// github.com/DataDog/datadog-agent/pkg/security/secl@v0.55.0-devel.0.20240517055856-10c4965fea94/model/accessors_unix.go

// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2022-present Datadog, Inc.
// Code generated - DO NOT EDIT.

//go:build unix

package model

import (
	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
	"net"
	"reflect"
)

// GetIterator returns the eval.Iterator associated with field.
//
// Only the three process-ancestor fields have an iterator, and they all share
// ProcessAncestorsIterator. Any other field name is rejected with an
// *eval.ErrIteratorNotSupported that carries the offending field, so a caller
// can report exactly which field could not be iterated.
func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error) {
	switch field {
	case "process.ancestors", "ptrace.tracee.ancestors", "signal.target.ancestors":
		// A new iterator value is handed out on every call.
		return &ProcessAncestorsIterator{}, nil
	default:
		return nil, &eval.ErrIteratorNotSupported{Field: field}
	}
}

// GetEventTypes lists, in alphabetical order, the event types known to the
// unix build of this model.
//
// A newly allocated slice is returned on every call.
// NOTE(review): presumably this is the set of event types that rules may
// target on unix; confirm against the rule engine before relying on it for
// coverage decisions.
func (m *Model) GetEventTypes() []eval.EventType {
	names := [...]string{
		"bind",
		"bpf",
		"capset",
		"chdir",
		"chmod",
		"chown",
		"dns",
		"exec",
		"exit",
		"link",
		"load_module",
		"mkdir",
		"mmap",
		"mount",
		"mprotect",
		"open",
		"ptrace",
		"removexattr",
		"rename",
		"rmdir",
		"selinux",
		"setgid",
		"setuid",
		"setxattr",
		"signal",
		"splice",
		"unlink",
		"unload_module",
		"utimes",
	}

	types := make([]eval.EventType, 0, len(names))
	for _, name := range names {
		types = append(types, eval.EventType(name))
	}
	return types
}

func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error) {
	switch
field { 63 case "bind.addr.family": 64 return &eval.IntEvaluator{ 65 EvalFnc: func(ctx *eval.Context) int { 66 ev := ctx.Event.(*Event) 67 return int(ev.Bind.AddrFamily) 68 }, 69 Field: field, 70 Weight: eval.FunctionWeight, 71 }, nil 72 case "bind.addr.ip": 73 return &eval.CIDREvaluator{ 74 EvalFnc: func(ctx *eval.Context) net.IPNet { 75 ev := ctx.Event.(*Event) 76 return ev.Bind.Addr.IPNet 77 }, 78 Field: field, 79 Weight: eval.FunctionWeight, 80 }, nil 81 case "bind.addr.port": 82 return &eval.IntEvaluator{ 83 EvalFnc: func(ctx *eval.Context) int { 84 ev := ctx.Event.(*Event) 85 return int(ev.Bind.Addr.Port) 86 }, 87 Field: field, 88 Weight: eval.FunctionWeight, 89 }, nil 90 case "bind.retval": 91 return &eval.IntEvaluator{ 92 EvalFnc: func(ctx *eval.Context) int { 93 ev := ctx.Event.(*Event) 94 return int(ev.Bind.SyscallEvent.Retval) 95 }, 96 Field: field, 97 Weight: eval.FunctionWeight, 98 }, nil 99 case "bpf.cmd": 100 return &eval.IntEvaluator{ 101 EvalFnc: func(ctx *eval.Context) int { 102 ev := ctx.Event.(*Event) 103 return int(ev.BPF.Cmd) 104 }, 105 Field: field, 106 Weight: eval.FunctionWeight, 107 }, nil 108 case "bpf.map.name": 109 return &eval.StringEvaluator{ 110 EvalFnc: func(ctx *eval.Context) string { 111 ev := ctx.Event.(*Event) 112 return ev.BPF.Map.Name 113 }, 114 Field: field, 115 Weight: eval.FunctionWeight, 116 }, nil 117 case "bpf.map.type": 118 return &eval.IntEvaluator{ 119 EvalFnc: func(ctx *eval.Context) int { 120 ev := ctx.Event.(*Event) 121 return int(ev.BPF.Map.Type) 122 }, 123 Field: field, 124 Weight: eval.FunctionWeight, 125 }, nil 126 case "bpf.prog.attach_type": 127 return &eval.IntEvaluator{ 128 EvalFnc: func(ctx *eval.Context) int { 129 ev := ctx.Event.(*Event) 130 return int(ev.BPF.Program.AttachType) 131 }, 132 Field: field, 133 Weight: eval.FunctionWeight, 134 }, nil 135 case "bpf.prog.helpers": 136 return &eval.IntArrayEvaluator{ 137 EvalFnc: func(ctx *eval.Context) []int { 138 ev := ctx.Event.(*Event) 139 result := 
make([]int, len(ev.BPF.Program.Helpers)) 140 for i, v := range ev.BPF.Program.Helpers { 141 result[i] = int(v) 142 } 143 return result 144 }, 145 Field: field, 146 Weight: eval.FunctionWeight, 147 }, nil 148 case "bpf.prog.name": 149 return &eval.StringEvaluator{ 150 EvalFnc: func(ctx *eval.Context) string { 151 ev := ctx.Event.(*Event) 152 return ev.BPF.Program.Name 153 }, 154 Field: field, 155 Weight: eval.FunctionWeight, 156 }, nil 157 case "bpf.prog.tag": 158 return &eval.StringEvaluator{ 159 EvalFnc: func(ctx *eval.Context) string { 160 ev := ctx.Event.(*Event) 161 return ev.BPF.Program.Tag 162 }, 163 Field: field, 164 Weight: eval.FunctionWeight, 165 }, nil 166 case "bpf.prog.type": 167 return &eval.IntEvaluator{ 168 EvalFnc: func(ctx *eval.Context) int { 169 ev := ctx.Event.(*Event) 170 return int(ev.BPF.Program.Type) 171 }, 172 Field: field, 173 Weight: eval.FunctionWeight, 174 }, nil 175 case "bpf.retval": 176 return &eval.IntEvaluator{ 177 EvalFnc: func(ctx *eval.Context) int { 178 ev := ctx.Event.(*Event) 179 return int(ev.BPF.SyscallEvent.Retval) 180 }, 181 Field: field, 182 Weight: eval.FunctionWeight, 183 }, nil 184 case "capset.cap_effective": 185 return &eval.IntEvaluator{ 186 EvalFnc: func(ctx *eval.Context) int { 187 ev := ctx.Event.(*Event) 188 return int(ev.Capset.CapEffective) 189 }, 190 Field: field, 191 Weight: eval.FunctionWeight, 192 }, nil 193 case "capset.cap_permitted": 194 return &eval.IntEvaluator{ 195 EvalFnc: func(ctx *eval.Context) int { 196 ev := ctx.Event.(*Event) 197 return int(ev.Capset.CapPermitted) 198 }, 199 Field: field, 200 Weight: eval.FunctionWeight, 201 }, nil 202 case "chdir.file.change_time": 203 return &eval.IntEvaluator{ 204 EvalFnc: func(ctx *eval.Context) int { 205 ev := ctx.Event.(*Event) 206 return int(ev.Chdir.File.FileFields.CTime) 207 }, 208 Field: field, 209 Weight: eval.FunctionWeight, 210 }, nil 211 case "chdir.file.filesystem": 212 return &eval.StringEvaluator{ 213 EvalFnc: func(ctx *eval.Context) string { 
214 ev := ctx.Event.(*Event) 215 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chdir.File) 216 }, 217 Field: field, 218 Weight: eval.HandlerWeight, 219 }, nil 220 case "chdir.file.gid": 221 return &eval.IntEvaluator{ 222 EvalFnc: func(ctx *eval.Context) int { 223 ev := ctx.Event.(*Event) 224 return int(ev.Chdir.File.FileFields.GID) 225 }, 226 Field: field, 227 Weight: eval.FunctionWeight, 228 }, nil 229 case "chdir.file.group": 230 return &eval.StringEvaluator{ 231 EvalFnc: func(ctx *eval.Context) string { 232 ev := ctx.Event.(*Event) 233 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chdir.File.FileFields) 234 }, 235 Field: field, 236 Weight: eval.HandlerWeight, 237 }, nil 238 case "chdir.file.hashes": 239 return &eval.StringArrayEvaluator{ 240 EvalFnc: func(ctx *eval.Context) []string { 241 ev := ctx.Event.(*Event) 242 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chdir.File) 243 }, 244 Field: field, 245 Weight: 999 * eval.HandlerWeight, 246 }, nil 247 case "chdir.file.in_upper_layer": 248 return &eval.BoolEvaluator{ 249 EvalFnc: func(ctx *eval.Context) bool { 250 ev := ctx.Event.(*Event) 251 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chdir.File.FileFields) 252 }, 253 Field: field, 254 Weight: eval.HandlerWeight, 255 }, nil 256 case "chdir.file.inode": 257 return &eval.IntEvaluator{ 258 EvalFnc: func(ctx *eval.Context) int { 259 ev := ctx.Event.(*Event) 260 return int(ev.Chdir.File.FileFields.PathKey.Inode) 261 }, 262 Field: field, 263 Weight: eval.FunctionWeight, 264 }, nil 265 case "chdir.file.mode": 266 return &eval.IntEvaluator{ 267 EvalFnc: func(ctx *eval.Context) int { 268 ev := ctx.Event.(*Event) 269 return int(ev.Chdir.File.FileFields.Mode) 270 }, 271 Field: field, 272 Weight: eval.FunctionWeight, 273 }, nil 274 case "chdir.file.modification_time": 275 return &eval.IntEvaluator{ 276 EvalFnc: func(ctx *eval.Context) int { 277 ev := ctx.Event.(*Event) 278 return int(ev.Chdir.File.FileFields.MTime) 279 }, 280 
Field: field, 281 Weight: eval.FunctionWeight, 282 }, nil 283 case "chdir.file.mount_id": 284 return &eval.IntEvaluator{ 285 EvalFnc: func(ctx *eval.Context) int { 286 ev := ctx.Event.(*Event) 287 return int(ev.Chdir.File.FileFields.PathKey.MountID) 288 }, 289 Field: field, 290 Weight: eval.FunctionWeight, 291 }, nil 292 case "chdir.file.name": 293 return &eval.StringEvaluator{ 294 OpOverrides: ProcessSymlinkBasename, 295 EvalFnc: func(ctx *eval.Context) string { 296 ev := ctx.Event.(*Event) 297 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chdir.File) 298 }, 299 Field: field, 300 Weight: eval.HandlerWeight, 301 }, nil 302 case "chdir.file.name.length": 303 return &eval.IntEvaluator{ 304 OpOverrides: ProcessSymlinkBasename, 305 EvalFnc: func(ctx *eval.Context) int { 306 ev := ctx.Event.(*Event) 307 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chdir.File)) 308 }, 309 Field: field, 310 Weight: eval.HandlerWeight, 311 }, nil 312 case "chdir.file.package.name": 313 return &eval.StringEvaluator{ 314 EvalFnc: func(ctx *eval.Context) string { 315 ev := ctx.Event.(*Event) 316 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chdir.File) 317 }, 318 Field: field, 319 Weight: eval.HandlerWeight, 320 }, nil 321 case "chdir.file.package.source_version": 322 return &eval.StringEvaluator{ 323 EvalFnc: func(ctx *eval.Context) string { 324 ev := ctx.Event.(*Event) 325 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chdir.File) 326 }, 327 Field: field, 328 Weight: eval.HandlerWeight, 329 }, nil 330 case "chdir.file.package.version": 331 return &eval.StringEvaluator{ 332 EvalFnc: func(ctx *eval.Context) string { 333 ev := ctx.Event.(*Event) 334 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chdir.File) 335 }, 336 Field: field, 337 Weight: eval.HandlerWeight, 338 }, nil 339 case "chdir.file.path": 340 return &eval.StringEvaluator{ 341 OpOverrides: ProcessSymlinkPathname, 342 EvalFnc: func(ctx *eval.Context) string { 343 ev := ctx.Event.(*Event) 344 
return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chdir.File) 345 }, 346 Field: field, 347 Weight: eval.HandlerWeight, 348 }, nil 349 case "chdir.file.path.length": 350 return &eval.IntEvaluator{ 351 OpOverrides: ProcessSymlinkPathname, 352 EvalFnc: func(ctx *eval.Context) int { 353 ev := ctx.Event.(*Event) 354 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Chdir.File)) 355 }, 356 Field: field, 357 Weight: eval.HandlerWeight, 358 }, nil 359 case "chdir.file.rights": 360 return &eval.IntEvaluator{ 361 EvalFnc: func(ctx *eval.Context) int { 362 ev := ctx.Event.(*Event) 363 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Chdir.File.FileFields)) 364 }, 365 Field: field, 366 Weight: eval.HandlerWeight, 367 }, nil 368 case "chdir.file.uid": 369 return &eval.IntEvaluator{ 370 EvalFnc: func(ctx *eval.Context) int { 371 ev := ctx.Event.(*Event) 372 return int(ev.Chdir.File.FileFields.UID) 373 }, 374 Field: field, 375 Weight: eval.FunctionWeight, 376 }, nil 377 case "chdir.file.user": 378 return &eval.StringEvaluator{ 379 EvalFnc: func(ctx *eval.Context) string { 380 ev := ctx.Event.(*Event) 381 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chdir.File.FileFields) 382 }, 383 Field: field, 384 Weight: eval.HandlerWeight, 385 }, nil 386 case "chdir.retval": 387 return &eval.IntEvaluator{ 388 EvalFnc: func(ctx *eval.Context) int { 389 ev := ctx.Event.(*Event) 390 return int(ev.Chdir.SyscallEvent.Retval) 391 }, 392 Field: field, 393 Weight: eval.FunctionWeight, 394 }, nil 395 case "chmod.file.change_time": 396 return &eval.IntEvaluator{ 397 EvalFnc: func(ctx *eval.Context) int { 398 ev := ctx.Event.(*Event) 399 return int(ev.Chmod.File.FileFields.CTime) 400 }, 401 Field: field, 402 Weight: eval.FunctionWeight, 403 }, nil 404 case "chmod.file.destination.mode": 405 return &eval.IntEvaluator{ 406 EvalFnc: func(ctx *eval.Context) int { 407 ev := ctx.Event.(*Event) 408 return int(ev.Chmod.Mode) 409 }, 410 Field: field, 411 Weight: eval.FunctionWeight, 412 }, nil 413 case 
"chmod.file.destination.rights": 414 return &eval.IntEvaluator{ 415 EvalFnc: func(ctx *eval.Context) int { 416 ev := ctx.Event.(*Event) 417 return int(ev.Chmod.Mode) 418 }, 419 Field: field, 420 Weight: eval.FunctionWeight, 421 }, nil 422 case "chmod.file.filesystem": 423 return &eval.StringEvaluator{ 424 EvalFnc: func(ctx *eval.Context) string { 425 ev := ctx.Event.(*Event) 426 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chmod.File) 427 }, 428 Field: field, 429 Weight: eval.HandlerWeight, 430 }, nil 431 case "chmod.file.gid": 432 return &eval.IntEvaluator{ 433 EvalFnc: func(ctx *eval.Context) int { 434 ev := ctx.Event.(*Event) 435 return int(ev.Chmod.File.FileFields.GID) 436 }, 437 Field: field, 438 Weight: eval.FunctionWeight, 439 }, nil 440 case "chmod.file.group": 441 return &eval.StringEvaluator{ 442 EvalFnc: func(ctx *eval.Context) string { 443 ev := ctx.Event.(*Event) 444 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chmod.File.FileFields) 445 }, 446 Field: field, 447 Weight: eval.HandlerWeight, 448 }, nil 449 case "chmod.file.hashes": 450 return &eval.StringArrayEvaluator{ 451 EvalFnc: func(ctx *eval.Context) []string { 452 ev := ctx.Event.(*Event) 453 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chmod.File) 454 }, 455 Field: field, 456 Weight: 999 * eval.HandlerWeight, 457 }, nil 458 case "chmod.file.in_upper_layer": 459 return &eval.BoolEvaluator{ 460 EvalFnc: func(ctx *eval.Context) bool { 461 ev := ctx.Event.(*Event) 462 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chmod.File.FileFields) 463 }, 464 Field: field, 465 Weight: eval.HandlerWeight, 466 }, nil 467 case "chmod.file.inode": 468 return &eval.IntEvaluator{ 469 EvalFnc: func(ctx *eval.Context) int { 470 ev := ctx.Event.(*Event) 471 return int(ev.Chmod.File.FileFields.PathKey.Inode) 472 }, 473 Field: field, 474 Weight: eval.FunctionWeight, 475 }, nil 476 case "chmod.file.mode": 477 return &eval.IntEvaluator{ 478 EvalFnc: func(ctx *eval.Context) int { 
479 ev := ctx.Event.(*Event) 480 return int(ev.Chmod.File.FileFields.Mode) 481 }, 482 Field: field, 483 Weight: eval.FunctionWeight, 484 }, nil 485 case "chmod.file.modification_time": 486 return &eval.IntEvaluator{ 487 EvalFnc: func(ctx *eval.Context) int { 488 ev := ctx.Event.(*Event) 489 return int(ev.Chmod.File.FileFields.MTime) 490 }, 491 Field: field, 492 Weight: eval.FunctionWeight, 493 }, nil 494 case "chmod.file.mount_id": 495 return &eval.IntEvaluator{ 496 EvalFnc: func(ctx *eval.Context) int { 497 ev := ctx.Event.(*Event) 498 return int(ev.Chmod.File.FileFields.PathKey.MountID) 499 }, 500 Field: field, 501 Weight: eval.FunctionWeight, 502 }, nil 503 case "chmod.file.name": 504 return &eval.StringEvaluator{ 505 OpOverrides: ProcessSymlinkBasename, 506 EvalFnc: func(ctx *eval.Context) string { 507 ev := ctx.Event.(*Event) 508 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chmod.File) 509 }, 510 Field: field, 511 Weight: eval.HandlerWeight, 512 }, nil 513 case "chmod.file.name.length": 514 return &eval.IntEvaluator{ 515 OpOverrides: ProcessSymlinkBasename, 516 EvalFnc: func(ctx *eval.Context) int { 517 ev := ctx.Event.(*Event) 518 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chmod.File)) 519 }, 520 Field: field, 521 Weight: eval.HandlerWeight, 522 }, nil 523 case "chmod.file.package.name": 524 return &eval.StringEvaluator{ 525 EvalFnc: func(ctx *eval.Context) string { 526 ev := ctx.Event.(*Event) 527 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chmod.File) 528 }, 529 Field: field, 530 Weight: eval.HandlerWeight, 531 }, nil 532 case "chmod.file.package.source_version": 533 return &eval.StringEvaluator{ 534 EvalFnc: func(ctx *eval.Context) string { 535 ev := ctx.Event.(*Event) 536 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chmod.File) 537 }, 538 Field: field, 539 Weight: eval.HandlerWeight, 540 }, nil 541 case "chmod.file.package.version": 542 return &eval.StringEvaluator{ 543 EvalFnc: func(ctx *eval.Context) string { 
544 ev := ctx.Event.(*Event) 545 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chmod.File) 546 }, 547 Field: field, 548 Weight: eval.HandlerWeight, 549 }, nil 550 case "chmod.file.path": 551 return &eval.StringEvaluator{ 552 OpOverrides: ProcessSymlinkPathname, 553 EvalFnc: func(ctx *eval.Context) string { 554 ev := ctx.Event.(*Event) 555 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chmod.File) 556 }, 557 Field: field, 558 Weight: eval.HandlerWeight, 559 }, nil 560 case "chmod.file.path.length": 561 return &eval.IntEvaluator{ 562 OpOverrides: ProcessSymlinkPathname, 563 EvalFnc: func(ctx *eval.Context) int { 564 ev := ctx.Event.(*Event) 565 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Chmod.File)) 566 }, 567 Field: field, 568 Weight: eval.HandlerWeight, 569 }, nil 570 case "chmod.file.rights": 571 return &eval.IntEvaluator{ 572 EvalFnc: func(ctx *eval.Context) int { 573 ev := ctx.Event.(*Event) 574 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Chmod.File.FileFields)) 575 }, 576 Field: field, 577 Weight: eval.HandlerWeight, 578 }, nil 579 case "chmod.file.uid": 580 return &eval.IntEvaluator{ 581 EvalFnc: func(ctx *eval.Context) int { 582 ev := ctx.Event.(*Event) 583 return int(ev.Chmod.File.FileFields.UID) 584 }, 585 Field: field, 586 Weight: eval.FunctionWeight, 587 }, nil 588 case "chmod.file.user": 589 return &eval.StringEvaluator{ 590 EvalFnc: func(ctx *eval.Context) string { 591 ev := ctx.Event.(*Event) 592 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chmod.File.FileFields) 593 }, 594 Field: field, 595 Weight: eval.HandlerWeight, 596 }, nil 597 case "chmod.retval": 598 return &eval.IntEvaluator{ 599 EvalFnc: func(ctx *eval.Context) int { 600 ev := ctx.Event.(*Event) 601 return int(ev.Chmod.SyscallEvent.Retval) 602 }, 603 Field: field, 604 Weight: eval.FunctionWeight, 605 }, nil 606 case "chown.file.change_time": 607 return &eval.IntEvaluator{ 608 EvalFnc: func(ctx *eval.Context) int { 609 ev := ctx.Event.(*Event) 610 return 
int(ev.Chown.File.FileFields.CTime) 611 }, 612 Field: field, 613 Weight: eval.FunctionWeight, 614 }, nil 615 case "chown.file.destination.gid": 616 return &eval.IntEvaluator{ 617 EvalFnc: func(ctx *eval.Context) int { 618 ev := ctx.Event.(*Event) 619 return int(ev.Chown.GID) 620 }, 621 Field: field, 622 Weight: eval.FunctionWeight, 623 }, nil 624 case "chown.file.destination.group": 625 return &eval.StringEvaluator{ 626 EvalFnc: func(ctx *eval.Context) string { 627 ev := ctx.Event.(*Event) 628 return ev.FieldHandlers.ResolveChownGID(ev, &ev.Chown) 629 }, 630 Field: field, 631 Weight: eval.HandlerWeight, 632 }, nil 633 case "chown.file.destination.uid": 634 return &eval.IntEvaluator{ 635 EvalFnc: func(ctx *eval.Context) int { 636 ev := ctx.Event.(*Event) 637 return int(ev.Chown.UID) 638 }, 639 Field: field, 640 Weight: eval.FunctionWeight, 641 }, nil 642 case "chown.file.destination.user": 643 return &eval.StringEvaluator{ 644 EvalFnc: func(ctx *eval.Context) string { 645 ev := ctx.Event.(*Event) 646 return ev.FieldHandlers.ResolveChownUID(ev, &ev.Chown) 647 }, 648 Field: field, 649 Weight: eval.HandlerWeight, 650 }, nil 651 case "chown.file.filesystem": 652 return &eval.StringEvaluator{ 653 EvalFnc: func(ctx *eval.Context) string { 654 ev := ctx.Event.(*Event) 655 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chown.File) 656 }, 657 Field: field, 658 Weight: eval.HandlerWeight, 659 }, nil 660 case "chown.file.gid": 661 return &eval.IntEvaluator{ 662 EvalFnc: func(ctx *eval.Context) int { 663 ev := ctx.Event.(*Event) 664 return int(ev.Chown.File.FileFields.GID) 665 }, 666 Field: field, 667 Weight: eval.FunctionWeight, 668 }, nil 669 case "chown.file.group": 670 return &eval.StringEvaluator{ 671 EvalFnc: func(ctx *eval.Context) string { 672 ev := ctx.Event.(*Event) 673 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chown.File.FileFields) 674 }, 675 Field: field, 676 Weight: eval.HandlerWeight, 677 }, nil 678 case "chown.file.hashes": 679 return 
&eval.StringArrayEvaluator{ 680 EvalFnc: func(ctx *eval.Context) []string { 681 ev := ctx.Event.(*Event) 682 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chown.File) 683 }, 684 Field: field, 685 Weight: 999 * eval.HandlerWeight, 686 }, nil 687 case "chown.file.in_upper_layer": 688 return &eval.BoolEvaluator{ 689 EvalFnc: func(ctx *eval.Context) bool { 690 ev := ctx.Event.(*Event) 691 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chown.File.FileFields) 692 }, 693 Field: field, 694 Weight: eval.HandlerWeight, 695 }, nil 696 case "chown.file.inode": 697 return &eval.IntEvaluator{ 698 EvalFnc: func(ctx *eval.Context) int { 699 ev := ctx.Event.(*Event) 700 return int(ev.Chown.File.FileFields.PathKey.Inode) 701 }, 702 Field: field, 703 Weight: eval.FunctionWeight, 704 }, nil 705 case "chown.file.mode": 706 return &eval.IntEvaluator{ 707 EvalFnc: func(ctx *eval.Context) int { 708 ev := ctx.Event.(*Event) 709 return int(ev.Chown.File.FileFields.Mode) 710 }, 711 Field: field, 712 Weight: eval.FunctionWeight, 713 }, nil 714 case "chown.file.modification_time": 715 return &eval.IntEvaluator{ 716 EvalFnc: func(ctx *eval.Context) int { 717 ev := ctx.Event.(*Event) 718 return int(ev.Chown.File.FileFields.MTime) 719 }, 720 Field: field, 721 Weight: eval.FunctionWeight, 722 }, nil 723 case "chown.file.mount_id": 724 return &eval.IntEvaluator{ 725 EvalFnc: func(ctx *eval.Context) int { 726 ev := ctx.Event.(*Event) 727 return int(ev.Chown.File.FileFields.PathKey.MountID) 728 }, 729 Field: field, 730 Weight: eval.FunctionWeight, 731 }, nil 732 case "chown.file.name": 733 return &eval.StringEvaluator{ 734 OpOverrides: ProcessSymlinkBasename, 735 EvalFnc: func(ctx *eval.Context) string { 736 ev := ctx.Event.(*Event) 737 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chown.File) 738 }, 739 Field: field, 740 Weight: eval.HandlerWeight, 741 }, nil 742 case "chown.file.name.length": 743 return &eval.IntEvaluator{ 744 OpOverrides: ProcessSymlinkBasename, 745 
EvalFnc: func(ctx *eval.Context) int { 746 ev := ctx.Event.(*Event) 747 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chown.File)) 748 }, 749 Field: field, 750 Weight: eval.HandlerWeight, 751 }, nil 752 case "chown.file.package.name": 753 return &eval.StringEvaluator{ 754 EvalFnc: func(ctx *eval.Context) string { 755 ev := ctx.Event.(*Event) 756 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chown.File) 757 }, 758 Field: field, 759 Weight: eval.HandlerWeight, 760 }, nil 761 case "chown.file.package.source_version": 762 return &eval.StringEvaluator{ 763 EvalFnc: func(ctx *eval.Context) string { 764 ev := ctx.Event.(*Event) 765 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chown.File) 766 }, 767 Field: field, 768 Weight: eval.HandlerWeight, 769 }, nil 770 case "chown.file.package.version": 771 return &eval.StringEvaluator{ 772 EvalFnc: func(ctx *eval.Context) string { 773 ev := ctx.Event.(*Event) 774 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chown.File) 775 }, 776 Field: field, 777 Weight: eval.HandlerWeight, 778 }, nil 779 case "chown.file.path": 780 return &eval.StringEvaluator{ 781 OpOverrides: ProcessSymlinkPathname, 782 EvalFnc: func(ctx *eval.Context) string { 783 ev := ctx.Event.(*Event) 784 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chown.File) 785 }, 786 Field: field, 787 Weight: eval.HandlerWeight, 788 }, nil 789 case "chown.file.path.length": 790 return &eval.IntEvaluator{ 791 OpOverrides: ProcessSymlinkPathname, 792 EvalFnc: func(ctx *eval.Context) int { 793 ev := ctx.Event.(*Event) 794 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Chown.File)) 795 }, 796 Field: field, 797 Weight: eval.HandlerWeight, 798 }, nil 799 case "chown.file.rights": 800 return &eval.IntEvaluator{ 801 EvalFnc: func(ctx *eval.Context) int { 802 ev := ctx.Event.(*Event) 803 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Chown.File.FileFields)) 804 }, 805 Field: field, 806 Weight: eval.HandlerWeight, 807 }, nil 808 case 
"chown.file.uid": 809 return &eval.IntEvaluator{ 810 EvalFnc: func(ctx *eval.Context) int { 811 ev := ctx.Event.(*Event) 812 return int(ev.Chown.File.FileFields.UID) 813 }, 814 Field: field, 815 Weight: eval.FunctionWeight, 816 }, nil 817 case "chown.file.user": 818 return &eval.StringEvaluator{ 819 EvalFnc: func(ctx *eval.Context) string { 820 ev := ctx.Event.(*Event) 821 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chown.File.FileFields) 822 }, 823 Field: field, 824 Weight: eval.HandlerWeight, 825 }, nil 826 case "chown.retval": 827 return &eval.IntEvaluator{ 828 EvalFnc: func(ctx *eval.Context) int { 829 ev := ctx.Event.(*Event) 830 return int(ev.Chown.SyscallEvent.Retval) 831 }, 832 Field: field, 833 Weight: eval.FunctionWeight, 834 }, nil 835 case "container.created_at": 836 return &eval.IntEvaluator{ 837 EvalFnc: func(ctx *eval.Context) int { 838 ev := ctx.Event.(*Event) 839 return int(ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.BaseEvent.ContainerContext)) 840 }, 841 Field: field, 842 Weight: eval.HandlerWeight, 843 }, nil 844 case "container.id": 845 return &eval.StringEvaluator{ 846 EvalFnc: func(ctx *eval.Context) string { 847 ev := ctx.Event.(*Event) 848 return ev.FieldHandlers.ResolveContainerID(ev, ev.BaseEvent.ContainerContext) 849 }, 850 Field: field, 851 Weight: eval.HandlerWeight, 852 }, nil 853 case "container.tags": 854 return &eval.StringArrayEvaluator{ 855 EvalFnc: func(ctx *eval.Context) []string { 856 ev := ctx.Event.(*Event) 857 return ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext) 858 }, 859 Field: field, 860 Weight: 9999 * eval.HandlerWeight, 861 }, nil 862 case "dns.id": 863 return &eval.IntEvaluator{ 864 EvalFnc: func(ctx *eval.Context) int { 865 ev := ctx.Event.(*Event) 866 return int(ev.DNS.ID) 867 }, 868 Field: field, 869 Weight: eval.FunctionWeight, 870 }, nil 871 case "dns.question.class": 872 return &eval.IntEvaluator{ 873 EvalFnc: func(ctx *eval.Context) int { 874 ev := ctx.Event.(*Event) 
