From 09be5c89b20db800c5fe99671da16c61eca8e724 Mon Sep 17 00:00:00 2001 From: Vincent Whitchurch Date: Tue, 14 Jan 2025 11:32:29 +0100 Subject: [PATCH 01/25] usm: test: Fix args to assert.Equal (#32921) --- pkg/network/usm/sharedlibraries/watcher_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/network/usm/sharedlibraries/watcher_test.go b/pkg/network/usm/sharedlibraries/watcher_test.go index c3152c7aee7ae3..21ca3ee9fec7ee 100644 --- a/pkg/network/usm/sharedlibraries/watcher_test.go +++ b/pkg/network/usm/sharedlibraries/watcher_test.go @@ -288,13 +288,13 @@ func (s *SharedLibrarySuite) TestSharedLibraryDetectionPeriodic() { require.NoError(t, err) require.EventuallyWithT(t, func(c *assert.CollectT) { - assert.Equal(c, registerRecorder.CallsForPathID(fooPathID1), 1) + assert.Equal(c, 1, registerRecorder.CallsForPathID(fooPathID1)) // Check that we tried to attach to the process twice. See w.sync() for // why we do it. We don't actually need to attempt the registration // twice, we just need to ensure that the maps were scanned twice but we // don't have a hook for that so this check should be good enough. - assert.Equal(c, registerRecorder.CallsForPathID(errorPathID), 2) + assert.Equal(c, 2, registerRecorder.CallsForPathID(errorPathID)) }, time.Second*10, 100*time.Millisecond, "") require.EventuallyWithT(t, func(c *assert.CollectT) { @@ -312,7 +312,7 @@ func (s *SharedLibrarySuite) TestSharedLibraryDetectionPeriodic() { command2.Process.Wait() require.EventuallyWithT(t, func(c *assert.CollectT) { - assert.Equal(c, unregisterRecorder.CallsForPathID(fooPathID1), 1) + assert.Equal(c, 1, unregisterRecorder.CallsForPathID(fooPathID1)) }, time.Second*10, 100*time.Millisecond) // Check that clean up of dead processes works. From 209cecb63f8c937a0b0ee0814c7067b5d5d159c8 Mon Sep 17 00:00:00 2001 From: Florent Clarret Date: Tue, 14 Jan 2025 11:15:17 +0000 Subject: [PATCH 02/25] Update last_stable to 7.61.0 (#32896) --- release.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release.json b/release.json index cff79e336477c3..0130a62eaddc07 100644 --- a/release.json +++ b/release.json @@ -3,7 +3,7 @@ "current_milestone": "7.63.0", "last_stable": { "6": "6.53.0", - "7": "7.60.0" + "7": "7.61.0" }, "nightly": { "INTEGRATIONS_CORE_VERSION": "master", From 7e0d68220e477e8e431111828c35501b8c918d16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20L=C3=B3pez=20de=20Heredia?= Date: Tue, 14 Jan 2025 13:31:35 +0100 Subject: [PATCH 03/25] [APM] Reuse core config on HTTP Transport (#32808) --- comp/trace/config/config_test.go | 2 ++ comp/trace/config/setup.go | 3 +++ comp/trace/config/testdata/full.yaml | 1 + pkg/trace/config/config.go | 5 +++++ 4 files changed, 11 insertions(+) diff --git a/comp/trace/config/config_test.go b/comp/trace/config/config_test.go index 0066acbe78d99e..3b201cef2495c6 100644 --- a/comp/trace/config/config_test.go +++ b/comp/trace/config/config_test.go @@ -9,6 +9,7 @@ import ( "bufio" "bytes" "context" + "crypto/tls" _ "embed" "encoding/json" "errors" @@ -555,6 +556,7 @@ func TestFullYamlConfig(t *testing.T) { assert.Equal(t, "mymachine", cfg.Hostname) assert.Equal(t, "https://user:password@proxy_for_https:1234", cfg.ProxyURL.String()) assert.True(t, cfg.SkipSSLValidation) + assert.Equal(t, uint16(tls.VersionTLS13), cfg.NewHTTPTransport().TLSClientConfig.MinVersion) assert.Equal(t, 18125, cfg.StatsdPort) assert.False(t, cfg.Enabled) assert.Equal(t, "abc", cfg.LogFilePath) diff --git a/comp/trace/config/setup.go b/comp/trace/config/setup.go index 829154a5c5cde4..5cab5a13a6fb44 100644 --- a/comp/trace/config/setup.go +++ b/comp/trace/config/setup.go @@ -127,6 +127,9 @@ func prepareConfig(c corecompcfg.Component, tagger tagger.Component) (*config.Ag } cfg.ContainerProcRoot = coreConfigObject.GetString("container_proc_root") cfg.GetAgentAuthToken = apiutil.GetAuthToken + cfg.HTTPTransportFunc = func() *http.Transport { + return httputils.CreateHTTPTransport(coreConfigObject) + } return cfg, nil } diff --git a/comp/trace/config/testdata/full.yaml b/comp/trace/config/testdata/full.yaml index cd166c07cbd3c4..e1897a1f56b7d3 100644 --- a/comp/trace/config/testdata/full.yaml +++ b/comp/trace/config/testdata/full.yaml @@ -7,6 +7,7 @@ proxy: - https://my2.endpoint.eu use_dogstatsd: yes skip_ssl_validation: yes +min_tls_version: "tlsv1.3" dogstatsd_port: 18125 dogstatsd_non_local_traffic: yes log_level: info diff --git a/pkg/trace/config/config.go b/pkg/trace/config/config.go index cbf0b0ea5c3a3a..a28161392fa576 100644 --- a/pkg/trace/config/config.go +++ b/pkg/trace/config/config.go @@ -356,6 +356,8 @@ type AgentConfig struct { MaxSenderRetries int // HTTP client used in writer connections. If nil, default client values will be used. HTTPClientFunc func() *http.Client `json:"-"` + // HTTP Transport used in writer connections. If nil, default transport values will be used. + HTTPTransportFunc func() *http.Transport `json:"-"` // internal telemetry StatsdEnabled bool @@ -611,6 +613,9 @@ func (c *AgentConfig) NewHTTPClient() *ResetClient { // NewHTTPTransport returns a new http.Transport to be used for outgoing connections to // the Datadog API. func (c *AgentConfig) NewHTTPTransport() *http.Transport { + if c.HTTPTransportFunc != nil { + return c.HTTPTransportFunc() + } transport := &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: c.SkipSSLValidation}, // below field values are from http.DefaultTransport (go1.12) From c6517f8e1f186d14db59ced9ea9fa5652173ac28 Mon Sep 17 00:00:00 2001 From: "agent-platform-auto-pr[bot]" <153269286+agent-platform-auto-pr[bot]@users.noreply.github.com> Date: Tue, 14 Jan 2025 13:50:51 +0000 Subject: [PATCH 04/25] [Backport main] Changelog update for 7.61.0 release (#32887) Co-authored-by: FlorentClarret Co-authored-by: spencergilbert --- CHANGELOG-DCA.rst | 49 +++++++++- CHANGELOG.rst | 225 +++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 259 insertions(+), 15 deletions(-) diff --git a/CHANGELOG-DCA.rst b/CHANGELOG-DCA.rst index 7b5abd00a3bc2a..44698011d00bbf 100644 --- a/CHANGELOG-DCA.rst +++ b/CHANGELOG-DCA.rst @@ -2,6 +2,51 @@ Release Notes ============= +.. _Release Notes_7.61.0: + +7.61.0 +====== + +.. _Release Notes_7.61.0_Prelude: + +Prelude +------- + +Released on: 2025-01-13 +Pinned to datadog-agent v7.61.0: `CHANGELOG `_. + +.. _Release Notes_7.61.0_New Features: + +New Features +------------ + +- Implements the Kubernetes Admission Events webhooks. This new webhooks will emit Datadog Events + when receving Validation Admission requests. It will track deployments operations made by non-system + users. + The webhook is controlled by using the `admission_controller.kubernetes_admission_events.enabled` setting. + +- The cluster-agent now can collect pod disruption budgets from the cluster. + + +.. _Release Notes_7.61.0_Enhancement Notes: + +Enhancement Notes +----------------- + +- Cluster Agent: ``DatadogAgent`` custom resource, cluster Agent deployment, and node Agent daemonset manifests are now added to the flare archive when the Cluster Agent is deployed with the Datadog Operator (version 1.11.0+). + +- Cluster Agent: Don't overwrite the LD_PRELOAD environment variable if it's already set, append the path to Datadog's injection library instead. + + +.. _Release Notes_7.61.0_Bug Fixes: + +Bug Fixes +--------- + +- The auto-instrumentation webhook no longer injects the default environment + variables when disabled. + + .. _Release Notes_7.60.1: 7.60.1 @@ -148,7 +193,7 @@ Bug Fixes - Fixed an issue that prevented the Kubernetes autoscaler from evicting pods injected by the Admission Controller. - + .. _Release Notes_7.57.1: @@ -206,7 +251,7 @@ Bug Fixes - Library package versions for auto-instrumentation are now set to the latest major version of the library-package instead of `latest`. - + * java:v1 * dotnet:v2 * python:v2 diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 1def73a37b2e14..cee121731e6279 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,205 @@ Release Notes ============= +.. _Release Notes_7.61.0: + +7.61.0 +====== + +.. _Release Notes_7.61.0_Prelude: + +Prelude +------- + +Release on: 2025-01-13 + +- Please refer to the `7.61.0 tag on integrations-core `_ for the list of changes on the Core Checks + + +.. _Release Notes_7.61.0_Upgrade Notes: + +Upgrade Notes +------------- + +- Upgraded JMXFetch to `0.49.6 `_ which fixes a ``NullPointerException`` on + JBoss when user and password not set. See `0.49.6 `_ for more details. + +- Windows containers were updated to use OpenJDK 11.0.25+9. + + +.. _Release Notes_7.61.0_New Features: + +New Features +------------ + +- Add metrics origins for Nvidia Nim integration. + +- APM: New configuration apm_config.obfuscation.credit_cards.keep_values (DD_APM_OBFUSCATION_CREDIT_CARDS_KEEP_VALUES) + can be used to skip specific tag keys that are known to never contain credit card numbers. This is especially useful + in cases where a span tag value is a number that triggers false positives from the credit card obfuscator. + +- Add new metric, ``container.restarts``, which indicates the number of times a container has been restarted due to the restart policy. + For more details: https://docs.docker.com/engine/containers/start-containers-automatically/. + +- APM: Introducing the Error Tracking Standalone config option. Only span chunks + that contain errors or exception OpenTelemetry span events are taken into + consideration by sampling. + +- Add new windows images for LTSC 2019 and LTSC 2022: + - `datadog-agent:7-servercore-ltsc2019-amd64` + - `datadog-agent:7-servercore-ltsc2022-amd64` + - `datadog-agent:7-servercore-ltsc2019-jmx-amd64` + - `datadog-agent:7-servercore-ltsc2022-jmx-amd64` + - `datadog-agent:latest-servercore-ltsc2019-jmx` + - `datadog-agent:latest-servercore-ltsc2022-jmx` + - `datadog-agent:latest-servercore-ltsc2019` + - `datadog-agent:latest-servercore-ltsc2022` + - `datadog-agent:7.X.Y-ltsc2019` + - `datadog-agent:7.X.Y-ltsc2022` + - `datadog-agent:7.X.Y-ltsc2019-jmx` + - `datadog-agent:7.X.Y-ltsc2022-jmx` + - `datadog-agent:7.X.Y-servercore-ltsc2019` + - `datadog-agent:7.X.Y-servercore-ltsc2022` + - `datadog-agent:7.X.Y-servercore-ltsc2019-jmx` + - `datadog-agent:7.X.Y-servercore-ltsc2022-jmx` + - `datadog-agent:latest-ltsc2019` + - `datadog-agent:latest-ltsc2022` + +- [ha-agent] Add haagent component used for HA Agent feature. + +- Added support for collecting container image metadata when running on a CRI-O runtime. + +- USM now monitors TLS traffic encrypted with Go TLS by default. + To disable this feature, set the `service_monitoring_config.tls.go.enabled` + configuration option to false. + +- USM now monitors traffic encrypted with Istio mTLS by default. + To disable this feature, set the `service_monitoring_config.tls.istio.enabled` configuration option to false. + +- Introduced a new configuration variable `logs_config.http_protocol`, allowing users to enforce HTTP/1.1 for outgoing HTTP connections in the Datadog Agent. This provides better control over transport protocols and improves compatibility with systems that do not support HTTP/2. + By default, the log agent will now attempt to use HTTP/2 (unless a proxy is configured) and fall back to the best available protocol if HTTP/2 is not supported. + +- Added a new feature flag `enable_operation_and_resource_name_logic_v2` in DD_APM_FEATURES. Enabling this flag modifies the logic for computing operation and resource names from OTLP spans to produce shorter, more readable names and improve alignment with OpenTelemetry specifications. + +- Add support for PHP Single Step Instrumentation in Kubernetes (not enabled by default) + + +.. _Release Notes_7.61.0_Enhancement Notes: + +Enhancement Notes +----------------- + +- [ha-agent] Run HA enabled integrations only on leader Agent + +- [ha-agent] Add agent_group tag to datadog.agent.running metric + +- Add new host tag `provider_kind` from the value of `DD_PROVIDER_KIND` for Agents running in GCE. + +- Add ``query_timeout`` to customize the timeout for queries in the Oracle check. + Previously, this was fixed at 20,000 seconds. + +- Add ability to show Agent telemetry payloads to be sent by Agent + if the telemetry is enabled. One can run it with the following command: + `agent diagnose show-metadata agent-telemetry`. See + `docs ` for more details. + +- Convert Prometheus style Counters and Histograms used in Agent telemetry + from monotonically increasing to non-monotonic values (reset on each scrape). + In addition de-accumulate Prometheus Histogram bucket values on each scrape. + +- Added support for more than 100 Aurora clusters in a user's account when using database autodiscovery + +- Adds some information about the SNMP autodiscovery status in the Agent status. + +- Adds a dedicated CRI-O Workloadmeta collector, enabling metadata collection + for containers running on a CRI-O runtime. + +- Enables a cache for SQL and MongoDB obfuscation. This cache is enabled by default but can be disabled by setting `apm_config.obfuscation.cache.enabled` to `false`. + +- Improved logging to add visibility for latency and transport protocol + +- Add a new configuration option ``log_level`` for commands where the logger is disabled by default. + +- Adds initial Windows support for TCP probes in Network Path. + +- Query Aurora instances per cluster to allow up to 100 instances per cluster + rather than 100 instances total. + +- The AWS Lambda Extension is now able to read the full 128-bit trace ID + from the headers of the end-invocation HTTP request made by dd-trace or the + datadog-lambda-go library. + +- Standardized cluster check tagging across all environments, allowing DD_TAGS, DD_EXTRA_TAGS, DD_CLUSTER_CHECKS_EXTRA_TAGS, and DD_ORCHESTRATOR_EXPLORER_EXTRA_TAGS to apply to all cluster check data when operating on the Cluster Agent, Node Agent, or Cluster Checks Runner. + + +.. _Release Notes_7.61.0_Deprecation Notes: + +Deprecation Notes +----------------- + +- Deprecates the `apm_config.obfuscation.sql.cache` option in favor of `apm_config.obfuscation.cache`. + +- Remove deprecated config `otlp_config.metrics.instrumentation_library_metadata_as_tags`. Use `otlp_config.metrics.instrumentation_scope_metadata_as_tags` instead. + +- The remote tagger will attempt to connect to the core agent indefinitely until it is successful. + The ``remote_tagger_timeout_seconds`` configuration is removed, and the timeout is no longer configurable. + +- The remote tagger for the trace-agent and security-agent is now always enabled and can not be disabled + ``apm_config.remote_tagger``, ``security_agent.remote_tagger``, and ``event_monitoring_config.remote_tagger`` config entries are removed. + + +.. _Release Notes_7.61.0_Security Notes: + +Security Notes +-------------- + +- Fix CVE-2025-21613 + +- Update ``golang.org/x/crypto`` to fix CVE-2024-45337. + + +.. _Release Notes_7.61.0_Bug Fixes: + +Bug Fixes +--------- + +- Fix an issue where the remote workloadmeta was not receiving some unset + events for ECS containers, causing incorrect billing in CWS, CSPM, CSM Pro, CSM + Enterprise, and DevSecOps Enterprise Containers. + +- Corrects the method call for gauges to be Set instead of Add. + +- Fix Oracle execution plan collection failures caused by an out-of-range position column, which can occur if the execution plan is excessively large. + +- Fix excessive number of rows coming from active session history. + +- OTLP ingestion: Stop prefixing `http_server_duration`, `http_server_request_size` and `http_server_response_size` with `otelcol`. + +- Fixes the issue of disabled services producing an error message in the event log on start. Now produces an informational message. + +- Change `kubernetes.memory.working_set` and `kubernetes.memory.usage` + metrics to be of type gauge instead of rate. + + +.. _Release Notes_7.61.0_Other Notes: + +Other Notes +----------- + +- Add metric origins for Platform Integrations: Fly.io, Kepler, Octopus Deploy, and Scaphandre. + +- Extend Agent Telemetry to start reporting ``logs.sender_latency`` metric. + +- The `enable_receive_resource_spans_v2` flag now defaults to true in Converged Agent. This enables the refactored + version of the OTLP span receiver in trace agent, improves performance by 10%, and deprecates the following functionality: + - No longer checks for information about the resource in HTTP headers (ContainerID, Lang, LangVersion, Interpreter, LangVendor). + - No longer checks for resource-related values (container, env, hostname) in span attributes. This previous behavior did not follow the OTel spec. + +- Bumps the default value for `kube_cache_sync_timeout_seconds` from 5 to 10 seconds. + +- Added origin for new Milvus integration. + + .. _Release Notes_7.60.1: 7.60.1 @@ -44,11 +243,11 @@ Upgrade Notes ------------- - * Parameter ``peer_tags_aggregation`` (a.k.a. environment variable ``DD_APM_PEER_TAGS_AGGREGATION``) is now enabled by default. This means that aggregation of peer related tags (e.g., `peer.service`, `db.instance`, etc.) now happens in the Agent, which enables statistics for Inferred Entities. If you want to disable this feature, set `peer_tags_aggregation` to `false` in your Agent configuration. - + * Parameter ``compute_stats_by_span_kind`` (a.k.a. environment variable ``DD_APM_COMPUTE_STATS_BY_SPAN_KIND``) is now enabled by default. This means spans with an eligible `span.kind` will have stats computed. If disabled, only top-level and measured spans will have stats computed. If you want to disable this feature, set `compute_stats_by_span_kind` to `false` in your Agent configuration. - + Note: When using ``peer_tags_aggregation`` and ``compute_stats_by_span_kind``, a high cardinality of peer tags or APM resources can contribute to higher CPU and memory consumption. If enabling both causes the Agent to consume too many resources, try disabling `compute_stats_by_span_kind` first. - + It is recommended that you update your tracing libraries according to the instructions `here `_ and set ``DD_TRACE_REMOVE_INTEGRATION_SERVICE_NAMES_ENABLED`` (or ``dd.trace.remove.integration-service-names.enabled``) to ``true``. - Upgraded JMXFetch to `0.49.5 `_ which adds support for ``UnloadedClassCount`` metric @@ -63,7 +262,7 @@ New Features - `Inferred Service dependencies `_ are now Generally Available (exiting Beta) and enabled by default. Inferred Services of all kinds now have trace metrics and are available in dependency maps. `apm_config.peer_tags_aggregation` and `apm_config.compute_stats_by_span_kind` both now default to `true` unless explicitly set to `false`. - Add `check_tag_cardinality` parameter config check. - + By default `check_tag_cardinality` is not set which doesn't change the behavior of the checks. Once it is set in pod annotaions, it overrides the cardinality value provided in the base agent configuration. Example of usage: @@ -71,7 +270,7 @@ New Features ad.datadoghq.com/redis.checks: | { "redisdb": { - "check_tag_cardinality": "high", + "check_tag_cardinality": "high", "instances": [ { "host": "%%host%%", @@ -100,7 +299,7 @@ Enhancement Notes based paths in Network Path. A cache of reverse DNS lookups is used to reduce the number of DNS queries. Additionally, reverse DNS lookups are now performed only - for private IPs and not for public IPs. + for private IPs and not for public IPs. - Agent flare now includes system-probe telemetry data via ``system-probe/system_probe_telemetry.log``. @@ -235,7 +434,7 @@ Enhancement Notes information about the Datadog Agent. This may include diagnostic logs and crash dumps of the Datadog Agent with obfuscated stack traces to support and further improve the Datadog Agent. - + More details could be found in the `docs `_ @@ -247,10 +446,10 @@ Enhancement Notes - Agents are now built with Go ``1.22.8``. -- While using the AWS Lambda Extension, when a Lambda Function is invoked by +- While using the AWS Lambda Extension, when a Lambda Function is invoked by a [properly instrumented][1] Step Function, the Lambda Function will create - its Trace and Parent IDs deterministically based on the Step Function's - execution context. + its Trace and Parent IDs deterministically based on the Step Function's + execution context. [1]: https://docs.datadoghq.com/serverless/step_functions/installation/?tab=custom "Install Serverless Monitoring for AWS Step Functions" - Updates default .NET library used for auto-instrumentation from v2 to v3 @@ -425,8 +624,8 @@ New Features - [oracle] Add the ``active_session_history`` configuration parameter to optionally ingest Oracle active session history samples instead of query sampling. - Added config option ``logs_config.tag_truncated_logs``. When - enabled, file logs will come with a tag ``truncated:true`` if - they were truncated by the Agent. + enabled, file logs will come with a tag ``truncated:true`` if + they were truncated by the Agent. .. _Release Notes_7.58.0_Enhancement Notes: @@ -480,7 +679,7 @@ Bug Fixes - Fixed issue with openSUSE 15 RC 6 where the eBPF tracer wouldn't start due to a failed validation of the ``tcp_sendpage`` probe. -- Fixed a rare issue where short-lived containers could cause +- Fixed a rare issue where short-lived containers could cause logs to be sent with the wrong container ID. - Fix Windows Process Agent argument stripping to account for spaces in the executable path. From 029e458d79022955510e7360d11417b14b47da1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20L=C3=B3pez=20de=20Heredia?= Date: Tue, 14 Jan 2025 15:09:45 +0100 Subject: [PATCH 05/25] [APM] Normalize _dd.base_service meta tag (#32901) --- pkg/trace/agent/normalizer.go | 20 ++++++++++++++++++++ pkg/trace/agent/normalizer_test.go | 26 +++++++++++++++++++++++++- pkg/trace/info/info_test.go | 20 ++++++++++++-------- pkg/trace/info/stats.go | 8 ++++++++ pkg/trace/info/stats_test.go | 20 ++++++++++++-------- 5 files changed, 77 insertions(+), 17 deletions(-) diff --git a/pkg/trace/agent/normalizer.go b/pkg/trace/agent/normalizer.go index 25bf18fca89f7d..16fe2c125e7c02 100644 --- a/pkg/trace/agent/normalizer.go +++ b/pkg/trace/agent/normalizer.go @@ -30,6 +30,8 @@ const ( tagSamplingPriority = "_sampling_priority_v1" // peerServiceKey is the key for the peer.service meta field. peerServiceKey = "peer.service" + // baseServiceKey is the key for the _dd.base_service meta field. + baseServiceKey = "_dd.base_service" ) var ( @@ -80,6 +82,24 @@ func (a *Agent) normalize(ts *info.TagStats, s *pb.Span) error { s.Meta[peerServiceKey] = ps } + bSvc, ok := s.Meta[baseServiceKey] + if ok { + bs, err := traceutil.NormalizePeerService(bSvc) + switch err { + case traceutil.ErrTooLong: + ts.SpansMalformed.BaseServiceTruncate.Inc() + log.Debugf("Fixing malformed trace. _dd.base_service is too long (reason:base_service_truncate), truncating _dd.base_service to length=%d: %s", traceutil.MaxServiceLen, bs) + case traceutil.ErrInvalid: + ts.SpansMalformed.BaseServiceInvalid.Inc() + log.Debugf("Fixing malformed trace. _dd.base_service is invalid (reason:base_service_invalid), replacing invalid _dd.base_service=%s with empty string", bSvc) + default: + if err != nil { + log.Debugf("Unexpected error in _dd.base_service normalization from original value (%s) to new value (%s): %s", bSvc, bs, err) + } + } + s.Meta[baseServiceKey] = bs + } + if a.conf.HasFeature("component2name") { // This feature flag determines the component tag to become the span name. // diff --git a/pkg/trace/agent/normalizer_test.go b/pkg/trace/agent/normalizer_test.go index 8ef3941f6c9bf2..b2e2f17bdeaae8 100644 --- a/pkg/trace/agent/normalizer_test.go +++ b/pkg/trace/agent/normalizer_test.go @@ -75,9 +75,13 @@ func TestNormalizeServicePassThru(t *testing.T) { a := &Agent{conf: config.New()} ts := newTagStats() s := newTestSpan() + s.Meta[peerServiceKey] = "foo" + s.Meta[baseServiceKey] = "bar" before := s.Service assert.NoError(t, a.normalize(ts, s)) assert.Equal(t, before, s.Service) + assert.Equal(t, "foo", s.Meta[peerServiceKey]) + assert.Equal(t, "bar", s.Meta[baseServiceKey]) assert.Equal(t, newTagStats(), ts) } @@ -86,8 +90,12 @@ func TestNormalizeEmptyServiceNoLang(t *testing.T) { ts := newTagStats() s := newTestSpan() s.Service = "" + s.Meta[peerServiceKey] = "" + s.Meta[baseServiceKey] = "" assert.NoError(t, a.normalize(ts, s)) assert.Equal(t, traceutil.DefaultServiceName, s.Service) + assert.Equal(t, "", s.Meta[peerServiceKey]) // no fallback on peer service tag + assert.Equal(t, "", s.Meta[baseServiceKey]) // no fallback on base service tag assert.Equal(t, tsMalformed(&info.SpansMalformed{ServiceEmpty: *atomic.NewInt64(1)}), ts) } @@ -97,8 +105,12 @@ func TestNormalizeEmptyServiceWithLang(t *testing.T) { s := newTestSpan() s.Service = "" ts.Lang = "java" + s.Meta[peerServiceKey] = "" + s.Meta[baseServiceKey] = "" assert.NoError(t, a.normalize(ts, s)) assert.Equal(t, s.Service, fmt.Sprintf("unnamed-%s-service", ts.Lang)) + assert.Equal(t, "", s.Meta[peerServiceKey]) // no fallback on peer service tag + assert.Equal(t, "", s.Meta[baseServiceKey]) // no fallback on base service tag tsExpected := tsMalformed(&info.SpansMalformed{ServiceEmpty: *atomic.NewInt64(1)}) tsExpected.Lang = ts.Lang assert.Equal(t, tsExpected, ts) @@ -109,9 +121,17 @@ func TestNormalizeLongService(t *testing.T) { ts := newTagStats() s := newTestSpan() s.Service = strings.Repeat("CAMEMBERT", 100) + s.Meta[peerServiceKey] = strings.Repeat("BRIE", 100) + s.Meta[baseServiceKey] = strings.Repeat("ROQUEFORT", 100) assert.NoError(t, a.normalize(ts, s)) assert.Equal(t, s.Service, s.Service[:traceutil.MaxServiceLen]) - assert.Equal(t, tsMalformed(&info.SpansMalformed{ServiceTruncate: *atomic.NewInt64(1)}), ts) + assert.Equal(t, s.Meta[peerServiceKey], s.Meta[peerServiceKey][:traceutil.MaxServiceLen]) + assert.Equal(t, s.Meta[baseServiceKey], s.Meta[baseServiceKey][:traceutil.MaxServiceLen]) + assert.Equal(t, tsMalformed(&info.SpansMalformed{ + ServiceTruncate: *atomic.NewInt64(1), + PeerServiceTruncate: *atomic.NewInt64(1), + BaseServiceTruncate: *atomic.NewInt64(1), + }), ts) } func TestNormalizeNamePassThru(t *testing.T) { @@ -423,8 +443,12 @@ func TestNormalizeServiceTag(t *testing.T) { ts := newTagStats() s := newTestSpan() s.Service = "retargeting(api-Staging " + s.Meta[peerServiceKey] = "retargeting(api-Peer " + s.Meta[baseServiceKey] = "retargeting(api-Base " assert.NoError(t, a.normalize(ts, s)) assert.Equal(t, "retargeting_api-staging", s.Service) + assert.Equal(t, "retargeting_api-peer", s.Meta[peerServiceKey]) + assert.Equal(t, "retargeting_api-base", s.Meta[baseServiceKey]) assert.Equal(t, newTagStats(), ts) } diff --git a/pkg/trace/info/info_test.go b/pkg/trace/info/info_test.go index 25b7cb42b13ffa..b15a604c640aa5 100644 --- a/pkg/trace/info/info_test.go +++ b/pkg/trace/info/info_test.go @@ -483,6 +483,8 @@ func TestPublishReceiverStats(t *testing.T) { atom(12), atom(13), atom(14), + atom(15), + atom(16), }, TracesFiltered: atom(4), TracesPriorityNone: atom(5), @@ -531,14 +533,16 @@ func TestPublishReceiverStats(t *testing.T) { "ServiceInvalid": 4.0, "PeerServiceTruncate": 5.0, "PeerServiceInvalid": 6.0, - "SpanNameEmpty": 7.0, - "SpanNameTruncate": 8.0, - "SpanNameInvalid": 9.0, - "ResourceEmpty": 10.0, - "TypeTruncate": 11.0, - "InvalidStartDate": 12.0, - "InvalidDuration": 13.0, - "InvalidHTTPStatusCode": 14.0, + "BaseServiceTruncate": 7.0, + "BaseServiceInvalid": 8.0, + "SpanNameEmpty": 9.0, + "SpanNameTruncate": 10.0, + "SpanNameInvalid": 11.0, + "ResourceEmpty": 12.0, + "TypeTruncate": 13.0, + "InvalidStartDate": 14.0, + "InvalidDuration": 15.0, + "InvalidHTTPStatusCode": 16.0, }, "SpansReceived": 10.0, "TracerVersion": "", diff --git a/pkg/trace/info/stats.go b/pkg/trace/info/stats.go index 289390aa3f507c..885e11a04162e1 100644 --- a/pkg/trace/info/stats.go +++ b/pkg/trace/info/stats.go @@ -263,6 +263,10 @@ type SpansMalformed struct { PeerServiceTruncate atomic.Int64 // PeerServiceInvalid is when a span's peer.service doesn't conform to Datadog tag naming standards PeerServiceInvalid atomic.Int64 + // BaseServiceTruncate is when a span's _dd.base_service is truncated for exceeding the max length + BaseServiceTruncate atomic.Int64 + // BaseServiceInvalid is when a span's _dd.base_service doesn't conform to Datadog tag naming standards + BaseServiceInvalid atomic.Int64 // SpanNameEmpty is when a span's Name is empty SpanNameEmpty atomic.Int64 // SpanNameTruncate is when a span's Name is truncated for exceeding the max length @@ -289,6 +293,8 @@ func (s *SpansMalformed) tagCounters() map[string]*atomic.Int64 { "service_invalid": &s.ServiceInvalid, "peer_service_truncate": &s.PeerServiceTruncate, "peer_service_invalid": &s.PeerServiceInvalid, + "base_service_truncate": &s.BaseServiceTruncate, + "base_service_invalid": &s.BaseServiceInvalid, "span_name_empty": &s.SpanNameEmpty, "span_name_truncate": &s.SpanNameTruncate, "span_name_invalid": &s.SpanNameInvalid, @@ -432,6 +438,8 @@ func (s *Stats) update(recent *Stats) { s.SpansMalformed.ServiceInvalid.Add(recent.SpansMalformed.ServiceInvalid.Load()) s.SpansMalformed.PeerServiceTruncate.Add(recent.SpansMalformed.PeerServiceTruncate.Load()) s.SpansMalformed.PeerServiceInvalid.Add(recent.SpansMalformed.PeerServiceInvalid.Load()) + s.SpansMalformed.BaseServiceTruncate.Add(recent.SpansMalformed.BaseServiceTruncate.Load()) + s.SpansMalformed.BaseServiceInvalid.Add(recent.SpansMalformed.BaseServiceInvalid.Load()) s.SpansMalformed.SpanNameEmpty.Add(recent.SpansMalformed.SpanNameEmpty.Load()) s.SpansMalformed.SpanNameTruncate.Add(recent.SpansMalformed.SpanNameTruncate.Load()) s.SpansMalformed.SpanNameInvalid.Add(recent.SpansMalformed.SpanNameInvalid.Load()) diff --git a/pkg/trace/info/stats_test.go b/pkg/trace/info/stats_test.go index 13f257a031f11f..cecc9f1194e07e 100644 --- a/pkg/trace/info/stats_test.go +++ b/pkg/trace/info/stats_test.go @@ -61,6 +61,8 @@ func TestSpansMalformed(t *testing.T) { "service_truncate": 0, "peer_service_truncate": 0, "peer_service_invalid": 0, + "base_service_truncate": 0, + "base_service_invalid": 0, "invalid_start_date": 0, "invalid_http_status_code": 0, "invalid_duration": 0, @@ -217,12 +219,14 @@ func TestReceiverStats(t *testing.T) { stats.SpansMalformed.SpanNameTruncate.Store(6) stats.SpansMalformed.PeerServiceTruncate.Store(7) stats.SpansMalformed.PeerServiceInvalid.Store(8) - stats.SpansMalformed.SpanNameInvalid.Store(9) - stats.SpansMalformed.ResourceEmpty.Store(10) - stats.SpansMalformed.TypeTruncate.Store(11) - stats.SpansMalformed.InvalidStartDate.Store(12) - stats.SpansMalformed.InvalidDuration.Store(13) - stats.SpansMalformed.InvalidHTTPStatusCode.Store(14) + stats.SpansMalformed.BaseServiceTruncate.Store(9) + stats.SpansMalformed.BaseServiceInvalid.Store(10) + stats.SpansMalformed.SpanNameInvalid.Store(11) + stats.SpansMalformed.ResourceEmpty.Store(12) + stats.SpansMalformed.TypeTruncate.Store(13) + stats.SpansMalformed.InvalidStartDate.Store(14) + stats.SpansMalformed.InvalidDuration.Store(15) + stats.SpansMalformed.InvalidHTTPStatusCode.Store(16) return &ReceiverStats{ Stats: map[Tags]*TagStats{ tags: { @@ -236,7 +240,7 @@ func TestReceiverStats(t *testing.T) { t.Run("PublishAndReset", func(t *testing.T) { rs := testStats() rs.PublishAndReset(statsclient) - assert.EqualValues(t, 42, len(statsclient.CountCalls)) + assert.EqualValues(t, 44, len(statsclient.CountCalls)) assertStatsAreReset(t, rs) }) @@ -258,7 +262,7 @@ func TestReceiverStats(t *testing.T) { logs := strings.Split(b.String(), "\n") assert.Equal(t, "[INFO] [lang:go lang_version:1.12 lang_vendor:gov interpreter:gcc tracer_version:1.33 endpoint_version:v0.4 service:service] -> traces received: 1, traces filtered: 4, traces amount: 9 bytes, events extracted: 13, events sampled: 14", logs[0]) - assert.Equal(t, "[WARN] [lang:go lang_version:1.12 lang_vendor:gov interpreter:gcc tracer_version:1.33 endpoint_version:v0.4 service:service] -> traces_dropped(decoding_error:1, empty_trace:3, foreign_span:6, payload_too_large:2, span_id_zero:5, timeout:7, trace_id_zero:4, unexpected_eof:8), spans_malformed(duplicate_span_id:1, invalid_duration:13, invalid_http_status_code:14, invalid_start_date:12, peer_service_invalid:8, peer_service_truncate:7, resource_empty:10, service_empty:2, service_invalid:4, service_truncate:3, span_name_empty:5, span_name_invalid:9, span_name_truncate:6, type_truncate:11). Enable debug logging for more details.", + assert.Equal(t, "[WARN] [lang:go lang_version:1.12 lang_vendor:gov interpreter:gcc tracer_version:1.33 endpoint_version:v0.4 service:service] -> traces_dropped(decoding_error:1, empty_trace:3, foreign_span:6, payload_too_large:2, span_id_zero:5, timeout:7, trace_id_zero:4, unexpected_eof:8), spans_malformed(base_service_invalid:10, base_service_truncate:9, duplicate_span_id:1, invalid_duration:15, invalid_http_status_code:16, invalid_start_date:14, peer_service_invalid:8, peer_service_truncate:7, resource_empty:12, service_empty:2, service_invalid:4, service_truncate:3, span_name_empty:5, span_name_invalid:11, span_name_truncate:6, type_truncate:13). Enable debug logging for more details.", logs[1]) assertStatsAreReset(t, rs) From b9977d51f7e16f38e9e994ee0cb4b1efa1785e97 Mon Sep 17 00:00:00 2001 From: Vincent Whitchurch Date: Tue, 14 Jan 2025 15:35:19 +0100 Subject: [PATCH 06/25] usm: test: Fix wrong assumption in watcher test (#32949) --- pkg/network/usm/sharedlibraries/watcher_test.go | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/pkg/network/usm/sharedlibraries/watcher_test.go b/pkg/network/usm/sharedlibraries/watcher_test.go index 21ca3ee9fec7ee..e2f6652e91d0b3 100644 --- a/pkg/network/usm/sharedlibraries/watcher_test.go +++ b/pkg/network/usm/sharedlibraries/watcher_test.go @@ -290,11 +290,16 @@ func (s *SharedLibrarySuite) TestSharedLibraryDetectionPeriodic() { require.EventuallyWithT(t, func(c *assert.CollectT) { assert.Equal(c, 1, registerRecorder.CallsForPathID(fooPathID1)) - // Check that we tried to attach to the process twice. See w.sync() for - // why we do it. We don't actually need to attempt the registration - // twice, we just need to ensure that the maps were scanned twice but we - // don't have a hook for that so this check should be good enough. - assert.Equal(c, 2, registerRecorder.CallsForPathID(errorPathID)) + // We expect at least one registration attempt to the error path, but + // there could be up to two since w.sync() can scan the maps file twice. + // We can't _guarantee_ there will be two registration attempts in this + // test though because the first attempt could have happened before the + // process opened the shared library (and we don't want to move the + // watcher start to after the process start since that would test the + // initial scan and not the periodic). + errorCalls := registerRecorder.CallsForPathID(errorPathID) + assert.GreaterOrEqual(c, errorCalls, 1) + assert.LessOrEqual(c, errorCalls, 2) }, time.Second*10, 100*time.Millisecond, "") require.EventuallyWithT(t, func(c *assert.CollectT) { From 6453e2c1863ac18198f157c04ead0010db7fc920 Mon Sep 17 00:00:00 2001 From: Brian Floersch Date: Tue, 14 Jan 2025 09:45:10 -0500 Subject: [PATCH 07/25] Improve auto multiline v2 truncation behavior to be consistent with single line logs (#32831) Co-authored-by: ddrthall --- .../auto_multiline_detection/aggregator.go | 86 ++++++++---- .../aggregator_test.go | 129 +++++++++++++++--- .../internal/decoder/single_line_handler.go | 4 +- .../decoder/single_line_handler_test.go | 2 +- 4 files changed, 177 insertions(+), 44 deletions(-) diff --git a/pkg/logs/internal/decoder/auto_multiline_detection/aggregator.go b/pkg/logs/internal/decoder/auto_multiline_detection/aggregator.go index 36892db9980f2d..61556d6028a631 100644 --- a/pkg/logs/internal/decoder/auto_multiline_detection/aggregator.go +++ b/pkg/logs/internal/decoder/auto_multiline_detection/aggregator.go @@ -18,12 +18,14 @@ import ( type bucket struct { tagTruncatedLogs bool tagMultiLineLogs bool + maxContentSize int message *message.Message originalDataLen int buffer *bytes.Buffer lineCount int - truncated bool + shouldTruncate bool + needsTruncation bool } func (b *bucket) add(msg *message.Message) { @@ -42,24 +44,36 @@ func (b *bucket) isEmpty() bool { return b.originalDataLen == 0 } -func (b *bucket) truncate() { - b.buffer.Write(message.TruncatedFlag) - b.truncated = true +func (b *bucket) reset() { + b.buffer.Reset() + b.message = nil + b.lineCount = 0 + b.originalDataLen = 0 + b.needsTruncation = false } func (b *bucket) flush() *message.Message { - defer func() { - b.buffer.Reset() - b.message = nil - b.lineCount = 0 - b.originalDataLen = 0 - b.truncated = false - }() + defer b.reset() + + lastWasTruncated := b.shouldTruncate + b.shouldTruncate = b.buffer.Len() >= b.maxContentSize || b.needsTruncation data := bytes.TrimSpace(b.buffer.Bytes()) content := make([]byte, len(data)) copy(content, data) + if lastWasTruncated { + // The previous line has been truncated because it was too long, + // the new line is just the remainder. Add the truncated flag at + // the beginning of the content. + content = append(message.TruncatedFlag, content...) + } + + if b.shouldTruncate { + // The current line is too long. Mark it truncated at the end. + content = append(content, message.TruncatedFlag...) + } + msg := message.NewRawMessage(content, b.message.Status, b.originalDataLen, b.message.ParsingExtra.Timestamp) tlmTags := []string{"false", "single_line"} @@ -71,11 +85,15 @@ func (b *bucket) flush() *message.Message { } } - if b.truncated { + if lastWasTruncated || b.shouldTruncate { msg.ParsingExtra.IsTruncated = true tlmTags[0] = "true" if b.tagTruncatedLogs { - msg.ParsingExtra.Tags = append(msg.ParsingExtra.Tags, message.TruncatedReasonTag("auto_multiline")) + if b.lineCount > 1 { + msg.ParsingExtra.Tags = append(msg.ParsingExtra.Tags, message.TruncatedReasonTag("auto_multiline")) + } else { + msg.ParsingExtra.Tags = append(msg.ParsingExtra.Tags, message.TruncatedReasonTag("single_line")) + } } } @@ -103,7 +121,7 @@ func NewAggregator(outputFn func(m *message.Message), maxContentSize int, flushT return &Aggregator{ outputFn: outputFn, - bucket: &bucket{buffer: bytes.NewBuffer(nil), tagTruncatedLogs: tagTruncatedLogs, tagMultiLineLogs: tagMultiLineLogs}, + bucket: &bucket{buffer: bytes.NewBuffer(nil), tagTruncatedLogs: tagTruncatedLogs, tagMultiLineLogs: tagMultiLineLogs, maxContentSize: maxContentSize, lineCount: 0, shouldTruncate: false, needsTruncation: false}, maxContentSize: maxContentSize, flushTimeout: flushTimeout, multiLineMatchInfo: multiLineMatchInfo, @@ -120,34 +138,49 @@ func (a *Aggregator) Aggregate(msg *message.Message, label Label) { // If `noAggregate` - flush the bucket immediately and then flush the next message. if label == noAggregate { a.Flush() - a.outputFn(msg) + a.bucket.shouldTruncate = false // noAggregate messages should never be truncated at the beginning (Could break JSON formatted messages) + a.bucket.add(msg) + a.Flush() return } // If `aggregate` and the bucket is empty - flush the next message. if label == aggregate && a.bucket.isEmpty() { - a.outputFn(msg) + a.bucket.add(msg) + a.Flush() return } - // If `startGroup` - flush the bucket. + // If `startGroup` - flush the old bucket to form a new group. if label == startGroup { - a.multiLineMatchInfo.Add(1) a.Flush() + a.multiLineMatchInfo.Add(1) + a.bucket.add(msg) + if msg.RawDataLen >= a.maxContentSize { + // Start group is too big to append anything to, flush it and reset. + a.Flush() + } + return + } - // At this point we either have `startGroup` with an empty bucket or `aggregate` with a non-empty bucket - // so we add the message to the bucket or flush if the bucket will overflow the max content size. - if msg.RawDataLen+a.bucket.buffer.Len() > a.maxContentSize && !a.bucket.isEmpty() { - a.bucket.truncate() // Truncate the end of the current bucket + // Check for a total buffer size larger than the limit. This should only be reachable by an aggregate label + // following a smaller than max-size start group label, and will result in the reset (flush) of the entire bucket. + // This reset will intentionally break multi-line detection and aggregation for logs larger than the limit, because + // doing so is safer than assuming we will correctly get a new startGroup for subsequent single line logs. + if msg.RawDataLen+a.bucket.buffer.Len() >= a.maxContentSize { + a.bucket.needsTruncation = true + a.bucket.lineCount++ // Account for the current (not yet processed) message being part of the same log a.Flush() - a.bucket.truncate() // Truncate the start of the next bucket - } - if !a.bucket.isEmpty() { - a.linesCombinedInfo.Add(1) + a.bucket.lineCount++ // Account for the previous (now flushed) message being part of the same log + a.bucket.add(msg) + a.Flush() + return } + // We're an aggregate label within a startGroup and within the maxContentSize. Append new multiline + a.linesCombinedInfo.Add(1) a.bucket.add(msg) } @@ -184,6 +217,7 @@ func (a *Aggregator) FlushChan() <-chan time.Time { // Flush flushes the aggregator. func (a *Aggregator) Flush() { if a.bucket.isEmpty() { + a.bucket.reset() return } a.outputFn(a.bucket.flush()) diff --git a/pkg/logs/internal/decoder/auto_multiline_detection/aggregator_test.go b/pkg/logs/internal/decoder/auto_multiline_detection/aggregator_test.go index 93906f22ed4955..d9b15032f28d53 100644 --- a/pkg/logs/internal/decoder/auto_multiline_detection/aggregator_test.go +++ b/pkg/logs/internal/decoder/auto_multiline_detection/aggregator_test.go @@ -34,6 +34,11 @@ func assertMessageContent(t *testing.T, m *message.Message, content string) { assert.Equal(t, m.IsMultiLine, isMultiLine) } +func assertTrailingMultiline(t *testing.T, m *message.Message, content string) { + assert.Equal(t, content, string(m.GetContent())) + assert.Equal(t, m.IsMultiLine, true) +} + func TestNoAggregate(t *testing.T) { outputChan, outputFn := makeHandler() ag := NewAggregator(outputFn, 100, time.Duration(1*time.Second), false, false, status.NewInfoRegistry()) @@ -127,36 +132,84 @@ func TestTagTruncatedLogs(t *testing.T) { outputChan, outputFn := makeHandler() ag := NewAggregator(outputFn, 10, time.Duration(1*time.Second), true, false, status.NewInfoRegistry()) + // First 3 should be tagged as single line logs since they are too big to aggregate no matter what the label is. ag.Aggregate(newMessage("1234567890"), startGroup) - ag.Aggregate(newMessage("12345678901"), aggregate) // Causes overflow, truncate and flush + ag.Aggregate(newMessage("12345678901"), aggregate) ag.Aggregate(newMessage("12345"), aggregate) - ag.Aggregate(newMessage("6789"), aggregate) - ag.Aggregate(newMessage("3"), noAggregate) + + // Next 3 lines should be tagged as multiline since they were truncated after a group was started + ag.Aggregate(newMessage("1234"), startGroup) + ag.Aggregate(newMessage("5678"), aggregate) + ag.Aggregate(newMessage("90"), aggregate) + + // No aggregate should not be truncated + ag.Aggregate(newMessage("00"), noAggregate) msg := <-outputChan assert.True(t, msg.ParsingExtra.IsTruncated) - assert.Equal(t, msg.ParsingExtra.Tags, []string{message.TruncatedReasonTag("auto_multiline")}) + assert.Equal(t, msg.ParsingExtra.Tags, []string{message.TruncatedReasonTag("single_line")}) assertMessageContent(t, msg, "1234567890...TRUNCATED...") msg = <-outputChan assert.True(t, msg.ParsingExtra.IsTruncated) - assert.Equal(t, msg.ParsingExtra.Tags, []string{message.TruncatedReasonTag("auto_multiline")}) + assert.Equal(t, msg.ParsingExtra.Tags, []string{message.TruncatedReasonTag("single_line")}) assertMessageContent(t, msg, "...TRUNCATED...12345678901...TRUNCATED...") + msg = <-outputChan + assert.True(t, msg.ParsingExtra.IsTruncated) + assert.Equal(t, msg.ParsingExtra.Tags, []string{message.TruncatedReasonTag("single_line")}) + assertMessageContent(t, msg, "...TRUNCATED...12345") + msg = <-outputChan assert.True(t, msg.ParsingExtra.IsTruncated) assert.Equal(t, msg.ParsingExtra.Tags, []string{message.TruncatedReasonTag("auto_multiline")}) - assertMessageContent(t, msg, "...TRUNCATED...12345...TRUNCATED...") + assertMessageContent(t, msg, "1234\\n5678...TRUNCATED...") msg = <-outputChan assert.True(t, msg.ParsingExtra.IsTruncated) assert.Equal(t, msg.ParsingExtra.Tags, []string{message.TruncatedReasonTag("auto_multiline")}) - assertMessageContent(t, msg, "...TRUNCATED...6789") + assertTrailingMultiline(t, msg, "...TRUNCATED...90") msg = <-outputChan assert.False(t, msg.ParsingExtra.IsTruncated) assert.Empty(t, msg.ParsingExtra.Tags) - assertMessageContent(t, msg, "3") + assertMessageContent(t, msg, "00") +} + +func TestSingleGroupIsTruncatedAsMultilineLog(t *testing.T) { + outputChan, outputFn := makeHandler() + ag := NewAggregator(outputFn, 5, time.Duration(1*time.Second), true, false, status.NewInfoRegistry()) + + ag.Aggregate(newMessage("123"), startGroup) + ag.Aggregate(newMessage("456"), aggregate) + + msg := <-outputChan + assert.True(t, msg.ParsingExtra.IsTruncated) + assert.Equal(t, msg.ParsingExtra.Tags, []string{message.TruncatedReasonTag("auto_multiline")}) + assertTrailingMultiline(t, msg, "123...TRUNCATED...") + + msg = <-outputChan + assert.True(t, msg.ParsingExtra.IsTruncated) + assert.Equal(t, msg.ParsingExtra.Tags, []string{message.TruncatedReasonTag("auto_multiline")}) + assertTrailingMultiline(t, msg, "...TRUNCATED...456") +} + +func TestSingleLineTruncatedLogIsTaggedSingleLine(t *testing.T) { + outputChan, outputFn := makeHandler() + ag := NewAggregator(outputFn, 5, time.Duration(1*time.Second), true, false, status.NewInfoRegistry()) + + ag.Aggregate(newMessage("12345"), startGroup) // Exactly the size of the max message size - simulates truncation in the framer + ag.Aggregate(newMessage("456"), aggregate) + + msg := <-outputChan + assert.True(t, msg.ParsingExtra.IsTruncated) + assert.Equal(t, msg.ParsingExtra.Tags, []string{message.TruncatedReasonTag("single_line")}) + assertMessageContent(t, msg, "12345...TRUNCATED...") + + msg = <-outputChan + assert.True(t, msg.ParsingExtra.IsTruncated) + assert.Equal(t, msg.ParsingExtra.Tags, []string{message.TruncatedReasonTag("single_line")}) + assertMessageContent(t, msg, "...TRUNCATED...456") } func TestTagMultiLineLogs(t *testing.T) { @@ -164,7 +217,7 @@ func TestTagMultiLineLogs(t *testing.T) { ag := NewAggregator(outputFn, 10, time.Duration(1*time.Second), false, true, status.NewInfoRegistry()) ag.Aggregate(newMessage("12345"), startGroup) - ag.Aggregate(newMessage("67890"), aggregate) + ag.Aggregate(newMessage("6789"), aggregate) ag.Aggregate(newMessage("1"), aggregate) // Causes overflow, truncate and flush ag.Aggregate(newMessage("2"), noAggregate) @@ -172,13 +225,13 @@ func TestTagMultiLineLogs(t *testing.T) { assert.True(t, msg.ParsingExtra.IsMultiLine) assert.True(t, msg.ParsingExtra.IsTruncated) assert.Equal(t, msg.ParsingExtra.Tags, []string{message.MultiLineSourceTag("auto_multiline")}) - assertMessageContent(t, msg, "12345\\n67890...TRUNCATED...") + assertMessageContent(t, msg, "12345\\n6789...TRUNCATED...") msg = <-outputChan - assert.False(t, msg.ParsingExtra.IsMultiLine) + assert.True(t, msg.ParsingExtra.IsMultiLine) assert.True(t, msg.ParsingExtra.IsTruncated) - assert.Empty(t, msg.ParsingExtra.Tags) - assertMessageContent(t, msg, "...TRUNCATED...1") + assert.Equal(t, msg.ParsingExtra.Tags, []string{message.MultiLineSourceTag("auto_multiline")}) + assertTrailingMultiline(t, msg, "...TRUNCATED...1") msg = <-outputChan assert.False(t, msg.ParsingExtra.IsMultiLine) @@ -187,14 +240,58 @@ func TestTagMultiLineLogs(t *testing.T) { assertMessageContent(t, msg, "2") } -func TestStartGruopIsNotTruncatedWithoutAggreagation(t *testing.T) { +func TestSingleLineTooLongTruncation(t *testing.T) { outputChan, outputFn := makeHandler() ag := NewAggregator(outputFn, 5, time.Duration(1*time.Second), false, true, status.NewInfoRegistry()) - ag.Aggregate(newMessage("123456"), startGroup) + // Multi line log where each message is too large except the last one + ag.Aggregate(newMessage("123"), startGroup) + ag.Aggregate(newMessage("456"), aggregate) + ag.Aggregate(newMessage("123456"), aggregate) + ag.Aggregate(newMessage("123"), aggregate) // Force a flush ag.Aggregate(newMessage(""), startGroup) msg := <-outputChan - assertMessageContent(t, msg, "123456") + assertTrailingMultiline(t, msg, "123...TRUNCATED...") + msg = <-outputChan + assertTrailingMultiline(t, msg, "...TRUNCATED...456") + msg = <-outputChan + assertMessageContent(t, msg, "123456...TRUNCATED...") + msg = <-outputChan + assertMessageContent(t, msg, "...TRUNCATED...123") + + // Single line logs where each message is too large except the last + ag.Aggregate(newMessage("123456"), startGroup) + ag.Aggregate(newMessage("123456"), startGroup) + ag.Aggregate(newMessage("123456"), startGroup) + ag.Aggregate(newMessage("123"), startGroup) + // Force a flush + ag.Aggregate(newMessage(""), startGroup) + + msg = <-outputChan + assertMessageContent(t, msg, "123456...TRUNCATED...") + msg = <-outputChan + assertMessageContent(t, msg, "...TRUNCATED...123456...TRUNCATED...") + msg = <-outputChan + assertMessageContent(t, msg, "...TRUNCATED...123456...TRUNCATED...") + msg = <-outputChan + assertMessageContent(t, msg, "...TRUNCATED...123") + + // No aggregate logs should never be truncated from the previous message (Could break a JSON payload) + ag.Aggregate(newMessage("123456"), startGroup) + ag.Aggregate(newMessage("123456"), noAggregate) + ag.Aggregate(newMessage("123456"), startGroup) + ag.Aggregate(newMessage("123"), startGroup) + // Force a flush + ag.Aggregate(newMessage(""), startGroup) + + msg = <-outputChan + assertMessageContent(t, msg, "123456...TRUNCATED...") + msg = <-outputChan + assertMessageContent(t, msg, "123456...TRUNCATED...") + msg = <-outputChan + assertMessageContent(t, msg, "...TRUNCATED...123456...TRUNCATED...") + msg = <-outputChan + assertMessageContent(t, msg, "...TRUNCATED...123") } diff --git a/pkg/logs/internal/decoder/single_line_handler.go b/pkg/logs/internal/decoder/single_line_handler.go index 8e93cb63e08141..b69c2a78c86f68 100644 --- a/pkg/logs/internal/decoder/single_line_handler.go +++ b/pkg/logs/internal/decoder/single_line_handler.go @@ -59,7 +59,6 @@ func (h *SingleLineHandler) process(msg *message.Message) { // the new line is just a remainder, // adding the truncated flag at the beginning of the content content = append(message.TruncatedFlag, content...) - addTruncatedTag(msg) } // how should we detect logs which are too long before rendering them? @@ -67,6 +66,9 @@ func (h *SingleLineHandler) process(msg *message.Message) { // the line is too long, it needs to be cut off and send, // adding the truncated flag the end of the content content = append(content, message.TruncatedFlag...) + } + + if lastWasTruncated || h.shouldTruncate { addTruncatedTag(msg) } diff --git a/pkg/logs/internal/decoder/single_line_handler_test.go b/pkg/logs/internal/decoder/single_line_handler_test.go index 8fe3d00b574e58..579c39ed559b6f 100644 --- a/pkg/logs/internal/decoder/single_line_handler_test.go +++ b/pkg/logs/internal/decoder/single_line_handler_test.go @@ -64,7 +64,7 @@ func TestSingleLineHandlerProcess(t *testing.T) { string(message.TruncatedFlag) + "aaaaaaaaaaaaaaaaaaaa" + string(message.TruncatedFlag), string(message.TruncatedFlag) + "wait, how many a's?", }, - expTags: [][]string{{truncateTag}, {truncateTag, truncateTag}, {truncateTag}}, + expTags: [][]string{{truncateTag}, {truncateTag}, {truncateTag}}, tagTruncatedLogs: true, }, { From 87163c31bfcae2e6e3edb6cf5b3581350a541765 Mon Sep 17 00:00:00 2001 From: Julien Lebot Date: Tue, 14 Jan 2025 15:48:16 +0100 Subject: [PATCH 08/25] Move the tests requiring FIPS into the same folder (#32849) --- .gitlab/e2e_install_packages/windows.yml | 8 ++++++-- .../mutually_exclusive_product_test.go | 10 +++++----- .../tests/windows/install-test/agent_user_test.go | 2 +- test/new-e2e/tests/windows/install-test/base.go | 3 ++- .../install-test/install_subservices_test.go | 2 +- .../tests/windows/install-test/install_test.go | 14 +++++++------- .../new-e2e/tests/windows/install-test/npm_test.go | 8 ++++---- .../tests/windows/install-test/upgrade_test.go | 14 +++++++------- 8 files changed, 33 insertions(+), 28 deletions(-) rename test/new-e2e/tests/windows/{install-test => fips-test}/mutually_exclusive_product_test.go (94%) diff --git a/.gitlab/e2e_install_packages/windows.yml b/.gitlab/e2e_install_packages/windows.yml index 40fb862e2397b3..aaf2f4d361b465 100644 --- a/.gitlab/e2e_install_packages/windows.yml +++ b/.gitlab/e2e_install_packages/windows.yml @@ -58,8 +58,6 @@ - E2E_MSI_TEST: TestNPMInstallWithAddLocal - E2E_MSI_TEST: TestNPMUpgradeFromBeta - E2E_MSI_TEST: TestUpgradeFromV6 - - E2E_MSI_TEST: TestFIPSAgentDoesNotInstallOverAgent - - E2E_MSI_TEST: TestAgentDoesNotInstallOverFIPSAgent new-e2e_windows_powershell_module_test: extends: .new_e2e_template @@ -116,7 +114,13 @@ new-e2e-windows-agent-a7-x86_64-fips: - .new-e2e_agent_a7 needs: - !reference [.needs_new_e2e_template] + - deploy_windows_testing-a7 - deploy_windows_testing-a7-fips + parallel: + matrix: + - EXTRA_PARAMS: --run "TestFIPSAgent$" + - EXTRA_PARAMS: --run "TestFIPSAgentDoesNotInstallOverAgent$" + - EXTRA_PARAMS: --run "TestAgentDoesNotInstallOverFIPSAgent$" rules: - !reference [.on_deploy] - !reference [.on_e2e_or_windows_installer_changes] diff --git a/test/new-e2e/tests/windows/install-test/mutually_exclusive_product_test.go b/test/new-e2e/tests/windows/fips-test/mutually_exclusive_product_test.go similarity index 94% rename from test/new-e2e/tests/windows/install-test/mutually_exclusive_product_test.go rename to test/new-e2e/tests/windows/fips-test/mutually_exclusive_product_test.go index 1e4c084400d4d7..a844f68ed1b4a0 100644 --- a/test/new-e2e/tests/windows/install-test/mutually_exclusive_product_test.go +++ b/test/new-e2e/tests/windows/fips-test/mutually_exclusive_product_test.go @@ -3,14 +3,15 @@ // This product includes software developed at Datadog (https://www.datadoghq.com/). // Copyright 2016-present Datadog, Inc. -package installtest +package fipstest import ( "os" "path/filepath" "strings" - "github.com/DataDog/datadog-agent/pkg/util/testutil/flake" + installtest "github.com/DataDog/datadog-agent/test/new-e2e/tests/windows/install-test" + "github.com/DataDog/datadog-agent/test/new-e2e/pkg/environments" "github.com/DataDog/datadog-agent/test/new-e2e/tests/windows" windowsCommon "github.com/DataDog/datadog-agent/test/new-e2e/tests/windows/common" @@ -37,7 +38,7 @@ func TestFIPSAgentDoesNotInstallOverAgent(t *testing.T) { require.NoError(t, err, "should get last stable agent package from env") s.previousAgentPackage = previousAgentPackage os.Setenv(windowsAgent.PackageFlavorEnvVar, "fips") - run(t, s) + installtest.Run[environments.WindowsHost](t, s) } // TestAgentDoesNotInstallOverFIPSAgent tests that the base Agent cannot be installed over the FIPS agent @@ -51,7 +52,7 @@ func TestAgentDoesNotInstallOverFIPSAgent(t *testing.T) { require.NoError(t, err, "should get Agent package from env") s.previousAgentPackage = previousAgentPackage os.Setenv(windowsAgent.PackageFlavorEnvVar, "base") - run(t, s) + installtest.Run[environments.WindowsHost](t, s) } func (s *mutuallyExclusiveInstallSuite) SetupSuite() { @@ -68,7 +69,6 @@ func (s *mutuallyExclusiveInstallSuite) SetupSuite() { } func (s *mutuallyExclusiveInstallSuite) TestMutuallyExclusivePackage() { - flake.Mark(s.T()) host := s.Env().RemoteHost // Install second Agent diff --git a/test/new-e2e/tests/windows/install-test/agent_user_test.go b/test/new-e2e/tests/windows/install-test/agent_user_test.go index 225da860010c32..dc58e05ea776e8 100644 --- a/test/new-e2e/tests/windows/install-test/agent_user_test.go +++ b/test/new-e2e/tests/windows/install-test/agent_user_test.go @@ -142,7 +142,7 @@ func TestAgentUser(t *testing.T) { tc: tc, } t.Run(tc.TC().name, func(t *testing.T) { - run(t, s) + Run(t, s) }) } } diff --git a/test/new-e2e/tests/windows/install-test/base.go b/test/new-e2e/tests/windows/install-test/base.go index 5646e7d8a20af2..ba4f68158f05c4 100644 --- a/test/new-e2e/tests/windows/install-test/base.go +++ b/test/new-e2e/tests/windows/install-test/base.go @@ -260,7 +260,8 @@ func isCI() bool { return os.Getenv("CI") != "" } -func run[Env any](t *testing.T, s e2e.Suite[Env]) { +// Run sets some options and runs an install test. +func Run[Env any](t *testing.T, s e2e.Suite[Env]) { opts := []e2e.SuiteOption{e2e.WithProvisioner(awsHostWindows.ProvisionerNoAgentNoFakeIntake())} agentPackage, err := windowsAgent.GetPackageFromEnv() diff --git a/test/new-e2e/tests/windows/install-test/install_subservices_test.go b/test/new-e2e/tests/windows/install-test/install_subservices_test.go index 6a281bca8a3227..8aea1a9c5acdd0 100644 --- a/test/new-e2e/tests/windows/install-test/install_subservices_test.go +++ b/test/new-e2e/tests/windows/install-test/install_subservices_test.go @@ -42,7 +42,7 @@ func TestSubServicesOpts(t *testing.T) { tc: tc, } t.Run(tc.name, func(t *testing.T) { - run(t, s) + Run(t, s) }) // clean the host between test runs s.cleanupOnSuccessInDevMode() diff --git a/test/new-e2e/tests/windows/install-test/install_test.go b/test/new-e2e/tests/windows/install-test/install_test.go index 9ca039c19bf525..95823f0a8ca8d9 100644 --- a/test/new-e2e/tests/windows/install-test/install_test.go +++ b/test/new-e2e/tests/windows/install-test/install_test.go @@ -26,7 +26,7 @@ import ( func TestInstall(t *testing.T) { s := &testInstallSuite{} - run(t, s) + Run(t, s) } type testInstallSuite struct { @@ -127,7 +127,7 @@ func (s *testInstallSuite) testCodeSignatures(t *Tester, remoteMSIPath string) { // checks that the files are not removed func TestInstallExistingAltDir(t *testing.T) { s := &testInstallExistingAltDirSuite{} - run(t, s) + Run(t, s) } type testInstallExistingAltDirSuite struct { @@ -189,7 +189,7 @@ func (s *testInstallExistingAltDirSuite) TestInstallExistingAltDir() { func TestInstallAltDir(t *testing.T) { s := &testInstallAltDirSuite{} - run(t, s) + Run(t, s) } type testInstallAltDirSuite struct { @@ -224,7 +224,7 @@ func (s *testInstallAltDirSuite) TestInstallAltDir() { func TestInstallAltDirAndCorruptForUninstall(t *testing.T) { s := &testInstallAltDirAndCorruptForUninstallSuite{} - run(t, s) + Run(t, s) } type testInstallAltDirAndCorruptForUninstallSuite struct { @@ -261,7 +261,7 @@ func (s *testInstallAltDirAndCorruptForUninstallSuite) TestInstallAltDirAndCorru func TestRepair(t *testing.T) { s := &testRepairSuite{} - run(t, s) + Run(t, s) } type testRepairSuite struct { @@ -313,7 +313,7 @@ func (s *testRepairSuite) TestRepair() { func TestInstallOpts(t *testing.T) { s := &testInstallOptsSuite{} - run(t, s) + Run(t, s) } type testInstallOptsSuite struct { @@ -420,7 +420,7 @@ func (s *testInstallOptsSuite) TestInstallOpts() { func TestInstallFail(t *testing.T) { s := &testInstallFailSuite{} - run(t, s) + Run(t, s) } type testInstallFailSuite struct { diff --git a/test/new-e2e/tests/windows/install-test/npm_test.go b/test/new-e2e/tests/windows/install-test/npm_test.go index e6a70d4140acaf..b674713aafa659 100644 --- a/test/new-e2e/tests/windows/install-test/npm_test.go +++ b/test/new-e2e/tests/windows/install-test/npm_test.go @@ -28,7 +28,7 @@ import ( func TestNPMUpgradeToNPM(t *testing.T) { s := &testNPMUpgradeToNPMSuite{} s.previousVersion = "7.42.0-1" - run(t, s) + Run(t, s) } type testNPMUpgradeToNPMSuite struct { @@ -55,7 +55,7 @@ func (s *testNPMUpgradeToNPMSuite) TestNPMUgpradeToNPM() { func TestNPMUpgradeNPMToNPM(t *testing.T) { s := &testNPMUpgradeNPMToNPMSuite{} s.previousVersion = "7.42.0-1" - run(t, s) + Run(t, s) } type testNPMUpgradeNPMToNPMSuite struct { @@ -84,7 +84,7 @@ func (s *testNPMUpgradeNPMToNPMSuite) TestNPMUpgradeNPMToNPM() { // Old name: Scenario 9 func TestNPMInstallWithAddLocal(t *testing.T) { s := &testNPMInstallWithAddLocalSuite{} - run(t, s) + Run(t, s) } type testNPMInstallWithAddLocalSuite struct { @@ -113,7 +113,7 @@ func TestNPMUpgradeFromBeta(t *testing.T) { s := &testNPMUpgradeFromBeta{} s.previousVersion = "7.23.2-beta1-1" s.url = "https://ddagent-windows-unstable.s3.amazonaws.com/datadog-agent-7.23.2-beta1-1-x86_64.msi" - run(t, s) + Run(t, s) } type testNPMUpgradeFromBeta struct { diff --git a/test/new-e2e/tests/windows/install-test/upgrade_test.go b/test/new-e2e/tests/windows/install-test/upgrade_test.go index 6bd74a2b089240..f6cdd349f029e3 100644 --- a/test/new-e2e/tests/windows/install-test/upgrade_test.go +++ b/test/new-e2e/tests/windows/install-test/upgrade_test.go @@ -29,7 +29,7 @@ func TestUpgrade(t *testing.T) { previousAgentPackage, err := windowsAgent.GetLastStablePackageFromEnv() require.NoError(t, err, "should get last stable agent package from env") s.previousAgentPackge = previousAgentPackage - run(t, s) + Run(t, s) } type testUpgradeSuite struct { @@ -79,7 +79,7 @@ func TestUpgradeFromLatest(t *testing.T) { upgradeAgentPackge, err := windowsAgent.GetUpgradeTestPackageFromEnv() require.NoError(t, err, "should get last stable agent package from env") s.upgradeAgentPackge = upgradeAgentPackge - run(t, s) + Run(t, s) } type testUpgradeFromLatestSuite struct { @@ -140,7 +140,7 @@ func (s *testUpgradeFromLatestSuite) TestUpgradeFromLatest() { func TestUpgradeRollback(t *testing.T) { s := &testUpgradeRollbackSuite{} - run(t, s) + Run(t, s) } type testUpgradeRollbackSuite struct { @@ -186,7 +186,7 @@ func (s *testUpgradeRollbackSuite) TestUpgradeRollback() { // rolls back, that the ddprocmon service is not installed. func TestUpgradeRollbackWithoutCWS(t *testing.T) { s := &testUpgradeRollbackWithoutCWSSuite{} - run(t, s) + Run(t, s) } type testUpgradeRollbackWithoutCWSSuite struct { @@ -259,7 +259,7 @@ func (s *testUpgradeRollbackWithoutCWSSuite) TestUpgradeRollbackWithoutCWS() { func TestUpgradeChangeUser(t *testing.T) { s := &testUpgradeChangeUserSuite{} - run(t, s) + Run(t, s) } type testUpgradeChangeUserSuite struct { @@ -349,7 +349,7 @@ func TestUpgradeFromV5(t *testing.T) { } s.agent5Package.URL, err = windowsAgent.GetStableMSIURL(s.agent5Package.Version, "x86_64", "") require.NoError(t, err) - run(t, s) + Run(t, s) } type testUpgradeFromV5Suite struct { @@ -442,5 +442,5 @@ func TestUpgradeFromV6(t *testing.T) { } s.previousAgentPackge.URL, err = windowsAgent.GetStableMSIURL(s.previousAgentPackge.Version, s.previousAgentPackge.Arch, "") require.NoError(t, err) - run(t, s) + Run(t, s) } From ab736ca02a400bcbfdb2b32257c830df0066ead7 Mon Sep 17 00:00:00 2001 From: Pierre Guilleminot Date: Tue, 14 Jan 2025 15:48:28 +0100 Subject: [PATCH 09/25] [CSPM] Add image_repo metadata for docker rego rules (#32946) --- pkg/compliance/resolver.go | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/pkg/compliance/resolver.go b/pkg/compliance/resolver.go index 057cd7a413a3fe..6ff5e98c4a39ba 100644 --- a/pkg/compliance/resolver.go +++ b/pkg/compliance/resolver.go @@ -19,6 +19,7 @@ import ( "strings" "time" + "github.com/distribution/reference" "github.com/docker/docker/api/types/container" "github.com/docker/docker/api/types/image" "github.com/docker/docker/api/types/network" @@ -556,6 +557,14 @@ func (r *defaultResolver) resolveAudit(_ context.Context, spec InputSpecAudit) ( return resolved, nil } +func parseImageRepo(name string) string { + ref, err := reference.ParseNormalizedNamed(name) + if err == nil { + return reference.Path(ref) + } + return "" +} + func (r *defaultResolver) resolveDocker(ctx context.Context, spec InputSpecDocker) (interface{}, error) { cl := r.dockerCl if cl == nil { @@ -574,10 +583,12 @@ func (r *defaultResolver) resolveDocker(ctx context.Context, spec InputSpecDocke if err != nil { return nil, err } + imageRepo := parseImageRepo(image.Config.Image) resolved = append(resolved, map[string]interface{}{ - "id": image.ID, - "tags": image.RepoTags, - "inspect": image, + "id": image.ID, + "tags": image.RepoTags, + "image_repo": imageRepo, + "inspect": image, }) } case "container": @@ -590,11 +601,13 @@ func (r *defaultResolver) resolveDocker(ctx context.Context, spec InputSpecDocke if err != nil { return nil, err } + imageRepo := parseImageRepo(container.Config.Image) resolved = append(resolved, map[string]interface{}{ - "id": container.ID, - "name": container.Name, - "image": container.Image, - "inspect": container, + "id": container.ID, + "name": container.Name, + "image": container.Image, + "image_repo": imageRepo, + "inspect": container, }) } case "network": From c6218310de27f81556db7defbe9e47bea55d8d53 Mon Sep 17 00:00:00 2001 From: Paul Cacheux Date: Tue, 14 Jan 2025 15:57:31 +0100 Subject: [PATCH 10/25] improve system-probe handling of subcommands (#32950) --- cmd/system-probe/command/command.go | 16 ++++++++++------ .../subcommands/runtime/command_linux.go | 2 +- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/cmd/system-probe/command/command.go b/cmd/system-probe/command/command.go index e9f82cdd449d0f..e76e59405c4077 100644 --- a/cmd/system-probe/command/command.go +++ b/cmd/system-probe/command/command.go @@ -9,6 +9,7 @@ package command import ( "fmt" "os" + "slices" "strings" "github.com/fatih/color" @@ -76,21 +77,24 @@ Runtime Security Monitoring, Universal Service Monitoring, and others.`, func SetDefaultCommandIfNonePresent(rootCmd *cobra.Command) { var subCommandNames []string for _, command := range rootCmd.Commands() { - subCommandNames = append(subCommandNames, append(command.Aliases, command.Name())...) + subCommandNames = append(subCommandNames, command.Name()) + subCommandNames = append(subCommandNames, command.Aliases...) } + helpAndCompletionCommands := []string{"help", "-h", "--help", "completion"} + args := []string{os.Args[0], "run"} if len(os.Args) > 1 { potentialCommand := os.Args[1] - if potentialCommand == "help" || potentialCommand == "-h" || potentialCommand == "completion" { + + if slices.Contains(helpAndCompletionCommands, potentialCommand) { return } - for _, command := range subCommandNames { - if command == potentialCommand { - return - } + if slices.Contains(subCommandNames, potentialCommand) { + return } + if !strings.HasPrefix(potentialCommand, "-") { // run command takes no positional arguments, so if one is passed // fallback to default cobra handling for good errors diff --git a/cmd/system-probe/subcommands/runtime/command_linux.go b/cmd/system-probe/subcommands/runtime/command_linux.go index 1980ac0fbfb238..7d4c2795f53c99 100644 --- a/cmd/system-probe/subcommands/runtime/command_linux.go +++ b/cmd/system-probe/subcommands/runtime/command_linux.go @@ -21,7 +21,7 @@ import ( func Commands(globalParams *command.GlobalParams) []*cobra.Command { runtimeCmd := &cobra.Command{ Use: "runtime", - Short: "runtime Agent utility commands", + Short: "Runtime Security Agent (CWS) utility commands", } runtimeCmd.AddCommand(commonPolicyCommands(globalParams)...) From 2ff7d8cc8709021cf7f831a15baab93c8d1c4131 Mon Sep 17 00:00:00 2001 From: Paul Cacheux Date: Tue, 14 Jan 2025 16:11:17 +0100 Subject: [PATCH 11/25] [CWS] reduce allocations related to recv events in the security agent (#32956) --- pkg/security/agent/agent.go | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/pkg/security/agent/agent.go b/pkg/security/agent/agent.go index 60d71694f91880..1c868c85365013 100644 --- a/pkg/security/agent/agent.go +++ b/pkg/security/agent/agent.go @@ -23,8 +23,8 @@ import ( "github.com/DataDog/datadog-agent/comp/logs/agent/config" "github.com/DataDog/datadog-agent/pkg/security/common" "github.com/DataDog/datadog-agent/pkg/security/proto/api" + "github.com/DataDog/datadog-agent/pkg/security/seclog" "github.com/DataDog/datadog-agent/pkg/security/security_profile/dump" - "github.com/DataDog/datadog-agent/pkg/util/log" ) // RuntimeSecurityAgent represents the main wrapper for the Runtime Security product @@ -106,7 +106,7 @@ func (rsa *RuntimeSecurityAgent) StartEventListener() { msg += ", please check that the runtime security module is enabled in the system-probe.yaml config file" } } - log.Error(msg) + seclog.Errorf("%s", msg) default: // do nothing } @@ -119,7 +119,7 @@ func (rsa *RuntimeSecurityAgent) StartEventListener() { if !rsa.connected.Load() { rsa.connected.Store(true) - log.Info("Successfully connected to the runtime security module") + seclog.Infof("Successfully connected to the runtime security module") } for { @@ -128,7 +128,10 @@ func (rsa *RuntimeSecurityAgent) StartEventListener() { if err == io.EOF || in == nil { break } - log.Tracef("Got message from rule `%s` for event `%s`", in.RuleID, string(in.Data)) + + if seclog.DefaultLogger.IsTracing() { + seclog.DefaultLogger.Tracef("Got message from rule `%s` for event `%s`", in.RuleID, string(in.Data)) + } rsa.eventReceived.Inc() @@ -157,7 +160,10 @@ func (rsa *RuntimeSecurityAgent) StartActivityDumpListener() { if err == io.EOF || msg == nil { break } - log.Tracef("Got activity dump [%s]", msg.GetDump().GetMetadata().GetName()) + + if seclog.DefaultLogger.IsTracing() { + seclog.DefaultLogger.Tracef("Got activity dump [%s]", msg.GetDump().GetMetadata().GetName()) + } rsa.activityDumpReceived.Inc() @@ -180,7 +186,7 @@ func (rsa *RuntimeSecurityAgent) DispatchActivityDump(msg *api.ActivityDumpStrea // parse dump from message dump, err := dump.NewActivityDumpFromMessage(msg.GetDump()) if err != nil { - log.Errorf("%v", err) + seclog.Errorf("%v", err) return } if rsa.profContainersTelemetry != nil { @@ -192,7 +198,7 @@ func (rsa *RuntimeSecurityAgent) DispatchActivityDump(msg *api.ActivityDumpStrea for _, requests := range dump.StorageRequests { if err := rsa.storage.PersistRaw(requests, dump, raw); err != nil { - log.Errorf("%v", err) + seclog.Errorf("%v", err) } } } From d12f3397cdad96ffd378f85e1cfb79ab45aacf81 Mon Sep 17 00:00:00 2001 From: maxime mouial Date: Tue, 14 Jan 2025 16:42:05 +0100 Subject: [PATCH 12/25] Fix Get() method not being able to return an inner node (#31977) --- pkg/config/model/viper.go | 3 ++ pkg/config/nodetreemodel/config.go | 31 ++++++++----- pkg/config/nodetreemodel/config_test.go | 1 + pkg/config/nodetreemodel/getter.go | 58 +++++++++++++++++++------ pkg/config/nodetreemodel/getter_test.go | 22 ++++++++++ 5 files changed, 91 insertions(+), 24 deletions(-) diff --git a/pkg/config/model/viper.go b/pkg/config/model/viper.go index fc7b28591e17c9..56e5519346c7d7 100644 --- a/pkg/config/model/viper.go +++ b/pkg/config/model/viper.go @@ -32,6 +32,8 @@ type Source string // Declare every known Source const ( + // SourceSchema are settings define in the schema for the configuration but without any default. + SourceSchema Source = "schema" // SourceDefault are the values from defaults. SourceDefault Source = "default" // SourceUnknown are the values from unknown source. This should only be used in tests when calling @@ -74,6 +76,7 @@ var sources = []Source{ // sourcesPriority give each source a priority, the higher the more important a source. This is used when merging // configuration tree (a higher priority overwrites a lower one). var sourcesPriority = map[Source]int{ + SourceSchema: -1, SourceDefault: 0, SourceUnknown: 1, SourceFile: 2, diff --git a/pkg/config/nodetreemodel/config.go b/pkg/config/nodetreemodel/config.go index 84e4a50cbf3e34..601f20e00caf56 100644 --- a/pkg/config/nodetreemodel/config.go +++ b/pkg/config/nodetreemodel/config.go @@ -333,7 +333,7 @@ func (c *ntmConfig) SetKnown(key string) { panic("cannot SetKnown() once the config has been marked as ready for use") } - c.addToKnownKeys(key) + c.addToSchema(key, model.SourceSchema) } // IsKnown returns whether a key is known @@ -387,19 +387,25 @@ func (c *ntmConfig) mergeAllLayers() error { } c.root = root + // recompile allSettings now that we have the full config + c.allSettings = c.computeAllSettings(c.schema, "") return nil } -func computeAllSettings(node InnerNode, path string) []string { +func (c *ntmConfig) computeAllSettings(node InnerNode, path string) []string { knownKeys := []string{} for _, name := range node.ChildrenKeys() { newPath := joinKey(path, name) child, _ := node.GetChild(name) - if _, ok := child.(LeafNode); ok { - knownKeys = append(knownKeys, newPath) + if leaf, ok := child.(LeafNode); ok { + if leaf.Source() != model.SourceSchema { + knownKeys = append(knownKeys, newPath) + } else if c.leafAtPathFromNode(newPath, c.root) != missingLeaf { + knownKeys = append(knownKeys, newPath) + } } else if inner, ok := child.(InnerNode); ok { - knownKeys = append(knownKeys, computeAllSettings(inner, newPath)...) + knownKeys = append(knownKeys, c.computeAllSettings(inner, newPath)...) } else { log.Errorf("unknown node type in the tree: %T", child) } @@ -417,7 +423,7 @@ func (c *ntmConfig) BuildSchema() { if err := c.mergeAllLayers(); err != nil { c.warnings = append(c.warnings, err.Error()) } - c.allSettings = computeAllSettings(c.schema, "") + c.allSettings = c.computeAllSettings(c.schema, "") } // Stringify stringifies the config, but only with the test build tag @@ -572,6 +578,14 @@ func (c *ntmConfig) AllKeysLowercased() []string { } func (c *ntmConfig) leafAtPathFromNode(key string, curr Node) LeafNode { + node := c.nodeAtPathFromNode(key, curr) + if leaf, ok := node.(LeafNode); ok { + return leaf + } + return missingLeaf +} + +func (c *ntmConfig) nodeAtPathFromNode(key string, curr Node) Node { pathParts := splitKey(key) for _, part := range pathParts { next, err := curr.GetChild(part) @@ -580,10 +594,7 @@ func (c *ntmConfig) leafAtPathFromNode(key string, curr Node) LeafNode { } curr = next } - if leaf, ok := curr.(LeafNode); ok { - return leaf - } - return missingLeaf + return curr } // GetNode returns a Node for the given key diff --git a/pkg/config/nodetreemodel/config_test.go b/pkg/config/nodetreemodel/config_test.go index ad51994ea03317..f917c9344ed332 100644 --- a/pkg/config/nodetreemodel/config_test.go +++ b/pkg/config/nodetreemodel/config_test.go @@ -256,6 +256,7 @@ func TestAllSettings(t *testing.T) { cfg.SetDefault("a", 0) cfg.SetDefault("b.c", 0) cfg.SetDefault("b.d", 0) + cfg.SetKnown("b.e") cfg.BuildSchema() cfg.ReadConfig(strings.NewReader("a: 987")) diff --git a/pkg/config/nodetreemodel/getter.go b/pkg/config/nodetreemodel/getter.go index a94b5fb69cdec1..0c1abc7f92b82b 100644 --- a/pkg/config/nodetreemodel/getter.go +++ b/pkg/config/nodetreemodel/getter.go @@ -112,14 +112,44 @@ func (c *ntmConfig) inferTypeFromDefault(key string, value interface{}) (interfa return deepcopy.Copy(value), nil } +func (c *ntmConfig) getNodeValue(key string) interface{} { + if !c.isReady() { + log.Errorf("attempt to read key before config is constructed: %s", key) + return missingLeaf + } + + node := c.nodeAtPathFromNode(key, c.root) + + if leaf, ok := node.(LeafNode); ok { + return leaf.Get() + } + + // When querying an InnerNode we convert it as a map[string]interface{} to mimic Viper's logic + var converter func(node InnerNode) map[string]interface{} + converter = func(node InnerNode) map[string]interface{} { + res := map[string]interface{}{} + for _, name := range node.ChildrenKeys() { + child, _ := node.GetChild(name) + + if leaf, ok := child.(LeafNode); ok { + res[name] = leaf.Get() + } else { + res[name] = converter(child.(InnerNode)) + } + } + return res + } + + return converter(node.(InnerNode)) +} + // Get returns a copy of the value for the given key func (c *ntmConfig) Get(key string) interface{} { c.RLock() defer c.RUnlock() c.checkKnownKey(key) - val := c.leafAtPath(key).Get() - val, err := c.inferTypeFromDefault(key, val) + val, err := c.inferTypeFromDefault(key, c.getNodeValue(key)) if err != nil { log.Warnf("failed to get configuration value for key %q: %s", key, err) } @@ -149,7 +179,7 @@ func (c *ntmConfig) GetString(key string) string { c.RLock() defer c.RUnlock() c.checkKnownKey(key) - str, err := cast.ToStringE(c.leafAtPath(key).Get()) + str, err := cast.ToStringE(c.getNodeValue(key)) if err != nil { log.Warnf("failed to get configuration value for key %q: %s", key, err) } @@ -161,7 +191,7 @@ func (c *ntmConfig) GetBool(key string) bool { c.RLock() defer c.RUnlock() c.checkKnownKey(key) - b, err := cast.ToBoolE(c.leafAtPath(key).Get()) + b, err := cast.ToBoolE(c.getNodeValue(key)) if err != nil { log.Warnf("failed to get configuration value for key %q: %s", key, err) } @@ -173,7 +203,7 @@ func (c *ntmConfig) GetInt(key string) int { c.RLock() defer c.RUnlock() c.checkKnownKey(key) - val, err := cast.ToIntE(c.leafAtPath(key).Get()) + val, err := cast.ToIntE(c.getNodeValue(key)) if err != nil { log.Warnf("failed to get configuration value for key %q: %s", key, err) } @@ -185,7 +215,7 @@ func (c *ntmConfig) GetInt32(key string) int32 { c.RLock() defer c.RUnlock() c.checkKnownKey(key) - val, err := cast.ToInt32E(c.leafAtPath(key).Get()) + val, err := cast.ToInt32E(c.getNodeValue(key)) if err != nil { log.Warnf("failed to get configuration value for key %q: %s", key, err) } @@ -197,7 +227,7 @@ func (c *ntmConfig) GetInt64(key string) int64 { c.RLock() defer c.RUnlock() c.checkKnownKey(key) - val, err := cast.ToInt64E(c.leafAtPath(key).Get()) + val, err := cast.ToInt64E(c.getNodeValue(key)) if err != nil { log.Warnf("failed to get configuration value for key %q: %s", key, err) } @@ -209,7 +239,7 @@ func (c *ntmConfig) GetFloat64(key string) float64 { c.RLock() defer c.RUnlock() c.checkKnownKey(key) - val, err := cast.ToFloat64E(c.leafAtPath(key).Get()) + val, err := cast.ToFloat64E(c.getNodeValue(key)) if err != nil { log.Warnf("failed to get configuration value for key %q: %s", key, err) } @@ -222,7 +252,7 @@ func (c *ntmConfig) GetFloat64Slice(key string) []float64 { defer c.RUnlock() c.checkKnownKey(key) - list, err := cast.ToStringSliceE(c.leafAtPath(key).Get()) + list, err := cast.ToStringSliceE(c.getNodeValue(key)) if err != nil { log.Warnf("failed to get configuration value for key %q: %s", key, err) } @@ -244,7 +274,7 @@ func (c *ntmConfig) GetDuration(key string) time.Duration { c.RLock() defer c.RUnlock() c.checkKnownKey(key) - val, err := cast.ToDurationE(c.leafAtPath(key).Get()) + val, err := cast.ToDurationE(c.getNodeValue(key)) if err != nil { log.Warnf("failed to get configuration value for key %q: %s", key, err) } @@ -256,7 +286,7 @@ func (c *ntmConfig) GetStringSlice(key string) []string { c.RLock() defer c.RUnlock() c.checkKnownKey(key) - val, err := cast.ToStringSliceE(c.leafAtPath(key).Get()) + val, err := cast.ToStringSliceE(c.getNodeValue(key)) if err != nil { log.Warnf("failed to get configuration value for key %q: %s", key, err) } @@ -268,7 +298,7 @@ func (c *ntmConfig) GetStringMap(key string) map[string]interface{} { c.RLock() defer c.RUnlock() c.checkKnownKey(key) - val, err := cast.ToStringMapE(c.leafAtPath(key).Get()) + val, err := cast.ToStringMapE(c.getNodeValue(key)) if err != nil { log.Warnf("failed to get configuration value for key %q: %s", key, err) } @@ -280,7 +310,7 @@ func (c *ntmConfig) GetStringMapString(key string) map[string]string { c.RLock() defer c.RUnlock() c.checkKnownKey(key) - val, err := cast.ToStringMapStringE(c.leafAtPath(key).Get()) + val, err := cast.ToStringMapStringE(c.getNodeValue(key)) if err != nil { log.Warnf("failed to get configuration value for key %q: %s", key, err) } @@ -292,7 +322,7 @@ func (c *ntmConfig) GetStringMapStringSlice(key string) map[string][]string { c.RLock() defer c.RUnlock() c.checkKnownKey(key) - val, err := cast.ToStringMapStringSliceE(c.leafAtPath(key).Get()) + val, err := cast.ToStringMapStringSliceE(c.getNodeValue(key)) if err != nil { log.Warnf("failed to get configuration value for key %q: %s", key, err) } diff --git a/pkg/config/nodetreemodel/getter_test.go b/pkg/config/nodetreemodel/getter_test.go index 3c05bffc40d279..b035c18d8fd989 100644 --- a/pkg/config/nodetreemodel/getter_test.go +++ b/pkg/config/nodetreemodel/getter_test.go @@ -44,6 +44,28 @@ func TestGet(t *testing.T) { assert.Equal(t, 9876, cfg.Get("a")) assert.Equal(t, nil, cfg.Get("does_not_exists")) + + // test implicit conversion + cfg.Set("a", "1111", model.SourceAgentRuntime) + assert.Equal(t, 1111, cfg.Get("a")) +} + +func TestGetInnerNode(t *testing.T) { + cfg := NewConfig("test", "", nil) + cfg.SetDefault("a.b.c", 1234) + cfg.SetDefault("a.e", 1234) + cfg.BuildSchema() + + assert.Equal(t, 1234, cfg.Get("a.b.c")) + assert.Equal(t, 1234, cfg.Get("a.e")) + assert.Equal(t, map[string]interface{}{"c": 1234}, cfg.Get("a.b")) + assert.Equal(t, map[string]interface{}{"b": map[string]interface{}{"c": 1234}, "e": 1234}, cfg.Get("a")) + + cfg.Set("a.b.c", 9876, model.SourceAgentRuntime) + assert.Equal(t, 9876, cfg.Get("a.b.c")) + assert.Equal(t, 1234, cfg.Get("a.e")) + assert.Equal(t, map[string]interface{}{"c": 9876}, cfg.Get("a.b")) + assert.Equal(t, map[string]interface{}{"b": map[string]interface{}{"c": 9876}, "e": 1234}, cfg.Get("a")) } func TestGetCastToDefault(t *testing.T) { From 89eba3d3acc5ae1204051467635e743e7ca9b2d8 Mon Sep 17 00:00:00 2001 From: Nenad Noveljic <18366081+nenadnoveljic@users.noreply.github.com> Date: Tue, 14 Jan 2025 17:11:56 +0100 Subject: [PATCH 13/25] Pass DBMS type to SQL Lexer obfuscator (#32928) --- pkg/obfuscate/sql.go | 12 ++++++++++++ pkg/trace/agent/obfuscate.go | 5 +++-- pkg/trace/agent/obfuscate_test.go | 16 ++++++++++++++++ 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/pkg/obfuscate/sql.go b/pkg/obfuscate/sql.go index 8674173c8fdc37..05148e1800350a 100644 --- a/pkg/obfuscate/sql.go +++ b/pkg/obfuscate/sql.go @@ -287,6 +287,10 @@ func (f *groupingFilter) Reset() { f.groupMulti = 0 } +func isSQLLexer(obfuscationMode ObfuscationMode) bool { + return obfuscationMode != "" +} + // ObfuscateSQLString quantizes and obfuscates the given input SQL query string. Quantization removes // some elements such as comments and aliases and obfuscation attempts to hide sensitive information // in strings and numbers by redacting them. @@ -294,6 +298,14 @@ func (o *Obfuscator) ObfuscateSQLString(in string) (*ObfuscatedQuery, error) { return o.ObfuscateSQLStringWithOptions(in, &o.opts.SQL) } +// ObfuscateSQLStringForDBMS quantizes and obfuscates the given input SQL query string for a specific DBMS. +func (o *Obfuscator) ObfuscateSQLStringForDBMS(in string, dbms string) (*ObfuscatedQuery, error) { + if isSQLLexer(o.opts.SQL.ObfuscationMode) { + o.opts.SQL.DBMS = dbms + } + return o.ObfuscateSQLStringWithOptions(in, &o.opts.SQL) +} + // ObfuscateSQLStringWithOptions accepts an optional SQLOptions to change the behavior of the obfuscator // to quantize and obfuscate the given input SQL query string. Quantization removes some elements such as comments // and aliases and obfuscation attempts to hide sensitive information in strings and numbers by redacting them. diff --git a/pkg/trace/agent/obfuscate.go b/pkg/trace/agent/obfuscate.go index f4effbb4ac85d4..271c45aec79bc8 100644 --- a/pkg/trace/agent/obfuscate.go +++ b/pkg/trace/agent/obfuscate.go @@ -23,6 +23,7 @@ const ( tagOpenSearchBody = "opensearch.body" tagSQLQuery = "sql.query" tagHTTPURL = "http.url" + tagDBMS = "db.system" ) const ( @@ -51,7 +52,7 @@ func (a *Agent) obfuscateSpan(span *pb.Span) { if span.Resource == "" { return } - oq, err := o.ObfuscateSQLString(span.Resource) + oq, err := o.ObfuscateSQLStringForDBMS(span.Resource, span.Meta[tagDBMS]) if err != nil { // we have an error, discard the SQL to avoid polluting user resources. log.Debugf("Error parsing SQL query: %v. Resource: %q", err, span.Resource) @@ -166,7 +167,7 @@ func (a *Agent) obfuscateStatsGroup(b *pb.ClientGroupedStats) { switch b.Type { case "sql", "cassandra": - oq, err := o.ObfuscateSQLString(b.Resource) + oq, err := o.ObfuscateSQLStringForDBMS(b.Resource, b.DBType) if err != nil { log.Errorf("Error obfuscating stats group resource %q: %v", b.Resource, err) b.Resource = textNonParsable diff --git a/pkg/trace/agent/obfuscate_test.go b/pkg/trace/agent/obfuscate_test.go index 507e938884816d..59daaad39bd354 100644 --- a/pkg/trace/agent/obfuscate_test.go +++ b/pkg/trace/agent/obfuscate_test.go @@ -491,3 +491,19 @@ func TestObfuscateSpanEvent(t *testing.T) { } } } + +func TestLexerObfuscation(t *testing.T) { + ctx, cancelFunc := context.WithCancel(context.Background()) + cfg := config.New() + cfg.Endpoints[0].APIKey = "test" + cfg.Features["sqllexer"] = struct{}{} + agnt := NewAgent(ctx, cfg, telemetry.NewNoopCollector(), &statsd.NoOpClient{}, gzip.NewComponent()) + defer cancelFunc() + span := &pb.Span{ + Resource: "SELECT * FROM [u].[users]", + Type: "sql", + Meta: map[string]string{"db.type": "sqlserver"}, + } + agnt.obfuscateSpan(span) + assert.Equal(t, "SELECT * FROM [u].[users]", span.Resource) +} From 736a4fe7673efc7f649f17bfe14162f700067116 Mon Sep 17 00:00:00 2001 From: Mark Spicer Date: Tue, 14 Jan 2025 11:12:12 -0500 Subject: [PATCH 14/25] feat(ssi): enable language with a default version (#32879) --- .../auto_instrumentation_test.go | 11 +++++++++++ .../mutate/autoinstrumentation/language_versions.go | 13 ++++++++++++- ...i-language-default-version-9bc955d06c045ae6.yaml | 12 ++++++++++++ 3 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/enable-ssi-language-default-version-9bc955d06c045ae6.yaml diff --git a/pkg/clusteragent/admission/mutate/autoinstrumentation/auto_instrumentation_test.go b/pkg/clusteragent/admission/mutate/autoinstrumentation/auto_instrumentation_test.go index d5f32099e14c24..bb0d3ba371d046 100644 --- a/pkg/clusteragent/admission/mutate/autoinstrumentation/auto_instrumentation_test.go +++ b/pkg/clusteragent/admission/mutate/autoinstrumentation/auto_instrumentation_test.go @@ -696,6 +696,17 @@ func TestExtractLibInfo(t *testing.T) { }, }, }, + { + name: "java with default version", + pod: common.FakePodWithAnnotation("admission.datadoghq.com/java-lib.version", "default"), + containerRegistry: "registry", + expectedLibsToInject: []libInfo{ + { + lang: "java", + image: "registry/dd-lib-java-init:v1", + }, + }, + }, { name: "java from common registry", pod: common.FakePodWithAnnotation("admission.datadoghq.com/java-lib.version", "v1"), diff --git a/pkg/clusteragent/admission/mutate/autoinstrumentation/language_versions.go b/pkg/clusteragent/admission/mutate/autoinstrumentation/language_versions.go index e76387c975f2c4..323ea26862c91a 100644 --- a/pkg/clusteragent/admission/mutate/autoinstrumentation/language_versions.go +++ b/pkg/clusteragent/admission/mutate/autoinstrumentation/language_versions.go @@ -11,8 +11,9 @@ import ( "fmt" "slices" - "github.com/DataDog/datadog-agent/pkg/clusteragent/admission/common" corev1 "k8s.io/api/core/v1" + + "github.com/DataDog/datadog-agent/pkg/clusteragent/admission/common" ) const ( @@ -63,6 +64,9 @@ func (l language) libVersionAnnotationExtractor(registry string) annotationExtra return annotationExtractor[libInfo]{ key: fmt.Sprintf(libVersionAnnotationKeyFormat, l), do: func(version string) (libInfo, error) { + if version == defaultVersionMagicString { + version = l.defaultLibVersion() + } return l.libInfo("", l.libImageName(registry, version)), nil }, } @@ -81,6 +85,9 @@ func (l language) ctrLibVersionAnnotationExtractor(ctr, registry string) annotat return annotationExtractor[libInfo]{ key: fmt.Sprintf(libVersionAnnotationKeyCtrFormat, ctr, l), do: func(version string) (libInfo, error) { + if version == defaultVersionMagicString { + version = l.defaultLibVersion() + } return l.libInfo(ctr, l.libImageName(registry, version)), nil }, } @@ -112,6 +119,10 @@ func (l language) isEnabledByDefault() bool { return l != "php" } +// defaultVersionMagicString is a magic string that indicates that the user +// wishes to utilize the default version found in languageVersions. +const defaultVersionMagicString = "default" + // languageVersions defines the major library versions we consider "default" for each // supported language. If not set, we will default to "latest", see defaultLibVersion. // diff --git a/releasenotes/notes/enable-ssi-language-default-version-9bc955d06c045ae6.yaml b/releasenotes/notes/enable-ssi-language-default-version-9bc955d06c045ae6.yaml new file mode 100644 index 00000000000000..0532e84da68f77 --- /dev/null +++ b/releasenotes/notes/enable-ssi-language-default-version-9bc955d06c045ae6.yaml @@ -0,0 +1,12 @@ +# Each section from every release note are combined when the +# CHANGELOG.rst is rendered. So the text needs to be worded so that +# it does not depend on any information only available in another +# section. This may mean repeating some details, but each section +# must be readable independently of the other. +# +# Each section note must be formatted as reStructuredText. +--- +enhancements: + - | + Users can now enable a pod with SSI using a default language library version + and no longer need to pin to a specific version. From 15796b34c805e91d7bae0f075e710057bc36767e Mon Sep 17 00:00:00 2001 From: Florent Clarret Date: Tue, 14 Jan 2025 17:01:40 +0000 Subject: [PATCH 15/25] Pin integrations-core in nightly and dev builds (#32959) --- release.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/release.json b/release.json index 0130a62eaddc07..2e0c3b692f953b 100644 --- a/release.json +++ b/release.json @@ -6,7 +6,7 @@ "7": "7.61.0" }, "nightly": { - "INTEGRATIONS_CORE_VERSION": "master", + "INTEGRATIONS_CORE_VERSION": "a0ac38c5deba1623702a38132a59b86e2bcfe443", "OMNIBUS_SOFTWARE_VERSION": "8135c8dc77134b6c46edceca760e033279032a96", "OMNIBUS_RUBY_VERSION": "650e39bb0b7c8d57ddabe21eb0588b368986aede", "JMXFETCH_VERSION": "0.49.6", @@ -25,7 +25,7 @@ "WINDOWS_APMINJECT_SHASUM": "5fdd62a84e640204386b9c28dc2e3ac5d9b8adde6427cb9f5914619f94d7b5bd" }, "nightly-a7": { - "INTEGRATIONS_CORE_VERSION": "master", + "INTEGRATIONS_CORE_VERSION": "a0ac38c5deba1623702a38132a59b86e2bcfe443", "OMNIBUS_SOFTWARE_VERSION": "8135c8dc77134b6c46edceca760e033279032a96", "OMNIBUS_RUBY_VERSION": "650e39bb0b7c8d57ddabe21eb0588b368986aede", "JMXFETCH_VERSION": "0.49.6", From 89bc0fa1fcd21eb40a73f23e740bf7975fd128fd Mon Sep 17 00:00:00 2001 From: David Ortiz Date: Tue, 14 Jan 2025 18:49:39 +0100 Subject: [PATCH 16/25] [go.mod] Bump datadog-operator/api dependency (#32960) --- go.mod | 4 ++-- go.sum | 8 ++++---- test/new-e2e/go.mod | 2 +- test/new-e2e/go.sum | 4 ++-- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index b31e391b05c3ca..39e4930b3eb518 100644 --- a/go.mod +++ b/go.mod @@ -159,7 +159,7 @@ require ( github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 github.com/DataDog/datadog-go/v5 v5.6.0 // TODO: pin to an operator released version once there is a release that includes the api module - github.com/DataDog/datadog-operator/api v0.0.0-20250109202733-a3e7eab6a736 + github.com/DataDog/datadog-operator/api v0.0.0-20250114151552-463ab54482b4 github.com/DataDog/ebpf-manager v0.7.7 github.com/DataDog/gopsutil v1.2.2 github.com/DataDog/nikos v1.12.9 @@ -857,7 +857,7 @@ require ( github.com/google/cel-go v0.20.1 // indirect github.com/google/certificate-transparency-go v1.1.8 // indirect github.com/google/flatbuffers v24.3.25+incompatible // indirect - github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect + github.com/google/gnostic-models v0.6.9 // indirect github.com/google/go-github/v62 v62.0.0 // indirect github.com/google/go-querystring v1.1.0 // indirect github.com/google/s2a-go v0.1.8 // indirect diff --git a/go.sum b/go.sum index e7728c0c5e8f84..054f694903a968 100644 --- a/go.sum +++ b/go.sum @@ -164,8 +164,8 @@ github.com/DataDog/datadog-api-client-go/v2 v2.33.0/go.mod h1:d3tOEgUd2kfsr9uuHQ github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/DataDog/datadog-go/v5 v5.6.0 h1:2oCLxjF/4htd55piM75baflj/KoE6VYS7alEUqFvRDw= github.com/DataDog/datadog-go/v5 v5.6.0/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw= -github.com/DataDog/datadog-operator/api v0.0.0-20250109202733-a3e7eab6a736 h1:GBHrDEjtdHDL+24ncs+KySyM37xw3LstTr93XZdmgN4= -github.com/DataDog/datadog-operator/api v0.0.0-20250109202733-a3e7eab6a736/go.mod h1:B1gtSG6OWMpqG6RNF2PV1WLfNLxF3xpqYWzyPQlg5eg= +github.com/DataDog/datadog-operator/api v0.0.0-20250114151552-463ab54482b4 h1:Lb06hh5dOz327LZZIfCu2/Kcxstf9ml7c0B2ZSm9Y5k= +github.com/DataDog/datadog-operator/api v0.0.0-20250114151552-463ab54482b4/go.mod h1:Ef4llzn4c4p6FPZNjeYgIQFHa2va2JPC8Wf/kivrF2E= github.com/DataDog/dd-sensitive-data-scanner/sds-go/go v0.0.0-20240816154533-f7f9beb53a42 h1:RoH7VLzTnxHEugRPIgnGlxwDFszFGI7b3WZZUtWuPRM= github.com/DataDog/dd-sensitive-data-scanner/sds-go/go v0.0.0-20240816154533-f7f9beb53a42/go.mod h1:TX7CTOQ3LbQjfAi4SwqUoR5gY1zfUk7VRBDTuArjaDc= github.com/DataDog/dd-trace-go/v2 v2.0.0-beta.11 h1:6vwU//TjBIghQKMgIP9UyIRhN/LWS1y8tYzvRnu8JZw= @@ -919,8 +919,8 @@ github.com/google/certificate-transparency-go v1.1.8 h1:LGYKkgZF7satzgTak9R4yzfJ github.com/google/certificate-transparency-go v1.1.8/go.mod h1:bV/o8r0TBKRf1X//iiiSgWrvII4d7/8OiA+3vG26gI8= github.com/google/flatbuffers v24.3.25+incompatible h1:CX395cjN9Kke9mmalRoL3d81AtFUxJM+yDthflgJGkI= github.com/google/flatbuffers v24.3.25+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= -github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= -github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= +github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= +github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= diff --git a/test/new-e2e/go.mod b/test/new-e2e/go.mod index 2d43564fb1e1cb..3b28971ad99717 100644 --- a/test/new-e2e/go.mod +++ b/test/new-e2e/go.mod @@ -162,7 +162,7 @@ require ( github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/google/btree v1.1.3 // indirect - github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect + github.com/google/gnostic-models v0.6.9 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect diff --git a/test/new-e2e/go.sum b/test/new-e2e/go.sum index 93792c53d0b97b..d1c1330a1940d7 100644 --- a/test/new-e2e/go.sum +++ b/test/new-e2e/go.sum @@ -234,8 +234,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= -github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= +github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= +github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= From e88aa10b13c6e7bc4e86c52468e14d4379bf4d97 Mon Sep 17 00:00:00 2001 From: Guillaume Pagnoux Date: Tue, 14 Jan 2025 19:05:22 +0100 Subject: [PATCH 17/25] discovery: e2e: mark containerID test as flaky (#32962) --- test/new-e2e/tests/discovery/docker_test.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/new-e2e/tests/discovery/docker_test.go b/test/new-e2e/tests/discovery/docker_test.go index 1d5f0f52475265..f6e04600d57d67 100644 --- a/test/new-e2e/tests/discovery/docker_test.go +++ b/test/new-e2e/tests/discovery/docker_test.go @@ -11,6 +11,7 @@ import ( "testing" "time" + "github.com/DataDog/datadog-agent/pkg/util/testutil/flake" "github.com/DataDog/datadog-agent/test/fakeintake/aggregator" "github.com/DataDog/datadog-agent/test/new-e2e/pkg/e2e" "github.com/DataDog/datadog-agent/test/new-e2e/pkg/environments" @@ -46,6 +47,8 @@ func TestDiscoveryDocker(t *testing.T) { func (s *dockerDiscoveryTestSuite) TestServiceDiscoveryContainerID() { t := s.T() + flake.Mark(t) + client := s.Env().FakeIntake.Client() err := client.FlushServerAndResetAggregators() require.NoError(t, err) From 3cafc4dba28982620f6db7909a9de7493791ef02 Mon Sep 17 00:00:00 2001 From: Jordan Storms Date: Tue, 14 Jan 2025 14:27:19 -0500 Subject: [PATCH 18/25] [SVLS-5205] Fix SIGSEGV for Serverless container environments using serverless-init and DogStatsD in multiple containers (#32821) --- cmd/serverless-init/metric/metric.go | 5 +++++ cmd/serverless-init/metric/metric_test.go | 11 +++++++++++ 2 files changed, 16 insertions(+) diff --git a/cmd/serverless-init/metric/metric.go b/cmd/serverless-init/metric/metric.go index 0cfac6823a6288..ff5ff64a575754 100644 --- a/cmd/serverless-init/metric/metric.go +++ b/cmd/serverless-init/metric/metric.go @@ -12,6 +12,7 @@ import ( "github.com/DataDog/datadog-agent/pkg/aggregator" "github.com/DataDog/datadog-agent/pkg/metrics" + "github.com/DataDog/datadog-agent/pkg/util/log" ) // AddColdStartMetric adds the coldstart metric to the demultiplexer @@ -29,6 +30,10 @@ func AddShutdownMetric(metricPrefix string, tags []string, _ time.Time, demux ag } func add(name string, tags []string, timestamp time.Time, demux aggregator.Demultiplexer) { + if demux == nil { + log.Debugf("Cannot add metric %s, the metric agent is not running", name) + return + } metricTimestamp := float64(timestamp.UnixNano()) / float64(time.Second) demux.AggregateSample(metrics.MetricSample{ Name: name, diff --git a/cmd/serverless-init/metric/metric_test.go b/cmd/serverless-init/metric/metric_test.go index facd4acabca0c6..6c9badf1beac59 100644 --- a/cmd/serverless-init/metric/metric_test.go +++ b/cmd/serverless-init/metric/metric_test.go @@ -64,6 +64,17 @@ func TestAddShutdownMetric(t *testing.T) { assert.Equal(t, metric.Tags[1], "tagb:valueb") } +func TestNilDemuxDoesNotPanic(t *testing.T) { + demux := createDemultiplexer(t) + timestamp := time.Now() + // Pass nil for demux to mimic when a port is blocked and dogstatsd does not start properly. + // This previously led to a panic and segmentation fault + add("metric", []string{"taga:valuea", "tagb:valueb"}, timestamp, nil) + generatedMetrics, timedMetrics := demux.WaitForSamples(100 * time.Millisecond) + assert.Equal(t, 0, len(timedMetrics)) + assert.Equal(t, 0, len(generatedMetrics)) +} + func createDemultiplexer(t *testing.T) demultiplexer.FakeSamplerMock { return fxutil.Test[demultiplexer.FakeSamplerMock](t, fx.Provide(func() log.Component { return logmock.New(t) }), compressionmock.MockModule(), demultiplexerimpl.FakeSamplerMockModule(), hostnameimpl.MockModule()) } From f8e0609677ce21fcaeff186c7e0fbb53dac0c7ca Mon Sep 17 00:00:00 2001 From: Adrien Boitreaud <72934368+aboitreaud@users.noreply.github.com> Date: Tue, 14 Jan 2025 20:48:54 +0100 Subject: [PATCH 19/25] [DJM] Add Databricks workspace name as tag (#32965) --- pkg/fleet/installer/setup/djm/databricks.go | 1 + pkg/fleet/installer/setup/djm/databricks_test.go | 14 ++++++++------ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/pkg/fleet/installer/setup/djm/databricks.go b/pkg/fleet/installer/setup/djm/databricks.go index e1e699f65a2de9..c27b46b8a5316d 100644 --- a/pkg/fleet/installer/setup/djm/databricks.go +++ b/pkg/fleet/installer/setup/djm/databricks.go @@ -121,6 +121,7 @@ func setupCommonHostTags(s *common.Setup) { return clusterNameRegex.ReplaceAllString(v, "_") }) setIfExists(s, "DB_CLUSTER_ID", "databricks_cluster_id", nil) + setIfExists(s, "DATABRICKS_WORKSPACE", "databricks_workspace", nil) // dupes for backward compatibility setIfExists(s, "DB_CLUSTER_ID", "cluster_id", nil) diff --git a/pkg/fleet/installer/setup/djm/databricks_test.go b/pkg/fleet/installer/setup/djm/databricks_test.go index 0bd7d183122cf3..fb93a6605f203c 100644 --- a/pkg/fleet/installer/setup/djm/databricks_test.go +++ b/pkg/fleet/installer/setup/djm/databricks_test.go @@ -27,12 +27,13 @@ func TestSetupCommonHostTags(t *testing.T) { { name: "basic fields with formatting", env: map[string]string{ - "DB_DRIVER_IP": "192.168.1.100", - "DB_INSTANCE_TYPE": "m4.xlarge", - "DB_IS_JOB_CLUSTER": "true", - "DD_JOB_NAME": "example,'job,name", - "DB_CLUSTER_NAME": "example[,'job]name", - "DB_CLUSTER_ID": "cluster123", + "DB_DRIVER_IP": "192.168.1.100", + "DB_INSTANCE_TYPE": "m4.xlarge", + "DB_IS_JOB_CLUSTER": "true", + "DD_JOB_NAME": "example,'job,name", + "DB_CLUSTER_NAME": "example[,'job]name", + "DB_CLUSTER_ID": "cluster123", + "DATABRICKS_WORKSPACE": "example_workspace", }, wantTags: []string{ "spark_host_ip:192.168.1.100", @@ -43,6 +44,7 @@ func TestSetupCommonHostTags(t *testing.T) { "databricks_cluster_id:cluster123", "cluster_id:cluster123", "cluster_name:example___job_name", + "databricks_workspace:example_workspace", }, }, { From df1eadc3b8afae4981162905f7b861b56b322627 Mon Sep 17 00:00:00 2001 From: Jack Phillips Date: Tue, 14 Jan 2025 15:02:38 -0500 Subject: [PATCH 20/25] fix %s to %w in IsUserAnAdmin (#32958) --- pkg/util/winutil/users.