen of this version
ctx.lastSeenNano = uint64(m.resolvers.TimeResolver.ComputeMonotonicTimestamp(time.Now()))
} else {
// create a new version
diff --git a/pkg/security/serializers/serializers_base.go b/pkg/security/serializers/serializers_base.go
index 32f84ace271f86..16725e68d1367e 100644
--- a/pkg/security/serializers/serializers_base.go
+++ b/pkg/security/serializers/serializers_base.go
@@ -124,6 +124,8 @@ type NetworkContextSerializer struct {
Destination IPPortSerializer `json:"destination"`
// size is the size in bytes of the network event
Size uint32 `json:"size"`
+ // network_direction indicates if the packet was captured on ingress or egress
+ NetworkDirection string `json:"network_direction"`
}
// AWSSecurityCredentialsSerializer serializes the security credentials from an AWS IMDS request
@@ -230,6 +232,45 @@ type RawPacketSerializer struct {
TLSContext *TLSContextSerializer `json:"tls,omitempty"`
}
+// NetworkStatsSerializer defines a new network stats serializer
+// easyjson:json
+type NetworkStatsSerializer struct {
+ // data_size is the total count of bytes sent or received
+ DataSize uint64 `json:"data_size,omitempty"`
+ // packet_count is the total count of packets sent or received
+ PacketCount uint64 `json:"packet_count,omitempty"`
+}
+
+// FlowSerializer defines a new flow serializer
+// easyjson:json
+type FlowSerializer struct {
+ // l3_protocol is the layer 3 protocol name
+ L3Protocol string `json:"l3_protocol"`
+ // l4_protocol is the layer 4 protocol name
+ L4Protocol string `json:"l4_protocol"`
+ // source is the emitter of the network event
+ Source IPPortSerializer `json:"source"`
+ // destination is the receiver of the network event
+ Destination IPPortSerializer `json:"destination"`
+
+ // ingress holds the network statistics for ingress traffic
+ Ingress *NetworkStatsSerializer `json:"ingress,omitempty"`
+ // egress holds the network statistics for egress traffic
+ Egress *NetworkStatsSerializer `json:"egress,omitempty"`
+}
+
+// NetworkFlowMonitorSerializer defines a network monitor event serializer
+// easyjson:json
+type NetworkFlowMonitorSerializer struct {
+ // device is the network device on which the event was captured
+ Device *NetworkDeviceSerializer `json:"device,omitempty"`
+
+ // flows_count holds the count of flows for this event
+ FlowsCount uint64 `json:"flows_count,omitempty"`
+ // flows is the list of flows with network statistics that were captured
+ Flows []*FlowSerializer `json:"flows,omitempty"`
+}
+
func newMatchedRulesSerializer(r *model.MatchedRule) MatchedRuleSerializer {
mrs := MatchedRuleSerializer{
ID: r.RuleID,
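Review bot: The comments on `FlowsCount` and `Flows` in NetworkFlowMonitorSerializer do not say how the two relate, in particular whether `flows_count` can be larger than `len(flows)` when the list is capped before serialization. Consumers that build detections on flow data need to know whether a short list means little traffic or a truncated event, so I would extend the comment once the behaviour is confirmed, e.g. `// flows_count is the number of flows captured for this event; it may exceed len(flows) if the list was truncated`. Both counters in NetworkStatsSerializer use `omitempty`, so a zero `data_size` or `packet_count` cannot be told apart from an absent one in the JSON; if that is intended, the field comments should say so.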
diff --git a/pkg/security/serializers/serializers_base_linux_easyjson.go b/pkg/security/serializers/serializers_base_linux_easyjson.go
index 743795c1405279..971b0c983f165c 100644
--- a/pkg/security/serializers/serializers_base_linux_easyjson.go
+++ b/pkg/security/serializers/serializers_base_linux_easyjson.go
@@ -186,6 +186,8 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers2(i
(out.Destination).UnmarshalEasyJSON(in)
case "size":
out.Size = uint32(in.Uint32())
+ case "network_direction":
+ out.NetworkDirection = string(in.String())
default:
in.SkipRecursive()
}
@@ -246,6 +248,11 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers2(o
out.RawString(prefix)
out.Uint32(uint32(in.Size))
}
+ {
+ const prefix string = ",\"network_direction\":"
+ out.RawString(prefix)
+ out.String(string(in.NetworkDirection))
+ }
out.RawByte('}')
}
@@ -890,7 +897,199 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers4(o
}
out.RawByte('}')
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(in *jlexer.Lexer, out *NetworkContextSerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(in *jlexer.Lexer, out *NetworkStatsSerializer) {
+ isTopLevel := in.IsStart()
+ if in.IsNull() {
+ if isTopLevel {
+ in.Consumed()
+ }
+ in.Skip()
+ return
+ }
+ in.Delim('{')
+ for !in.IsDelim('}') {
+ key := in.UnsafeFieldName(false)
+ in.WantColon()
+ if in.IsNull() {
+ in.Skip()
+ in.WantComma()
+ continue
+ }
+ switch key {
+ case "data_size":
+ out.DataSize = uint64(in.Uint64())
+ case "packet_count":
+ out.PacketCount = uint64(in.Uint64())
+ default:
+ in.SkipRecursive()
+ }
+ in.WantComma()
+ }
+ in.Delim('}')
+ if isTopLevel {
+ in.Consumed()
+ }
+}
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(out *jwriter.Writer, in NetworkStatsSerializer) {
+ out.RawByte('{')
+ first := true
+ _ = first
+ if in.DataSize != 0 {
+ const prefix string = ",\"data_size\":"
+ first = false
+ out.RawString(prefix[1:])
+ out.Uint64(uint64(in.DataSize))
+ }
+ if in.PacketCount != 0 {
+ const prefix string = ",\"packet_count\":"
+ if first {
+ first = false
+ out.RawString(prefix[1:])
+ } else {
+ out.RawString(prefix)
+ }
+ out.Uint64(uint64(in.PacketCount))
+ }
+ out.RawByte('}')
+}
+
+// MarshalEasyJSON supports easyjson.Marshaler interface
+func (v NetworkStatsSerializer) MarshalEasyJSON(w *jwriter.Writer) {
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(w, v)
+}
+
+// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
+func (v *NetworkStatsSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(l, v)
+}
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(in *jlexer.Lexer, out *NetworkFlowMonitorSerializer) {
+ isTopLevel := in.IsStart()
+ if in.IsNull() {
+ if isTopLevel {
+ in.Consumed()
+ }
+ in.Skip()
+ return
+ }
+ in.Delim('{')
+ for !in.IsDelim('}') {
+ key := in.UnsafeFieldName(false)
+ in.WantColon()
+ if in.IsNull() {
+ in.Skip()
+ in.WantComma()
+ continue
+ }
+ switch key {
+ case "device":
+ if in.IsNull() {
+ in.Skip()
+ out.Device = nil
+ } else {
+ if out.Device == nil {
+ out.Device = new(NetworkDeviceSerializer)
+ }
+ (*out.Device).UnmarshalEasyJSON(in)
+ }
+ case "flows_count":
+ out.FlowsCount = uint64(in.Uint64())
+ case "flows":
+ if in.IsNull() {
+ in.Skip()
+ out.Flows = nil
+ } else {
+ in.Delim('[')
+ if out.Flows == nil {
+ if !in.IsDelim(']') {
+ out.Flows = make([]*FlowSerializer, 0, 8)
+ } else {
+ out.Flows = []*FlowSerializer{}
+ }
+ } else {
+ out.Flows = (out.Flows)[:0]
+ }
+ for !in.IsDelim(']') {
+ var v18 *FlowSerializer
+ if in.IsNull() {
+ in.Skip()
+ v18 = nil
+ } else {
+ if v18 == nil {
+ v18 = new(FlowSerializer)
+ }
+ (*v18).UnmarshalEasyJSON(in)
+ }
+ out.Flows = append(out.Flows, v18)
+ in.WantComma()
+ }
+ in.Delim(']')
+ }
+ default:
+ in.SkipRecursive()
+ }
+ in.WantComma()
+ }
+ in.Delim('}')
+ if isTopLevel {
+ in.Consumed()
+ }
+}
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(out *jwriter.Writer, in NetworkFlowMonitorSerializer) {
+ out.RawByte('{')
+ first := true
+ _ = first
+ if in.Device != nil {
+ const prefix string = ",\"device\":"
+ first = false
+ out.RawString(prefix[1:])
+ (*in.Device).MarshalEasyJSON(out)
+ }
+ if in.FlowsCount != 0 {
+ const prefix string = ",\"flows_count\":"
+ if first {
+ first = false
+ out.RawString(prefix[1:])
+ } else {
+ out.RawString(prefix)
+ }
+ out.Uint64(uint64(in.FlowsCount))
+ }
+ if len(in.Flows) != 0 {
+ const prefix string = ",\"flows\":"
+ if first {
+ first = false
+ out.RawString(prefix[1:])
+ } else {
+ out.RawString(prefix)
+ }
+ {
+ out.RawByte('[')
+ for v19, v20 := range in.Flows {
+ if v19 > 0 {
+ out.RawByte(',')
+ }
+ if v20 == nil {
+ out.RawString("null")
+ } else {
+ (*v20).MarshalEasyJSON(out)
+ }
+ }
+ out.RawByte(']')
+ }
+ }
+ out.RawByte('}')
+}
+
+// MarshalEasyJSON supports easyjson.Marshaler interface
+func (v NetworkFlowMonitorSerializer) MarshalEasyJSON(w *jwriter.Writer) {
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(w, v)
+}
+
+// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
+func (v *NetworkFlowMonitorSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(l, v)
+}
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(in *jlexer.Lexer, out *NetworkContextSerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -929,6 +1128,8 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(i
(out.Destination).UnmarshalEasyJSON(in)
case "size":
out.Size = uint32(in.Uint32())
+ case "network_direction":
+ out.NetworkDirection = string(in.String())
default:
in.SkipRecursive()
}
@@ -939,7 +1140,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(i
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(out *jwriter.Writer, in NetworkContextSerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(out *jwriter.Writer, in NetworkContextSerializer) {
out.RawByte('{')
first := true
_ = first
@@ -979,19 +1180,24 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(o
out.RawString(prefix)
out.Uint32(uint32(in.Size))
}
+ {
+ const prefix string = ",\"network_direction\":"
+ out.RawString(prefix)
+ out.String(string(in.NetworkDirection))
+ }
out.RawByte('}')
}
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v NetworkContextSerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *NetworkContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers5(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(l, v)
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(in *jlexer.Lexer, out *MatchedRuleSerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(in *jlexer.Lexer, out *MatchedRuleSerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -1030,9 +1236,9 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(i
out.Tags = (out.Tags)[:0]
}
for !in.IsDelim(']') {
- var v18 string
- v18 = string(in.String())
- out.Tags = append(out.Tags, v18)
+ var v21 string
+ v21 = string(in.String())
+ out.Tags = append(out.Tags, v21)
in.WantComma()
}
in.Delim(']')
@@ -1051,7 +1257,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(i
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(out *jwriter.Writer, in MatchedRuleSerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(out *jwriter.Writer, in MatchedRuleSerializer) {
out.RawByte('{')
first := true
_ = first
@@ -1081,11 +1287,11 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(o
}
{
out.RawByte('[')
- for v19, v20 := range in.Tags {
- if v19 > 0 {
+ for v22, v23 := range in.Tags {
+ if v22 > 0 {
out.RawByte(',')
}
- out.String(string(v20))
+ out.String(string(v23))
}
out.RawByte(']')
}
@@ -1115,14 +1321,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(o
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v MatchedRuleSerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *MatchedRuleSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers6(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(l, v)
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(in *jlexer.Lexer, out *IPPortSerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(in *jlexer.Lexer, out *IPPortSerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -1155,7 +1361,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(i
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(out *jwriter.Writer, in IPPortSerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(out *jwriter.Writer, in IPPortSerializer) {
out.RawByte('{')
first := true
_ = first
@@ -1174,14 +1380,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(o
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v IPPortSerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *IPPortSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers7(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(l, v)
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(in *jlexer.Lexer, out *IPPortFamilySerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(in *jlexer.Lexer, out *IPPortFamilySerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -1216,7 +1422,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(i
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(out *jwriter.Writer, in IPPortFamilySerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(out *jwriter.Writer, in IPPortFamilySerializer) {
out.RawByte('{')
first := true
_ = first
@@ -1240,14 +1446,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(o
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v IPPortFamilySerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *IPPortFamilySerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers8(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(l, v)
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(in *jlexer.Lexer, out *IMDSEventSerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(in *jlexer.Lexer, out *IMDSEventSerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -1298,7 +1504,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(i
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(out *jwriter.Writer, in IMDSEventSerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(out *jwriter.Writer, in IMDSEventSerializer) {
out.RawByte('{')
first := true
_ = first
@@ -1342,14 +1548,117 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(o
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v IMDSEventSerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *IMDSEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers9(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(l, v)
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(in *jlexer.Lexer, out *ExitEventSerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(in *jlexer.Lexer, out *FlowSerializer) {
+ isTopLevel := in.IsStart()
+ if in.IsNull() {
+ if isTopLevel {
+ in.Consumed()
+ }
+ in.Skip()
+ return
+ }
+ in.Delim('{')
+ for !in.IsDelim('}') {
+ key := in.UnsafeFieldName(false)
+ in.WantColon()
+ if in.IsNull() {
+ in.Skip()
+ in.WantComma()
+ continue
+ }
+ switch key {
+ case "l3_protocol":
+ out.L3Protocol = string(in.String())
+ case "l4_protocol":
+ out.L4Protocol = string(in.String())
+ case "source":
+ (out.Source).UnmarshalEasyJSON(in)
+ case "destination":
+ (out.Destination).UnmarshalEasyJSON(in)
+ case "ingress":
+ if in.IsNull() {
+ in.Skip()
+ out.Ingress = nil
+ } else {
+ if out.Ingress == nil {
+ out.Ingress = new(NetworkStatsSerializer)
+ }
+ (*out.Ingress).UnmarshalEasyJSON(in)
+ }
+ case "egress":
+ if in.IsNull() {
+ in.Skip()
+ out.Egress = nil
+ } else {
+ if out.Egress == nil {
+ out.Egress = new(NetworkStatsSerializer)
+ }
+ (*out.Egress).UnmarshalEasyJSON(in)
+ }
+ default:
+ in.SkipRecursive()
+ }
+ in.WantComma()
+ }
+ in.Delim('}')
+ if isTopLevel {
+ in.Consumed()
+ }
+}
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(out *jwriter.Writer, in FlowSerializer) {
+ out.RawByte('{')
+ first := true
+ _ = first
+ {
+ const prefix string = ",\"l3_protocol\":"
+ out.RawString(prefix[1:])
+ out.String(string(in.L3Protocol))
+ }
+ {
+ const prefix string = ",\"l4_protocol\":"
+ out.RawString(prefix)
+ out.String(string(in.L4Protocol))
+ }
+ {
+ const prefix string = ",\"source\":"
+ out.RawString(prefix)
+ (in.Source).MarshalEasyJSON(out)
+ }
+ {
+ const prefix string = ",\"destination\":"
+ out.RawString(prefix)
+ (in.Destination).MarshalEasyJSON(out)
+ }
+ if in.Ingress != nil {
+ const prefix string = ",\"ingress\":"
+ out.RawString(prefix)
+ (*in.Ingress).MarshalEasyJSON(out)
+ }
+ if in.Egress != nil {
+ const prefix string = ",\"egress\":"
+ out.RawString(prefix)
+ (*in.Egress).MarshalEasyJSON(out)
+ }
+ out.RawByte('}')
+}
+
+// MarshalEasyJSON supports easyjson.Marshaler interface
+func (v FlowSerializer) MarshalEasyJSON(w *jwriter.Writer) {
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(w, v)
+}
+
+// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
+func (v *FlowSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(l, v)
+}
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(in *jlexer.Lexer, out *ExitEventSerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -1382,7 +1691,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(out *jwriter.Writer, in ExitEventSerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(out *jwriter.Writer, in ExitEventSerializer) {
out.RawByte('{')
first := true
_ = first
@@ -1401,14 +1710,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v ExitEventSerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *ExitEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers10(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(l, v)
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(in *jlexer.Lexer, out *EventContextSerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(in *jlexer.Lexer, out *EventContextSerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -1451,9 +1760,9 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(
out.MatchedRules = (out.MatchedRules)[:0]
}
for !in.IsDelim(']') {
- var v21 MatchedRuleSerializer
- (v21).UnmarshalEasyJSON(in)
- out.MatchedRules = append(out.MatchedRules, v21)
+ var v24 MatchedRuleSerializer
+ (v24).UnmarshalEasyJSON(in)
+ out.MatchedRules = append(out.MatchedRules, v24)
in.WantComma()
}
in.Delim(']')
@@ -1470,7 +1779,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(out *jwriter.Writer, in EventContextSerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(out *jwriter.Writer, in EventContextSerializer) {
out.RawByte('{')
first := true
_ = first
@@ -1520,11 +1829,11 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(
}
{
out.RawByte('[')
- for v22, v23 := range in.MatchedRules {
- if v22 > 0 {
+ for v25, v26 := range in.MatchedRules {
+ if v25 > 0 {
out.RawByte(',')
}
- (v23).MarshalEasyJSON(out)
+ (v26).MarshalEasyJSON(out)
}
out.RawByte(']')
}
@@ -1544,14 +1853,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v EventContextSerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *EventContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers11(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(l, v)
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(in *jlexer.Lexer, out *DNSQuestionSerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(in *jlexer.Lexer, out *DNSQuestionSerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -1590,7 +1899,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(out *jwriter.Writer, in DNSQuestionSerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(out *jwriter.Writer, in DNSQuestionSerializer) {
out.RawByte('{')
first := true
_ = first
@@ -1624,14 +1933,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v DNSQuestionSerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *DNSQuestionSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers12(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(l, v)
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(in *jlexer.Lexer, out *DNSEventSerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(in *jlexer.Lexer, out *DNSEventSerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -1664,7 +1973,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(out *jwriter.Writer, in DNSEventSerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(out *jwriter.Writer, in DNSEventSerializer) {
out.RawByte('{')
first := true
_ = first
@@ -1683,14 +1992,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v DNSEventSerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *DNSEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers13(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(l, v)
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(in *jlexer.Lexer, out *ContainerContextSerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(in *jlexer.Lexer, out *ContainerContextSerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -1735,7 +2044,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(out *jwriter.Writer, in ContainerContextSerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(out *jwriter.Writer, in ContainerContextSerializer) {
out.RawByte('{')
first := true
_ = first
@@ -1770,14 +2079,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v ContainerContextSerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *ContainerContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers14(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(l, v)
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(in *jlexer.Lexer, out *CGroupContextSerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(in *jlexer.Lexer, out *CGroupContextSerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -1810,7 +2119,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(out *jwriter.Writer, in CGroupContextSerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(out *jwriter.Writer, in CGroupContextSerializer) {
out.RawByte('{')
first := true
_ = first
@@ -1835,14 +2144,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v CGroupContextSerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *CGroupContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers15(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(l, v)
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(in *jlexer.Lexer, out *BaseEventSerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers19(in *jlexer.Lexer, out *BaseEventSerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -1932,7 +2241,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(out *jwriter.Writer, in BaseEventSerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers19(out *jwriter.Writer, in BaseEventSerializer) {
out.RawByte('{')
first := true
_ = first
@@ -2007,14 +2316,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v BaseEventSerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers19(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *BaseEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers16(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers19(l, v)
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(in *jlexer.Lexer, out *AWSSecurityCredentialsSerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers20(in *jlexer.Lexer, out *AWSSecurityCredentialsSerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -2053,7 +2362,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(out *jwriter.Writer, in AWSSecurityCredentialsSerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers20(out *jwriter.Writer, in AWSSecurityCredentialsSerializer) {
out.RawByte('{')
first := true
_ = first
@@ -2087,14 +2396,14 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v AWSSecurityCredentialsSerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers20(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *AWSSecurityCredentialsSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers17(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers20(l, v)
}
-func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(in *jlexer.Lexer, out *AWSIMDSEventSerializer) {
+func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers21(in *jlexer.Lexer, out *AWSIMDSEventSerializer) {
isTopLevel := in.IsStart()
if in.IsNull() {
if isTopLevel {
@@ -2135,7 +2444,7 @@ func easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(
in.Consumed()
}
}
-func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(out *jwriter.Writer, in AWSIMDSEventSerializer) {
+func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers21(out *jwriter.Writer, in AWSIMDSEventSerializer) {
out.RawByte('{')
first := true
_ = first
@@ -2154,10 +2463,10 @@ func easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(
// MarshalEasyJSON supports easyjson.Marshaler interface
func (v AWSIMDSEventSerializer) MarshalEasyJSON(w *jwriter.Writer) {
- easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(w, v)
+ easyjsonA1e47abeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers21(w, v)
}
// UnmarshalEasyJSON supports easyjson.Unmarshaler interface
func (v *AWSIMDSEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer) {
- easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers18(l, v)
+ easyjsonA1e47abeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers21(l, v)
}
diff --git a/pkg/security/serializers/serializers_linux.go b/pkg/security/serializers/serializers_linux.go
index 69b1cf0bd225ab..55acb7f11095db 100644
--- a/pkg/security/serializers/serializers_linux.go
+++ b/pkg/security/serializers/serializers_linux.go
@@ -623,23 +623,24 @@ type EventSerializer struct {
*DDContextSerializer `json:"dd,omitempty"`
*SecurityProfileContextSerializer `json:"security_profile,omitempty"`
- *SELinuxEventSerializer `json:"selinux,omitempty"`
- *BPFEventSerializer `json:"bpf,omitempty"`
- *MMapEventSerializer `json:"mmap,omitempty"`
- *MProtectEventSerializer `json:"mprotect,omitempty"`
- *PTraceEventSerializer `json:"ptrace,omitempty"`
- *ModuleEventSerializer `json:"module,omitempty"`
- *SignalEventSerializer `json:"signal,omitempty"`
- *SpliceEventSerializer `json:"splice,omitempty"`
- *DNSEventSerializer `json:"dns,omitempty"`
- *IMDSEventSerializer `json:"imds,omitempty"`
- *BindEventSerializer `json:"bind,omitempty"`
- *ConnectEventSerializer `json:"connect,omitempty"`
- *MountEventSerializer `json:"mount,omitempty"`
- *SyscallsEventSerializer `json:"syscalls,omitempty"`
- *UserContextSerializer `json:"usr,omitempty"`
- *SyscallContextSerializer `json:"syscall,omitempty"`
- *RawPacketSerializer `json:"packet,omitempty"`
+ *SELinuxEventSerializer `json:"selinux,omitempty"`
+ *BPFEventSerializer `json:"bpf,omitempty"`
+ *MMapEventSerializer `json:"mmap,omitempty"`
+ *MProtectEventSerializer `json:"mprotect,omitempty"`
+ *PTraceEventSerializer `json:"ptrace,omitempty"`
+ *ModuleEventSerializer `json:"module,omitempty"`
+ *SignalEventSerializer `json:"signal,omitempty"`
+ *SpliceEventSerializer `json:"splice,omitempty"`
+ *DNSEventSerializer `json:"dns,omitempty"`
+ *IMDSEventSerializer `json:"imds,omitempty"`
+ *BindEventSerializer `json:"bind,omitempty"`
+ *ConnectEventSerializer `json:"connect,omitempty"`
+ *MountEventSerializer `json:"mount,omitempty"`
+ *SyscallsEventSerializer `json:"syscalls,omitempty"`
+ *UserContextSerializer `json:"usr,omitempty"`
+ *SyscallContextSerializer `json:"syscall,omitempty"`
+ *RawPacketSerializer `json:"packet,omitempty"`
+ *NetworkFlowMonitorSerializer `json:"network_flow_monitor,omitempty"`
}
func newSyscallsEventSerializer(e *model.SyscallsEvent) *SyscallsEventSerializer {
@@ -1024,6 +1025,37 @@ func newRawPacketEventSerializer(rp *model.RawPacketEvent, e *model.Event) *RawP
}
}
+func newNetworkStatsSerializer(networkStats *model.NetworkStats, e *model.Event) *NetworkStatsSerializer {
+ return &NetworkStatsSerializer{
+ DataSize: networkStats.DataSize,
+ PacketCount: networkStats.PacketCount,
+ }
+}
+
+func newFlowSerializer(flow *model.Flow, e *model.Event) *FlowSerializer {
+ return &FlowSerializer{
+ L3Protocol: model.L3Protocol(flow.L3Protocol).String(),
+ L4Protocol: model.L4Protocol(flow.L4Protocol).String(),
+ Source: newIPPortSerializer(&flow.Source),
+ Destination: newIPPortSerializer(&flow.Destination),
+ Ingress: newNetworkStatsSerializer(&flow.Ingress, e),
+ Egress: newNetworkStatsSerializer(&flow.Egress, e),
+ }
+}
+
+func newNetworkFlowMonitorSerializer(nm *model.NetworkFlowMonitorEvent, e *model.Event) *NetworkFlowMonitorSerializer {
+ s := &NetworkFlowMonitorSerializer{
+ Device: newNetworkDeviceSerializer(&nm.Device, e),
+ FlowsCount: nm.FlowsCount,
+ }
+
+ for _, flow := range nm.Flows {
+ s.Flows = append(s.Flows, newFlowSerializer(&flow, e))
+ }
+
+ return s
+}
+
func serializeOutcome(retval int64) string {
switch {
case retval < 0:
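Review bot: In newNetworkFlowMonitorSerializer the loop `for _, flow := range nm.Flows` copies each model.Flow into the range variable and passes `&flow`, so the pointer never refers to the slice element. With a Go toolchain older than 1.22 that variable is reused across iterations, so the code is only correct while newFlowSerializer and its helpers keep no reference to it (newIPPortSerializer and newNetworkDeviceSerializer are not visible in this hunk). Indexing removes both the per-element copy and the aliasing question: `for i := range nm.Flows { s.Flows = append(s.Flows, newFlowSerializer(&nm.Flows[i], e)) }`. Separately, the `e` parameter of newNetworkStatsSerializer is unused in its body and could be dropped, and the three new constructors would benefit from a one-line comment each, e.g. `// newFlowSerializer converts a model.Flow into its JSON serializer`.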
@@ -1080,7 +1112,7 @@ func newProcessContextSerializer(pc *model.ProcessContext, e *model.Event) *Proc
ancestor = pce
prev = s
- ptr = it.Next()
+ ptr = it.Next(ctx)
}
// shrink the middle of the ancestors list if it is too long
@@ -1126,7 +1158,7 @@ func newDDContextSerializer(e *model.Event) *DDContextSerializer {
break
}
- ptr = it.Next()
+ ptr = it.Next(ctx)
}
return s
}
@@ -1134,12 +1166,13 @@ func newDDContextSerializer(e *model.Event) *DDContextSerializer {
// nolint: deadcode, unused
func newNetworkContextSerializer(e *model.Event, networkCtx *model.NetworkContext) *NetworkContextSerializer {
return &NetworkContextSerializer{
- Device: newNetworkDeviceSerializer(&networkCtx.Device, e),
- L3Protocol: model.L3Protocol(networkCtx.L3Protocol).String(),
- L4Protocol: model.L4Protocol(networkCtx.L4Protocol).String(),
- Source: newIPPortSerializer(&networkCtx.Source),
- Destination: newIPPortSerializer(&networkCtx.Destination),
- Size: networkCtx.Size,
+ Device: newNetworkDeviceSerializer(&networkCtx.Device, e),
+ L3Protocol: model.L3Protocol(networkCtx.L3Protocol).String(),
+ L4Protocol: model.L4Protocol(networkCtx.L4Protocol).String(),
+ Source: newIPPortSerializer(&networkCtx.Source),
+ Destination: newIPPortSerializer(&networkCtx.Destination),
+ Size: networkCtx.Size,
+ NetworkDirection: model.NetworkDirection(networkCtx.NetworkDirection).String(),
}
}
@@ -1439,6 +1472,8 @@ func NewEventSerializer(event *model.Event, opts *eval.Opts) *EventSerializer {
})
case model.RawPacketEventType:
s.RawPacketSerializer = newRawPacketEventSerializer(&event.RawPacket, event)
+ case model.NetworkFlowMonitorEventType:
+ s.NetworkFlowMonitorSerializer = newNetworkFlowMonitorSerializer(&event.NetworkFlowMonitor, event)
}
return s
diff --git a/pkg/security/serializers/serializers_linux_easyjson.go b/pkg/security/serializers/serializers_linux_easyjson.go
index ec264f2cb6de4f..f4995b257713e4 100644
--- a/pkg/security/serializers/serializers_linux_easyjson.go
+++ b/pkg/security/serializers/serializers_linux_easyjson.go
@@ -3612,6 +3612,7 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers24(
out.UserContextSerializer = new(UserContextSerializer)
out.SyscallContextSerializer = new(SyscallContextSerializer)
out.RawPacketSerializer = new(RawPacketSerializer)
+ out.NetworkFlowMonitorSerializer = new(NetworkFlowMonitorSerializer)
in.Delim('{')
for !in.IsDelim('}') {
key := in.UnsafeFieldName(false)
@@ -3843,6 +3844,16 @@ func easyjsonDdc0fdbeDecodeGithubComDataDogDatadogAgentPkgSecuritySerializers24(
}
(*out.RawPacketSerializer).UnmarshalEasyJSON(in)
}
+ case "network_flow_monitor":
+ if in.IsNull() {
+ in.Skip()
+ out.NetworkFlowMonitorSerializer = nil
+ } else {
+ if out.NetworkFlowMonitorSerializer == nil {
+ out.NetworkFlowMonitorSerializer = new(NetworkFlowMonitorSerializer)
+ }
+ (*out.NetworkFlowMonitorSerializer).UnmarshalEasyJSON(in)
+ }
case "evt":
(out.EventContextSerializer).UnmarshalEasyJSON(in)
case "date":
@@ -4120,6 +4131,16 @@ func easyjsonDdc0fdbeEncodeGithubComDataDogDatadogAgentPkgSecuritySerializers24(
}
(*in.RawPacketSerializer).MarshalEasyJSON(out)
}
+ if in.NetworkFlowMonitorSerializer != nil {
+ const prefix string = ",\"network_flow_monitor\":"
+ if first {
+ first = false
+ out.RawString(prefix[1:])
+ } else {
+ out.RawString(prefix)
+ }
+ (*in.NetworkFlowMonitorSerializer).MarshalEasyJSON(out)
+ }
if true {
const prefix string = ",\"evt\":"
if first {
diff --git a/pkg/security/tests/module_tester.go b/pkg/security/tests/module_tester.go
index 0b01cbcd72d494..4680672aaab682 100644
--- a/pkg/security/tests/module_tester.go
+++ b/pkg/security/tests/module_tester.go
@@ -811,6 +811,8 @@ func genTestConfigs(cfgDir string, opts testOpts) (*emconfig.Config, *secconfig.
"EnforcementDisarmerExecutableMaxAllowed": opts.enforcementDisarmerExecutableMaxAllowed,
"EnforcementDisarmerExecutablePeriod": opts.enforcementDisarmerExecutablePeriod,
"EventServerRetention": opts.eventServerRetention,
+ "EventStreamUseFentry": opts.eventStreamUseFentry,
+ "NetworkFlowMonitorEnabled": opts.networkFlowMonitorEnabled,
}); err != nil {
return nil, nil, err
}
diff --git a/pkg/security/tests/module_tester_linux.go b/pkg/security/tests/module_tester_linux.go
index 37a54cf6fee5b6..d04c82521cfa25 100644
--- a/pkg/security/tests/module_tester_linux.go
+++ b/pkg/security/tests/module_tester_linux.go
@@ -72,11 +72,16 @@ system_probe_config:
enable_runtime_compiler: true
event_monitoring_config:
+ event_stream:
+ use_fentry_amd64: {{ .EventStreamUseFentry }}
+ use_fentry: {{ .EventStreamUseFentry }}
socket: /tmp/test-event-monitor.sock
custom_sensitive_words:
- "*custom*"
network:
enabled: true
+ flow_monitor:
+ enabled: {{ .NetworkFlowMonitorEnabled }}
ingress:
enabled: {{ .NetworkIngressEnabled }}
raw_packet:
diff --git a/pkg/security/tests/network_test.go b/pkg/security/tests/network_test.go
index 2a34b3101e17af..617e4e90192a0b 100644
--- a/pkg/security/tests/network_test.go
+++ b/pkg/security/tests/network_test.go
@@ -9,11 +9,13 @@
package tests
import (
+ "context"
"fmt"
"net"
"net/netip"
"os"
"path/filepath"
+ "strconv"
"strings"
"testing"
@@ -259,3 +261,62 @@ func TestRawPacketFilter(t *testing.T) {
runTest(t, filters, rawpacket.DefaultProgOpts)
})
}
+
+func TestNetworkFlowSendUDP4(t *testing.T) {
+ SkipIfNotAvailable(t)
+
+ checkKernelCompatibility(t, "RHEL, SLES, SUSE and Oracle kernels", func(kv *kernel.Version) bool {
+ // TODO: Oracle because we are missing offsets
+ // OpenSUSE distributions are missing the dummy kernel module
+ return kv.IsRH7Kernel() || kv.IsOracleUEKKernel() || kv.IsSLESKernel() || kv.IsOpenSUSELeapKernel()
+ })
+
+ if testEnvironment != DockerEnvironment && !env.IsContainerized() {
+ if out, err := loadModule("veth"); err != nil {
+ t.Fatalf("couldn't load 'veth' module: %s, %v", string(out), err)
+ }
+ }
+
+ testDestIP := "127.0.0.1"
+ testUDPDestPort := 12345
+
+ rule := &rules.RuleDefinition{
+ ID: "test_rule_network_flow",
+ Expression: `network_flow_monitor.flows.length > 0 && process.file.name == "syscall_tester"`,
+ }
+
+ test, err := newTestModule(t, nil, []*rules.RuleDefinition{rule}, withStaticOpts(
+ testOpts{
+ networkFlowMonitorEnabled: true,
+ eventStreamUseFentry: true,
+ },
+ ))
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer test.Close()
+
+ syscallTester, err := loadSyscallTester(t, test, "syscall_tester")
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ t.Run("test_network_flow_send_udp4", func(t *testing.T) {
+ test.WaitSignal(t, func() error {
+ return runSyscallTesterFunc(context.Background(), t, syscallTester, "network_flow_send_udp4", testDestIP, strconv.Itoa(testUDPDestPort))
+ }, func(event *model.Event, r *rules.Rule) {
+ assert.Equal(t, "network_flow_monitor", event.GetType(), "wrong event type")
+ assert.Equal(t, uint64(1), event.NetworkFlowMonitor.FlowsCount, "wrong flow count")
+ if len(event.NetworkFlowMonitor.Flows) > 0 {
+ assert.Equal(t, testDestIP, event.NetworkFlowMonitor.Flows[0].Destination.IPNet.IP.To4().String(), "wrong destination IP")
+ assert.Equal(t, uint16(testUDPDestPort), event.NetworkFlowMonitor.Flows[0].Destination.Port, "wrong destination Port")
+ assert.Equal(t, uint16(model.IPProtoUDP), event.NetworkFlowMonitor.Flows[0].L4Protocol, "wrong L4 protocol")
+ assert.Equal(t, uint16(model.EthPIP), event.NetworkFlowMonitor.Flows[0].L3Protocol, "wrong L3 protocol")
+ assert.Equal(t, uint64(1), event.NetworkFlowMonitor.Flows[0].Egress.PacketCount, "wrong egress packet count")
+ assert.Equal(t, uint64(46), event.NetworkFlowMonitor.Flows[0].Egress.DataSize, "wrong egress data size") // full packet size including l2 header
+ assert.Equal(t, uint64(0), event.NetworkFlowMonitor.Flows[0].Ingress.PacketCount, "wrong ingress packet count")
+ assert.Equal(t, uint64(0), event.NetworkFlowMonitor.Flows[0].Ingress.DataSize, "wrong ingress data size")
+ }
+ })
+ })
+}
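Review bot: The `if len(event.NetworkFlowMonitor.Flows) > 0` guard in the WaitSignal callback lets the test pass without checking any per-flow field when Flows is empty, because FlowsCount is a separate counter and is the only value asserted outside the guard. Assert the length instead so that an empty or oversized slice fails the test: `if assert.Len(t, event.NetworkFlowMonitor.Flows, 1, "wrong number of flows") {`. The `loadModule("veth")` step also looks unnecessary for a datagram sent to 127.0.0.1; if the flow monitor setup does depend on it, a short comment saying why would help the next reader.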
diff --git a/pkg/security/tests/syscall_tester/c/syscall_tester.c b/pkg/security/tests/syscall_tester/c/syscall_tester.c
index 5fc0ba53ddf09c..b08cacf463c9db 100644
--- a/pkg/security/tests/syscall_tester/c/syscall_tester.c
+++ b/pkg/security/tests/syscall_tester/c/syscall_tester.c
@@ -868,6 +868,49 @@ int test_new_netns_exec(int argc, char **argv) {
return EXIT_FAILURE;
}
+int test_network_flow_send_udp4(int argc, char **argv) {
+ if (argc < 3) {
+ fprintf(stderr, "Please specify the remote IP address and port\n");
+ return EXIT_FAILURE;
+ }
+
+ int sockfd;
+ struct sockaddr_in server_addr;
+ const char *message = "DATA";
+
+ // Create a DGRAM socket
+ sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+ if (sockfd < 0) {
+ fprintf(stderr, "Socket creation failed\n");
+ return EXIT_FAILURE;
+ }
+
+ // Configure server address structure
+ memset(&server_addr, 0, sizeof(server_addr));
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(atoi(argv[2]));
+ server_addr.sin_addr.s_addr = inet_addr(argv[1]);
+
+ // Send the message
+ if (sendto(sockfd, message, strlen(message), 0, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
+ fprintf(stderr, "Failed to send data\n");
+ close(sockfd);
+ return EXIT_FAILURE;
+ }
+
+ printf("Message sent: %s\n", message);
+ pid_t pid;
+
+ // Get the process ID
+ pid = getpid();
+ printf("Process ID: %d\n", pid);
+
+ // Close the socket
+ close(sockfd);
+ printf("Socket closed.\n");
+ return EXIT_SUCCESS;
+}
+
int main(int argc, char **argv) {
setbuf(stdout, NULL);
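Review bot: test_network_flow_send_udp4 passes argv[1] and argv[2] to `inet_addr` and `atoi` without checking the results, so a malformed argument is not rejected. `inet_addr` reports failure as INADDR_NONE, which is also the encoding of 255.255.255.255, and `atoi` returns 0 on garbage while `htons` silently truncates values above 65535. The helper would then send to an unintended address or port and the Go test would only fail later on a timeout. Parsing with `inet_pton` and a bounded `strtol` makes the helper fail immediately with a clear message, as sketched below. main's body continues outside this hunk.

```c
    // … unchanged: argc check, socket creation …

    // Configure server address structure
    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;

    // Reject non-numeric or out-of-range ports instead of truncating them
    char *end = NULL;
    long port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || port < 1 || port > 65535) {
        fprintf(stderr, "Invalid port `%s`\n", argv[2]);
        close(sockfd);
        return EXIT_FAILURE;
    }
    server_addr.sin_port = htons((unsigned short)port);

    // inet_pton has an unambiguous error return, unlike inet_addr
    if (inet_pton(AF_INET, argv[1], &server_addr.sin_addr) != 1) {
        fprintf(stderr, "Invalid IPv4 address `%s`\n", argv[1]);
        close(sockfd);
        return EXIT_FAILURE;
    }

    // … unchanged: sendto, logging, close …
```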
@@ -947,6 +990,8 @@ int main(int argc, char **argv) {
exit_code = test_slow_cat(sub_argc, sub_argv);
} else if (strcmp(cmd, "slow-write") == 0) {
exit_code = test_slow_write(sub_argc, sub_argv);
+ } else if (strcmp(cmd, "network_flow_send_udp4") == 0) {
+ exit_code = test_network_flow_send_udp4(sub_argc, sub_argv);
}
else {
fprintf(stderr, "Unknown command `%s`\n", cmd);
diff --git a/pkg/security/tests/testopts.go b/pkg/security/tests/testopts.go
index fe1a31333cc262..3f17db14b796e4 100644
--- a/pkg/security/tests/testopts.go
+++ b/pkg/security/tests/testopts.go
@@ -74,6 +74,8 @@ type testOpts struct {
enforcementDisarmerExecutablePeriod time.Duration
eventServerRetention time.Duration
discardRuntime bool
+ eventStreamUseFentry bool
+ networkFlowMonitorEnabled bool
}
type dynamicTestOpts struct {
@@ -159,5 +161,7 @@ func (to testOpts) Equal(opts testOpts) bool {
to.enforcementDisarmerExecutableMaxAllowed == opts.enforcementDisarmerExecutableMaxAllowed &&
to.enforcementDisarmerExecutablePeriod == opts.enforcementDisarmerExecutablePeriod &&
to.eventServerRetention == opts.eventServerRetention &&
- to.discardRuntime == opts.discardRuntime
+ to.discardRuntime == opts.discardRuntime &&
+ to.eventStreamUseFentry == opts.eventStreamUseFentry &&
+ to.networkFlowMonitorEnabled == opts.networkFlowMonitorEnabled
}
diff --git a/pkg/security/utils/graph.go b/pkg/security/utils/graph.go
index 74afe7012a4b78..95edbbdb13e003 100644
--- a/pkg/security/utils/graph.go
+++ b/pkg/security/utils/graph.go
@@ -27,16 +27,30 @@ type Node struct {
// Edge describes an edge of a dot edge
type Edge struct {
- From GraphID
- To GraphID
- Color string
+ From GraphID
+ To GraphID
+ Color string
+ HasArrowHead bool
+ Label string
+ IsTable bool
+}
+
+// SubGraph describes a dot subgraph
+type SubGraph struct {
+ Name string
+ Title string
+ TitleSize int
+ Color string
+ Nodes map[GraphID]*Node
+ Edges []*Edge
}
// Graph describes a dot graph
type Graph struct {
- Title string
- Nodes map[GraphID]*Node
- Edges []*Edge
+ Title string
+ Nodes map[GraphID]*Node
+ Edges []*Edge
+ SubGraphs []*SubGraph
}
// EncodeDOT encodes an activity dump in the DOT format