875 return int(ev.DNS.Class) 876 }, 877 Field: field, 878 Weight: eval.FunctionWeight, 879 }, nil 880 case "dns.question.count": 881 return &eval.IntEvaluator{ 882 EvalFnc: func(ctx *eval.Context) int { 883 ev := ctx.Event.(*Event) 884 return int(ev.DNS.Count) 885 }, 886 Field: field, 887 Weight: eval.FunctionWeight, 888 }, nil 889 case "dns.question.length": 890 return &eval.IntEvaluator{ 891 EvalFnc: func(ctx *eval.Context) int { 892 ev := ctx.Event.(*Event) 893 return int(ev.DNS.Size) 894 }, 895 Field: field, 896 Weight: eval.FunctionWeight, 897 }, nil 898 case "dns.question.name": 899 return &eval.StringEvaluator{ 900 OpOverrides: eval.CaseInsensitiveCmp, 901 EvalFnc: func(ctx *eval.Context) string { 902 ev := ctx.Event.(*Event) 903 return ev.DNS.Name 904 }, 905 Field: field, 906 Weight: eval.FunctionWeight, 907 }, nil 908 case "dns.question.name.length": 909 return &eval.IntEvaluator{ 910 OpOverrides: eval.CaseInsensitiveCmp, 911 EvalFnc: func(ctx *eval.Context) int { 912 ev := ctx.Event.(*Event) 913 return len(ev.DNS.Name) 914 }, 915 Field: field, 916 Weight: eval.FunctionWeight, 917 }, nil 918 case "dns.question.type": 919 return &eval.IntEvaluator{ 920 EvalFnc: func(ctx *eval.Context) int { 921 ev := ctx.Event.(*Event) 922 return int(ev.DNS.Type) 923 }, 924 Field: field, 925 Weight: eval.FunctionWeight, 926 }, nil 927 case "event.async": 928 return &eval.BoolEvaluator{ 929 EvalFnc: func(ctx *eval.Context) bool { 930 ev := ctx.Event.(*Event) 931 return ev.FieldHandlers.ResolveAsync(ev) 932 }, 933 Field: field, 934 Weight: eval.HandlerWeight, 935 }, nil 936 case "event.origin": 937 return &eval.StringEvaluator{ 938 EvalFnc: func(ctx *eval.Context) string { 939 ev := ctx.Event.(*Event) 940 return ev.BaseEvent.Origin 941 }, 942 Field: field, 943 Weight: eval.FunctionWeight, 944 }, nil 945 case "event.os": 946 return &eval.StringEvaluator{ 947 EvalFnc: func(ctx *eval.Context) string { 948 ev := ctx.Event.(*Event) 949 return ev.BaseEvent.Os 950 }, 951 Field: 
field, 952 Weight: eval.FunctionWeight, 953 }, nil 954 case "event.service": 955 return &eval.StringEvaluator{ 956 EvalFnc: func(ctx *eval.Context) string { 957 ev := ctx.Event.(*Event) 958 return ev.FieldHandlers.ResolveService(ev, &ev.BaseEvent) 959 }, 960 Field: field, 961 Weight: eval.HandlerWeight, 962 }, nil 963 case "event.timestamp": 964 return &eval.IntEvaluator{ 965 EvalFnc: func(ctx *eval.Context) int { 966 ev := ctx.Event.(*Event) 967 return int(ev.FieldHandlers.ResolveEventTimestamp(ev, &ev.BaseEvent)) 968 }, 969 Field: field, 970 Weight: eval.HandlerWeight, 971 }, nil 972 case "exec.args": 973 return &eval.StringEvaluator{ 974 EvalFnc: func(ctx *eval.Context) string { 975 ev := ctx.Event.(*Event) 976 return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Exec.Process) 977 }, 978 Field: field, 979 Weight: 500 * eval.HandlerWeight, 980 }, nil 981 case "exec.args_flags": 982 return &eval.StringArrayEvaluator{ 983 EvalFnc: func(ctx *eval.Context) []string { 984 ev := ctx.Event.(*Event) 985 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Exec.Process) 986 }, 987 Field: field, 988 Weight: eval.HandlerWeight, 989 }, nil 990 case "exec.args_options": 991 return &eval.StringArrayEvaluator{ 992 EvalFnc: func(ctx *eval.Context) []string { 993 ev := ctx.Event.(*Event) 994 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Exec.Process) 995 }, 996 Field: field, 997 Weight: eval.HandlerWeight, 998 }, nil 999 case "exec.args_truncated": 1000 return &eval.BoolEvaluator{ 1001 EvalFnc: func(ctx *eval.Context) bool { 1002 ev := ctx.Event.(*Event) 1003 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Exec.Process) 1004 }, 1005 Field: field, 1006 Weight: eval.HandlerWeight, 1007 }, nil 1008 case "exec.argv": 1009 return &eval.StringArrayEvaluator{ 1010 EvalFnc: func(ctx *eval.Context) []string { 1011 ev := ctx.Event.(*Event) 1012 return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Exec.Process) 1013 }, 1014 Field: field, 1015 Weight: 500 * 
eval.HandlerWeight, 1016 }, nil 1017 case "exec.argv0": 1018 return &eval.StringEvaluator{ 1019 EvalFnc: func(ctx *eval.Context) string { 1020 ev := ctx.Event.(*Event) 1021 return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Exec.Process) 1022 }, 1023 Field: field, 1024 Weight: 100 * eval.HandlerWeight, 1025 }, nil 1026 case "exec.cap_effective": 1027 return &eval.IntEvaluator{ 1028 EvalFnc: func(ctx *eval.Context) int { 1029 ev := ctx.Event.(*Event) 1030 return int(ev.Exec.Process.Credentials.CapEffective) 1031 }, 1032 Field: field, 1033 Weight: eval.FunctionWeight, 1034 }, nil 1035 case "exec.cap_permitted": 1036 return &eval.IntEvaluator{ 1037 EvalFnc: func(ctx *eval.Context) int { 1038 ev := ctx.Event.(*Event) 1039 return int(ev.Exec.Process.Credentials.CapPermitted) 1040 }, 1041 Field: field, 1042 Weight: eval.FunctionWeight, 1043 }, nil 1044 case "exec.comm": 1045 return &eval.StringEvaluator{ 1046 EvalFnc: func(ctx *eval.Context) string { 1047 ev := ctx.Event.(*Event) 1048 return ev.Exec.Process.Comm 1049 }, 1050 Field: field, 1051 Weight: eval.FunctionWeight, 1052 }, nil 1053 case "exec.container.id": 1054 return &eval.StringEvaluator{ 1055 EvalFnc: func(ctx *eval.Context) string { 1056 ev := ctx.Event.(*Event) 1057 return ev.Exec.Process.ContainerID 1058 }, 1059 Field: field, 1060 Weight: eval.FunctionWeight, 1061 }, nil 1062 case "exec.created_at": 1063 return &eval.IntEvaluator{ 1064 EvalFnc: func(ctx *eval.Context) int { 1065 ev := ctx.Event.(*Event) 1066 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exec.Process)) 1067 }, 1068 Field: field, 1069 Weight: eval.HandlerWeight, 1070 }, nil 1071 case "exec.egid": 1072 return &eval.IntEvaluator{ 1073 EvalFnc: func(ctx *eval.Context) int { 1074 ev := ctx.Event.(*Event) 1075 return int(ev.Exec.Process.Credentials.EGID) 1076 }, 1077 Field: field, 1078 Weight: eval.FunctionWeight, 1079 }, nil 1080 case "exec.egroup": 1081 return &eval.StringEvaluator{ 1082 EvalFnc: func(ctx *eval.Context) string { 
1083 ev := ctx.Event.(*Event) 1084 return ev.Exec.Process.Credentials.EGroup 1085 }, 1086 Field: field, 1087 Weight: eval.FunctionWeight, 1088 }, nil 1089 case "exec.envp": 1090 return &eval.StringArrayEvaluator{ 1091 EvalFnc: func(ctx *eval.Context) []string { 1092 ev := ctx.Event.(*Event) 1093 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process) 1094 }, 1095 Field: field, 1096 Weight: 100 * eval.HandlerWeight, 1097 }, nil 1098 case "exec.envs": 1099 return &eval.StringArrayEvaluator{ 1100 EvalFnc: func(ctx *eval.Context) []string { 1101 ev := ctx.Event.(*Event) 1102 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process) 1103 }, 1104 Field: field, 1105 Weight: 100 * eval.HandlerWeight, 1106 }, nil 1107 case "exec.envs_truncated": 1108 return &eval.BoolEvaluator{ 1109 EvalFnc: func(ctx *eval.Context) bool { 1110 ev := ctx.Event.(*Event) 1111 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Exec.Process) 1112 }, 1113 Field: field, 1114 Weight: eval.HandlerWeight, 1115 }, nil 1116 case "exec.euid": 1117 return &eval.IntEvaluator{ 1118 EvalFnc: func(ctx *eval.Context) int { 1119 ev := ctx.Event.(*Event) 1120 return int(ev.Exec.Process.Credentials.EUID) 1121 }, 1122 Field: field, 1123 Weight: eval.FunctionWeight, 1124 }, nil 1125 case "exec.euser": 1126 return &eval.StringEvaluator{ 1127 EvalFnc: func(ctx *eval.Context) string { 1128 ev := ctx.Event.(*Event) 1129 return ev.Exec.Process.Credentials.EUser 1130 }, 1131 Field: field, 1132 Weight: eval.FunctionWeight, 1133 }, nil 1134 case "exec.file.change_time": 1135 return &eval.IntEvaluator{ 1136 EvalFnc: func(ctx *eval.Context) int { 1137 ev := ctx.Event.(*Event) 1138 if !ev.Exec.Process.IsNotKworker() { 1139 return 0 1140 } 1141 return int(ev.Exec.Process.FileEvent.FileFields.CTime) 1142 }, 1143 Field: field, 1144 Weight: eval.FunctionWeight, 1145 }, nil 1146 case "exec.file.filesystem": 1147 return &eval.StringEvaluator{ 1148 EvalFnc: func(ctx *eval.Context) string { 1149 ev := 
ctx.Event.(*Event) 1150 if !ev.Exec.Process.IsNotKworker() { 1151 return "" 1152 } 1153 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exec.Process.FileEvent) 1154 }, 1155 Field: field, 1156 Weight: eval.HandlerWeight, 1157 }, nil 1158 case "exec.file.gid": 1159 return &eval.IntEvaluator{ 1160 EvalFnc: func(ctx *eval.Context) int { 1161 ev := ctx.Event.(*Event) 1162 if !ev.Exec.Process.IsNotKworker() { 1163 return 0 1164 } 1165 return int(ev.Exec.Process.FileEvent.FileFields.GID) 1166 }, 1167 Field: field, 1168 Weight: eval.FunctionWeight, 1169 }, nil 1170 case "exec.file.group": 1171 return &eval.StringEvaluator{ 1172 EvalFnc: func(ctx *eval.Context) string { 1173 ev := ctx.Event.(*Event) 1174 if !ev.Exec.Process.IsNotKworker() { 1175 return "" 1176 } 1177 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exec.Process.FileEvent.FileFields) 1178 }, 1179 Field: field, 1180 Weight: eval.HandlerWeight, 1181 }, nil 1182 case "exec.file.hashes": 1183 return &eval.StringArrayEvaluator{ 1184 EvalFnc: func(ctx *eval.Context) []string { 1185 ev := ctx.Event.(*Event) 1186 if !ev.Exec.Process.IsNotKworker() { 1187 return []string{} 1188 } 1189 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exec.Process.FileEvent) 1190 }, 1191 Field: field, 1192 Weight: 999 * eval.HandlerWeight, 1193 }, nil 1194 case "exec.file.in_upper_layer": 1195 return &eval.BoolEvaluator{ 1196 EvalFnc: func(ctx *eval.Context) bool { 1197 ev := ctx.Event.(*Event) 1198 if !ev.Exec.Process.IsNotKworker() { 1199 return false 1200 } 1201 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exec.Process.FileEvent.FileFields) 1202 }, 1203 Field: field, 1204 Weight: eval.HandlerWeight, 1205 }, nil 1206 case "exec.file.inode": 1207 return &eval.IntEvaluator{ 1208 EvalFnc: func(ctx *eval.Context) int { 1209 ev := ctx.Event.(*Event) 1210 if !ev.Exec.Process.IsNotKworker() { 1211 return 0 1212 } 1213 return int(ev.Exec.Process.FileEvent.FileFields.PathKey.Inode) 1214 }, 1215 Field: field, 
1216 Weight: eval.FunctionWeight, 1217 }, nil 1218 case "exec.file.mode": 1219 return &eval.IntEvaluator{ 1220 EvalFnc: func(ctx *eval.Context) int { 1221 ev := ctx.Event.(*Event) 1222 if !ev.Exec.Process.IsNotKworker() { 1223 return 0 1224 } 1225 return int(ev.Exec.Process.FileEvent.FileFields.Mode) 1226 }, 1227 Field: field, 1228 Weight: eval.FunctionWeight, 1229 }, nil 1230 case "exec.file.modification_time": 1231 return &eval.IntEvaluator{ 1232 EvalFnc: func(ctx *eval.Context) int { 1233 ev := ctx.Event.(*Event) 1234 if !ev.Exec.Process.IsNotKworker() { 1235 return 0 1236 } 1237 return int(ev.Exec.Process.FileEvent.FileFields.MTime) 1238 }, 1239 Field: field, 1240 Weight: eval.FunctionWeight, 1241 }, nil 1242 case "exec.file.mount_id": 1243 return &eval.IntEvaluator{ 1244 EvalFnc: func(ctx *eval.Context) int { 1245 ev := ctx.Event.(*Event) 1246 if !ev.Exec.Process.IsNotKworker() { 1247 return 0 1248 } 1249 return int(ev.Exec.Process.FileEvent.FileFields.PathKey.MountID) 1250 }, 1251 Field: field, 1252 Weight: eval.FunctionWeight, 1253 }, nil 1254 case "exec.file.name": 1255 return &eval.StringEvaluator{ 1256 OpOverrides: ProcessSymlinkBasename, 1257 EvalFnc: func(ctx *eval.Context) string { 1258 ev := ctx.Event.(*Event) 1259 if !ev.Exec.Process.IsNotKworker() { 1260 return "" 1261 } 1262 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent) 1263 }, 1264 Field: field, 1265 Weight: eval.HandlerWeight, 1266 }, nil 1267 case "exec.file.name.length": 1268 return &eval.IntEvaluator{ 1269 OpOverrides: ProcessSymlinkBasename, 1270 EvalFnc: func(ctx *eval.Context) int { 1271 ev := ctx.Event.(*Event) 1272 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent)) 1273 }, 1274 Field: field, 1275 Weight: eval.HandlerWeight, 1276 }, nil 1277 case "exec.file.package.name": 1278 return &eval.StringEvaluator{ 1279 EvalFnc: func(ctx *eval.Context) string { 1280 ev := ctx.Event.(*Event) 1281 if !ev.Exec.Process.IsNotKworker() { 1282 
return "" 1283 } 1284 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exec.Process.FileEvent) 1285 }, 1286 Field: field, 1287 Weight: eval.HandlerWeight, 1288 }, nil 1289 case "exec.file.package.source_version": 1290 return &eval.StringEvaluator{ 1291 EvalFnc: func(ctx *eval.Context) string { 1292 ev := ctx.Event.(*Event) 1293 if !ev.Exec.Process.IsNotKworker() { 1294 return "" 1295 } 1296 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exec.Process.FileEvent) 1297 }, 1298 Field: field, 1299 Weight: eval.HandlerWeight, 1300 }, nil 1301 case "exec.file.package.version": 1302 return &eval.StringEvaluator{ 1303 EvalFnc: func(ctx *eval.Context) string { 1304 ev := ctx.Event.(*Event) 1305 if !ev.Exec.Process.IsNotKworker() { 1306 return "" 1307 } 1308 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exec.Process.FileEvent) 1309 }, 1310 Field: field, 1311 Weight: eval.HandlerWeight, 1312 }, nil 1313 case "exec.file.path": 1314 return &eval.StringEvaluator{ 1315 OpOverrides: ProcessSymlinkPathname, 1316 EvalFnc: func(ctx *eval.Context) string { 1317 ev := ctx.Event.(*Event) 1318 if !ev.Exec.Process.IsNotKworker() { 1319 return "" 1320 } 1321 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent) 1322 }, 1323 Field: field, 1324 Weight: eval.HandlerWeight, 1325 }, nil 1326 case "exec.file.path.length": 1327 return &eval.IntEvaluator{ 1328 OpOverrides: ProcessSymlinkPathname, 1329 EvalFnc: func(ctx *eval.Context) int { 1330 ev := ctx.Event.(*Event) 1331 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent)) 1332 }, 1333 Field: field, 1334 Weight: eval.HandlerWeight, 1335 }, nil 1336 case "exec.file.rights": 1337 return &eval.IntEvaluator{ 1338 EvalFnc: func(ctx *eval.Context) int { 1339 ev := ctx.Event.(*Event) 1340 if !ev.Exec.Process.IsNotKworker() { 1341 return 0 1342 } 1343 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exec.Process.FileEvent.FileFields)) 1344 }, 1345 Field: field, 1346 Weight: 
eval.HandlerWeight, 1347 }, nil 1348 case "exec.file.uid": 1349 return &eval.IntEvaluator{ 1350 EvalFnc: func(ctx *eval.Context) int { 1351 ev := ctx.Event.(*Event) 1352 if !ev.Exec.Process.IsNotKworker() { 1353 return 0 1354 } 1355 return int(ev.Exec.Process.FileEvent.FileFields.UID) 1356 }, 1357 Field: field, 1358 Weight: eval.FunctionWeight, 1359 }, nil 1360 case "exec.file.user": 1361 return &eval.StringEvaluator{ 1362 EvalFnc: func(ctx *eval.Context) string { 1363 ev := ctx.Event.(*Event) 1364 if !ev.Exec.Process.IsNotKworker() { 1365 return "" 1366 } 1367 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exec.Process.FileEvent.FileFields) 1368 }, 1369 Field: field, 1370 Weight: eval.HandlerWeight, 1371 }, nil 1372 case "exec.fsgid": 1373 return &eval.IntEvaluator{ 1374 EvalFnc: func(ctx *eval.Context) int { 1375 ev := ctx.Event.(*Event) 1376 return int(ev.Exec.Process.Credentials.FSGID) 1377 }, 1378 Field: field, 1379 Weight: eval.FunctionWeight, 1380 }, nil 1381 case "exec.fsgroup": 1382 return &eval.StringEvaluator{ 1383 EvalFnc: func(ctx *eval.Context) string { 1384 ev := ctx.Event.(*Event) 1385 return ev.Exec.Process.Credentials.FSGroup 1386 }, 1387 Field: field, 1388 Weight: eval.FunctionWeight, 1389 }, nil 1390 case "exec.fsuid": 1391 return &eval.IntEvaluator{ 1392 EvalFnc: func(ctx *eval.Context) int { 1393 ev := ctx.Event.(*Event) 1394 return int(ev.Exec.Process.Credentials.FSUID) 1395 }, 1396 Field: field, 1397 Weight: eval.FunctionWeight, 1398 }, nil 1399 case "exec.fsuser": 1400 return &eval.StringEvaluator{ 1401 EvalFnc: func(ctx *eval.Context) string { 1402 ev := ctx.Event.(*Event) 1403 return ev.Exec.Process.Credentials.FSUser 1404 }, 1405 Field: field, 1406 Weight: eval.FunctionWeight, 1407 }, nil 1408 case "exec.gid": 1409 return &eval.IntEvaluator{ 1410 EvalFnc: func(ctx *eval.Context) int { 1411 ev := ctx.Event.(*Event) 1412 return int(ev.Exec.Process.Credentials.GID) 1413 }, 1414 Field: field, 1415 Weight: eval.FunctionWeight, 1416 }, 
nil 1417 case "exec.group": 1418 return &eval.StringEvaluator{ 1419 EvalFnc: func(ctx *eval.Context) string { 1420 ev := ctx.Event.(*Event) 1421 return ev.Exec.Process.Credentials.Group 1422 }, 1423 Field: field, 1424 Weight: eval.FunctionWeight, 1425 }, nil 1426 case "exec.interpreter.file.change_time": 1427 return &eval.IntEvaluator{ 1428 EvalFnc: func(ctx *eval.Context) int { 1429 ev := ctx.Event.(*Event) 1430 if !ev.Exec.Process.HasInterpreter() { 1431 return 0 1432 } 1433 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.CTime) 1434 }, 1435 Field: field, 1436 Weight: eval.FunctionWeight, 1437 }, nil 1438 case "exec.interpreter.file.filesystem": 1439 return &eval.StringEvaluator{ 1440 EvalFnc: func(ctx *eval.Context) string { 1441 ev := ctx.Event.(*Event) 1442 if !ev.Exec.Process.HasInterpreter() { 1443 return "" 1444 } 1445 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) 1446 }, 1447 Field: field, 1448 Weight: eval.HandlerWeight, 1449 }, nil 1450 case "exec.interpreter.file.gid": 1451 return &eval.IntEvaluator{ 1452 EvalFnc: func(ctx *eval.Context) int { 1453 ev := ctx.Event.(*Event) 1454 if !ev.Exec.Process.HasInterpreter() { 1455 return 0 1456 } 1457 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.GID) 1458 }, 1459 Field: field, 1460 Weight: eval.FunctionWeight, 1461 }, nil 1462 case "exec.interpreter.file.group": 1463 return &eval.StringEvaluator{ 1464 EvalFnc: func(ctx *eval.Context) string { 1465 ev := ctx.Event.(*Event) 1466 if !ev.Exec.Process.HasInterpreter() { 1467 return "" 1468 } 1469 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields) 1470 }, 1471 Field: field, 1472 Weight: eval.HandlerWeight, 1473 }, nil 1474 case "exec.interpreter.file.hashes": 1475 return &eval.StringArrayEvaluator{ 1476 EvalFnc: func(ctx *eval.Context) []string { 1477 ev := ctx.Event.(*Event) 1478 if !ev.Exec.Process.HasInterpreter() { 1479 return []string{} 1480 } 
1481 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) 1482 }, 1483 Field: field, 1484 Weight: 999 * eval.HandlerWeight, 1485 }, nil 1486 case "exec.interpreter.file.in_upper_layer": 1487 return &eval.BoolEvaluator{ 1488 EvalFnc: func(ctx *eval.Context) bool { 1489 ev := ctx.Event.(*Event) 1490 if !ev.Exec.Process.HasInterpreter() { 1491 return false 1492 } 1493 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields) 1494 }, 1495 Field: field, 1496 Weight: eval.HandlerWeight, 1497 }, nil 1498 case "exec.interpreter.file.inode": 1499 return &eval.IntEvaluator{ 1500 EvalFnc: func(ctx *eval.Context) int { 1501 ev := ctx.Event.(*Event) 1502 if !ev.Exec.Process.HasInterpreter() { 1503 return 0 1504 } 1505 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 1506 }, 1507 Field: field, 1508 Weight: eval.FunctionWeight, 1509 }, nil 1510 case "exec.interpreter.file.mode": 1511 return &eval.IntEvaluator{ 1512 EvalFnc: func(ctx *eval.Context) int { 1513 ev := ctx.Event.(*Event) 1514 if !ev.Exec.Process.HasInterpreter() { 1515 return 0 1516 } 1517 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.Mode) 1518 }, 1519 Field: field, 1520 Weight: eval.FunctionWeight, 1521 }, nil 1522 case "exec.interpreter.file.modification_time": 1523 return &eval.IntEvaluator{ 1524 EvalFnc: func(ctx *eval.Context) int { 1525 ev := ctx.Event.(*Event) 1526 if !ev.Exec.Process.HasInterpreter() { 1527 return 0 1528 } 1529 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.MTime) 1530 }, 1531 Field: field, 1532 Weight: eval.FunctionWeight, 1533 }, nil 1534 case "exec.interpreter.file.mount_id": 1535 return &eval.IntEvaluator{ 1536 EvalFnc: func(ctx *eval.Context) int { 1537 ev := ctx.Event.(*Event) 1538 if !ev.Exec.Process.HasInterpreter() { 1539 return 0 1540 } 1541 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 1542 }, 1543 Field: field, 
1544 Weight: eval.FunctionWeight, 1545 }, nil 1546 case "exec.interpreter.file.name": 1547 return &eval.StringEvaluator{ 1548 OpOverrides: ProcessSymlinkBasename, 1549 EvalFnc: func(ctx *eval.Context) string { 1550 ev := ctx.Event.(*Event) 1551 if !ev.Exec.Process.HasInterpreter() { 1552 return "" 1553 } 1554 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) 1555 }, 1556 Field: field, 1557 Weight: eval.HandlerWeight, 1558 }, nil 1559 case "exec.interpreter.file.name.length": 1560 return &eval.IntEvaluator{ 1561 OpOverrides: ProcessSymlinkBasename, 1562 EvalFnc: func(ctx *eval.Context) int { 1563 ev := ctx.Event.(*Event) 1564 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.LinuxBinprm.FileEvent)) 1565 }, 1566 Field: field, 1567 Weight: eval.HandlerWeight, 1568 }, nil 1569 case "exec.interpreter.file.package.name": 1570 return &eval.StringEvaluator{ 1571 EvalFnc: func(ctx *eval.Context) string { 1572 ev := ctx.Event.(*Event) 1573 if !ev.Exec.Process.HasInterpreter() { 1574 return "" 1575 } 1576 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) 1577 }, 1578 Field: field, 1579 Weight: eval.HandlerWeight, 1580 }, nil 1581 case "exec.interpreter.file.package.source_version": 1582 return &eval.StringEvaluator{ 1583 EvalFnc: func(ctx *eval.Context) string { 1584 ev := ctx.Event.(*Event) 1585 if !ev.Exec.Process.HasInterpreter() { 1586 return "" 1587 } 1588 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) 1589 }, 1590 Field: field, 1591 Weight: eval.HandlerWeight, 1592 }, nil 1593 case "exec.interpreter.file.package.version": 1594 return &eval.StringEvaluator{ 1595 EvalFnc: func(ctx *eval.Context) string { 1596 ev := ctx.Event.(*Event) 1597 if !ev.Exec.Process.HasInterpreter() { 1598 return "" 1599 } 1600 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) 1601 }, 1602 Field: field, 1603 Weight: 
eval.HandlerWeight, 1604 }, nil 1605 case "exec.interpreter.file.path": 1606 return &eval.StringEvaluator{ 1607 OpOverrides: ProcessSymlinkPathname, 1608 EvalFnc: func(ctx *eval.Context) string { 1609 ev := ctx.Event.(*Event) 1610 if !ev.Exec.Process.HasInterpreter() { 1611 return "" 1612 } 1613 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.LinuxBinprm.FileEvent) 1614 }, 1615 Field: field, 1616 Weight: eval.HandlerWeight, 1617 }, nil 1618 case "exec.interpreter.file.path.length": 1619 return &eval.IntEvaluator{ 1620 OpOverrides: ProcessSymlinkPathname, 1621 EvalFnc: func(ctx *eval.Context) int { 1622 ev := ctx.Event.(*Event) 1623 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.LinuxBinprm.FileEvent)) 1624 }, 1625 Field: field, 1626 Weight: eval.HandlerWeight, 1627 }, nil 1628 case "exec.interpreter.file.rights": 1629 return &eval.IntEvaluator{ 1630 EvalFnc: func(ctx *eval.Context) int { 1631 ev := ctx.Event.(*Event) 1632 if !ev.Exec.Process.HasInterpreter() { 1633 return 0 1634 } 1635 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields)) 1636 }, 1637 Field: field, 1638 Weight: eval.HandlerWeight, 1639 }, nil 1640 case "exec.interpreter.file.uid": 1641 return &eval.IntEvaluator{ 1642 EvalFnc: func(ctx *eval.Context) int { 1643 ev := ctx.Event.(*Event) 1644 if !ev.Exec.Process.HasInterpreter() { 1645 return 0 1646 } 1647 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.UID) 1648 }, 1649 Field: field, 1650 Weight: eval.FunctionWeight, 1651 }, nil 1652 case "exec.interpreter.file.user": 1653 return &eval.StringEvaluator{ 1654 EvalFnc: func(ctx *eval.Context) string { 1655 ev := ctx.Event.(*Event) 1656 if !ev.Exec.Process.HasInterpreter() { 1657 return "" 1658 } 1659 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields) 1660 }, 1661 Field: field, 1662 Weight: eval.HandlerWeight, 1663 }, nil 1664 case "exec.is_kworker": 1665 return 
&eval.BoolEvaluator{ 1666 EvalFnc: func(ctx *eval.Context) bool { 1667 ev := ctx.Event.(*Event) 1668 return ev.Exec.Process.PIDContext.IsKworker 1669 }, 1670 Field: field, 1671 Weight: eval.FunctionWeight, 1672 }, nil 1673 case "exec.is_thread": 1674 return &eval.BoolEvaluator{ 1675 EvalFnc: func(ctx *eval.Context) bool { 1676 ev := ctx.Event.(*Event) 1677 return ev.Exec.Process.IsThread 1678 }, 1679 Field: field, 1680 Weight: eval.FunctionWeight, 1681 }, nil 1682 case "exec.pid": 1683 return &eval.IntEvaluator{ 1684 EvalFnc: func(ctx *eval.Context) int { 1685 ev := ctx.Event.(*Event) 1686 return int(ev.Exec.Process.PIDContext.Pid) 1687 }, 1688 Field: field, 1689 Weight: eval.FunctionWeight, 1690 }, nil 1691 case "exec.ppid": 1692 return &eval.IntEvaluator{ 1693 EvalFnc: func(ctx *eval.Context) int { 1694 ev := ctx.Event.(*Event) 1695 return int(ev.Exec.Process.PPid) 1696 }, 1697 Field: field, 1698 Weight: eval.FunctionWeight, 1699 }, nil 1700 case "exec.tid": 1701 return &eval.IntEvaluator{ 1702 EvalFnc: func(ctx *eval.Context) int { 1703 ev := ctx.Event.(*Event) 1704 return int(ev.Exec.Process.PIDContext.Tid) 1705 }, 1706 Field: field, 1707 Weight: eval.FunctionWeight, 1708 }, nil 1709 case "exec.tty_name": 1710 return &eval.StringEvaluator{ 1711 EvalFnc: func(ctx *eval.Context) string { 1712 ev := ctx.Event.(*Event) 1713 return ev.Exec.Process.TTYName 1714 }, 1715 Field: field, 1716 Weight: eval.FunctionWeight, 1717 }, nil 1718 case "exec.uid": 1719 return &eval.IntEvaluator{ 1720 EvalFnc: func(ctx *eval.Context) int { 1721 ev := ctx.Event.(*Event) 1722 return int(ev.Exec.Process.Credentials.UID) 1723 }, 1724 Field: field, 1725 Weight: eval.FunctionWeight, 1726 }, nil 1727 case "exec.user": 1728 return &eval.StringEvaluator{ 1729 EvalFnc: func(ctx *eval.Context) string { 1730 ev := ctx.Event.(*Event) 1731 return ev.Exec.Process.Credentials.User 1732 }, 1733 Field: field, 1734 Weight: eval.FunctionWeight, 1735 }, nil 1736 case "exec.user_session.k8s_groups": 1737 