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/util/winutil/users.go b/pkg/util/winutil/users.go index 0f341f34f95d4b..171017a32cbac6 100644 --- a/pkg/util/winutil/users.go +++ b/pkg/util/winutil/users.go @@ -56,7 +56,7 @@ func IsUserAnAdmin() (bool, error) { 0, 0, 0, 0, 0, 0, &administratorsGroup) if err != nil { - return false, fmt.Errorf("could not get local system SID: %s", err) + return false, fmt.Errorf("could not get local system SID: %w", err) } defer windows.FreeSid(administratorsGroup) @@ -64,7 +64,7 @@ func IsUserAnAdmin() (bool, error) { var isAdmin bool err = CheckTokenMembership(0, administratorsGroup, &isAdmin) if err != nil { - return false, fmt.Errorf("could not check token membership: %s", err) + return false, fmt.Errorf("could not check token membership: %w", err) } return isAdmin, nil From ad8b8854e381df65d59127458fc55758cee2aaab Mon Sep 17 00:00:00 2001 From: Geoffrey Oxberry Date: Tue, 14 Jan 2025 12:46:28 -0800 Subject: [PATCH 21/25] [smp] set idle all features QG limit to 735 MiB (#32966) Signed-off-by: Geoffrey M. Oxberry --- .../cases/quality_gate_idle_all_features/experiment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/regression/cases/quality_gate_idle_all_features/experiment.yaml b/test/regression/cases/quality_gate_idle_all_features/experiment.yaml index c4b0c1aeafd726..1246cbf236cb32 100644 --- a/test/regression/cases/quality_gate_idle_all_features/experiment.yaml +++ b/test/regression/cases/quality_gate_idle_all_features/experiment.yaml @@ -46,7 +46,7 @@ checks: description: "Memory usage quality gate. This puts a bound on the total agent memory usage." bounds: series: total_rss_bytes - upper_bound: "754.0 MiB" + upper_bound: "735.0 MiB" report_links: - text: "bounds checks dashboard" From 8b3351796582b28a7f8f5b2cfb96e403da41afa4 Mon Sep 17 00:00:00 2001 From: "Brian L. Troutwine" Date: Tue, 14 Jan 2025 17:45:14 -0800 Subject: [PATCH 22/25] Introduce intake connection count check (#32975) Signed-off-by: Brian L. Troutwine --- test/regression/cases/quality_gate_idle/experiment.yaml | 6 ++++++ .../cases/quality_gate_idle_all_features/experiment.yaml | 6 ++++++ test/regression/cases/quality_gate_logs/experiment.yaml | 6 ++++++ 3 files changed, 18 insertions(+) diff --git a/test/regression/cases/quality_gate_idle/experiment.yaml b/test/regression/cases/quality_gate_idle/experiment.yaml index 631361b35b1c71..5c3506908c199e 100644 --- a/test/regression/cases/quality_gate_idle/experiment.yaml +++ b/test/regression/cases/quality_gate_idle/experiment.yaml @@ -37,6 +37,12 @@ checks: series: total_rss_bytes upper_bound: "356.0 MiB" + - name: intake_connections + description: "Connections established to intake APIs. This puts a bound on total connections per Agent instance." + bounds: + series: "connection.current" + upper_bound: 3 + report_links: - text: "bounds checks dashboard" link: "https://app.datadoghq.com/dashboard/vz3-jd5-bdi?fromUser=true&refresh_mode=paused&tpl_var_experiment%5B0%5D={{ experiment }}&tpl_var_job_id%5B0%5D={{ job_id }}&tpl_var_run-id%5B0%5D={{ job_id }}&view=spans&from_ts={{ start_time_ms }}&to_ts={{ end_time_ms }}&live=false" diff --git a/test/regression/cases/quality_gate_idle_all_features/experiment.yaml b/test/regression/cases/quality_gate_idle_all_features/experiment.yaml index 1246cbf236cb32..4bb4edbca83300 100644 --- a/test/regression/cases/quality_gate_idle_all_features/experiment.yaml +++ b/test/regression/cases/quality_gate_idle_all_features/experiment.yaml @@ -48,6 +48,12 @@ checks: series: total_rss_bytes upper_bound: "735.0 MiB" + - name: intake_connections + description: "Connections established to intake APIs. This puts a bound on total connections per Agent instance." + bounds: + series: "connection.current" + upper_bound: 3 + report_links: - text: "bounds checks dashboard" link: "https://app.datadoghq.com/dashboard/vz3-jd5-bdi?fromUser=true&refresh_mode=paused&tpl_var_experiment%5B0%5D={{ experiment }}&tpl_var_job_id%5B0%5D={{ job_id }}&tpl_var_run-id%5B0%5D={{ job_id }}&view=spans&from_ts={{ start_time_ms }}&to_ts={{ end_time_ms }}&live=false" diff --git a/test/regression/cases/quality_gate_logs/experiment.yaml b/test/regression/cases/quality_gate_logs/experiment.yaml index 50b1d75540c4d4..1698bb0e6aa988 100644 --- a/test/regression/cases/quality_gate_logs/experiment.yaml +++ b/test/regression/cases/quality_gate_logs/experiment.yaml @@ -35,3 +35,9 @@ checks: bounds: series: lost_bytes upper_bound: 0KiB + + - name: intake_connections + description: "Connections established to intake APIs. This puts a bound on total connections per Agent instance." + bounds: + series: "connection.current" + upper_bound: 6 From 00abd8c3dfaada537beb0a04af7003d1027a9d20 Mon Sep 17 00:00:00 2001 From: Paul Cacheux Date: Wed, 15 Jan 2025 10:39:11 +0100 Subject: [PATCH 23/25] omnibus: add GLIBC check for system-probe binary (#32973) --- omnibus/config/software/datadog-agent.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/omnibus/config/software/datadog-agent.rb b/omnibus/config/software/datadog-agent.rb index 6a09072b788328..d33a70c47a7e28 100644 --- a/omnibus/config/software/datadog-agent.rb +++ b/omnibus/config/software/datadog-agent.rb @@ -166,6 +166,7 @@ command "invoke -e system-probe.build #{fips_args}", env: env elsif linux_target? command "invoke -e system-probe.build-sysprobe-binary #{fips_args} --install-path=#{install_dir}", env: env + command "!(objdump -p ./bin/system-probe/system-probe | egrep 'GLIBC_2\.(1[8-9]|[2-9][0-9])')" end if windows_target? From 14ca022f1b4a7cbdc6c0fd2fe8824f5ec00d7802 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Guillermo=20Juli=C3=A1n?= Date: Wed, 15 Jan 2025 11:21:31 +0100 Subject: [PATCH 24/25] wmeta: add nvml collector (#32109) This PR adds the NVML collector to workloadmeta, so that we collect data about the NVIDIA GPUs present in the system that can be used in other parts of the agent, including the tagger. --- .github/CODEOWNERS | 1 + .gitlab-ci.yml | 1 + comp/api/authtoken/go.mod | 12 +- comp/core/config/go.mod | 12 +- comp/core/log/impl-trace/go.mod | 12 +- comp/core/log/impl/go.mod | 12 +- comp/core/log/mock/go.mod | 4 +- comp/core/status/statusimpl/go.mod | 12 +- .../collectors/catalog-core/options.go | 2 + .../collectors/catalog/options.go | 2 + .../collectors/internal/nvml/nvml.go | 124 ++++++++++++++++++ .../collectors/internal/nvml/nvml_nop.go | 15 +++ .../collectors/internal/nvml/nvml_test.go | 48 +++++++ .../collectors/internal/nvml/stub.go | 7 + comp/core/workloadmeta/def/types.go | 7 + comp/core/workloadmeta/impl/dump.go | 2 + comp/forwarder/defaultforwarder/go.mod | 12 +- .../orchestrator/orchestratorinterface/go.mod | 12 +- comp/logs/agent/config/go.mod | 12 +- comp/otelcol/converter/impl/go.mod | 12 +- comp/otelcol/ddflareextension/impl/go.mod | 12 +- comp/otelcol/logsagentpipeline/go.mod | 12 +- .../logsagentpipelineimpl/go.mod | 12 +- .../exporter/datadogexporter/go.mod | 12 +- .../exporter/logsagentexporter/go.mod | 12 +- .../exporter/serializerexporter/go.mod | 12 +- comp/otelcol/otlp/testutil/go.mod | 12 +- comp/serializer/compression/go.mod | 12 +- go.mod | 12 +- pkg/api/go.mod | 12 +- .../env/environment_container_features.go | 2 + pkg/config/env/environment_containers.go | 17 +++ pkg/config/env/go.mod | 19 ++- pkg/config/env/go.sum | 6 + pkg/config/mock/go.mod | 12 +- pkg/config/remote/go.mod | 12 +- pkg/config/setup/go.mod | 12 +- pkg/config/utils/go.mod | 12 +- pkg/gpu/testutil/mocks.go | 6 + pkg/logs/auditor/go.mod | 12 +- pkg/logs/client/go.mod | 12 +- pkg/logs/diagnostic/go.mod | 12 +- pkg/logs/message/go.mod | 12 +- pkg/logs/pipeline/go.mod | 12 +- pkg/logs/processor/go.mod | 12 +- pkg/logs/sds/go.mod | 12 +- pkg/logs/sender/go.mod | 12 +- pkg/logs/sources/go.mod | 12 +- pkg/logs/util/testutils/go.mod | 12 +- pkg/metrics/go.mod | 12 +- pkg/serializer/go.mod | 12 +- pkg/util/flavor/go.mod | 12 +- pkg/util/grpc/go.mod | 12 +- pkg/util/http/go.mod | 12 +- pkg/util/log/setup/go.mod | 12 +- pkg/util/system/dlopen_linux.go | 43 ++++++ pkg/util/system/dlopen_other.go | 16 +++ test/new-e2e/tests/gpu/gpu_test.go | 9 ++ test/otel/go.mod | 12 +- 59 files changed, 565 insertions(+), 246 deletions(-) create mode 100644 comp/core/workloadmeta/collectors/internal/nvml/nvml.go create mode 100644 comp/core/workloadmeta/collectors/internal/nvml/nvml_nop.go create mode 100644 comp/core/workloadmeta/collectors/internal/nvml/nvml_test.go create mode 100644 comp/core/workloadmeta/collectors/internal/nvml/stub.go create mode 100644 pkg/util/system/dlopen_linux.go create mode 100644 pkg/util/system/dlopen_other.go diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 3f00a7c544bf9b..7fd42771c56ca8 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -546,6 +546,7 @@ /pkg/tagger/ @DataDog/container-platform /pkg/windowsdriver/ @DataDog/windows-kernel-integrations /comp/core/workloadmeta/collectors/internal/cloudfoundry @DataDog/platform-integrations +/comp/core/workloadmeta/collectors/internal/nvml @DataDog/ebpf-platform /pkg/sbom/ @DataDog/container-integrations @DataDog/agent-security /pkg/internaltelemetry @DataDog/windows-kernel-integrations @DataDog/fleet /pkg/networkpath/ @DataDog/network-device-monitoring @DataDog/Networks diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index be283da9433697..80f4b199117efa 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1170,6 +1170,7 @@ workflow: - pkg/gpu/**/* - test/new-e2e/tests/gpu/**/* - pkg/collector/corechecks/gpu/**/* + - comp/core/workloadmeta/collectors/internal/nvml/**/* compare_to: main # TODO: use a variable, when this is supported https://gitlab.com/gitlab-org/gitlab/-/issues/369916 # windows_docker_2022 configures the job to use the Windows Server 2022 runners. diff --git a/comp/api/authtoken/go.mod b/comp/api/authtoken/go.mod index 692fd75a5a99ba..6428c12054c168 100644 --- a/comp/api/authtoken/go.mod +++ b/comp/api/authtoken/go.mod @@ -66,15 +66,15 @@ require ( github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.60.0-devel // indirect github.com/DataDog/datadog-agent/pkg/config/utils v0.56.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/log/setup v0.58.0-devel // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/comp/core/config/go.mod b/comp/core/config/go.mod index 5f12e7600784e4..2e3588c53ed8df 100644 --- a/comp/core/config/go.mod +++ b/comp/core/config/go.mod @@ -42,7 +42,7 @@ require ( github.com/DataDog/datadog-agent/pkg/util/defaultpaths v0.0.0-00010101000000-000000000000 github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 github.com/DataDog/viper v1.14.0 github.com/stretchr/testify v1.10.0 go.uber.org/fx v1.23.0 @@ -58,12 +58,12 @@ require ( github.com/DataDog/datadog-agent/pkg/config/structure v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/comp/core/log/impl-trace/go.mod b/comp/core/log/impl-trace/go.mod index 9da7eaed4328ce..9838e5804cf7f0 100644 --- a/comp/core/log/impl-trace/go.mod +++ b/comp/core/log/impl-trace/go.mod @@ -45,7 +45,7 @@ require ( github.com/DataDog/datadog-agent/pkg/config/env v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/trace v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/fxutil v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 // indirect; v2.6 github.com/stretchr/testify v1.10.0 go.uber.org/fx v1.23.0 // indirect @@ -68,14 +68,14 @@ require ( github.com/DataDog/datadog-agent/pkg/config/structure v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/comp/core/log/impl/go.mod b/comp/core/log/impl/go.mod index 11736e49c9a8e8..90a9c802bb9ca4 100644 --- a/comp/core/log/impl/go.mod +++ b/comp/core/log/impl/go.mod @@ -39,7 +39,7 @@ require ( github.com/DataDog/datadog-agent/comp/core/log/def v0.0.0-00010101000000-000000000000 github.com/DataDog/datadog-agent/comp/def v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/config/mock v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/DataDog/datadog-agent/pkg/util/log/setup v0.0.0-00010101000000-000000000000 github.com/stretchr/testify v1.10.0 ) @@ -56,15 +56,15 @@ require ( github.com/DataDog/datadog-agent/pkg/config/structure v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/comp/core/log/mock/go.mod b/comp/core/log/mock/go.mod index 806ac2a0cf0100..e69fa4e54919fe 100644 --- a/comp/core/log/mock/go.mod +++ b/comp/core/log/mock/go.mod @@ -31,7 +31,7 @@ replace ( require ( github.com/DataDog/datadog-agent/comp/core/log/def v0.0.0-00010101000000-000000000000 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/DataDog/datadog-agent/pkg/util/log/setup v0.0.0-00010101000000-000000000000 ) @@ -39,7 +39,7 @@ require ( github.com/DataDog/datadog-agent/pkg/config/model v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/nodetreemodel v0.60.0-devel // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.60.0-devel // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 // indirect diff --git a/comp/core/status/statusimpl/go.mod b/comp/core/status/statusimpl/go.mod index 95a89f26d371ce..3e479f4186af46 100644 --- a/comp/core/status/statusimpl/go.mod +++ b/comp/core/status/statusimpl/go.mod @@ -68,16 +68,16 @@ require ( github.com/DataDog/datadog-agent/pkg/config/structure v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.60.0-devel // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/log/setup v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 // indirect diff --git a/comp/core/workloadmeta/collectors/catalog-core/options.go b/comp/core/workloadmeta/collectors/catalog-core/options.go index bba615c6bd790f..5dbb5398da63e0 100644 --- a/comp/core/workloadmeta/collectors/catalog-core/options.go +++ b/comp/core/workloadmeta/collectors/catalog-core/options.go @@ -21,6 +21,7 @@ import ( "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/kubeapiserver" "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/kubelet" "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/kubemetadata" + "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/nvml" "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/podman" "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/process" remoteprocesscollector "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/remote/processcollector" @@ -41,5 +42,6 @@ func getCollectorOptions() []fx.Option { podman.GetFxOptions(), remoteprocesscollector.GetFxOptions(), process.GetFxOptions(), + nvml.GetFxOptions(), } } diff --git a/comp/core/workloadmeta/collectors/catalog/options.go b/comp/core/workloadmeta/collectors/catalog/options.go index 05f6ca9ac5e122..1778576a3573e1 100644 --- a/comp/core/workloadmeta/collectors/catalog/options.go +++ b/comp/core/workloadmeta/collectors/catalog/options.go @@ -21,6 +21,7 @@ import ( "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/kubeapiserver" "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/kubelet" "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/kubemetadata" + "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/nvml" "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/podman" "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/remote/processcollector" remoteworkloadmeta "github.com/DataDog/datadog-agent/comp/core/workloadmeta/collectors/internal/remote/workloadmeta" @@ -42,5 +43,6 @@ func getCollectorOptions() []fx.Option { remoteworkloadmeta.GetFxOptions(), remoteWorkloadmetaParams(), processcollector.GetFxOptions(), + nvml.GetFxOptions(), } } diff --git a/comp/core/workloadmeta/collectors/internal/nvml/nvml.go b/comp/core/workloadmeta/collectors/internal/nvml/nvml.go new file mode 100644 index 00000000000000..d612a3dd01fd16 --- /dev/null +++ b/comp/core/workloadmeta/collectors/internal/nvml/nvml.go @@ -0,0 +1,124 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2024-present Datadog, Inc. + +//go:build linux + +package nvml + +import ( + "context" + "fmt" + + "go.uber.org/fx" + + "github.com/NVIDIA/go-nvml/pkg/nvml" + + workloadmeta "github.com/DataDog/datadog-agent/comp/core/workloadmeta/def" + "github.com/DataDog/datadog-agent/pkg/config/env" + "github.com/DataDog/datadog-agent/pkg/errors" +) + +const ( + collectorID = "nvml" + componentName = "workloadmeta-nvml" + nvidiaVendor = "nvidia" +) + +type collector struct { + id string + catalog workloadmeta.AgentType + store workloadmeta.Component + nvmlLib nvml.Interface +} + +// NewCollector returns a kubelet CollectorProvider that instantiates its collector +func NewCollector() (workloadmeta.CollectorProvider, error) { + return workloadmeta.CollectorProvider{ + Collector: &collector{ + id: collectorID, + catalog: workloadmeta.NodeAgent, + }, + }, nil +} + +// GetFxOptions returns the FX framework options for the collector +func GetFxOptions() fx.Option { + return fx.Provide(NewCollector) +} + +// Start initializes the NVML library and sets the store +func (c *collector) Start(_ context.Context, store workloadmeta.Component) error { + if !env.IsFeaturePresent(env.NVML) { + return errors.NewDisabled(componentName, "Agent does not have NVML library available") + } + + c.store = store + // TODO: Add configuration option for NVML library path + c.nvmlLib = nvml.New() + ret := c.nvmlLib.Init() + if ret != nvml.SUCCESS && ret != nvml.ERROR_ALREADY_INITIALIZED { + return fmt.Errorf("failed to initialize NVML library: %v", nvml.ErrorString(ret)) + } + + return nil +} + +// Pull collects the GPUs available on the node and notifies the store +func (c *collector) Pull(_ context.Context) error { + count, ret := c.nvmlLib.DeviceGetCount() + if ret != nvml.SUCCESS { + return fmt.Errorf("failed to get device count: %v", nvml.ErrorString(ret)) + } + + var events []workloadmeta.CollectorEvent + for i := 0; i < count; i++ { + dev, ret := c.nvmlLib.DeviceGetHandleByIndex(i) + if ret != nvml.SUCCESS { + return fmt.Errorf("failed to get device handle for index %d: %v", i, nvml.ErrorString(ret)) + } + + uuid, ret := dev.GetUUID() + if ret != nvml.SUCCESS { + return fmt.Errorf("failed to get device UUID for index %d: %v", i, nvml.ErrorString(ret)) + } + + name, ret := dev.GetName() + if ret != nvml.SUCCESS { + return fmt.Errorf("failed to get device name for index %d: %v", i, nvml.ErrorString(ret)) + } + + gpu := &workloadmeta.GPU{ + EntityID: workloadmeta.EntityID{ + Kind: workloadmeta.KindGPU, + ID: uuid, + }, + EntityMeta: workloadmeta.EntityMeta{ + Name: name, + }, + Vendor: nvidiaVendor, + Device: name, + Index: i, + } + + event := workloadmeta.CollectorEvent{ + Source: workloadmeta.SourceRuntime, + Type: workloadmeta.EventTypeSet, + Entity: gpu, + } + events = append(events, event) + } + + c.store.Notify(events) + + return nil +} + +func (c *collector) GetID() string { + return c.id +} + +func (c *collector) GetTargetCatalog() workloadmeta.AgentType { + return c.catalog +} diff --git a/comp/core/workloadmeta/collectors/internal/nvml/nvml_nop.go b/comp/core/workloadmeta/collectors/internal/nvml/nvml_nop.go new file mode 100644 index 00000000000000..7d6beacc270f97 --- /dev/null +++ b/comp/core/workloadmeta/collectors/internal/nvml/nvml_nop.go @@ -0,0 +1,15 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2024-present Datadog, Inc. + +//go:build !linux + +package nvml + +import "go.uber.org/fx" + +// GetFxOptions returns the FX framework options for the collector +func GetFxOptions() fx.Option { + return nil +} diff --git a/comp/core/workloadmeta/collectors/internal/nvml/nvml_test.go b/comp/core/workloadmeta/collectors/internal/nvml/nvml_test.go new file mode 100644 index 00000000000000..0793fc9665687f --- /dev/null +++ b/comp/core/workloadmeta/collectors/internal/nvml/nvml_test.go @@ -0,0 +1,48 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2024-present Datadog, Inc. + +//go:build linux + +package nvml + +import ( + "context" + "testing" + + "github.com/stretchr/testify/require" + + workloadmeta "github.com/DataDog/datadog-agent/comp/core/workloadmeta/def" + "github.com/DataDog/datadog-agent/pkg/gpu/testutil" +) + +func TestPull(t *testing.T) { + wmetaMock := testutil.GetWorkloadMetaMock(t) + nvmlMock := testutil.GetBasicNvmlMock() + + c := &collector{ + id: collectorID, + catalog: workloadmeta.NodeAgent, + store: wmetaMock, + nvmlLib: nvmlMock, + } + + c.Pull(context.Background()) + + gpus := wmetaMock.ListGPUs() + require.Equal(t, len(testutil.GPUUUIDs), len(gpus)) + + foundIDs := make(map[string]bool) + for _, gpu := range gpus { + foundIDs[gpu.ID] = true + + require.Equal(t, nvidiaVendor, gpu.Vendor) + require.Equal(t, testutil.DefaultGPUName, gpu.Name) + require.Equal(t, testutil.DefaultGPUName, gpu.Device) + } + + for _, uuid := range testutil.GPUUUIDs { + require.True(t, foundIDs[uuid], "GPU with UUID %s not found", uuid) + } +} diff --git a/comp/core/workloadmeta/collectors/internal/nvml/stub.go b/comp/core/workloadmeta/collectors/internal/nvml/stub.go new file mode 100644 index 00000000000000..bb7f692241c977 --- /dev/null +++ b/comp/core/workloadmeta/collectors/internal/nvml/stub.go @@ -0,0 +1,7 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2024-present Datadog, Inc. + +// Package nvml implements the NVML collector for workloadmeta +package nvml diff --git a/comp/core/workloadmeta/def/types.go b/comp/core/workloadmeta/def/types.go index ad7dbbeda21e39..ab249af8d8a2ea 100644 --- a/comp/core/workloadmeta/def/types.go +++ b/comp/core/workloadmeta/def/types.go @@ -1365,6 +1365,12 @@ type GPU struct { // specific. Device string ActivePIDs []int + + // Index is the index of the GPU in the host system. This is useful as sometimes + // GPUs will be identified by their index instead of their UUID. Note that the index + // is not guaranteed to be stable across reboots, nor is necessarily the same inside + // of containers. + Index int } var _ Entity = &GPU{} @@ -1408,6 +1414,7 @@ func (g GPU) String(verbose bool) string { _, _ = fmt.Fprintln(&sb, "Vendor:", g.Vendor) _, _ = fmt.Fprintln(&sb, "Device:", g.Device) _, _ = fmt.Fprintln(&sb, "Active PIDs:", g.ActivePIDs) + _, _ = fmt.Fprintln(&sb, "Index:", g.Index) return sb.String() } diff --git a/comp/core/workloadmeta/impl/dump.go b/comp/core/workloadmeta/impl/dump.go index 3ffadfdaf6f7fa..fd2b626c20d247 100644 --- a/comp/core/workloadmeta/impl/dump.go +++ b/comp/core/workloadmeta/impl/dump.go @@ -35,6 +35,8 @@ func (w *workloadmeta) Dump(verbose bool) wmdef.WorkloadDumpResponse { info = e.String(verbose) case *wmdef.KubernetesMetadata: info = e.String(verbose) + case *wmdef.GPU: + info = e.String(verbose) default: return "", fmt.Errorf("unsupported type %T", e) } diff --git a/comp/forwarder/defaultforwarder/go.mod b/comp/forwarder/defaultforwarder/go.mod index b8dfe1557887ec..29cc11ab23fbdd 100644 --- a/comp/forwarder/defaultforwarder/go.mod +++ b/comp/forwarder/defaultforwarder/go.mod @@ -67,11 +67,11 @@ require ( github.com/DataDog/datadog-agent/pkg/telemetry v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/backoff v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/common v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 github.com/DataDog/datadog-agent/pkg/util/fxutil v0.57.1 github.com/DataDog/datadog-agent/pkg/util/http v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 github.com/DataDog/datadog-agent/pkg/version v0.59.1 github.com/golang/protobuf v1.5.4 github.com/hashicorp/go-multierror v1.1.1 @@ -93,12 +93,12 @@ require ( github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.60.0-devel // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/log/setup v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/beorn7/perks v1.0.1 // indirect diff --git a/comp/forwarder/orchestrator/orchestratorinterface/go.mod b/comp/forwarder/orchestrator/orchestratorinterface/go.mod index 71948459efc153..d0d18a5c27afbf 100644 --- a/comp/forwarder/orchestrator/orchestratorinterface/go.mod +++ b/comp/forwarder/orchestrator/orchestratorinterface/go.mod @@ -89,17 +89,17 @@ require ( github.com/DataDog/datadog-agent/pkg/util/backoff v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/common v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.57.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/http v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/comp/logs/agent/config/go.mod b/comp/logs/agent/config/go.mod index aae1341b12d072..f0fb1e7c66c3dc 100644 --- a/comp/logs/agent/config/go.mod +++ b/comp/logs/agent/config/go.mod @@ -43,8 +43,8 @@ require ( github.com/DataDog/datadog-agent/pkg/config/structure v0.59.0 github.com/DataDog/datadog-agent/pkg/config/utils v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 github.com/DataDog/viper v1.14.0 github.com/stretchr/testify v1.10.0 go.uber.org/fx v1.23.0 @@ -61,13 +61,13 @@ require ( github.com/DataDog/datadog-agent/pkg/config/nodetreemodel v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 // indirect diff --git a/comp/otelcol/converter/impl/go.mod b/comp/otelcol/converter/impl/go.mod index f3312ddbbb4a04..a382f9181151fa 100644 --- a/comp/otelcol/converter/impl/go.mod +++ b/comp/otelcol/converter/impl/go.mod @@ -66,16 +66,16 @@ require ( github.com/DataDog/datadog-agent/pkg/config/structure v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.2 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/comp/otelcol/ddflareextension/impl/go.mod b/comp/otelcol/ddflareextension/impl/go.mod index 5ce10dd69255ef..b8a394d3917c98 100644 --- a/comp/otelcol/ddflareextension/impl/go.mod +++ b/comp/otelcol/ddflareextension/impl/go.mod @@ -257,22 +257,22 @@ require ( github.com/DataDog/datadog-agent/pkg/util/cgroups v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/common v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/http v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/json v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/log/setup v0.58.0-devel // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/sort v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/startstop v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-api-client-go/v2 v2.33.0 // indirect github.com/DataDog/datadog-go/v5 v5.6.0 // indirect github.com/DataDog/dd-sensitive-data-scanner/sds-go/go v0.0.0-20240816154533-f7f9beb53a42 // indirect diff --git a/comp/otelcol/logsagentpipeline/go.mod b/comp/otelcol/logsagentpipeline/go.mod index 38f8c438b1b4ad..dcc4997dd3e187 100644 --- a/comp/otelcol/logsagentpipeline/go.mod +++ b/comp/otelcol/logsagentpipeline/go.mod @@ -92,19 +92,19 @@ require ( github.com/DataDog/datadog-agent/pkg/telemetry v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/backoff v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/http v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/startstop v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/dd-sensitive-data-scanner/sds-go/go v0.0.0-20240816154533-f7f9beb53a42 // indirect github.com/DataDog/viper v1.14.0 // indirect diff --git a/comp/otelcol/logsagentpipeline/logsagentpipelineimpl/go.mod b/comp/otelcol/logsagentpipeline/logsagentpipelineimpl/go.mod index 41166e534eb157..25abbe1fc45ea8 100644 --- a/comp/otelcol/logsagentpipeline/logsagentpipelineimpl/go.mod +++ b/comp/otelcol/logsagentpipeline/logsagentpipelineimpl/go.mod @@ -109,17 +109,17 @@ require ( github.com/DataDog/datadog-agent/pkg/telemetry v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/backoff v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/http v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/log/setup v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/dd-sensitive-data-scanner/sds-go/go v0.0.0-20240816154533-f7f9beb53a42 // indirect github.com/DataDog/viper v1.14.0 // indirect diff --git a/comp/otelcol/otlp/components/exporter/datadogexporter/go.mod b/comp/otelcol/otlp/components/exporter/datadogexporter/go.mod index 4b812e26191a2a..8bd175dadf827e 100644 --- a/comp/otelcol/otlp/components/exporter/datadogexporter/go.mod +++ b/comp/otelcol/otlp/components/exporter/datadogexporter/go.mod @@ -189,21 +189,21 @@ require ( github.com/DataDog/datadog-agent/pkg/util/cgroups v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/common v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/http v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/json v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/sort v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/startstop v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/datadog-api-client-go/v2 v2.33.0 // indirect github.com/DataDog/dd-sensitive-data-scanner/sds-go/go v0.0.0-20240816154533-f7f9beb53a42 // indirect diff --git a/comp/otelcol/otlp/components/exporter/logsagentexporter/go.mod b/comp/otelcol/otlp/components/exporter/logsagentexporter/go.mod index c67221a1ae7d1b..f6c0091d1edbf9 100644 --- a/comp/otelcol/otlp/components/exporter/logsagentexporter/go.mod +++ b/comp/otelcol/otlp/components/exporter/logsagentexporter/go.mod @@ -47,7 +47,7 @@ require ( github.com/DataDog/datadog-agent/comp/otelcol/otlp/testutil v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/logs/message v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/logs/sources v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 github.com/DataDog/opentelemetry-mapping-go/pkg/otlp/attributes v0.22.0 github.com/DataDog/opentelemetry-mapping-go/pkg/otlp/logs v0.22.0 github.com/stormcat24/protodep v0.1.8 @@ -86,15 +86,15 @@ require ( github.com/DataDog/datadog-agent/pkg/logs/status/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/proto v0.55.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/datadog-api-client-go/v2 v2.33.0 // indirect github.com/DataDog/opentelemetry-mapping-go/pkg/inframetadata v0.22.0 // indirect diff --git a/comp/otelcol/otlp/components/exporter/serializerexporter/go.mod b/comp/otelcol/otlp/components/exporter/serializerexporter/go.mod index 7187d40303c670..7512830af0e48f 100644 --- a/comp/otelcol/otlp/components/exporter/serializerexporter/go.mod +++ b/comp/otelcol/otlp/components/exporter/serializerexporter/go.mod @@ -69,7 +69,7 @@ require ( github.com/DataDog/datadog-agent/pkg/proto v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/serializer v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/tagset v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/DataDog/opentelemetry-mapping-go/pkg/otlp/attributes v0.22.0 github.com/DataDog/opentelemetry-mapping-go/pkg/otlp/metrics v0.22.0 github.com/DataDog/opentelemetry-mapping-go/pkg/quantile v0.22.0 @@ -123,18 +123,18 @@ require ( github.com/DataDog/datadog-agent/pkg/util/buf v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/common v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.57.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/http v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/json v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/sort v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/mmh3 v0.0.0-20210722141835-012dc69a9e49 // indirect github.com/DataDog/sketches-go v1.4.6 // indirect diff --git a/comp/otelcol/otlp/testutil/go.mod b/comp/otelcol/otlp/testutil/go.mod index 2adbdacc9efd72..34531e0e5d204e 100644 --- a/comp/otelcol/otlp/testutil/go.mod +++ b/comp/otelcol/otlp/testutil/go.mod @@ -53,15 +53,15 @@ require ( github.com/DataDog/datadog-agent/pkg/config/structure v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/comp/serializer/compression/go.mod b/comp/serializer/compression/go.mod index bc763234b050d9..a0b8f60dc39f9f 100644 --- a/comp/serializer/compression/go.mod +++ b/comp/serializer/compression/go.mod @@ -36,7 +36,7 @@ replace ( require ( github.com/DataDog/datadog-agent/comp/core/config v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/DataDog/zstd v1.5.6 ) @@ -54,14 +54,14 @@ require ( github.com/DataDog/datadog-agent/pkg/config/structure v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/go.mod b/go.mod index 39e4930b3eb518..c27f741ede4840 100644 --- a/go.mod +++ b/go.mod @@ -154,9 +154,9 @@ require ( github.com/DataDog/datadog-agent/pkg/security/secl v0.56.0 github.com/DataDog/datadog-agent/pkg/trace v0.59.0 github.com/DataDog/datadog-agent/pkg/util/cgroups v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 github.com/DataDog/datadog-go/v5 v5.6.0 // TODO: pin to an operator released version once there is a release that includes the api module github.com/DataDog/datadog-operator/api v0.0.0-20250114151552-463ab54482b4 @@ -691,7 +691,7 @@ require ( github.com/DataDog/datadog-agent/pkg/util/common v0.59.0 github.com/DataDog/datadog-agent/pkg/util/containers/image v0.56.2 github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 github.com/DataDog/datadog-agent/pkg/util/flavor v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/fxutil v0.59.0 github.com/DataDog/datadog-agent/pkg/util/grpc v0.59.0 @@ -702,10 +702,10 @@ require ( github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 github.com/DataDog/datadog-agent/pkg/util/sort v0.59.0 github.com/DataDog/datadog-agent/pkg/util/startstop v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 github.com/DataDog/datadog-agent/pkg/util/testutil v0.59.0 github.com/DataDog/datadog-agent/pkg/util/uuid v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 github.com/DataDog/datadog-agent/pkg/version v0.59.1 github.com/DataDog/go-libddwaf/v3 v3.5.1 github.com/DataDog/go-sqllexer v0.0.20 diff --git a/pkg/api/go.mod b/pkg/api/go.mod index f5c74d8a9d18bc..c220d1c0c30b51 100644 --- a/pkg/api/go.mod +++ b/pkg/api/go.mod @@ -42,9 +42,9 @@ require ( github.com/DataDog/datadog-agent/pkg/config/mock v0.59.0 github.com/DataDog/datadog-agent/pkg/config/model v0.59.0 github.com/DataDog/datadog-agent/pkg/config/utils v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 github.com/stretchr/testify v1.10.0 ) @@ -63,10 +63,10 @@ require ( github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/pkg/config/env/environment_container_features.go b/pkg/config/env/environment_container_features.go index ffced09b49c611..ebb854289e938d 100644 --- a/pkg/config/env/environment_container_features.go +++ b/pkg/config/env/environment_container_features.go @@ -33,4 +33,6 @@ const ( Podman Feature = "podman" // PodResources socket present PodResources Feature = "podresources" + // NVML library present for GPU detection + NVML Feature = "nvml" ) diff --git a/pkg/config/env/environment_containers.go b/pkg/config/env/environment_containers.go index 7dbb0cf9ce58f3..4ec4b44f6ee135 100644 --- a/pkg/config/env/environment_containers.go +++ b/pkg/config/env/environment_containers.go @@ -16,6 +16,7 @@ import ( "github.com/DataDog/datadog-agent/pkg/config/model" "github.com/DataDog/datadog-agent/pkg/util/log" + "github.com/DataDog/datadog-agent/pkg/util/system" "github.com/DataDog/datadog-agent/pkg/util/system/socket" ) @@ -29,6 +30,7 @@ const ( defaultPodmanContainersStoragePath = "/var/lib/containers/storage" unixSocketPrefix = "unix://" winNamedPipePrefix = "npipe://" + defaultNVMLLibraryName = "libnvidia-ml.so.1" socketTimeout = 500 * time.Millisecond ) @@ -47,6 +49,7 @@ func init() { registerFeature(CloudFoundry) registerFeature(Podman) registerFeature(PodResources) + registerFeature(NVML) } // IsAnyContainerFeaturePresent checks if any of known container features is present @@ -71,6 +74,7 @@ func detectContainerFeatures(features FeatureMap, cfg model.Reader) { detectCloudFoundry(features, cfg) detectPodman(features, cfg) detectPodResources(features, cfg) + detectNVML(features) } func detectKubernetes(features FeatureMap, cfg model.Reader) { @@ -243,6 +247,19 @@ func detectPodResources(features FeatureMap, cfg model.Reader) { } } +func detectNVML(features FeatureMap) { + // Use dlopen to search for the library to avoid importing the go-nvml package here, + // which is 1MB in size and would increase the agent binary size, when we don't really + // need it for anything else. + if err := system.CheckLibraryExists(defaultNVMLLibraryName); err != nil { + log.Debugf("Agent did not find NVML library: %v", err) + return + } + + features[NVML] = struct{}{} + log.Infof("Agent found NVML library") +} + func getHostMountPrefixes() []string { if IsContainerized() { return []string{"", defaultHostMountPrefix} diff --git a/pkg/config/env/go.mod b/pkg/config/env/go.mod index 14bdcd74d1a31f..770d734f095a0e 100644 --- a/pkg/config/env/go.mod +++ b/pkg/config/env/go.mod @@ -13,15 +13,17 @@ replace ( require ( github.com/DataDog/datadog-agent/pkg/config/model v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 github.com/DataDog/datadog-agent/pkg/util/system/socket v0.56.0-rc.3 github.com/stretchr/testify v1.10.0 ) require ( - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect @@ -32,6 +34,7 @@ require ( github.com/go-ole/go-ole v1.3.0 // indirect github.com/hashicorp/hcl v1.0.1-vault-5 // indirect github.com/hectane/go-acl v0.0.0-20230122075934-ca0b05cb1adb // indirect + github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a // indirect github.com/magiconair/properties v1.8.7 // indirect github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect @@ -43,6 +46,8 @@ require ( github.com/spf13/cast v1.7.1 // indirect github.com/spf13/jwalterweatherman v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect + github.com/tklauser/go-sysconf v0.3.14 // indirect + github.com/tklauser/numcpus v0.8.0 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect go.uber.org/atomic v1.11.0 // indirect golang.org/x/sys v0.29.0 // indirect @@ -52,3 +57,9 @@ require ( ) replace github.com/DataDog/datadog-agent/pkg/version => ../../version + +replace github.com/DataDog/datadog-agent/pkg/util/pointer => ../../util/pointer + +replace github.com/DataDog/datadog-agent/pkg/util/system => ../../util/system + +replace github.com/DataDog/datadog-agent/pkg/util/testutil => ../../util/testutil diff --git a/pkg/config/env/go.sum b/pkg/config/env/go.sum index e35ea74083bfe0..59909ceb82e8f4 100644 --- a/pkg/config/env/go.sum +++ b/pkg/config/env/go.sum @@ -100,6 +100,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a h1:3Bm7EwfUQUvhNeKIkUct/gl9eod1TcXuj8stxvi/GoI= +github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k= github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= @@ -177,6 +179,10 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= +github.com/tklauser/go-sysconf v0.3.14 h1:g5vzr9iPFFz24v2KZXs/pvpvh8/V9Fw6vQK5ZZb78yU= +github.com/tklauser/go-sysconf v0.3.14/go.mod h1:1ym4lWMLUOhuBOPGtRcJm7tEGX4SCYNEEEtghGG/8uY= +github.com/tklauser/numcpus v0.8.0 h1:Mx4Wwe/FjZLeQsK/6kt2EOepwwSl7SmJrK5bV/dXYgY= +github.com/tklauser/numcpus v0.8.0/go.mod h1:ZJZlAY+dmR4eut8epnzf0u/VwodKmryxR8txiloSqBE= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20200122045848-3419fae592fc/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= diff --git a/pkg/config/mock/go.mod b/pkg/config/mock/go.mod index 6ae52d1b4145b1..d83e16fcbd9cc4 100644 --- a/pkg/config/mock/go.mod +++ b/pkg/config/mock/go.mod @@ -43,15 +43,15 @@ require ( github.com/DataDog/datadog-agent/pkg/config/structure v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/pkg/config/remote/go.mod b/pkg/config/remote/go.mod index 6ee7fa66674e99..89a2223f88de7b 100644 --- a/pkg/config/remote/go.mod +++ b/pkg/config/remote/go.mod @@ -50,7 +50,7 @@ require ( github.com/DataDog/datadog-agent/pkg/util/backoff v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/grpc v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/http v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/DataDog/datadog-agent/pkg/util/uuid v0.56.0-rc.3 github.com/Masterminds/semver v1.5.0 github.com/benbjohnson/clock v1.3.5 @@ -77,13 +77,13 @@ require ( github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.0 // indirect github.com/DataDog/datadog-agent/pkg/util/cache v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/datadog-go/v5 v5.6.0 // indirect github.com/DataDog/go-libddwaf/v3 v3.5.1 // indirect @@ -121,7 +121,7 @@ require ( ) require ( - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/go-tuf v1.1.0-0.5.2 github.com/DataDog/viper v1.14.0 // indirect github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 // indirect diff --git a/pkg/config/setup/go.mod b/pkg/config/setup/go.mod index 75ebc105301910..53a1f6890ad404 100644 --- a/pkg/config/setup/go.mod +++ b/pkg/config/setup/go.mod @@ -44,11 +44,11 @@ require ( github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 github.com/stretchr/testify v1.10.0 go.uber.org/fx v1.23.0 gopkg.in/yaml.v2 v2.4.0 @@ -59,8 +59,8 @@ require ( github.com/DataDog/datadog-agent/comp/core/flare/builder v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/comp/core/flare/types v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/comp/def v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect diff --git a/pkg/config/utils/go.mod b/pkg/config/utils/go.mod index c004b3e0a267e4..491cc9a2b4cf82 100644 --- a/pkg/config/utils/go.mod +++ b/pkg/config/utils/go.mod @@ -38,7 +38,7 @@ require ( github.com/DataDog/datadog-agent/pkg/config/model v0.59.0 github.com/DataDog/datadog-agent/pkg/config/setup v0.59.0 github.com/DataDog/datadog-agent/pkg/config/structure v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/DataDog/datadog-agent/pkg/version v0.59.1 github.com/stretchr/testify v1.10.0 ) @@ -50,14 +50,14 @@ require ( github.com/DataDog/datadog-agent/pkg/config/nodetreemodel v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 // indirect diff --git a/pkg/gpu/testutil/mocks.go b/pkg/gpu/testutil/mocks.go index 009385125600a3..d90576972a5a81 100644 --- a/pkg/gpu/testutil/mocks.go +++ b/pkg/gpu/testutil/mocks.go @@ -45,6 +45,9 @@ var GPUCores = []int{DefaultGpuCores, 20, 30, 40, 50, 60, 70} // DefaultGpuUUID is the UUID for the default device returned by the mock var DefaultGpuUUID = GPUUUIDs[0] +// DefaultGPUName is the name for the default device returned by the mock +var DefaultGPUName = "Tesla T4" + // GetDeviceMock returns a mock of the nvml.Device with the given UUID. func GetDeviceMock(deviceIdx int) *nvmlmock.Device { return &nvmlmock.Device{ @@ -57,6 +60,9 @@ func GetDeviceMock(deviceIdx int) *nvmlmock.Device { GetUUIDFunc: func() (string, nvml.Return) { return GPUUUIDs[deviceIdx], nvml.SUCCESS }, + GetNameFunc: func() (string, nvml.Return) { + return DefaultGPUName, nvml.SUCCESS + }, } } diff --git a/pkg/logs/auditor/go.mod b/pkg/logs/auditor/go.mod index fe619764653de0..0aca7786f87a03 100644 --- a/pkg/logs/auditor/go.mod +++ b/pkg/logs/auditor/go.mod @@ -47,7 +47,7 @@ require ( github.com/DataDog/datadog-agent/pkg/logs/message v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/logs/sources v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/status/health v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/stretchr/testify v1.10.0 ) @@ -62,15 +62,15 @@ require ( github.com/DataDog/datadog-agent/pkg/config/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/logs/status/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/pkg/logs/client/go.mod b/pkg/logs/client/go.mod index 8ed35c60d65b90..fd1dd7ae650366 100644 --- a/pkg/logs/client/go.mod +++ b/pkg/logs/client/go.mod @@ -60,7 +60,7 @@ require ( github.com/DataDog/datadog-agent/pkg/telemetry v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/backoff v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/http v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/DataDog/datadog-agent/pkg/version v0.59.1 github.com/stretchr/testify v1.10.0 golang.org/x/net v0.34.0 @@ -79,16 +79,16 @@ require ( github.com/DataDog/datadog-agent/pkg/config/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/logs/status/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/benbjohnson/clock v1.3.5 // indirect diff --git a/pkg/logs/diagnostic/go.mod b/pkg/logs/diagnostic/go.mod index c7a129a64d2139..595e737b5ed866 100644 --- a/pkg/logs/diagnostic/go.mod +++ b/pkg/logs/diagnostic/go.mod @@ -64,17 +64,17 @@ require ( github.com/DataDog/datadog-agent/pkg/config/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/logs/status/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/pkg/logs/message/go.mod b/pkg/logs/message/go.mod index b4cab778ea0407..6d0f9b115ab7c1 100644 --- a/pkg/logs/message/go.mod +++ b/pkg/logs/message/go.mod @@ -42,7 +42,7 @@ replace ( require ( github.com/DataDog/datadog-agent/comp/logs/agent/config v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/logs/sources v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/stretchr/testify v1.10.0 ) @@ -58,15 +58,15 @@ require ( github.com/DataDog/datadog-agent/pkg/config/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/logs/status/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/pkg/logs/pipeline/go.mod b/pkg/logs/pipeline/go.mod index 8fa1e035e419c9..5236b97787d2e6 100644 --- a/pkg/logs/pipeline/go.mod +++ b/pkg/logs/pipeline/go.mod @@ -71,7 +71,7 @@ require ( github.com/DataDog/datadog-agent/pkg/logs/sender v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/logs/status/statusinterface v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/status/health v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/DataDog/datadog-agent/pkg/util/startstop v0.56.0-rc.3 github.com/hashicorp/go-multierror v1.1.1 github.com/stretchr/testify v1.10.0 @@ -94,17 +94,17 @@ require ( github.com/DataDog/datadog-agent/pkg/telemetry v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/backoff v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/http v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/dd-sensitive-data-scanner/sds-go/go v0.0.0-20240816154533-f7f9beb53a42 // indirect github.com/DataDog/viper v1.14.0 // indirect diff --git a/pkg/logs/processor/go.mod b/pkg/logs/processor/go.mod index 280fb195c3456b..b8c958f886ee55 100644 --- a/pkg/logs/processor/go.mod +++ b/pkg/logs/processor/go.mod @@ -57,7 +57,7 @@ require ( github.com/DataDog/datadog-agent/pkg/logs/metrics v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/logs/sds v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/logs/sources v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/stretchr/testify v1.10.0 ) @@ -75,16 +75,16 @@ require ( github.com/DataDog/datadog-agent/pkg/logs/status/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/telemetry v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/dd-sensitive-data-scanner/sds-go/go v0.0.0-20240816154533-f7f9beb53a42 // indirect github.com/DataDog/viper v1.14.0 // indirect diff --git a/pkg/logs/sds/go.mod b/pkg/logs/sds/go.mod index e78e3c4ce466c9..a838dd4057483c 100644 --- a/pkg/logs/sds/go.mod +++ b/pkg/logs/sds/go.mod @@ -52,7 +52,7 @@ require ( github.com/DataDog/datadog-agent/pkg/config/model v0.59.0 github.com/DataDog/datadog-agent/pkg/logs/message v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/telemetry v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/DataDog/dd-sensitive-data-scanner/sds-go/go v0.0.0-20240816154533-f7f9beb53a42 github.com/stretchr/testify v1.10.0 ) @@ -72,16 +72,16 @@ require ( github.com/DataDog/datadog-agent/pkg/logs/sources v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/logs/status/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/pkg/logs/sender/go.mod b/pkg/logs/sender/go.mod index 4959d17e7e1627..21fcbedf0c3750 100644 --- a/pkg/logs/sender/go.mod +++ b/pkg/logs/sender/go.mod @@ -59,7 +59,7 @@ require ( github.com/DataDog/datadog-agent/pkg/logs/sources v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/logs/status/statusinterface v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/telemetry v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/benbjohnson/clock v1.3.5 github.com/stretchr/testify v1.10.0 ) @@ -78,17 +78,17 @@ require ( github.com/DataDog/datadog-agent/pkg/logs/status/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/backoff v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/http v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/pkg/logs/sources/go.mod b/pkg/logs/sources/go.mod index f4dd05570d0ee9..df42b75450daea 100644 --- a/pkg/logs/sources/go.mod +++ b/pkg/logs/sources/go.mod @@ -41,7 +41,7 @@ replace ( require ( github.com/DataDog/datadog-agent/comp/logs/agent/config v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/logs/status/utils v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 github.com/stretchr/testify v1.10.0 ) @@ -57,14 +57,14 @@ require ( github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/pkg/logs/util/testutils/go.mod b/pkg/logs/util/testutils/go.mod index 2bc57124e0f833..bf0c4c74e87a39 100644 --- a/pkg/logs/util/testutils/go.mod +++ b/pkg/logs/util/testutils/go.mod @@ -56,16 +56,16 @@ require ( github.com/DataDog/datadog-agent/pkg/config/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/logs/status/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/pkg/metrics/go.mod b/pkg/metrics/go.mod index 867d03928fc3e1..deef82bf384fc8 100644 --- a/pkg/metrics/go.mod +++ b/pkg/metrics/go.mod @@ -47,7 +47,7 @@ require ( github.com/DataDog/datadog-agent/pkg/tagset v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/telemetry v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/buf v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/DataDog/opentelemetry-mapping-go/pkg/quantile v0.22.0 github.com/stretchr/testify v1.10.0 go.uber.org/atomic v1.11.0 @@ -64,16 +64,16 @@ require ( github.com/DataDog/datadog-agent/pkg/config/setup v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.57.