update(event): update event schema
Rename pgid to vpgid, add a separate pgid field in execve exit events

Signed-off-by: Grzegorz Nosek <[email protected]>
gnosek authored and poiana committed Oct 21, 2024
1 parent e044e1e commit 07b3340
Showing 2 changed files with 16 additions and 12 deletions.
14 changes: 8 additions & 6 deletions falco_event/api/event_table.c
@@ -1644,7 +1644,7 @@ const struct ppm_event_info g_event_info[] = {
[PPME_SYSCALL_EXECVE_19_X] = {"execve",
EC_PROCESS | EC_SYSCALL,
EF_MODIFIES_STATE,
28,
29,
{{"res", PT_ERRNO, PF_DEC},
{"exe", PT_CHARBUF, PF_NA},
{"args", PT_BYTEBUF, PF_NA},
@@ -1662,7 +1662,7 @@ const struct ppm_event_info g_event_info[] = {
{"cgroups", PT_BYTEBUF, PF_NA},
{"env", PT_BYTEBUF, PF_NA},
{"tty", PT_UINT32, PF_DEC},
{"pgid", PT_PID, PF_DEC},
{"vpgid", PT_PID, PF_DEC},
{"loginuid", PT_UID, PF_DEC},
{"flags", PT_FLAGS32, PF_HEX, execve_flags},
{"cap_inheritable", PT_UINT64, PF_HEX},
@@ -1672,7 +1672,8 @@ const struct ppm_event_info g_event_info[] = {
{"exe_ino_ctime", PT_ABSTIME, PF_DEC},
{"exe_ino_mtime", PT_ABSTIME, PF_DEC},
{"uid", PT_UID, PF_DEC},
{"trusted_exepath", PT_FSPATH, PF_NA}}},
{"trusted_exepath", PT_FSPATH, PF_NA},
{"pgid", PT_PID, PF_NA}}},
[PPME_SYSCALL_SETPGID_E] = {"setpgid",
EC_PROCESS | EC_SYSCALL,
EF_MODIFIES_STATE,
@@ -1863,7 +1864,7 @@ const struct ppm_event_info g_event_info[] = {
[PPME_SYSCALL_EXECVEAT_X] = {"execveat",
EC_PROCESS | EC_SYSCALL,
EF_MODIFIES_STATE,
28,
29,
{{"res", PT_ERRNO, PF_DEC},
{"exe", PT_CHARBUF, PF_NA},
{"args", PT_BYTEBUF, PF_NA},
@@ -1881,7 +1882,7 @@ const struct ppm_event_info g_event_info[] = {
{"cgroups", PT_BYTEBUF, PF_NA},
{"env", PT_BYTEBUF, PF_NA},
{"tty", PT_UINT32, PF_DEC},
{"pgid", PT_PID, PF_DEC},
{"vpgid", PT_PID, PF_DEC},
{"loginuid", PT_UID, PF_DEC},
{"flags", PT_FLAGS32, PF_HEX, execve_flags},
{"cap_inheritable", PT_UINT64, PF_HEX},
@@ -1891,7 +1892,8 @@ const struct ppm_event_info g_event_info[] = {
{"exe_ino_ctime", PT_ABSTIME, PF_DEC},
{"exe_ino_mtime", PT_ABSTIME, PF_DEC},
{"uid", PT_UID, PF_DEC},
{"trusted_exepath", PT_FSPATH, PF_NA}}},
{"trusted_exepath", PT_FSPATH, PF_NA},
{"pgid", PT_PID, PF_NA}}},
[PPME_SYSCALL_COPY_FILE_RANGE_E] = {"copy_file_range",
EC_FILE | EC_SYSCALL,
EF_USES_FD | EF_READS_FROM_FD | EF_WRITES_TO_FD,
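Review bot: The appended `{"pgid", PT_PID, PF_NA}` entries in PPME_SYSCALL_EXECVE_19_X and PPME_SYSCALL_EXECVEAT_X use `PF_NA`, while the renamed `{"vpgid", PT_PID, PF_DEC}` entry a few lines above them keeps `PF_DEC` for the same `PT_PID` type. Unless the format is dictated by an upstream table that this file mirrors, I would write `{"pgid", PT_PID, PF_DEC}}},` so that both process-group ids render the same way in output that analysts read; the same applies to the two matching entries in falco_event/src/events/types.rs. The g_event_info initializer starts and ends outside the visible hunks.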
14 changes: 8 additions & 6 deletions falco_event/src/events/types.rs
@@ -1596,7 +1596,7 @@ event_info! {
[PPME_SYSCALL_EXECVE_19_X] = {"execve",
EC_PROCESS | EC_SYSCALL,
EF_MODIFIES_STATE,
28,
29,
{{"res", PT_ERRNO, PF_DEC},
{"exe", PT_CHARBUF, PF_NA},
{"args", PT_BYTEBUF, PF_NA},
@@ -1614,7 +1614,7 @@ event_info! {
{"cgroups", PT_BYTEBUF, PF_NA},
{"env", PT_BYTEBUF, PF_NA},
{"tty", PT_UINT32, PF_DEC},
{"pgid", PT_PID, PF_DEC},
{"vpgid", PT_PID, PF_DEC},
{"loginuid", PT_UID, PF_DEC},
{"flags", PT_FLAGS32, PF_HEX, execve_flags},
{"cap_inheritable", PT_UINT64, PF_HEX},
@@ -1624,7 +1624,8 @@ event_info! {
{"exe_ino_ctime", PT_ABSTIME, PF_DEC},
{"exe_ino_mtime", PT_ABSTIME, PF_DEC},
{"uid", PT_UID, PF_DEC},
{"trusted_exepath", PT_FSPATH, PF_NA}}},
{"trusted_exepath", PT_FSPATH, PF_NA},
{"pgid", PT_PID, PF_NA}}},
[PPME_SYSCALL_SETPGID_E] = {"setpgid",
EC_PROCESS | EC_SYSCALL,
EF_MODIFIES_STATE,
@@ -1815,7 +1816,7 @@ event_info! {
[PPME_SYSCALL_EXECVEAT_X] = {"execveat",
EC_PROCESS | EC_SYSCALL,
EF_MODIFIES_STATE,
28,
29,
{{"res", PT_ERRNO, PF_DEC},
{"exe", PT_CHARBUF, PF_NA},
{"args", PT_BYTEBUF, PF_NA},
@@ -1833,7 +1834,7 @@ event_info! {
{"cgroups", PT_BYTEBUF, PF_NA},
{"env", PT_BYTEBUF, PF_NA},
{"tty", PT_UINT32, PF_DEC},
{"pgid", PT_PID, PF_DEC},
{"vpgid", PT_PID, PF_DEC},
{"loginuid", PT_UID, PF_DEC},
{"flags", PT_FLAGS32, PF_HEX, execve_flags},
{"cap_inheritable", PT_UINT64, PF_HEX},
@@ -1843,7 +1844,8 @@ event_info! {
{"exe_ino_ctime", PT_ABSTIME, PF_DEC},
{"exe_ino_mtime", PT_ABSTIME, PF_DEC},
{"uid", PT_UID, PF_DEC},
{"trusted_exepath", PT_FSPATH, PF_NA}}},
{"trusted_exepath", PT_FSPATH, PF_NA},
{"pgid", PT_PID, PF_NA}}},
[PPME_SYSCALL_COPY_FILE_RANGE_E] = {"copy_file_range",
EC_FILE | EC_SYSCALL,
EF_USES_FD | EF_READS_FROM_FD | EF_WRITES_TO_FD,
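Review bot: Reusing the name `pgid` for the new trailing parameter, while the value that used to carry that name becomes `vpgid`, is a silent semantic change for anything that looks the field up by name; in both PPME_SYSCALL_EXECVE_19_X and PPME_SYSCALL_EXECVEAT_X the old slot keeps its position and `PT_PID` type, so existing consumers will presumably still build and simply read a different id. Detection logic that correlates process groups across exec events would be affected without any error being raised. I would add a comment above the new entry, e.g. `// pgid: appended as param 29; captures with 28 params lack it, and the pre-rename "pgid" is now "vpgid"`, and confirm that the code generated by `event_info!` treats the trailing parameter as optional when it parses older events. The macro body is outside the hunks, so this is inferred from the table alone.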