return &eval.StringArrayEvaluator{ 1738 EvalFnc: func(ctx *eval.Context) []string { 1739 ev := ctx.Event.(*Event) 1740 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Exec.Process.UserSession) 1741 }, 1742 Field: field, 1743 Weight: eval.HandlerWeight, 1744 }, nil 1745 case "exec.user_session.k8s_uid": 1746 return &eval.StringEvaluator{ 1747 EvalFnc: func(ctx *eval.Context) string { 1748 ev := ctx.Event.(*Event) 1749 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Exec.Process.UserSession) 1750 }, 1751 Field: field, 1752 Weight: eval.HandlerWeight, 1753 }, nil 1754 case "exec.user_session.k8s_username": 1755 return &eval.StringEvaluator{ 1756 EvalFnc: func(ctx *eval.Context) string { 1757 ev := ctx.Event.(*Event) 1758 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Exec.Process.UserSession) 1759 }, 1760 Field: field, 1761 Weight: eval.HandlerWeight, 1762 }, nil 1763 case "exit.args": 1764 return &eval.StringEvaluator{ 1765 EvalFnc: func(ctx *eval.Context) string { 1766 ev := ctx.Event.(*Event) 1767 return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Exit.Process) 1768 }, 1769 Field: field, 1770 Weight: 500 * eval.HandlerWeight, 1771 }, nil 1772 case "exit.args_flags": 1773 return &eval.StringArrayEvaluator{ 1774 EvalFnc: func(ctx *eval.Context) []string { 1775 ev := ctx.Event.(*Event) 1776 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Exit.Process) 1777 }, 1778 Field: field, 1779 Weight: eval.HandlerWeight, 1780 }, nil 1781 case "exit.args_options": 1782 return &eval.StringArrayEvaluator{ 1783 EvalFnc: func(ctx *eval.Context) []string { 1784 ev := ctx.Event.(*Event) 1785 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Exit.Process) 1786 }, 1787 Field: field, 1788 Weight: eval.HandlerWeight, 1789 }, nil 1790 case "exit.args_truncated": 1791 return &eval.BoolEvaluator{ 1792 EvalFnc: func(ctx *eval.Context) bool { 1793 ev := ctx.Event.(*Event) 1794 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Exit.Process) 1795 }, 1796 Field: field, 
1797 Weight: eval.HandlerWeight, 1798 }, nil 1799 case "exit.argv": 1800 return &eval.StringArrayEvaluator{ 1801 EvalFnc: func(ctx *eval.Context) []string { 1802 ev := ctx.Event.(*Event) 1803 return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Exit.Process) 1804 }, 1805 Field: field, 1806 Weight: 500 * eval.HandlerWeight, 1807 }, nil 1808 case "exit.argv0": 1809 return &eval.StringEvaluator{ 1810 EvalFnc: func(ctx *eval.Context) string { 1811 ev := ctx.Event.(*Event) 1812 return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Exit.Process) 1813 }, 1814 Field: field, 1815 Weight: 100 * eval.HandlerWeight, 1816 }, nil 1817 case "exit.cap_effective": 1818 return &eval.IntEvaluator{ 1819 EvalFnc: func(ctx *eval.Context) int { 1820 ev := ctx.Event.(*Event) 1821 return int(ev.Exit.Process.Credentials.CapEffective) 1822 }, 1823 Field: field, 1824 Weight: eval.FunctionWeight, 1825 }, nil 1826 case "exit.cap_permitted": 1827 return &eval.IntEvaluator{ 1828 EvalFnc: func(ctx *eval.Context) int { 1829 ev := ctx.Event.(*Event) 1830 return int(ev.Exit.Process.Credentials.CapPermitted) 1831 }, 1832 Field: field, 1833 Weight: eval.FunctionWeight, 1834 }, nil 1835 case "exit.cause": 1836 return &eval.IntEvaluator{ 1837 EvalFnc: func(ctx *eval.Context) int { 1838 ev := ctx.Event.(*Event) 1839 return int(ev.Exit.Cause) 1840 }, 1841 Field: field, 1842 Weight: eval.FunctionWeight, 1843 }, nil 1844 case "exit.code": 1845 return &eval.IntEvaluator{ 1846 EvalFnc: func(ctx *eval.Context) int { 1847 ev := ctx.Event.(*Event) 1848 return int(ev.Exit.Code) 1849 }, 1850 Field: field, 1851 Weight: eval.FunctionWeight, 1852 }, nil 1853 case "exit.comm": 1854 return &eval.StringEvaluator{ 1855 EvalFnc: func(ctx *eval.Context) string { 1856 ev := ctx.Event.(*Event) 1857 return ev.Exit.Process.Comm 1858 }, 1859 Field: field, 1860 Weight: eval.FunctionWeight, 1861 }, nil 1862 case "exit.container.id": 1863 return &eval.StringEvaluator{ 1864 EvalFnc: func(ctx *eval.Context) string { 1865 ev := 
ctx.Event.(*Event) 1866 return ev.Exit.Process.ContainerID 1867 }, 1868 Field: field, 1869 Weight: eval.FunctionWeight, 1870 }, nil 1871 case "exit.created_at": 1872 return &eval.IntEvaluator{ 1873 EvalFnc: func(ctx *eval.Context) int { 1874 ev := ctx.Event.(*Event) 1875 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exit.Process)) 1876 }, 1877 Field: field, 1878 Weight: eval.HandlerWeight, 1879 }, nil 1880 case "exit.egid": 1881 return &eval.IntEvaluator{ 1882 EvalFnc: func(ctx *eval.Context) int { 1883 ev := ctx.Event.(*Event) 1884 return int(ev.Exit.Process.Credentials.EGID) 1885 }, 1886 Field: field, 1887 Weight: eval.FunctionWeight, 1888 }, nil 1889 case "exit.egroup": 1890 return &eval.StringEvaluator{ 1891 EvalFnc: func(ctx *eval.Context) string { 1892 ev := ctx.Event.(*Event) 1893 return ev.Exit.Process.Credentials.EGroup 1894 }, 1895 Field: field, 1896 Weight: eval.FunctionWeight, 1897 }, nil 1898 case "exit.envp": 1899 return &eval.StringArrayEvaluator{ 1900 EvalFnc: func(ctx *eval.Context) []string { 1901 ev := ctx.Event.(*Event) 1902 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process) 1903 }, 1904 Field: field, 1905 Weight: 100 * eval.HandlerWeight, 1906 }, nil 1907 case "exit.envs": 1908 return &eval.StringArrayEvaluator{ 1909 EvalFnc: func(ctx *eval.Context) []string { 1910 ev := ctx.Event.(*Event) 1911 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process) 1912 }, 1913 Field: field, 1914 Weight: 100 * eval.HandlerWeight, 1915 }, nil 1916 case "exit.envs_truncated": 1917 return &eval.BoolEvaluator{ 1918 EvalFnc: func(ctx *eval.Context) bool { 1919 ev := ctx.Event.(*Event) 1920 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Exit.Process) 1921 }, 1922 Field: field, 1923 Weight: eval.HandlerWeight, 1924 }, nil 1925 case "exit.euid": 1926 return &eval.IntEvaluator{ 1927 EvalFnc: func(ctx *eval.Context) int { 1928 ev := ctx.Event.(*Event) 1929 return int(ev.Exit.Process.Credentials.EUID) 1930 }, 1931 Field: 
field, 1932 Weight: eval.FunctionWeight, 1933 }, nil 1934 case "exit.euser": 1935 return &eval.StringEvaluator{ 1936 EvalFnc: func(ctx *eval.Context) string { 1937 ev := ctx.Event.(*Event) 1938 return ev.Exit.Process.Credentials.EUser 1939 }, 1940 Field: field, 1941 Weight: eval.FunctionWeight, 1942 }, nil 1943 case "exit.file.change_time": 1944 return &eval.IntEvaluator{ 1945 EvalFnc: func(ctx *eval.Context) int { 1946 ev := ctx.Event.(*Event) 1947 if !ev.Exit.Process.IsNotKworker() { 1948 return 0 1949 } 1950 return int(ev.Exit.Process.FileEvent.FileFields.CTime) 1951 }, 1952 Field: field, 1953 Weight: eval.FunctionWeight, 1954 }, nil 1955 case "exit.file.filesystem": 1956 return &eval.StringEvaluator{ 1957 EvalFnc: func(ctx *eval.Context) string { 1958 ev := ctx.Event.(*Event) 1959 if !ev.Exit.Process.IsNotKworker() { 1960 return "" 1961 } 1962 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exit.Process.FileEvent) 1963 }, 1964 Field: field, 1965 Weight: eval.HandlerWeight, 1966 }, nil 1967 case "exit.file.gid": 1968 return &eval.IntEvaluator{ 1969 EvalFnc: func(ctx *eval.Context) int { 1970 ev := ctx.Event.(*Event) 1971 if !ev.Exit.Process.IsNotKworker() { 1972 return 0 1973 } 1974 return int(ev.Exit.Process.FileEvent.FileFields.GID) 1975 }, 1976 Field: field, 1977 Weight: eval.FunctionWeight, 1978 }, nil 1979 case "exit.file.group": 1980 return &eval.StringEvaluator{ 1981 EvalFnc: func(ctx *eval.Context) string { 1982 ev := ctx.Event.(*Event) 1983 if !ev.Exit.Process.IsNotKworker() { 1984 return "" 1985 } 1986 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exit.Process.FileEvent.FileFields) 1987 }, 1988 Field: field, 1989 Weight: eval.HandlerWeight, 1990 }, nil 1991 case "exit.file.hashes": 1992 return &eval.StringArrayEvaluator{ 1993 EvalFnc: func(ctx *eval.Context) []string { 1994 ev := ctx.Event.(*Event) 1995 if !ev.Exit.Process.IsNotKworker() { 1996 return []string{} 1997 } 1998 return ev.FieldHandlers.ResolveHashesFromEvent(ev, 
&ev.Exit.Process.FileEvent) 1999 }, 2000 Field: field, 2001 Weight: 999 * eval.HandlerWeight, 2002 }, nil 2003 case "exit.file.in_upper_layer": 2004 return &eval.BoolEvaluator{ 2005 EvalFnc: func(ctx *eval.Context) bool { 2006 ev := ctx.Event.(*Event) 2007 if !ev.Exit.Process.IsNotKworker() { 2008 return false 2009 } 2010 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exit.Process.FileEvent.FileFields) 2011 }, 2012 Field: field, 2013 Weight: eval.HandlerWeight, 2014 }, nil 2015 case "exit.file.inode": 2016 return &eval.IntEvaluator{ 2017 EvalFnc: func(ctx *eval.Context) int { 2018 ev := ctx.Event.(*Event) 2019 if !ev.Exit.Process.IsNotKworker() { 2020 return 0 2021 } 2022 return int(ev.Exit.Process.FileEvent.FileFields.PathKey.Inode) 2023 }, 2024 Field: field, 2025 Weight: eval.FunctionWeight, 2026 }, nil 2027 case "exit.file.mode": 2028 return &eval.IntEvaluator{ 2029 EvalFnc: func(ctx *eval.Context) int { 2030 ev := ctx.Event.(*Event) 2031 if !ev.Exit.Process.IsNotKworker() { 2032 return 0 2033 } 2034 return int(ev.Exit.Process.FileEvent.FileFields.Mode) 2035 }, 2036 Field: field, 2037 Weight: eval.FunctionWeight, 2038 }, nil 2039 case "exit.file.modification_time": 2040 return &eval.IntEvaluator{ 2041 EvalFnc: func(ctx *eval.Context) int { 2042 ev := ctx.Event.(*Event) 2043 if !ev.Exit.Process.IsNotKworker() { 2044 return 0 2045 } 2046 return int(ev.Exit.Process.FileEvent.FileFields.MTime) 2047 }, 2048 Field: field, 2049 Weight: eval.FunctionWeight, 2050 }, nil 2051 case "exit.file.mount_id": 2052 return &eval.IntEvaluator{ 2053 EvalFnc: func(ctx *eval.Context) int { 2054 ev := ctx.Event.(*Event) 2055 if !ev.Exit.Process.IsNotKworker() { 2056 return 0 2057 } 2058 return int(ev.Exit.Process.FileEvent.FileFields.PathKey.MountID) 2059 }, 2060 Field: field, 2061 Weight: eval.FunctionWeight, 2062 }, nil 2063 case "exit.file.name": 2064 return &eval.StringEvaluator{ 2065 OpOverrides: ProcessSymlinkBasename, 2066 EvalFnc: func(ctx *eval.Context) string { 
2067 ev := ctx.Event.(*Event) 2068 if !ev.Exit.Process.IsNotKworker() { 2069 return "" 2070 } 2071 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent) 2072 }, 2073 Field: field, 2074 Weight: eval.HandlerWeight, 2075 }, nil 2076 case "exit.file.name.length": 2077 return &eval.IntEvaluator{ 2078 OpOverrides: ProcessSymlinkBasename, 2079 EvalFnc: func(ctx *eval.Context) int { 2080 ev := ctx.Event.(*Event) 2081 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent)) 2082 }, 2083 Field: field, 2084 Weight: eval.HandlerWeight, 2085 }, nil 2086 case "exit.file.package.name": 2087 return &eval.StringEvaluator{ 2088 EvalFnc: func(ctx *eval.Context) string { 2089 ev := ctx.Event.(*Event) 2090 if !ev.Exit.Process.IsNotKworker() { 2091 return "" 2092 } 2093 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exit.Process.FileEvent) 2094 }, 2095 Field: field, 2096 Weight: eval.HandlerWeight, 2097 }, nil 2098 case "exit.file.package.source_version": 2099 return &eval.StringEvaluator{ 2100 EvalFnc: func(ctx *eval.Context) string { 2101 ev := ctx.Event.(*Event) 2102 if !ev.Exit.Process.IsNotKworker() { 2103 return "" 2104 } 2105 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exit.Process.FileEvent) 2106 }, 2107 Field: field, 2108 Weight: eval.HandlerWeight, 2109 }, nil 2110 case "exit.file.package.version": 2111 return &eval.StringEvaluator{ 2112 EvalFnc: func(ctx *eval.Context) string { 2113 ev := ctx.Event.(*Event) 2114 if !ev.Exit.Process.IsNotKworker() { 2115 return "" 2116 } 2117 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exit.Process.FileEvent) 2118 }, 2119 Field: field, 2120 Weight: eval.HandlerWeight, 2121 }, nil 2122 case "exit.file.path": 2123 return &eval.StringEvaluator{ 2124 OpOverrides: ProcessSymlinkPathname, 2125 EvalFnc: func(ctx *eval.Context) string { 2126 ev := ctx.Event.(*Event) 2127 if !ev.Exit.Process.IsNotKworker() { 2128 return "" 2129 } 2130 return ev.FieldHandlers.ResolveFilePath(ev, 
&ev.Exit.Process.FileEvent) 2131 }, 2132 Field: field, 2133 Weight: eval.HandlerWeight, 2134 }, nil 2135 case "exit.file.path.length": 2136 return &eval.IntEvaluator{ 2137 OpOverrides: ProcessSymlinkPathname, 2138 EvalFnc: func(ctx *eval.Context) int { 2139 ev := ctx.Event.(*Event) 2140 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent)) 2141 }, 2142 Field: field, 2143 Weight: eval.HandlerWeight, 2144 }, nil 2145 case "exit.file.rights": 2146 return &eval.IntEvaluator{ 2147 EvalFnc: func(ctx *eval.Context) int { 2148 ev := ctx.Event.(*Event) 2149 if !ev.Exit.Process.IsNotKworker() { 2150 return 0 2151 } 2152 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exit.Process.FileEvent.FileFields)) 2153 }, 2154 Field: field, 2155 Weight: eval.HandlerWeight, 2156 }, nil 2157 case "exit.file.uid": 2158 return &eval.IntEvaluator{ 2159 EvalFnc: func(ctx *eval.Context) int { 2160 ev := ctx.Event.(*Event) 2161 if !ev.Exit.Process.IsNotKworker() { 2162 return 0 2163 } 2164 return int(ev.Exit.Process.FileEvent.FileFields.UID) 2165 }, 2166 Field: field, 2167 Weight: eval.FunctionWeight, 2168 }, nil 2169 case "exit.file.user": 2170 return &eval.StringEvaluator{ 2171 EvalFnc: func(ctx *eval.Context) string { 2172 ev := ctx.Event.(*Event) 2173 if !ev.Exit.Process.IsNotKworker() { 2174 return "" 2175 } 2176 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exit.Process.FileEvent.FileFields) 2177 }, 2178 Field: field, 2179 Weight: eval.HandlerWeight, 2180 }, nil 2181 case "exit.fsgid": 2182 return &eval.IntEvaluator{ 2183 EvalFnc: func(ctx *eval.Context) int { 2184 ev := ctx.Event.(*Event) 2185 return int(ev.Exit.Process.Credentials.FSGID) 2186 }, 2187 Field: field, 2188 Weight: eval.FunctionWeight, 2189 }, nil 2190 case "exit.fsgroup": 2191 return &eval.StringEvaluator{ 2192 EvalFnc: func(ctx *eval.Context) string { 2193 ev := ctx.Event.(*Event) 2194 return ev.Exit.Process.Credentials.FSGroup 2195 }, 2196 Field: field, 2197 Weight: eval.FunctionWeight, 
2198 }, nil 2199 case "exit.fsuid": 2200 return &eval.IntEvaluator{ 2201 EvalFnc: func(ctx *eval.Context) int { 2202 ev := ctx.Event.(*Event) 2203 return int(ev.Exit.Process.Credentials.FSUID) 2204 }, 2205 Field: field, 2206 Weight: eval.FunctionWeight, 2207 }, nil 2208 case "exit.fsuser": 2209 return &eval.StringEvaluator{ 2210 EvalFnc: func(ctx *eval.Context) string { 2211 ev := ctx.Event.(*Event) 2212 return ev.Exit.Process.Credentials.FSUser 2213 }, 2214 Field: field, 2215 Weight: eval.FunctionWeight, 2216 }, nil 2217 case "exit.gid": 2218 return &eval.IntEvaluator{ 2219 EvalFnc: func(ctx *eval.Context) int { 2220 ev := ctx.Event.(*Event) 2221 return int(ev.Exit.Process.Credentials.GID) 2222 }, 2223 Field: field, 2224 Weight: eval.FunctionWeight, 2225 }, nil 2226 case "exit.group": 2227 return &eval.StringEvaluator{ 2228 EvalFnc: func(ctx *eval.Context) string { 2229 ev := ctx.Event.(*Event) 2230 return ev.Exit.Process.Credentials.Group 2231 }, 2232 Field: field, 2233 Weight: eval.FunctionWeight, 2234 }, nil 2235 case "exit.interpreter.file.change_time": 2236 return &eval.IntEvaluator{ 2237 EvalFnc: func(ctx *eval.Context) int { 2238 ev := ctx.Event.(*Event) 2239 if !ev.Exit.Process.HasInterpreter() { 2240 return 0 2241 } 2242 return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.CTime) 2243 }, 2244 Field: field, 2245 Weight: eval.FunctionWeight, 2246 }, nil 2247 case "exit.interpreter.file.filesystem": 2248 return &eval.StringEvaluator{ 2249 EvalFnc: func(ctx *eval.Context) string { 2250 ev := ctx.Event.(*Event) 2251 if !ev.Exit.Process.HasInterpreter() { 2252 return "" 2253 } 2254 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) 2255 }, 2256 Field: field, 2257 Weight: eval.HandlerWeight, 2258 }, nil 2259 case "exit.interpreter.file.gid": 2260 return &eval.IntEvaluator{ 2261 EvalFnc: func(ctx *eval.Context) int { 2262 ev := ctx.Event.(*Event) 2263 if !ev.Exit.Process.HasInterpreter() { 2264 return 0 2265 } 2266 
return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.GID) 2267 }, 2268 Field: field, 2269 Weight: eval.FunctionWeight, 2270 }, nil 2271 case "exit.interpreter.file.group": 2272 return &eval.StringEvaluator{ 2273 EvalFnc: func(ctx *eval.Context) string { 2274 ev := ctx.Event.(*Event) 2275 if !ev.Exit.Process.HasInterpreter() { 2276 return "" 2277 } 2278 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields) 2279 }, 2280 Field: field, 2281 Weight: eval.HandlerWeight, 2282 }, nil 2283 case "exit.interpreter.file.hashes": 2284 return &eval.StringArrayEvaluator{ 2285 EvalFnc: func(ctx *eval.Context) []string { 2286 ev := ctx.Event.(*Event) 2287 if !ev.Exit.Process.HasInterpreter() { 2288 return []string{} 2289 } 2290 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) 2291 }, 2292 Field: field, 2293 Weight: 999 * eval.HandlerWeight, 2294 }, nil 2295 case "exit.interpreter.file.in_upper_layer": 2296 return &eval.BoolEvaluator{ 2297 EvalFnc: func(ctx *eval.Context) bool { 2298 ev := ctx.Event.(*Event) 2299 if !ev.Exit.Process.HasInterpreter() { 2300 return false 2301 } 2302 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields) 2303 }, 2304 Field: field, 2305 Weight: eval.HandlerWeight, 2306 }, nil 2307 case "exit.interpreter.file.inode": 2308 return &eval.IntEvaluator{ 2309 EvalFnc: func(ctx *eval.Context) int { 2310 ev := ctx.Event.(*Event) 2311 if !ev.Exit.Process.HasInterpreter() { 2312 return 0 2313 } 2314 return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 2315 }, 2316 Field: field, 2317 Weight: eval.FunctionWeight, 2318 }, nil 2319 case "exit.interpreter.file.mode": 2320 return &eval.IntEvaluator{ 2321 EvalFnc: func(ctx *eval.Context) int { 2322 ev := ctx.Event.(*Event) 2323 if !ev.Exit.Process.HasInterpreter() { 2324 return 0 2325 } 2326 return 
int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.Mode) 2327 }, 2328 Field: field, 2329 Weight: eval.FunctionWeight, 2330 }, nil 2331 case "exit.interpreter.file.modification_time": 2332 return &eval.IntEvaluator{ 2333 EvalFnc: func(ctx *eval.Context) int { 2334 ev := ctx.Event.(*Event) 2335 if !ev.Exit.Process.HasInterpreter() { 2336 return 0 2337 } 2338 return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.MTime) 2339 }, 2340 Field: field, 2341 Weight: eval.FunctionWeight, 2342 }, nil 2343 case "exit.interpreter.file.mount_id": 2344 return &eval.IntEvaluator{ 2345 EvalFnc: func(ctx *eval.Context) int { 2346 ev := ctx.Event.(*Event) 2347 if !ev.Exit.Process.HasInterpreter() { 2348 return 0 2349 } 2350 return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 2351 }, 2352 Field: field, 2353 Weight: eval.FunctionWeight, 2354 }, nil 2355 case "exit.interpreter.file.name": 2356 return &eval.StringEvaluator{ 2357 OpOverrides: ProcessSymlinkBasename, 2358 EvalFnc: func(ctx *eval.Context) string { 2359 ev := ctx.Event.(*Event) 2360 if !ev.Exit.Process.HasInterpreter() { 2361 return "" 2362 } 2363 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) 2364 }, 2365 Field: field, 2366 Weight: eval.HandlerWeight, 2367 }, nil 2368 case "exit.interpreter.file.name.length": 2369 return &eval.IntEvaluator{ 2370 OpOverrides: ProcessSymlinkBasename, 2371 EvalFnc: func(ctx *eval.Context) int { 2372 ev := ctx.Event.(*Event) 2373 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.LinuxBinprm.FileEvent)) 2374 }, 2375 Field: field, 2376 Weight: eval.HandlerWeight, 2377 }, nil 2378 case "exit.interpreter.file.package.name": 2379 return &eval.StringEvaluator{ 2380 EvalFnc: func(ctx *eval.Context) string { 2381 ev := ctx.Event.(*Event) 2382 if !ev.Exit.Process.HasInterpreter() { 2383 return "" 2384 } 2385 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) 2386 }, 2387 Field: 
field, 2388 Weight: eval.HandlerWeight, 2389 }, nil 2390 case "exit.interpreter.file.package.source_version": 2391 return &eval.StringEvaluator{ 2392 EvalFnc: func(ctx *eval.Context) string { 2393 ev := ctx.Event.(*Event) 2394 if !ev.Exit.Process.HasInterpreter() { 2395 return "" 2396 } 2397 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) 2398 }, 2399 Field: field, 2400 Weight: eval.HandlerWeight, 2401 }, nil 2402 case "exit.interpreter.file.package.version": 2403 return &eval.StringEvaluator{ 2404 EvalFnc: func(ctx *eval.Context) string { 2405 ev := ctx.Event.(*Event) 2406 if !ev.Exit.Process.HasInterpreter() { 2407 return "" 2408 } 2409 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) 2410 }, 2411 Field: field, 2412 Weight: eval.HandlerWeight, 2413 }, nil 2414 case "exit.interpreter.file.path": 2415 return &eval.StringEvaluator{ 2416 OpOverrides: ProcessSymlinkPathname, 2417 EvalFnc: func(ctx *eval.Context) string { 2418 ev := ctx.Event.(*Event) 2419 if !ev.Exit.Process.HasInterpreter() { 2420 return "" 2421 } 2422 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.LinuxBinprm.FileEvent) 2423 }, 2424 Field: field, 2425 Weight: eval.HandlerWeight, 2426 }, nil 2427 case "exit.interpreter.file.path.length": 2428 return &eval.IntEvaluator{ 2429 OpOverrides: ProcessSymlinkPathname, 2430 EvalFnc: func(ctx *eval.Context) int { 2431 ev := ctx.Event.(*Event) 2432 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.LinuxBinprm.FileEvent)) 2433 }, 2434 Field: field, 2435 Weight: eval.HandlerWeight, 2436 }, nil 2437 case "exit.interpreter.file.rights": 2438 return &eval.IntEvaluator{ 2439 EvalFnc: func(ctx *eval.Context) int { 2440 ev := ctx.Event.(*Event) 2441 if !ev.Exit.Process.HasInterpreter() { 2442 return 0 2443 } 2444 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields)) 2445 }, 2446 Field: field, 2447 Weight: 
eval.HandlerWeight, 2448 }, nil 2449 case "exit.interpreter.file.uid": 2450 return &eval.IntEvaluator{ 2451 EvalFnc: func(ctx *eval.Context) int { 2452 ev := ctx.Event.(*Event) 2453 if !ev.Exit.Process.HasInterpreter() { 2454 return 0 2455 } 2456 return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.UID) 2457 }, 2458 Field: field, 2459 Weight: eval.FunctionWeight, 2460 }, nil 2461 case "exit.interpreter.file.user": 2462 return &eval.StringEvaluator{ 2463 EvalFnc: func(ctx *eval.Context) string { 2464 ev := ctx.Event.(*Event) 2465 if !ev.Exit.Process.HasInterpreter() { 2466 return "" 2467 } 2468 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields) 2469 }, 2470 Field: field, 2471 Weight: eval.HandlerWeight, 2472 }, nil 2473 case "exit.is_kworker": 2474 return &eval.BoolEvaluator{ 2475 EvalFnc: func(ctx *eval.Context) bool { 2476 ev := ctx.Event.(*Event) 2477 return ev.Exit.Process.PIDContext.IsKworker 2478 }, 2479 Field: field, 2480 Weight: eval.FunctionWeight, 2481 }, nil 2482 case "exit.is_thread": 2483 return &eval.BoolEvaluator{ 2484 EvalFnc: func(ctx *eval.Context) bool { 2485 ev := ctx.Event.(*Event) 2486 return ev.Exit.Process.IsThread 2487 }, 2488 Field: field, 2489 Weight: eval.FunctionWeight, 2490 }, nil 2491 case "exit.pid": 2492 return &eval.IntEvaluator{ 2493 EvalFnc: func(ctx *eval.Context) int { 2494 ev := ctx.Event.(*Event) 2495 return int(ev.Exit.Process.PIDContext.Pid) 2496 }, 2497 Field: field, 2498 Weight: eval.FunctionWeight, 2499 }, nil 2500 case "exit.ppid": 2501 return &eval.IntEvaluator{ 2502 EvalFnc: func(ctx *eval.Context) int { 2503 ev := ctx.Event.(*Event) 2504 return int(ev.Exit.Process.PPid) 2505 }, 2506 Field: field, 2507 Weight: eval.FunctionWeight, 2508 }, nil 2509 case "exit.tid": 2510 return &eval.IntEvaluator{ 2511 EvalFnc: func(ctx *eval.Context) int { 2512 ev := ctx.Event.(*Event) 2513 return int(ev.Exit.Process.PIDContext.Tid) 2514 }, 2515 Field: field, 2516 Weight: 
eval.FunctionWeight, 2517 }, nil 2518 case "exit.tty_name": 2519 return &eval.StringEvaluator{ 2520 EvalFnc: func(ctx *eval.Context) string { 2521 ev := ctx.Event.(*Event) 2522 return ev.Exit.Process.TTYName 2523 }, 2524 Field: field, 2525 Weight: eval.FunctionWeight, 2526 }, nil 2527 case "exit.uid": 2528 return &eval.IntEvaluator{ 2529 EvalFnc: func(ctx *eval.Context) int { 2530 ev := ctx.Event.(*Event) 2531 return int(ev.Exit.Process.Credentials.UID) 2532 }, 2533 Field: field, 2534 Weight: eval.FunctionWeight, 2535 }, nil 2536 case "exit.user": 2537 return &eval.StringEvaluator{ 2538 EvalFnc: func(ctx *eval.Context) string { 2539 ev := ctx.Event.(*Event) 2540 return ev.Exit.Process.Credentials.User 2541 }, 2542 Field: field, 2543 Weight: eval.FunctionWeight, 2544 }, nil 2545 case "exit.user_session.k8s_groups": 2546 return &eval.StringArrayEvaluator{ 2547 EvalFnc: func(ctx *eval.Context) []string { 2548 ev := ctx.Event.(*Event) 2549 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Exit.Process.UserSession) 2550 }, 2551 Field: field, 2552 Weight: eval.HandlerWeight, 2553 }, nil 2554 case "exit.user_session.k8s_uid": 2555 return &eval.StringEvaluator{ 2556 EvalFnc: func(ctx *eval.Context) string { 2557 ev := ctx.Event.(*Event) 2558 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Exit.Process.UserSession) 2559 }, 2560 Field: field, 2561 Weight: eval.HandlerWeight, 2562 }, nil 2563 case "exit.user_session.k8s_username": 2564 return &eval.StringEvaluator{ 2565 EvalFnc: func(ctx *eval.Context) string { 2566 ev := ctx.Event.(*Event) 2567 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Exit.Process.UserSession) 2568 }, 2569 Field: field, 2570 Weight: eval.HandlerWeight, 2571 }, nil 2572 case "link.file.change_time": 2573 return &eval.IntEvaluator{ 2574 EvalFnc: func(ctx *eval.Context) int { 2575 ev := ctx.Event.(*Event) 2576 return int(ev.Link.Source.FileFields.CTime) 2577 }, 2578 Field: field, 2579 Weight: eval.FunctionWeight, 2580 }, nil 2581 case 