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/sort v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/sketches-go v1.4.6 // indirect github.com/DataDog/viper v1.14.0 // indirect diff --git a/pkg/serializer/go.mod b/pkg/serializer/go.mod index 75b4d887ddb56f..821f78a0669f97 100644 --- a/pkg/serializer/go.mod +++ b/pkg/serializer/go.mod @@ -78,7 +78,7 @@ require ( github.com/DataDog/datadog-agent/pkg/tagset v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/telemetry v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/util/json v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/DataDog/datadog-agent/pkg/version v0.59.1 github.com/DataDog/opentelemetry-mapping-go/pkg/quantile v0.22.0 github.com/gogo/protobuf v1.3.2 @@ -112,17 +112,17 @@ require ( github.com/DataDog/datadog-agent/pkg/util/buf v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/common v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.57.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/http v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/sort v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/mmh3 v0.0.0-20210722141835-012dc69a9e49 // indirect github.com/DataDog/sketches-go v1.4.6 // indirect github.com/DataDog/viper v1.14.0 // indirect diff --git a/pkg/util/flavor/go.mod b/pkg/util/flavor/go.mod index c582fea783d845..912e97bed534f1 100644 --- a/pkg/util/flavor/go.mod +++ b/pkg/util/flavor/go.mod @@ -44,15 +44,15 @@ require ( github.com/DataDog/datadog-agent/pkg/config/structure v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/pkg/util/grpc/go.mod b/pkg/util/grpc/go.mod index f98e62c64f498c..98820a711e917f 100644 --- a/pkg/util/grpc/go.mod +++ b/pkg/util/grpc/go.mod @@ -37,7 +37,7 @@ replace ( require ( github.com/DataDog/datadog-agent/pkg/api v0.56.0-rc.3 github.com/DataDog/datadog-agent/pkg/proto v0.56.0-rc.3 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 github.com/stretchr/testify v1.10.0 golang.org/x/net v0.34.0 @@ -55,14 +55,14 @@ require ( github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/utils v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/pkg/util/http/go.mod b/pkg/util/http/go.mod index 31b552c2253066..e66b05154fd58f 100644 --- a/pkg/util/http/go.mod +++ b/pkg/util/http/go.mod @@ -33,7 +33,7 @@ replace ( require ( github.com/DataDog/datadog-agent/pkg/config/mock v0.59.0 github.com/DataDog/datadog-agent/pkg/config/model v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/stretchr/testify v1.10.0 golang.org/x/net v0.34.0 ) @@ -47,14 +47,14 @@ require ( github.com/DataDog/datadog-agent/pkg/config/structure v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/pkg/util/log/setup/go.mod b/pkg/util/log/setup/go.mod index 6016b33d8a7d42..023577e5217f77 100644 --- a/pkg/util/log/setup/go.mod +++ b/pkg/util/log/setup/go.mod @@ -33,7 +33,7 @@ replace ( require ( github.com/DataDog/datadog-agent/pkg/config/mock v0.59.0 github.com/DataDog/datadog-agent/pkg/config/model v0.59.0 - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 github.com/stretchr/testify v1.10.0 ) @@ -47,14 +47,14 @@ require ( github.com/DataDog/datadog-agent/pkg/config/structure v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/config/teeconfig v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/viper v1.14.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect diff --git a/pkg/util/system/dlopen_linux.go b/pkg/util/system/dlopen_linux.go new file mode 100644 index 00000000000000..bfc3e9e273a5e1 --- /dev/null +++ b/pkg/util/system/dlopen_linux.go @@ -0,0 +1,43 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2016-present Datadog, Inc. + +//go:build linux && cgo + +package system + +// #cgo LDFLAGS: -ldl +// #include +// #include +import "C" + +import ( + "fmt" + "unsafe" +) + +// CheckLibraryExists checks if a library is available on the system by trying it to +// open with dlopen. It returns an error if the library is not found. This is +// the most direct way to check for a library's presence on Linux, as there are +// multiple sources for paths for library searches, so it's better to use the +// same mechanism that the loader uses. +func CheckLibraryExists(libname string) error { + cname := C.CString(libname) + defer C.free(unsafe.Pointer(cname)) + + // Lazy: resolve undefined symbols as they are needed, avoid loading everything at once + handle := C.dlopen(cname, C.RTLD_LAZY) + if handle == nil { + e := C.dlerror() + var errstr string + if e != nil { + errstr = C.GoString(e) + } + + return fmt.Errorf("could not locate %s: %s", libname, errstr) + } + + defer C.dlclose(handle) + return nil +} diff --git a/pkg/util/system/dlopen_other.go b/pkg/util/system/dlopen_other.go new file mode 100644 index 00000000000000..51a4e1d97c1169 --- /dev/null +++ b/pkg/util/system/dlopen_other.go @@ -0,0 +1,16 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2016-present Datadog, Inc. + +//go:build !linux || !cgo + +package system + +import "errors" + +// CheckLibraryExists checks if a library is available on the system by trying it to +// open with dlopen. It returns an error if the library is not found. +func CheckLibraryExists(_ string) error { + return errors.New("CheckLibrary is not supported on this platform") +} diff --git a/test/new-e2e/tests/gpu/gpu_test.go b/test/new-e2e/tests/gpu/gpu_test.go index 6ba889a89550bc..3f43fcdfc93a6f 100644 --- a/test/new-e2e/tests/gpu/gpu_test.go +++ b/test/new-e2e/tests/gpu/gpu_test.go @@ -158,3 +158,12 @@ func (v *gpuSuite) TestNvmlMetricsPresent() { } }, 5*time.Minute, 10*time.Second) } + +func (v *gpuSuite) TestWorkloadmetaHasGPUs() { + out, err := v.Env().RemoteHost.Execute("agent workload-list") + v.Require().NoError(err) + v.Contains(out, "=== Entity gpu sources(merged):[runtime] id: ") + if v.T().Failed() { + v.T().Log(out) + } +} diff --git a/test/otel/go.mod b/test/otel/go.mod index f5611d747ace96..a1247fe1e23bf7 100644 --- a/test/otel/go.mod +++ b/test/otel/go.mod @@ -162,19 +162,19 @@ require ( github.com/DataDog/datadog-agent/pkg/util/backoff v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/cgroups v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/executable v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/filesystem v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/filesystem v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/fxutil v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/hostname/validate v0.59.0 // indirect github.com/DataDog/datadog-agent/pkg/util/http v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/log v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/log v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/option v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/pointer v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/scrubber v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/pointer v0.60.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/scrubber v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/startstop v0.56.0-rc.3 // indirect github.com/DataDog/datadog-agent/pkg/util/statstracker v0.56.0-rc.3 // indirect - github.com/DataDog/datadog-agent/pkg/util/system v0.59.0 // indirect + github.com/DataDog/datadog-agent/pkg/util/system v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/util/system/socket v0.59.0 // indirect - github.com/DataDog/datadog-agent/pkg/util/winutil v0.59.1 // indirect + github.com/DataDog/datadog-agent/pkg/util/winutil v0.60.1 // indirect github.com/DataDog/datadog-agent/pkg/version v0.59.1 // indirect github.com/DataDog/datadog-api-client-go/v2 v2.33.0 // indirect github.com/DataDog/datadog-go/v5 v5.6.0 // indirect From dbd33e1a2d078f8ffc65884344f4c3d04e283d5a Mon Sep 17 00:00:00 2001 From: Paul Cacheux Date: Wed, 15 Jan 2025 11:26:54 +0100 Subject: [PATCH 25/25] [CWS] remove `GetFieldValue` duplicated implementation (#32792) --- pkg/security/secl/compiler/eval/context.go | 3 + .../generators/accessors/accessors.tmpl | 140 +- pkg/security/secl/model/accessors_unix.go | 7532 ++--------------- pkg/security/secl/model/accessors_windows.go | 476 +- pkg/security/seclwin/model/accessors_win.go | 476 +- 5 files changed, 818 insertions(+), 7809 deletions(-) diff --git a/pkg/security/secl/compiler/eval/context.go b/pkg/security/secl/compiler/eval/context.go index 038a24634b353d..4ec748374646b9 100644 --- a/pkg/security/secl/compiler/eval/context.go +++ b/pkg/security/secl/compiler/eval/context.go @@ -37,6 +37,8 @@ type Context struct { CachedAncestorsCount int resolvedFields []string + + Error error } // Now return and cache the `now` timestamp @@ -56,6 +58,7 @@ func (c *Context) SetEvent(evt Event) { func (c *Context) Reset() { c.Event = nil c.now = time.Time{} + c.Error = nil clear(c.StringCache) clear(c.IntCache) diff --git a/pkg/security/secl/compiler/generators/accessors/accessors.tmpl b/pkg/security/secl/compiler/generators/accessors/accessors.tmpl index 477a9687ded94a..f1c791f1ba658f 100644 --- a/pkg/security/secl/compiler/generators/accessors/accessors.tmpl +++ b/pkg/security/secl/compiler/generators/accessors/accessors.tmpl @@ -22,7 +22,7 @@ import ( var _ = math.MaxUint16 var _ = net.IP{} -func (m *Model) GetEventTypes() []eval.EventType { +func (_ *Model) GetEventTypes() []eval.EventType { return []eval.EventType{ {{range $Name, $Exists := .EventTypes}} {{- if ne $Name ""}} @@ -32,7 +32,7 @@ func (m *Model) GetEventTypes() []eval.EventType { } } -func (m *Model) GetFieldRestrictions(field eval.Field) []eval.EventType { +func (_ *Model) GetFieldRestrictions(field eval.Field) []eval.EventType { switch field { {{range $Name, $Field := .Fields}} {{- if $Field.RestrictedTo }} @@ -45,7 +45,7 @@ func (m *Model) GetFieldRestrictions(field eval.Field) []eval.EventType { return nil } -func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error) { +func (_ *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error) { switch field { {{range $Name, $Field := .Fields}} {{- if $Field.GettersOnly }} @@ -98,6 +98,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval {{$SubName := $Field.Iterator.Name | TrimPrefix $Check}} {{$Check = $SubName | printf "element%s"}} if !{{$Check}}() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, {{$Field.GetDefaultScalarReturnValue}}) } {{end}} @@ -145,6 +146,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval {{$SubName := $Field.Iterator.Name | TrimPrefix $Check}} {{$Check = $SubName | printf "pce%s"}} if !{{$Check}}() { + ctx.Error = &eval.ErrNotSupported{Field: field} {{if $Field.GetArrayPrefix}} return nil {{else}} @@ -192,6 +194,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval {{range $Check := $Checks}} {{$Check = $Check | printf "ev.%s"}} if !{{$Check}}() { + ctx.Error = &eval.ErrNotSupported{Field: field} return {{$Field.GetDefaultReturnValue}} } {{end}} @@ -274,129 +277,18 @@ func (ev *Event) GetFields() []eval.Field { } func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) { - switch field { - {{range $Name, $Field := .Fields}} - {{- if $Field.GettersOnly }} - {{continue}} - {{end}} - - {{if $Field.Ref}} - {{$Ref := index $.Fields $Field.Ref}} - {{if $Ref}} - {{$Field = $Ref}} - {{end}} - {{end}} - - case "{{$Name}}": - {{- if and $Field.Iterator (not $Field.IsLength)}} - var values []{{$Field.ReturnType}} - - ctx := eval.NewContext(ev) - - iterator := &{{$Field.Iterator.ReturnType}}{} - ptr := iterator.Front(ctx) - - for ptr != nil { - {{if $Field.Iterator.IsOrigTypePtr}} - element := ptr - {{else}} - element := *ptr - {{end}} - - {{$SubName := $Field.Iterator.Name | TrimPrefix $Field.Name}} - - {{$Return := $SubName | printf "element%s"}} - {{if $Field.Handler}} - {{$SubName = $Field.Iterator.Name | TrimPrefix $Field.Prefix}} - {{$Handler := $Field.Iterator.Name | TrimPrefix $Field.Handler}} - {{$Return = print "ev.FieldHandlers." $Handler "(ev, &element" $SubName ")"}} - {{end}} - - {{if $Field.IsLength}} - {{$Return = ".length" | TrimSuffix $Return}} - {{end}} - - {{if and (eq $Field.ReturnType "int") (ne $Field.OrigType "int")}} - result := int({{$Return}}) - {{else}} - {{if $Field.IsLength}} - result := len({{$Return}}) - {{else}} - result := {{$Return}} - {{end}} - {{end}} - - {{if not $Field.GetArrayPrefix}} - values = append(values, result) - {{else}} - values = append(values, result...) - {{end}} - - ptr = iterator.Next() - } - - return values, nil - {{else}} - {{$Return := $Field.Name | printf "ev.%s"}} - - {{$Checks := $Field | GetChecks $.AllFields}} - {{range $Check := $Checks}} - {{$Check = $Check | printf "ev.%s"}} - if !{{$Check}}() { - return {{$Field.GetDefaultReturnValue}}, &eval.ErrNotSupported{Field: field} - } - {{end}} - - {{if $Field.IsLength}} - {{- if $Field.IsIterator}} - ctx := eval.NewContext(ev) - iterator := &{{$Field.Iterator.ReturnType}}{} - {{$Return = "iterator.Len(ctx)"}} - {{else}} - {{$Return = ".length" | TrimSuffix $Return | printf "len(%s)"}} - {{end}} - {{end}} - {{if $Field.Handler}} - {{$Ptr := "&"}} - {{$Parent := index $.AllFields $Field.Prefix}} - {{- if or (not $Parent) $Parent.IsOrigTypePtr}} - {{$Ptr = ""}} - {{end}} - - {{$Prefix := $Field.Prefix}} - {{ if not $Prefix }} - {{$Return = print "ev.FieldHandlers." $Field.Handler "(ev)"}} - {{else}} - {{$Return = print "ev.FieldHandlers." $Field.Handler "(ev, " $Ptr "ev." $Prefix ")"}} - {{end}} - {{end}} - - {{if eq $Field.ReturnType "string"}} - return {{$Return}}, nil - {{else if eq $Field.ReturnType "int"}} - {{- if and ($Field.IsArray) (ne $Field.OrigType "int") }} - result := make([]int, len({{$Return}})) - for i, v := range {{$Return}} { - result[i] = int(v) - } - return result, nil - {{- else}} - {{- if ne $Field.OrigType "int"}} - return int({{$Return}}), nil - {{- else}} - return {{$Return}}, nil - {{end -}} - {{end -}} - {{else if eq $Field.ReturnType "bool"}} - return {{$Return}}, nil - {{else if eq $Field.ReturnType "net.IPNet"}} - return {{$Return}}, nil - {{end}} - {{end}} - {{end}} + m := &Model{} + evaluator, err := m.GetEvaluator(field, "") + if err != nil { + return nil, err } - return nil, &eval.ErrFieldNotFound{Field: field} + ctx := eval.NewContext(ev) + value := evaluator.Eval(ctx) + if ctx.Error != nil { + return nil, ctx.Error + } + return value, nil } func (ev *Event) GetFieldMetadata(field eval.Field) (eval.EventType, reflect.Kind, error) { diff --git a/pkg/security/secl/model/accessors_unix.go b/pkg/security/secl/model/accessors_unix.go index 23ba88d41595dd..a846e3f4ecf7d2 100644 --- a/pkg/security/secl/model/accessors_unix.go +++ b/pkg/security/secl/model/accessors_unix.go @@ -20,7 +20,7 @@ import ( var _ = math.MaxUint16 var _ = net.IP{} -func (m *Model) GetEventTypes() []eval.EventType { +func (_ *Model) GetEventTypes() []eval.EventType { return []eval.EventType{ eval.EventType("accept"), eval.EventType("bind"), @@ -58,7 +58,7 @@ func (m *Model) GetEventTypes() []eval.EventType { eval.EventType("utimes"), } } -func (m *Model) GetFieldRestrictions(field eval.Field) []eval.EventType { +func (_ *Model) GetFieldRestrictions(field eval.Field) []eval.EventType { switch field { case "network.destination.ip": return []eval.EventType{"dns", "imds"} @@ -83,7 +83,7 @@ func (m *Model) GetFieldRestrictions(field eval.Field) []eval.EventType { } return nil } -func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error) { +func (_ *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error) { switch field { case "accept.addr.family": return &eval.IntEvaluator{ @@ -1599,6 +1599,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.FileEvent.FileFields.CTime) @@ -1612,6 +1613,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exec.Process.FileEvent) @@ -1625,6 +1627,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.FileEvent.FileFields.GID) @@ -1638,6 +1641,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exec.Process.FileEvent.FileFields) @@ -1651,6 +1655,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exec.Process.FileEvent) @@ -1664,6 +1669,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exec.Process.FileEvent.FileFields) @@ -1677,6 +1683,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.FileEvent.FileFields.PathKey.Inode) @@ -1690,6 +1697,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.FileEvent.FileFields.Mode) @@ -1703,6 +1711,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.FileEvent.FileFields.MTime) @@ -1716,6 +1725,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.FileEvent.FileFields.PathKey.MountID) @@ -1730,6 +1740,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent) @@ -1754,6 +1765,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exec.Process.FileEvent) @@ -1767,6 +1779,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exec.Process.FileEvent) @@ -1780,6 +1793,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exec.Process.FileEvent) @@ -1794,6 +1808,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent) @@ -1818,6 +1833,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exec.Process.FileEvent.FileFields)) @@ -1831,6 +1847,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.FileEvent.FileFields.UID) @@ -1844,6 +1861,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exec.Process.FileEvent.FileFields) @@ -1917,6 +1935,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.CTime) @@ -1930,6 +1949,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) @@ -1943,6 +1963,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.GID) @@ -1956,6 +1977,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields) @@ -1969,6 +1991,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) @@ -1982,6 +2005,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields) @@ -1995,6 +2019,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -2008,6 +2033,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.Mode) @@ -2021,6 +2047,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.MTime) @@ -2034,6 +2061,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -2048,6 +2076,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) @@ -2072,6 +2101,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) @@ -2085,6 +2115,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) @@ -2098,6 +2129,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) @@ -2112,6 +2144,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) @@ -2136,6 +2169,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields)) @@ -2149,6 +2183,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.UID) @@ -2162,6 +2197,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields) @@ -2565,6 +2601,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.FileEvent.FileFields.CTime) @@ -2578,6 +2615,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exit.Process.FileEvent) @@ -2591,6 +2629,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.FileEvent.FileFields.GID) @@ -2604,6 +2643,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exit.Process.FileEvent.FileFields) @@ -2617,6 +2657,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exit.Process.FileEvent) @@ -2630,6 +2671,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exit.Process.FileEvent.FileFields) @@ -2643,6 +2685,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.FileEvent.FileFields.PathKey.Inode) @@ -2656,6 +2699,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.FileEvent.FileFields.Mode) @@ -2669,6 +2713,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.FileEvent.FileFields.MTime) @@ -2682,6 +2727,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.FileEvent.FileFields.PathKey.MountID) @@ -2696,6 +2742,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent) @@ -2720,6 +2767,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exit.Process.FileEvent) @@ -2733,6 +2781,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exit.Process.FileEvent) @@ -2746,6 +2795,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exit.Process.FileEvent) @@ -2760,6 +2810,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent) @@ -2784,6 +2835,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exit.Process.FileEvent.FileFields)) @@ -2797,6 +2849,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.FileEvent.FileFields.UID) @@ -2810,6 +2863,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exit.Process.FileEvent.FileFields) @@ -2883,6 +2937,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.CTime) @@ -2896,6 +2951,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) @@ -2909,6 +2965,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.GID) @@ -2922,6 +2979,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields) @@ -2935,6 +2993,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) @@ -2948,6 +3007,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields) @@ -2961,6 +3021,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -2974,6 +3035,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.Mode) @@ -2987,6 +3049,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.MTime) @@ -3000,6 +3063,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -3014,6 +3078,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) @@ -3038,6 +3103,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) @@ -3051,6 +3117,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) @@ -3064,6 +3131,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) @@ -3078,6 +3146,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) @@ -3102,6 +3171,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields)) @@ -3115,6 +3185,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.UID) @@ -3128,6 +3199,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields) @@ -5888,6 +5960,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime) @@ -5896,6 +5969,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.CTime) @@ -5922,6 +5996,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent) @@ -5930,6 +6005,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &pce.ProcessContext.Process.FileEvent) @@ -5955,6 +6031,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.GID) @@ -5963,6 +6040,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.GID) @@ -5989,6 +6067,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields) @@ -5997,6 +6076,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &pce.ProcessContext.Process.FileEvent.FileFields) @@ -6023,6 +6103,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent) @@ -6031,6 +6112,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return nil } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &pce.ProcessContext.Process.FileEvent) @@ -6057,6 +6139,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, false) } result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields) @@ -6065,6 +6148,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &pce.ProcessContext.Process.FileEvent.FileFields) @@ -6090,6 +6174,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) @@ -6098,6 +6183,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) @@ -6123,6 +6209,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode) @@ -6131,6 +6218,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.Mode) @@ -6156,6 +6244,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime) @@ -6164,6 +6253,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.MTime) @@ -6189,6 +6279,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) @@ -6197,6 +6288,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) @@ -6224,6 +6316,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) @@ -6232,6 +6325,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.FileEvent) @@ -6287,6 +6381,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent) @@ -6295,6 +6390,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &pce.ProcessContext.Process.FileEvent) @@ -6321,6 +6417,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent) @@ -6329,6 +6426,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &pce.ProcessContext.Process.FileEvent) @@ -6355,6 +6453,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent) @@ -6363,6 +6462,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &pce.ProcessContext.Process.FileEvent) @@ -6390,6 +6490,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) @@ -6398,6 +6499,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.FileEvent) @@ -6453,6 +6555,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields)) @@ -6461,6 +6564,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &pce.ProcessContext.Process.FileEvent.FileFields)) @@ -6486,6 +6590,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.UID) @@ -6494,6 +6599,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.UID) @@ -6520,6 +6626,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields) @@ -6528,6 +6635,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &pce.ProcessContext.Process.FileEvent.FileFields) @@ -6715,6 +6823,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) @@ -6723,6 +6832,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) @@ -6749,6 +6859,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -6757,6 +6868,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -6782,6 +6894,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) @@ -6790,6 +6903,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) @@ -6816,6 +6930,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -6824,6 +6939,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -6850,6 +6966,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -6858,6 +6975,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return nil } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -6884,6 +7002,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, false) } result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -6892,6 +7011,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -6917,6 +7037,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -6925,6 +7046,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -6950,6 +7072,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) @@ -6958,6 +7081,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) @@ -6983,6 +7107,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) @@ -6991,6 +7116,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) @@ -7016,6 +7142,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -7024,6 +7151,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -7051,6 +7179,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -7059,6 +7188,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -7114,6 +7244,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -7122,6 +7253,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -7148,6 +7280,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -7156,6 +7289,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -7182,6 +7316,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -7190,6 +7325,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -7217,6 +7353,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -7225,6 +7362,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -7280,6 +7418,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) @@ -7288,6 +7427,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) @@ -7313,6 +7453,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) @@ -7321,6 +7462,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) @@ -7347,6 +7489,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -7355,6 +7498,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -7948,6 +8092,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.CTime) @@ -7961,6 +8106,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) @@ -7974,6 +8120,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.GID) @@ -7987,6 +8134,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields) @@ -8000,6 +8148,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) @@ -8013,6 +8162,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields) @@ -8026,6 +8176,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) @@ -8039,6 +8190,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.Mode) @@ -8052,6 +8204,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.MTime) @@ -8065,6 +8218,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) @@ -8079,6 +8233,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) @@ -8103,6 +8258,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) @@ -8116,6 +8272,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) @@ -8129,6 +8286,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) @@ -8143,6 +8301,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) @@ -8167,6 +8326,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields)) @@ -8180,6 +8340,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.UID) @@ -8193,6 +8354,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields) @@ -8266,6 +8428,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) @@ -8279,6 +8442,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -8292,6 +8456,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) @@ -8305,6 +8470,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -8318,6 +8484,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -8331,6 +8498,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -8344,6 +8512,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -8357,6 +8526,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) @@ -8370,6 +8540,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) @@ -8383,6 +8554,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -8397,6 +8569,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -8421,6 +8594,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -8434,6 +8608,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -8447,6 +8622,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -8461,6 +8637,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -8485,6 +8662,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) @@ -8498,6 +8676,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) @@ -8511,6 +8690,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -8554,6 +8734,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveProcessArgs(ev, ev.BaseEvent.ProcessContext.Parent) @@ -8567,6 +8748,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.BaseEvent.ProcessContext.Parent) @@ -8580,6 +8762,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.BaseEvent.ProcessContext.Parent) @@ -8593,6 +8776,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.BaseEvent.ProcessContext.Parent) @@ -8606,6 +8790,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessArgv(ev, ev.BaseEvent.ProcessContext.Parent) @@ -8619,6 +8804,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.BaseEvent.ProcessContext.Parent) @@ -8632,6 +8818,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.Credentials.AUID) @@ -8645,6 +8832,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.Credentials.CapEffective) @@ -8658,6 +8846,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.Credentials.CapPermitted) @@ -8671,6 +8860,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.CGroup.CGroupFile.Inode) @@ -8684,6 +8874,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.CGroup.CGroupFile.MountID) @@ -8697,6 +8888,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveCGroupID(ev, &ev.BaseEvent.ProcessContext.Parent.CGroup) @@ -8710,6 +8902,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.BaseEvent.ProcessContext.Parent.CGroup) @@ -8723,6 +8916,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return ev.FieldHandlers.ResolveCGroupVersion(ev, &ev.BaseEvent.ProcessContext.Parent.CGroup) @@ -8736,6 +8930,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.BaseEvent.ProcessContext.Parent.Comm @@ -8749,6 +8944,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveProcessContainerID(ev, ev.BaseEvent.ProcessContext.Parent) @@ -8762,6 +8958,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.BaseEvent.ProcessContext.Parent)) @@ -8775,6 +8972,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.Credentials.EGID) @@ -8788,6 +8986,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.BaseEvent.ProcessContext.Parent.Credentials.EGroup @@ -8801,6 +9000,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent) @@ -8814,6 +9014,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent) @@ -8827,6 +9028,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.BaseEvent.ProcessContext.Parent) @@ -8840,6 +9042,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.Credentials.EUID) @@ -8853,6 +9056,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.BaseEvent.ProcessContext.Parent.Credentials.EUser @@ -8866,9 +9070,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.CTime) @@ -8882,9 +9088,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) @@ -8898,9 +9106,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.GID) @@ -8914,9 +9124,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields) @@ -8930,9 +9142,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) @@ -8946,9 +9160,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields) @@ -8962,9 +9178,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.PathKey.Inode) @@ -8978,9 +9196,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.Mode) @@ -8994,9 +9214,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.MTime) @@ -9010,9 +9232,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.PathKey.MountID) @@ -9027,9 +9251,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) @@ -9054,9 +9280,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) @@ -9070,9 +9298,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) @@ -9086,9 +9316,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) @@ -9103,9 +9335,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) @@ -9130,9 +9364,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields)) @@ -9146,9 +9382,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.UID) @@ -9162,9 +9400,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields) @@ -9178,6 +9418,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.Credentials.FSGID) @@ -9191,6 +9432,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.BaseEvent.ProcessContext.Parent.Credentials.FSGroup @@ -9204,6 +9446,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.Credentials.FSUID) @@ -9217,6 +9460,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.BaseEvent.ProcessContext.Parent.Credentials.FSUser @@ -9230,6 +9474,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.Credentials.GID) @@ -9243,6 +9488,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.BaseEvent.ProcessContext.Parent.Credentials.Group @@ -9256,9 +9502,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.CTime) @@ -9272,9 +9520,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) @@ -9288,9 +9538,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.GID) @@ -9304,9 +9556,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields) @@ -9320,9 +9574,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) @@ -9336,9 +9592,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields) @@ -9352,9 +9610,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -9368,9 +9628,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.Mode) @@ -9384,9 +9646,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.MTime) @@ -9400,9 +9664,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -9417,9 +9683,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) @@ -9444,9 +9712,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) @@ -9460,9 +9730,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) @@ -9476,9 +9748,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) @@ -9493,9 +9767,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) @@ -9520,9 +9796,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields)) @@ -9536,9 +9814,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.UID) @@ -9552,9 +9832,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields) @@ -9568,6 +9850,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.BaseEvent.ProcessContext.Parent.IsExec @@ -9581,6 +9864,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.BaseEvent.ProcessContext.Parent.PIDContext.IsKworker @@ -9594,6 +9878,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveProcessIsThread(ev, ev.BaseEvent.ProcessContext.Parent) @@ -9607,6 +9892,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid) @@ -9620,6 +9906,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.PPid) @@ -9633,6 +9920,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Tid) @@ -9646,6 +9934,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.BaseEvent.ProcessContext.Parent.TTYName @@ -9659,6 +9948,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.Credentials.UID) @@ -9672,6 +9962,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.BaseEvent.ProcessContext.Parent.Credentials.User @@ -9685,6 +9976,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession) @@ -9698,6 +9990,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveK8SUID(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession) @@ -9711,6 +10004,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession) @@ -10506,6 +10800,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime) @@ -10514,6 +10809,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.CTime) @@ -10540,6 +10836,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent) @@ -10548,6 +10845,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &pce.ProcessContext.Process.FileEvent) @@ -10573,6 +10871,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.GID) @@ -10581,6 +10880,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.GID) @@ -10607,6 +10907,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields) @@ -10615,6 +10916,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &pce.ProcessContext.Process.FileEvent.FileFields) @@ -10641,6 +10943,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent) @@ -10649,6 +10952,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return nil } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &pce.ProcessContext.Process.FileEvent) @@ -10675,6 +10979,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, false) } result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields) @@ -10683,6 +10988,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &pce.ProcessContext.Process.FileEvent.FileFields) @@ -10708,6 +11014,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) @@ -10716,6 +11023,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) @@ -10741,6 +11049,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode) @@ -10749,6 +11058,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.Mode) @@ -10774,6 +11084,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime) @@ -10782,6 +11093,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.MTime) @@ -10807,6 +11119,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) @@ -10815,6 +11128,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) @@ -10842,6 +11156,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) @@ -10850,6 +11165,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.FileEvent) @@ -10905,6 +11221,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent) @@ -10913,6 +11230,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &pce.ProcessContext.Process.FileEvent) @@ -10939,6 +11257,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent) @@ -10947,6 +11266,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &pce.ProcessContext.Process.FileEvent) @@ -10973,6 +11293,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent) @@ -10981,6 +11302,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &pce.ProcessContext.Process.FileEvent) @@ -11008,6 +11330,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) @@ -11016,6 +11339,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.FileEvent) @@ -11071,6 +11395,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields)) @@ -11079,6 +11404,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &pce.ProcessContext.Process.FileEvent.FileFields)) @@ -11104,6 +11430,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.UID) @@ -11112,6 +11439,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.UID) @@ -11138,6 +11466,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields) @@ -11146,6 +11475,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &pce.ProcessContext.Process.FileEvent.FileFields) @@ -11333,6 +11663,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) @@ -11341,6 +11672,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) @@ -11367,6 +11699,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11375,6 +11708,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11400,6 +11734,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) @@ -11408,6 +11743,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) @@ -11434,6 +11770,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -11442,6 +11779,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -11468,6 +11806,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11476,6 +11815,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return nil } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11502,6 +11842,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, false) } result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -11510,6 +11851,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -11535,6 +11877,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -11543,6 +11886,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -11568,6 +11912,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) @@ -11576,6 +11921,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) @@ -11601,6 +11947,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) @@ -11609,6 +11956,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) @@ -11634,6 +11982,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -11642,6 +11991,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -11669,6 +12019,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11677,6 +12028,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11732,6 +12084,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11740,6 +12093,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11766,6 +12120,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11774,6 +12129,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11800,6 +12156,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11808,6 +12165,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11835,6 +12193,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11843,6 +12202,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -11898,6 +12258,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) @@ -11906,6 +12267,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) @@ -11931,6 +12293,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) @@ -11939,6 +12302,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) @@ -11965,6 +12329,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -11973,6 +12338,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -12566,6 +12932,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.CTime) @@ -12579,6 +12946,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Process.FileEvent) @@ -12592,6 +12960,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.GID) @@ -12605,6 +12974,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields) @@ -12618,6 +12988,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Process.FileEvent) @@ -12631,6 +13002,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields) @@ -12644,6 +13016,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.PathKey.Inode) @@ -12657,6 +13030,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.Mode) @@ -12670,6 +13044,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.MTime) @@ -12683,6 +13058,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.PathKey.MountID) @@ -12697,6 +13073,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.FileEvent) @@ -12721,6 +13098,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Process.FileEvent) @@ -12734,6 +13112,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Process.FileEvent) @@ -12747,6 +13126,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Process.FileEvent) @@ -12761,6 +13141,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.FileEvent) @@ -12785,6 +13166,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields)) @@ -12798,6 +13180,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.UID) @@ -12811,6 +13194,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields) @@ -12884,6 +13268,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.CTime) @@ -12897,6 +13282,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) @@ -12910,6 +13296,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.GID) @@ -12923,6 +13310,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields) @@ -12936,6 +13324,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) @@ -12949,6 +13338,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields) @@ -12962,6 +13352,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -12975,6 +13366,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.Mode) @@ -12988,6 +13380,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.MTime) @@ -13001,6 +13394,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -13015,6 +13409,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) @@ -13039,6 +13434,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) @@ -13052,6 +13448,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) @@ -13065,6 +13462,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) @@ -13079,6 +13477,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) @@ -13103,6 +13502,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields)) @@ -13116,6 +13516,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.UID) @@ -13129,6 +13530,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields) @@ -13172,6 +13574,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveProcessArgs(ev, ev.PTrace.Tracee.Parent) @@ -13185,6 +13588,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.PTrace.Tracee.Parent) @@ -13198,6 +13602,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.PTrace.Tracee.Parent) @@ -13211,6 +13616,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.PTrace.Tracee.Parent) @@ -13224,6 +13630,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessArgv(ev, ev.PTrace.Tracee.Parent) @@ -13237,6 +13644,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.PTrace.Tracee.Parent) @@ -13250,6 +13658,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.Credentials.AUID) @@ -13263,6 +13672,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.Credentials.CapEffective) @@ -13276,6 +13686,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.Credentials.CapPermitted) @@ -13289,6 +13700,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.CGroup.CGroupFile.Inode) @@ -13302,6 +13714,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.CGroup.CGroupFile.MountID) @@ -13315,6 +13728,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveCGroupID(ev, &ev.PTrace.Tracee.Parent.CGroup) @@ -13328,6 +13742,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.PTrace.Tracee.Parent.CGroup) @@ -13341,6 +13756,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return ev.FieldHandlers.ResolveCGroupVersion(ev, &ev.PTrace.Tracee.Parent.CGroup) @@ -13354,6 +13770,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.PTrace.Tracee.Parent.Comm @@ -13367,6 +13784,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveProcessContainerID(ev, ev.PTrace.Tracee.Parent) @@ -13380,6 +13798,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.PTrace.Tracee.Parent)) @@ -13393,6 +13812,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.Credentials.EGID) @@ -13406,6 +13826,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.PTrace.Tracee.Parent.Credentials.EGroup @@ -13419,6 +13840,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.PTrace.Tracee.Parent) @@ -13432,6 +13854,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.PTrace.Tracee.Parent) @@ -13445,6 +13868,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.PTrace.Tracee.Parent) @@ -13458,6 +13882,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.Credentials.EUID) @@ -13471,6 +13896,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.PTrace.Tracee.Parent.Credentials.EUser @@ -13484,9 +13910,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.CTime) @@ -13500,9 +13928,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Parent.FileEvent) @@ -13516,9 +13946,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.GID) @@ -13532,9 +13964,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields) @@ -13548,9 +13982,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Parent.FileEvent) @@ -13564,9 +14000,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields) @@ -13580,9 +14018,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.PathKey.Inode) @@ -13596,9 +14036,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.Mode) @@ -13612,9 +14054,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.MTime) @@ -13628,9 +14072,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.PathKey.MountID) @@ -13645,9 +14091,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.FileEvent) @@ -13672,9 +14120,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Parent.FileEvent) @@ -13688,9 +14138,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Parent.FileEvent) @@ -13704,9 +14156,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Parent.FileEvent) @@ -13721,9 +14175,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.FileEvent) @@ -13748,9 +14204,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields)) @@ -13764,9 +14222,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.UID) @@ -13780,9 +14240,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields) @@ -13796,6 +14258,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.Credentials.FSGID) @@ -13809,6 +14272,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.PTrace.Tracee.Parent.Credentials.FSGroup @@ -13822,6 +14286,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.Credentials.FSUID) @@ -13835,6 +14300,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.PTrace.Tracee.Parent.Credentials.FSUser @@ -13848,6 +14314,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.Credentials.GID) @@ -13861,6 +14328,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.PTrace.Tracee.Parent.Credentials.Group @@ -13874,9 +14342,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.CTime) @@ -13890,9 +14360,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) @@ -13906,9 +14378,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.GID) @@ -13922,9 +14396,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields) @@ -13938,9 +14414,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) @@ -13954,9 +14432,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields) @@ -13970,9 +14450,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -13986,9 +14468,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.Mode) @@ -14002,9 +14486,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.MTime) @@ -14018,9 +14504,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -14035,9 +14523,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) @@ -14062,9 +14552,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) @@ -14078,9 +14570,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) @@ -14094,9 +14588,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) @@ -14111,9 +14607,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) @@ -14138,9 +14636,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields)) @@ -14154,9 +14654,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.UID) @@ -14170,9 +14672,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.PTrace.Tracee.