diff --git a/pkg/security/generators/accessors/accessors.go b/pkg/security/generators/accessors/accessors.go index b7ae180325cc2..363028e92ea5c 100644 --- a/pkg/security/generators/accessors/accessors.go +++ b/pkg/security/generators/accessors/accessors.go @@ -18,6 +18,7 @@ import ( "os/exec" "path" "reflect" + "slices" "strconv" "strings" "text/template" @@ -65,9 +66,12 @@ func (af *AstFiles) LookupSymbol(symbol string) *ast.Object { //nolint:staticche return nil } -// GetSpecs gets specs -func (af *AstFiles) GetSpecs() []ast.Spec { - var specs []ast.Spec +// Parse extract data +func (af *AstFiles) Parse() ([]ast.Spec, []string) { + var ( + specs []ast.Spec + getters []string + ) for _, file := range af.files { for _, decl := range file.Decls { @@ -80,7 +84,13 @@ func (af *AstFiles) GetSpecs() []ast.Spec { for _, document := range decl.Doc.List { if strings.Contains(document.Text, "genaccessors") { genaccessors = true - break + } + + if strings.Contains(document.Text, "gengetter") { + els := strings.Split(document.Text, ":") + if len(els) > 1 { + getters = append(getters, strings.TrimSpace(els[1])) + } } } @@ -92,7 +102,7 @@ func (af *AstFiles) GetSpecs() []ast.Spec { } } - return specs + return specs, getters } func origTypeToBasicType(kind string) string { @@ -163,7 +173,6 @@ func handleBasic(module *common.Module, field seclField, name, alias, aliasPrefi Alias: alias, AliasPrefix: aliasPrefix, GettersOnly: field.gettersOnly, - GenGetters: field.genGetters, Ref: field.ref, RestrictedTo: restrictedTo, } @@ -194,7 +203,6 @@ func handleBasic(module *common.Module, field seclField, name, alias, aliasPrefi Alias: alias, AliasPrefix: aliasPrefix, GettersOnly: field.gettersOnly, - GenGetters: field.genGetters, Ref: field.ref, RestrictedTo: restrictedTo, } 
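Review bot: The new doc comment `// Parse extract data` in the `@@ -65,9 +66,12 @@` hunk does not say what the two returned slices hold, and the rename from `GetSpecs` leaves the name less descriptive than before. From the visible lines the second result is the list of names taken from `gengetter` doc comments, so a comment such as `// Parse returns the specs collected from the parsed files and the getter names listed in gengetter doc comments.` would serve the next reader. The body of the function continues in the following hunks.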
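Review bot: The `gengetter` check in the `@@ -80,7 +84,13 @@` hunk matches with `strings.Contains` and then keeps whatever sits between the first and second `:`, so any doc comment line that merely mentions the word and contains a colon adds an entry to `getters`, and text after a second colon is dropped without notice. Since this list decides which exported `Get…` methods are generated on `Event`, anchoring on the directive form is safer; assuming directives are written as `// gengetter: Name`, that could be `if name, ok := strings.CutPrefix(strings.TrimSpace(strings.TrimPrefix(document.Text, "//")), "gengetter:"); ok { getters = append(getters, strings.TrimSpace(name)) }`. Nothing visible in this diff reports a directive whose name matches no field, so a misspelt name appears to be skipped silently, though that may be checked outside the hunks shown. The loop sits inside a function whose start and end are in neighbouring hunks.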
@@ -254,7 +262,6 @@ func handleNonEmbedded(module *common.Module, field seclField, aliasPrefix, alia func addLengthOpField(module *common.Module, alias string, field *common.StructField) *common.StructField { lengthField := *field - lengthField.GenGetters = false lengthField.IsLength = true lengthField.Name += ".length" lengthField.OrigType = "int" @@ -337,7 +344,6 @@ func handleFieldWithHandler(module *common.Module, field seclField, aliasPrefix, Alias: alias, AliasPrefix: aliasPrefix, GettersOnly: field.gettersOnly, - GenGetters: field.genGetters, Ref: field.ref, RestrictedTo: restrictedTo, ReadOnly: field.readOnly, @@ -394,7 +400,6 @@ type seclField struct { exposedAtEventRootOnly bool // fields that should only be exposed at the root of an event, i.e. `parent` should not be exposed for an `ancestor` of a process containerStructName string gettersOnly bool // a field that is not exposed via SECL, but still has an accessor generated - genGetters bool ref string readOnly bool } @@ -447,8 +452,6 @@ func parseFieldDef(def string) (seclField, error) { case "getters_only": field.gettersOnly = true field.exposedAtEventRootOnly = true - case "gen_getters": - field.genGetters = true case "readonly": field.readOnly = true } @@ -754,7 +757,10 @@ func parseFile(modelFile string, typesFile string, pkgName string) (*common.Modu module.TargetPkg = path.Clean(path.Join(pkgName, path.Dir(output))) } - for _, spec := range astFiles.GetSpecs() { + specs, getters := astFiles.Parse() + module.Getters = getters + + for _, spec := range specs { handleSpecRecursive(module, astFiles, spec, "", "", "", nil, nil, make(map[string]bool)) } 
@@ -1075,6 +1081,10 @@ func isReadOnly(field *common.StructField) bool { return field.IsLength || field.Helper || field.ReadOnly } +func genGetter(getters []string, getter string) bool { + return slices.Contains(getters, "*") || slices.Contains(getters, getter) +} + var funcMap = map[string]interface{}{ "TrimPrefix": strings.TrimPrefix, "TrimSuffix": strings.TrimSuffix, @@ -1094,6 +1104,7 @@ var funcMap = map[string]interface{}{ "GetFieldReflectType": getFieldReflectType, "GetSetHandler": getSetHandler, "IsReadOnly": isReadOnly, + "GenGetter": genGetter, } //go:embed accessors.tmpl diff --git a/pkg/security/generators/accessors/common/types.go b/pkg/security/generators/accessors/common/types.go index 00fdcd1c581a1..084ea8981838c 100644 --- a/pkg/security/generators/accessors/common/types.go +++ b/pkg/security/generators/accessors/common/types.go @@ -43,6 +43,7 @@ type Module struct { Iterators map[string]*StructField EventTypes map[string]*EventTypeMetadata Mock bool + Getters []string } // StructField represents a structure field for which an accessor will be generated diff --git a/pkg/security/generators/accessors/field_accessors.tmpl b/pkg/security/generators/accessors/field_accessors.tmpl index 7fa3da492c2c2..6c0d688f00806 100644 --- a/pkg/security/generators/accessors/field_accessors.tmpl +++ b/pkg/security/generators/accessors/field_accessors.tmpl @@ -21,7 +21,9 @@ var _ = eval.NewContext {{range $Name, $Field := .Fields}} -{{if not $Field.GenGetters }} +{{ $getter := (PascalCaseFieldName $Name) | print "Get" }} + +{{if not ($getter | GenGetter $.Getters) }} {{continue}} {{end}} @@ -32,8 +34,6 @@ var _ = eval.NewContext {{end}} {{end}} -{{ $pascalCaseName := PascalCaseFieldName $Name }} - {{$accessorReturnType := $Field.OrigType}} {{ if $Field.Handler}} {{$accessorReturnType = $Field.ReturnType}} 
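Review bot: `genGetter` in the `@@ -1075,6 +1081,10 @@` hunk has no comment, and the `"*"` entry it honours is not documented anywhere in the visible diff. A single directive carrying `*` would presumably bring back every accessor this commit removes from the generated files, widening the exported surface of `Event` again, so the wildcard deserves an explicit mention where it is implemented. I would add `// genGetter reports whether the accessor named getter was requested by a gengetter directive; the entry "*" requests every getter.` above the function.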
@@ -43,8 +43,8 @@ var _ = eval.NewContext {{$accessorReturnType = $accessorReturnType | printf "[]%s" }} {{ end }} -// Get{{$pascalCaseName}} returns the value of the field, resolving if necessary -func (ev *Event) Get{{$pascalCaseName}}() {{ $accessorReturnType }} { +// {{$getter}} returns the value of the field, resolving if necessary +func (ev *Event) {{$getter}}() {{ $accessorReturnType }} { {{if ne $Field.Event ""}} if ev.GetEventType().String() != "{{$Field.Event}}" { return {{ GetDefaultValueOfType $accessorReturnType}} diff --git a/pkg/security/secl/model/field_accessors_unix.go b/pkg/security/secl/model/field_accessors_unix.go index babfff0508eae..ffdc57d2f23c9 100644 --- a/pkg/security/secl/model/field_accessors_unix.go +++ b/pkg/security/secl/model/field_accessors_unix.go @@ -18,30 +18,6 @@ var _ = time.Time{} var _ = net.IP{} var _ = eval.NewContext -// GetChdirFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetChdirFilePath() string { - if ev.GetEventType().String() != "chdir" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chdir.File) -} - -// GetChmodFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetChmodFilePath() string { - if ev.GetEventType().String() != "chmod" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chmod.File) -} - -// GetChownFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetChownFilePath() string { - if ev.GetEventType().String() != "chown" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chown.File) -} - // GetContainerCreatedAt returns the value of the field, resolving if necessary func (ev *Event) GetContainerCreatedAt() int { if ev.BaseEvent.ContainerContext == nil { 
@@ -74,39 +50,6 @@ func (ev *Event) GetExecCmdargv() []string { return ev.FieldHandlers.ResolveProcessCmdArgv(ev, ev.Exec.Process) } -// GetExecEnvp returns the value of the field, resolving if necessary -func (ev *Event) GetExecEnvp() []string { - if ev.GetEventType().String() != "exec" { - return []string{} - } - if ev.Exec.Process == nil { - return []string{} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process) -} - -// GetExecExecTime returns the value of the field, resolving if necessary -func (ev *Event) GetExecExecTime() time.Time { - if ev.GetEventType().String() != "exec" { - return time.Time{} - } - if ev.Exec.Process == nil { - return time.Time{} - } - return ev.Exec.Process.ExecTime -} - -// GetExecExitTime returns the value of the field, resolving if necessary -func (ev *Event) GetExecExitTime() time.Time { - if ev.GetEventType().String() != "exec" { - return time.Time{} - } - if ev.Exec.Process == nil { - return time.Time{} - } - return ev.Exec.Process.ExitTime -} - // GetExecFilePath returns the value of the field, resolving if necessary func (ev *Event) GetExecFilePath() string { if ev.GetEventType().String() != "exec" { 
@@ -121,1979 +64,111 @@ func (ev *Event) GetExecFilePath() string { return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent) } -// GetExecForkTime returns the value of the field, resolving if necessary -func (ev *Event) GetExecForkTime() time.Time { - if ev.GetEventType().String() != "exec" { - return time.Time{} - } - if ev.Exec.Process == nil { - return time.Time{} - } - return ev.Exec.Process.ForkTime -} - -// GetExecGid returns the value of the field, resolving if necessary -func (ev *Event) GetExecGid() uint32 { - if ev.GetEventType().String() != "exec" { - return uint32(0) - } - if ev.Exec.Process == nil { +// GetExitCode returns the value of the field, resolving if necessary +func (ev *Event) GetExitCode() uint32 { + if ev.GetEventType().String() != "exit" { return uint32(0) } - return ev.Exec.Process.Credentials.GID -} - -// GetExecGroup returns the value of the field, resolving if necessary -func (ev *Event) GetExecGroup() string { - if ev.GetEventType().String() != "exec" { - return "" - } - if ev.Exec.Process == nil { - return "" - } - return ev.Exec.Process.Credentials.Group + return ev.Exit.Code } -// GetExecInterpreterFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetExecInterpreterFilePath() string { - if ev.GetEventType().String() != "exec" { - return "" - } - if ev.Exec.Process == nil { - return "" - } - if !ev.Exec.Process.HasInterpreter() { +// GetMountMountpointPath returns the value of the field, resolving if necessary +func (ev *Event) GetMountMountpointPath() string { + if ev.GetEventType().String() != "mount" { return "" } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) -} - -// GetExecPid returns the value of the field, resolving if necessary -func (ev *Event) GetExecPid() uint32 { - if ev.GetEventType().String() != "exec" { - return uint32(0) - } - if ev.Exec.Process == nil { - return uint32(0) - } - return ev.Exec.Process.PIDContext.Pid -} - -// 
GetExecPpid returns the value of the field, resolving if necessary -func (ev *Event) GetExecPpid() uint32 { - if ev.GetEventType().String() != "exec" { - return uint32(0) - } - if ev.Exec.Process == nil { - return uint32(0) - } - return ev.Exec.Process.PPid -} - -// GetExecUid returns the value of the field, resolving if necessary -func (ev *Event) GetExecUid() uint32 { - if ev.GetEventType().String() != "exec" { - return uint32(0) - } - if ev.Exec.Process == nil { - return uint32(0) - } - return ev.Exec.Process.Credentials.UID + return ev.FieldHandlers.ResolveMountPointPath(ev, &ev.Mount) } -// GetExecUser returns the value of the field, resolving if necessary -func (ev *Event) GetExecUser() string { - if ev.GetEventType().String() != "exec" { - return "" - } - if ev.Exec.Process == nil { +// GetMountRootPath returns the value of the field, resolving if necessary +func (ev *Event) GetMountRootPath() string { + if ev.GetEventType().String() != "mount" { return "" } - return ev.Exec.Process.Credentials.User -} - -// GetExitCmdargv returns the value of the field, resolving if necessary -func (ev *Event) GetExitCmdargv() []string { - if ev.GetEventType().String() != "exit" { - return []string{} - } - if ev.Exit.Process == nil { - return []string{} - } - return ev.FieldHandlers.ResolveProcessCmdArgv(ev, ev.Exit.Process) -} - -// GetExitCode returns the value of the field, resolving if necessary -func (ev *Event) GetExitCode() uint32 { - if ev.GetEventType().String() != "exit" { - return uint32(0) - } - return ev.Exit.Code + return ev.FieldHandlers.ResolveMountRootPath(ev, &ev.Mount) } -// GetExitEnvp returns the value of the field, resolving if necessary -func (ev *Event) GetExitEnvp() []string { - if ev.GetEventType().String() != "exit" { - return []string{} - } - if ev.Exit.Process == nil { +// GetProcessEnvp returns the value of the field, resolving if necessary +func (ev *Event) GetProcessEnvp() []string { + if ev.BaseEvent.ProcessContext == nil { return []string{} 
} - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process) + return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process) } -// GetExitExecTime returns the value of the field, resolving if necessary -func (ev *Event) GetExitExecTime() time.Time { - if ev.GetEventType().String() != "exit" { - return time.Time{} - } - if ev.Exit.Process == nil { +// GetProcessExecTime returns the value of the field, resolving if necessary +func (ev *Event) GetProcessExecTime() time.Time { + if ev.BaseEvent.ProcessContext == nil { return time.Time{} } - return ev.Exit.Process.ExecTime + return ev.BaseEvent.ProcessContext.Process.ExecTime } -// GetExitExitTime returns the value of the field, resolving if necessary -func (ev *Event) GetExitExitTime() time.Time { - if ev.GetEventType().String() != "exit" { - return time.Time{} - } - if ev.Exit.Process == nil { +// GetProcessExitTime returns the value of the field, resolving if necessary +func (ev *Event) GetProcessExitTime() time.Time { + if ev.BaseEvent.ProcessContext == nil { return time.Time{} } - return ev.Exit.Process.ExitTime -} - -// GetExitFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetExitFilePath() string { - if ev.GetEventType().String() != "exit" { - return "" - } - if ev.Exit.Process == nil { - return "" - } - if !ev.Exit.Process.IsNotKworker() { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent) + return ev.BaseEvent.ProcessContext.Process.ExitTime } -// GetExitForkTime returns the value of the field, resolving if necessary -func (ev *Event) GetExitForkTime() time.Time { - if ev.GetEventType().String() != "exit" { - return time.Time{} - } - if ev.Exit.Process == nil { +// GetProcessForkTime returns the value of the field, resolving if necessary +func (ev *Event) GetProcessForkTime() time.Time { + if ev.BaseEvent.ProcessContext == nil { return time.Time{} } - return ev.Exit.Process.ForkTime + return 
ev.BaseEvent.ProcessContext.Process.ForkTime } -// GetExitGid returns the value of the field, resolving if necessary -func (ev *Event) GetExitGid() uint32 { - if ev.GetEventType().String() != "exit" { - return uint32(0) - } - if ev.Exit.Process == nil { +// GetProcessGid returns the value of the field, resolving if necessary +func (ev *Event) GetProcessGid() uint32 { + if ev.BaseEvent.ProcessContext == nil { return uint32(0) } - return ev.Exit.Process.Credentials.GID -} - -// GetExitGroup returns the value of the field, resolving if necessary -func (ev *Event) GetExitGroup() string { - if ev.GetEventType().String() != "exit" { - return "" - } - if ev.Exit.Process == nil { - return "" - } - return ev.Exit.Process.Credentials.Group + return ev.BaseEvent.ProcessContext.Process.Credentials.GID } -// GetExitInterpreterFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetExitInterpreterFilePath() string { - if ev.GetEventType().String() != "exit" { - return "" - } - if ev.Exit.Process == nil { - return "" - } - if !ev.Exit.Process.HasInterpreter() { +// GetProcessGroup returns the value of the field, resolving if necessary +func (ev *Event) GetProcessGroup() string { + if ev.BaseEvent.ProcessContext == nil { return "" } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) + return ev.BaseEvent.ProcessContext.Process.Credentials.Group } -// GetExitPid returns the value of the field, resolving if necessary -func (ev *Event) GetExitPid() uint32 { - if ev.GetEventType().String() != "exit" { - return uint32(0) - } - if ev.Exit.Process == nil { +// GetProcessPid returns the value of the field, resolving if necessary +func (ev *Event) GetProcessPid() uint32 { + if ev.BaseEvent.ProcessContext == nil { return uint32(0) } - return ev.Exit.Process.PIDContext.Pid + return ev.BaseEvent.ProcessContext.Process.PIDContext.Pid } -// GetExitPpid returns the value of the field, resolving if necessary -func (ev *Event) 
GetExitPpid() uint32 { - if ev.GetEventType().String() != "exit" { - return uint32(0) - } - if ev.Exit.Process == nil { +// GetProcessPpid returns the value of the field, resolving if necessary +func (ev *Event) GetProcessPpid() uint32 { + if ev.BaseEvent.ProcessContext == nil { return uint32(0) } - return ev.Exit.Process.PPid + return ev.BaseEvent.ProcessContext.Process.PPid } -// GetExitUid returns the value of the field, resolving if necessary -func (ev *Event) GetExitUid() uint32 { - if ev.GetEventType().String() != "exit" { - return uint32(0) - } - if ev.Exit.Process == nil { +// GetProcessUid returns the value of the field, resolving if necessary +func (ev *Event) GetProcessUid() uint32 { + if ev.BaseEvent.ProcessContext == nil { return uint32(0) } - return ev.Exit.Process.Credentials.UID -} - -// GetExitUser returns the value of the field, resolving if necessary -func (ev *Event) GetExitUser() string { - if ev.GetEventType().String() != "exit" { - return "" - } - if ev.Exit.Process == nil { - return "" - } - return ev.Exit.Process.Credentials.User -} - -// GetLinkFileDestinationPath returns the value of the field, resolving if necessary -func (ev *Event) GetLinkFileDestinationPath() string { - if ev.GetEventType().String() != "link" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Target) -} - -// GetLinkFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetLinkFilePath() string { - if ev.GetEventType().String() != "link" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Source) -} - -// GetLoadModuleFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetLoadModuleFilePath() string { - if ev.GetEventType().String() != "load_module" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.LoadModule.File) -} - -// GetMkdirFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetMkdirFilePath() string { - if 
ev.GetEventType().String() != "mkdir" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Mkdir.File) -} - -// GetMmapFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetMmapFilePath() string { - if ev.GetEventType().String() != "mmap" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.MMap.File) -} - -// GetMountMountpointPath returns the value of the field, resolving if necessary -func (ev *Event) GetMountMountpointPath() string { - if ev.GetEventType().String() != "mount" { - return "" - } - return ev.FieldHandlers.ResolveMountPointPath(ev, &ev.Mount) -} - -// GetMountRootPath returns the value of the field, resolving if necessary -func (ev *Event) GetMountRootPath() string { - if ev.GetEventType().String() != "mount" { - return "" - } - return ev.FieldHandlers.ResolveMountRootPath(ev, &ev.Mount) -} - -// GetOpenFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetOpenFilePath() string { - if ev.GetEventType().String() != "open" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Open.File) + return ev.BaseEvent.ProcessContext.Process.Credentials.UID } -// GetProcessAncestorsCmdargv returns the value of the field, resolving if necessary -func (ev *Event) GetProcessAncestorsCmdargv() []string { +// GetProcessUser returns the value of the field, resolving if necessary +func (ev *Event) GetProcessUser() string { if ev.BaseEvent.ProcessContext == nil { - return []string{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveProcessCmdArgv(ev, &element.ProcessContext.Process) - values = append(values, result...) 
- ptr = iterator.Next(ctx) + return "" } - return values -} - -// GetProcessAncestorsEnvp returns the value of the field, resolving if necessary -func (ev *Event) GetProcessAncestorsEnvp() []string { - if ev.BaseEvent.ProcessContext == nil { - return []string{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next(ctx) - } - return values -} - -// GetProcessAncestorsFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetProcessAncestorsFilePath() []string { - if ev.BaseEvent.ProcessContext == nil { - return []string{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetProcessAncestorsGid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessAncestorsGid() []uint32 { - if ev.BaseEvent.ProcessContext == nil { - return []uint32{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []uint32{} - } - var values []uint32 - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.Credentials.GID - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetProcessAncestorsGroup returns the value of the 
field, resolving if necessary -func (ev *Event) GetProcessAncestorsGroup() []string { - if ev.BaseEvent.ProcessContext == nil { - return []string{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.Credentials.Group - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetProcessAncestorsInterpreterFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetProcessAncestorsInterpreterFilePath() []string { - if ev.BaseEvent.ProcessContext == nil { - return []string{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetProcessAncestorsPid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessAncestorsPid() []uint32 { - if ev.BaseEvent.ProcessContext == nil { - return []uint32{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []uint32{} - } - var values []uint32 - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.PIDContext.Pid - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetProcessAncestorsPpid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessAncestorsPpid() []uint32 { - if 
ev.BaseEvent.ProcessContext == nil { - return []uint32{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []uint32{} - } - var values []uint32 - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.PPid - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetProcessAncestorsUid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessAncestorsUid() []uint32 { - if ev.BaseEvent.ProcessContext == nil { - return []uint32{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []uint32{} - } - var values []uint32 - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.Credentials.UID - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetProcessAncestorsUser returns the value of the field, resolving if necessary -func (ev *Event) GetProcessAncestorsUser() []string { - if ev.BaseEvent.ProcessContext == nil { - return []string{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.Credentials.User - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetProcessCmdargv returns the value of the field, resolving if necessary -func (ev *Event) GetProcessCmdargv() []string { - if ev.BaseEvent.ProcessContext == nil { - return []string{} - } - return ev.FieldHandlers.ResolveProcessCmdArgv(ev, &ev.BaseEvent.ProcessContext.Process) -} - -// GetProcessEnvp returns the value of the field, 
resolving if necessary -func (ev *Event) GetProcessEnvp() []string { - if ev.BaseEvent.ProcessContext == nil { - return []string{} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process) -} - -// GetProcessExecTime returns the value of the field, resolving if necessary -func (ev *Event) GetProcessExecTime() time.Time { - if ev.BaseEvent.ProcessContext == nil { - return time.Time{} - } - return ev.BaseEvent.ProcessContext.Process.ExecTime -} - -// GetProcessExitTime returns the value of the field, resolving if necessary -func (ev *Event) GetProcessExitTime() time.Time { - if ev.BaseEvent.ProcessContext == nil { - return time.Time{} - } - return ev.BaseEvent.ProcessContext.Process.ExitTime -} - -// GetProcessFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetProcessFilePath() string { - if ev.BaseEvent.ProcessContext == nil { - return "" - } - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) -} - -// GetProcessForkTime returns the value of the field, resolving if necessary -func (ev *Event) GetProcessForkTime() time.Time { - if ev.BaseEvent.ProcessContext == nil { - return time.Time{} - } - return ev.BaseEvent.ProcessContext.Process.ForkTime -} - -// GetProcessGid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessGid() uint32 { - if ev.BaseEvent.ProcessContext == nil { - return uint32(0) - } - return ev.BaseEvent.ProcessContext.Process.Credentials.GID -} - -// GetProcessGroup returns the value of the field, resolving if necessary -func (ev *Event) GetProcessGroup() string { - if ev.BaseEvent.ProcessContext == nil { - return "" - } - return ev.BaseEvent.ProcessContext.Process.Credentials.Group -} - -// GetProcessInterpreterFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetProcessInterpreterFilePath() string { - if 
ev.BaseEvent.ProcessContext == nil { - return "" - } - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) -} - -// GetProcessParentCmdargv returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentCmdargv() []string { - if ev.BaseEvent.ProcessContext == nil { - return []string{} - } - if ev.BaseEvent.ProcessContext.Parent == nil { - return []string{} - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{} - } - return ev.FieldHandlers.ResolveProcessCmdArgv(ev, ev.BaseEvent.ProcessContext.Parent) -} - -// GetProcessParentEnvp returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentEnvp() []string { - if ev.BaseEvent.ProcessContext == nil { - return []string{} - } - if ev.BaseEvent.ProcessContext.Parent == nil { - return []string{} - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent) -} - -// GetProcessParentFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentFilePath() string { - if ev.BaseEvent.ProcessContext == nil { - return "" - } - if ev.BaseEvent.ProcessContext.Parent == nil { - return "" - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return "" - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) -} - -// GetProcessParentGid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentGid() uint32 { - if ev.BaseEvent.ProcessContext == nil { - return uint32(0) - } - if ev.BaseEvent.ProcessContext.Parent == nil { - return uint32(0) - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return uint32(0) - } - return 
ev.BaseEvent.ProcessContext.Parent.Credentials.GID -} - -// GetProcessParentGroup returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentGroup() string { - if ev.BaseEvent.ProcessContext == nil { - return "" - } - if ev.BaseEvent.ProcessContext.Parent == nil { - return "" - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return "" - } - return ev.BaseEvent.ProcessContext.Parent.Credentials.Group -} - -// GetProcessParentInterpreterFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentInterpreterFilePath() string { - if ev.BaseEvent.ProcessContext == nil { - return "" - } - if ev.BaseEvent.ProcessContext.Parent == nil { - return "" - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return "" - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) -} - -// GetProcessParentPid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentPid() uint32 { - if ev.BaseEvent.ProcessContext == nil { - return uint32(0) - } - if ev.BaseEvent.ProcessContext.Parent == nil { - return uint32(0) - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return uint32(0) - } - return ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid -} - -// GetProcessParentPpid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentPpid() uint32 { - if ev.BaseEvent.ProcessContext == nil { - return uint32(0) - } - if ev.BaseEvent.ProcessContext.Parent == nil { - return uint32(0) - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return uint32(0) - } - return ev.BaseEvent.ProcessContext.Parent.PPid -} - -// GetProcessParentUid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentUid() uint32 { - if ev.BaseEvent.ProcessContext == nil { - return uint32(0) - } - if ev.BaseEvent.ProcessContext.Parent 
== nil { - return uint32(0) - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return uint32(0) - } - return ev.BaseEvent.ProcessContext.Parent.Credentials.UID -} - -// GetProcessParentUser returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentUser() string { - if ev.BaseEvent.ProcessContext == nil { - return "" - } - if ev.BaseEvent.ProcessContext.Parent == nil { - return "" - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return "" - } - return ev.BaseEvent.ProcessContext.Parent.Credentials.User -} - -// GetProcessPid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessPid() uint32 { - if ev.BaseEvent.ProcessContext == nil { - return uint32(0) - } - return ev.BaseEvent.ProcessContext.Process.PIDContext.Pid -} - -// GetProcessPpid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessPpid() uint32 { - if ev.BaseEvent.ProcessContext == nil { - return uint32(0) - } - return ev.BaseEvent.ProcessContext.Process.PPid -} - -// GetProcessUid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessUid() uint32 { - if ev.BaseEvent.ProcessContext == nil { - return uint32(0) - } - return ev.BaseEvent.ProcessContext.Process.Credentials.UID -} - -// GetProcessUser returns the value of the field, resolving if necessary -func (ev *Event) GetProcessUser() string { - if ev.BaseEvent.ProcessContext == nil { - return "" - } - return ev.BaseEvent.ProcessContext.Process.Credentials.User -} - -// GetPtraceTraceeAncestorsCmdargv returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeAncestorsCmdargv() []string { - if ev.GetEventType().String() != "ptrace" { - return []string{} - } - if ev.PTrace.Tracee == nil { - return []string{} - } - if ev.PTrace.Tracee.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr 
!= nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveProcessCmdArgv(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next(ctx) - } - return values -} - -// GetPtraceTraceeAncestorsEnvp returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeAncestorsEnvp() []string { - if ev.GetEventType().String() != "ptrace" { - return []string{} - } - if ev.PTrace.Tracee == nil { - return []string{} - } - if ev.PTrace.Tracee.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next(ctx) - } - return values -} - -// GetPtraceTraceeAncestorsFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeAncestorsFilePath() []string { - if ev.GetEventType().String() != "ptrace" { - return []string{} - } - if ev.PTrace.Tracee == nil { - return []string{} - } - if ev.PTrace.Tracee.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetPtraceTraceeAncestorsGid returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeAncestorsGid() []uint32 { - if ev.GetEventType().String() != "ptrace" { - return []uint32{} - } - if ev.PTrace.Tracee == nil { - return []uint32{} - } - if ev.PTrace.Tracee.Ancestor == nil { - return []uint32{} - } - var values []uint32 - ctx := 
eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.Credentials.GID - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetPtraceTraceeAncestorsGroup returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeAncestorsGroup() []string { - if ev.GetEventType().String() != "ptrace" { - return []string{} - } - if ev.PTrace.Tracee == nil { - return []string{} - } - if ev.PTrace.Tracee.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.Credentials.Group - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetPtraceTraceeAncestorsInterpreterFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeAncestorsInterpreterFilePath() []string { - if ev.GetEventType().String() != "ptrace" { - return []string{} - } - if ev.PTrace.Tracee == nil { - return []string{} - } - if ev.PTrace.Tracee.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetPtraceTraceeAncestorsPid returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeAncestorsPid() []uint32 { - if ev.GetEventType().String() != "ptrace" { - return []uint32{} - } - if ev.PTrace.Tracee == nil { - return []uint32{} - } - if ev.PTrace.Tracee.Ancestor 
== nil { - return []uint32{} - } - var values []uint32 - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.PIDContext.Pid - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetPtraceTraceeAncestorsPpid returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeAncestorsPpid() []uint32 { - if ev.GetEventType().String() != "ptrace" { - return []uint32{} - } - if ev.PTrace.Tracee == nil { - return []uint32{} - } - if ev.PTrace.Tracee.Ancestor == nil { - return []uint32{} - } - var values []uint32 - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.PPid - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetPtraceTraceeAncestorsUid returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeAncestorsUid() []uint32 { - if ev.GetEventType().String() != "ptrace" { - return []uint32{} - } - if ev.PTrace.Tracee == nil { - return []uint32{} - } - if ev.PTrace.Tracee.Ancestor == nil { - return []uint32{} - } - var values []uint32 - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.Credentials.UID - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetPtraceTraceeAncestorsUser returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeAncestorsUser() []string { - if ev.GetEventType().String() != "ptrace" { - return []string{} - } - if ev.PTrace.Tracee == nil { - return []string{} - } - if ev.PTrace.Tracee.Ancestor == nil { - return 
[]string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.Credentials.User - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetPtraceTraceeCmdargv returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeCmdargv() []string { - if ev.GetEventType().String() != "ptrace" { - return []string{} - } - if ev.PTrace.Tracee == nil { - return []string{} - } - return ev.FieldHandlers.ResolveProcessCmdArgv(ev, &ev.PTrace.Tracee.Process) -} - -// GetPtraceTraceeEnvp returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeEnvp() []string { - if ev.GetEventType().String() != "ptrace" { - return []string{} - } - if ev.PTrace.Tracee == nil { - return []string{} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.PTrace.Tracee.Process) -} - -// GetPtraceTraceeExecTime returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeExecTime() time.Time { - if ev.GetEventType().String() != "ptrace" { - return time.Time{} - } - if ev.PTrace.Tracee == nil { - return time.Time{} - } - return ev.PTrace.Tracee.Process.ExecTime -} - -// GetPtraceTraceeExitTime returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeExitTime() time.Time { - if ev.GetEventType().String() != "ptrace" { - return time.Time{} - } - if ev.PTrace.Tracee == nil { - return time.Time{} - } - return ev.PTrace.Tracee.Process.ExitTime -} - -// GetPtraceTraceeFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeFilePath() string { - if ev.GetEventType().String() != "ptrace" { - return "" - } - if ev.PTrace.Tracee == nil { - return "" - } - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return "" - } - return 
ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.FileEvent) -} - -// GetPtraceTraceeForkTime returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeForkTime() time.Time { - if ev.GetEventType().String() != "ptrace" { - return time.Time{} - } - if ev.PTrace.Tracee == nil { - return time.Time{} - } - return ev.PTrace.Tracee.Process.ForkTime -} - -// GetPtraceTraceeGid returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeGid() uint32 { - if ev.GetEventType().String() != "ptrace" { - return uint32(0) - } - if ev.PTrace.Tracee == nil { - return uint32(0) - } - return ev.PTrace.Tracee.Process.Credentials.GID -} - -// GetPtraceTraceeGroup returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeGroup() string { - if ev.GetEventType().String() != "ptrace" { - return "" - } - if ev.PTrace.Tracee == nil { - return "" - } - return ev.PTrace.Tracee.Process.Credentials.Group -} - -// GetPtraceTraceeInterpreterFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeInterpreterFilePath() string { - if ev.GetEventType().String() != "ptrace" { - return "" - } - if ev.PTrace.Tracee == nil { - return "" - } - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) -} - -// GetPtraceTraceeParentCmdargv returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeParentCmdargv() []string { - if ev.GetEventType().String() != "ptrace" { - return []string{} - } - if ev.PTrace.Tracee == nil { - return []string{} - } - if ev.PTrace.Tracee.Parent == nil { - return []string{} - } - if !ev.PTrace.Tracee.HasParent() { - return []string{} - } - return ev.FieldHandlers.ResolveProcessCmdArgv(ev, ev.PTrace.Tracee.Parent) -} - -// GetPtraceTraceeParentEnvp returns the value of the field, resolving if necessary -func (ev 
*Event) GetPtraceTraceeParentEnvp() []string { - if ev.GetEventType().String() != "ptrace" { - return []string{} - } - if ev.PTrace.Tracee == nil { - return []string{} - } - if ev.PTrace.Tracee.Parent == nil { - return []string{} - } - if !ev.PTrace.Tracee.HasParent() { - return []string{} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.PTrace.Tracee.Parent) -} - -// GetPtraceTraceeParentFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeParentFilePath() string { - if ev.GetEventType().String() != "ptrace" { - return "" - } - if ev.PTrace.Tracee == nil { - return "" - } - if ev.PTrace.Tracee.Parent == nil { - return "" - } - if !ev.PTrace.Tracee.HasParent() { - return "" - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.FileEvent) -} - -// GetPtraceTraceeParentGid returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeParentGid() uint32 { - if ev.GetEventType().String() != "ptrace" { - return uint32(0) - } - if ev.PTrace.Tracee == nil { - return uint32(0) - } - if ev.PTrace.Tracee.Parent == nil { - return uint32(0) - } - if !ev.PTrace.Tracee.HasParent() { - return uint32(0) - } - return ev.PTrace.Tracee.Parent.Credentials.GID -} - -// GetPtraceTraceeParentGroup returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeParentGroup() string { - if ev.GetEventType().String() != "ptrace" { - return "" - } - if ev.PTrace.Tracee == nil { - return "" - } - if ev.PTrace.Tracee.Parent == nil { - return "" - } - if !ev.PTrace.Tracee.HasParent() { - return "" - } - return ev.PTrace.Tracee.Parent.Credentials.Group -} - -// GetPtraceTraceeParentInterpreterFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeParentInterpreterFilePath() string { - if ev.GetEventType().String() != "ptrace" { - return "" - } - if ev.PTrace.Tracee == nil 
{ - return "" - } - if ev.PTrace.Tracee.Parent == nil { - return "" - } - if !ev.PTrace.Tracee.HasParent() { - return "" - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) -} - -// GetPtraceTraceeParentPid returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeParentPid() uint32 { - if ev.GetEventType().String() != "ptrace" { - return uint32(0) - } - if ev.PTrace.Tracee == nil { - return uint32(0) - } - if ev.PTrace.Tracee.Parent == nil { - return uint32(0) - } - if !ev.PTrace.Tracee.HasParent() { - return uint32(0) - } - return ev.PTrace.Tracee.Parent.PIDContext.Pid -} - -// GetPtraceTraceeParentPpid returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeParentPpid() uint32 { - if ev.GetEventType().String() != "ptrace" { - return uint32(0) - } - if ev.PTrace.Tracee == nil { - return uint32(0) - } - if ev.PTrace.Tracee.Parent == nil { - return uint32(0) - } - if !ev.PTrace.Tracee.HasParent() { - return uint32(0) - } - return ev.PTrace.Tracee.Parent.PPid -} - -// GetPtraceTraceeParentUid returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeParentUid() uint32 { - if ev.GetEventType().String() != "ptrace" { - return uint32(0) - } - if ev.PTrace.Tracee == nil { - return uint32(0) - } - if ev.PTrace.Tracee.Parent == nil { - return uint32(0) - } - if !ev.PTrace.Tracee.HasParent() { - return uint32(0) - } - return ev.PTrace.Tracee.Parent.Credentials.UID -} - -// GetPtraceTraceeParentUser returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeParentUser() string { - if ev.GetEventType().String() != "ptrace" { - return "" - } - if ev.PTrace.Tracee == nil { - return "" - } - if ev.PTrace.Tracee.Parent == nil { - return "" - } - if !ev.PTrace.Tracee.HasParent() { - return "" - } - return ev.PTrace.Tracee.Parent.Credentials.User -} - 
-// GetPtraceTraceePid returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceePid() uint32 { - if ev.GetEventType().String() != "ptrace" { - return uint32(0) - } - if ev.PTrace.Tracee == nil { - return uint32(0) - } - return ev.PTrace.Tracee.Process.PIDContext.Pid -} - -// GetPtraceTraceePpid returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceePpid() uint32 { - if ev.GetEventType().String() != "ptrace" { - return uint32(0) - } - if ev.PTrace.Tracee == nil { - return uint32(0) - } - return ev.PTrace.Tracee.Process.PPid -} - -// GetPtraceTraceeUid returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeUid() uint32 { - if ev.GetEventType().String() != "ptrace" { - return uint32(0) - } - if ev.PTrace.Tracee == nil { - return uint32(0) - } - return ev.PTrace.Tracee.Process.Credentials.UID -} - -// GetPtraceTraceeUser returns the value of the field, resolving if necessary -func (ev *Event) GetPtraceTraceeUser() string { - if ev.GetEventType().String() != "ptrace" { - return "" - } - if ev.PTrace.Tracee == nil { - return "" - } - return ev.PTrace.Tracee.Process.Credentials.User -} - -// GetRemovexattrFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetRemovexattrFilePath() string { - if ev.GetEventType().String() != "removexattr" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.RemoveXAttr.File) -} - -// GetRenameFileDestinationPath returns the value of the field, resolving if necessary -func (ev *Event) GetRenameFileDestinationPath() string { - if ev.GetEventType().String() != "rename" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.New) -} - -// GetRenameFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetRenameFilePath() string { - if ev.GetEventType().String() != "rename" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.Old) -} - 
-// GetRmdirFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetRmdirFilePath() string { - if ev.GetEventType().String() != "rmdir" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rmdir.File) -} - -// GetSetxattrFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetSetxattrFilePath() string { - if ev.GetEventType().String() != "setxattr" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.SetXAttr.File) -} - -// GetSignalTargetAncestorsCmdargv returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetAncestorsCmdargv() []string { - if ev.GetEventType().String() != "signal" { - return []string{} - } - if ev.Signal.Target == nil { - return []string{} - } - if ev.Signal.Target.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveProcessCmdArgv(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next(ctx) - } - return values -} - -// GetSignalTargetAncestorsEnvp returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetAncestorsEnvp() []string { - if ev.GetEventType().String() != "signal" { - return []string{} - } - if ev.Signal.Target == nil { - return []string{} - } - if ev.Signal.Target.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) - values = append(values, result...) 
- ptr = iterator.Next(ctx) - } - return values -} - -// GetSignalTargetAncestorsFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetAncestorsFilePath() []string { - if ev.GetEventType().String() != "signal" { - return []string{} - } - if ev.Signal.Target == nil { - return []string{} - } - if ev.Signal.Target.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetSignalTargetAncestorsGid returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetAncestorsGid() []uint32 { - if ev.GetEventType().String() != "signal" { - return []uint32{} - } - if ev.Signal.Target == nil { - return []uint32{} - } - if ev.Signal.Target.Ancestor == nil { - return []uint32{} - } - var values []uint32 - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.Credentials.GID - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetSignalTargetAncestorsGroup returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetAncestorsGroup() []string { - if ev.GetEventType().String() != "signal" { - return []string{} - } - if ev.Signal.Target == nil { - return []string{} - } - if ev.Signal.Target.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.Credentials.Group - 
values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetSignalTargetAncestorsInterpreterFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetAncestorsInterpreterFilePath() []string { - if ev.GetEventType().String() != "signal" { - return []string{} - } - if ev.Signal.Target == nil { - return []string{} - } - if ev.Signal.Target.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetSignalTargetAncestorsPid returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetAncestorsPid() []uint32 { - if ev.GetEventType().String() != "signal" { - return []uint32{} - } - if ev.Signal.Target == nil { - return []uint32{} - } - if ev.Signal.Target.Ancestor == nil { - return []uint32{} - } - var values []uint32 - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.PIDContext.Pid - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetSignalTargetAncestorsPpid returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetAncestorsPpid() []uint32 { - if ev.GetEventType().String() != "signal" { - return []uint32{} - } - if ev.Signal.Target == nil { - return []uint32{} - } - if ev.Signal.Target.Ancestor == nil { - return []uint32{} - } - var values []uint32 - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - 
result := element.ProcessContext.Process.PPid - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetSignalTargetAncestorsUid returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetAncestorsUid() []uint32 { - if ev.GetEventType().String() != "signal" { - return []uint32{} - } - if ev.Signal.Target == nil { - return []uint32{} - } - if ev.Signal.Target.Ancestor == nil { - return []uint32{} - } - var values []uint32 - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.Credentials.UID - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetSignalTargetAncestorsUser returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetAncestorsUser() []string { - if ev.GetEventType().String() != "signal" { - return []string{} - } - if ev.Signal.Target == nil { - return []string{} - } - if ev.Signal.Target.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.Credentials.User - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetSignalTargetCmdargv returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetCmdargv() []string { - if ev.GetEventType().String() != "signal" { - return []string{} - } - if ev.Signal.Target == nil { - return []string{} - } - return ev.FieldHandlers.ResolveProcessCmdArgv(ev, &ev.Signal.Target.Process) -} - -// GetSignalTargetEnvp returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetEnvp() []string { - if ev.GetEventType().String() != "signal" { - return []string{} - } 
- if ev.Signal.Target == nil { - return []string{} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.Signal.Target.Process) -} - -// GetSignalTargetExecTime returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetExecTime() time.Time { - if ev.GetEventType().String() != "signal" { - return time.Time{} - } - if ev.Signal.Target == nil { - return time.Time{} - } - return ev.Signal.Target.Process.ExecTime -} - -// GetSignalTargetExitTime returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetExitTime() time.Time { - if ev.GetEventType().String() != "signal" { - return time.Time{} - } - if ev.Signal.Target == nil { - return time.Time{} - } - return ev.Signal.Target.Process.ExitTime -} - -// GetSignalTargetFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetFilePath() string { - if ev.GetEventType().String() != "signal" { - return "" - } - if ev.Signal.Target == nil { - return "" - } - if !ev.Signal.Target.Process.IsNotKworker() { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.FileEvent) -} - -// GetSignalTargetForkTime returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetForkTime() time.Time { - if ev.GetEventType().String() != "signal" { - return time.Time{} - } - if ev.Signal.Target == nil { - return time.Time{} - } - return ev.Signal.Target.Process.ForkTime -} - -// GetSignalTargetGid returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetGid() uint32 { - if ev.GetEventType().String() != "signal" { - return uint32(0) - } - if ev.Signal.Target == nil { - return uint32(0) - } - return ev.Signal.Target.Process.Credentials.GID -} - -// GetSignalTargetGroup returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetGroup() string { - if ev.GetEventType().String() != "signal" { - return "" - } - if ev.Signal.Target == nil 
{ - return "" - } - return ev.Signal.Target.Process.Credentials.Group -} - -// GetSignalTargetInterpreterFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetInterpreterFilePath() string { - if ev.GetEventType().String() != "signal" { - return "" - } - if ev.Signal.Target == nil { - return "" - } - if !ev.Signal.Target.Process.HasInterpreter() { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) -} - -// GetSignalTargetParentCmdargv returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetParentCmdargv() []string { - if ev.GetEventType().String() != "signal" { - return []string{} - } - if ev.Signal.Target == nil { - return []string{} - } - if ev.Signal.Target.Parent == nil { - return []string{} - } - if !ev.Signal.Target.HasParent() { - return []string{} - } - return ev.FieldHandlers.ResolveProcessCmdArgv(ev, ev.Signal.Target.Parent) -} - -// GetSignalTargetParentEnvp returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetParentEnvp() []string { - if ev.GetEventType().String() != "signal" { - return []string{} - } - if ev.Signal.Target == nil { - return []string{} - } - if ev.Signal.Target.Parent == nil { - return []string{} - } - if !ev.Signal.Target.HasParent() { - return []string{} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Signal.Target.Parent) -} - -// GetSignalTargetParentFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetParentFilePath() string { - if ev.GetEventType().String() != "signal" { - return "" - } - if ev.Signal.Target == nil { - return "" - } - if ev.Signal.Target.Parent == nil { - return "" - } - if !ev.Signal.Target.HasParent() { - return "" - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.FileEvent) -} - -// GetSignalTargetParentGid 
returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetParentGid() uint32 { - if ev.GetEventType().String() != "signal" { - return uint32(0) - } - if ev.Signal.Target == nil { - return uint32(0) - } - if ev.Signal.Target.Parent == nil { - return uint32(0) - } - if !ev.Signal.Target.HasParent() { - return uint32(0) - } - return ev.Signal.Target.Parent.Credentials.GID -} - -// GetSignalTargetParentGroup returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetParentGroup() string { - if ev.GetEventType().String() != "signal" { - return "" - } - if ev.Signal.Target == nil { - return "" - } - if ev.Signal.Target.Parent == nil { - return "" - } - if !ev.Signal.Target.HasParent() { - return "" - } - return ev.Signal.Target.Parent.Credentials.Group -} - -// GetSignalTargetParentInterpreterFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetParentInterpreterFilePath() string { - if ev.GetEventType().String() != "signal" { - return "" - } - if ev.Signal.Target == nil { - return "" - } - if ev.Signal.Target.Parent == nil { - return "" - } - if !ev.Signal.Target.HasParent() { - return "" - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) -} - -// GetSignalTargetParentPid returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetParentPid() uint32 { - if ev.GetEventType().String() != "signal" { - return uint32(0) - } - if ev.Signal.Target == nil { - return uint32(0) - } - if ev.Signal.Target.Parent == nil { - return uint32(0) - } - if !ev.Signal.Target.HasParent() { - return uint32(0) - } - return ev.Signal.Target.Parent.PIDContext.Pid -} - -// GetSignalTargetParentPpid returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetParentPpid() uint32 { - if ev.GetEventType().String() != "signal" { - 
return uint32(0) - } - if ev.Signal.Target == nil { - return uint32(0) - } - if ev.Signal.Target.Parent == nil { - return uint32(0) - } - if !ev.Signal.Target.HasParent() { - return uint32(0) - } - return ev.Signal.Target.Parent.PPid -} - -// GetSignalTargetParentUid returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetParentUid() uint32 { - if ev.GetEventType().String() != "signal" { - return uint32(0) - } - if ev.Signal.Target == nil { - return uint32(0) - } - if ev.Signal.Target.Parent == nil { - return uint32(0) - } - if !ev.Signal.Target.HasParent() { - return uint32(0) - } - return ev.Signal.Target.Parent.Credentials.UID -} - -// GetSignalTargetParentUser returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetParentUser() string { - if ev.GetEventType().String() != "signal" { - return "" - } - if ev.Signal.Target == nil { - return "" - } - if ev.Signal.Target.Parent == nil { - return "" - } - if !ev.Signal.Target.HasParent() { - return "" - } - return ev.Signal.Target.Parent.Credentials.User -} - -// GetSignalTargetPid returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetPid() uint32 { - if ev.GetEventType().String() != "signal" { - return uint32(0) - } - if ev.Signal.Target == nil { - return uint32(0) - } - return ev.Signal.Target.Process.PIDContext.Pid -} - -// GetSignalTargetPpid returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetPpid() uint32 { - if ev.GetEventType().String() != "signal" { - return uint32(0) - } - if ev.Signal.Target == nil { - return uint32(0) - } - return ev.Signal.Target.Process.PPid -} - -// GetSignalTargetUid returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetUid() uint32 { - if ev.GetEventType().String() != "signal" { - return uint32(0) - } - if ev.Signal.Target == nil { - return uint32(0) - } - return ev.Signal.Target.Process.Credentials.UID -} - -// 
GetSignalTargetUser returns the value of the field, resolving if necessary -func (ev *Event) GetSignalTargetUser() string { - if ev.GetEventType().String() != "signal" { - return "" - } - if ev.Signal.Target == nil { - return "" - } - return ev.Signal.Target.Process.Credentials.User -} - -// GetSpliceFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetSpliceFilePath() string { - if ev.GetEventType().String() != "splice" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Splice.File) + return ev.BaseEvent.ProcessContext.Process.Credentials.User } // GetTimestamp returns the value of the field, resolving if necessary func (ev *Event) GetTimestamp() time.Time { return ev.FieldHandlers.ResolveEventTime(ev, &ev.BaseEvent) } - -// GetUnlinkFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetUnlinkFilePath() string { - if ev.GetEventType().String() != "unlink" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Unlink.File) -} - -// GetUtimesFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetUtimesFilePath() string { - if ev.GetEventType().String() != "utimes" { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Utimes.File) -} diff --git a/pkg/security/secl/model/field_accessors_windows.go b/pkg/security/secl/model/field_accessors_windows.go index dc67e0e864110..249277a840f87 100644 --- a/pkg/security/secl/model/field_accessors_windows.go +++ b/pkg/security/secl/model/field_accessors_windows.go 
@@ -18,14 +18,6 @@ var _ = time.Time{} var _ = net.IP{} var _ = eval.NewContext -// GetContainerCreatedAt returns the value of the field, resolving if necessary -func (ev *Event) GetContainerCreatedAt() int { - if ev.BaseEvent.ContainerContext == nil { - return 0 - } - return ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.BaseEvent.ContainerContext) -} - // GetContainerId returns the value of the field, resolving if necessary func (ev *Event) GetContainerId() string { if ev.BaseEvent.ContainerContext == nil { @@ -39,39 +31,6 @@ func (ev *Event) GetEventService() string { return ev.FieldHandlers.ResolveService(ev, &ev.BaseEvent) } -// GetExecEnvp returns the value of the field, resolving if necessary -func (ev *Event) GetExecEnvp() []string { - if ev.GetEventType().String() != "exec" { - return []string{} - } - if ev.Exec.Process == nil { - return []string{} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process) -} - -// GetExecExecTime returns the value of the field, resolving if necessary -func (ev *Event) GetExecExecTime() time.Time { - if ev.GetEventType().String() != "exec" { - return time.Time{} - } - if ev.Exec.Process == nil { - return time.Time{} - } - return ev.Exec.Process.ExecTime -} - -// GetExecExitTime returns the value of the field, resolving if necessary -func (ev *Event) GetExecExitTime() time.Time { - if ev.GetEventType().String() != "exec" { - return time.Time{} - } - if ev.Exec.Process == nil { - return time.Time{} - } - return ev.Exec.Process.ExitTime -} - // GetExecFilePath returns the value of the field, resolving if necessary func (ev *Event) GetExecFilePath() string { if ev.GetEventType().String() != "exec" { 
@@ -83,28 +42,6 @@ func (ev *Event) GetExecFilePath() string { return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent) } -// GetExecPid returns the value of the field, resolving if necessary -func (ev *Event) GetExecPid() uint32 { - if ev.GetEventType().String() != "exec" { - return uint32(0) - } - if ev.Exec.Process == nil { - return uint32(0) - } - return ev.Exec.Process.PIDContext.Pid -} - -// GetExecPpid returns the value of the field, resolving if necessary -func (ev *Event) GetExecPpid() uint32 { - if ev.GetEventType().String() != "exec" { - return uint32(0) - } - if ev.Exec.Process == nil { - return uint32(0) - } - return ev.Exec.Process.PPid -} - // GetExitCode returns the value of the field, resolving if necessary func (ev *Event) GetExitCode() uint32 { if ev.GetEventType().String() != "exit" { 
@@ -113,156 +50,6 @@ func (ev *Event) GetExitCode() uint32 { return ev.Exit.Code } -// GetExitEnvp returns the value of the field, resolving if necessary -func (ev *Event) GetExitEnvp() []string { - if ev.GetEventType().String() != "exit" { - return []string{} - } - if ev.Exit.Process == nil { - return []string{} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process) -} - -// GetExitExecTime returns the value of the field, resolving if necessary -func (ev *Event) GetExitExecTime() time.Time { - if ev.GetEventType().String() != "exit" { - return time.Time{} - } - if ev.Exit.Process == nil { - return time.Time{} - } - return ev.Exit.Process.ExecTime -} - -// GetExitExitTime returns the value of the field, resolving if necessary -func (ev *Event) GetExitExitTime() time.Time { - if ev.GetEventType().String() != "exit" { - return time.Time{} - } - if ev.Exit.Process == nil { - return time.Time{} - } - return ev.Exit.Process.ExitTime -} - -// GetExitFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetExitFilePath() string { - if ev.GetEventType().String() != "exit" { - return "" - } - if ev.Exit.Process == nil { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent) -} - -// GetExitPid returns the value of the field, resolving if necessary -func (ev *Event) GetExitPid() uint32 { - if ev.GetEventType().String() != "exit" { - return uint32(0) - } - if ev.Exit.Process == nil { - return uint32(0) - } - return ev.Exit.Process.PIDContext.Pid -} - -// GetExitPpid returns the value of the field, resolving if necessary -func (ev *Event) GetExitPpid() uint32 { - if ev.GetEventType().String() != "exit" { - return uint32(0) - } - if ev.Exit.Process == nil { - return uint32(0) - } - return ev.Exit.Process.PPid -} - -// GetProcessAncestorsEnvp returns the value of the field, resolving if necessary -func (ev *Event) GetProcessAncestorsEnvp() []string { - if ev.BaseEvent.ProcessContext == nil { - return 
[]string{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next(ctx) - } - return values -} - -// GetProcessAncestorsFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetProcessAncestorsFilePath() []string { - if ev.BaseEvent.ProcessContext == nil { - return []string{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []string{} - } - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetProcessAncestorsPid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessAncestorsPid() []uint32 { - if ev.BaseEvent.ProcessContext == nil { - return []uint32{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []uint32{} - } - var values []uint32 - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.PIDContext.Pid - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - -// GetProcessAncestorsPpid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessAncestorsPpid() []uint32 { - if ev.BaseEvent.ProcessContext == nil { - return []uint32{} - } - if ev.BaseEvent.ProcessContext.Ancestor == nil { - return []uint32{} - } - var values []uint32 - ctx := 
eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := (*ProcessCacheEntry)(ptr) - result := element.ProcessContext.Process.PPid - values = append(values, result) - ptr = iterator.Next(ctx) - } - return values -} - // GetProcessEnvp returns the value of the field, resolving if necessary func (ev *Event) GetProcessEnvp() []string { if ev.BaseEvent.ProcessContext == nil { 
@@ -287,70 +74,6 @@ func (ev *Event) GetProcessExitTime() time.Time { return ev.BaseEvent.ProcessContext.Process.ExitTime } -// GetProcessFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetProcessFilePath() string { - if ev.BaseEvent.ProcessContext == nil { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) -} - -// GetProcessParentEnvp returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentEnvp() []string { - if ev.BaseEvent.ProcessContext == nil { - return []string{} - } - if ev.BaseEvent.ProcessContext.Parent == nil { - return []string{} - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent) -} - -// GetProcessParentFilePath returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentFilePath() string { - if ev.BaseEvent.ProcessContext == nil { - return "" - } - if ev.BaseEvent.ProcessContext.Parent == nil { - return "" - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return "" - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) -} - -// GetProcessParentPid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentPid() uint32 { - if ev.BaseEvent.ProcessContext == nil { - return uint32(0) - } - if ev.BaseEvent.ProcessContext.Parent == nil { - return uint32(0) - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return uint32(0) - } - return ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid -} - -// GetProcessParentPpid returns the value of the field, resolving if necessary -func (ev *Event) GetProcessParentPpid() uint32 { - if ev.BaseEvent.ProcessContext == nil { - return uint32(0) - } - if ev.BaseEvent.ProcessContext.Parent == nil { - return uint32(0) - } - if !ev.BaseEvent.ProcessContext.HasParent() { - return uint32(0) - 
} - return ev.BaseEvent.ProcessContext.Parent.PPid -} - // GetProcessPid returns the value of the field, resolving if necessary func (ev *Event) GetProcessPid() uint32 { if ev.BaseEvent.ProcessContext == nil {
diff --git a/pkg/security/secl/model/model_unix.go b/pkg/security/secl/model/model_unix.go
index 41448b7010e2e..da35f1f1076cb 100644
--- a/pkg/security/secl/model/model_unix.go
+++ b/pkg/security/secl/model/model_unix.go
@@ -29,6 +29,26 @@ const (
 // Event represents an event sent from the kernel
 // genaccessors
+// gengetter: GetContainerCreatedAt
+// gengetter: GetContainerId
+// gengetter: GetExecCmdargv
+// gengetter: GetExecFilePath
+// gengetter: GetExecFilePath)
+// gengetter: GetExitCode
+// gengetter: GetMountMountpointPath
+// gengetter: GetMountRootPath
+// gengetter: GetProcessEnvp
+// gengetter: GetProcessExecTime
+// gengetter: GetProcessExitTime
+// gengetter: GetProcessForkTime
+// gengetter: GetProcessGid
+// gengetter: GetProcessGroup
+// gengetter: GetProcessPid
+// gengetter: GetProcessPpid
+// gengetter: GetProcessUid
+// gengetter: GetProcessUser
+// gengetter: GetTimestamp
+// gengetter: GetEventService
 type Event struct {
 BaseEvent
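Review bot: The entry `// gengetter: GetExecFilePath)` in the list added above `type Event struct` carries a stray `)` and duplicates the line before it; it should be deleted. `Parse` in accessors.go (earlier in this commit) keeps whatever follows the colon after `strings.TrimSpace`, so the entry is collected as `GetExecFilePath)` and presumably never matches a generated accessor name, without any error being reported. Because this list now decides which getters exist, a misspelt or duplicated name should fail generation rather than be ignored; otherwise a getter that consumers of security events rely on can disappear unnoticed until a build breaks. `GetEventService` is also out of alphabetical order at the end of the list, and the `Event` struct body continues outside this hunk.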
@@ -202,10 +222,10 @@ type CapsetEvent struct {
 // Credentials represents the kernel credentials of a process
 type Credentials struct {
- UID uint32 `field:"uid,opts:gen_getters"` // SECLDoc[uid] Definition:`UID of the process`
- GID uint32 `field:"gid,opts:gen_getters"` // SECLDoc[gid] Definition:`GID of the process`
- User string `field:"user,opts:gen_getters"` // SECLDoc[user] Definition:`User of the process` Example:`process.user == "root"` Description:`Constrain an event to be triggered by a process running as the root user.`
- Group string `field:"group,opts:gen_getters"` // SECLDoc[group] Definition:`Group of the process`
+ UID uint32 `field:"uid"` // SECLDoc[uid] Definition:`UID of the process`
+ GID uint32 `field:"gid"` // SECLDoc[gid] Definition:`GID of the process`
+ User string `field:"user"` // SECLDoc[user] Definition:`User of the process` Example:`process.user == "root"` Description:`Constrain an event to be triggered by a process running as the root user.`
+ Group string `field:"group"` // SECLDoc[group] Definition:`Group of the process`
 EUID uint32 `field:"euid"` // SECLDoc[euid] Definition:`Effective UID of the process`
 EGID uint32 `field:"egid"` // SECLDoc[egid] Definition:`Effective GID of the process`
@@ -254,15 +274,15 @@ type Process struct { LinuxBinprm LinuxBinprm `field:"interpreter,check:HasInterpreter,set_handler:SetInterpreterFields"` // Script interpreter as identified by the shebang // pid_cache_t - ForkTime time.Time `field:"fork_time,opts:getters_only|gen_getters"` - ExitTime time.Time `field:"exit_time,opts:getters_only|gen_getters"` - ExecTime time.Time `field:"exec_time,opts:getters_only|gen_getters"` + ForkTime time.Time `field:"fork_time,opts:getters_only"` + ExitTime time.Time `field:"exit_time,opts:getters_only"` + ExecTime time.Time `field:"exec_time,opts:getters_only"` // TODO: merge with ExecTime CreatedAt uint64 `field:"created_at,handler:ResolveProcessCreatedAt"` // SECLDoc[created_at] Definition:`Timestamp of the creation of the process` Cookie uint64 `field:"-"` - PPid uint32 `field:"ppid,opts:gen_getters"` // SECLDoc[ppid] Definition:`Parent process ID` + PPid uint32 `field:"ppid"` // SECLDoc[ppid] Definition:`Parent process ID` // credentials_t section of pid_cache_t Credentials 
@@ -278,13 +298,13 @@ type Process struct { EnvsEntry *EnvsEntry `field:"-"` // defined to generate accessors, ArgsTruncated and EnvsTruncated are used during by unmarshaller - Argv0 string `field:"argv0,handler:ResolveProcessArgv0,weight:100"` // SECLDoc[argv0] Definition:`First argument of the process` - Args string `field:"args,handler:ResolveProcessArgs,weight:500,opts:skip_ad|readonly"` // SECLDoc[args] Definition:`Arguments of the process (as a string, excluding argv0)` Example:`exec.args == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"` Description:`Matches any process with these exact arguments.` Example:`exec.args =~ "* -F * http*"` Description:`Matches any process that has the "-F" argument anywhere before an argument starting with "http".` - Argv []string `field:"argv,handler:ResolveProcessArgv,weight:500; cmdargv,handler:ResolveProcessCmdArgv,opts:getters_only|gen_getters; args_flags,handler:ResolveProcessArgsFlags,opts:helper; args_options,handler:ResolveProcessArgsOptions,opts:helper"` // SECLDoc[argv] Definition:`Arguments of the process (as an array, excluding argv0)` Example:`exec.argv in ["127.0.0.1"]` Description:`Matches any process that has this IP address as one of its arguments.` SECLDoc[args_flags] Definition:`Flags in the process arguments` Example:`exec.args_flags in ["s"] && exec.args_flags in ["V"]` Description:`Matches any process with both "-s" and "-V" flags in its arguments. 
Also matches "-sV".` SECLDoc[args_options] Definition:`Argument of the process as options` Example:`exec.args_options in ["p=0-1024"]` Description:`Matches any process that has either "-p 0-1024" or "--p=0-1024" in its arguments.` - ArgsTruncated bool `field:"args_truncated,handler:ResolveProcessArgsTruncated"` // SECLDoc[args_truncated] Definition:`Indicator of arguments truncation` - Envs []string `field:"envs,handler:ResolveProcessEnvs,weight:100"` // SECLDoc[envs] Definition:`Environment variable names of the process` - Envp []string `field:"envp,handler:ResolveProcessEnvp,weight:100,opts:gen_getters"` // SECLDoc[envp] Definition:`Environment variables of the process` - EnvsTruncated bool `field:"envs_truncated,handler:ResolveProcessEnvsTruncated"` // SECLDoc[envs_truncated] Definition:`Indicator of environment variables truncation` + Argv0 string `field:"argv0,handler:ResolveProcessArgv0,weight:100"` // SECLDoc[argv0] Definition:`First argument of the process` + Args string `field:"args,handler:ResolveProcessArgs,weight:500,opts:skip_ad|readonly"` // SECLDoc[args] Definition:`Arguments of the process (as a string, excluding argv0)` Example:`exec.args == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"` Description:`Matches any process with these exact arguments.` Example:`exec.args =~ "* -F * http*"` Description:`Matches any process that has the "-F" argument anywhere before an argument starting with "http".` + Argv []string `field:"argv,handler:ResolveProcessArgv,weight:500; cmdargv,handler:ResolveProcessCmdArgv,opts:getters_only; args_flags,handler:ResolveProcessArgsFlags,opts:helper; args_options,handler:ResolveProcessArgsOptions,opts:helper"` // SECLDoc[argv] Definition:`Arguments of the process (as an array, excluding argv0)` Example:`exec.argv in ["127.0.0.1"]` Description:`Matches any process that has this IP address as one of its arguments.` SECLDoc[args_flags] Definition:`Flags in the process arguments` Example:`exec.args_flags in ["s"] && 
exec.args_flags in ["V"]` Description:`Matches any process with both "-s" and "-V" flags in its arguments. Also matches "-sV".` SECLDoc[args_options] Definition:`Argument of the process as options` Example:`exec.args_options in ["p=0-1024"]` Description:`Matches any process that has either "-p 0-1024" or "--p=0-1024" in its arguments.` + ArgsTruncated bool `field:"args_truncated,handler:ResolveProcessArgsTruncated"` // SECLDoc[args_truncated] Definition:`Indicator of arguments truncation` + Envs []string `field:"envs,handler:ResolveProcessEnvs,weight:100"` // SECLDoc[envs] Definition:`Environment variable names of the process` + Envp []string `field:"envp,handler:ResolveProcessEnvp,weight:100"` // SECLDoc[envp] Definition:`Environment variables of the process` + EnvsTruncated bool `field:"envs_truncated,handler:ResolveProcessEnvsTruncated"` // SECLDoc[envs_truncated] Definition:`Indicator of environment variables truncation` ArgsScrubbed string `field:"args_scrubbed,handler:ResolveProcessArgsScrubbed,opts:getters_only"` ArgvScrubbed []string `field:"argv_scrubbed,handler:ResolveProcessArgvScrubbed,opts:getters_only"` 
@@ -350,9 +370,9 @@ type FileFields struct { type FileEvent struct { FileFields - PathnameStr string `field:"path,handler:ResolveFilePath,opts:length|gen_getters" op_override:"ProcessSymlinkPathname"` // SECLDoc[path] Definition:`File's path` Example:`exec.file.path == "/usr/bin/apt"` Description:`Matches the execution of the file located at /usr/bin/apt` Example:`open.file.path == "/etc/passwd"` Description:`Matches any process opening the /etc/passwd file.` - BasenameStr string `field:"name,handler:ResolveFileBasename,opts:length" op_override:"ProcessSymlinkBasename"` // SECLDoc[name] Definition:`File's basename` Example:`exec.file.name == "apt"` Description:`Matches the execution of any file named apt.` - Filesystem string `field:"filesystem,handler:ResolveFileFilesystem"` // SECLDoc[filesystem] Definition:`File's filesystem` + PathnameStr string `field:"path,handler:ResolveFilePath,opts:length" op_override:"ProcessSymlinkPathname"` // SECLDoc[path] Definition:`File's path` Example:`exec.file.path == "/usr/bin/apt"` Description:`Matches the execution of the file located at /usr/bin/apt` Example:`open.file.path == "/etc/passwd"` Description:`Matches any process opening the /etc/passwd file.` + BasenameStr string `field:"name,handler:ResolveFileBasename,opts:length" op_override:"ProcessSymlinkBasename"` // SECLDoc[name] Definition:`File's basename` Example:`exec.file.name == "apt"` Description:`Matches the execution of any file named apt.` + Filesystem string `field:"filesystem,handler:ResolveFileFilesystem"` // SECLDoc[filesystem] Definition:`File's filesystem` MountPath string `field:"-"` MountSource uint32 `field:"-"` 
@@ -431,9 +451,9 @@ type MountEvent struct { SyscallEvent SyscallContext Mount - MountPointPath string `field:"mountpoint.path,handler:ResolveMountPointPath,opts:gen_getters"` // SECLDoc[mountpoint.path] Definition:`Path of the mount point` - MountSourcePath string `field:"source.path,handler:ResolveMountSourcePath"` // SECLDoc[source.path] Definition:`Source path of a bind mount` - MountRootPath string `field:"root.path,handler:ResolveMountRootPath,opts:gen_getters"` // SECLDoc[root.path] Definition:`Root path of the mount` + MountPointPath string `field:"mountpoint.path,handler:ResolveMountPointPath"` // SECLDoc[mountpoint.path] Definition:`Path of the mount point` + MountSourcePath string `field:"source.path,handler:ResolveMountSourcePath"` // SECLDoc[source.path] Definition:`Source path of a bind mount` + MountRootPath string `field:"root.path,handler:ResolveMountRootPath"` // SECLDoc[root.path] Definition:`Root path of the mount` MountPointPathResolutionError error `field:"-"` MountSourcePathResolutionError error `field:"-"` MountRootPathResolutionError error `field:"-"` @@ -485,8 +505,8 @@ type SELinuxEvent struct { // PIDContext holds the process context of a kernel event type PIDContext struct { - Pid uint32 `field:"pid,opts:gen_getters"` // SECLDoc[pid] Definition:`Process ID of the process (also called thread group ID)` - Tid uint32 `field:"tid"` // SECLDoc[tid] Definition:`Thread ID of the thread` + Pid uint32 `field:"pid"` // SECLDoc[pid] Definition:`Process ID of the process (also called thread group ID)` + Tid uint32 `field:"tid"` // SECLDoc[tid] Definition:`Thread ID of the thread` NetNS uint32 `field:"-"` IsKworker bool `field:"is_kworker"` // SECLDoc[is_kworker] Definition:`Indicates whether the process is a kworker` ExecInode uint64 `field:"-"` // used to track exec and event loss diff --git a/pkg/security/secl/model/model_windows.go b/pkg/security/secl/model/model_windows.go index 83b80fe0e25f6..c5b35d78e8060 100644 
--- a/pkg/security/secl/model/model_windows.go
+++ b/pkg/security/secl/model/model_windows.go
@@ -25,6 +25,17 @@ func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) erro
 // Event represents an event sent from the kernel
 // genaccessors
+// gengetter: GetContainerId
+// gengetter: GetContainerId
+// gengetter: GetEventService
+// gengetter: GetExecFilePath
+// gengetter: GetExitCode
+// gengetter: GetProcessEnvp
+// gengetter: GetProcessExecTime
+// gengetter: GetProcessExitTime
+// gengetter: GetProcessPid
+// gengetter: GetProcessPpid
+// gengetter: GetTimestamp
 type Event struct {
 BaseEvent
@@ -81,7 +92,7 @@ type Process struct {
 CreatedAt uint64 `field:"created_at,handler:ResolveProcessCreatedAt"` // SECLDoc[created_at] Definition:`Timestamp of the creation of the process`
- PPid uint32 `field:"ppid,opts:gen_getters"` // SECLDoc[ppid] Definition:`Parent process ID`
+ PPid uint32 `field:"ppid"` // SECLDoc[ppid] Definition:`Parent process ID`
 ArgsEntry *ArgsEntry `field:"-"`
 EnvsEntry *EnvsEntry `field:"-"`
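Review bot: `// gengetter: GetContainerId` is listed twice at the top of the new list on the Windows `Event`, which looks like a copy-paste slip. The list added to model_unix.go starts with `GetContainerCreatedAt` followed by `GetContainerId`, and this commit deletes `GetContainerCreatedAt` from field_accessors_windows.go, so if the first entry was meant to be `// gengetter: GetContainerCreatedAt` the Windows build has lost that getter; otherwise drop the duplicate line. The same duplicated pair appears in the mirrored list in pkg/security/seclwin/model/model_win.go. The `Event` struct body continues outside this hunk.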
@@ -92,8 +103,8 @@ type Process struct { OwnerSidString string `field:"user_sid"` // SECLDoc[user_sid] Definition:`Sid of the user of the process` User string `field:"user,handler:ResolveUser"` // SECLDoc[user] Definition:`User name` - Envs []string `field:"envs,handler:ResolveProcessEnvs,weight:100"` // SECLDoc[envs] Definition:`Environment variable names of the process` - Envp []string `field:"envp,handler:ResolveProcessEnvp,weight:100,opts:gen_getters"` // SECLDoc[envp] Definition:`Environment variables of the process` // SECLDoc[envp] Definition:`Environment variables of the process` + Envs []string `field:"envs,handler:ResolveProcessEnvs,weight:100"` // SECLDoc[envs] Definition:`Environment variable names of the process` + Envp []string `field:"envp,handler:ResolveProcessEnvp,weight:100"` // SECLDoc[envp] Definition:`Environment variables of the process` // SECLDoc[envp] Definition:`Environment variables of the process` // cache version Variables eval.Variables `field:"-"` @@ -107,7 +118,7 @@ type ExecEvent struct { // PIDContext holds the process context of an kernel event type PIDContext struct { - Pid uint32 `field:"pid,opts:gen_getters"` // SECLDoc[pid] Definition:`Process ID of the process (also called thread group ID)` + Pid uint32 `field:"pid"` // SECLDoc[pid] Definition:`Process ID of the process (also called thread group ID)` } // NetworkDeviceContext defines a network device context diff --git a/pkg/security/seclwin/model/model_win.go b/pkg/security/seclwin/model/model_win.go index 83b80fe0e25f6..c5b35d78e8060 100644 --- a/pkg/security/seclwin/model/model_win.go +++ b/pkg/security/seclwin/model/model_win.go 
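Review bot: The rewritten `Envp` line in the `@@ -92,8 +103,8 @@` hunk still ends with the `SECLDoc[envp]` trailing comment twice. Since the line is being touched anyway, keep a single copy so the documentation extracted from these comments cannot pick up a duplicate entry; how the doc generator treats the repeat is not visible here. The same line is repeated in pkg/security/seclwin/model/model_win.go, and the `Process` struct starts and ends outside the hunk.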
@@ -25,6 +25,17 @@ func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) erro
 // Event represents an event sent from the kernel
 // genaccessors
+// gengetter: GetContainerId
+// gengetter: GetContainerId
+// gengetter: GetEventService
+// gengetter: GetExecFilePath
+// gengetter: GetExitCode
+// gengetter: GetProcessEnvp
+// gengetter: GetProcessExecTime
+// gengetter: GetProcessExitTime
+// gengetter: GetProcessPid
+// gengetter: GetProcessPpid
+// gengetter: GetTimestamp
 type Event struct {
 BaseEvent
@@ -81,7 +92,7 @@ type Process struct {
 CreatedAt uint64 `field:"created_at,handler:ResolveProcessCreatedAt"` // SECLDoc[created_at] Definition:`Timestamp of the creation of the process`
- PPid uint32 `field:"ppid,opts:gen_getters"` // SECLDoc[ppid] Definition:`Parent process ID`
+ PPid uint32 `field:"ppid"` // SECLDoc[ppid] Definition:`Parent process ID`
 ArgsEntry *ArgsEntry `field:"-"`
 EnvsEntry *EnvsEntry `field:"-"`
@@ -92,8 +103,8 @@ type Process struct {
 OwnerSidString string `field:"user_sid"` // SECLDoc[user_sid] Definition:`Sid of the user of the process`
 User string `field:"user,handler:ResolveUser"` // SECLDoc[user] Definition:`User name`
- Envs []string `field:"envs,handler:ResolveProcessEnvs,weight:100"` // SECLDoc[envs] Definition:`Environment variable names of the process`
- Envp []string `field:"envp,handler:ResolveProcessEnvp,weight:100,opts:gen_getters"` // SECLDoc[envp] Definition:`Environment variables of the process` // SECLDoc[envp] Definition:`Environment variables of the process`
+ Envs []string `field:"envs,handler:ResolveProcessEnvs,weight:100"` // SECLDoc[envs] Definition:`Environment variable names of the process`
+ Envp []string `field:"envp,handler:ResolveProcessEnvp,weight:100"` // SECLDoc[envp] Definition:`Environment variables of the process` // SECLDoc[envp] Definition:`Environment variables of the process`
 // cache version
 Variables eval.Variables `field:"-"`
@@ -107,7 +118,7 @@ type ExecEvent struct {
 // PIDContext holds the process context of an kernel event
 type PIDContext struct {
- Pid uint32 `field:"pid,opts:gen_getters"` // SECLDoc[pid] Definition:`Process ID of the process (also called thread group ID)`
+ Pid uint32 `field:"pid"` // SECLDoc[pid] Definition:`Process ID of the process (also called thread group ID)`
 }
 // NetworkDeviceContext defines a network device context