"link.file.destination.change_time": 2582 return &eval.IntEvaluator{ 2583 EvalFnc: func(ctx *eval.Context) int { 2584 ev := ctx.Event.(*Event) 2585 return int(ev.Link.Target.FileFields.CTime) 2586 }, 2587 Field: field, 2588 Weight: eval.FunctionWeight, 2589 }, nil 2590 case "link.file.destination.filesystem": 2591 return &eval.StringEvaluator{ 2592 EvalFnc: func(ctx *eval.Context) string { 2593 ev := ctx.Event.(*Event) 2594 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Link.Target) 2595 }, 2596 Field: field, 2597 Weight: eval.HandlerWeight, 2598 }, nil 2599 case "link.file.destination.gid": 2600 return &eval.IntEvaluator{ 2601 EvalFnc: func(ctx *eval.Context) int { 2602 ev := ctx.Event.(*Event) 2603 return int(ev.Link.Target.FileFields.GID) 2604 }, 2605 Field: field, 2606 Weight: eval.FunctionWeight, 2607 }, nil 2608 case "link.file.destination.group": 2609 return &eval.StringEvaluator{ 2610 EvalFnc: func(ctx *eval.Context) string { 2611 ev := ctx.Event.(*Event) 2612 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Link.Target.FileFields) 2613 }, 2614 Field: field, 2615 Weight: eval.HandlerWeight, 2616 }, nil 2617 case "link.file.destination.hashes": 2618 return &eval.StringArrayEvaluator{ 2619 EvalFnc: func(ctx *eval.Context) []string { 2620 ev := ctx.Event.(*Event) 2621 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Link.Target) 2622 }, 2623 Field: field, 2624 Weight: 999 * eval.HandlerWeight, 2625 }, nil 2626 case "link.file.destination.in_upper_layer": 2627 return &eval.BoolEvaluator{ 2628 EvalFnc: func(ctx *eval.Context) bool { 2629 ev := ctx.Event.(*Event) 2630 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Link.Target.FileFields) 2631 }, 2632 Field: field, 2633 Weight: eval.HandlerWeight, 2634 }, nil 2635 case "link.file.destination.inode": 2636 return &eval.IntEvaluator{ 2637 EvalFnc: func(ctx *eval.Context) int { 2638 ev := ctx.Event.(*Event) 2639 return int(ev.Link.Target.FileFields.PathKey.Inode) 2640 }, 2641 Field: 
field, 2642 Weight: eval.FunctionWeight, 2643 }, nil 2644 case "link.file.destination.mode": 2645 return &eval.IntEvaluator{ 2646 EvalFnc: func(ctx *eval.Context) int { 2647 ev := ctx.Event.(*Event) 2648 return int(ev.Link.Target.FileFields.Mode) 2649 }, 2650 Field: field, 2651 Weight: eval.FunctionWeight, 2652 }, nil 2653 case "link.file.destination.modification_time": 2654 return &eval.IntEvaluator{ 2655 EvalFnc: func(ctx *eval.Context) int { 2656 ev := ctx.Event.(*Event) 2657 return int(ev.Link.Target.FileFields.MTime) 2658 }, 2659 Field: field, 2660 Weight: eval.FunctionWeight, 2661 }, nil 2662 case "link.file.destination.mount_id": 2663 return &eval.IntEvaluator{ 2664 EvalFnc: func(ctx *eval.Context) int { 2665 ev := ctx.Event.(*Event) 2666 return int(ev.Link.Target.FileFields.PathKey.MountID) 2667 }, 2668 Field: field, 2669 Weight: eval.FunctionWeight, 2670 }, nil 2671 case "link.file.destination.name": 2672 return &eval.StringEvaluator{ 2673 OpOverrides: ProcessSymlinkBasename, 2674 EvalFnc: func(ctx *eval.Context) string { 2675 ev := ctx.Event.(*Event) 2676 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Target) 2677 }, 2678 Field: field, 2679 Weight: eval.HandlerWeight, 2680 }, nil 2681 case "link.file.destination.name.length": 2682 return &eval.IntEvaluator{ 2683 OpOverrides: ProcessSymlinkBasename, 2684 EvalFnc: func(ctx *eval.Context) int { 2685 ev := ctx.Event.(*Event) 2686 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Target)) 2687 }, 2688 Field: field, 2689 Weight: eval.HandlerWeight, 2690 }, nil 2691 case "link.file.destination.package.name": 2692 return &eval.StringEvaluator{ 2693 EvalFnc: func(ctx *eval.Context) string { 2694 ev := ctx.Event.(*Event) 2695 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Link.Target) 2696 }, 2697 Field: field, 2698 Weight: eval.HandlerWeight, 2699 }, nil 2700 case "link.file.destination.package.source_version": 2701 return &eval.StringEvaluator{ 2702 EvalFnc: func(ctx *eval.Context) string 
{ 2703 ev := ctx.Event.(*Event) 2704 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Link.Target) 2705 }, 2706 Field: field, 2707 Weight: eval.HandlerWeight, 2708 }, nil 2709 case "link.file.destination.package.version": 2710 return &eval.StringEvaluator{ 2711 EvalFnc: func(ctx *eval.Context) string { 2712 ev := ctx.Event.(*Event) 2713 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Link.Target) 2714 }, 2715 Field: field, 2716 Weight: eval.HandlerWeight, 2717 }, nil 2718 case "link.file.destination.path": 2719 return &eval.StringEvaluator{ 2720 OpOverrides: ProcessSymlinkPathname, 2721 EvalFnc: func(ctx *eval.Context) string { 2722 ev := ctx.Event.(*Event) 2723 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Target) 2724 }, 2725 Field: field, 2726 Weight: eval.HandlerWeight, 2727 }, nil 2728 case "link.file.destination.path.length": 2729 return &eval.IntEvaluator{ 2730 OpOverrides: ProcessSymlinkPathname, 2731 EvalFnc: func(ctx *eval.Context) int { 2732 ev := ctx.Event.(*Event) 2733 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Target)) 2734 }, 2735 Field: field, 2736 Weight: eval.HandlerWeight, 2737 }, nil 2738 case "link.file.destination.rights": 2739 return &eval.IntEvaluator{ 2740 EvalFnc: func(ctx *eval.Context) int { 2741 ev := ctx.Event.(*Event) 2742 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Link.Target.FileFields)) 2743 }, 2744 Field: field, 2745 Weight: eval.HandlerWeight, 2746 }, nil 2747 case "link.file.destination.uid": 2748 return &eval.IntEvaluator{ 2749 EvalFnc: func(ctx *eval.Context) int { 2750 ev := ctx.Event.(*Event) 2751 return int(ev.Link.Target.FileFields.UID) 2752 }, 2753 Field: field, 2754 Weight: eval.FunctionWeight, 2755 }, nil 2756 case "link.file.destination.user": 2757 return &eval.StringEvaluator{ 2758 EvalFnc: func(ctx *eval.Context) string { 2759 ev := ctx.Event.(*Event) 2760 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Link.Target.FileFields) 2761 }, 2762 Field: field, 2763 Weight: 
eval.HandlerWeight, 2764 }, nil 2765 case "link.file.filesystem": 2766 return &eval.StringEvaluator{ 2767 EvalFnc: func(ctx *eval.Context) string { 2768 ev := ctx.Event.(*Event) 2769 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Link.Source) 2770 }, 2771 Field: field, 2772 Weight: eval.HandlerWeight, 2773 }, nil 2774 case "link.file.gid": 2775 return &eval.IntEvaluator{ 2776 EvalFnc: func(ctx *eval.Context) int { 2777 ev := ctx.Event.(*Event) 2778 return int(ev.Link.Source.FileFields.GID) 2779 }, 2780 Field: field, 2781 Weight: eval.FunctionWeight, 2782 }, nil 2783 case "link.file.group": 2784 return &eval.StringEvaluator{ 2785 EvalFnc: func(ctx *eval.Context) string { 2786 ev := ctx.Event.(*Event) 2787 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Link.Source.FileFields) 2788 }, 2789 Field: field, 2790 Weight: eval.HandlerWeight, 2791 }, nil 2792 case "link.file.hashes": 2793 return &eval.StringArrayEvaluator{ 2794 EvalFnc: func(ctx *eval.Context) []string { 2795 ev := ctx.Event.(*Event) 2796 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Link.Source) 2797 }, 2798 Field: field, 2799 Weight: 999 * eval.HandlerWeight, 2800 }, nil 2801 case "link.file.in_upper_layer": 2802 return &eval.BoolEvaluator{ 2803 EvalFnc: func(ctx *eval.Context) bool { 2804 ev := ctx.Event.(*Event) 2805 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Link.Source.FileFields) 2806 }, 2807 Field: field, 2808 Weight: eval.HandlerWeight, 2809 }, nil 2810 case "link.file.inode": 2811 return &eval.IntEvaluator{ 2812 EvalFnc: func(ctx *eval.Context) int { 2813 ev := ctx.Event.(*Event) 2814 return int(ev.Link.Source.FileFields.PathKey.Inode) 2815 }, 2816 Field: field, 2817 Weight: eval.FunctionWeight, 2818 }, nil 2819 case "link.file.mode": 2820 return &eval.IntEvaluator{ 2821 EvalFnc: func(ctx *eval.Context) int { 2822 ev := ctx.Event.(*Event) 2823 return int(ev.Link.Source.FileFields.Mode) 2824 }, 2825 Field: field, 2826 Weight: eval.FunctionWeight, 2827 }, 
nil 2828 case "link.file.modification_time": 2829 return &eval.IntEvaluator{ 2830 EvalFnc: func(ctx *eval.Context) int { 2831 ev := ctx.Event.(*Event) 2832 return int(ev.Link.Source.FileFields.MTime) 2833 }, 2834 Field: field, 2835 Weight: eval.FunctionWeight, 2836 }, nil 2837 case "link.file.mount_id": 2838 return &eval.IntEvaluator{ 2839 EvalFnc: func(ctx *eval.Context) int { 2840 ev := ctx.Event.(*Event) 2841 return int(ev.Link.Source.FileFields.PathKey.MountID) 2842 }, 2843 Field: field, 2844 Weight: eval.FunctionWeight, 2845 }, nil 2846 case "link.file.name": 2847 return &eval.StringEvaluator{ 2848 OpOverrides: ProcessSymlinkBasename, 2849 EvalFnc: func(ctx *eval.Context) string { 2850 ev := ctx.Event.(*Event) 2851 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Source) 2852 }, 2853 Field: field, 2854 Weight: eval.HandlerWeight, 2855 }, nil 2856 case "link.file.name.length": 2857 return &eval.IntEvaluator{ 2858 OpOverrides: ProcessSymlinkBasename, 2859 EvalFnc: func(ctx *eval.Context) int { 2860 ev := ctx.Event.(*Event) 2861 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Source)) 2862 }, 2863 Field: field, 2864 Weight: eval.HandlerWeight, 2865 }, nil 2866 case "link.file.package.name": 2867 return &eval.StringEvaluator{ 2868 EvalFnc: func(ctx *eval.Context) string { 2869 ev := ctx.Event.(*Event) 2870 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Link.Source) 2871 }, 2872 Field: field, 2873 Weight: eval.HandlerWeight, 2874 }, nil 2875 case "link.file.package.source_version": 2876 return &eval.StringEvaluator{ 2877 EvalFnc: func(ctx *eval.Context) string { 2878 ev := ctx.Event.(*Event) 2879 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Link.Source) 2880 }, 2881 Field: field, 2882 Weight: eval.HandlerWeight, 2883 }, nil 2884 case "link.file.package.version": 2885 return &eval.StringEvaluator{ 2886 EvalFnc: func(ctx *eval.Context) string { 2887 ev := ctx.Event.(*Event) 2888 return ev.FieldHandlers.ResolvePackageVersion(ev, 
&ev.Link.Source) 2889 }, 2890 Field: field, 2891 Weight: eval.HandlerWeight, 2892 }, nil 2893 case "link.file.path": 2894 return &eval.StringEvaluator{ 2895 OpOverrides: ProcessSymlinkPathname, 2896 EvalFnc: func(ctx *eval.Context) string { 2897 ev := ctx.Event.(*Event) 2898 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Source) 2899 }, 2900 Field: field, 2901 Weight: eval.HandlerWeight, 2902 }, nil 2903 case "link.file.path.length": 2904 return &eval.IntEvaluator{ 2905 OpOverrides: ProcessSymlinkPathname, 2906 EvalFnc: func(ctx *eval.Context) int { 2907 ev := ctx.Event.(*Event) 2908 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Source)) 2909 }, 2910 Field: field, 2911 Weight: eval.HandlerWeight, 2912 }, nil 2913 case "link.file.rights": 2914 return &eval.IntEvaluator{ 2915 EvalFnc: func(ctx *eval.Context) int { 2916 ev := ctx.Event.(*Event) 2917 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Link.Source.FileFields)) 2918 }, 2919 Field: field, 2920 Weight: eval.HandlerWeight, 2921 }, nil 2922 case "link.file.uid": 2923 return &eval.IntEvaluator{ 2924 EvalFnc: func(ctx *eval.Context) int { 2925 ev := ctx.Event.(*Event) 2926 return int(ev.Link.Source.FileFields.UID) 2927 }, 2928 Field: field, 2929 Weight: eval.FunctionWeight, 2930 }, nil 2931 case "link.file.user": 2932 return &eval.StringEvaluator{ 2933 EvalFnc: func(ctx *eval.Context) string { 2934 ev := ctx.Event.(*Event) 2935 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Link.Source.FileFields) 2936 }, 2937 Field: field, 2938 Weight: eval.HandlerWeight, 2939 }, nil 2940 case "link.retval": 2941 return &eval.IntEvaluator{ 2942 EvalFnc: func(ctx *eval.Context) int { 2943 ev := ctx.Event.(*Event) 2944 return int(ev.Link.SyscallEvent.Retval) 2945 }, 2946 Field: field, 2947 Weight: eval.FunctionWeight, 2948 }, nil 2949 case "load_module.args": 2950 return &eval.StringEvaluator{ 2951 EvalFnc: func(ctx *eval.Context) string { 2952 ev := ctx.Event.(*Event) 2953 return 
ev.FieldHandlers.ResolveModuleArgs(ev, &ev.LoadModule) 2954 }, 2955 Field: field, 2956 Weight: eval.HandlerWeight, 2957 }, nil 2958 case "load_module.args_truncated": 2959 return &eval.BoolEvaluator{ 2960 EvalFnc: func(ctx *eval.Context) bool { 2961 ev := ctx.Event.(*Event) 2962 return ev.LoadModule.ArgsTruncated 2963 }, 2964 Field: field, 2965 Weight: eval.FunctionWeight, 2966 }, nil 2967 case "load_module.argv": 2968 return &eval.StringArrayEvaluator{ 2969 EvalFnc: func(ctx *eval.Context) []string { 2970 ev := ctx.Event.(*Event) 2971 return ev.FieldHandlers.ResolveModuleArgv(ev, &ev.LoadModule) 2972 }, 2973 Field: field, 2974 Weight: eval.HandlerWeight, 2975 }, nil 2976 case "load_module.file.change_time": 2977 return &eval.IntEvaluator{ 2978 EvalFnc: func(ctx *eval.Context) int { 2979 ev := ctx.Event.(*Event) 2980 return int(ev.LoadModule.File.FileFields.CTime) 2981 }, 2982 Field: field, 2983 Weight: eval.FunctionWeight, 2984 }, nil 2985 case "load_module.file.filesystem": 2986 return &eval.StringEvaluator{ 2987 EvalFnc: func(ctx *eval.Context) string { 2988 ev := ctx.Event.(*Event) 2989 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.LoadModule.File) 2990 }, 2991 Field: field, 2992 Weight: eval.HandlerWeight, 2993 }, nil 2994 case "load_module.file.gid": 2995 return &eval.IntEvaluator{ 2996 EvalFnc: func(ctx *eval.Context) int { 2997 ev := ctx.Event.(*Event) 2998 return int(ev.LoadModule.File.FileFields.GID) 2999 }, 3000 Field: field, 3001 Weight: eval.FunctionWeight, 3002 }, nil 3003 case "load_module.file.group": 3004 return &eval.StringEvaluator{ 3005 EvalFnc: func(ctx *eval.Context) string { 3006 ev := ctx.Event.(*Event) 3007 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.LoadModule.File.FileFields) 3008 }, 3009 Field: field, 3010 Weight: eval.HandlerWeight, 3011 }, nil 3012 case "load_module.file.hashes": 3013 return &eval.StringArrayEvaluator{ 3014 EvalFnc: func(ctx *eval.Context) []string { 3015 ev := ctx.Event.(*Event) 3016 return 
ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.LoadModule.File) 3017 }, 3018 Field: field, 3019 Weight: 999 * eval.HandlerWeight, 3020 }, nil 3021 case "load_module.file.in_upper_layer": 3022 return &eval.BoolEvaluator{ 3023 EvalFnc: func(ctx *eval.Context) bool { 3024 ev := ctx.Event.(*Event) 3025 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.LoadModule.File.FileFields) 3026 }, 3027 Field: field, 3028 Weight: eval.HandlerWeight, 3029 }, nil 3030 case "load_module.file.inode": 3031 return &eval.IntEvaluator{ 3032 EvalFnc: func(ctx *eval.Context) int { 3033 ev := ctx.Event.(*Event) 3034 return int(ev.LoadModule.File.FileFields.PathKey.Inode) 3035 }, 3036 Field: field, 3037 Weight: eval.FunctionWeight, 3038 }, nil 3039 case "load_module.file.mode": 3040 return &eval.IntEvaluator{ 3041 EvalFnc: func(ctx *eval.Context) int { 3042 ev := ctx.Event.(*Event) 3043 return int(ev.LoadModule.File.FileFields.Mode) 3044 }, 3045 Field: field, 3046 Weight: eval.FunctionWeight, 3047 }, nil 3048 case "load_module.file.modification_time": 3049 return &eval.IntEvaluator{ 3050 EvalFnc: func(ctx *eval.Context) int { 3051 ev := ctx.Event.(*Event) 3052 return int(ev.LoadModule.File.FileFields.MTime) 3053 }, 3054 Field: field, 3055 Weight: eval.FunctionWeight, 3056 }, nil 3057 case "load_module.file.mount_id": 3058 return &eval.IntEvaluator{ 3059 EvalFnc: func(ctx *eval.Context) int { 3060 ev := ctx.Event.(*Event) 3061 return int(ev.LoadModule.File.FileFields.PathKey.MountID) 3062 }, 3063 Field: field, 3064 Weight: eval.FunctionWeight, 3065 }, nil 3066 case "load_module.file.name": 3067 return &eval.StringEvaluator{ 3068 OpOverrides: ProcessSymlinkBasename, 3069 EvalFnc: func(ctx *eval.Context) string { 3070 ev := ctx.Event.(*Event) 3071 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.LoadModule.File) 3072 }, 3073 Field: field, 3074 Weight: eval.HandlerWeight, 3075 }, nil 3076 case "load_module.file.name.length": 3077 return &eval.IntEvaluator{ 3078 OpOverrides: 
ProcessSymlinkBasename, 3079 EvalFnc: func(ctx *eval.Context) int { 3080 ev := ctx.Event.(*Event) 3081 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.LoadModule.File)) 3082 }, 3083 Field: field, 3084 Weight: eval.HandlerWeight, 3085 }, nil 3086 case "load_module.file.package.name": 3087 return &eval.StringEvaluator{ 3088 EvalFnc: func(ctx *eval.Context) string { 3089 ev := ctx.Event.(*Event) 3090 return ev.FieldHandlers.ResolvePackageName(ev, &ev.LoadModule.File) 3091 }, 3092 Field: field, 3093 Weight: eval.HandlerWeight, 3094 }, nil 3095 case "load_module.file.package.source_version": 3096 return &eval.StringEvaluator{ 3097 EvalFnc: func(ctx *eval.Context) string { 3098 ev := ctx.Event.(*Event) 3099 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.LoadModule.File) 3100 }, 3101 Field: field, 3102 Weight: eval.HandlerWeight, 3103 }, nil 3104 case "load_module.file.package.version": 3105 return &eval.StringEvaluator{ 3106 EvalFnc: func(ctx *eval.Context) string { 3107 ev := ctx.Event.(*Event) 3108 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.LoadModule.File) 3109 }, 3110 Field: field, 3111 Weight: eval.HandlerWeight, 3112 }, nil 3113 case "load_module.file.path": 3114 return &eval.StringEvaluator{ 3115 OpOverrides: ProcessSymlinkPathname, 3116 EvalFnc: func(ctx *eval.Context) string { 3117 ev := ctx.Event.(*Event) 3118 return ev.FieldHandlers.ResolveFilePath(ev, &ev.LoadModule.File) 3119 }, 3120 Field: field, 3121 Weight: eval.HandlerWeight, 3122 }, nil 3123 case "load_module.file.path.length": 3124 return &eval.IntEvaluator{ 3125 OpOverrides: ProcessSymlinkPathname, 3126 EvalFnc: func(ctx *eval.Context) int { 3127 ev := ctx.Event.(*Event) 3128 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.LoadModule.File)) 3129 }, 3130 Field: field, 3131 Weight: eval.HandlerWeight, 3132 }, nil 3133 case "load_module.file.rights": 3134 return &eval.IntEvaluator{ 3135 EvalFnc: func(ctx *eval.Context) int { 3136 ev := ctx.Event.(*Event) 3137 return 
int(ev.FieldHandlers.ResolveRights(ev, &ev.LoadModule.File.FileFields)) 3138 }, 3139 Field: field, 3140 Weight: eval.HandlerWeight, 3141 }, nil 3142 case "load_module.file.uid": 3143 return &eval.IntEvaluator{ 3144 EvalFnc: func(ctx *eval.Context) int { 3145 ev := ctx.Event.(*Event) 3146 return int(ev.LoadModule.File.FileFields.UID) 3147 }, 3148 Field: field, 3149 Weight: eval.FunctionWeight, 3150 }, nil 3151 case "load_module.file.user": 3152 return &eval.StringEvaluator{ 3153 EvalFnc: func(ctx *eval.Context) string { 3154 ev := ctx.Event.(*Event) 3155 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.LoadModule.File.FileFields) 3156 }, 3157 Field: field, 3158 Weight: eval.HandlerWeight, 3159 }, nil 3160 case "load_module.loaded_from_memory": 3161 return &eval.BoolEvaluator{ 3162 EvalFnc: func(ctx *eval.Context) bool { 3163 ev := ctx.Event.(*Event) 3164 return ev.LoadModule.LoadedFromMemory 3165 }, 3166 Field: field, 3167 Weight: eval.FunctionWeight, 3168 }, nil 3169 case "load_module.name": 3170 return &eval.StringEvaluator{ 3171 EvalFnc: func(ctx *eval.Context) string { 3172 ev := ctx.Event.(*Event) 3173 return ev.LoadModule.Name 3174 }, 3175 Field: field, 3176 Weight: eval.FunctionWeight, 3177 }, nil 3178 case "load_module.retval": 3179 return &eval.IntEvaluator{ 3180 EvalFnc: func(ctx *eval.Context) int { 3181 ev := ctx.Event.(*Event) 3182 return int(ev.LoadModule.SyscallEvent.Retval) 3183 }, 3184 Field: field, 3185 Weight: eval.FunctionWeight, 3186 }, nil 3187 case "mkdir.file.change_time": 3188 return &eval.IntEvaluator{ 3189 EvalFnc: func(ctx *eval.Context) int { 3190 ev := ctx.Event.(*Event) 3191 return int(ev.Mkdir.File.FileFields.CTime) 3192 }, 3193 Field: field, 3194 Weight: eval.FunctionWeight, 3195 }, nil 3196 case "mkdir.file.destination.mode": 3197 return &eval.IntEvaluator{ 3198 EvalFnc: func(ctx *eval.Context) int { 3199 ev := ctx.Event.(*Event) 3200 return int(ev.Mkdir.Mode) 3201 }, 3202 Field: field, 3203 Weight: eval.FunctionWeight, 3204 }, 
nil 3205 case "mkdir.file.destination.rights": 3206 return &eval.IntEvaluator{ 3207 EvalFnc: func(ctx *eval.Context) int { 3208 ev := ctx.Event.(*Event) 3209 return int(ev.Mkdir.Mode) 3210 }, 3211 Field: field, 3212 Weight: eval.FunctionWeight, 3213 }, nil 3214 case "mkdir.file.filesystem": 3215 return &eval.StringEvaluator{ 3216 EvalFnc: func(ctx *eval.Context) string { 3217 ev := ctx.Event.(*Event) 3218 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Mkdir.File) 3219 }, 3220 Field: field, 3221 Weight: eval.HandlerWeight, 3222 }, nil 3223 case "mkdir.file.gid": 3224 return &eval.IntEvaluator{ 3225 EvalFnc: func(ctx *eval.Context) int { 3226 ev := ctx.Event.(*Event) 3227 return int(ev.Mkdir.File.FileFields.GID) 3228 }, 3229 Field: field, 3230 Weight: eval.FunctionWeight, 3231 }, nil 3232 case "mkdir.file.group": 3233 return &eval.StringEvaluator{ 3234 EvalFnc: func(ctx *eval.Context) string { 3235 ev := ctx.Event.(*Event) 3236 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Mkdir.File.FileFields) 3237 }, 3238 Field: field, 3239 Weight: eval.HandlerWeight, 3240 }, nil 3241 case "mkdir.file.hashes": 3242 return &eval.StringArrayEvaluator{ 3243 EvalFnc: func(ctx *eval.Context) []string { 3244 ev := ctx.Event.(*Event) 3245 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Mkdir.File) 3246 }, 3247 Field: field, 3248 Weight: 999 * eval.HandlerWeight, 3249 }, nil 3250 case "mkdir.file.in_upper_layer": 3251 return &eval.BoolEvaluator{ 3252 EvalFnc: func(ctx *eval.Context) bool { 3253 ev := ctx.Event.(*Event) 3254 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Mkdir.File.FileFields) 3255 }, 3256 Field: field, 3257 Weight: eval.HandlerWeight, 3258 }, nil 3259 case "mkdir.file.inode": 3260 return &eval.IntEvaluator{ 3261 EvalFnc: func(ctx *eval.Context) int { 3262 ev := ctx.Event.(*Event) 3263 return int(ev.Mkdir.File.FileFields.PathKey.Inode) 3264 }, 3265 Field: field, 3266 Weight: eval.FunctionWeight, 3267 }, nil 3268 case "mkdir.file.mode": 
3269 return &eval.IntEvaluator{ 3270 EvalFnc: func(ctx *eval.Context) int { 3271 ev := ctx.Event.(*Event) 3272 return int(ev.Mkdir.File.FileFields.Mode) 3273 }, 3274 Field: field, 3275 Weight: eval.FunctionWeight, 3276 }, nil 3277 case "mkdir.file.modification_time": 3278 return &eval.IntEvaluator{ 3279 EvalFnc: func(ctx *eval.Context) int { 3280 ev := ctx.Event.(*Event) 3281 return int(ev.Mkdir.File.FileFields.MTime) 3282 }, 3283 Field: field, 3284 Weight: eval.FunctionWeight, 3285 }, nil 3286 case "mkdir.file.mount_id": 3287 return &eval.IntEvaluator{ 3288 EvalFnc: func(ctx *eval.Context) int { 3289 ev := ctx.Event.(*Event) 3290 return int(ev.Mkdir.File.FileFields.PathKey.MountID) 3291 }, 3292 Field: field, 3293 Weight: eval.FunctionWeight, 3294 }, nil 3295 case "mkdir.file.name": 3296 return &eval.StringEvaluator{ 3297 OpOverrides: ProcessSymlinkBasename, 3298 EvalFnc: func(ctx *eval.Context) string { 3299 ev := ctx.Event.(*Event) 3300 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Mkdir.File) 3301 }, 3302 Field: field, 3303 Weight: eval.HandlerWeight, 3304 }, nil 3305 case "mkdir.file.name.length": 3306 return &eval.IntEvaluator{ 3307 OpOverrides: ProcessSymlinkBasename, 3308 EvalFnc: func(ctx *eval.Context) int { 3309 ev := ctx.Event.(*Event) 3310 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Mkdir.File)) 3311 }, 3312 Field: field, 3313 Weight: eval.HandlerWeight, 3314 }, nil 3315 case "mkdir.file.package.name": 3316 return &eval.StringEvaluator{ 3317 EvalFnc: func(ctx *eval.Context) string { 3318 ev := ctx.Event.(*Event) 3319 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Mkdir.File) 3320 }, 3321 Field: field, 3322 Weight: eval.HandlerWeight, 3323 }, nil 3324 case "mkdir.file.package.source_version": 3325 return &eval.StringEvaluator{ 3326 EvalFnc: func(ctx *eval.Context) string { 3327 ev := ctx.Event.(*Event) 3328 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Mkdir.File) 3329 }, 3330 Field: field, 3331 Weight: 
eval.HandlerWeight, 3332 }, nil 3333 case "mkdir.file.package.version": 3334 return &eval.StringEvaluator{ 3335 EvalFnc: func(ctx *eval.Context) string { 3336 ev := ctx.Event.(*Event) 3337 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Mkdir.File) 3338 }, 3339 Field: field, 3340 Weight: eval.HandlerWeight, 3341 }, nil 3342 case "mkdir.file.path": 3343 return &eval.StringEvaluator{ 3344 OpOverrides: ProcessSymlinkPathname, 3345 EvalFnc: func(ctx *eval.Context) string { 3346 ev := ctx.Event.(*Event) 3347 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Mkdir.File) 3348 }, 3349 Field: field, 3350 Weight: eval.HandlerWeight, 3351 }, nil 3352 case "mkdir.file.path.length": 3353 return &eval.IntEvaluator{ 3354 OpOverrides: ProcessSymlinkPathname, 3355 EvalFnc: func(ctx *eval.Context) int { 3356 ev := ctx.Event.(*Event) 3357 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Mkdir.File)) 3358 }, 3359 Field: field, 3360 Weight: eval.HandlerWeight, 3361 }, nil 3362 case "mkdir.file.rights": 3363 return &eval.IntEvaluator{ 3364 EvalFnc: func(ctx *eval.Context) int { 3365 ev := ctx.Event.(*Event) 3366 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Mkdir.File.FileFields)) 3367 }, 3368 Field: field, 3369 Weight: eval.HandlerWeight, 3370 }, nil 3371 case "mkdir.file.uid": 3372 return &eval.IntEvaluator{ 3373 EvalFnc: func(ctx *eval.Context) int { 3374 ev := ctx.Event.(*Event) 3375 return int(ev.Mkdir.File.FileFields.UID) 3376 }, 3377 Field: field, 3378 Weight: eval.FunctionWeight, 3379 }, nil 3380 case "mkdir.file.user": 3381 return &eval.StringEvaluator{ 3382 EvalFnc: func(ctx *eval.Context) string { 3383 ev := ctx.Event.(*Event) 3384 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Mkdir.File.FileFields) 3385 }, 3386 Field: field, 3387 Weight: eval.HandlerWeight, 3388 }, nil 3389 case "mkdir.retval": 3390 return &eval.IntEvaluator{ 3391 EvalFnc: func(ctx *eval.Context) int { 3392 ev := ctx.Event.(*Event) 3393 return int(ev.Mkdir.SyscallEvent.Retval) 3394 }, 3395 