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields) @@ -14186,6 +14690,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.PTrace.Tracee.Parent.IsExec @@ -14199,6 +14704,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.PTrace.Tracee.Parent.PIDContext.IsKworker @@ -14212,6 +14718,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveProcessIsThread(ev, ev.PTrace.Tracee.Parent) @@ -14225,6 +14732,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.PIDContext.Pid) @@ -14238,6 +14746,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.PPid) @@ -14251,6 +14760,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.PIDContext.Tid) @@ -14264,6 +14774,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.PTrace.Tracee.Parent.TTYName @@ -14277,6 +14788,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.PTrace.Tracee.Parent.Credentials.UID) @@ -14290,6 +14802,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.PTrace.Tracee.Parent.Credentials.User @@ -14303,6 +14816,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.PTrace.Tracee.Parent.UserSession) @@ -14316,6 +14830,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveK8SUID(ev, &ev.PTrace.Tracee.Parent.UserSession) @@ -14329,6 +14844,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.PTrace.Tracee.Parent.UserSession) @@ -16414,6 +16930,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime) @@ -16422,6 +16939,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.CTime) @@ -16448,6 +16966,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent) @@ -16456,6 +16975,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &pce.ProcessContext.Process.FileEvent) @@ -16481,6 +17001,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.GID) @@ -16489,6 +17010,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.GID) @@ -16515,6 +17037,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields) @@ -16523,6 +17046,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &pce.ProcessContext.Process.FileEvent.FileFields) @@ -16549,6 +17073,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent) @@ -16557,6 +17082,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return nil } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &pce.ProcessContext.Process.FileEvent) @@ -16583,6 +17109,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, false) } result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields) @@ -16591,6 +17118,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &pce.ProcessContext.Process.FileEvent.FileFields) @@ -16616,6 +17144,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) @@ -16624,6 +17153,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) @@ -16649,6 +17179,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode) @@ -16657,6 +17188,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.Mode) @@ -16682,6 +17214,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime) @@ -16690,6 +17223,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.MTime) @@ -16715,6 +17249,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) @@ -16723,6 +17258,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) @@ -16750,6 +17286,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) @@ -16758,6 +17295,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.FileEvent) @@ -16813,6 +17351,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent) @@ -16821,6 +17360,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &pce.ProcessContext.Process.FileEvent) @@ -16847,6 +17387,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent) @@ -16855,6 +17396,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &pce.ProcessContext.Process.FileEvent) @@ -16881,6 +17423,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent) @@ -16889,6 +17432,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &pce.ProcessContext.Process.FileEvent) @@ -16916,6 +17460,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) @@ -16924,6 +17469,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.FileEvent) @@ -16979,6 +17525,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields)) @@ -16987,6 +17534,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &pce.ProcessContext.Process.FileEvent.FileFields)) @@ -17012,6 +17560,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.FileEvent.FileFields.UID) @@ -17020,6 +17569,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.FileEvent.FileFields.UID) @@ -17046,6 +17596,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields) @@ -17054,6 +17605,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &pce.ProcessContext.Process.FileEvent.FileFields) @@ -17241,6 +17793,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) @@ -17249,6 +17802,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) @@ -17275,6 +17829,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17283,6 +17838,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17308,6 +17864,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) @@ -17316,6 +17873,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) @@ -17342,6 +17900,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -17350,6 +17909,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -17376,6 +17936,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17384,6 +17945,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIteratorArray(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) []string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return nil } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17410,6 +17972,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, false) } result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -17418,6 +17981,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) bool { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -17443,6 +18007,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -17451,6 +18016,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -17476,6 +18042,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) @@ -17484,6 +18051,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) @@ -17509,6 +18077,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) @@ -17517,6 +18086,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) @@ -17542,6 +18112,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -17550,6 +18121,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -17577,6 +18149,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17585,6 +18158,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17640,6 +18214,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17648,6 +18223,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17674,6 +18250,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17682,6 +18259,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17708,6 +18286,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17716,6 +18295,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17743,6 +18323,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17751,6 +18332,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent) @@ -17806,6 +18388,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) @@ -17814,6 +18397,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) @@ -17839,6 +18423,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, 0) } result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) @@ -17847,6 +18432,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, nil, func(ev *Event, pce *ProcessCacheEntry) int { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) @@ -17873,6 +18459,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } element := value if !element.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return append(results, "") } result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -17881,6 +18468,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval } results = newAncestorsIterator(iterator, ctx, ev, func(ev *Event, pce *ProcessCacheEntry) string { if !pce.ProcessContext.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &pce.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) @@ -18474,6 +19062,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.FileEvent.FileFields.CTime) @@ -18487,6 +19076,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Process.FileEvent) @@ -18500,6 +19090,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.FileEvent.FileFields.GID) @@ -18513,6 +19104,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Process.FileEvent.FileFields) @@ -18526,6 +19118,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Process.FileEvent) @@ -18539,6 +19132,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Process.FileEvent.FileFields) @@ -18552,6 +19146,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.FileEvent.FileFields.PathKey.Inode) @@ -18565,6 +19160,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.FileEvent.FileFields.Mode) @@ -18578,6 +19174,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.FileEvent.FileFields.MTime) @@ -18591,6 +19188,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.FileEvent.FileFields.PathKey.MountID) @@ -18605,6 +19203,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.FileEvent) @@ -18629,6 +19228,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Process.FileEvent) @@ -18642,6 +19242,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Process.FileEvent) @@ -18655,6 +19256,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Process.FileEvent) @@ -18669,6 +19271,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.FileEvent) @@ -18693,6 +19296,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Process.FileEvent.FileFields)) @@ -18706,6 +19310,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.FileEvent.FileFields.UID) @@ -18719,6 +19324,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Process.FileEvent.FileFields) @@ -18792,6 +19398,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.CTime) @@ -18805,6 +19412,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) @@ -18818,6 +19426,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.GID) @@ -18831,6 +19440,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields) @@ -18844,6 +19454,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) @@ -18857,6 +19468,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields) @@ -18870,6 +19482,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -18883,6 +19496,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.Mode) @@ -18896,6 +19510,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.MTime) @@ -18909,6 +19524,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -18923,6 +19539,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) @@ -18947,6 +19564,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) @@ -18960,6 +19578,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) @@ -18973,6 +19592,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) @@ -18987,6 +19607,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) @@ -19011,6 +19632,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields)) @@ -19024,6 +19646,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.UID) @@ -19037,6 +19660,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields) @@ -19080,6 +19704,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Signal.Target.Parent) @@ -19093,6 +19718,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Signal.Target.Parent) @@ -19106,6 +19732,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Signal.Target.Parent) @@ -19119,6 +19746,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Signal.Target.Parent) @@ -19132,6 +19760,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Signal.Target.Parent) @@ -19145,6 +19774,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Signal.Target.Parent) @@ -19158,6 +19788,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.Credentials.AUID) @@ -19171,6 +19802,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.Credentials.CapEffective) @@ -19184,6 +19816,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.Credentials.CapPermitted) @@ -19197,6 +19830,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.CGroup.CGroupFile.Inode) @@ -19210,6 +19844,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.CGroup.CGroupFile.MountID) @@ -19223,6 +19858,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveCGroupID(ev, &ev.Signal.Target.Parent.CGroup) @@ -19236,6 +19872,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.Signal.Target.Parent.CGroup) @@ -19249,6 +19886,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return ev.FieldHandlers.ResolveCGroupVersion(ev, &ev.Signal.Target.Parent.CGroup) @@ -19262,6 +19900,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.Signal.Target.Parent.Comm @@ -19275,6 +19914,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveProcessContainerID(ev, ev.Signal.Target.Parent) @@ -19288,6 +19928,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Signal.Target.Parent)) @@ -19301,6 +19942,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.Credentials.EGID) @@ -19314,6 +19956,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.Signal.Target.Parent.Credentials.EGroup @@ -19327,6 +19970,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Signal.Target.Parent) @@ -19340,6 +19984,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Signal.Target.Parent) @@ -19353,6 +19998,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Signal.Target.Parent) @@ -19366,6 +20012,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.Credentials.EUID) @@ -19379,6 +20026,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.Signal.Target.Parent.Credentials.EUser @@ -19392,9 +20040,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.FileEvent.FileFields.CTime) @@ -19408,9 +20058,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Parent.FileEvent) @@ -19424,9 +20076,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.FileEvent.FileFields.GID) @@ -19440,9 +20094,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Parent.FileEvent.FileFields) @@ -19456,9 +20112,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Parent.FileEvent) @@ -19472,9 +20130,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Parent.FileEvent.FileFields) @@ -19488,9 +20148,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.FileEvent.FileFields.PathKey.Inode) @@ -19504,9 +20166,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.FileEvent.FileFields.Mode) @@ -19520,9 +20184,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.FileEvent.FileFields.MTime) @@ -19536,9 +20202,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.FileEvent.FileFields.PathKey.MountID) @@ -19553,9 +20221,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.FileEvent) @@ -19580,9 +20250,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Parent.FileEvent) @@ -19596,9 +20268,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Parent.FileEvent) @@ -19612,9 +20286,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Parent.FileEvent) @@ -19629,9 +20305,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.FileEvent) @@ -19656,9 +20334,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Parent.FileEvent.FileFields)) @@ -19672,9 +20352,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.FileEvent.FileFields.UID) @@ -19688,9 +20370,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.IsNotKworker() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Parent.FileEvent.FileFields) @@ -19704,6 +20388,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.Credentials.FSGID) @@ -19717,6 +20402,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.Signal.Target.Parent.Credentials.FSGroup @@ -19730,6 +20416,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.Credentials.FSUID) @@ -19743,6 +20430,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.Signal.Target.Parent.Credentials.FSUser @@ -19756,6 +20444,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.Credentials.GID) @@ -19769,6 +20458,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.Signal.Target.Parent.Credentials.Group @@ -19782,9 +20472,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.CTime) @@ -19798,9 +20490,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) @@ -19814,9 +20508,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.GID) @@ -19830,9 +20526,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields) @@ -19846,9 +20544,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) @@ -19862,9 +20562,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields) @@ -19878,9 +20580,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) @@ -19894,9 +20598,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.Mode) @@ -19910,9 +20616,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.MTime) @@ -19926,9 +20634,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) @@ -19943,9 +20653,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) @@ -19970,9 +20682,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) @@ -19986,9 +20700,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) @@ -20002,9 +20718,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) @@ -20019,9 +20737,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) @@ -20046,9 +20766,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields)) @@ -20062,9 +20784,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.UID) @@ -20078,9 +20802,11 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } if !ev.Signal.Target.Parent.HasInterpreter() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields) @@ -20094,6 +20820,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.Signal.Target.Parent.IsExec @@ -20107,6 +20834,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.Signal.Target.Parent.PIDContext.IsKworker @@ -20120,6 +20848,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return false } return ev.FieldHandlers.ResolveProcessIsThread(ev, ev.Signal.Target.Parent) @@ -20133,6 +20862,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.PIDContext.Pid) @@ -20146,6 +20876,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.PPid) @@ -20159,6 +20890,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.PIDContext.Tid) @@ -20172,6 +20904,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.Signal.Target.Parent.TTYName @@ -20185,6 +20918,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.Signal.Target.Parent.Credentials.UID) @@ -20198,6 +20932,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.Signal.Target.Parent.Credentials.User @@ -20211,6 +20946,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Signal.Target.Parent.UserSession) @@ -20224,6 +20960,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Signal.Target.Parent.UserSession) @@ -20237,6 +20974,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Signal.Target.Parent.UserSession) @@ -22514,6785 +23252,17 @@ func (ev *Event) GetFields() []eval.Field { } } func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) { - switch field { - case "accept.addr.family": - return int(ev.Accept.AddrFamily), nil - case "accept.addr.ip": - return ev.Accept.Addr.IPNet, nil - case "accept.addr.is_public": - return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.Accept.Addr), nil - case "accept.addr.port": - return int(ev.Accept.Addr.Port), nil - case "accept.retval": - return int(ev.Accept.SyscallEvent.Retval), nil - case "bind.addr.family": - return int(ev.Bind.AddrFamily), nil - case "bind.addr.ip": - return ev.Bind.Addr.IPNet, nil - case "bind.addr.is_public": - return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.Bind.Addr), nil - case "bind.addr.port": - return int(ev.Bind.Addr.Port), nil - case "bind.protocol": - return int(ev.Bind.Protocol), nil - case "bind.retval": - return int(ev.Bind.SyscallEvent.Retval), nil - case "bpf.cmd": - return int(ev.BPF.Cmd), nil - case "bpf.map.name": - return ev.BPF.Map.Name, nil - case "bpf.map.type": - return int(ev.BPF.Map.Type), nil - case "bpf.prog.attach_type": - return int(ev.BPF.Program.AttachType), nil - case "bpf.prog.helpers": - result := make([]int, len(ev.BPF.Program.Helpers)) - for i, v := range ev.BPF.Program.Helpers { - result[i] = int(v) - } - return result, nil - case "bpf.prog.name": - return ev.BPF.Program.Name, nil - case "bpf.prog.tag": - return ev.BPF.Program.Tag, nil - case "bpf.prog.type": - return int(ev.BPF.Program.Type), nil - case "bpf.retval": - return int(ev.BPF.SyscallEvent.Retval), nil - case "capset.cap_effective": - return int(ev.Capset.CapEffective), nil - case "capset.cap_permitted": - return int(ev.Capset.CapPermitted), nil - case "cgroup.file.inode": - return int(ev.CGroupContext.CGroupFile.Inode), nil - case "cgroup.file.mount_id": - return int(ev.CGroupContext.CGroupFile.MountID), nil - case "cgroup.id": - return ev.FieldHandlers.ResolveCGroupID(ev, &ev.CGroupContext), nil - case "cgroup.manager": - return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.CGroupContext), nil - case "cgroup.version": - return ev.FieldHandlers.ResolveCGroupVersion(ev, &ev.CGroupContext), nil - case "chdir.file.change_time": - return int(ev.Chdir.File.FileFields.CTime), nil - case "chdir.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chdir.File), nil - case "chdir.file.gid": - return int(ev.Chdir.File.FileFields.GID), nil - case "chdir.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chdir.File.FileFields), nil - case "chdir.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chdir.File), nil - case "chdir.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chdir.File.FileFields), nil - case "chdir.file.inode": - return int(ev.Chdir.File.FileFields.PathKey.Inode), nil - case "chdir.file.mode": - return int(ev.Chdir.File.FileFields.Mode), nil - case "chdir.file.modification_time": - return int(ev.Chdir.File.FileFields.MTime), nil - case "chdir.file.mount_id": - return int(ev.Chdir.File.FileFields.PathKey.MountID), nil - case "chdir.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chdir.File), nil - case "chdir.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chdir.File), nil - case "chdir.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chdir.File), nil - case "chdir.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chdir.File), nil - case "chdir.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chdir.File), nil - case "chdir.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chdir.File), nil - case "chdir.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chdir.File), nil - case "chdir.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Chdir.File.FileFields)), nil - case "chdir.file.uid": - return int(ev.Chdir.File.FileFields.UID), nil - case "chdir.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chdir.File.FileFields), nil - case "chdir.retval": - return int(ev.Chdir.SyscallEvent.Retval), nil - case "chdir.syscall.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Chdir.SyscallContext), nil - case "chmod.file.change_time": - return int(ev.Chmod.File.FileFields.CTime), nil - case "chmod.file.destination.mode": - return int(ev.Chmod.Mode), nil - case "chmod.file.destination.rights": - return int(ev.Chmod.Mode), nil - case "chmod.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chmod.File), nil - case "chmod.file.gid": - return int(ev.Chmod.File.FileFields.GID), nil - case "chmod.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chmod.File.FileFields), nil - case "chmod.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chmod.File), nil - case "chmod.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chmod.File.FileFields), nil - case "chmod.file.inode": - return int(ev.Chmod.File.FileFields.PathKey.Inode), nil - case "chmod.file.mode": - return int(ev.Chmod.File.FileFields.Mode), nil - case "chmod.file.modification_time": - return int(ev.Chmod.File.FileFields.MTime), nil - case "chmod.file.mount_id": - return int(ev.Chmod.File.FileFields.PathKey.MountID), nil - case "chmod.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chmod.File), nil - case "chmod.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chmod.File), nil - case "chmod.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chmod.File), nil - case "chmod.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chmod.File), nil - case "chmod.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chmod.File), nil - case "chmod.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chmod.File), nil - case "chmod.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chmod.File), nil - case "chmod.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Chmod.File.FileFields)), nil - case "chmod.file.uid": - return int(ev.Chmod.File.FileFields.UID), nil - case "chmod.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chmod.File.FileFields), nil - case "chmod.retval": - return int(ev.Chmod.SyscallEvent.Retval), nil - case "chmod.syscall.mode": - return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt2(ev, &ev.Chmod.SyscallContext)), nil - case "chmod.syscall.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Chmod.SyscallContext), nil - case "chown.file.change_time": - return int(ev.Chown.File.FileFields.CTime), nil - case "chown.file.destination.gid": - return int(ev.Chown.GID), nil - case "chown.file.destination.group": - return ev.FieldHandlers.ResolveChownGID(ev, &ev.Chown), nil - case "chown.file.destination.uid": - return int(ev.Chown.UID), nil - case "chown.file.destination.user": - return ev.FieldHandlers.ResolveChownUID(ev, &ev.Chown), nil - case "chown.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chown.File), nil - case "chown.file.gid": - return int(ev.Chown.File.FileFields.GID), nil - case "chown.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chown.File.FileFields), nil - case "chown.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chown.File), nil - case "chown.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chown.File.FileFields), nil - case "chown.file.inode": - return int(ev.Chown.File.FileFields.PathKey.Inode), nil - case "chown.file.mode": - return int(ev.Chown.File.FileFields.Mode), nil - case "chown.file.modification_time": - return int(ev.Chown.File.FileFields.MTime), nil - case "chown.file.mount_id": - return int(ev.Chown.File.FileFields.PathKey.MountID), nil - case "chown.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chown.File), nil - case "chown.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chown.File), nil - case "chown.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chown.File), nil - case "chown.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chown.File), nil - case "chown.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chown.File), nil - case "chown.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chown.File), nil - case "chown.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chown.File), nil - case "chown.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Chown.File.FileFields)), nil - case "chown.file.uid": - return int(ev.Chown.File.FileFields.UID), nil - case "chown.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chown.File.FileFields), nil - case "chown.retval": - return int(ev.Chown.SyscallEvent.Retval), nil - case "chown.syscall.gid": - return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt3(ev, &ev.Chown.SyscallContext)), nil - case "chown.syscall.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Chown.SyscallContext), nil - case "chown.syscall.uid": - return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt2(ev, &ev.Chown.SyscallContext)), nil - case "connect.addr.family": - return int(ev.Connect.AddrFamily), nil - case "connect.addr.ip": - return ev.Connect.Addr.IPNet, nil - case "connect.addr.is_public": - return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.Connect.Addr), nil - case "connect.addr.port": - return int(ev.Connect.Addr.Port), nil - case "connect.protocol": - return int(ev.Connect.Protocol), nil - case "connect.retval": - return int(ev.Connect.SyscallEvent.Retval), nil - case "container.created_at": - return int(ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.BaseEvent.ContainerContext)), nil - case "container.id": - return ev.FieldHandlers.ResolveContainerID(ev, ev.BaseEvent.ContainerContext), nil - case "container.runtime": - return ev.FieldHandlers.ResolveContainerRuntime(ev, ev.BaseEvent.ContainerContext), nil - case "container.tags": - return ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext), nil - case "dns.id": - return int(ev.DNS.ID), nil - case "dns.question.class": - return int(ev.DNS.Class), nil - case "dns.question.count": - return int(ev.DNS.Count), nil - case "dns.question.length": - return int(ev.DNS.Size), nil - case "dns.question.name": - return ev.DNS.Name, nil - case "dns.question.name.length": - return len(ev.DNS.Name), nil - case "dns.question.type": - return int(ev.DNS.Type), nil - case "event.async": - return ev.FieldHandlers.ResolveAsync(ev), nil - case "event.hostname": - return ev.FieldHandlers.ResolveHostname(ev, &ev.BaseEvent), nil - case "event.origin": - return ev.BaseEvent.Origin, nil - case "event.os": - return ev.BaseEvent.Os, nil - case "event.service": - return ev.FieldHandlers.ResolveService(ev, &ev.BaseEvent), nil - case "event.timestamp": - return int(ev.FieldHandlers.ResolveEventTimestamp(ev, &ev.BaseEvent)), nil - case "exec.args": - return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Exec.Process), nil - case "exec.args_flags": - return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Exec.Process), nil - case "exec.args_options": - return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Exec.Process), nil - case "exec.args_truncated": - return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Exec.Process), nil - case "exec.argv": - return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Exec.Process), nil - case "exec.argv0": - return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Exec.Process), nil - case "exec.auid": - return int(ev.Exec.Process.Credentials.AUID), nil - case "exec.cap_effective": - return int(ev.Exec.Process.Credentials.CapEffective), nil - case "exec.cap_permitted": - return int(ev.Exec.Process.Credentials.CapPermitted), nil - case "exec.cgroup.file.inode": - return int(ev.Exec.Process.CGroup.CGroupFile.Inode), nil - case "exec.cgroup.file.mount_id": - return int(ev.Exec.Process.CGroup.CGroupFile.MountID), nil - case "exec.cgroup.id": - return ev.FieldHandlers.ResolveCGroupID(ev, &ev.Exec.Process.CGroup), nil - case "exec.cgroup.manager": - return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.Exec.Process.CGroup), nil - case "exec.cgroup.version": - return ev.FieldHandlers.ResolveCGroupVersion(ev, &ev.Exec.Process.CGroup), nil - case "exec.comm": - return ev.Exec.Process.Comm, nil - case "exec.container.id": - return ev.FieldHandlers.ResolveProcessContainerID(ev, ev.Exec.Process), nil - case "exec.created_at": - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exec.Process)), nil - case "exec.egid": - return int(ev.Exec.Process.Credentials.EGID), nil - case "exec.egroup": - return ev.Exec.Process.Credentials.EGroup, nil - case "exec.envp": - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process), nil - case "exec.envs": - return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process), nil - case "exec.envs_truncated": - return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Exec.Process), nil - case "exec.euid": - return int(ev.Exec.Process.Credentials.EUID), nil - case "exec.euser": - return ev.Exec.Process.Credentials.EUser, nil - case "exec.file.change_time": - if !ev.Exec.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.FileEvent.FileFields.CTime), nil - case "exec.file.filesystem": - if !ev.Exec.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.gid": - if !ev.Exec.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.FileEvent.FileFields.GID), nil - case "exec.file.group": - if !ev.Exec.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exec.Process.FileEvent.FileFields), nil - case "exec.file.hashes": - if !ev.Exec.Process.IsNotKworker() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.in_upper_layer": - if !ev.Exec.Process.IsNotKworker() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exec.Process.FileEvent.FileFields), nil - case "exec.file.inode": - if !ev.Exec.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.FileEvent.FileFields.PathKey.Inode), nil - case "exec.file.mode": - if !ev.Exec.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.FileEvent.FileFields.Mode), nil - case "exec.file.modification_time": - if !ev.Exec.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.FileEvent.FileFields.MTime), nil - case "exec.file.mount_id": - if !ev.Exec.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.FileEvent.FileFields.PathKey.MountID), nil - case "exec.file.name": - if !ev.Exec.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.package.name": - if !ev.Exec.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.package.source_version": - if !ev.Exec.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.package.version": - if !ev.Exec.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.path": - if !ev.Exec.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.rights": - if !ev.Exec.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exec.Process.FileEvent.FileFields)), nil - case "exec.file.uid": - if !ev.Exec.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.FileEvent.FileFields.UID), nil - case "exec.file.user": - if !ev.Exec.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exec.Process.FileEvent.FileFields), nil - case "exec.fsgid": - return int(ev.Exec.Process.Credentials.FSGID), nil - case "exec.fsgroup": - return ev.Exec.Process.Credentials.FSGroup, nil - case "exec.fsuid": - return int(ev.Exec.Process.Credentials.FSUID), nil - case "exec.fsuser": - return ev.Exec.Process.Credentials.FSUser, nil - case "exec.gid": - return int(ev.Exec.Process.Credentials.GID), nil - case "exec.group": - return ev.Exec.Process.Credentials.Group, nil - case "exec.interpreter.file.change_time": - if !ev.Exec.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.CTime), nil - case "exec.interpreter.file.filesystem": - if !ev.Exec.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil - case "exec.interpreter.file.gid": - if !ev.Exec.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.GID), nil - case "exec.interpreter.file.group": - if !ev.Exec.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields), nil - case "exec.interpreter.file.hashes": - if !ev.Exec.Process.HasInterpreter() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil - case "exec.interpreter.file.in_upper_layer": - if !ev.Exec.Process.HasInterpreter() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields), nil - case "exec.interpreter.file.inode": - if !ev.Exec.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil - case "exec.interpreter.file.mode": - if !ev.Exec.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.Mode), nil - case "exec.interpreter.file.modification_time": - if !ev.Exec.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.MTime), nil - case "exec.interpreter.file.mount_id": - if !ev.Exec.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil - case "exec.interpreter.file.name": - if !ev.Exec.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil - case "exec.interpreter.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil - case "exec.interpreter.file.package.name": - if !ev.Exec.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil - case "exec.interpreter.file.package.source_version": - if !ev.Exec.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil - case "exec.interpreter.file.package.version": - if !ev.Exec.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil - case "exec.interpreter.file.path": - if !ev.Exec.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil - case "exec.interpreter.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil - case "exec.interpreter.file.rights": - if !ev.Exec.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields)), nil - case "exec.interpreter.file.uid": - if !ev.Exec.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.UID), nil - case "exec.interpreter.file.user": - if !ev.Exec.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields), nil - case "exec.is_exec": - return ev.Exec.Process.IsExec, nil - case "exec.is_kworker": - return ev.Exec.Process.PIDContext.IsKworker, nil - case "exec.is_thread": - return ev.FieldHandlers.ResolveProcessIsThread(ev, ev.Exec.Process), nil - case "exec.pid": - return int(ev.Exec.Process.PIDContext.Pid), nil - case "exec.ppid": - return int(ev.Exec.Process.PPid), nil - case "exec.syscall.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Exec.SyscallContext), nil - case "exec.tid": - return int(ev.Exec.Process.PIDContext.Tid), nil - case "exec.tty_name": - return ev.Exec.Process.TTYName, nil - case "exec.uid": - return int(ev.Exec.Process.Credentials.UID), nil - case "exec.user": - return ev.Exec.Process.Credentials.User, nil - case "exec.user_session.k8s_groups": - return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Exec.Process.UserSession), nil - case "exec.user_session.k8s_uid": - return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Exec.Process.UserSession), nil - case "exec.user_session.k8s_username": - return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Exec.Process.UserSession), nil - case "exit.args": - return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Exit.Process), nil - case "exit.args_flags": - return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Exit.Process), nil - case "exit.args_options": - return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Exit.Process), nil - case "exit.args_truncated": - return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Exit.Process), nil - case "exit.argv": - return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Exit.Process), nil - case "exit.argv0": - return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Exit.Process), nil - case "exit.auid": - return int(ev.Exit.Process.Credentials.AUID), nil - case "exit.cap_effective": - return int(ev.Exit.Process.Credentials.CapEffective), nil - case "exit.cap_permitted": - return int(ev.Exit.Process.Credentials.CapPermitted), nil - case "exit.cause": - return int(ev.Exit.Cause), nil - case "exit.cgroup.file.inode": - return int(ev.Exit.Process.CGroup.CGroupFile.Inode), nil - case "exit.cgroup.file.mount_id": - return int(ev.Exit.Process.CGroup.CGroupFile.MountID), nil - case "exit.cgroup.id": - return ev.FieldHandlers.ResolveCGroupID(ev, &ev.Exit.Process.CGroup), nil - case "exit.cgroup.manager": - return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.Exit.Process.CGroup), nil - case "exit.cgroup.version": - return ev.FieldHandlers.ResolveCGroupVersion(ev, &ev.Exit.Process.CGroup), nil - case "exit.code": - return int(ev.Exit.Code), nil - case "exit.comm": - return ev.Exit.Process.Comm, nil - case "exit.container.id": - return ev.FieldHandlers.ResolveProcessContainerID(ev, ev.Exit.Process), nil - case "exit.created_at": - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exit.Process)), nil - case "exit.egid": - return int(ev.Exit.Process.Credentials.EGID), nil - case "exit.egroup": - return ev.Exit.Process.Credentials.EGroup, nil - case "exit.envp": - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process), nil - case "exit.envs": - return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process), nil - case "exit.envs_truncated": - return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Exit.Process), nil - case "exit.euid": - return int(ev.Exit.Process.Credentials.EUID), nil - case "exit.euser": - return ev.Exit.Process.Credentials.EUser, nil - case "exit.file.change_time": - if !ev.Exit.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.FileEvent.FileFields.CTime), nil - case "exit.file.filesystem": - if !ev.Exit.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.gid": - if !ev.Exit.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.FileEvent.FileFields.GID), nil - case "exit.file.group": - if !ev.Exit.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exit.Process.FileEvent.FileFields), nil - case "exit.file.hashes": - if !ev.Exit.Process.IsNotKworker() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.in_upper_layer": - if !ev.Exit.Process.IsNotKworker() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exit.Process.FileEvent.FileFields), nil - case "exit.file.inode": - if !ev.Exit.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.FileEvent.FileFields.PathKey.Inode), nil - case "exit.file.mode": - if !ev.Exit.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.FileEvent.FileFields.Mode), nil - case "exit.file.modification_time": - if !ev.Exit.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.FileEvent.FileFields.MTime), nil - case "exit.file.mount_id": - if !ev.Exit.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.FileEvent.FileFields.PathKey.MountID), nil - case "exit.file.name": - if !ev.Exit.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.package.name": - if !ev.Exit.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.package.source_version": - if !ev.Exit.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.package.version": - if !ev.Exit.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.path": - if !ev.Exit.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.rights": - if !ev.Exit.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exit.Process.FileEvent.FileFields)), nil - case "exit.file.uid": - if !ev.Exit.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.FileEvent.FileFields.UID), nil - case "exit.file.user": - if !ev.Exit.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exit.Process.FileEvent.FileFields), nil - case "exit.fsgid": - return int(ev.Exit.Process.Credentials.FSGID), nil - case "exit.fsgroup": - return ev.Exit.Process.Credentials.FSGroup, nil - case "exit.fsuid": - return int(ev.Exit.Process.Credentials.FSUID), nil - case "exit.fsuser": - return ev.Exit.Process.Credentials.FSUser, nil - case "exit.gid": - return int(ev.Exit.Process.Credentials.GID), nil - case "exit.group": - return ev.Exit.Process.Credentials.Group, nil - case "exit.interpreter.file.change_time": - if !ev.Exit.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.CTime), nil - case "exit.interpreter.file.filesystem": - if !ev.Exit.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil - case "exit.interpreter.file.gid": - if !ev.Exit.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.GID), nil - case "exit.interpreter.file.group": - if !ev.Exit.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields), nil - case "exit.interpreter.file.hashes": - if !ev.Exit.Process.HasInterpreter() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil - case "exit.interpreter.file.in_upper_layer": - if !ev.Exit.Process.HasInterpreter() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields), nil - case "exit.interpreter.file.inode": - if !ev.Exit.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil - case "exit.interpreter.file.mode": - if !ev.Exit.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.Mode), nil - case "exit.interpreter.file.modification_time": - if !ev.Exit.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.MTime), nil - case "exit.interpreter.file.mount_id": - if !ev.Exit.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil - case "exit.interpreter.file.name": - if !ev.Exit.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil - case "exit.interpreter.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil - case "exit.interpreter.file.package.name": - if !ev.Exit.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil - case "exit.interpreter.file.package.source_version": - if !ev.Exit.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil - case "exit.interpreter.file.package.version": - if !ev.Exit.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil - case "exit.interpreter.file.path": - if !ev.Exit.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil - case "exit.interpreter.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil - case "exit.interpreter.file.rights": - if !ev.Exit.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields)), nil - case "exit.interpreter.file.uid": - if !ev.Exit.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.UID), nil - case "exit.interpreter.file.user": - if !ev.Exit.