Field: field, 3396 Weight: eval.FunctionWeight, 3397 }, nil 3398 case "mmap.file.change_time": 3399 return &eval.IntEvaluator{ 3400 EvalFnc: func(ctx *eval.Context) int { 3401 ev := ctx.Event.(*Event) 3402 return int(ev.MMap.File.FileFields.CTime) 3403 }, 3404 Field: field, 3405 Weight: eval.FunctionWeight, 3406 }, nil 3407 case "mmap.file.filesystem": 3408 return &eval.StringEvaluator{ 3409 EvalFnc: func(ctx *eval.Context) string { 3410 ev := ctx.Event.(*Event) 3411 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.MMap.File) 3412 }, 3413 Field: field, 3414 Weight: eval.HandlerWeight, 3415 }, nil 3416 case "mmap.file.gid": 3417 return &eval.IntEvaluator{ 3418 EvalFnc: func(ctx *eval.Context) int { 3419 ev := ctx.Event.(*Event) 3420 return int(ev.MMap.File.FileFields.GID) 3421 }, 3422 Field: field, 3423 Weight: eval.FunctionWeight, 3424 }, nil 3425 case "mmap.file.group": 3426 return &eval.StringEvaluator{ 3427 EvalFnc: func(ctx *eval.Context) string { 3428 ev := ctx.Event.(*Event) 3429 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.MMap.File.FileFields) 3430 }, 3431 Field: field, 3432 Weight: eval.HandlerWeight, 3433 }, nil 3434 case "mmap.file.hashes": 3435 return &eval.StringArrayEvaluator{ 3436 EvalFnc: func(ctx *eval.Context) []string { 3437 ev := ctx.Event.(*Event) 3438 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.MMap.File) 3439 }, 3440 Field: field, 3441 Weight: 999 * eval.HandlerWeight, 3442 }, nil 3443 case "mmap.file.in_upper_layer": 3444 return &eval.BoolEvaluator{ 3445 EvalFnc: func(ctx *eval.Context) bool { 3446 ev := ctx.Event.(*Event) 3447 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.MMap.File.FileFields) 3448 }, 3449 Field: field, 3450 Weight: eval.HandlerWeight, 3451 }, nil 3452 case "mmap.file.inode": 3453 return &eval.IntEvaluator{ 3454 EvalFnc: func(ctx *eval.Context) int { 3455 ev := ctx.Event.(*Event) 3456 return int(ev.MMap.File.FileFields.PathKey.Inode) 3457 }, 3458 Field: field, 3459 Weight: 
eval.FunctionWeight, 3460 }, nil 3461 case "mmap.file.mode": 3462 return &eval.IntEvaluator{ 3463 EvalFnc: func(ctx *eval.Context) int { 3464 ev := ctx.Event.(*Event) 3465 return int(ev.MMap.File.FileFields.Mode) 3466 }, 3467 Field: field, 3468 Weight: eval.FunctionWeight, 3469 }, nil 3470 case "mmap.file.modification_time": 3471 return &eval.IntEvaluator{ 3472 EvalFnc: func(ctx *eval.Context) int { 3473 ev := ctx.Event.(*Event) 3474 return int(ev.MMap.File.FileFields.MTime) 3475 }, 3476 Field: field, 3477 Weight: eval.FunctionWeight, 3478 }, nil 3479 case "mmap.file.mount_id": 3480 return &eval.IntEvaluator{ 3481 EvalFnc: func(ctx *eval.Context) int { 3482 ev := ctx.Event.(*Event) 3483 return int(ev.MMap.File.FileFields.PathKey.MountID) 3484 }, 3485 Field: field, 3486 Weight: eval.FunctionWeight, 3487 }, nil 3488 case "mmap.file.name": 3489 return &eval.StringEvaluator{ 3490 OpOverrides: ProcessSymlinkBasename, 3491 EvalFnc: func(ctx *eval.Context) string { 3492 ev := ctx.Event.(*Event) 3493 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.MMap.File) 3494 }, 3495 Field: field, 3496 Weight: eval.HandlerWeight, 3497 }, nil 3498 case "mmap.file.name.length": 3499 return &eval.IntEvaluator{ 3500 OpOverrides: ProcessSymlinkBasename, 3501 EvalFnc: func(ctx *eval.Context) int { 3502 ev := ctx.Event.(*Event) 3503 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.MMap.File)) 3504 }, 3505 Field: field, 3506 Weight: eval.HandlerWeight, 3507 }, nil 3508 case "mmap.file.package.name": 3509 return &eval.StringEvaluator{ 3510 EvalFnc: func(ctx *eval.Context) string { 3511 ev := ctx.Event.(*Event) 3512 return ev.FieldHandlers.ResolvePackageName(ev, &ev.MMap.File) 3513 }, 3514 Field: field, 3515 Weight: eval.HandlerWeight, 3516 }, nil 3517 case "mmap.file.package.source_version": 3518 return &eval.StringEvaluator{ 3519 EvalFnc: func(ctx *eval.Context) string { 3520 ev := ctx.Event.(*Event) 3521 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.MMap.File) 3522 }, 
3523 Field: field, 3524 Weight: eval.HandlerWeight, 3525 }, nil 3526 case "mmap.file.package.version": 3527 return &eval.StringEvaluator{ 3528 EvalFnc: func(ctx *eval.Context) string { 3529 ev := ctx.Event.(*Event) 3530 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.MMap.File) 3531 }, 3532 Field: field, 3533 Weight: eval.HandlerWeight, 3534 }, nil 3535 case "mmap.file.path": 3536 return &eval.StringEvaluator{ 3537 OpOverrides: ProcessSymlinkPathname, 3538 EvalFnc: func(ctx *eval.Context) string { 3539 ev := ctx.Event.(*Event) 3540 return ev.FieldHandlers.ResolveFilePath(ev, &ev.MMap.File) 3541 }, 3542 Field: field, 3543 Weight: eval.HandlerWeight, 3544 }, nil 3545 case "mmap.file.path.length": 3546 return &eval.IntEvaluator{ 3547 OpOverrides: ProcessSymlinkPathname, 3548 EvalFnc: func(ctx *eval.Context) int { 3549 ev := ctx.Event.(*Event) 3550 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.MMap.File)) 3551 }, 3552 Field: field, 3553 Weight: eval.HandlerWeight, 3554 }, nil 3555 case "mmap.file.rights": 3556 return &eval.IntEvaluator{ 3557 EvalFnc: func(ctx *eval.Context) int { 3558 ev := ctx.Event.(*Event) 3559 return int(ev.FieldHandlers.ResolveRights(ev, &ev.MMap.File.FileFields)) 3560 }, 3561 Field: field, 3562 Weight: eval.HandlerWeight, 3563 }, nil 3564 case "mmap.file.uid": 3565 return &eval.IntEvaluator{ 3566 EvalFnc: func(ctx *eval.Context) int { 3567 ev := ctx.Event.(*Event) 3568 return int(ev.MMap.File.FileFields.UID) 3569 }, 3570 Field: field, 3571 Weight: eval.FunctionWeight, 3572 }, nil 3573 case "mmap.file.user": 3574 return &eval.StringEvaluator{ 3575 EvalFnc: func(ctx *eval.Context) string { 3576 ev := ctx.Event.(*Event) 3577 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.MMap.File.FileFields) 3578 }, 3579 Field: field, 3580 Weight: eval.HandlerWeight, 3581 }, nil 3582 case "mmap.flags": 3583 return &eval.IntEvaluator{ 3584 EvalFnc: func(ctx *eval.Context) int { 3585 ev := ctx.Event.(*Event) 3586 return int(ev.MMap.Flags) 3587 }, 
3588 Field: field, 3589 Weight: eval.FunctionWeight, 3590 }, nil 3591 case "mmap.protection": 3592 return &eval.IntEvaluator{ 3593 EvalFnc: func(ctx *eval.Context) int { 3594 ev := ctx.Event.(*Event) 3595 return int(ev.MMap.Protection) 3596 }, 3597 Field: field, 3598 Weight: eval.FunctionWeight, 3599 }, nil 3600 case "mmap.retval": 3601 return &eval.IntEvaluator{ 3602 EvalFnc: func(ctx *eval.Context) int { 3603 ev := ctx.Event.(*Event) 3604 return int(ev.MMap.SyscallEvent.Retval) 3605 }, 3606 Field: field, 3607 Weight: eval.FunctionWeight, 3608 }, nil 3609 case "mount.fs_type": 3610 return &eval.StringEvaluator{ 3611 EvalFnc: func(ctx *eval.Context) string { 3612 ev := ctx.Event.(*Event) 3613 return ev.Mount.Mount.FSType 3614 }, 3615 Field: field, 3616 Weight: eval.FunctionWeight, 3617 }, nil 3618 case "mount.mountpoint.path": 3619 return &eval.StringEvaluator{ 3620 EvalFnc: func(ctx *eval.Context) string { 3621 ev := ctx.Event.(*Event) 3622 return ev.FieldHandlers.ResolveMountPointPath(ev, &ev.Mount) 3623 }, 3624 Field: field, 3625 Weight: eval.HandlerWeight, 3626 }, nil 3627 case "mount.retval": 3628 return &eval.IntEvaluator{ 3629 EvalFnc: func(ctx *eval.Context) int { 3630 ev := ctx.Event.(*Event) 3631 return int(ev.Mount.SyscallEvent.Retval) 3632 }, 3633 Field: field, 3634 Weight: eval.FunctionWeight, 3635 }, nil 3636 case "mount.root.path": 3637 return &eval.StringEvaluator{ 3638 EvalFnc: func(ctx *eval.Context) string { 3639 ev := ctx.Event.(*Event) 3640 return ev.FieldHandlers.ResolveMountRootPath(ev, &ev.Mount) 3641 }, 3642 Field: field, 3643 Weight: eval.HandlerWeight, 3644 }, nil 3645 case "mount.source.path": 3646 return &eval.StringEvaluator{ 3647 EvalFnc: func(ctx *eval.Context) string { 3648 ev := ctx.Event.(*Event) 3649 return ev.FieldHandlers.ResolveMountSourcePath(ev, &ev.Mount) 3650 }, 3651 Field: field, 3652 Weight: eval.HandlerWeight, 3653 }, nil 3654 case "mprotect.req_protection": 3655 return &eval.IntEvaluator{ 3656 EvalFnc: func(ctx 
*eval.Context) int { 3657 ev := ctx.Event.(*Event) 3658 return ev.MProtect.ReqProtection 3659 }, 3660 Field: field, 3661 Weight: eval.FunctionWeight, 3662 }, nil 3663 case "mprotect.retval": 3664 return &eval.IntEvaluator{ 3665 EvalFnc: func(ctx *eval.Context) int { 3666 ev := ctx.Event.(*Event) 3667 return int(ev.MProtect.SyscallEvent.Retval) 3668 }, 3669 Field: field, 3670 Weight: eval.FunctionWeight, 3671 }, nil 3672 case "mprotect.vm_protection": 3673 return &eval.IntEvaluator{ 3674 EvalFnc: func(ctx *eval.Context) int { 3675 ev := ctx.Event.(*Event) 3676 return ev.MProtect.VMProtection 3677 }, 3678 Field: field, 3679 Weight: eval.FunctionWeight, 3680 }, nil 3681 case "network.destination.ip": 3682 return &eval.CIDREvaluator{ 3683 EvalFnc: func(ctx *eval.Context) net.IPNet { 3684 ev := ctx.Event.(*Event) 3685 return ev.NetworkContext.Destination.IPNet 3686 }, 3687 Field: field, 3688 Weight: eval.FunctionWeight, 3689 }, nil 3690 case "network.destination.port": 3691 return &eval.IntEvaluator{ 3692 EvalFnc: func(ctx *eval.Context) int { 3693 ev := ctx.Event.(*Event) 3694 return int(ev.NetworkContext.Destination.Port) 3695 }, 3696 Field: field, 3697 Weight: eval.FunctionWeight, 3698 }, nil 3699 case "network.device.ifindex": 3700 return &eval.IntEvaluator{ 3701 EvalFnc: func(ctx *eval.Context) int { 3702 ev := ctx.Event.(*Event) 3703 return int(ev.NetworkContext.Device.IfIndex) 3704 }, 3705 Field: field, 3706 Weight: eval.FunctionWeight, 3707 }, nil 3708 case "network.device.ifname": 3709 return &eval.StringEvaluator{ 3710 EvalFnc: func(ctx *eval.Context) string { 3711 ev := ctx.Event.(*Event) 3712 return ev.FieldHandlers.ResolveNetworkDeviceIfName(ev, &ev.NetworkContext.Device) 3713 }, 3714 Field: field, 3715 Weight: eval.HandlerWeight, 3716 }, nil 3717 case "network.l3_protocol": 3718 return &eval.IntEvaluator{ 3719 EvalFnc: func(ctx *eval.Context) int { 3720 ev := ctx.Event.(*Event) 3721 return int(ev.NetworkContext.L3Protocol) 3722 }, 3723 Field: field, 3724 
Weight: eval.FunctionWeight, 3725 }, nil 3726 case "network.l4_protocol": 3727 return &eval.IntEvaluator{ 3728 EvalFnc: func(ctx *eval.Context) int { 3729 ev := ctx.Event.(*Event) 3730 return int(ev.NetworkContext.L4Protocol) 3731 }, 3732 Field: field, 3733 Weight: eval.FunctionWeight, 3734 }, nil 3735 case "network.size": 3736 return &eval.IntEvaluator{ 3737 EvalFnc: func(ctx *eval.Context) int { 3738 ev := ctx.Event.(*Event) 3739 return int(ev.NetworkContext.Size) 3740 }, 3741 Field: field, 3742 Weight: eval.FunctionWeight, 3743 }, nil 3744 case "network.source.ip": 3745 return &eval.CIDREvaluator{ 3746 EvalFnc: func(ctx *eval.Context) net.IPNet { 3747 ev := ctx.Event.(*Event) 3748 return ev.NetworkContext.Source.IPNet 3749 }, 3750 Field: field, 3751 Weight: eval.FunctionWeight, 3752 }, nil 3753 case "network.source.port": 3754 return &eval.IntEvaluator{ 3755 EvalFnc: func(ctx *eval.Context) int { 3756 ev := ctx.Event.(*Event) 3757 return int(ev.NetworkContext.Source.Port) 3758 }, 3759 Field: field, 3760 Weight: eval.FunctionWeight, 3761 }, nil 3762 case "open.file.change_time": 3763 return &eval.IntEvaluator{ 3764 EvalFnc: func(ctx *eval.Context) int { 3765 ev := ctx.Event.(*Event) 3766 return int(ev.Open.File.FileFields.CTime) 3767 }, 3768 Field: field, 3769 Weight: eval.FunctionWeight, 3770 }, nil 3771 case "open.file.destination.mode": 3772 return &eval.IntEvaluator{ 3773 EvalFnc: func(ctx *eval.Context) int { 3774 ev := ctx.Event.(*Event) 3775 return int(ev.Open.Mode) 3776 }, 3777 Field: field, 3778 Weight: eval.FunctionWeight, 3779 }, nil 3780 case "open.file.filesystem": 3781 return &eval.StringEvaluator{ 3782 EvalFnc: func(ctx *eval.Context) string { 3783 ev := ctx.Event.(*Event) 3784 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Open.File) 3785 }, 3786 Field: field, 3787 Weight: eval.HandlerWeight, 3788 }, nil 3789 case "open.file.gid": 3790 return &eval.IntEvaluator{ 3791 EvalFnc: func(ctx *eval.Context) int { 3792 ev := ctx.Event.(*Event) 3793 
return int(ev.Open.File.FileFields.GID) 3794 }, 3795 Field: field, 3796 Weight: eval.FunctionWeight, 3797 }, nil 3798 case "open.file.group": 3799 return &eval.StringEvaluator{ 3800 EvalFnc: func(ctx *eval.Context) string { 3801 ev := ctx.Event.(*Event) 3802 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Open.File.FileFields) 3803 }, 3804 Field: field, 3805 Weight: eval.HandlerWeight, 3806 }, nil 3807 case "open.file.hashes": 3808 return &eval.StringArrayEvaluator{ 3809 EvalFnc: func(ctx *eval.Context) []string { 3810 ev := ctx.Event.(*Event) 3811 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Open.File) 3812 }, 3813 Field: field, 3814 Weight: 999 * eval.HandlerWeight, 3815 }, nil 3816 case "open.file.in_upper_layer": 3817 return &eval.BoolEvaluator{ 3818 EvalFnc: func(ctx *eval.Context) bool { 3819 ev := ctx.Event.(*Event) 3820 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Open.File.FileFields) 3821 }, 3822 Field: field, 3823 Weight: eval.HandlerWeight, 3824 }, nil 3825 case "open.file.inode": 3826 return &eval.IntEvaluator{ 3827 EvalFnc: func(ctx *eval.Context) int { 3828 ev := ctx.Event.(*Event) 3829 return int(ev.Open.File.FileFields.PathKey.Inode) 3830 }, 3831 Field: field, 3832 Weight: eval.FunctionWeight, 3833 }, nil 3834 case "open.file.mode": 3835 return &eval.IntEvaluator{ 3836 EvalFnc: func(ctx *eval.Context) int { 3837 ev := ctx.Event.(*Event) 3838 return int(ev.Open.File.FileFields.Mode) 3839 }, 3840 Field: field, 3841 Weight: eval.FunctionWeight, 3842 }, nil 3843 case "open.file.modification_time": 3844 return &eval.IntEvaluator{ 3845 EvalFnc: func(ctx *eval.Context) int { 3846 ev := ctx.Event.(*Event) 3847 return int(ev.Open.File.FileFields.MTime) 3848 }, 3849 Field: field, 3850 Weight: eval.FunctionWeight, 3851 }, nil 3852 case "open.file.mount_id": 3853 return &eval.IntEvaluator{ 3854 EvalFnc: func(ctx *eval.Context) int { 3855 ev := ctx.Event.(*Event) 3856 return int(ev.Open.File.FileFields.PathKey.MountID) 3857 }, 
3858 Field: field, 3859 Weight: eval.FunctionWeight, 3860 }, nil 3861 case "open.file.name": 3862 return &eval.StringEvaluator{ 3863 OpOverrides: ProcessSymlinkBasename, 3864 EvalFnc: func(ctx *eval.Context) string { 3865 ev := ctx.Event.(*Event) 3866 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Open.File) 3867 }, 3868 Field: field, 3869 Weight: eval.HandlerWeight, 3870 }, nil 3871 case "open.file.name.length": 3872 return &eval.IntEvaluator{ 3873 OpOverrides: ProcessSymlinkBasename, 3874 EvalFnc: func(ctx *eval.Context) int { 3875 ev := ctx.Event.(*Event) 3876 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Open.File)) 3877 }, 3878 Field: field, 3879 Weight: eval.HandlerWeight, 3880 }, nil 3881 case "open.file.package.name": 3882 return &eval.StringEvaluator{ 3883 EvalFnc: func(ctx *eval.Context) string { 3884 ev := ctx.Event.(*Event) 3885 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Open.File) 3886 }, 3887 Field: field, 3888 Weight: eval.HandlerWeight, 3889 }, nil 3890 case "open.file.package.source_version": 3891 return &eval.StringEvaluator{ 3892 EvalFnc: func(ctx *eval.Context) string { 3893 ev := ctx.Event.(*Event) 3894 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Open.File) 3895 }, 3896 Field: field, 3897 Weight: eval.HandlerWeight, 3898 }, nil 3899 case "open.file.package.version": 3900 return &eval.StringEvaluator{ 3901 EvalFnc: func(ctx *eval.Context) string { 3902 ev := ctx.Event.(*Event) 3903 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Open.File) 3904 }, 3905 Field: field, 3906 Weight: eval.HandlerWeight, 3907 }, nil 3908 case "open.file.path": 3909 return &eval.StringEvaluator{ 3910 OpOverrides: ProcessSymlinkPathname, 3911 EvalFnc: func(ctx *eval.Context) string { 3912 ev := ctx.Event.(*Event) 3913 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Open.File) 3914 }, 3915 Field: field, 3916 Weight: eval.HandlerWeight, 3917 }, nil 3918 case "open.file.path.length": 3919 return &eval.IntEvaluator{ 3920 
OpOverrides: ProcessSymlinkPathname, 3921 EvalFnc: func(ctx *eval.Context) int { 3922 ev := ctx.Event.(*Event) 3923 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Open.File)) 3924 }, 3925 Field: field, 3926 Weight: eval.HandlerWeight, 3927 }, nil 3928 case "open.file.rights": 3929 return &eval.IntEvaluator{ 3930 EvalFnc: func(ctx *eval.Context) int { 3931 ev := ctx.Event.(*Event) 3932 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Open.File.FileFields)) 3933 }, 3934 Field: field, 3935 Weight: eval.HandlerWeight, 3936 }, nil 3937 case "open.file.uid": 3938 return &eval.IntEvaluator{ 3939 EvalFnc: func(ctx *eval.Context) int { 3940 ev := ctx.Event.(*Event) 3941 return int(ev.Open.File.FileFields.UID) 3942 }, 3943 Field: field, 3944 Weight: eval.FunctionWeight, 3945 }, nil 3946 case "open.file.user": 3947 return &eval.StringEvaluator{ 3948 EvalFnc: func(ctx *eval.Context) string { 3949 ev := ctx.Event.(*Event) 3950 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Open.File.FileFields) 3951 }, 3952 Field: field, 3953 Weight: eval.HandlerWeight, 3954 }, nil 3955 case "open.flags": 3956 return &eval.IntEvaluator{ 3957 EvalFnc: func(ctx *eval.Context) int { 3958 ev := ctx.Event.(*Event) 3959 return int(ev.Open.Flags) 3960 }, 3961 Field: field, 3962 Weight: eval.FunctionWeight, 3963 }, nil 3964 case "open.retval": 3965 return &eval.IntEvaluator{ 3966 EvalFnc: func(ctx *eval.Context) int { 3967 ev := ctx.Event.(*Event) 3968 return int(ev.Open.SyscallEvent.Retval) 3969 }, 3970 Field: field, 3971 Weight: eval.FunctionWeight, 3972 }, nil 3973 case "process.ancestors.args": 3974 return &eval.StringArrayEvaluator{ 3975 EvalFnc: func(ctx *eval.Context) []string { 3976 ev := ctx.Event.(*Event) 3977 if result, ok := ctx.StringCache[field]; ok { 3978 return result 3979 } 3980 var results []string 3981 iterator := &ProcessAncestorsIterator{} 3982 value := iterator.Front(ctx) 3983 for value != nil { 3984 element := (*ProcessCacheEntry)(value) 3985 result := 
ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process) 3986 results = append(results, result) 3987 value = iterator.Next() 3988 } 3989 ctx.StringCache[field] = results 3990 return results 3991 }, Field: field, 3992 Weight: 500 * eval.IteratorWeight, 3993 }, nil 3994 case "process.ancestors.args_flags": 3995 return &eval.StringArrayEvaluator{ 3996 EvalFnc: func(ctx *eval.Context) []string { 3997 ev := ctx.Event.(*Event) 3998 if result, ok := ctx.StringCache[field]; ok { 3999 return result 4000 } 4001 var results []string 4002 iterator := &ProcessAncestorsIterator{} 4003 value := iterator.Front(ctx) 4004 for value != nil { 4005 element := (*ProcessCacheEntry)(value) 4006 result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process) 4007 results = append(results, result...) 4008 value = iterator.Next() 4009 } 4010 ctx.StringCache[field] = results 4011 return results 4012 }, Field: field, 4013 Weight: eval.IteratorWeight, 4014 }, nil 4015 case "process.ancestors.args_options": 4016 return &eval.StringArrayEvaluator{ 4017 EvalFnc: func(ctx *eval.Context) []string { 4018 ev := ctx.Event.(*Event) 4019 if result, ok := ctx.StringCache[field]; ok { 4020 return result 4021 } 4022 var results []string 4023 iterator := &ProcessAncestorsIterator{} 4024 value := iterator.Front(ctx) 4025 for value != nil { 4026 element := (*ProcessCacheEntry)(value) 4027 result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process) 4028 results = append(results, result...) 
4029 value = iterator.Next() 4030 } 4031 ctx.StringCache[field] = results 4032 return results 4033 }, Field: field, 4034 Weight: eval.IteratorWeight, 4035 }, nil 4036 case "process.ancestors.args_truncated": 4037 return &eval.BoolArrayEvaluator{ 4038 EvalFnc: func(ctx *eval.Context) []bool { 4039 ev := ctx.Event.(*Event) 4040 if result, ok := ctx.BoolCache[field]; ok { 4041 return result 4042 } 4043 var results []bool 4044 iterator := &ProcessAncestorsIterator{} 4045 value := iterator.Front(ctx) 4046 for value != nil { 4047 element := (*ProcessCacheEntry)(value) 4048 result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process) 4049 results = append(results, result) 4050 value = iterator.Next() 4051 } 4052 ctx.BoolCache[field] = results 4053 return results 4054 }, Field: field, 4055 Weight: eval.IteratorWeight, 4056 }, nil 4057 case "process.ancestors.argv": 4058 return &eval.StringArrayEvaluator{ 4059 EvalFnc: func(ctx *eval.Context) []string { 4060 ev := ctx.Event.(*Event) 4061 if result, ok := ctx.StringCache[field]; ok { 4062 return result 4063 } 4064 var results []string 4065 iterator := &ProcessAncestorsIterator{} 4066 value := iterator.Front(ctx) 4067 for value != nil { 4068 element := (*ProcessCacheEntry)(value) 4069 result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process) 4070 results = append(results, result...) 
4071 value = iterator.Next() 4072 } 4073 ctx.StringCache[field] = results 4074 return results 4075 }, Field: field, 4076 Weight: 500 * eval.IteratorWeight, 4077 }, nil 4078 case "process.ancestors.argv0": 4079 return &eval.StringArrayEvaluator{ 4080 EvalFnc: func(ctx *eval.Context) []string { 4081 ev := ctx.Event.(*Event) 4082 if result, ok := ctx.StringCache[field]; ok { 4083 return result 4084 } 4085 var results []string 4086 iterator := &ProcessAncestorsIterator{} 4087 value := iterator.Front(ctx) 4088 for value != nil { 4089 element := (*ProcessCacheEntry)(value) 4090 result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process) 4091 results = append(results, result) 4092 value = iterator.Next() 4093 } 4094 ctx.StringCache[field] = results 4095 return results 4096 }, Field: field, 4097 Weight: 100 * eval.IteratorWeight, 4098 }, nil 4099 case "process.ancestors.cap_effective": 4100 return &eval.IntArrayEvaluator{ 4101 EvalFnc: func(ctx *eval.Context) []int { 4102 if result, ok := ctx.IntCache[field]; ok { 4103 return result 4104 } 4105 var results []int 4106 iterator := &ProcessAncestorsIterator{} 4107 value := iterator.Front(ctx) 4108 for value != nil { 4109 element := (*ProcessCacheEntry)(value) 4110 result := int(element.ProcessContext.Process.Credentials.CapEffective) 4111 results = append(results, result) 4112 value = iterator.Next() 4113 } 4114 ctx.IntCache[field] = results 4115 return results 4116 }, Field: field, 4117 Weight: eval.IteratorWeight, 4118 }, nil 4119 case "process.ancestors.cap_permitted": 4120 return &eval.IntArrayEvaluator{ 4121 EvalFnc: func(ctx *eval.Context) []int { 4122 if result, ok := ctx.IntCache[field]; ok { 4123 return result 4124 } 4125 var results []int 4126 iterator := &ProcessAncestorsIterator{} 4127 value := iterator.Front(ctx) 4128 for value != nil { 4129 element := (*ProcessCacheEntry)(value) 4130 result := int(element.ProcessContext.Process.Credentials.CapPermitted) 4131 results = append(results, 
result) 4132 value = iterator.Next() 4133 } 4134 ctx.IntCache[field] = results 4135 return results 4136 }, Field: field, 4137 Weight: eval.IteratorWeight, 4138 }, nil 4139 case "process.ancestors.comm": 4140 return &eval.StringArrayEvaluator{ 4141 EvalFnc: func(ctx *eval.Context) []string { 4142 if result, ok := ctx.StringCache[field]; ok { 4143 return result 4144 } 4145 var results []string 4146 iterator := &ProcessAncestorsIterator{} 4147 value := iterator.Front(ctx) 4148 for value != nil { 4149 element := (*ProcessCacheEntry)(value) 4150 result := element.ProcessContext.Process.Comm 4151 results = append(results, result) 4152 value = iterator.Next() 4153 } 4154 ctx.StringCache[field] = results 4155 return results 4156 }, Field: field, 4157 Weight: eval.IteratorWeight, 4158 }, nil 4159 case "process.ancestors.container.id": 4160 return &eval.StringArrayEvaluator{ 4161 EvalFnc: func(ctx *eval.Context) []string { 4162 if result, ok := ctx.StringCache[field]; ok { 4163 return result 4164 } 4165 var results []string 4166 iterator := &ProcessAncestorsIterator{} 4167 value := iterator.Front(ctx) 4168 for value != nil { 4169 element := (*ProcessCacheEntry)(value) 4170 result := element.ProcessContext.Process.ContainerID 4171 results = append(results, result) 4172 value = iterator.Next() 4173 } 4174 ctx.StringCache[field] = results 4175 return results 4176 }, Field: field, 4177 Weight: eval.IteratorWeight, 4178 }, nil 4179 case "process.ancestors.created_at": 4180 return &eval.IntArrayEvaluator{ 4181 EvalFnc: func(ctx *eval.Context) []int { 4182 ev := ctx.Event.(*Event) 4183 if result, ok := ctx.IntCache[field]; ok { 4184 return result 4185 } 4186 var results []int 4187 iterator := &ProcessAncestorsIterator{} 4188 value := iterator.Front(ctx) 4189 for value != nil { 4190 element := (*ProcessCacheEntry)(value) 4191 result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process)) 4192 results = append(results, result) 4193 value = 
iterator.Next() 4194 } 4195 ctx.IntCache[field] = results 4196 return results 4197 }, Field: field, 4198 Weight: eval.IteratorWeight, 4199 }, nil 4200 case "process.ancestors.egid": 4201 return &eval.IntArrayEvaluator{ 4202 EvalFnc: func(ctx *eval.Context) []int { 4203 if result, ok := ctx.IntCache[field]; ok { 4204 return result 4205 } 4206 var results []int 4207 iterator := &ProcessAncestorsIterator{} 4208 value := iterator.Front(ctx) 4209 for value != nil { 4210 element := (*ProcessCacheEntry)(value) 4211 result := int(element.ProcessContext.Process.Credentials.EGID) 4212 results = append(results, result) 4213 value = iterator.Next() 4214 } 4215 ctx.IntCache[field] = results 4216 return results 4217 }, Field: field, 4218 Weight: eval.IteratorWeight, 4219 }, nil 4220 case "process.ancestors.egroup": 4221 return &eval.StringArrayEvaluator{ 4222 EvalFnc: func(ctx *eval.Context) []string { 4223 if result, ok := ctx.StringCache[field]; ok { 4224 return result 4225 } 4226 var results []string 4227 iterator := &ProcessAncestorsIterator{} 4228 value := iterator.Front(ctx) 4229 for value != nil { 4230 element := (*ProcessCacheEntry)(value) 4231 result := element.ProcessContext.Process.Credentials.EGroup 4232 results = append(results, result) 4233 value = iterator.Next() 4234 } 4235 ctx.StringCache[field] = results 4236 return results 4237 }, Field: field, 4238 Weight: eval.IteratorWeight, 4239 }, nil 4240 case "process.ancestors.envp": 4241 return &eval.StringArrayEvaluator{ 4242 EvalFnc: func(ctx *eval.Context) []string { 4243 ev := ctx.Event.(*Event) 4244 if result, ok := ctx.StringCache[field]; ok { 4245 return result 4246 } 4247 var results []string 4248 iterator := &ProcessAncestorsIterator{} 4249 value := iterator.Front(ctx) 4250 for value != nil { 4251 element := (*ProcessCacheEntry)(value) 4252 result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) 4253 results = append(results, result...) 
4254 value = iterator.Next() 4255 } 4256 ctx.StringCache[field] = results 4257 return results 4258 }, Field: field, 4259 Weight: 100 * eval.IteratorWeight, 4260 }, nil 4261 case "process.ancestors.envs": 4262 return &eval.StringArrayEvaluator{ 4263 EvalFnc: func(ctx *eval.Context) []string { 4264 ev := ctx.Event.(*Event) 4265 if result, ok := ctx.StringCache[field]; ok { 4266 return result 4267 } 4268 var results []string 4269 iterator := &ProcessAncestorsIterator{} 4270 value := iterator.Front(ctx) 4271 for value != nil { 4272 element := (*ProcessCacheEntry)(value) 4273 result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process) 4274 results = append(results, result...) 4275 value = iterator.Next() 4276 } 4277 ctx.StringCache[field] = results 4278 return results 4279 }, Field: field, 4280 Weight: 100 * eval.IteratorWeight, 4281 }, nil 4282 case "process.ancestors.envs_truncated": 4283 return &eval.BoolArrayEvaluator{ 4284 EvalFnc: func(ctx *eval.Context) []bool { 4285 ev := ctx.Event.(*Event) 4286 if result, ok := ctx.BoolCache[field]; ok { 4287 return result 4288 } 4289 var results []bool 4290 iterator := &ProcessAncestorsIterator{} 4291 value := iterator.Front(ctx) 4292 for value != nil { 4293 element := (*ProcessCacheEntry)(value) 4294 result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process) 4295 results = append(results, result) 4296 value = iterator.Next() 4297 } 4298 ctx.BoolCache[field] = results 4299 return results 4300 }, Field: field, 4301 Weight: eval.IteratorWeight, 4302 }, nil 4303 case "process.ancestors.euid": 4304 return &eval.IntArrayEvaluator{ 4305 EvalFnc: func(ctx *eval.Context) []int { 4306 if result, ok := ctx.IntCache[field]; ok { 4307 return result 4308 } 4309 var results []int 4310 iterator := &ProcessAncestorsIterator{} 4311 value := iterator.Front(ctx) 4312 for value != nil { 4313 element := (*ProcessCacheEntry)(value) 4314 result := 
int(element.ProcessContext.Process.Credentials.EUID) 4315 results = append(results, result) 4316 value = iterator.Next() 4317 } 4318 ctx.IntCache[field] = results 4319 return results 4320 }, Field: field, 4321 Weight: eval.IteratorWeight, 4322 }, nil 4323 case "process.ancestors.euser": 4324 return &eval.StringArrayEvaluator{ 4325 EvalFnc: func(ctx *eval.Context) []string { 4326 if result, ok := ctx.StringCache[field]; ok { 4327 return result 4328 } 4329 var results []string 4330 iterator := &ProcessAncestorsIterator{} 4331 value := iterator.Front(ctx) 4332 for value != nil { 4333 element := (*ProcessCacheEntry)(value) 4334 result := element.ProcessContext.Process.Credentials.EUser 4335 results = append(results, result) 4336 value = iterator.Next() 4337 } 4338 ctx.StringCache[field] = results 4339 return results 4340 }, Field: field, 4341 Weight: eval.IteratorWeight, 4342 }, nil 4343 case "process.ancestors.file.change_time": 4344 return &eval.IntArrayEvaluator{ 4345 EvalFnc: func(ctx *eval.Context) []int { 4346 if result, ok := ctx.IntCache[field]; ok { 4347 return result 4348 } 4349 var results []int 4350 iterator := &ProcessAncestorsIterator{} 4351 value := iterator.Front(ctx) 4352 for value != nil { 4353 element := (*ProcessCacheEntry)(value) 4354 if !element.ProcessContext.Process.IsNotKworker() { 4355 results = append(results, 0) 4356 value = iterator.Next() 4357 continue 4358 } 4359 result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime) 4360 results = append(results, result) 4361 value = iterator.Next() 4362 } 4363 ctx.IntCache[field] = results 4364 return results 4365 }, Field: field, 4366 Weight: eval.IteratorWeight, 4367 }, nil 4368 case "process.ancestors.file.filesystem": 4369 return &eval.StringArrayEvaluator{ 4370 EvalFnc: func(ctx *eval.Context) []string { 4371 ev := ctx.Event.(*Event) 4372 if result, ok := ctx.StringCache[field]; ok { 4373 return result 4374 } 4375 var results []string 4376 iterator := &ProcessAncestorsIterator{} 
4377 value := iterator.Front(ctx) 4378 for value != nil { 4379 element := (*ProcessCacheEntry)(value) 4380 if !element.ProcessContext.Process.IsNotKworker() { 4381 results = append(results, "") 4382 value = iterator.Next() 4383 continue 4384 } 4385 result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent) 4386 results = append(results, result) 4387 value = iterator.Next() 4388 } 4389 ctx.StringCache[field] = results 4390 return results 4391 }, Field: field, 4392 Weight: eval.IteratorWeight, 4393 }, nil 4394 case "process.ancestors.file.gid": 4395 return &eval.IntArrayEvaluator{ 4396 EvalFnc: func(ctx *eval.Context) []int { 4397 if result, ok := ctx.IntCache[field]; ok { 4398 return result 4399 } 4400 var results []int 4401 iterator := &ProcessAncestorsIterator{} 4402 value := iterator.Front(ctx) 4403 for value != nil { 4404 element := (*ProcessCacheEntry)(value) 4405 if !element.ProcessContext.Process.IsNotKworker() { 4406 results = append(results, 0) 4407 value = iterator.Next() 4408 continue 4409 } 4410 result := int(element.ProcessContext.Process.FileEvent.FileFields.GID) 4411 results = append(results, result) 4412 value = iterator.Next() 4413 } 4414 ctx.IntCache[field] = results 4415 return results 4416 }, Field: field, 4417 Weight: eval.IteratorWeight, 4418 }, nil 4419 case "process.ancestors.file.group": 4420 return &eval.StringArrayEvaluator{ 4421 EvalFnc: func(ctx *eval.Context) []string { 4422 ev := ctx.Event.(*Event) 4423 if result, ok := ctx.StringCache[field]; ok { 4424 return result 4425 } 4426 var results []string 4427 iterator := &ProcessAncestorsIterator{} 4428 value := iterator.Front(ctx) 4429 for value != nil { 4430 element := (*ProcessCacheEntry)(value) 4431 if !element.ProcessContext.Process.IsNotKworker() { 4432 results = append(results, "") 4433 value = iterator.Next() 4434 continue 4435 } 4436 result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields) 4437 
results = append(results, result) 4438 value = iterator.Next() 4439 } 4440 ctx.StringCache[field] = results 4441 return results 4442 }, Field: field, 4443 Weight: eval.IteratorWeight, 4444 }, nil 4445 case "process.ancestors.file.hashes": 4446 return &eval.StringArrayEvaluator{ 4447 EvalFnc: func(ctx *eval.Context) []string { 4448 ev := ctx.Event.(*Event) 4449 if result, ok := ctx.StringCache[field]; ok { 4450 return result 4451 } 4452 var results []string 4453 iterator := &ProcessAncestorsIterator{} 4454 value := iterator.Front(ctx) 4455 for value != nil { 4456 element := (*ProcessCacheEntry)(value) 4457 if !element.ProcessContext.Process.IsNotKworker() { 4458 results = append(results, "") 4459 value = iterator.Next() 4460 continue 4461 } 4462 result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent) 4463 results = append(results, result...) 4464 value = iterator.Next() 4465 } 4466 ctx.StringCache[field] = results 4467 return results 4468 }, Field: field, 4469 Weight: 999 * eval.IteratorWeight, 4470 }, nil 4471 case "process.ancestors.file.in_upper_layer": 4472 return &eval.BoolArrayEvaluator{ 4473 EvalFnc: func(ctx *eval.Context) []bool { 4474 ev := ctx.Event.(*Event) 4475 if result, ok := ctx.BoolCache[field]; ok { 4476 return result 4477 } 4478 var results []bool 4479 iterator := &ProcessAncestorsIterator{} 4480 value := iterator.Front(ctx) 4481 for value != nil { 4482 element := (*ProcessCacheEntry)(value) 4483 if !element.ProcessContext.Process.IsNotKworker() { 4484 results = append(results, false) 4485 value = iterator.Next() 4486 continue 4487 } 4488 result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields) 4489 results = append(results, result) 4490 value = iterator.Next() 4491 } 4492 ctx.BoolCache[field] = results 4493 return results 4494 }, Field: field, 4495 Weight: eval.IteratorWeight, 4496 }, nil 4497 case "process.ancestors.file.inode": 4498 return 
&eval.IntArrayEvaluator{ 4499 EvalFnc: func(ctx *eval.Context) []int { 4500 if result, ok := ctx.IntCache[field]; ok { 4501 return result 4502 } 4503 var results []int 4504 iterator := &ProcessAncestorsIterator{} 4505 value := iterator.Front(ctx) 4506 for value != nil { 4507 element := (*ProcessCacheEntry)(value) 4508 if !element.ProcessContext.Process.IsNotKworker() { 4509 results = append(results, 0) 4510 value = iterator.Next() 4511 continue 4512 } 4513 result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) 4514 results = append(results, result) 4515 value = iterator.Next() 4516 } 4517 ctx.IntCache[field] = results 4518 return results 4519 }, Field: field, 4520 Weight: eval.IteratorWeight, 4521 }, nil 4522 case "process.ancestors.file.mode": 4523 return &eval.IntArrayEvaluator{ 4524 EvalFnc: func(ctx *eval.Context) []int { 4525 if result, ok := ctx.IntCache[field]; ok { 4526 return result 4527 } 4528 var results []int 4529 iterator := &ProcessAncestorsIterator{} 4530 value := iterator.Front(ctx) 4531 for value != nil { 4532 element := (*ProcessCacheEntry)(value) 4533 if !element.ProcessContext.Process.IsNotKworker() { 4534 results = append(results, 0) 4535 value = iterator.Next() 4536 continue 4537 } 4538 result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode) 4539 results = append(results, result) 4540 value = iterator.Next() 4541 } 4542 ctx.IntCache[field] = results 4543 return results 4544 }, Field: field, 4545 Weight: eval.IteratorWeight, 4546 }, nil 4547 case "process.ancestors.file.modification_time": 4548 return &eval.IntArrayEvaluator{ 4549 EvalFnc: func(ctx *eval.Context) []int { 4550 if result, ok := ctx.IntCache[field]; ok { 4551 return result 4552 } 4553 var results []int 4554 iterator := &ProcessAncestorsIterator{} 4555 value := iterator.Front(ctx) 4556 for value != nil { 4557 element := (*ProcessCacheEntry)(value) 4558 if !element.ProcessContext.Process.IsNotKworker() { 4559 results = append(results, 0) 
4560 value = iterator.Next() 4561 continue 4562 } 4563 result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime) 4564 results = append(results, result) 4565 value = iterator.Next() 4566 } 4567 ctx.IntCache[field] = results 4568 return results 4569 }, Field: field, 4570 Weight: eval.IteratorWeight, 4571 }, nil 4572 case "process.ancestors.file.mount_id": 4573 return &eval.IntArrayEvaluator{ 4574 EvalFnc: func(ctx *eval.Context) []int { 4575 if result, ok := ctx.IntCache[field]; ok { 4576 return result 4577 } 4578 var results []int 4579 iterator := &ProcessAncestorsIterator{} 4580 value := iterator.Front(ctx) 4581 for value != nil { 4582 element := (*ProcessCacheEntry)(value) 4583 if !element.ProcessContext.Process.IsNotKworker() { 4584 results = append(results, 0) 4585 value = iterator.Next() 4586 continue 4587 } 4588 result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) 4589 results = append(results, result) 4590 value = iterator.Next() 4591 } 4592 ctx.IntCache[field] = results 4593 return results 4594 }, Field: field, 4595 Weight: eval.IteratorWeight, 4596 }, nil 4597 case "process.ancestors.file.name": 4598 return &eval.StringArrayEvaluator{ 4599 OpOverrides: ProcessSymlinkBasename, 4600 EvalFnc: func(ctx *eval.Context) []string { 4601 ev := ctx.Event.(*Event) 4602 if result, ok := ctx.StringCache[field]; ok { 4603 return result 4604 } 4605 var results []string 4606 iterator := &ProcessAncestorsIterator{} 4607 value := iterator.Front(ctx) 4608 for value != nil { 4609 element := (*ProcessCacheEntry)(value) 4610 if !element.ProcessContext.Process.IsNotKworker() { 4611 results = append(results, "") 4612 value = iterator.Next() 4613 continue 4614 } 4615 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) 4616 results = append(results, result) 4617 value = iterator.Next() 4618 } 4619 ctx.StringCache[field] = results 4620 return results 4621 }, Field: field, 4622 Weight: 
eval.IteratorWeight, 4623 }, nil 4624 case "process.ancestors.file.name.length": 4625 return &eval.IntArrayEvaluator{ 4626 OpOverrides: ProcessSymlinkBasename, 4627 EvalFnc: func(ctx *eval.Context) []int { 4628 ev := ctx.Event.(*Event) 4629 if result, ok := ctx.IntCache[field]; ok { 4630 return result 4631 } 4632 var results []int 4633 iterator := &ProcessAncestorsIterator{} 4634 value := iterator.Front(ctx) 4635 for value != nil { 4636 element := (*ProcessCacheEntry)(value) 4637 result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)) 4638 results = append(results, result) 4639 value = iterator.Next() 4640 } 4641 ctx.IntCache[field] = results 4642 return results 4643 }, Field: field, 4644 Weight: eval.IteratorWeight, 4645 }, nil 4646 case "process.ancestors.file.package.name": 4647 return &eval.StringArrayEvaluator{ 4648 EvalFnc: func(ctx *eval.Context) []string { 4649 ev := ctx.Event.(*Event) 4650 if result, ok := ctx.StringCache[field]; ok { 4651 return result 4652 } 4653 var results []string 4654 iterator := &ProcessAncestorsIterator{} 4655 value := iterator.Front(ctx) 4656 for value != nil { 4657 element := (*ProcessCacheEntry)(value) 4658 if !element.ProcessContext.Process.IsNotKworker() { 4659 results = append(results, "") 4660 value = iterator.Next() 4661 continue 4662 } 4663 result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent) 4664 results = append(results, result) 4665 value = iterator.Next() 4666 } 4667 ctx.StringCache[field] = results 4668 return results 4669 }, Field: field, 4670 Weight: eval.IteratorWeight, 4671 }, nil 4672 case "process.ancestors.file.package.source_version": 4673 return &eval.StringArrayEvaluator{ 4674 EvalFnc: func(ctx *eval.Context) []string { 4675 ev := ctx.Event.(*Event) 4676 if result, ok := ctx.StringCache[field]; ok { 4677 return result 4678 } 4679 var results []string 4680 iterator := &ProcessAncestorsIterator{} 4681 value := 
iterator.Front(ctx) 4682 for value != nil { 4683 element := (*ProcessCacheEntry)(value) 4684 if !element.ProcessContext.Process.IsNotKworker() { 4685 results = append(results, "") 4686 value = iterator.Next() 4687 continue 4688 } 4689 result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent) 4690 results = append(results, result) 4691 value = iterator.Next() 4692 } 4693 ctx.StringCache[field] = results 4694 return results 4695 }, Field: field, 4696 Weight: eval.IteratorWeight, 4697 }, nil 4698 case "process.ancestors.file.package.version": 4699 return &eval.StringArrayEvaluator{ 4700 EvalFnc: func(ctx *eval.Context) []string { 4701 ev := ctx.Event.(*Event) 4702 if result, ok := ctx.StringCache[field]; ok { 4703 return result 4704 } 4705 var results []string 4706 iterator := &ProcessAncestorsIterator{} 4707 value := iterator.Front(ctx) 4708 for value != nil { 4709 element := (*ProcessCacheEntry)(value) 4710 if !element.ProcessContext.Process.IsNotKworker() { 4711 results = append(results, "") 4712 value = iterator.Next() 4713 continue 4714 } 4715 result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent) 4716 results = append(results, result) 4717 value = iterator.Next() 4718 } 4719 ctx.StringCache[field] = results 4720 return results 4721 }, Field: field, 4722 Weight: eval.IteratorWeight, 4723 }, nil 4724 case "process.ancestors.file.path": 4725 return &eval.StringArrayEvaluator{ 4726 OpOverrides: ProcessSymlinkPathname, 4727 EvalFnc: func(ctx *eval.Context) []string { 4728 ev := ctx.Event.(*Event) 4729 if result, ok := ctx.StringCache[field]; ok { 4730 return result 4731 } 4732 var results []string 4733 iterator := &ProcessAncestorsIterator{} 4734 value := iterator.Front(ctx) 4735 for value != nil { 4736 element := (*ProcessCacheEntry)(value) 4737 if !element.ProcessContext.Process.IsNotKworker() { 4738 results = append(results, "") 4739 value = iterator.Next() 4740 continue 4741 } 
4742 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) 4743 results = append(results, result) 4744 value = iterator.Next() 4745 } 4746 ctx.StringCache[field] = results 4747 return results 4748 }, Field: field, 4749 Weight: eval.IteratorWeight, 4750 }, nil 4751 case "process.ancestors.file.path.length": 4752 return &eval.IntArrayEvaluator{ 4753 OpOverrides: ProcessSymlinkPathname, 4754 EvalFnc: func(ctx *eval.Context) []int { 4755 ev := ctx.Event.(*Event) 4756 if result, ok := ctx.IntCache[field]; ok { 4757 return result 4758 } 4759 var results []int 4760 iterator := &ProcessAncestorsIterator{} 4761 value := iterator.Front(ctx) 4762 for value != nil { 4763 element := (*ProcessCacheEntry)(value) 4764 result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)) 4765 results = append(results, result) 4766 value = iterator.Next() 4767 } 4768 ctx.IntCache[field] = results 4769 return results 4770 }, Field: field, 4771 Weight: eval.IteratorWeight, 4772 }, nil 4773 case "process.ancestors.file.rights": 4774 return &eval.IntArrayEvaluator{ 4775 EvalFnc: func(ctx *eval.Context) []int { 4776 ev := ctx.Event.(*Event) 4777 if result, ok := ctx.IntCache[field]; ok { 4778 return result 4779 } 4780 var results []int 4781 iterator := &ProcessAncestorsIterator{} 4782 value := iterator.Front(ctx) 4783 for value != nil { 4784 element := (*ProcessCacheEntry)(value) 4785 if !element.ProcessContext.Process.IsNotKworker() { 4786 results = append(results, 0) 4787 value = iterator.Next() 4788 continue 4789 } 4790 result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields)) 4791 results = append(results, result) 4792 value = iterator.Next() 4793 } 4794 ctx.IntCache[field] = results 4795 return results 4796 }, Field: field, 4797 Weight: eval.IteratorWeight, 4798 }, nil 4799 case "process.ancestors.file.uid": 4800 return &eval.IntArrayEvaluator{ 4801 EvalFnc: func(ctx 
*eval.Context) []int { 4802 if result, ok := ctx.IntCache[field]; ok { 4803 return result 4804 } 4805 var results []int 4806 iterator := &ProcessAncestorsIterator{} 4807 value := iterator.Front(ctx) 4808 for value != nil { 4809 element := (*ProcessCacheEntry)(value) 4810 if !element.ProcessContext.Process.IsNotKworker() { 4811 results = append(results, 0) 4812 value = iterator.Next() 4813 continue 4814 } 4815 result := int(element.ProcessContext.Process.FileEvent.FileFields.UID) 4816 results = append(results, result) 4817 value = iterator.Next() 4818 } 4819 ctx.IntCache[field] = results 4820 return results 4821 }, Field: field, 4822 Weight: eval.IteratorWeight, 4823 }, nil 4824 case "process.ancestors.file.user": 4825 return &eval.StringArrayEvaluator{ 4826 EvalFnc: func(ctx *eval.Context) []string { 4827 ev := ctx.Event.(*Event) 4828 if result, ok := ctx.StringCache[field]; ok { 4829 return result 4830 } 4831 var results []string 4832 iterator := &ProcessAncestorsIterator{} 4833 value := iterator.Front(ctx) 4834 for value != nil { 4835 element := (*ProcessCacheEntry)(value) 4836 if !element.ProcessContext.Process.IsNotKworker() { 4837 results = append(results, "") 4838 value = iterator.Next() 4839 continue 4840 } 4841 result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields) 4842 results = append(results, result) 4843 value = iterator.Next() 4844 } 4845 ctx.StringCache[field] = results 4846 return results 4847 }, Field: field, 4848 Weight: eval.IteratorWeight, 4849 }, nil 4850 case "process.ancestors.fsgid": 4851 return &eval.IntArrayEvaluator{ 4852 EvalFnc: func(ctx *eval.Context) []int { 4853 if result, ok := ctx.IntCache[field]; ok { 4854 return result 4855 } 4856 var results []int 4857 iterator := &ProcessAncestorsIterator{} 4858 value := iterator.Front(ctx) 4859 for value != nil { 4860 element := (*ProcessCacheEntry)(value) 4861 result := int(element.ProcessContext.Process.Credentials.FSGID) 4862 results = 
append(results, result) 4863 value = iterator.Next() 4864 } 4865 ctx.IntCache[field] = results 4866 return results 4867 }, Field: field, 4868 Weight: eval.IteratorWeight, 4869 }, nil 4870 case "process.ancestors.fsgroup": 4871 return &eval.StringArrayEvaluator{ 4872 EvalFnc: func(ctx *eval.Context) []string { 4873 if result, ok := ctx.StringCache[field]; ok { 4874 return result 4875 } 4876 var results []string 4877 iterator := &ProcessAncestorsIterator{} 4878 value := iterator.Front(ctx) 4879 for value != nil { 4880 element := (*ProcessCacheEntry)(value) 4881 result := element.ProcessContext.Process.Credentials.FSGroup 4882 results = append(results, result) 4883 value = iterator.Next() 4884 } 4885 ctx.StringCache[field] = results 4886 return results 4887 }, Field: field, 4888 Weight: eval.IteratorWeight, 4889 }, nil 4890 case "process.ancestors.fsuid": 4891 return &eval.IntArrayEvaluator{ 4892 EvalFnc: func(ctx *eval.Context) []int { 4893 if result, ok := ctx.IntCache[field]; ok { 4894 return result 4895 } 4896 var results []int 4897 iterator := &ProcessAncestorsIterator{} 4898 value := iterator.Front(ctx) 4899 for value != nil { 4900 element := (*ProcessCacheEntry)(value) 4901 result := int(element.ProcessContext.Process.Credentials.FSUID) 4902 results = append(results, result) 4903 value = iterator.Next() 4904 } 4905 ctx.IntCache[field] = results 4906 return results 4907 }, Field: field, 4908 Weight: eval.IteratorWeight, 4909 }, nil 4910 case "process.ancestors.fsuser": 4911 return &eval.StringArrayEvaluator{ 4912 EvalFnc: func(ctx *eval.Context) []string { 4913 if result, ok := ctx.StringCache[field]; ok { 4914 return result 4915 } 4916 var results []string 4917 iterator := &ProcessAncestorsIterator{} 4918 value := iterator.Front(ctx) 4919 for value != nil { 4920 element := (*ProcessCacheEntry)(value) 4921 result := element.ProcessContext.Process.Credentials.FSUser 4922 results = append(results, result) 4923 value = iterator.Next() 4924 } 4925 
ctx.StringCache[field] = results 4926 return results 4927 }, Field: field, 4928 Weight: eval.IteratorWeight, 4929 }, nil 4930 case "process.ancestors.gid": 4931 return &eval.IntArrayEvaluator{ 4932 EvalFnc: func(ctx *eval.Context) []int { 4933 if result, ok := ctx.IntCache[field]; ok { 4934 return result 4935 } 4936 var results []int 4937 iterator := &ProcessAncestorsIterator{} 4938 value := iterator.Front(ctx) 4939 for value != nil { 4940 element := (*ProcessCacheEntry)(value) 4941 result := int(element.ProcessContext.Process.Credentials.GID) 4942 results = append(results, result) 4943 value = iterator.Next() 4944 } 4945 ctx.IntCache[field] = results 4946 return results 4947 }, Field: field, 4948 Weight: eval.IteratorWeight, 4949 }, nil 4950 case "process.ancestors.group": 4951 return &eval.StringArrayEvaluator{ 4952 EvalFnc: func(ctx *eval.Context) []string { 4953 if result, ok := ctx.StringCache[field]; ok { 4954 return result 4955 } 4956 var results []string 4957 iterator := &ProcessAncestorsIterator{} 4958 value := iterator.Front(ctx) 4959 for value != nil { 4960 element := (*ProcessCacheEntry)(value) 4961 result := element.ProcessContext.Process.Credentials.Group 4962 results = append(results, result) 4963 value = iterator.Next() 4964 } 4965 ctx.StringCache[field] = results 4966 return results 4967 }, Field: field, 4968 Weight: eval.IteratorWeight, 4969 }, nil 4970 case "process.ancestors.interpreter.file.change_time": 4971 return &eval.IntArrayEvaluator{ 4972 EvalFnc: func(ctx *eval.Context) []int { 4973 if result, ok := ctx.IntCache[field]; ok { 4974 return result 4975 } 4976 var results []int 4977 iterator := &ProcessAncestorsIterator{} 4978 value := iterator.Front(ctx) 4979 for value != nil { 4980 element := (*ProcessCacheEntry)(value) 4981 if !element.ProcessContext.Process.HasInterpreter() { 4982 results = append(results, 0) 4983 value = iterator.Next() 4984 continue 4985 } 4986 result := 
int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) 4987 results = append(results, result) 4988 value = iterator.Next() 4989 } 4990 ctx.IntCache[field] = results 4991 return results 4992 }, Field: field, 4993 Weight: eval.IteratorWeight, 4994 }, nil 4995 case "process.ancestors.interpreter.file.filesystem": 4996 return &eval.StringArrayEvaluator{ 4997 EvalFnc: func(ctx *eval.Context) []string { 4998 ev := ctx.Event.(*Event) 4999 if result, ok := ctx.StringCache[field]; ok { 5000 return result 5001 } 5002 var results []string 5003 iterator := &ProcessAncestorsIterator{} 5004 value := iterator.Front(ctx) 5005 for value != nil { 5006 element := (*ProcessCacheEntry)(value) 5007 if !element.ProcessContext.Process.HasInterpreter() { 5008 results = append(results, "") 5009 value = iterator.Next() 5010 continue 5011 } 5012 result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 5013 results = append(results, result) 5014 value = iterator.Next() 5015 } 5016 ctx.StringCache[field] = results 5017 return results 5018 }, Field: field, 5019 Weight: eval.IteratorWeight, 5020 }, nil 5021 case "process.ancestors.interpreter.file.gid": 5022 return &eval.IntArrayEvaluator{ 5023 EvalFnc: func(ctx *eval.Context) []int { 5024 if result, ok := ctx.IntCache[field]; ok { 5025 return result 5026 } 5027 var results []int 5028 iterator := &ProcessAncestorsIterator{} 5029 value := iterator.Front(ctx) 5030 for value != nil { 5031 element := (*ProcessCacheEntry)(value) 5032 if !element.ProcessContext.Process.HasInterpreter() { 5033 results = append(results, 0) 5034 value = iterator.Next() 5035 continue 5036 } 5037 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) 5038 results = append(results, result) 5039 value = iterator.Next() 5040 } 5041 ctx.IntCache[field] = results 5042 return results 5043 }, Field: field, 5044 Weight: eval.IteratorWeight, 5045 }, nil 5046 case 
"process.ancestors.interpreter.file.group": 5047 return &eval.StringArrayEvaluator{ 5048 EvalFnc: func(ctx *eval.Context) []string { 5049 ev := ctx.Event.(*Event) 5050 if result, ok := ctx.StringCache[field]; ok { 5051 return result 5052 } 5053 var results []string 5054 iterator := &ProcessAncestorsIterator{} 5055 value := iterator.Front(ctx) 5056 for value != nil { 5057 element := (*ProcessCacheEntry)(value) 5058 if !element.ProcessContext.Process.HasInterpreter() { 5059 results = append(results, "") 5060 value = iterator.Next() 5061 continue 5062 } 5063 result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 5064 results = append(results, result) 5065 value = iterator.Next() 5066 } 5067 ctx.StringCache[field] = results 5068 return results 5069 }, Field: field, 5070 Weight: eval.IteratorWeight, 5071 }, nil 5072 case "process.ancestors.interpreter.file.hashes": 5073 return &eval.StringArrayEvaluator{ 5074 EvalFnc: func(ctx *eval.Context) []string { 5075 ev := ctx.Event.(*Event) 5076 if result, ok := ctx.StringCache[field]; ok { 5077 return result 5078 } 5079 var results []string 5080 iterator := &ProcessAncestorsIterator{} 5081 value := iterator.Front(ctx) 5082 for value != nil { 5083 element := (*ProcessCacheEntry)(value) 5084 if !element.ProcessContext.Process.HasInterpreter() { 5085 results = append(results, "") 5086 value = iterator.Next() 5087 continue 5088 } 5089 result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 5090 results = append(results, result...) 