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields), nil - case "exit.is_exec": - return ev.Exit.Process.IsExec, nil - case "exit.is_kworker": - return ev.Exit.Process.PIDContext.IsKworker, nil - case "exit.is_thread": - return ev.FieldHandlers.ResolveProcessIsThread(ev, ev.Exit.Process), nil - case "exit.pid": - return int(ev.Exit.Process.PIDContext.Pid), nil - case "exit.ppid": - return int(ev.Exit.Process.PPid), nil - case "exit.tid": - return int(ev.Exit.Process.PIDContext.Tid), nil - case "exit.tty_name": - return ev.Exit.Process.TTYName, nil - case "exit.uid": - return int(ev.Exit.Process.Credentials.UID), nil - case "exit.user": - return ev.Exit.Process.Credentials.User, nil - case "exit.user_session.k8s_groups": - return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Exit.Process.UserSession), nil - case "exit.user_session.k8s_uid": - return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Exit.Process.UserSession), nil - case "exit.user_session.k8s_username": - return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Exit.Process.UserSession), nil - case "imds.aws.is_imds_v2": - return ev.IMDS.AWS.IsIMDSv2, nil - case "imds.aws.security_credentials.type": - return ev.IMDS.AWS.SecurityCredentials.Type, nil - case "imds.cloud_provider": - return ev.IMDS.CloudProvider, nil - case "imds.host": - return ev.IMDS.Host, nil - case "imds.server": - return ev.IMDS.Server, nil - case "imds.type": - return ev.IMDS.Type, nil - case "imds.url": - return ev.IMDS.URL, nil - case "imds.user_agent": - return ev.IMDS.UserAgent, nil - case "link.file.change_time": - return int(ev.Link.Source.FileFields.CTime), nil - case "link.file.destination.change_time": - return int(ev.Link.Target.FileFields.CTime), nil - case "link.file.destination.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Link.Target), nil - case "link.file.destination.gid": - return int(ev.Link.Target.FileFields.GID), nil - case "link.file.destination.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Link.Target.FileFields), nil - case "link.file.destination.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Link.Target), nil - case "link.file.destination.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Link.Target.FileFields), nil - case "link.file.destination.inode": - return int(ev.Link.Target.FileFields.PathKey.Inode), nil - case "link.file.destination.mode": - return int(ev.Link.Target.FileFields.Mode), nil - case "link.file.destination.modification_time": - return int(ev.Link.Target.FileFields.MTime), nil - case "link.file.destination.mount_id": - return int(ev.Link.Target.FileFields.PathKey.MountID), nil - case "link.file.destination.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Target), nil - case "link.file.destination.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Target), nil - case "link.file.destination.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Link.Target), nil - case "link.file.destination.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Link.Target), nil - case "link.file.destination.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Link.Target), nil - case "link.file.destination.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Target), nil - case "link.file.destination.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Target), nil - case "link.file.destination.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Link.Target.FileFields)), nil - case "link.file.destination.uid": - return int(ev.Link.Target.FileFields.UID), nil - case "link.file.destination.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Link.Target.FileFields), nil - case "link.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Link.Source), nil - case "link.file.gid": - return int(ev.Link.Source.FileFields.GID), nil - case "link.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Link.Source.FileFields), nil - case "link.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Link.Source), nil - case "link.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Link.Source.FileFields), nil - case "link.file.inode": - return int(ev.Link.Source.FileFields.PathKey.Inode), nil - case "link.file.mode": - return int(ev.Link.Source.FileFields.Mode), nil - case "link.file.modification_time": - return int(ev.Link.Source.FileFields.MTime), nil - case "link.file.mount_id": - return int(ev.Link.Source.FileFields.PathKey.MountID), nil - case "link.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Source), nil - case "link.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Source), nil - case "link.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Link.Source), nil - case "link.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Link.Source), nil - case "link.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Link.Source), nil - case "link.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Source), nil - case "link.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Source), nil - case "link.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Link.Source.FileFields)), nil - case "link.file.uid": - return int(ev.Link.Source.FileFields.UID), nil - case "link.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Link.Source.FileFields), nil - case "link.retval": - return int(ev.Link.SyscallEvent.Retval), nil - case "link.syscall.destination.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr2(ev, &ev.Link.SyscallContext), nil - case "link.syscall.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Link.SyscallContext), nil - case "load_module.args": - return ev.FieldHandlers.ResolveModuleArgs(ev, &ev.LoadModule), nil - case "load_module.args_truncated": - return ev.LoadModule.ArgsTruncated, nil - case "load_module.argv": - return ev.FieldHandlers.ResolveModuleArgv(ev, &ev.LoadModule), nil - case "load_module.file.change_time": - return int(ev.LoadModule.File.FileFields.CTime), nil - case "load_module.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.LoadModule.File), nil - case "load_module.file.gid": - return int(ev.LoadModule.File.FileFields.GID), nil - case "load_module.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.LoadModule.File.FileFields), nil - case "load_module.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.LoadModule.File), nil - case "load_module.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.LoadModule.File.FileFields), nil - case "load_module.file.inode": - return int(ev.LoadModule.File.FileFields.PathKey.Inode), nil - case "load_module.file.mode": - return int(ev.LoadModule.File.FileFields.Mode), nil - case "load_module.file.modification_time": - return int(ev.LoadModule.File.FileFields.MTime), nil - case "load_module.file.mount_id": - return int(ev.LoadModule.File.FileFields.PathKey.MountID), nil - case "load_module.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.LoadModule.File), nil - case "load_module.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.LoadModule.File), nil - case "load_module.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.LoadModule.File), nil - case "load_module.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.LoadModule.File), nil - case "load_module.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.LoadModule.File), nil - case "load_module.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.LoadModule.File), nil - case "load_module.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.LoadModule.File), nil - case "load_module.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.LoadModule.File.FileFields)), nil - case "load_module.file.uid": - return int(ev.LoadModule.File.FileFields.UID), nil - case "load_module.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.LoadModule.File.FileFields), nil - case "load_module.loaded_from_memory": - return ev.LoadModule.LoadedFromMemory, nil - case "load_module.name": - return ev.LoadModule.Name, nil - case "load_module.retval": - return int(ev.LoadModule.SyscallEvent.Retval), nil - case "mkdir.file.change_time": - return int(ev.Mkdir.File.FileFields.CTime), nil - case "mkdir.file.destination.mode": - return int(ev.Mkdir.Mode), nil - case "mkdir.file.destination.rights": - return int(ev.Mkdir.Mode), nil - case "mkdir.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Mkdir.File), nil - case "mkdir.file.gid": - return int(ev.Mkdir.File.FileFields.GID), nil - case "mkdir.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Mkdir.File.FileFields), nil - case "mkdir.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Mkdir.File), nil - case "mkdir.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Mkdir.File.FileFields), nil - case "mkdir.file.inode": - return int(ev.Mkdir.File.FileFields.PathKey.Inode), nil - case "mkdir.file.mode": - return int(ev.Mkdir.File.FileFields.Mode), nil - case "mkdir.file.modification_time": - return int(ev.Mkdir.File.FileFields.MTime), nil - case "mkdir.file.mount_id": - return int(ev.Mkdir.File.FileFields.PathKey.MountID), nil - case "mkdir.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Mkdir.File), nil - case "mkdir.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Mkdir.File), nil - case "mkdir.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Mkdir.File), nil - case "mkdir.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Mkdir.File), nil - case "mkdir.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Mkdir.File), nil - case "mkdir.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Mkdir.File), nil - case "mkdir.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Mkdir.File), nil - case "mkdir.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Mkdir.File.FileFields)), nil - case "mkdir.file.uid": - return int(ev.Mkdir.File.FileFields.UID), nil - case "mkdir.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Mkdir.File.FileFields), nil - case "mkdir.retval": - return int(ev.Mkdir.SyscallEvent.Retval), nil - case "mkdir.syscall.mode": - return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt2(ev, &ev.Mkdir.SyscallContext)), nil - case "mkdir.syscall.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Mkdir.SyscallContext), nil - case "mmap.file.change_time": - return int(ev.MMap.File.FileFields.CTime), nil - case "mmap.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.MMap.File), nil - case "mmap.file.gid": - return int(ev.MMap.File.FileFields.GID), nil - case "mmap.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.MMap.File.FileFields), nil - case "mmap.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.MMap.File), nil - case "mmap.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.MMap.File.FileFields), nil - case "mmap.file.inode": - return int(ev.MMap.File.FileFields.PathKey.Inode), nil - case "mmap.file.mode": - return int(ev.MMap.File.FileFields.Mode), nil - case "mmap.file.modification_time": - return int(ev.MMap.File.FileFields.MTime), nil - case "mmap.file.mount_id": - return int(ev.MMap.File.FileFields.PathKey.MountID), nil - case "mmap.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.MMap.File), nil - case "mmap.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.MMap.File), nil - case "mmap.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.MMap.File), nil - case "mmap.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.MMap.File), nil - case "mmap.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.MMap.File), nil - case "mmap.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.MMap.File), nil - case "mmap.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.MMap.File), nil - case "mmap.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.MMap.File.FileFields)), nil - case "mmap.file.uid": - return int(ev.MMap.File.FileFields.UID), nil - case "mmap.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.MMap.File.FileFields), nil - case "mmap.flags": - return int(ev.MMap.Flags), nil - case "mmap.protection": - return int(ev.MMap.Protection), nil - case "mmap.retval": - return int(ev.MMap.SyscallEvent.Retval), nil - case "mount.fs_type": - return ev.Mount.Mount.FSType, nil - case "mount.mountpoint.path": - return ev.FieldHandlers.ResolveMountPointPath(ev, &ev.Mount), nil - case "mount.retval": - return int(ev.Mount.SyscallEvent.Retval), nil - case "mount.root.path": - return ev.FieldHandlers.ResolveMountRootPath(ev, &ev.Mount), nil - case "mount.source.path": - return ev.FieldHandlers.ResolveMountSourcePath(ev, &ev.Mount), nil - case "mount.syscall.fs_type": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr3(ev, &ev.Mount.SyscallContext), nil - case "mount.syscall.mountpoint.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr2(ev, &ev.Mount.SyscallContext), nil - case "mount.syscall.source.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Mount.SyscallContext), nil - case "mprotect.req_protection": - return ev.MProtect.ReqProtection, nil - case "mprotect.retval": - return int(ev.MProtect.SyscallEvent.Retval), nil - case "mprotect.vm_protection": - return ev.MProtect.VMProtection, nil - case "network.destination.ip": - return ev.NetworkContext.Destination.IPNet, nil - case "network.destination.is_public": - return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.NetworkContext.Destination), nil - case "network.destination.port": - return int(ev.NetworkContext.Destination.Port), nil - case "network.device.ifname": - return ev.FieldHandlers.ResolveNetworkDeviceIfName(ev, &ev.NetworkContext.Device), nil - case "network.l3_protocol": - return int(ev.NetworkContext.L3Protocol), nil - case "network.l4_protocol": - return int(ev.NetworkContext.L4Protocol), nil - case "network.size": - return int(ev.NetworkContext.Size), nil - case "network.source.ip": - return ev.NetworkContext.Source.IPNet, nil - case "network.source.is_public": - return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.NetworkContext.Source), nil - case "network.source.port": - return int(ev.NetworkContext.Source.Port), nil - case "ondemand.arg1.str": - return ev.FieldHandlers.ResolveOnDemandArg1Str(ev, &ev.OnDemand), nil - case "ondemand.arg1.uint": - return int(ev.FieldHandlers.ResolveOnDemandArg1Uint(ev, &ev.OnDemand)), nil - case "ondemand.arg2.str": - return ev.FieldHandlers.ResolveOnDemandArg2Str(ev, &ev.OnDemand), nil - case "ondemand.arg2.uint": - return int(ev.FieldHandlers.ResolveOnDemandArg2Uint(ev, &ev.OnDemand)), nil - case "ondemand.arg3.str": - return ev.FieldHandlers.ResolveOnDemandArg3Str(ev, &ev.OnDemand), nil - case "ondemand.arg3.uint": - return int(ev.FieldHandlers.ResolveOnDemandArg3Uint(ev, &ev.OnDemand)), nil - case "ondemand.arg4.str": - return ev.FieldHandlers.ResolveOnDemandArg4Str(ev, &ev.OnDemand), nil - case "ondemand.arg4.uint": - return int(ev.FieldHandlers.ResolveOnDemandArg4Uint(ev, &ev.OnDemand)), nil - case "ondemand.name": - return ev.FieldHandlers.ResolveOnDemandName(ev, &ev.OnDemand), nil - case "open.file.change_time": - return int(ev.Open.File.FileFields.CTime), nil - case "open.file.destination.mode": - return int(ev.Open.Mode), nil - case "open.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Open.File), nil - case "open.file.gid": - return int(ev.Open.File.FileFields.GID), nil - case "open.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Open.File.FileFields), nil - case "open.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Open.File), nil - case "open.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Open.File.FileFields), nil - case "open.file.inode": - return int(ev.Open.File.FileFields.PathKey.Inode), nil - case "open.file.mode": - return int(ev.Open.File.FileFields.Mode), nil - case "open.file.modification_time": - return int(ev.Open.File.FileFields.MTime), nil - case "open.file.mount_id": - return int(ev.Open.File.FileFields.PathKey.MountID), nil - case "open.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Open.File), nil - case "open.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Open.File), nil - case "open.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Open.File), nil - case "open.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Open.File), nil - case "open.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Open.File), nil - case "open.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Open.File), nil - case "open.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Open.File), nil - case "open.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Open.File.FileFields)), nil - case "open.file.uid": - return int(ev.Open.File.FileFields.UID), nil - case "open.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Open.File.FileFields), nil - case "open.flags": - return int(ev.Open.Flags), nil - case "open.retval": - return int(ev.Open.SyscallEvent.Retval), nil - case "open.syscall.flags": - return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt2(ev, &ev.Open.SyscallContext)), nil - case "open.syscall.mode": - return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt3(ev, &ev.Open.SyscallContext)), nil - case "open.syscall.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Open.SyscallContext), nil - case "packet.destination.ip": - return ev.RawPacket.NetworkContext.Destination.IPNet, nil - case "packet.destination.is_public": - return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.RawPacket.NetworkContext.Destination), nil - case "packet.destination.port": - return int(ev.RawPacket.NetworkContext.Destination.Port), nil - case "packet.device.ifname": - return ev.FieldHandlers.ResolveNetworkDeviceIfName(ev, &ev.RawPacket.NetworkContext.Device), nil - case "packet.filter": - return ev.RawPacket.Filter, nil - case "packet.l3_protocol": - return int(ev.RawPacket.NetworkContext.L3Protocol), nil - case "packet.l4_protocol": - return int(ev.RawPacket.NetworkContext.L4Protocol), nil - case "packet.size": - return int(ev.RawPacket.NetworkContext.Size), nil - case "packet.source.ip": - return ev.RawPacket.NetworkContext.Source.IPNet, nil - case "packet.source.is_public": - return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.RawPacket.NetworkContext.Source), nil - case "packet.source.port": - return int(ev.RawPacket.NetworkContext.Source.Port), nil - case "packet.tls.version": - return int(ev.RawPacket.TLSContext.Version), nil - case "process.ancestors.args": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.args_flags": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.args_options": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.args_truncated": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.argv": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.argv0": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.auid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.AUID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.cap_effective": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.CapEffective) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.cap_permitted": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.CapPermitted) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.cgroup.file.inode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.CGroup.CGroupFile.Inode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.cgroup.file.mount_id": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.CGroup.CGroupFile.MountID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.cgroup.id": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveCGroupID(ev, &element.ProcessContext.Process.CGroup) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.cgroup.manager": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveCGroupManager(ev, &element.ProcessContext.Process.CGroup) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.cgroup.version": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveCGroupVersion(ev, &element.ProcessContext.Process.CGroup) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.comm": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Comm - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.container.id": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessContainerID(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.created_at": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process)) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.egid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.EGID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.egroup": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.EGroup - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.envp": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.envs": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.envs_truncated": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.euid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.EUID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.euser": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.EUser - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.change_time": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.filesystem": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.gid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.GID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.group": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.hashes": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.in_upper_layer": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.inode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.mode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.modification_time": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.mount_id": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent), nil - case "process.ancestors.file.package.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.package.source_version": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.package.version": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.path": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent), nil - case "process.ancestors.file.rights": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields)) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.uid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.UID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.user": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.fsgid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.FSGID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.fsgroup": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.FSGroup - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.fsuid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.FSUID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.fsuser": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.FSUser - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.gid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.GID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.group": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.Group - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.change_time": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.filesystem": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.gid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.group": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.hashes": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.in_upper_layer": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.inode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.mode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.modification_time": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.mount_id": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "process.ancestors.interpreter.file.package.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.package.source_version": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.package.version": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.path": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "process.ancestors.interpreter.file.rights": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.uid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.interpreter.file.user": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.is_exec": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.IsExec - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.is_kworker": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.PIDContext.IsKworker - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.is_thread": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessIsThread(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.length": - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - return iterator.Len(ctx), nil - case "process.ancestors.pid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.PIDContext.Pid) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.ppid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.PPid) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.tid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.PIDContext.Tid) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.tty_name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.TTYName - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.uid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.UID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.user": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.User - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.user_session.k8s_groups": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.user_session.k8s_uid": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.user_session.k8s_username": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.args": - return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.args_flags": - return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.args_options": - return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.args_truncated": - return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.argv": - return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.argv0": - return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.auid": - return int(ev.BaseEvent.ProcessContext.Process.Credentials.AUID), nil - case "process.cap_effective": - return int(ev.BaseEvent.ProcessContext.Process.Credentials.CapEffective), nil - case "process.cap_permitted": - return int(ev.BaseEvent.ProcessContext.Process.Credentials.CapPermitted), nil - case "process.cgroup.file.inode": - return int(ev.BaseEvent.ProcessContext.Process.CGroup.CGroupFile.Inode), nil - case "process.cgroup.file.mount_id": - return int(ev.BaseEvent.ProcessContext.Process.CGroup.CGroupFile.MountID), nil - case "process.cgroup.id": - return ev.FieldHandlers.ResolveCGroupID(ev, &ev.BaseEvent.ProcessContext.Process.CGroup), nil - case "process.cgroup.manager": - return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.BaseEvent.ProcessContext.Process.CGroup), nil - case "process.cgroup.version": - return ev.FieldHandlers.ResolveCGroupVersion(ev, &ev.BaseEvent.ProcessContext.Process.CGroup), nil - case "process.comm": - return ev.BaseEvent.ProcessContext.Process.Comm, nil - case "process.container.id": - return ev.FieldHandlers.ResolveProcessContainerID(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.created_at": - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.BaseEvent.ProcessContext.Process)), nil - case "process.egid": - return int(ev.BaseEvent.ProcessContext.Process.Credentials.EGID), nil - case "process.egroup": - return ev.BaseEvent.ProcessContext.Process.Credentials.EGroup, nil - case "process.envp": - return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.envs": - return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.envs_truncated": - return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.euid": - return int(ev.BaseEvent.ProcessContext.Process.Credentials.EUID), nil - case "process.euser": - return ev.BaseEvent.ProcessContext.Process.Credentials.EUser, nil - case "process.file.change_time": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.CTime), nil - case "process.file.filesystem": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.gid": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.GID), nil - case "process.file.group": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields), nil - case "process.file.hashes": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.in_upper_layer": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields), nil - case "process.file.inode": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode), nil - case "process.file.mode": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.Mode), nil - case "process.file.modification_time": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.MTime), nil - case "process.file.mount_id": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID), nil - case "process.file.name": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.package.name": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.package.source_version": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.package.version": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.path": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.rights": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields)), nil - case "process.file.uid": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.UID), nil - case "process.file.user": - if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields), nil - case "process.fsgid": - return int(ev.BaseEvent.ProcessContext.Process.Credentials.FSGID), nil - case "process.fsgroup": - return ev.BaseEvent.ProcessContext.Process.Credentials.FSGroup, nil - case "process.fsuid": - return int(ev.BaseEvent.ProcessContext.Process.Credentials.FSUID), nil - case "process.fsuser": - return ev.BaseEvent.ProcessContext.Process.Credentials.FSUser, nil - case "process.gid": - return int(ev.BaseEvent.ProcessContext.Process.Credentials.GID), nil - case "process.group": - return ev.BaseEvent.ProcessContext.Process.Credentials.Group, nil - case "process.interpreter.file.change_time": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime), nil - case "process.interpreter.file.filesystem": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "process.interpreter.file.gid": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID), nil - case "process.interpreter.file.group": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields), nil - case "process.interpreter.file.hashes": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "process.interpreter.file.in_upper_layer": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields), nil - case "process.interpreter.file.inode": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil - case "process.interpreter.file.mode": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode), nil - case "process.interpreter.file.modification_time": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime), nil - case "process.interpreter.file.mount_id": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil - case "process.interpreter.file.name": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "process.interpreter.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "process.interpreter.file.package.name": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "process.interpreter.file.package.source_version": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "process.interpreter.file.package.version": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "process.interpreter.file.path": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "process.interpreter.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "process.interpreter.file.rights": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)), nil - case "process.interpreter.file.uid": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID), nil - case "process.interpreter.file.user": - if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields), nil - case "process.is_exec": - return ev.BaseEvent.ProcessContext.Process.IsExec, nil - case "process.is_kworker": - return ev.BaseEvent.ProcessContext.Process.PIDContext.IsKworker, nil - case "process.is_thread": - return ev.FieldHandlers.ResolveProcessIsThread(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.parent.args": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgs(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.args_flags": - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.args_options": - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.args_truncated": - if !ev.BaseEvent.ProcessContext.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.argv": - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgv(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.argv0": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.auid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.Credentials.AUID), nil - case "process.parent.cap_effective": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.Credentials.CapEffective), nil - case "process.parent.cap_permitted": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.Credentials.CapPermitted), nil - case "process.parent.cgroup.file.inode": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.CGroup.CGroupFile.Inode), nil - case "process.parent.cgroup.file.mount_id": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.CGroup.CGroupFile.MountID), nil - case "process.parent.cgroup.id": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveCGroupID(ev, &ev.BaseEvent.ProcessContext.Parent.CGroup), nil - case "process.parent.cgroup.manager": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.BaseEvent.ProcessContext.Parent.CGroup), nil - case "process.parent.cgroup.version": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveCGroupVersion(ev, &ev.BaseEvent.ProcessContext.Parent.CGroup), nil - case "process.parent.comm": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.Comm, nil - case "process.parent.container.id": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessContainerID(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.created_at": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.BaseEvent.ProcessContext.Parent)), nil - case "process.parent.egid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.Credentials.EGID), nil - case "process.parent.egroup": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.Credentials.EGroup, nil - case "process.parent.envp": - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.envs": - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.envs_truncated": - if !ev.BaseEvent.ProcessContext.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.euid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.Credentials.EUID), nil - case "process.parent.euser": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.Credentials.EUser, nil - case "process.parent.file.change_time": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.CTime), nil - case "process.parent.file.filesystem": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.gid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.GID), nil - case "process.parent.file.group": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields), nil - case "process.parent.file.hashes": - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.in_upper_layer": - if !ev.BaseEvent.ProcessContext.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields), nil - case "process.parent.file.inode": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.PathKey.Inode), nil - case "process.parent.file.mode": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.Mode), nil - case "process.parent.file.modification_time": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.MTime), nil - case "process.parent.file.mount_id": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.PathKey.MountID), nil - case "process.parent.file.name": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.package.name": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.package.source_version": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.package.version": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.path": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.rights": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields)), nil - case "process.parent.file.uid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.UID), nil - case "process.parent.file.user": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields), nil - case "process.parent.fsgid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.Credentials.FSGID), nil - case "process.parent.fsgroup": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.Credentials.FSGroup, nil - case "process.parent.fsuid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.Credentials.FSUID), nil - case "process.parent.fsuser": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.Credentials.FSUser, nil - case "process.parent.gid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.Credentials.GID), nil - case "process.parent.group": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.Credentials.Group, nil - case "process.parent.interpreter.file.change_time": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.CTime), nil - case "process.parent.interpreter.file.filesystem": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil - case "process.parent.interpreter.file.gid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.GID), nil - case "process.parent.interpreter.file.group": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields), nil - case "process.parent.interpreter.file.hashes": - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil - case "process.parent.interpreter.file.in_upper_layer": - if !ev.BaseEvent.ProcessContext.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields), nil - case "process.parent.interpreter.file.inode": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil - case "process.parent.interpreter.file.mode": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.Mode), nil - case "process.parent.interpreter.file.modification_time": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.MTime), nil - case "process.parent.interpreter.file.mount_id": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil - case "process.parent.interpreter.file.name": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil - case "process.parent.interpreter.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil - case "process.parent.interpreter.file.package.name": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil - case "process.parent.interpreter.file.package.source_version": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil - case "process.parent.interpreter.file.package.version": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil - case "process.parent.interpreter.file.path": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil - case "process.parent.interpreter.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil - case "process.parent.interpreter.file.rights": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields)), nil - case "process.parent.interpreter.file.uid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.UID), nil - case "process.parent.interpreter.file.user": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields), nil - case "process.parent.is_exec": - if !ev.BaseEvent.ProcessContext.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.IsExec, nil - case "process.parent.is_kworker": - if !ev.BaseEvent.ProcessContext.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.PIDContext.IsKworker, nil - case "process.parent.is_thread": - if !ev.BaseEvent.ProcessContext.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessIsThread(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.pid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid), nil - case "process.parent.ppid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.PPid), nil - case "process.parent.tid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Tid), nil - case "process.parent.tty_name": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.TTYName, nil - case "process.parent.uid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.Credentials.UID), nil - case "process.parent.user": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.Credentials.User, nil - case "process.parent.user_session.k8s_groups": - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession), nil - case "process.parent.user_session.k8s_uid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveK8SUID(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession), nil - case "process.parent.user_session.k8s_username": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession), nil - case "process.pid": - return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Pid), nil - case "process.ppid": - return int(ev.BaseEvent.ProcessContext.Process.PPid), nil - case "process.tid": - return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Tid), nil - case "process.tty_name": - return ev.BaseEvent.ProcessContext.Process.TTYName, nil - case "process.uid": - return int(ev.BaseEvent.ProcessContext.Process.Credentials.UID), nil - case "process.user": - return ev.BaseEvent.ProcessContext.Process.Credentials.User, nil - case "process.user_session.k8s_groups": - return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.BaseEvent.ProcessContext.Process.UserSession), nil - case "process.user_session.k8s_uid": - return ev.FieldHandlers.ResolveK8SUID(ev, &ev.BaseEvent.ProcessContext.Process.UserSession), nil - case "process.user_session.k8s_username": - return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.BaseEvent.ProcessContext.Process.UserSession), nil - case "ptrace.request": - return int(ev.PTrace.Request), nil - case "ptrace.retval": - return int(ev.PTrace.SyscallEvent.Retval), nil - case "ptrace.tracee.ancestors.args": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.args_flags": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.args_options": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.args_truncated": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.argv": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.argv0": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.auid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.AUID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.cap_effective": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.CapEffective) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.cap_permitted": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.CapPermitted) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.cgroup.file.inode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.CGroup.CGroupFile.Inode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.cgroup.file.mount_id": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.CGroup.CGroupFile.MountID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.cgroup.id": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveCGroupID(ev, &element.ProcessContext.Process.CGroup) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.cgroup.manager": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveCGroupManager(ev, &element.ProcessContext.Process.CGroup) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.cgroup.version": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveCGroupVersion(ev, &element.ProcessContext.Process.CGroup) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.comm": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Comm - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.container.id": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessContainerID(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.created_at": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process)) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.egid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.EGID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.egroup": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.EGroup - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.envp": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.envs": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.envs_truncated": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.euid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.EUID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.euser": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.EUser - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.change_time": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.filesystem": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.gid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.GID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.group": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.hashes": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.in_upper_layer": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.inode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.mode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.modification_time": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.mount_id": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent), nil - case "ptrace.tracee.ancestors.file.package.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.package.source_version": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.package.version": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.path": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent), nil - case "ptrace.tracee.ancestors.file.rights": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields)) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.uid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.UID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.file.user": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.fsgid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.FSGID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.fsgroup": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.FSGroup - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.fsuid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.FSUID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.fsuser": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.FSUser - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.gid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.GID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.group": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.Group - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.change_time": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.filesystem": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.gid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.group": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.hashes": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.in_upper_layer": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.inode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.mode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.modification_time": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.mount_id": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.ancestors.interpreter.file.package.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.package.source_version": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.package.version": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.path": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.ancestors.interpreter.file.rights": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.uid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.interpreter.file.user": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.is_exec": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.IsExec - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.is_kworker": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.PIDContext.IsKworker - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.is_thread": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessIsThread(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.length": - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - return iterator.Len(ctx), nil - case "ptrace.tracee.ancestors.pid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.PIDContext.Pid) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.ppid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.PPid) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.tid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.PIDContext.Tid) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.tty_name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.TTYName - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.uid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.UID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.user": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.User - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.user_session.k8s_groups": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.user_session.k8s_uid": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.ancestors.user_session.k8s_username": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "ptrace.tracee.args": - return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.PTrace.Tracee.Process), nil - case "ptrace.tracee.args_flags": - return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.PTrace.Tracee.Process), nil - case "ptrace.tracee.args_options": - return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.PTrace.Tracee.Process), nil - case "ptrace.tracee.args_truncated": - return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.PTrace.Tracee.Process), nil - case "ptrace.tracee.argv": - return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.PTrace.Tracee.Process), nil - case "ptrace.tracee.argv0": - return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.PTrace.Tracee.Process), nil - case "ptrace.tracee.auid": - return int(ev.PTrace.Tracee.Process.Credentials.AUID), nil - case "ptrace.tracee.cap_effective": - return int(ev.PTrace.Tracee.Process.Credentials.CapEffective), nil - case "ptrace.tracee.cap_permitted": - return int(ev.PTrace.Tracee.Process.Credentials.CapPermitted), nil - case "ptrace.tracee.cgroup.file.inode": - return int(ev.PTrace.Tracee.Process.CGroup.CGroupFile.Inode), nil - case "ptrace.tracee.cgroup.file.mount_id": - return int(ev.PTrace.Tracee.Process.CGroup.CGroupFile.MountID), nil - case "ptrace.tracee.cgroup.id": - return ev.FieldHandlers.ResolveCGroupID(ev, &ev.PTrace.Tracee.Process.CGroup), nil - case "ptrace.tracee.cgroup.manager": - return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.PTrace.Tracee.Process.CGroup), nil - case "ptrace.tracee.cgroup.version": - return ev.FieldHandlers.ResolveCGroupVersion(ev, &ev.PTrace.Tracee.Process.CGroup), nil - case "ptrace.tracee.comm": - return ev.PTrace.Tracee.Process.Comm, nil - case "ptrace.tracee.container.id": - return ev.FieldHandlers.ResolveProcessContainerID(ev, &ev.PTrace.Tracee.Process), nil - case "ptrace.tracee.created_at": - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.PTrace.Tracee.Process)), nil - case "ptrace.tracee.egid": - return int(ev.PTrace.Tracee.Process.Credentials.EGID), nil - case "ptrace.tracee.egroup": - return ev.PTrace.Tracee.Process.Credentials.EGroup, nil - case "ptrace.tracee.envp": - return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.PTrace.Tracee.Process), nil - case "ptrace.tracee.envs": - return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.PTrace.Tracee.Process), nil - case "ptrace.tracee.envs_truncated": - return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.PTrace.Tracee.Process), nil - case "ptrace.tracee.euid": - return int(ev.PTrace.Tracee.Process.Credentials.EUID), nil - case "ptrace.tracee.euser": - return ev.PTrace.Tracee.Process.Credentials.EUser, nil - case "ptrace.tracee.file.change_time": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.CTime), nil - case "ptrace.tracee.file.filesystem": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Process.FileEvent), nil - case "ptrace.tracee.file.gid": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.GID), nil - case "ptrace.tracee.file.group": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields), nil - case "ptrace.tracee.file.hashes": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Process.FileEvent), nil - case "ptrace.tracee.file.in_upper_layer": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields), nil - case "ptrace.tracee.file.inode": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.PathKey.Inode), nil - case "ptrace.tracee.file.mode": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.Mode), nil - case "ptrace.tracee.file.modification_time": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.MTime), nil - case "ptrace.tracee.file.mount_id": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.PathKey.MountID), nil - case "ptrace.tracee.file.name": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.FileEvent), nil - case "ptrace.tracee.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.FileEvent), nil - case "ptrace.tracee.file.package.name": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Process.FileEvent), nil - case "ptrace.tracee.file.package.source_version": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Process.FileEvent), nil - case "ptrace.tracee.file.package.version": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Process.FileEvent), nil - case "ptrace.tracee.file.path": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.FileEvent), nil - case "ptrace.tracee.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.FileEvent), nil - case "ptrace.tracee.file.rights": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields)), nil - case "ptrace.tracee.file.uid": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.UID), nil - case "ptrace.tracee.file.user": - if !ev.PTrace.Tracee.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields), nil - case "ptrace.tracee.fsgid": - return int(ev.PTrace.Tracee.Process.Credentials.FSGID), nil - case "ptrace.tracee.fsgroup": - return ev.PTrace.Tracee.Process.Credentials.FSGroup, nil - case "ptrace.tracee.fsuid": - return int(ev.PTrace.Tracee.Process.Credentials.FSUID), nil - case "ptrace.tracee.fsuser": - return ev.PTrace.Tracee.Process.Credentials.FSUser, nil - case "ptrace.tracee.gid": - return int(ev.PTrace.Tracee.Process.Credentials.GID), nil - case "ptrace.tracee.group": - return ev.PTrace.Tracee.Process.Credentials.Group, nil - case "ptrace.tracee.interpreter.file.change_time": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.CTime), nil - case "ptrace.tracee.interpreter.file.filesystem": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.interpreter.file.gid": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.GID), nil - case "ptrace.tracee.interpreter.file.group": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields), nil - case "ptrace.tracee.interpreter.file.hashes": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.interpreter.file.in_upper_layer": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields), nil - case "ptrace.tracee.interpreter.file.inode": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil - case "ptrace.tracee.interpreter.file.mode": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.Mode), nil - case "ptrace.tracee.interpreter.file.modification_time": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.MTime), nil - case "ptrace.tracee.interpreter.file.mount_id": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil - case "ptrace.tracee.interpreter.file.name": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.interpreter.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.interpreter.file.package.name": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.interpreter.file.package.source_version": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.interpreter.file.package.version": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.interpreter.file.path": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.interpreter.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.interpreter.file.rights": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields)), nil - case "ptrace.tracee.interpreter.file.uid": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.UID), nil - case "ptrace.tracee.interpreter.file.user": - if !ev.PTrace.Tracee.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields), nil - case "ptrace.tracee.is_exec": - return ev.PTrace.Tracee.Process.IsExec, nil - case "ptrace.tracee.is_kworker": - return ev.PTrace.Tracee.Process.PIDContext.IsKworker, nil - case "ptrace.tracee.is_thread": - return ev.FieldHandlers.ResolveProcessIsThread(ev, &ev.PTrace.Tracee.Process), nil - case "ptrace.tracee.parent.args": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgs(ev, ev.PTrace.Tracee.Parent), nil - case "ptrace.tracee.parent.args_flags": - if !ev.PTrace.Tracee.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.PTrace.Tracee.Parent), nil - case "ptrace.tracee.parent.args_options": - if !ev.PTrace.Tracee.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.PTrace.Tracee.Parent), nil - case "ptrace.tracee.parent.args_truncated": - if !ev.PTrace.Tracee.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.PTrace.Tracee.Parent), nil - case "ptrace.tracee.parent.argv": - if !ev.PTrace.Tracee.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgv(ev, ev.PTrace.Tracee.Parent), nil - case "ptrace.tracee.parent.argv0": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.PTrace.Tracee.Parent), nil - case "ptrace.tracee.parent.auid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.Credentials.AUID), nil - case "ptrace.tracee.parent.cap_effective": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.Credentials.CapEffective), nil - case "ptrace.tracee.parent.cap_permitted": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.Credentials.CapPermitted), nil - case "ptrace.tracee.parent.cgroup.file.inode": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.CGroup.CGroupFile.Inode), nil - case "ptrace.tracee.parent.cgroup.file.mount_id": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.CGroup.CGroupFile.MountID), nil - case "ptrace.tracee.parent.cgroup.id": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveCGroupID(ev, &ev.PTrace.Tracee.Parent.CGroup), nil - case "ptrace.tracee.parent.cgroup.manager": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.PTrace.Tracee.Parent.CGroup), nil - case "ptrace.tracee.parent.cgroup.version": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveCGroupVersion(ev, &ev.PTrace.Tracee.Parent.CGroup), nil - case "ptrace.tracee.parent.comm": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.PTrace.Tracee.Parent.Comm, nil - case "ptrace.tracee.parent.container.id": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessContainerID(ev, ev.PTrace.Tracee.Parent), nil - case "ptrace.tracee.parent.created_at": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.PTrace.Tracee.Parent)), nil - case "ptrace.tracee.parent.egid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.Credentials.EGID), nil - case "ptrace.tracee.parent.egroup": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.PTrace.Tracee.Parent.Credentials.EGroup, nil - case "ptrace.tracee.parent.envp": - if !ev.PTrace.Tracee.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.PTrace.Tracee.Parent), nil - case "ptrace.tracee.parent.envs": - if !ev.PTrace.Tracee.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.PTrace.Tracee.Parent), nil - case "ptrace.tracee.parent.envs_truncated": - if !ev.PTrace.Tracee.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.PTrace.Tracee.Parent), nil - case "ptrace.tracee.parent.euid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.Credentials.EUID), nil - case "ptrace.tracee.parent.euser": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.PTrace.Tracee.Parent.Credentials.EUser, nil - case "ptrace.tracee.parent.file.change_time": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.CTime), nil - case "ptrace.tracee.parent.file.filesystem": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil - case "ptrace.tracee.parent.file.gid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.GID), nil - case "ptrace.tracee.parent.file.group": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields), nil - case "ptrace.tracee.parent.file.hashes": - if !ev.PTrace.Tracee.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil - case "ptrace.tracee.parent.file.in_upper_layer": - if !ev.PTrace.Tracee.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields), nil - case "ptrace.tracee.parent.file.inode": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.PathKey.Inode), nil - case "ptrace.tracee.parent.file.mode": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.Mode), nil - case "ptrace.tracee.parent.file.modification_time": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.MTime), nil - case "ptrace.tracee.parent.file.mount_id": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.PathKey.MountID), nil - case "ptrace.tracee.parent.file.name": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil - case "ptrace.tracee.parent.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil - case "ptrace.tracee.parent.file.package.name": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil - case "ptrace.tracee.parent.file.package.source_version": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil - case "ptrace.tracee.parent.file.package.version": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil - case "ptrace.tracee.parent.file.path": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil - case "ptrace.tracee.parent.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil - case "ptrace.tracee.parent.file.rights": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields)), nil - case "ptrace.tracee.parent.file.uid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.UID), nil - case "ptrace.tracee.parent.file.user": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields), nil - case "ptrace.tracee.parent.fsgid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.Credentials.FSGID), nil - case "ptrace.tracee.parent.fsgroup": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.PTrace.Tracee.Parent.Credentials.FSGroup, nil - case "ptrace.tracee.parent.fsuid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.Credentials.FSUID), nil - case "ptrace.tracee.parent.fsuser": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.PTrace.Tracee.Parent.Credentials.FSUser, nil - case "ptrace.tracee.parent.gid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.Credentials.GID), nil - case "ptrace.tracee.parent.group": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.PTrace.Tracee.Parent.Credentials.Group, nil - case "ptrace.tracee.parent.interpreter.file.change_time": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.CTime), nil - case "ptrace.tracee.parent.interpreter.file.filesystem": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.parent.interpreter.file.gid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.GID), nil - case "ptrace.tracee.parent.interpreter.file.group": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields), nil - case "ptrace.tracee.parent.interpreter.file.hashes": - if !ev.PTrace.Tracee.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.parent.interpreter.file.in_upper_layer": - if !ev.PTrace.Tracee.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields), nil - case "ptrace.tracee.parent.interpreter.file.inode": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil - case "ptrace.tracee.parent.interpreter.file.mode": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.Mode), nil - case "ptrace.tracee.parent.interpreter.file.modification_time": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.MTime), nil - case "ptrace.tracee.parent.interpreter.file.mount_id": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil - case "ptrace.tracee.parent.interpreter.file.name": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.parent.interpreter.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.parent.interpreter.file.package.name": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.parent.interpreter.file.package.source_version": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.parent.interpreter.file.package.version": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.parent.interpreter.file.path": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.parent.interpreter.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil - case "ptrace.tracee.parent.interpreter.file.rights": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields)), nil - case "ptrace.tracee.parent.interpreter.file.uid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.UID), nil - case "ptrace.tracee.parent.interpreter.file.user": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.PTrace.Tracee.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields), nil - case "ptrace.tracee.parent.is_exec": - if !ev.PTrace.Tracee.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.PTrace.Tracee.Parent.IsExec, nil - case "ptrace.tracee.parent.is_kworker": - if !ev.PTrace.Tracee.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.PTrace.Tracee.Parent.PIDContext.IsKworker, nil - case "ptrace.tracee.parent.is_thread": - if !ev.PTrace.Tracee.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessIsThread(ev, ev.PTrace.Tracee.Parent), nil - case "ptrace.tracee.parent.pid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.PIDContext.Pid), nil - case "ptrace.tracee.parent.ppid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.PPid), nil - case "ptrace.tracee.parent.tid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.PIDContext.Tid), nil - case "ptrace.tracee.parent.tty_name": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.PTrace.Tracee.Parent.TTYName, nil - case "ptrace.tracee.parent.uid": - if !ev.PTrace.Tracee.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.PTrace.Tracee.Parent.Credentials.UID), nil - case "ptrace.tracee.parent.user": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.PTrace.Tracee.Parent.Credentials.User, nil - case "ptrace.tracee.parent.user_session.k8s_groups": - if !ev.PTrace.Tracee.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.PTrace.Tracee.Parent.UserSession), nil - case "ptrace.tracee.parent.user_session.k8s_uid": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveK8SUID(ev, &ev.PTrace.Tracee.Parent.UserSession), nil - case "ptrace.tracee.parent.user_session.k8s_username": - if !ev.PTrace.Tracee.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.PTrace.Tracee.Parent.UserSession), nil - case "ptrace.tracee.pid": - return int(ev.PTrace.Tracee.Process.PIDContext.Pid), nil - case "ptrace.tracee.ppid": - return int(ev.PTrace.Tracee.Process.PPid), nil - case "ptrace.tracee.tid": - return int(ev.PTrace.Tracee.Process.PIDContext.Tid), nil - case "ptrace.tracee.tty_name": - return ev.PTrace.Tracee.Process.TTYName, nil - case "ptrace.tracee.uid": - return int(ev.PTrace.Tracee.Process.Credentials.UID), nil - case "ptrace.tracee.user": - return ev.PTrace.Tracee.Process.Credentials.User, nil - case "ptrace.tracee.user_session.k8s_groups": - return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.PTrace.Tracee.Process.UserSession), nil - case "ptrace.tracee.user_session.k8s_uid": - return ev.FieldHandlers.ResolveK8SUID(ev, &ev.PTrace.Tracee.Process.UserSession), nil - case "ptrace.tracee.user_session.k8s_username": - return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.PTrace.Tracee.Process.UserSession), nil - case "removexattr.file.change_time": - return int(ev.RemoveXAttr.File.FileFields.CTime), nil - case "removexattr.file.destination.name": - return ev.FieldHandlers.ResolveXAttrName(ev, &ev.RemoveXAttr), nil - case "removexattr.file.destination.namespace": - return ev.FieldHandlers.ResolveXAttrNamespace(ev, &ev.RemoveXAttr), nil - case "removexattr.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.RemoveXAttr.File), nil - case "removexattr.file.gid": - return int(ev.RemoveXAttr.File.FileFields.GID), nil - case "removexattr.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.RemoveXAttr.File.FileFields), nil - case "removexattr.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.RemoveXAttr.File), nil - case "removexattr.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.RemoveXAttr.File.FileFields), nil - case "removexattr.file.inode": - return int(ev.RemoveXAttr.File.FileFields.PathKey.Inode), nil - case "removexattr.file.mode": - return int(ev.RemoveXAttr.File.FileFields.Mode), nil - case "removexattr.file.modification_time": - return int(ev.RemoveXAttr.File.FileFields.MTime), nil - case "removexattr.file.mount_id": - return int(ev.RemoveXAttr.File.FileFields.PathKey.MountID), nil - case "removexattr.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.RemoveXAttr.File), nil - case "removexattr.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.RemoveXAttr.File), nil - case "removexattr.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.RemoveXAttr.File), nil - case "removexattr.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.RemoveXAttr.File), nil - case "removexattr.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.RemoveXAttr.File), nil - case "removexattr.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.RemoveXAttr.File), nil - case "removexattr.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.RemoveXAttr.File), nil - case "removexattr.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.RemoveXAttr.File.FileFields)), nil - case "removexattr.file.uid": - return int(ev.RemoveXAttr.File.FileFields.UID), nil - case "removexattr.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.RemoveXAttr.File.FileFields), nil - case "removexattr.retval": - return int(ev.RemoveXAttr.SyscallEvent.Retval), nil - case "rename.file.change_time": - return int(ev.Rename.Old.FileFields.CTime), nil - case "rename.file.destination.change_time": - return int(ev.Rename.New.FileFields.CTime), nil - case "rename.file.destination.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rename.New), nil - case "rename.file.destination.gid": - return int(ev.Rename.New.FileFields.GID), nil - case "rename.file.destination.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rename.New.FileFields), nil - case "rename.file.destination.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rename.New), nil - case "rename.file.destination.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rename.New.FileFields), nil - case "rename.file.destination.inode": - return int(ev.Rename.New.FileFields.PathKey.Inode), nil - case "rename.file.destination.mode": - return int(ev.Rename.New.FileFields.Mode), nil - case "rename.file.destination.modification_time": - return int(ev.Rename.New.FileFields.MTime), nil - case "rename.file.destination.mount_id": - return int(ev.Rename.New.FileFields.PathKey.MountID), nil - case "rename.file.destination.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.New), nil - case "rename.file.destination.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.New), nil - case "rename.file.destination.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rename.New), nil - case "rename.file.destination.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rename.New), nil - case "rename.file.destination.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rename.New), nil - case "rename.file.destination.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.New), nil - case "rename.file.destination.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.New), nil - case "rename.file.destination.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Rename.New.FileFields)), nil - case "rename.file.destination.uid": - return int(ev.Rename.New.FileFields.UID), nil - case "rename.file.destination.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rename.New.FileFields), nil - case "rename.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rename.Old), nil - case "rename.file.gid": - return int(ev.Rename.Old.FileFields.GID), nil - case "rename.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rename.Old.FileFields), nil - case "rename.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rename.Old), nil - case "rename.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rename.Old.FileFields), nil - case "rename.file.inode": - return int(ev.Rename.Old.FileFields.PathKey.Inode), nil - case "rename.file.mode": - return int(ev.Rename.Old.FileFields.Mode), nil - case "rename.file.modification_time": - return int(ev.Rename.Old.FileFields.MTime), nil - case "rename.file.mount_id": - return int(ev.Rename.Old.FileFields.PathKey.MountID), nil - case "rename.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.Old), nil - case "rename.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.Old), nil - case "rename.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rename.Old), nil - case "rename.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rename.Old), nil - case "rename.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rename.Old), nil - case "rename.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.Old), nil - case "rename.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.Old), nil - case "rename.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Rename.Old.FileFields)), nil - case "rename.file.uid": - return int(ev.Rename.Old.FileFields.UID), nil - case "rename.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rename.Old.FileFields), nil - case "rename.retval": - return int(ev.Rename.SyscallEvent.Retval), nil - case "rename.syscall.destination.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr2(ev, &ev.Rename.SyscallContext), nil - case "rename.syscall.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Rename.SyscallContext), nil - case "rmdir.file.change_time": - return int(ev.Rmdir.File.FileFields.CTime), nil - case "rmdir.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rmdir.File), nil - case "rmdir.file.gid": - return int(ev.Rmdir.File.FileFields.GID), nil - case "rmdir.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rmdir.File.FileFields), nil - case "rmdir.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rmdir.File), nil - case "rmdir.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rmdir.File.FileFields), nil - case "rmdir.file.inode": - return int(ev.Rmdir.File.FileFields.PathKey.Inode), nil - case "rmdir.file.mode": - return int(ev.Rmdir.File.FileFields.Mode), nil - case "rmdir.file.modification_time": - return int(ev.Rmdir.File.FileFields.MTime), nil - case "rmdir.file.mount_id": - return int(ev.Rmdir.File.FileFields.PathKey.MountID), nil - case "rmdir.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rmdir.File), nil - case "rmdir.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rmdir.File), nil - case "rmdir.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rmdir.File), nil - case "rmdir.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rmdir.File), nil - case "rmdir.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rmdir.File), nil - case "rmdir.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rmdir.File), nil - case "rmdir.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rmdir.File), nil - case "rmdir.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Rmdir.File.FileFields)), nil - case "rmdir.file.uid": - return int(ev.Rmdir.File.FileFields.UID), nil - case "rmdir.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rmdir.File.FileFields), nil - case "rmdir.retval": - return int(ev.Rmdir.SyscallEvent.Retval), nil - case "rmdir.syscall.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Rmdir.SyscallContext), nil - case "selinux.bool.name": - return ev.FieldHandlers.ResolveSELinuxBoolName(ev, &ev.SELinux), nil - case "selinux.bool.state": - return ev.SELinux.BoolChangeValue, nil - case "selinux.bool_commit.state": - return ev.SELinux.BoolCommitValue, nil - case "selinux.enforce.status": - return ev.SELinux.EnforceStatus, nil - case "setgid.egid": - return int(ev.SetGID.EGID), nil - case "setgid.egroup": - return ev.FieldHandlers.ResolveSetgidEGroup(ev, &ev.SetGID), nil - case "setgid.fsgid": - return int(ev.SetGID.FSGID), nil - case "setgid.fsgroup": - return ev.FieldHandlers.ResolveSetgidFSGroup(ev, &ev.SetGID), nil - case "setgid.gid": - return int(ev.SetGID.GID), nil - case "setgid.group": - return ev.FieldHandlers.ResolveSetgidGroup(ev, &ev.SetGID), nil - case "setuid.euid": - return int(ev.SetUID.EUID), nil - case "setuid.euser": - return ev.FieldHandlers.ResolveSetuidEUser(ev, &ev.SetUID), nil - case "setuid.fsuid": - return int(ev.SetUID.FSUID), nil - case "setuid.fsuser": - return ev.FieldHandlers.ResolveSetuidFSUser(ev, &ev.SetUID), nil - case "setuid.uid": - return int(ev.SetUID.UID), nil - case "setuid.user": - return ev.FieldHandlers.ResolveSetuidUser(ev, &ev.SetUID), nil - case "setxattr.file.change_time": - return int(ev.SetXAttr.File.FileFields.CTime), nil - case "setxattr.file.destination.name": - return ev.FieldHandlers.ResolveXAttrName(ev, &ev.SetXAttr), nil - case "setxattr.file.destination.namespace": - return ev.FieldHandlers.ResolveXAttrNamespace(ev, &ev.SetXAttr), nil - case "setxattr.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.SetXAttr.File), nil - case "setxattr.file.gid": - return int(ev.SetXAttr.File.FileFields.GID), nil - case "setxattr.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.SetXAttr.File.FileFields), nil - case "setxattr.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.SetXAttr.File), nil - case "setxattr.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.SetXAttr.File.FileFields), nil - case "setxattr.file.inode": - return int(ev.SetXAttr.File.FileFields.PathKey.Inode), nil - case "setxattr.file.mode": - return int(ev.SetXAttr.File.FileFields.Mode), nil - case "setxattr.file.modification_time": - return int(ev.SetXAttr.File.FileFields.MTime), nil - case "setxattr.file.mount_id": - return int(ev.SetXAttr.File.FileFields.PathKey.MountID), nil - case "setxattr.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.SetXAttr.File), nil - case "setxattr.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.SetXAttr.File), nil - case "setxattr.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.SetXAttr.File), nil - case "setxattr.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.SetXAttr.File), nil - case "setxattr.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.SetXAttr.File), nil - case "setxattr.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.SetXAttr.File), nil - case "setxattr.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.SetXAttr.File), nil - case "setxattr.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.SetXAttr.File.FileFields)), nil - case "setxattr.file.uid": - return int(ev.SetXAttr.File.FileFields.UID), nil - case "setxattr.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.SetXAttr.File.FileFields), nil - case "setxattr.retval": - return int(ev.SetXAttr.SyscallEvent.Retval), nil - case "signal.pid": - return int(ev.Signal.PID), nil - case "signal.retval": - return int(ev.Signal.SyscallEvent.Retval), nil - case "signal.target.ancestors.args": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.args_flags": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.args_options": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.args_truncated": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.argv": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.argv0": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.auid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.AUID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.cap_effective": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.CapEffective) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.cap_permitted": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.CapPermitted) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.cgroup.file.inode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.CGroup.CGroupFile.Inode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.cgroup.file.mount_id": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.CGroup.CGroupFile.MountID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.cgroup.id": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveCGroupID(ev, &element.ProcessContext.Process.CGroup) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.cgroup.manager": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveCGroupManager(ev, &element.ProcessContext.Process.CGroup) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.cgroup.version": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveCGroupVersion(ev, &element.ProcessContext.Process.CGroup) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.comm": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Comm - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.container.id": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessContainerID(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.created_at": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process)) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.egid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.EGID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.egroup": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.EGroup - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.envp": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.envs": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.envs_truncated": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.euid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.EUID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.euser": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.EUser - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.change_time": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.filesystem": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.gid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.GID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.group": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.hashes": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.in_upper_layer": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.inode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.mode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.modification_time": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.mount_id": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent), nil - case "signal.target.ancestors.file.package.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.package.source_version": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.package.version": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.path": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent), nil - case "signal.target.ancestors.file.rights": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields)) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.uid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.FileEvent.FileFields.UID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.file.user": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.fsgid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.FSGID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.fsgroup": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.FSGroup - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.fsuid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.FSUID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.fsuser": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.FSUser - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.gid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.GID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.group": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.Group - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.change_time": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.filesystem": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.gid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.group": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.hashes": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.in_upper_layer": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.inode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.mode": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.modification_time": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.mount_id": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "signal.target.ancestors.interpreter.file.package.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.package.source_version": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.package.version": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.path": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent), nil - case "signal.target.ancestors.interpreter.file.rights": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.uid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.interpreter.file.user": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.is_exec": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.IsExec - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.is_kworker": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.PIDContext.IsKworker - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.is_thread": - var values []bool - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessIsThread(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.length": - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - return iterator.Len(ctx), nil - case "signal.target.ancestors.pid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.PIDContext.Pid) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.ppid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.PPid) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.tid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.PIDContext.Tid) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.tty_name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.TTYName - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.uid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.Credentials.UID) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.user": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.Credentials.User - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.user_session.k8s_groups": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.user_session.k8s_uid": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.ancestors.user_session.k8s_username": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "signal.target.args": - return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.Signal.Target.Process), nil - case "signal.target.args_flags": - return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.Signal.Target.Process), nil - case "signal.target.args_options": - return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.Signal.Target.Process), nil - case "signal.target.args_truncated": - return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.Signal.Target.Process), nil - case "signal.target.argv": - return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.Signal.Target.Process), nil - case "signal.target.argv0": - return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.Signal.Target.Process), nil - case "signal.target.auid": - return int(ev.Signal.Target.Process.Credentials.AUID), nil - case "signal.target.cap_effective": - return int(ev.Signal.Target.Process.Credentials.CapEffective), nil - case "signal.target.cap_permitted": - return int(ev.Signal.Target.Process.Credentials.CapPermitted), nil - case "signal.target.cgroup.file.inode": - return int(ev.Signal.Target.Process.CGroup.CGroupFile.Inode), nil - case "signal.target.cgroup.file.mount_id": - return int(ev.Signal.Target.Process.CGroup.CGroupFile.MountID), nil - case "signal.target.cgroup.id": - return ev.FieldHandlers.ResolveCGroupID(ev, &ev.Signal.Target.Process.CGroup), nil - case "signal.target.cgroup.manager": - return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.Signal.Target.Process.CGroup), nil - case "signal.target.cgroup.version": - return ev.FieldHandlers.ResolveCGroupVersion(ev, &ev.Signal.Target.Process.CGroup), nil - case "signal.target.comm": - return ev.Signal.Target.Process.Comm, nil - case "signal.target.container.id": - return ev.FieldHandlers.ResolveProcessContainerID(ev, &ev.Signal.Target.Process), nil - case "signal.target.created_at": - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.Signal.Target.Process)), nil - case "signal.target.egid": - return int(ev.Signal.Target.Process.Credentials.EGID), nil - case "signal.target.egroup": - return ev.Signal.Target.Process.Credentials.EGroup, nil - case "signal.target.envp": - return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.Signal.Target.Process), nil - case "signal.target.envs": - return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.Signal.Target.Process), nil - case "signal.target.envs_truncated": - return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.Signal.Target.Process), nil - case "signal.target.euid": - return int(ev.Signal.Target.Process.Credentials.EUID), nil - case "signal.target.euser": - return ev.Signal.Target.Process.Credentials.EUser, nil - case "signal.target.file.change_time": - if !ev.Signal.Target.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.FileEvent.FileFields.CTime), nil - case "signal.target.file.filesystem": - if !ev.Signal.Target.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Process.FileEvent), nil - case "signal.target.file.gid": - if !ev.Signal.Target.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.FileEvent.FileFields.GID), nil - case "signal.target.file.group": - if !ev.Signal.Target.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Process.FileEvent.FileFields), nil - case "signal.target.file.hashes": - if !ev.Signal.Target.Process.IsNotKworker() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Process.FileEvent), nil - case "signal.target.file.in_upper_layer": - if !ev.Signal.Target.Process.IsNotKworker() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Process.FileEvent.FileFields), nil - case "signal.target.file.inode": - if !ev.Signal.Target.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.FileEvent.FileFields.PathKey.Inode), nil - case "signal.target.file.mode": - if !ev.Signal.Target.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.FileEvent.FileFields.Mode), nil - case "signal.target.file.modification_time": - if !ev.Signal.Target.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.FileEvent.FileFields.MTime), nil - case "signal.target.file.mount_id": - if !ev.Signal.Target.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.FileEvent.FileFields.PathKey.MountID), nil - case "signal.target.file.name": - if !ev.Signal.Target.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.FileEvent), nil - case "signal.target.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.FileEvent), nil - case "signal.target.file.package.name": - if !ev.Signal.Target.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Process.FileEvent), nil - case "signal.target.file.package.source_version": - if !ev.Signal.Target.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Process.FileEvent), nil - case "signal.target.file.package.version": - if !ev.Signal.Target.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Process.FileEvent), nil - case "signal.target.file.path": - if !ev.Signal.Target.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.FileEvent), nil - case "signal.target.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.FileEvent), nil - case "signal.target.file.rights": - if !ev.Signal.Target.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Process.FileEvent.FileFields)), nil - case "signal.target.file.uid": - if !ev.Signal.Target.Process.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.FileEvent.FileFields.UID), nil - case "signal.target.file.user": - if !ev.Signal.Target.Process.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Process.FileEvent.FileFields), nil - case "signal.target.fsgid": - return int(ev.Signal.Target.Process.Credentials.FSGID), nil - case "signal.target.fsgroup": - return ev.Signal.Target.Process.Credentials.FSGroup, nil - case "signal.target.fsuid": - return int(ev.Signal.Target.Process.Credentials.FSUID), nil - case "signal.target.fsuser": - return ev.Signal.Target.Process.Credentials.FSUser, nil - case "signal.target.gid": - return int(ev.Signal.Target.Process.Credentials.GID), nil - case "signal.target.group": - return ev.Signal.Target.Process.Credentials.Group, nil - case "signal.target.interpreter.file.change_time": - if !ev.Signal.Target.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.CTime), nil - case "signal.target.interpreter.file.filesystem": - if !ev.Signal.Target.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil - case "signal.target.interpreter.file.gid": - if !ev.Signal.Target.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.GID), nil - case "signal.target.interpreter.file.group": - if !ev.Signal.Target.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields), nil - case "signal.target.interpreter.file.hashes": - if !ev.Signal.Target.Process.HasInterpreter() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil - case "signal.target.interpreter.file.in_upper_layer": - if !ev.Signal.Target.Process.HasInterpreter() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields), nil - case "signal.target.interpreter.file.inode": - if !ev.Signal.Target.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil - case "signal.target.interpreter.file.mode": - if !ev.Signal.Target.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.Mode), nil - case "signal.target.interpreter.file.modification_time": - if !ev.Signal.Target.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.MTime), nil - case "signal.target.interpreter.file.mount_id": - if !ev.Signal.Target.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil - case "signal.target.interpreter.file.name": - if !ev.Signal.Target.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil - case "signal.target.interpreter.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil - case "signal.target.interpreter.file.package.name": - if !ev.Signal.Target.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil - case "signal.target.interpreter.file.package.source_version": - if !ev.Signal.Target.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil - case "signal.target.interpreter.file.package.version": - if !ev.Signal.Target.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil - case "signal.target.interpreter.file.path": - if !ev.Signal.Target.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil - case "signal.target.interpreter.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil - case "signal.target.interpreter.file.rights": - if !ev.Signal.Target.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields)), nil - case "signal.target.interpreter.file.uid": - if !ev.Signal.Target.Process.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.UID), nil - case "signal.target.interpreter.file.user": - if !ev.Signal.Target.Process.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields), nil - case "signal.target.is_exec": - return ev.Signal.Target.Process.IsExec, nil - case "signal.target.is_kworker": - return ev.Signal.Target.Process.PIDContext.IsKworker, nil - case "signal.target.is_thread": - return ev.FieldHandlers.ResolveProcessIsThread(ev, &ev.Signal.Target.Process), nil - case "signal.target.parent.args": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Signal.Target.Parent), nil - case "signal.target.parent.args_flags": - if !ev.Signal.Target.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Signal.Target.Parent), nil - case "signal.target.parent.args_options": - if !ev.Signal.Target.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Signal.Target.Parent), nil - case "signal.target.parent.args_truncated": - if !ev.Signal.Target.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Signal.Target.Parent), nil - case "signal.target.parent.argv": - if !ev.Signal.Target.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Signal.Target.Parent), nil - case "signal.target.parent.argv0": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Signal.Target.Parent), nil - case "signal.target.parent.auid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.Credentials.AUID), nil - case "signal.target.parent.cap_effective": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.Credentials.CapEffective), nil - case "signal.target.parent.cap_permitted": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.Credentials.CapPermitted), nil - case "signal.target.parent.cgroup.file.inode": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.CGroup.CGroupFile.Inode), nil - case "signal.target.parent.cgroup.file.mount_id": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.CGroup.CGroupFile.MountID), nil - case "signal.target.parent.cgroup.id": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveCGroupID(ev, &ev.Signal.Target.Parent.CGroup), nil - case "signal.target.parent.cgroup.manager": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.Signal.Target.Parent.CGroup), nil - case "signal.target.parent.cgroup.version": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveCGroupVersion(ev, &ev.Signal.Target.Parent.CGroup), nil - case "signal.target.parent.comm": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.Signal.Target.Parent.Comm, nil - case "signal.target.parent.container.id": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessContainerID(ev, ev.Signal.Target.Parent), nil - case "signal.target.parent.created_at": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Signal.Target.Parent)), nil - case "signal.target.parent.egid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.Credentials.EGID), nil - case "signal.target.parent.egroup": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.Signal.Target.Parent.Credentials.EGroup, nil - case "signal.target.parent.envp": - if !ev.Signal.Target.