5091 value = iterator.Next() 5092 } 5093 ctx.StringCache[field] = results 5094 return results 5095 }, Field: field, 5096 Weight: 999 * eval.IteratorWeight, 5097 }, nil 5098 case "process.ancestors.interpreter.file.in_upper_layer": 5099 return &eval.BoolArrayEvaluator{ 5100 EvalFnc: func(ctx *eval.Context) []bool { 5101 ev := ctx.Event.(*Event) 5102 if result, ok := ctx.BoolCache[field]; ok { 5103 return result 5104 } 5105 var results []bool 5106 iterator := &ProcessAncestorsIterator{} 5107 value := iterator.Front(ctx) 5108 for value != nil { 5109 element := (*ProcessCacheEntry)(value) 5110 if !element.ProcessContext.Process.HasInterpreter() { 5111 results = append(results, false) 5112 value = iterator.Next() 5113 continue 5114 } 5115 result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 5116 results = append(results, result) 5117 value = iterator.Next() 5118 } 5119 ctx.BoolCache[field] = results 5120 return results 5121 }, Field: field, 5122 Weight: eval.IteratorWeight, 5123 }, nil 5124 case "process.ancestors.interpreter.file.inode": 5125 return &eval.IntArrayEvaluator{ 5126 EvalFnc: func(ctx *eval.Context) []int { 5127 if result, ok := ctx.IntCache[field]; ok { 5128 return result 5129 } 5130 var results []int 5131 iterator := &ProcessAncestorsIterator{} 5132 value := iterator.Front(ctx) 5133 for value != nil { 5134 element := (*ProcessCacheEntry)(value) 5135 if !element.ProcessContext.Process.HasInterpreter() { 5136 results = append(results, 0) 5137 value = iterator.Next() 5138 continue 5139 } 5140 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 5141 results = append(results, result) 5142 value = iterator.Next() 5143 } 5144 ctx.IntCache[field] = results 5145 return results 5146 }, Field: field, 5147 Weight: eval.IteratorWeight, 5148 }, nil 5149 case "process.ancestors.interpreter.file.mode": 5150 return &eval.IntArrayEvaluator{ 5151 EvalFnc: 
func(ctx *eval.Context) []int { 5152 if result, ok := ctx.IntCache[field]; ok { 5153 return result 5154 } 5155 var results []int 5156 iterator := &ProcessAncestorsIterator{} 5157 value := iterator.Front(ctx) 5158 for value != nil { 5159 element := (*ProcessCacheEntry)(value) 5160 if !element.ProcessContext.Process.HasInterpreter() { 5161 results = append(results, 0) 5162 value = iterator.Next() 5163 continue 5164 } 5165 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) 5166 results = append(results, result) 5167 value = iterator.Next() 5168 } 5169 ctx.IntCache[field] = results 5170 return results 5171 }, Field: field, 5172 Weight: eval.IteratorWeight, 5173 }, nil 5174 case "process.ancestors.interpreter.file.modification_time": 5175 return &eval.IntArrayEvaluator{ 5176 EvalFnc: func(ctx *eval.Context) []int { 5177 if result, ok := ctx.IntCache[field]; ok { 5178 return result 5179 } 5180 var results []int 5181 iterator := &ProcessAncestorsIterator{} 5182 value := iterator.Front(ctx) 5183 for value != nil { 5184 element := (*ProcessCacheEntry)(value) 5185 if !element.ProcessContext.Process.HasInterpreter() { 5186 results = append(results, 0) 5187 value = iterator.Next() 5188 continue 5189 } 5190 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) 5191 results = append(results, result) 5192 value = iterator.Next() 5193 } 5194 ctx.IntCache[field] = results 5195 return results 5196 }, Field: field, 5197 Weight: eval.IteratorWeight, 5198 }, nil 5199 case "process.ancestors.interpreter.file.mount_id": 5200 return &eval.IntArrayEvaluator{ 5201 EvalFnc: func(ctx *eval.Context) []int { 5202 if result, ok := ctx.IntCache[field]; ok { 5203 return result 5204 } 5205 var results []int 5206 iterator := &ProcessAncestorsIterator{} 5207 value := iterator.Front(ctx) 5208 for value != nil { 5209 element := (*ProcessCacheEntry)(value) 5210 if !element.ProcessContext.Process.HasInterpreter() { 5211 results = 
append(results, 0) 5212 value = iterator.Next() 5213 continue 5214 } 5215 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 5216 results = append(results, result) 5217 value = iterator.Next() 5218 } 5219 ctx.IntCache[field] = results 5220 return results 5221 }, Field: field, 5222 Weight: eval.IteratorWeight, 5223 }, nil 5224 case "process.ancestors.interpreter.file.name": 5225 return &eval.StringArrayEvaluator{ 5226 OpOverrides: ProcessSymlinkBasename, 5227 EvalFnc: func(ctx *eval.Context) []string { 5228 ev := ctx.Event.(*Event) 5229 if result, ok := ctx.StringCache[field]; ok { 5230 return result 5231 } 5232 var results []string 5233 iterator := &ProcessAncestorsIterator{} 5234 value := iterator.Front(ctx) 5235 for value != nil { 5236 element := (*ProcessCacheEntry)(value) 5237 if !element.ProcessContext.Process.HasInterpreter() { 5238 results = append(results, "") 5239 value = iterator.Next() 5240 continue 5241 } 5242 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 5243 results = append(results, result) 5244 value = iterator.Next() 5245 } 5246 ctx.StringCache[field] = results 5247 return results 5248 }, Field: field, 5249 Weight: eval.IteratorWeight, 5250 }, nil 5251 case "process.ancestors.interpreter.file.name.length": 5252 return &eval.IntArrayEvaluator{ 5253 OpOverrides: ProcessSymlinkBasename, 5254 EvalFnc: func(ctx *eval.Context) []int { 5255 ev := ctx.Event.(*Event) 5256 if result, ok := ctx.IntCache[field]; ok { 5257 return result 5258 } 5259 var results []int 5260 iterator := &ProcessAncestorsIterator{} 5261 value := iterator.Front(ctx) 5262 for value != nil { 5263 element := (*ProcessCacheEntry)(value) 5264 result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)) 5265 results = append(results, result) 5266 value = iterator.Next() 5267 } 5268 ctx.IntCache[field] = results 5269 return results 5270 }, 
Field: field, 5271 Weight: eval.IteratorWeight, 5272 }, nil 5273 case "process.ancestors.interpreter.file.package.name": 5274 return &eval.StringArrayEvaluator{ 5275 EvalFnc: func(ctx *eval.Context) []string { 5276 ev := ctx.Event.(*Event) 5277 if result, ok := ctx.StringCache[field]; ok { 5278 return result 5279 } 5280 var results []string 5281 iterator := &ProcessAncestorsIterator{} 5282 value := iterator.Front(ctx) 5283 for value != nil { 5284 element := (*ProcessCacheEntry)(value) 5285 if !element.ProcessContext.Process.HasInterpreter() { 5286 results = append(results, "") 5287 value = iterator.Next() 5288 continue 5289 } 5290 result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 5291 results = append(results, result) 5292 value = iterator.Next() 5293 } 5294 ctx.StringCache[field] = results 5295 return results 5296 }, Field: field, 5297 Weight: eval.IteratorWeight, 5298 }, nil 5299 case "process.ancestors.interpreter.file.package.source_version": 5300 return &eval.StringArrayEvaluator{ 5301 EvalFnc: func(ctx *eval.Context) []string { 5302 ev := ctx.Event.(*Event) 5303 if result, ok := ctx.StringCache[field]; ok { 5304 return result 5305 } 5306 var results []string 5307 iterator := &ProcessAncestorsIterator{} 5308 value := iterator.Front(ctx) 5309 for value != nil { 5310 element := (*ProcessCacheEntry)(value) 5311 if !element.ProcessContext.Process.HasInterpreter() { 5312 results = append(results, "") 5313 value = iterator.Next() 5314 continue 5315 } 5316 result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 5317 results = append(results, result) 5318 value = iterator.Next() 5319 } 5320 ctx.StringCache[field] = results 5321 return results 5322 }, Field: field, 5323 Weight: eval.IteratorWeight, 5324 }, nil 5325 case "process.ancestors.interpreter.file.package.version": 5326 return &eval.StringArrayEvaluator{ 5327 EvalFnc: func(ctx *eval.Context) []string 
{ 5328 ev := ctx.Event.(*Event) 5329 if result, ok := ctx.StringCache[field]; ok { 5330 return result 5331 } 5332 var results []string 5333 iterator := &ProcessAncestorsIterator{} 5334 value := iterator.Front(ctx) 5335 for value != nil { 5336 element := (*ProcessCacheEntry)(value) 5337 if !element.ProcessContext.Process.HasInterpreter() { 5338 results = append(results, "") 5339 value = iterator.Next() 5340 continue 5341 } 5342 result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 5343 results = append(results, result) 5344 value = iterator.Next() 5345 } 5346 ctx.StringCache[field] = results 5347 return results 5348 }, Field: field, 5349 Weight: eval.IteratorWeight, 5350 }, nil 5351 case "process.ancestors.interpreter.file.path": 5352 return &eval.StringArrayEvaluator{ 5353 OpOverrides: ProcessSymlinkPathname, 5354 EvalFnc: func(ctx *eval.Context) []string { 5355 ev := ctx.Event.(*Event) 5356 if result, ok := ctx.StringCache[field]; ok { 5357 return result 5358 } 5359 var results []string 5360 iterator := &ProcessAncestorsIterator{} 5361 value := iterator.Front(ctx) 5362 for value != nil { 5363 element := (*ProcessCacheEntry)(value) 5364 if !element.ProcessContext.Process.HasInterpreter() { 5365 results = append(results, "") 5366 value = iterator.Next() 5367 continue 5368 } 5369 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 5370 results = append(results, result) 5371 value = iterator.Next() 5372 } 5373 ctx.StringCache[field] = results 5374 return results 5375 }, Field: field, 5376 Weight: eval.IteratorWeight, 5377 }, nil 5378 case "process.ancestors.interpreter.file.path.length": 5379 return &eval.IntArrayEvaluator{ 5380 OpOverrides: ProcessSymlinkPathname, 5381 EvalFnc: func(ctx *eval.Context) []int { 5382 ev := ctx.Event.(*Event) 5383 if result, ok := ctx.IntCache[field]; ok { 5384 return result 5385 } 5386 var results []int 5387 iterator := 
&ProcessAncestorsIterator{} 5388 value := iterator.Front(ctx) 5389 for value != nil { 5390 element := (*ProcessCacheEntry)(value) 5391 result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)) 5392 results = append(results, result) 5393 value = iterator.Next() 5394 } 5395 ctx.IntCache[field] = results 5396 return results 5397 }, Field: field, 5398 Weight: eval.IteratorWeight, 5399 }, nil 5400 case "process.ancestors.interpreter.file.rights": 5401 return &eval.IntArrayEvaluator{ 5402 EvalFnc: func(ctx *eval.Context) []int { 5403 ev := ctx.Event.(*Event) 5404 if result, ok := ctx.IntCache[field]; ok { 5405 return result 5406 } 5407 var results []int 5408 iterator := &ProcessAncestorsIterator{} 5409 value := iterator.Front(ctx) 5410 for value != nil { 5411 element := (*ProcessCacheEntry)(value) 5412 if !element.ProcessContext.Process.HasInterpreter() { 5413 results = append(results, 0) 5414 value = iterator.Next() 5415 continue 5416 } 5417 result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) 5418 results = append(results, result) 5419 value = iterator.Next() 5420 } 5421 ctx.IntCache[field] = results 5422 return results 5423 }, Field: field, 5424 Weight: eval.IteratorWeight, 5425 }, nil 5426 case "process.ancestors.interpreter.file.uid": 5427 return &eval.IntArrayEvaluator{ 5428 EvalFnc: func(ctx *eval.Context) []int { 5429 if result, ok := ctx.IntCache[field]; ok { 5430 return result 5431 } 5432 var results []int 5433 iterator := &ProcessAncestorsIterator{} 5434 value := iterator.Front(ctx) 5435 for value != nil { 5436 element := (*ProcessCacheEntry)(value) 5437 if !element.ProcessContext.Process.HasInterpreter() { 5438 results = append(results, 0) 5439 value = iterator.Next() 5440 continue 5441 } 5442 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) 5443 results = append(results, result) 5444 value = iterator.Next() 5445 } 
5446 ctx.IntCache[field] = results 5447 return results 5448 }, Field: field, 5449 Weight: eval.IteratorWeight, 5450 }, nil 5451 case "process.ancestors.interpreter.file.user": 5452 return &eval.StringArrayEvaluator{ 5453 EvalFnc: func(ctx *eval.Context) []string { 5454 ev := ctx.Event.(*Event) 5455 if result, ok := ctx.StringCache[field]; ok { 5456 return result 5457 } 5458 var results []string 5459 iterator := &ProcessAncestorsIterator{} 5460 value := iterator.Front(ctx) 5461 for value != nil { 5462 element := (*ProcessCacheEntry)(value) 5463 if !element.ProcessContext.Process.HasInterpreter() { 5464 results = append(results, "") 5465 value = iterator.Next() 5466 continue 5467 } 5468 result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 5469 results = append(results, result) 5470 value = iterator.Next() 5471 } 5472 ctx.StringCache[field] = results 5473 return results 5474 }, Field: field, 5475 Weight: eval.IteratorWeight, 5476 }, nil 5477 case "process.ancestors.is_kworker": 5478 return &eval.BoolArrayEvaluator{ 5479 EvalFnc: func(ctx *eval.Context) []bool { 5480 if result, ok := ctx.BoolCache[field]; ok { 5481 return result 5482 } 5483 var results []bool 5484 iterator := &ProcessAncestorsIterator{} 5485 value := iterator.Front(ctx) 5486 for value != nil { 5487 element := (*ProcessCacheEntry)(value) 5488 result := element.ProcessContext.Process.PIDContext.IsKworker 5489 results = append(results, result) 5490 value = iterator.Next() 5491 } 5492 ctx.BoolCache[field] = results 5493 return results 5494 }, Field: field, 5495 Weight: eval.IteratorWeight, 5496 }, nil 5497 case "process.ancestors.is_thread": 5498 return &eval.BoolArrayEvaluator{ 5499 EvalFnc: func(ctx *eval.Context) []bool { 5500 if result, ok := ctx.BoolCache[field]; ok { 5501 return result 5502 } 5503 var results []bool 5504 iterator := &ProcessAncestorsIterator{} 5505 value := iterator.Front(ctx) 5506 for value != nil { 5507 element := 
(*ProcessCacheEntry)(value) 5508 result := element.ProcessContext.Process.IsThread 5509 results = append(results, result) 5510 value = iterator.Next() 5511 } 5512 ctx.BoolCache[field] = results 5513 return results 5514 }, Field: field, 5515 Weight: eval.IteratorWeight, 5516 }, nil 5517 case "process.ancestors.pid": 5518 return &eval.IntArrayEvaluator{ 5519 EvalFnc: func(ctx *eval.Context) []int { 5520 if result, ok := ctx.IntCache[field]; ok { 5521 return result 5522 } 5523 var results []int 5524 iterator := &ProcessAncestorsIterator{} 5525 value := iterator.Front(ctx) 5526 for value != nil { 5527 element := (*ProcessCacheEntry)(value) 5528 result := int(element.ProcessContext.Process.PIDContext.Pid) 5529 results = append(results, result) 5530 value = iterator.Next() 5531 } 5532 ctx.IntCache[field] = results 5533 return results 5534 }, Field: field, 5535 Weight: eval.IteratorWeight, 5536 }, nil 5537 case "process.ancestors.ppid": 5538 return &eval.IntArrayEvaluator{ 5539 EvalFnc: func(ctx *eval.Context) []int { 5540 if result, ok := ctx.IntCache[field]; ok { 5541 return result 5542 } 5543 var results []int 5544 iterator := &ProcessAncestorsIterator{} 5545 value := iterator.Front(ctx) 5546 for value != nil { 5547 element := (*ProcessCacheEntry)(value) 5548 result := int(element.ProcessContext.Process.PPid) 5549 results = append(results, result) 5550 value = iterator.Next() 5551 } 5552 ctx.IntCache[field] = results 5553 return results 5554 }, Field: field, 5555 Weight: eval.IteratorWeight, 5556 }, nil 5557 case "process.ancestors.tid": 5558 return &eval.IntArrayEvaluator{ 5559 EvalFnc: func(ctx *eval.Context) []int { 5560 if result, ok := ctx.IntCache[field]; ok { 5561 return result 5562 } 5563 var results []int 5564 iterator := &ProcessAncestorsIterator{} 5565 value := iterator.Front(ctx) 5566 for value != nil { 5567 element := (*ProcessCacheEntry)(value) 5568 result := int(element.ProcessContext.Process.PIDContext.Tid) 5569 results = append(results, result) 5570 
value = iterator.Next() 5571 } 5572 ctx.IntCache[field] = results 5573 return results 5574 }, Field: field, 5575 Weight: eval.IteratorWeight, 5576 }, nil 5577 case "process.ancestors.tty_name": 5578 return &eval.StringArrayEvaluator{ 5579 EvalFnc: func(ctx *eval.Context) []string { 5580 if result, ok := ctx.StringCache[field]; ok { 5581 return result 5582 } 5583 var results []string 5584 iterator := &ProcessAncestorsIterator{} 5585 value := iterator.Front(ctx) 5586 for value != nil { 5587 element := (*ProcessCacheEntry)(value) 5588 result := element.ProcessContext.Process.TTYName 5589 results = append(results, result) 5590 value = iterator.Next() 5591 } 5592 ctx.StringCache[field] = results 5593 return results 5594 }, Field: field, 5595 Weight: eval.IteratorWeight, 5596 }, nil 5597 case "process.ancestors.uid": 5598 return &eval.IntArrayEvaluator{ 5599 EvalFnc: func(ctx *eval.Context) []int { 5600 if result, ok := ctx.IntCache[field]; ok { 5601 return result 5602 } 5603 var results []int 5604 iterator := &ProcessAncestorsIterator{} 5605 value := iterator.Front(ctx) 5606 for value != nil { 5607 element := (*ProcessCacheEntry)(value) 5608 result := int(element.ProcessContext.Process.Credentials.UID) 5609 results = append(results, result) 5610 value = iterator.Next() 5611 } 5612 ctx.IntCache[field] = results 5613 return results 5614 }, Field: field, 5615 Weight: eval.IteratorWeight, 5616 }, nil 5617 case "process.ancestors.user": 5618 return &eval.StringArrayEvaluator{ 5619 EvalFnc: func(ctx *eval.Context) []string { 5620 if result, ok := ctx.StringCache[field]; ok { 5621 return result 5622 } 5623 var results []string 5624 iterator := &ProcessAncestorsIterator{} 5625 value := iterator.Front(ctx) 5626 for value != nil { 5627 element := (*ProcessCacheEntry)(value) 5628 result := element.ProcessContext.Process.Credentials.User 5629 results = append(results, result) 5630 value = iterator.Next() 5631 } 5632 ctx.StringCache[field] = results 5633 return results 5634 }, 
Field: field, 5635 Weight: eval.IteratorWeight, 5636 }, nil 5637 case "process.ancestors.user_session.k8s_groups": 5638 return &eval.StringArrayEvaluator{ 5639 EvalFnc: func(ctx *eval.Context) []string { 5640 ev := ctx.Event.(*Event) 5641 if result, ok := ctx.StringCache[field]; ok { 5642 return result 5643 } 5644 var results []string 5645 iterator := &ProcessAncestorsIterator{} 5646 value := iterator.Front(ctx) 5647 for value != nil { 5648 element := (*ProcessCacheEntry)(value) 5649 result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession) 5650 results = append(results, result...) 5651 value = iterator.Next() 5652 } 5653 ctx.StringCache[field] = results 5654 return results 5655 }, Field: field, 5656 Weight: eval.IteratorWeight, 5657 }, nil 5658 case "process.ancestors.user_session.k8s_uid": 5659 return &eval.StringArrayEvaluator{ 5660 EvalFnc: func(ctx *eval.Context) []string { 5661 ev := ctx.Event.(*Event) 5662 if result, ok := ctx.StringCache[field]; ok { 5663 return result 5664 } 5665 var results []string 5666 iterator := &ProcessAncestorsIterator{} 5667 value := iterator.Front(ctx) 5668 for value != nil { 5669 element := (*ProcessCacheEntry)(value) 5670 result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession) 5671 results = append(results, result) 5672 value = iterator.Next() 5673 } 5674 ctx.StringCache[field] = results 5675 return results 5676 }, Field: field, 5677 Weight: eval.IteratorWeight, 5678 }, nil 5679 case "process.ancestors.user_session.k8s_username": 5680 return &eval.StringArrayEvaluator{ 5681 EvalFnc: func(ctx *eval.Context) []string { 5682 ev := ctx.Event.(*Event) 5683 if result, ok := ctx.StringCache[field]; ok { 5684 return result 5685 } 5686 var results []string 5687 iterator := &ProcessAncestorsIterator{} 5688 value := iterator.Front(ctx) 5689 for value != nil { 5690 element := (*ProcessCacheEntry)(value) 5691 result := ev.FieldHandlers.ResolveK8SUsername(ev, 
&element.ProcessContext.Process.UserSession) 5692 results = append(results, result) 5693 value = iterator.Next() 5694 } 5695 ctx.StringCache[field] = results 5696 return results 5697 }, Field: field, 5698 Weight: eval.IteratorWeight, 5699 }, nil 5700 case "process.args": 5701 return &eval.StringEvaluator{ 5702 EvalFnc: func(ctx *eval.Context) string { 5703 ev := ctx.Event.(*Event) 5704 return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.BaseEvent.ProcessContext.Process) 5705 }, 5706 Field: field, 5707 Weight: 500 * eval.HandlerWeight, 5708 }, nil 5709 case "process.args_flags": 5710 return &eval.StringArrayEvaluator{ 5711 EvalFnc: func(ctx *eval.Context) []string { 5712 ev := ctx.Event.(*Event) 5713 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.BaseEvent.ProcessContext.Process) 5714 }, 5715 Field: field, 5716 Weight: eval.HandlerWeight, 5717 }, nil 5718 case "process.args_options": 5719 return &eval.StringArrayEvaluator{ 5720 EvalFnc: func(ctx *eval.Context) []string { 5721 ev := ctx.Event.(*Event) 5722 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.BaseEvent.ProcessContext.Process) 5723 }, 5724 Field: field, 5725 Weight: eval.HandlerWeight, 5726 }, nil 5727 case "process.args_truncated": 5728 return &eval.BoolEvaluator{ 5729 EvalFnc: func(ctx *eval.Context) bool { 5730 ev := ctx.Event.(*Event) 5731 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.BaseEvent.ProcessContext.Process) 5732 }, 5733 Field: field, 5734 Weight: eval.HandlerWeight, 5735 }, nil 5736 case "process.argv": 5737 return &eval.StringArrayEvaluator{ 5738 EvalFnc: func(ctx *eval.Context) []string { 5739 ev := ctx.Event.(*Event) 5740 return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.BaseEvent.ProcessContext.Process) 5741 }, 5742 Field: field, 5743 Weight: 500 * eval.HandlerWeight, 5744 }, nil 5745 case "process.argv0": 5746 return &eval.StringEvaluator{ 5747 EvalFnc: func(ctx *eval.Context) string { 5748 ev := ctx.Event.(*Event) 5749 return 
ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.BaseEvent.ProcessContext.Process) 5750 }, 5751 Field: field, 5752 Weight: 100 * eval.HandlerWeight, 5753 }, nil 5754 case "process.cap_effective": 5755 return &eval.IntEvaluator{ 5756 EvalFnc: func(ctx *eval.Context) int { 5757 ev := ctx.Event.(*Event) 5758 return int(ev.BaseEvent.ProcessContext.Process.Credentials.CapEffective) 5759 }, 5760 Field: field, 5761 Weight: eval.FunctionWeight, 5762 }, nil 5763 case "process.cap_permitted": 5764 return &eval.IntEvaluator{ 5765 EvalFnc: func(ctx *eval.Context) int { 5766 ev := ctx.Event.(*Event) 5767 return int(ev.BaseEvent.ProcessContext.Process.Credentials.CapPermitted) 5768 }, 5769 Field: field, 5770 Weight: eval.FunctionWeight, 5771 }, nil 5772 case "process.comm": 5773 return &eval.StringEvaluator{ 5774 EvalFnc: func(ctx *eval.Context) string { 5775 ev := ctx.Event.(*Event) 5776 return ev.BaseEvent.ProcessContext.Process.Comm 5777 }, 5778 Field: field, 5779 Weight: eval.FunctionWeight, 5780 }, nil 5781 case "process.container.id": 5782 return &eval.StringEvaluator{ 5783 EvalFnc: func(ctx *eval.Context) string { 5784 ev := ctx.Event.(*Event) 5785 return ev.BaseEvent.ProcessContext.Process.ContainerID 5786 }, 5787 Field: field, 5788 Weight: eval.FunctionWeight, 5789 }, nil 5790 case "process.created_at": 5791 return &eval.IntEvaluator{ 5792 EvalFnc: func(ctx *eval.Context) int { 5793 ev := ctx.Event.(*Event) 5794 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.BaseEvent.ProcessContext.Process)) 5795 }, 5796 Field: field, 5797 Weight: eval.HandlerWeight, 5798 }, nil 5799 case "process.egid": 5800 return &eval.IntEvaluator{ 5801 EvalFnc: func(ctx *eval.Context) int { 5802 ev := ctx.Event.(*Event) 5803 return int(ev.BaseEvent.ProcessContext.Process.Credentials.EGID) 5804 }, 5805 Field: field, 5806 Weight: eval.FunctionWeight, 5807 }, nil 5808 case "process.egroup": 5809 return &eval.StringEvaluator{ 5810 EvalFnc: func(ctx *eval.Context) string { 5811 ev := 
ctx.Event.(*Event) 5812 return ev.BaseEvent.ProcessContext.Process.Credentials.EGroup 5813 }, 5814 Field: field, 5815 Weight: eval.FunctionWeight, 5816 }, nil 5817 case "process.envp": 5818 return &eval.StringArrayEvaluator{ 5819 EvalFnc: func(ctx *eval.Context) []string { 5820 ev := ctx.Event.(*Event) 5821 return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process) 5822 }, 5823 Field: field, 5824 Weight: 100 * eval.HandlerWeight, 5825 }, nil 5826 case "process.envs": 5827 return &eval.StringArrayEvaluator{ 5828 EvalFnc: func(ctx *eval.Context) []string { 5829 ev := ctx.Event.(*Event) 5830 return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process) 5831 }, 5832 Field: field, 5833 Weight: 100 * eval.HandlerWeight, 5834 }, nil 5835 case "process.envs_truncated": 5836 return &eval.BoolEvaluator{ 5837 EvalFnc: func(ctx *eval.Context) bool { 5838 ev := ctx.Event.(*Event) 5839 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.BaseEvent.ProcessContext.Process) 5840 }, 5841 Field: field, 5842 Weight: eval.HandlerWeight, 5843 }, nil 5844 case "process.euid": 5845 return &eval.IntEvaluator{ 5846 EvalFnc: func(ctx *eval.Context) int { 5847 ev := ctx.Event.(*Event) 5848 return int(ev.BaseEvent.ProcessContext.Process.Credentials.EUID) 5849 }, 5850 Field: field, 5851 Weight: eval.FunctionWeight, 5852 }, nil 5853 case "process.euser": 5854 return &eval.StringEvaluator{ 5855 EvalFnc: func(ctx *eval.Context) string { 5856 ev := ctx.Event.(*Event) 5857 return ev.BaseEvent.ProcessContext.Process.Credentials.EUser 5858 }, 5859 Field: field, 5860 Weight: eval.FunctionWeight, 5861 }, nil 5862 case "process.file.change_time": 5863 return &eval.IntEvaluator{ 5864 EvalFnc: func(ctx *eval.Context) int { 5865 ev := ctx.Event.(*Event) 5866 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 5867 return 0 5868 } 5869 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.CTime) 5870 }, 5871 Field: field, 5872 Weight: 
eval.FunctionWeight, 5873 }, nil 5874 case "process.file.filesystem": 5875 return &eval.StringEvaluator{ 5876 EvalFnc: func(ctx *eval.Context) string { 5877 ev := ctx.Event.(*Event) 5878 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 5879 return "" 5880 } 5881 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) 5882 }, 5883 Field: field, 5884 Weight: eval.HandlerWeight, 5885 }, nil 5886 case "process.file.gid": 5887 return &eval.IntEvaluator{ 5888 EvalFnc: func(ctx *eval.Context) int { 5889 ev := ctx.Event.(*Event) 5890 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 5891 return 0 5892 } 5893 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.GID) 5894 }, 5895 Field: field, 5896 Weight: eval.FunctionWeight, 5897 }, nil 5898 case "process.file.group": 5899 return &eval.StringEvaluator{ 5900 EvalFnc: func(ctx *eval.Context) string { 5901 ev := ctx.Event.(*Event) 5902 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 5903 return "" 5904 } 5905 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields) 5906 }, 5907 Field: field, 5908 Weight: eval.HandlerWeight, 5909 }, nil 5910 case "process.file.hashes": 5911 return &eval.StringArrayEvaluator{ 5912 EvalFnc: func(ctx *eval.Context) []string { 5913 ev := ctx.Event.(*Event) 5914 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 5915 return []string{} 5916 } 5917 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) 5918 }, 5919 Field: field, 5920 Weight: 999 * eval.HandlerWeight, 5921 }, nil 5922 case "process.file.in_upper_layer": 5923 return &eval.BoolEvaluator{ 5924 EvalFnc: func(ctx *eval.Context) bool { 5925 ev := ctx.Event.(*Event) 5926 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 5927 return false 5928 } 5929 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, 
&ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields) 5930 }, 5931 Field: field, 5932 Weight: eval.HandlerWeight, 5933 }, nil 5934 case "process.file.inode": 5935 return &eval.IntEvaluator{ 5936 EvalFnc: func(ctx *eval.Context) int { 5937 ev := ctx.Event.(*Event) 5938 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 5939 return 0 5940 } 5941 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) 5942 }, 5943 Field: field, 5944 Weight: eval.FunctionWeight, 5945 }, nil 5946 case "process.file.mode": 5947 return &eval.IntEvaluator{ 5948 EvalFnc: func(ctx *eval.Context) int { 5949 ev := ctx.Event.(*Event) 5950 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 5951 return 0 5952 } 5953 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.Mode) 5954 }, 5955 Field: field, 5956 Weight: eval.FunctionWeight, 5957 }, nil 5958 case "process.file.modification_time": 5959 return &eval.IntEvaluator{ 5960 EvalFnc: func(ctx *eval.Context) int { 5961 ev := ctx.Event.(*Event) 5962 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 5963 return 0 5964 } 5965 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.MTime) 5966 }, 5967 Field: field, 5968 Weight: eval.FunctionWeight, 5969 }, nil 5970 case "process.file.mount_id": 5971 return &eval.IntEvaluator{ 5972 EvalFnc: func(ctx *eval.Context) int { 5973 ev := ctx.Event.(*Event) 5974 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 5975 return 0 5976 } 5977 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) 5978 }, 5979 Field: field, 5980 Weight: eval.FunctionWeight, 5981 }, nil 5982 case "process.file.name": 5983 return &eval.StringEvaluator{ 5984 OpOverrides: ProcessSymlinkBasename, 5985 EvalFnc: func(ctx *eval.Context) string { 5986 ev := ctx.Event.(*Event) 5987 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 5988 return "" 5989 } 5990 return ev.FieldHandlers.ResolveFileBasename(ev, 