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Signal.Target.Parent), nil - case "signal.target.parent.envs": - if !ev.Signal.Target.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Signal.Target.Parent), nil - case "signal.target.parent.envs_truncated": - if !ev.Signal.Target.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Signal.Target.Parent), nil - case "signal.target.parent.euid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.Credentials.EUID), nil - case "signal.target.parent.euser": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.Signal.Target.Parent.Credentials.EUser, nil - case "signal.target.parent.file.change_time": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.FileEvent.FileFields.CTime), nil - case "signal.target.parent.file.filesystem": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Parent.FileEvent), nil - case "signal.target.parent.file.gid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.FileEvent.FileFields.GID), nil - case "signal.target.parent.file.group": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Parent.FileEvent.FileFields), nil - case "signal.target.parent.file.hashes": - if !ev.Signal.Target.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Parent.FileEvent), nil - case "signal.target.parent.file.in_upper_layer": - if !ev.Signal.Target.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Parent.FileEvent.FileFields), nil - case "signal.target.parent.file.inode": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.FileEvent.FileFields.PathKey.Inode), nil - case "signal.target.parent.file.mode": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.FileEvent.FileFields.Mode), nil - case "signal.target.parent.file.modification_time": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.FileEvent.FileFields.MTime), nil - case "signal.target.parent.file.mount_id": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.FileEvent.FileFields.PathKey.MountID), nil - case "signal.target.parent.file.name": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.FileEvent), nil - case "signal.target.parent.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.FileEvent), nil - case "signal.target.parent.file.package.name": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Parent.FileEvent), nil - case "signal.target.parent.file.package.source_version": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Parent.FileEvent), nil - case "signal.target.parent.file.package.version": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Parent.FileEvent), nil - case "signal.target.parent.file.path": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.FileEvent), nil - case "signal.target.parent.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.FileEvent), nil - case "signal.target.parent.file.rights": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Parent.FileEvent.FileFields)), nil - case "signal.target.parent.file.uid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.FileEvent.FileFields.UID), nil - case "signal.target.parent.file.user": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.IsNotKworker() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Parent.FileEvent.FileFields), nil - case "signal.target.parent.fsgid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.Credentials.FSGID), nil - case "signal.target.parent.fsgroup": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.Signal.Target.Parent.Credentials.FSGroup, nil - case "signal.target.parent.fsuid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.Credentials.FSUID), nil - case "signal.target.parent.fsuser": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.Signal.Target.Parent.Credentials.FSUser, nil - case "signal.target.parent.gid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.Credentials.GID), nil - case "signal.target.parent.group": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.Signal.Target.Parent.Credentials.Group, nil - case "signal.target.parent.interpreter.file.change_time": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.CTime), nil - case "signal.target.parent.interpreter.file.filesystem": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil - case "signal.target.parent.interpreter.file.gid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.GID), nil - case "signal.target.parent.interpreter.file.group": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields), nil - case "signal.target.parent.interpreter.file.hashes": - if !ev.Signal.Target.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil - case "signal.target.parent.interpreter.file.in_upper_layer": - if !ev.Signal.Target.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields), nil - case "signal.target.parent.interpreter.file.inode": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil - case "signal.target.parent.interpreter.file.mode": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.Mode), nil - case "signal.target.parent.interpreter.file.modification_time": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.MTime), nil - case "signal.target.parent.interpreter.file.mount_id": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil - case "signal.target.parent.interpreter.file.name": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil - case "signal.target.parent.interpreter.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil - case "signal.target.parent.interpreter.file.package.name": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil - case "signal.target.parent.interpreter.file.package.source_version": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil - case "signal.target.parent.interpreter.file.package.version": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil - case "signal.target.parent.interpreter.file.path": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil - case "signal.target.parent.interpreter.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil - case "signal.target.parent.interpreter.file.rights": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields)), nil - case "signal.target.parent.interpreter.file.uid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.UID), nil - case "signal.target.parent.interpreter.file.user": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - if !ev.Signal.Target.Parent.HasInterpreter() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields), nil - case "signal.target.parent.is_exec": - if !ev.Signal.Target.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.Signal.Target.Parent.IsExec, nil - case "signal.target.parent.is_kworker": - if !ev.Signal.Target.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.Signal.Target.Parent.PIDContext.IsKworker, nil - case "signal.target.parent.is_thread": - if !ev.Signal.Target.HasParent() { - return false, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessIsThread(ev, ev.Signal.Target.Parent), nil - case "signal.target.parent.pid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.PIDContext.Pid), nil - case "signal.target.parent.ppid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.PPid), nil - case "signal.target.parent.tid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.PIDContext.Tid), nil - case "signal.target.parent.tty_name": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.Signal.Target.Parent.TTYName, nil - case "signal.target.parent.uid": - if !ev.Signal.Target.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.Signal.Target.Parent.Credentials.UID), nil - case "signal.target.parent.user": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.Signal.Target.Parent.Credentials.User, nil - case "signal.target.parent.user_session.k8s_groups": - if !ev.Signal.Target.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Signal.Target.Parent.UserSession), nil - case "signal.target.parent.user_session.k8s_uid": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Signal.Target.Parent.UserSession), nil - case "signal.target.parent.user_session.k8s_username": - if !ev.Signal.Target.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Signal.Target.Parent.UserSession), nil - case "signal.target.pid": - return int(ev.Signal.Target.Process.PIDContext.Pid), nil - case "signal.target.ppid": - return int(ev.Signal.Target.Process.PPid), nil - case "signal.target.tid": - return int(ev.Signal.Target.Process.PIDContext.Tid), nil - case "signal.target.tty_name": - return ev.Signal.Target.Process.TTYName, nil - case "signal.target.uid": - return int(ev.Signal.Target.Process.Credentials.UID), nil - case "signal.target.user": - return ev.Signal.Target.Process.Credentials.User, nil - case "signal.target.user_session.k8s_groups": - return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Signal.Target.Process.UserSession), nil - case "signal.target.user_session.k8s_uid": - return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Signal.Target.Process.UserSession), nil - case "signal.target.user_session.k8s_username": - return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Signal.Target.Process.UserSession), nil - case "signal.type": - return int(ev.Signal.Type), nil - case "splice.file.change_time": - return int(ev.Splice.File.FileFields.CTime), nil - case "splice.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Splice.File), nil - case "splice.file.gid": - return int(ev.Splice.File.FileFields.GID), nil - case "splice.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Splice.File.FileFields), nil - case "splice.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Splice.File), nil - case "splice.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Splice.File.FileFields), nil - case "splice.file.inode": - return int(ev.Splice.File.FileFields.PathKey.Inode), nil - case "splice.file.mode": - return int(ev.Splice.File.FileFields.Mode), nil - case "splice.file.modification_time": - return int(ev.Splice.File.FileFields.MTime), nil - case "splice.file.mount_id": - return int(ev.Splice.File.FileFields.PathKey.MountID), nil - case "splice.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Splice.File), nil - case "splice.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Splice.File), nil - case "splice.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Splice.File), nil - case "splice.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Splice.File), nil - case "splice.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Splice.File), nil - case "splice.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Splice.File), nil - case "splice.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Splice.File), nil - case "splice.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Splice.File.FileFields)), nil - case "splice.file.uid": - return int(ev.Splice.File.FileFields.UID), nil - case "splice.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Splice.File.FileFields), nil - case "splice.pipe_entry_flag": - return int(ev.Splice.PipeEntryFlag), nil - case "splice.pipe_exit_flag": - return int(ev.Splice.PipeExitFlag), nil - case "splice.retval": - return int(ev.Splice.SyscallEvent.Retval), nil - case "unlink.file.change_time": - return int(ev.Unlink.File.FileFields.CTime), nil - case "unlink.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Unlink.File), nil - case "unlink.file.gid": - return int(ev.Unlink.File.FileFields.GID), nil - case "unlink.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Unlink.File.FileFields), nil - case "unlink.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Unlink.File), nil - case "unlink.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Unlink.File.FileFields), nil - case "unlink.file.inode": - return int(ev.Unlink.File.FileFields.PathKey.Inode), nil - case "unlink.file.mode": - return int(ev.Unlink.File.FileFields.Mode), nil - case "unlink.file.modification_time": - return int(ev.Unlink.File.FileFields.MTime), nil - case "unlink.file.mount_id": - return int(ev.Unlink.File.FileFields.PathKey.MountID), nil - case "unlink.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Unlink.File), nil - case "unlink.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Unlink.File), nil - case "unlink.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Unlink.File), nil - case "unlink.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Unlink.File), nil - case "unlink.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Unlink.File), nil - case "unlink.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Unlink.File), nil - case "unlink.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Unlink.File), nil - case "unlink.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Unlink.File.FileFields)), nil - case "unlink.file.uid": - return int(ev.Unlink.File.FileFields.UID), nil - case "unlink.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Unlink.File.FileFields), nil - case "unlink.flags": - return int(ev.Unlink.Flags), nil - case "unlink.retval": - return int(ev.Unlink.SyscallEvent.Retval), nil - case "unlink.syscall.dirfd": - return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt1(ev, &ev.Unlink.SyscallContext)), nil - case "unlink.syscall.flags": - return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt3(ev, &ev.Unlink.SyscallContext)), nil - case "unlink.syscall.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr2(ev, &ev.Unlink.SyscallContext), nil - case "unload_module.name": - return ev.UnloadModule.Name, nil - case "unload_module.retval": - return int(ev.UnloadModule.SyscallEvent.Retval), nil - case "utimes.file.change_time": - return int(ev.Utimes.File.FileFields.CTime), nil - case "utimes.file.filesystem": - return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Utimes.File), nil - case "utimes.file.gid": - return int(ev.Utimes.File.FileFields.GID), nil - case "utimes.file.group": - return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Utimes.File.FileFields), nil - case "utimes.file.hashes": - return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Utimes.File), nil - case "utimes.file.in_upper_layer": - return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Utimes.File.FileFields), nil - case "utimes.file.inode": - return int(ev.Utimes.File.FileFields.PathKey.Inode), nil - case "utimes.file.mode": - return int(ev.Utimes.File.FileFields.Mode), nil - case "utimes.file.modification_time": - return int(ev.Utimes.File.FileFields.MTime), nil - case "utimes.file.mount_id": - return int(ev.Utimes.File.FileFields.PathKey.MountID), nil - case "utimes.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Utimes.File), nil - case "utimes.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Utimes.File), nil - case "utimes.file.package.name": - return ev.FieldHandlers.ResolvePackageName(ev, &ev.Utimes.File), nil - case "utimes.file.package.source_version": - return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Utimes.File), nil - case "utimes.file.package.version": - return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Utimes.File), nil - case "utimes.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Utimes.File), nil - case "utimes.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Utimes.File), nil - case "utimes.file.rights": - return int(ev.FieldHandlers.ResolveRights(ev, &ev.Utimes.File.FileFields)), nil - case "utimes.file.uid": - return int(ev.Utimes.File.FileFields.UID), nil - case "utimes.file.user": - return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Utimes.File.FileFields), nil - case "utimes.retval": - return int(ev.Utimes.SyscallEvent.Retval), nil - case "utimes.syscall.path": - return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Utimes.SyscallContext), nil + m := &Model{} + evaluator, err := m.GetEvaluator(field, "") + if err != nil { + return nil, err } - return nil, &eval.ErrFieldNotFound{Field: field} + ctx := eval.NewContext(ev) + value := evaluator.Eval(ctx) + if ctx.Error != nil { + return nil, ctx.Error + } + return value, nil } func (ev *Event) GetFieldMetadata(field eval.Field) (eval.EventType, reflect.Kind, error) { switch field { diff --git a/pkg/security/secl/model/accessors_windows.go b/pkg/security/secl/model/accessors_windows.go index 6304411ddba684..687057f1d39ca1 100644 --- a/pkg/security/secl/model/accessors_windows.go +++ b/pkg/security/secl/model/accessors_windows.go @@ -20,7 +20,7 @@ import ( var _ = math.MaxUint16 var _ = net.IP{} -func (m *Model) GetEventTypes() []eval.EventType { +func (_ *Model) GetEventTypes() []eval.EventType { return []eval.EventType{ eval.EventType("change_permission"), eval.EventType("create"), @@ -35,12 +35,12 @@ func (m *Model) GetEventTypes() []eval.EventType { eval.EventType("write"), } } -func (m *Model) GetFieldRestrictions(field eval.Field) []eval.EventType { +func (_ *Model) GetFieldRestrictions(field eval.Field) []eval.EventType { switch field { } return nil } -func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error) { +func (_ *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error) { switch field { case "change_permission.new_sd": return &eval.StringEvaluator{ @@ -1343,6 +1343,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.BaseEvent.ProcessContext.Parent) @@ -1356,6 +1357,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.BaseEvent.ProcessContext.Parent.ContainerID @@ -1369,6 +1371,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.BaseEvent.ProcessContext.Parent)) @@ -1382,6 +1385,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent) @@ -1395,6 +1399,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent) @@ -1409,6 +1414,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) @@ -1434,6 +1440,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) @@ -1458,6 +1465,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid) @@ -1471,6 +1479,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.PPid) @@ -1484,6 +1493,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveUser(ev, ev.BaseEvent.ProcessContext.Parent) @@ -1497,6 +1507,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.BaseEvent.ProcessContext.Parent.OwnerSidString @@ -2045,456 +2056,17 @@ func (ev *Event) GetFields() []eval.Field { } } func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) { - switch field { - case "change_permission.new_sd": - return ev.FieldHandlers.ResolveNewSecurityDescriptor(ev, &ev.ChangePermission), nil - case "change_permission.old_sd": - return ev.FieldHandlers.ResolveOldSecurityDescriptor(ev, &ev.ChangePermission), nil - case "change_permission.path": - return ev.ChangePermission.ObjectName, nil - case "change_permission.type": - return ev.ChangePermission.ObjectType, nil - case "change_permission.user_domain": - return ev.ChangePermission.UserDomain, nil - case "change_permission.username": - return ev.ChangePermission.UserName, nil - case "container.created_at": - return int(ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.BaseEvent.ContainerContext)), nil - case "container.id": - return ev.FieldHandlers.ResolveContainerID(ev, ev.BaseEvent.ContainerContext), nil - case "container.runtime": - return ev.FieldHandlers.ResolveContainerRuntime(ev, ev.BaseEvent.ContainerContext), nil - case "container.tags": - return ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext), nil - case "create.file.device_path": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.CreateNewFile.File), nil - case "create.file.device_path.length": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.CreateNewFile.File), nil - case "create.file.name": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.CreateNewFile.File), nil - case "create.file.name.length": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.CreateNewFile.File), nil - case "create.file.path": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.CreateNewFile.File), nil - case "create.file.path.length": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.CreateNewFile.File), nil - case "create.registry.key_name": - return ev.CreateRegistryKey.Registry.KeyName, nil - case "create.registry.key_name.length": - return len(ev.CreateRegistryKey.Registry.KeyName), nil - case "create.registry.key_path": - return ev.CreateRegistryKey.Registry.KeyPath, nil - case "create.registry.key_path.length": - return len(ev.CreateRegistryKey.Registry.KeyPath), nil - case "create_key.registry.key_name": - return ev.CreateRegistryKey.Registry.KeyName, nil - case "create_key.registry.key_name.length": - return len(ev.CreateRegistryKey.Registry.KeyName), nil - case "create_key.registry.key_path": - return ev.CreateRegistryKey.Registry.KeyPath, nil - case "create_key.registry.key_path.length": - return len(ev.CreateRegistryKey.Registry.KeyPath), nil - case "delete.file.device_path": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.DeleteFile.File), nil - case "delete.file.device_path.length": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.DeleteFile.File), nil - case "delete.file.name": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.DeleteFile.File), nil - case "delete.file.name.length": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.DeleteFile.File), nil - case "delete.file.path": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.DeleteFile.File), nil - case "delete.file.path.length": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.DeleteFile.File), nil - case "delete.registry.key_name": - return ev.DeleteRegistryKey.Registry.KeyName, nil - case "delete.registry.key_name.length": - return len(ev.DeleteRegistryKey.Registry.KeyName), nil - case "delete.registry.key_path": - return ev.DeleteRegistryKey.Registry.KeyPath, nil - case "delete.registry.key_path.length": - return len(ev.DeleteRegistryKey.Registry.KeyPath), nil - case "delete_key.registry.key_name": - return ev.DeleteRegistryKey.Registry.KeyName, nil - case "delete_key.registry.key_name.length": - return len(ev.DeleteRegistryKey.Registry.KeyName), nil - case "delete_key.registry.key_path": - return ev.DeleteRegistryKey.Registry.KeyPath, nil - case "delete_key.registry.key_path.length": - return len(ev.DeleteRegistryKey.Registry.KeyPath), nil - case "event.hostname": - return ev.FieldHandlers.ResolveHostname(ev, &ev.BaseEvent), nil - case "event.origin": - return ev.BaseEvent.Origin, nil - case "event.os": - return ev.BaseEvent.Os, nil - case "event.service": - return ev.FieldHandlers.ResolveService(ev, &ev.BaseEvent), nil - case "event.timestamp": - return int(ev.FieldHandlers.ResolveEventTimestamp(ev, &ev.BaseEvent)), nil - case "exec.cmdline": - return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exec.Process), nil - case "exec.container.id": - return ev.Exec.Process.ContainerID, nil - case "exec.created_at": - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exec.Process)), nil - case "exec.envp": - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process), nil - case "exec.envs": - return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process), nil - case "exec.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent), nil - case "exec.pid": - return int(ev.Exec.Process.PIDContext.Pid), nil - case "exec.ppid": - return int(ev.Exec.Process.PPid), nil - case "exec.user": - return ev.FieldHandlers.ResolveUser(ev, ev.Exec.Process), nil - case "exec.user_sid": - return ev.Exec.Process.OwnerSidString, nil - case "exit.cause": - return int(ev.Exit.Cause), nil - case "exit.cmdline": - return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exit.Process), nil - case "exit.code": - return int(ev.Exit.Code), nil - case "exit.container.id": - return ev.Exit.Process.ContainerID, nil - case "exit.created_at": - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exit.Process)), nil - case "exit.envp": - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process), nil - case "exit.envs": - return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process), nil - case "exit.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent), nil - case "exit.pid": - return int(ev.Exit.Process.PIDContext.Pid), nil - case "exit.ppid": - return int(ev.Exit.Process.PPid), nil - case "exit.user": - return ev.FieldHandlers.ResolveUser(ev, ev.Exit.Process), nil - case "exit.user_sid": - return ev.Exit.Process.OwnerSidString, nil - case "open.registry.key_name": - return ev.OpenRegistryKey.Registry.KeyName, nil - case "open.registry.key_name.length": - return len(ev.OpenRegistryKey.Registry.KeyName), nil - case "open.registry.key_path": - return ev.OpenRegistryKey.Registry.KeyPath, nil - case "open.registry.key_path.length": - return len(ev.OpenRegistryKey.Registry.KeyPath), nil - case "open_key.registry.key_name": - return ev.OpenRegistryKey.Registry.KeyName, nil - case "open_key.registry.key_name.length": - return len(ev.OpenRegistryKey.Registry.KeyName), nil - case "open_key.registry.key_path": - return ev.OpenRegistryKey.Registry.KeyPath, nil - case "open_key.registry.key_path.length": - return len(ev.OpenRegistryKey.Registry.KeyPath), nil - case "process.ancestors.cmdline": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessCmdLine(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.container.id": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.ContainerID - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.created_at": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process)) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.envp": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.envs": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent), nil - case "process.ancestors.file.path": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent), nil - case "process.ancestors.length": - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - return iterator.Len(ctx), nil - case "process.ancestors.pid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.PIDContext.Pid) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.ppid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.PPid) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.user": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveUser(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.user_sid": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.OwnerSidString - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.cmdline": - return ev.FieldHandlers.ResolveProcessCmdLine(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.container.id": - return ev.BaseEvent.ProcessContext.Process.ContainerID, nil - case "process.created_at": - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.BaseEvent.ProcessContext.Process)), nil - case "process.envp": - return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.envs": - return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.parent.cmdline": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.container.id": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.ContainerID, nil - case "process.parent.created_at": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.BaseEvent.ProcessContext.Parent)), nil - case "process.parent.envp": - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.envs": - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.file.name": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.path": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.pid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid), nil - case "process.parent.ppid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.PPid), nil - case "process.parent.user": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveUser(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.user_sid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.OwnerSidString, nil - case "process.pid": - return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Pid), nil - case "process.ppid": - return int(ev.BaseEvent.ProcessContext.Process.PPid), nil - case "process.user": - return ev.FieldHandlers.ResolveUser(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.user_sid": - return ev.BaseEvent.ProcessContext.Process.OwnerSidString, nil - case "rename.file.destination.device_path": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.New), nil - case "rename.file.destination.device_path.length": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.New), nil - case "rename.file.destination.name": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.New), nil - case "rename.file.destination.name.length": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.New), nil - case "rename.file.destination.path": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.New), nil - case "rename.file.destination.path.length": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.New), nil - case "rename.file.device_path": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.Old), nil - case "rename.file.device_path.length": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.Old), nil - case "rename.file.name": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.Old), nil - case "rename.file.name.length": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.Old), nil - case "rename.file.path": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.Old), nil - case "rename.file.path.length": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.Old), nil - case "set.registry.key_name": - return ev.SetRegistryKeyValue.Registry.KeyName, nil - case "set.registry.key_name.length": - return len(ev.SetRegistryKeyValue.Registry.KeyName), nil - case "set.registry.key_path": - return ev.SetRegistryKeyValue.Registry.KeyPath, nil - case "set.registry.key_path.length": - return len(ev.SetRegistryKeyValue.Registry.KeyPath), nil - case "set.registry.value_name": - return ev.SetRegistryKeyValue.ValueName, nil - case "set.registry.value_name.length": - return len(ev.SetRegistryKeyValue.ValueName), nil - case "set.value_name": - return ev.SetRegistryKeyValue.ValueName, nil - case "set_key_value.registry.key_name": - return ev.SetRegistryKeyValue.Registry.KeyName, nil - case "set_key_value.registry.key_name.length": - return len(ev.SetRegistryKeyValue.Registry.KeyName), nil - case "set_key_value.registry.key_path": - return ev.SetRegistryKeyValue.Registry.KeyPath, nil - case "set_key_value.registry.key_path.length": - return len(ev.SetRegistryKeyValue.Registry.KeyPath), nil - case "set_key_value.registry.value_name": - return ev.SetRegistryKeyValue.ValueName, nil - case "set_key_value.registry.value_name.length": - return len(ev.SetRegistryKeyValue.ValueName), nil - case "set_key_value.value_name": - return ev.SetRegistryKeyValue.ValueName, nil - case "write.file.device_path": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.WriteFile.File), nil - case "write.file.device_path.length": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.WriteFile.File), nil - case "write.file.name": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.WriteFile.File), nil - case "write.file.name.length": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.WriteFile.File), nil - case "write.file.path": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.WriteFile.File), nil - case "write.file.path.length": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.WriteFile.File), nil + m := &Model{} + evaluator, err := m.GetEvaluator(field, "") + if err != nil { + return nil, err } - return nil, &eval.ErrFieldNotFound{Field: field} + ctx := eval.NewContext(ev) + value := evaluator.Eval(ctx) + if ctx.Error != nil { + return nil, ctx.Error + } + return value, nil } func (ev *Event) GetFieldMetadata(field eval.Field) (eval.EventType, reflect.Kind, error) { switch field { diff --git a/pkg/security/seclwin/model/accessors_win.go b/pkg/security/seclwin/model/accessors_win.go index b9e4ad9b5e0b91..dd0213622672f2 100644 --- a/pkg/security/seclwin/model/accessors_win.go +++ b/pkg/security/seclwin/model/accessors_win.go @@ -18,7 +18,7 @@ import ( var _ = math.MaxUint16 var _ = net.IP{} -func (m *Model) GetEventTypes() []eval.EventType { +func (_ *Model) GetEventTypes() []eval.EventType { return []eval.EventType{ eval.EventType("change_permission"), eval.EventType("create"), @@ -33,12 +33,12 @@ func (m *Model) GetEventTypes() []eval.EventType { eval.EventType("write"), } } -func (m *Model) GetFieldRestrictions(field eval.Field) []eval.EventType { +func (_ *Model) GetFieldRestrictions(field eval.Field) []eval.EventType { switch field { } return nil } -func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error) { +func (_ *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error) { switch field { case "change_permission.new_sd": return &eval.StringEvaluator{ @@ -1341,6 +1341,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.BaseEvent.ProcessContext.Parent) @@ -1354,6 +1355,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.BaseEvent.ProcessContext.Parent.ContainerID @@ -1367,6 +1369,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.BaseEvent.ProcessContext.Parent)) @@ -1380,6 +1383,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent) @@ -1393,6 +1397,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return []string{} } return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent) @@ -1407,6 +1412,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) @@ -1432,6 +1438,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) @@ -1456,6 +1463,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid) @@ -1469,6 +1477,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return 0 } return int(ev.BaseEvent.ProcessContext.Parent.PPid) @@ -1482,6 +1491,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.FieldHandlers.ResolveUser(ev, ev.BaseEvent.ProcessContext.Parent) @@ -1495,6 +1505,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { + ctx.Error = &eval.ErrNotSupported{Field: field} return "" } return ev.BaseEvent.ProcessContext.Parent.OwnerSidString @@ -2043,456 +2054,17 @@ func (ev *Event) GetFields() []eval.Field { } } func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) { - switch field { - case "change_permission.new_sd": - return ev.FieldHandlers.ResolveNewSecurityDescriptor(ev, &ev.ChangePermission), nil - case "change_permission.old_sd": - return ev.FieldHandlers.ResolveOldSecurityDescriptor(ev, &ev.ChangePermission), nil - case "change_permission.path": - return ev.ChangePermission.ObjectName, nil - case "change_permission.type": - return ev.ChangePermission.ObjectType, nil - case "change_permission.user_domain": - return ev.ChangePermission.UserDomain, nil - case "change_permission.username": - return ev.ChangePermission.UserName, nil - case "container.created_at": - return int(ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.BaseEvent.ContainerContext)), nil - case "container.id": - return ev.FieldHandlers.ResolveContainerID(ev, ev.BaseEvent.ContainerContext), nil - case "container.runtime": - return ev.FieldHandlers.ResolveContainerRuntime(ev, ev.BaseEvent.ContainerContext), nil - case "container.tags": - return ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext), nil - case "create.file.device_path": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.CreateNewFile.File), nil - case "create.file.device_path.length": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.CreateNewFile.File), nil - case "create.file.name": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.CreateNewFile.File), nil - case "create.file.name.length": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.CreateNewFile.File), nil - case "create.file.path": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.CreateNewFile.File), nil - case "create.file.path.length": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.CreateNewFile.File), nil - case "create.registry.key_name": - return ev.CreateRegistryKey.Registry.KeyName, nil - case "create.registry.key_name.length": - return len(ev.CreateRegistryKey.Registry.KeyName), nil - case "create.registry.key_path": - return ev.CreateRegistryKey.Registry.KeyPath, nil - case "create.registry.key_path.length": - return len(ev.CreateRegistryKey.Registry.KeyPath), nil - case "create_key.registry.key_name": - return ev.CreateRegistryKey.Registry.KeyName, nil - case "create_key.registry.key_name.length": - return len(ev.CreateRegistryKey.Registry.KeyName), nil - case "create_key.registry.key_path": - return ev.CreateRegistryKey.Registry.KeyPath, nil - case "create_key.registry.key_path.length": - return len(ev.CreateRegistryKey.Registry.KeyPath), nil - case "delete.file.device_path": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.DeleteFile.File), nil - case "delete.file.device_path.length": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.DeleteFile.File), nil - case "delete.file.name": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.DeleteFile.File), nil - case "delete.file.name.length": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.DeleteFile.File), nil - case "delete.file.path": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.DeleteFile.File), nil - case "delete.file.path.length": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.DeleteFile.File), nil - case "delete.registry.key_name": - return ev.DeleteRegistryKey.Registry.KeyName, nil - case "delete.registry.key_name.length": - return len(ev.DeleteRegistryKey.Registry.KeyName), nil - case "delete.registry.key_path": - return ev.DeleteRegistryKey.Registry.KeyPath, nil - case "delete.registry.key_path.length": - return len(ev.DeleteRegistryKey.Registry.KeyPath), nil - case "delete_key.registry.key_name": - return ev.DeleteRegistryKey.Registry.KeyName, nil - case "delete_key.registry.key_name.length": - return len(ev.DeleteRegistryKey.Registry.KeyName), nil - case "delete_key.registry.key_path": - return ev.DeleteRegistryKey.Registry.KeyPath, nil - case "delete_key.registry.key_path.length": - return len(ev.DeleteRegistryKey.Registry.KeyPath), nil - case "event.hostname": - return ev.FieldHandlers.ResolveHostname(ev, &ev.BaseEvent), nil - case "event.origin": - return ev.BaseEvent.Origin, nil - case "event.os": - return ev.BaseEvent.Os, nil - case "event.service": - return ev.FieldHandlers.ResolveService(ev, &ev.BaseEvent), nil - case "event.timestamp": - return int(ev.FieldHandlers.ResolveEventTimestamp(ev, &ev.BaseEvent)), nil - case "exec.cmdline": - return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exec.Process), nil - case "exec.container.id": - return ev.Exec.Process.ContainerID, nil - case "exec.created_at": - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exec.Process)), nil - case "exec.envp": - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process), nil - case "exec.envs": - return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process), nil - case "exec.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent), nil - case "exec.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent), nil - case "exec.pid": - return int(ev.Exec.Process.PIDContext.Pid), nil - case "exec.ppid": - return int(ev.Exec.Process.PPid), nil - case "exec.user": - return ev.FieldHandlers.ResolveUser(ev, ev.Exec.Process), nil - case "exec.user_sid": - return ev.Exec.Process.OwnerSidString, nil - case "exit.cause": - return int(ev.Exit.Cause), nil - case "exit.cmdline": - return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exit.Process), nil - case "exit.code": - return int(ev.Exit.Code), nil - case "exit.container.id": - return ev.Exit.Process.ContainerID, nil - case "exit.created_at": - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exit.Process)), nil - case "exit.envp": - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process), nil - case "exit.envs": - return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process), nil - case "exit.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent), nil - case "exit.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent), nil - case "exit.pid": - return int(ev.Exit.Process.PIDContext.Pid), nil - case "exit.ppid": - return int(ev.Exit.Process.PPid), nil - case "exit.user": - return ev.FieldHandlers.ResolveUser(ev, ev.Exit.Process), nil - case "exit.user_sid": - return ev.Exit.Process.OwnerSidString, nil - case "open.registry.key_name": - return ev.OpenRegistryKey.Registry.KeyName, nil - case "open.registry.key_name.length": - return len(ev.OpenRegistryKey.Registry.KeyName), nil - case "open.registry.key_path": - return ev.OpenRegistryKey.Registry.KeyPath, nil - case "open.registry.key_path.length": - return len(ev.OpenRegistryKey.Registry.KeyPath), nil - case "open_key.registry.key_name": - return ev.OpenRegistryKey.Registry.KeyName, nil - case "open_key.registry.key_name.length": - return len(ev.OpenRegistryKey.Registry.KeyName), nil - case "open_key.registry.key_path": - return ev.OpenRegistryKey.Registry.KeyPath, nil - case "open_key.registry.key_path.length": - return len(ev.OpenRegistryKey.Registry.KeyPath), nil - case "process.ancestors.cmdline": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessCmdLine(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.container.id": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.ContainerID - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.created_at": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process)) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.envp": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.envs": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process) - values = append(values, result...) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.name": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent), nil - case "process.ancestors.file.path": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent), nil - case "process.ancestors.length": - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - return iterator.Len(ctx), nil - case "process.ancestors.pid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.PIDContext.Pid) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.ppid": - var values []int - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := int(element.ProcessContext.Process.PPid) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.user": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := ev.FieldHandlers.ResolveUser(ev, &element.ProcessContext.Process) - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.ancestors.user_sid": - var values []string - ctx := eval.NewContext(ev) - iterator := &ProcessAncestorsIterator{} - ptr := iterator.Front(ctx) - for ptr != nil { - element := ptr - result := element.ProcessContext.Process.OwnerSidString - values = append(values, result) - ptr = iterator.Next() - } - return values, nil - case "process.cmdline": - return ev.FieldHandlers.ResolveProcessCmdLine(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.container.id": - return ev.BaseEvent.ProcessContext.Process.ContainerID, nil - case "process.created_at": - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.BaseEvent.ProcessContext.Process)), nil - case "process.envp": - return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.envs": - return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.file.name": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.path": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil - case "process.parent.cmdline": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.container.id": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.ContainerID, nil - case "process.parent.created_at": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.BaseEvent.ProcessContext.Parent)), nil - case "process.parent.envp": - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.envs": - if !ev.BaseEvent.ProcessContext.HasParent() { - return []string{}, &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.file.name": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.name.length": - return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.path": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.file.path.length": - return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil - case "process.parent.pid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid), nil - case "process.parent.ppid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return 0, &eval.ErrNotSupported{Field: field} - } - return int(ev.BaseEvent.ProcessContext.Parent.PPid), nil - case "process.parent.user": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.FieldHandlers.ResolveUser(ev, ev.BaseEvent.ProcessContext.Parent), nil - case "process.parent.user_sid": - if !ev.BaseEvent.ProcessContext.HasParent() { - return "", &eval.ErrNotSupported{Field: field} - } - return ev.BaseEvent.ProcessContext.Parent.OwnerSidString, nil - case "process.pid": - return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Pid), nil - case "process.ppid": - return int(ev.BaseEvent.ProcessContext.Process.PPid), nil - case "process.user": - return ev.FieldHandlers.ResolveUser(ev, &ev.BaseEvent.ProcessContext.Process), nil - case "process.user_sid": - return ev.BaseEvent.ProcessContext.Process.OwnerSidString, nil - case "rename.file.destination.device_path": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.New), nil - case "rename.file.destination.device_path.length": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.New), nil - case "rename.file.destination.name": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.New), nil - case "rename.file.destination.name.length": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.New), nil - case "rename.file.destination.path": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.New), nil - case "rename.file.destination.path.length": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.New), nil - case "rename.file.device_path": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.Old), nil - case "rename.file.device_path.length": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.Old), nil - case "rename.file.name": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.Old), nil - case "rename.file.name.length": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.Old), nil - case "rename.file.path": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.Old), nil - case "rename.file.path.length": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.Old), nil - case "set.registry.key_name": - return ev.SetRegistryKeyValue.Registry.KeyName, nil - case "set.registry.key_name.length": - return len(ev.SetRegistryKeyValue.Registry.KeyName), nil - case "set.registry.key_path": - return ev.SetRegistryKeyValue.Registry.KeyPath, nil - case "set.registry.key_path.length": - return len(ev.SetRegistryKeyValue.Registry.KeyPath), nil - case "set.registry.value_name": - return ev.SetRegistryKeyValue.ValueName, nil - case "set.registry.value_name.length": - return len(ev.SetRegistryKeyValue.ValueName), nil - case "set.value_name": - return ev.SetRegistryKeyValue.ValueName, nil - case "set_key_value.registry.key_name": - return ev.SetRegistryKeyValue.Registry.KeyName, nil - case "set_key_value.registry.key_name.length": - return len(ev.SetRegistryKeyValue.Registry.KeyName), nil - case "set_key_value.registry.key_path": - return ev.SetRegistryKeyValue.Registry.KeyPath, nil - case "set_key_value.registry.key_path.length": - return len(ev.SetRegistryKeyValue.Registry.KeyPath), nil - case "set_key_value.registry.value_name": - return ev.SetRegistryKeyValue.ValueName, nil - case "set_key_value.registry.value_name.length": - return len(ev.SetRegistryKeyValue.ValueName), nil - case "set_key_value.value_name": - return ev.SetRegistryKeyValue.ValueName, nil - case "write.file.device_path": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.WriteFile.File), nil - case "write.file.device_path.length": - return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.WriteFile.File), nil - case "write.file.name": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.WriteFile.File), nil - case "write.file.name.length": - return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.WriteFile.File), nil - case "write.file.path": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.WriteFile.File), nil - case "write.file.path.length": - return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.WriteFile.File), nil + m := &Model{} + evaluator, err := m.GetEvaluator(field, "") + if err != nil { + return nil, err } - return nil, &eval.ErrFieldNotFound{Field: field} + ctx := eval.NewContext(ev) + value := evaluator.Eval(ctx) + if ctx.Error != nil { + return nil, ctx.Error + } + return value, nil } func (ev *Event) GetFieldMetadata(field eval.Field) (eval.EventType, reflect.Kind, error) { switch field {