&ev.BaseEvent.ProcessContext.Process.FileEvent) 5991 }, 5992 Field: field, 5993 Weight: eval.HandlerWeight, 5994 }, nil 5995 case "process.file.name.length": 5996 return &eval.IntEvaluator{ 5997 OpOverrides: ProcessSymlinkBasename, 5998 EvalFnc: func(ctx *eval.Context) int { 5999 ev := ctx.Event.(*Event) 6000 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)) 6001 }, 6002 Field: field, 6003 Weight: eval.HandlerWeight, 6004 }, nil 6005 case "process.file.package.name": 6006 return &eval.StringEvaluator{ 6007 EvalFnc: func(ctx *eval.Context) string { 6008 ev := ctx.Event.(*Event) 6009 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 6010 return "" 6011 } 6012 return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) 6013 }, 6014 Field: field, 6015 Weight: eval.HandlerWeight, 6016 }, nil 6017 case "process.file.package.source_version": 6018 return &eval.StringEvaluator{ 6019 EvalFnc: func(ctx *eval.Context) string { 6020 ev := ctx.Event.(*Event) 6021 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 6022 return "" 6023 } 6024 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) 6025 }, 6026 Field: field, 6027 Weight: eval.HandlerWeight, 6028 }, nil 6029 case "process.file.package.version": 6030 return &eval.StringEvaluator{ 6031 EvalFnc: func(ctx *eval.Context) string { 6032 ev := ctx.Event.(*Event) 6033 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 6034 return "" 6035 } 6036 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) 6037 }, 6038 Field: field, 6039 Weight: eval.HandlerWeight, 6040 }, nil 6041 case "process.file.path": 6042 return &eval.StringEvaluator{ 6043 OpOverrides: ProcessSymlinkPathname, 6044 EvalFnc: func(ctx *eval.Context) string { 6045 ev := ctx.Event.(*Event) 6046 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 6047 return "" 6048 } 
6049 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) 6050 }, 6051 Field: field, 6052 Weight: eval.HandlerWeight, 6053 }, nil 6054 case "process.file.path.length": 6055 return &eval.IntEvaluator{ 6056 OpOverrides: ProcessSymlinkPathname, 6057 EvalFnc: func(ctx *eval.Context) int { 6058 ev := ctx.Event.(*Event) 6059 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)) 6060 }, 6061 Field: field, 6062 Weight: eval.HandlerWeight, 6063 }, nil 6064 case "process.file.rights": 6065 return &eval.IntEvaluator{ 6066 EvalFnc: func(ctx *eval.Context) int { 6067 ev := ctx.Event.(*Event) 6068 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 6069 return 0 6070 } 6071 return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields)) 6072 }, 6073 Field: field, 6074 Weight: eval.HandlerWeight, 6075 }, nil 6076 case "process.file.uid": 6077 return &eval.IntEvaluator{ 6078 EvalFnc: func(ctx *eval.Context) int { 6079 ev := ctx.Event.(*Event) 6080 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 6081 return 0 6082 } 6083 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.UID) 6084 }, 6085 Field: field, 6086 Weight: eval.FunctionWeight, 6087 }, nil 6088 case "process.file.user": 6089 return &eval.StringEvaluator{ 6090 EvalFnc: func(ctx *eval.Context) string { 6091 ev := ctx.Event.(*Event) 6092 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 6093 return "" 6094 } 6095 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields) 6096 }, 6097 Field: field, 6098 Weight: eval.HandlerWeight, 6099 }, nil 6100 case "process.fsgid": 6101 return &eval.IntEvaluator{ 6102 EvalFnc: func(ctx *eval.Context) int { 6103 ev := ctx.Event.(*Event) 6104 return int(ev.BaseEvent.ProcessContext.Process.Credentials.FSGID) 6105 }, 6106 Field: field, 6107 Weight: eval.FunctionWeight, 6108 }, nil 6109 
case "process.fsgroup": 6110 return &eval.StringEvaluator{ 6111 EvalFnc: func(ctx *eval.Context) string { 6112 ev := ctx.Event.(*Event) 6113 return ev.BaseEvent.ProcessContext.Process.Credentials.FSGroup 6114 }, 6115 Field: field, 6116 Weight: eval.FunctionWeight, 6117 }, nil 6118 case "process.fsuid": 6119 return &eval.IntEvaluator{ 6120 EvalFnc: func(ctx *eval.Context) int { 6121 ev := ctx.Event.(*Event) 6122 return int(ev.BaseEvent.ProcessContext.Process.Credentials.FSUID) 6123 }, 6124 Field: field, 6125 Weight: eval.FunctionWeight, 6126 }, nil 6127 case "process.fsuser": 6128 return &eval.StringEvaluator{ 6129 EvalFnc: func(ctx *eval.Context) string { 6130 ev := ctx.Event.(*Event) 6131 return ev.BaseEvent.ProcessContext.Process.Credentials.FSUser 6132 }, 6133 Field: field, 6134 Weight: eval.FunctionWeight, 6135 }, nil 6136 case "process.gid": 6137 return &eval.IntEvaluator{ 6138 EvalFnc: func(ctx *eval.Context) int { 6139 ev := ctx.Event.(*Event) 6140 return int(ev.BaseEvent.ProcessContext.Process.Credentials.GID) 6141 }, 6142 Field: field, 6143 Weight: eval.FunctionWeight, 6144 }, nil 6145 case "process.group": 6146 return &eval.StringEvaluator{ 6147 EvalFnc: func(ctx *eval.Context) string { 6148 ev := ctx.Event.(*Event) 6149 return ev.BaseEvent.ProcessContext.Process.Credentials.Group 6150 }, 6151 Field: field, 6152 Weight: eval.FunctionWeight, 6153 }, nil 6154 case "process.interpreter.file.change_time": 6155 return &eval.IntEvaluator{ 6156 EvalFnc: func(ctx *eval.Context) int { 6157 ev := ctx.Event.(*Event) 6158 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6159 return 0 6160 } 6161 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) 6162 }, 6163 Field: field, 6164 Weight: eval.FunctionWeight, 6165 }, nil 6166 case "process.interpreter.file.filesystem": 6167 return &eval.StringEvaluator{ 6168 EvalFnc: func(ctx *eval.Context) string { 6169 ev := ctx.Event.(*Event) 6170 if 
!ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6171 return "" 6172 } 6173 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) 6174 }, 6175 Field: field, 6176 Weight: eval.HandlerWeight, 6177 }, nil 6178 case "process.interpreter.file.gid": 6179 return &eval.IntEvaluator{ 6180 EvalFnc: func(ctx *eval.Context) int { 6181 ev := ctx.Event.(*Event) 6182 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6183 return 0 6184 } 6185 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) 6186 }, 6187 Field: field, 6188 Weight: eval.FunctionWeight, 6189 }, nil 6190 case "process.interpreter.file.group": 6191 return &eval.StringEvaluator{ 6192 EvalFnc: func(ctx *eval.Context) string { 6193 ev := ctx.Event.(*Event) 6194 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6195 return "" 6196 } 6197 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 6198 }, 6199 Field: field, 6200 Weight: eval.HandlerWeight, 6201 }, nil 6202 case "process.interpreter.file.hashes": 6203 return &eval.StringArrayEvaluator{ 6204 EvalFnc: func(ctx *eval.Context) []string { 6205 ev := ctx.Event.(*Event) 6206 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6207 return []string{} 6208 } 6209 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) 6210 }, 6211 Field: field, 6212 Weight: 999 * eval.HandlerWeight, 6213 }, nil 6214 case "process.interpreter.file.in_upper_layer": 6215 return &eval.BoolEvaluator{ 6216 EvalFnc: func(ctx *eval.Context) bool { 6217 ev := ctx.Event.(*Event) 6218 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6219 return false 6220 } 6221 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 6222 }, 6223 Field: field, 6224 Weight: eval.HandlerWeight, 
6225 }, nil 6226 case "process.interpreter.file.inode": 6227 return &eval.IntEvaluator{ 6228 EvalFnc: func(ctx *eval.Context) int { 6229 ev := ctx.Event.(*Event) 6230 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6231 return 0 6232 } 6233 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 6234 }, 6235 Field: field, 6236 Weight: eval.FunctionWeight, 6237 }, nil 6238 case "process.interpreter.file.mode": 6239 return &eval.IntEvaluator{ 6240 EvalFnc: func(ctx *eval.Context) int { 6241 ev := ctx.Event.(*Event) 6242 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6243 return 0 6244 } 6245 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) 6246 }, 6247 Field: field, 6248 Weight: eval.FunctionWeight, 6249 }, nil 6250 case "process.interpreter.file.modification_time": 6251 return &eval.IntEvaluator{ 6252 EvalFnc: func(ctx *eval.Context) int { 6253 ev := ctx.Event.(*Event) 6254 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6255 return 0 6256 } 6257 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) 6258 }, 6259 Field: field, 6260 Weight: eval.FunctionWeight, 6261 }, nil 6262 case "process.interpreter.file.mount_id": 6263 return &eval.IntEvaluator{ 6264 EvalFnc: func(ctx *eval.Context) int { 6265 ev := ctx.Event.(*Event) 6266 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6267 return 0 6268 } 6269 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 6270 }, 6271 Field: field, 6272 Weight: eval.FunctionWeight, 6273 }, nil 6274 case "process.interpreter.file.name": 6275 return &eval.StringEvaluator{ 6276 OpOverrides: ProcessSymlinkBasename, 6277 EvalFnc: func(ctx *eval.Context) string { 6278 ev := ctx.Event.(*Event) 6279 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6280 return "" 6281 } 6282 return ev.FieldHandlers.ResolveFileBasename(ev, 
&ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) 6283 }, 6284 Field: field, 6285 Weight: eval.HandlerWeight, 6286 }, nil 6287 case "process.interpreter.file.name.length": 6288 return &eval.IntEvaluator{ 6289 OpOverrides: ProcessSymlinkBasename, 6290 EvalFnc: func(ctx *eval.Context) int { 6291 ev := ctx.Event.(*Event) 6292 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent)) 6293 }, 6294 Field: field, 6295 Weight: eval.HandlerWeight, 6296 }, nil 6297 case "process.interpreter.file.package.name": 6298 return &eval.StringEvaluator{ 6299 EvalFnc: func(ctx *eval.Context) string { 6300 ev := ctx.Event.(*Event) 6301 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6302 return "" 6303 } 6304 return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) 6305 }, 6306 Field: field, 6307 Weight: eval.HandlerWeight, 6308 }, nil 6309 case "process.interpreter.file.package.source_version": 6310 return &eval.StringEvaluator{ 6311 EvalFnc: func(ctx *eval.Context) string { 6312 ev := ctx.Event.(*Event) 6313 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6314 return "" 6315 } 6316 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) 6317 }, 6318 Field: field, 6319 Weight: eval.HandlerWeight, 6320 }, nil 6321 case "process.interpreter.file.package.version": 6322 return &eval.StringEvaluator{ 6323 EvalFnc: func(ctx *eval.Context) string { 6324 ev := ctx.Event.(*Event) 6325 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6326 return "" 6327 } 6328 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) 6329 }, 6330 Field: field, 6331 Weight: eval.HandlerWeight, 6332 }, nil 6333 case "process.interpreter.file.path": 6334 return &eval.StringEvaluator{ 6335 OpOverrides: ProcessSymlinkPathname, 6336 EvalFnc: func(ctx 
*eval.Context) string { 6337 ev := ctx.Event.(*Event) 6338 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6339 return "" 6340 } 6341 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent) 6342 }, 6343 Field: field, 6344 Weight: eval.HandlerWeight, 6345 }, nil 6346 case "process.interpreter.file.path.length": 6347 return &eval.IntEvaluator{ 6348 OpOverrides: ProcessSymlinkPathname, 6349 EvalFnc: func(ctx *eval.Context) int { 6350 ev := ctx.Event.(*Event) 6351 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent)) 6352 }, 6353 Field: field, 6354 Weight: eval.HandlerWeight, 6355 }, nil 6356 case "process.interpreter.file.rights": 6357 return &eval.IntEvaluator{ 6358 EvalFnc: func(ctx *eval.Context) int { 6359 ev := ctx.Event.(*Event) 6360 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6361 return 0 6362 } 6363 return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) 6364 }, 6365 Field: field, 6366 Weight: eval.HandlerWeight, 6367 }, nil 6368 case "process.interpreter.file.uid": 6369 return &eval.IntEvaluator{ 6370 EvalFnc: func(ctx *eval.Context) int { 6371 ev := ctx.Event.(*Event) 6372 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6373 return 0 6374 } 6375 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) 6376 }, 6377 Field: field, 6378 Weight: eval.FunctionWeight, 6379 }, nil 6380 case "process.interpreter.file.user": 6381 return &eval.StringEvaluator{ 6382 EvalFnc: func(ctx *eval.Context) string { 6383 ev := ctx.Event.(*Event) 6384 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 6385 return "" 6386 } 6387 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 6388 }, 6389 Field: field, 6390 Weight: eval.HandlerWeight, 6391 }, nil 6392 case 
"process.is_kworker": 6393 return &eval.BoolEvaluator{ 6394 EvalFnc: func(ctx *eval.Context) bool { 6395 ev := ctx.Event.(*Event) 6396 return ev.BaseEvent.ProcessContext.Process.PIDContext.IsKworker 6397 }, 6398 Field: field, 6399 Weight: eval.FunctionWeight, 6400 }, nil 6401 case "process.is_thread": 6402 return &eval.BoolEvaluator{ 6403 EvalFnc: func(ctx *eval.Context) bool { 6404 ev := ctx.Event.(*Event) 6405 return ev.BaseEvent.ProcessContext.Process.IsThread 6406 }, 6407 Field: field, 6408 Weight: eval.FunctionWeight, 6409 }, nil 6410 case "process.parent.args": 6411 return &eval.StringEvaluator{ 6412 EvalFnc: func(ctx *eval.Context) string { 6413 ev := ctx.Event.(*Event) 6414 if !ev.BaseEvent.ProcessContext.HasParent() { 6415 return "" 6416 } 6417 return ev.FieldHandlers.ResolveProcessArgs(ev, ev.BaseEvent.ProcessContext.Parent) 6418 }, 6419 Field: field, 6420 Weight: 500 * eval.HandlerWeight, 6421 }, nil 6422 case "process.parent.args_flags": 6423 return &eval.StringArrayEvaluator{ 6424 EvalFnc: func(ctx *eval.Context) []string { 6425 ev := ctx.Event.(*Event) 6426 if !ev.BaseEvent.ProcessContext.HasParent() { 6427 return []string{} 6428 } 6429 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.BaseEvent.ProcessContext.Parent) 6430 }, 6431 Field: field, 6432 Weight: eval.HandlerWeight, 6433 }, nil 6434 case "process.parent.args_options": 6435 return &eval.StringArrayEvaluator{ 6436 EvalFnc: func(ctx *eval.Context) []string { 6437 ev := ctx.Event.(*Event) 6438 if !ev.BaseEvent.ProcessContext.HasParent() { 6439 return []string{} 6440 } 6441 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.BaseEvent.ProcessContext.Parent) 6442 }, 6443 Field: field, 6444 Weight: eval.HandlerWeight, 6445 }, nil 6446 case "process.parent.args_truncated": 6447 return &eval.BoolEvaluator{ 6448 EvalFnc: func(ctx *eval.Context) bool { 6449 ev := ctx.Event.(*Event) 6450 if !ev.BaseEvent.ProcessContext.HasParent() { 6451 return false 6452 } 6453 return 
ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.BaseEvent.ProcessContext.Parent) 6454 }, 6455 Field: field, 6456 Weight: eval.HandlerWeight, 6457 }, nil 6458 case "process.parent.argv": 6459 return &eval.StringArrayEvaluator{ 6460 EvalFnc: func(ctx *eval.Context) []string { 6461 ev := ctx.Event.(*Event) 6462 if !ev.BaseEvent.ProcessContext.HasParent() { 6463 return []string{} 6464 } 6465 return ev.FieldHandlers.ResolveProcessArgv(ev, ev.BaseEvent.ProcessContext.Parent) 6466 }, 6467 Field: field, 6468 Weight: 500 * eval.HandlerWeight, 6469 }, nil 6470 case "process.parent.argv0": 6471 return &eval.StringEvaluator{ 6472 EvalFnc: func(ctx *eval.Context) string { 6473 ev := ctx.Event.(*Event) 6474 if !ev.BaseEvent.ProcessContext.HasParent() { 6475 return "" 6476 } 6477 return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.BaseEvent.ProcessContext.Parent) 6478 }, 6479 Field: field, 6480 Weight: 100 * eval.HandlerWeight, 6481 }, nil 6482 case "process.parent.cap_effective": 6483 return &eval.IntEvaluator{ 6484 EvalFnc: func(ctx *eval.Context) int { 6485 ev := ctx.Event.(*Event) 6486 if !ev.BaseEvent.ProcessContext.HasParent() { 6487 return 0 6488 } 6489 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.CapEffective) 6490 }, 6491 Field: field, 6492 Weight: eval.FunctionWeight, 6493 }, nil 6494 case "process.parent.cap_permitted": 6495 return &eval.IntEvaluator{ 6496 EvalFnc: func(ctx *eval.Context) int { 6497 ev := ctx.Event.(*Event) 6498 if !ev.BaseEvent.ProcessContext.HasParent() { 6499 return 0 6500 } 6501 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.CapPermitted) 6502 }, 6503 Field: field, 6504 Weight: eval.FunctionWeight, 6505 }, nil 6506 case "process.parent.comm": 6507 return &eval.StringEvaluator{ 6508 EvalFnc: func(ctx *eval.Context) string { 6509 ev := ctx.Event.(*Event) 6510 if !ev.BaseEvent.ProcessContext.HasParent() { 6511 return "" 6512 } 6513 return ev.BaseEvent.ProcessContext.Parent.Comm 6514 }, 6515 Field: field, 6516 Weight: 
eval.FunctionWeight, 6517 }, nil 6518 case "process.parent.container.id": 6519 return &eval.StringEvaluator{ 6520 EvalFnc: func(ctx *eval.Context) string { 6521 ev := ctx.Event.(*Event) 6522 if !ev.BaseEvent.ProcessContext.HasParent() { 6523 return "" 6524 } 6525 return ev.BaseEvent.ProcessContext.Parent.ContainerID 6526 }, 6527 Field: field, 6528 Weight: eval.FunctionWeight, 6529 }, nil 6530 case "process.parent.created_at": 6531 return &eval.IntEvaluator{ 6532 EvalFnc: func(ctx *eval.Context) int { 6533 ev := ctx.Event.(*Event) 6534 if !ev.BaseEvent.ProcessContext.HasParent() { 6535 return 0 6536 } 6537 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.BaseEvent.ProcessContext.Parent)) 6538 }, 6539 Field: field, 6540 Weight: eval.HandlerWeight, 6541 }, nil 6542 case "process.parent.egid": 6543 return &eval.IntEvaluator{ 6544 EvalFnc: func(ctx *eval.Context) int { 6545 ev := ctx.Event.(*Event) 6546 if !ev.BaseEvent.ProcessContext.HasParent() { 6547 return 0 6548 } 6549 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.EGID) 6550 }, 6551 Field: field, 6552 Weight: eval.FunctionWeight, 6553 }, nil 6554 case "process.parent.egroup": 6555 return &eval.StringEvaluator{ 6556 EvalFnc: func(ctx *eval.Context) string { 6557 ev := ctx.Event.(*Event) 6558 if !ev.BaseEvent.ProcessContext.HasParent() { 6559 return "" 6560 } 6561 return ev.BaseEvent.ProcessContext.Parent.Credentials.EGroup 6562 }, 6563 Field: field, 6564 Weight: eval.FunctionWeight, 6565 }, nil 6566 case "process.parent.envp": 6567 return &eval.StringArrayEvaluator{ 6568 EvalFnc: func(ctx *eval.Context) []string { 6569 ev := ctx.Event.(*Event) 6570 if !ev.BaseEvent.ProcessContext.HasParent() { 6571 return []string{} 6572 } 6573 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent) 6574 }, 6575 Field: field, 6576 Weight: 100 * eval.HandlerWeight, 6577 }, nil 6578 case "process.parent.envs": 6579 return &eval.StringArrayEvaluator{ 6580 EvalFnc: func(ctx *eval.Context) 
[]string { 6581 ev := ctx.Event.(*Event) 6582 if !ev.BaseEvent.ProcessContext.HasParent() { 6583 return []string{} 6584 } 6585 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent) 6586 }, 6587 Field: field, 6588 Weight: 100 * eval.HandlerWeight, 6589 }, nil 6590 case "process.parent.envs_truncated": 6591 return &eval.BoolEvaluator{ 6592 EvalFnc: func(ctx *eval.Context) bool { 6593 ev := ctx.Event.(*Event) 6594 if !ev.BaseEvent.ProcessContext.HasParent() { 6595 return false 6596 } 6597 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.BaseEvent.ProcessContext.Parent) 6598 }, 6599 Field: field, 6600 Weight: eval.HandlerWeight, 6601 }, nil 6602 case "process.parent.euid": 6603 return &eval.IntEvaluator{ 6604 EvalFnc: func(ctx *eval.Context) int { 6605 ev := ctx.Event.(*Event) 6606 if !ev.BaseEvent.ProcessContext.HasParent() { 6607 return 0 6608 } 6609 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.EUID) 6610 }, 6611 Field: field, 6612 Weight: eval.FunctionWeight, 6613 }, nil 6614 case "process.parent.euser": 6615 return &eval.StringEvaluator{ 6616 EvalFnc: func(ctx *eval.Context) string { 6617 ev := ctx.Event.(*Event) 6618 if !ev.BaseEvent.ProcessContext.HasParent() { 6619 return "" 6620 } 6621 return ev.BaseEvent.ProcessContext.Parent.Credentials.EUser 6622 }, 6623 Field: field, 6624 Weight: eval.FunctionWeight, 6625 }, nil 6626 case "process.parent.file.change_time": 6627 return &eval.IntEvaluator{ 6628 EvalFnc: func(ctx *eval.Context) int { 6629 ev := ctx.Event.(*Event) 6630 if !ev.BaseEvent.ProcessContext.HasParent() { 6631 return 0 6632 } 6633 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6634 return 0 6635 } 6636 return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.CTime) 6637 }, 6638 Field: field, 6639 Weight: eval.FunctionWeight, 6640 }, nil 6641 case "process.parent.file.filesystem": 6642 return &eval.StringEvaluator{ 6643 EvalFnc: func(ctx *eval.Context) string { 6644 ev := 
ctx.Event.(*Event) 6645 if !ev.BaseEvent.ProcessContext.HasParent() { 6646 return "" 6647 } 6648 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6649 return "" 6650 } 6651 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) 6652 }, 6653 Field: field, 6654 Weight: eval.HandlerWeight, 6655 }, nil 6656 case "process.parent.file.gid": 6657 return &eval.IntEvaluator{ 6658 EvalFnc: func(ctx *eval.Context) int { 6659 ev := ctx.Event.(*Event) 6660 if !ev.BaseEvent.ProcessContext.HasParent() { 6661 return 0 6662 } 6663 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6664 return 0 6665 } 6666 return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.GID) 6667 }, 6668 Field: field, 6669 Weight: eval.FunctionWeight, 6670 }, nil 6671 case "process.parent.file.group": 6672 return &eval.StringEvaluator{ 6673 EvalFnc: func(ctx *eval.Context) string { 6674 ev := ctx.Event.(*Event) 6675 if !ev.BaseEvent.ProcessContext.HasParent() { 6676 return "" 6677 } 6678 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6679 return "" 6680 } 6681 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields) 6682 }, 6683 Field: field, 6684 Weight: eval.HandlerWeight, 6685 }, nil 6686 case "process.parent.file.hashes": 6687 return &eval.StringArrayEvaluator{ 6688 EvalFnc: func(ctx *eval.Context) []string { 6689 ev := ctx.Event.(*Event) 6690 if !ev.BaseEvent.ProcessContext.HasParent() { 6691 return []string{} 6692 } 6693 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6694 return []string{} 6695 } 6696 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) 6697 }, 6698 Field: field, 6699 Weight: 999 * eval.HandlerWeight, 6700 }, nil 6701 case "process.parent.file.in_upper_layer": 6702 return &eval.BoolEvaluator{ 6703 EvalFnc: func(ctx *eval.Context) bool { 6704 ev := ctx.Event.(*Event) 6705 if 
!ev.BaseEvent.ProcessContext.HasParent() { 6706 return false 6707 } 6708 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6709 return false 6710 } 6711 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields) 6712 }, 6713 Field: field, 6714 Weight: eval.HandlerWeight, 6715 }, nil 6716 case "process.parent.file.inode": 6717 return &eval.IntEvaluator{ 6718 EvalFnc: func(ctx *eval.Context) int { 6719 ev := ctx.Event.(*Event) 6720 if !ev.BaseEvent.ProcessContext.HasParent() { 6721 return 0 6722 } 6723 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6724 return 0 6725 } 6726 return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.PathKey.Inode) 6727 }, 6728 Field: field, 6729 Weight: eval.FunctionWeight, 6730 }, nil 6731 case "process.parent.file.mode": 6732 return &eval.IntEvaluator{ 6733 EvalFnc: func(ctx *eval.Context) int { 6734 ev := ctx.Event.(*Event) 6735 if !ev.BaseEvent.ProcessContext.HasParent() { 6736 return 0 6737 } 6738 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6739 return 0 6740 } 6741 return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.Mode) 6742 }, 6743 Field: field, 6744 Weight: eval.FunctionWeight, 6745 }, nil 6746 case "process.parent.file.modification_time": 6747 return &eval.IntEvaluator{ 6748 EvalFnc: func(ctx *eval.Context) int { 6749 ev := ctx.Event.(*Event) 6750 if !ev.BaseEvent.ProcessContext.HasParent() { 6751 return 0 6752 } 6753 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6754 return 0 6755 } 6756 return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.MTime) 6757 }, 6758 Field: field, 6759 Weight: eval.FunctionWeight, 6760 }, nil 6761 case "process.parent.file.mount_id": 6762 return &eval.IntEvaluator{ 6763 EvalFnc: func(ctx *eval.Context) int { 6764 ev := ctx.Event.(*Event) 6765 if !ev.BaseEvent.ProcessContext.HasParent() { 6766 return 0 6767 } 6768 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 
6769 return 0 6770 } 6771 return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.PathKey.MountID) 6772 }, 6773 Field: field, 6774 Weight: eval.FunctionWeight, 6775 }, nil 6776 case "process.parent.file.name": 6777 return &eval.StringEvaluator{ 6778 OpOverrides: ProcessSymlinkBasename, 6779 EvalFnc: func(ctx *eval.Context) string { 6780 ev := ctx.Event.(*Event) 6781 if !ev.BaseEvent.ProcessContext.HasParent() { 6782 return "" 6783 } 6784 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6785 return "" 6786 } 6787 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) 6788 }, 6789 Field: field, 6790 Weight: eval.HandlerWeight, 6791 }, nil 6792 case "process.parent.file.name.length": 6793 return &eval.IntEvaluator{ 6794 OpOverrides: ProcessSymlinkBasename, 6795 EvalFnc: func(ctx *eval.Context) int { 6796 ev := ctx.Event.(*Event) 6797 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent)) 6798 }, 6799 Field: field, 6800 Weight: eval.HandlerWeight, 6801 }, nil 6802 case "process.parent.file.package.name": 6803 return &eval.StringEvaluator{ 6804 EvalFnc: func(ctx *eval.Context) string { 6805 ev := ctx.Event.(*Event) 6806 if !ev.BaseEvent.ProcessContext.HasParent() { 6807 return "" 6808 } 6809 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6810 return "" 6811 } 6812 return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) 6813 }, 6814 Field: field, 6815 Weight: eval.HandlerWeight, 6816 }, nil 6817 case "process.parent.file.package.source_version": 6818 return &eval.StringEvaluator{ 6819 EvalFnc: func(ctx *eval.Context) string { 6820 ev := ctx.Event.(*Event) 6821 if !ev.BaseEvent.ProcessContext.HasParent() { 6822 return "" 6823 } 6824 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6825 return "" 6826 } 6827 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) 6828 }, 
6829 Field: field, 6830 Weight: eval.HandlerWeight, 6831 }, nil 6832 case "process.parent.file.package.version": 6833 return &eval.StringEvaluator{ 6834 EvalFnc: func(ctx *eval.Context) string { 6835 ev := ctx.Event.(*Event) 6836 if !ev.BaseEvent.ProcessContext.HasParent() { 6837 return "" 6838 } 6839 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6840 return "" 6841 } 6842 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) 6843 }, 6844 Field: field, 6845 Weight: eval.HandlerWeight, 6846 }, nil 6847 case "process.parent.file.path": 6848 return &eval.StringEvaluator{ 6849 OpOverrides: ProcessSymlinkPathname, 6850 EvalFnc: func(ctx *eval.Context) string { 6851 ev := ctx.Event.(*Event) 6852 if !ev.BaseEvent.ProcessContext.HasParent() { 6853 return "" 6854 } 6855 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6856 return "" 6857 } 6858 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent) 6859 }, 6860 Field: field, 6861 Weight: eval.HandlerWeight, 6862 }, nil 6863 case "process.parent.file.path.length": 6864 return &eval.IntEvaluator{ 6865 OpOverrides: ProcessSymlinkPathname, 6866 EvalFnc: func(ctx *eval.Context) int { 6867 ev := ctx.Event.(*Event) 6868 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent)) 6869 }, 6870 Field: field, 6871 Weight: eval.HandlerWeight, 6872 }, nil 6873 case "process.parent.file.rights": 6874 return &eval.IntEvaluator{ 6875 EvalFnc: func(ctx *eval.Context) int { 6876 ev := ctx.Event.(*Event) 6877 if !ev.BaseEvent.ProcessContext.HasParent() { 6878 return 0 6879 } 6880 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6881 return 0 6882 } 6883 return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields)) 6884 }, 6885 Field: field, 6886 Weight: eval.HandlerWeight, 6887 }, nil 6888 case "process.parent.file.uid": 6889 return &eval.IntEvaluator{ 6890 
EvalFnc: func(ctx *eval.Context) int { 6891 ev := ctx.Event.(*Event) 6892 if !ev.BaseEvent.ProcessContext.HasParent() { 6893 return 0 6894 } 6895 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6896 return 0 6897 } 6898 return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.UID) 6899 }, 6900 Field: field, 6901 Weight: eval.FunctionWeight, 6902 }, nil 6903 case "process.parent.file.user": 6904 return &eval.StringEvaluator{ 6905 EvalFnc: func(ctx *eval.Context) string { 6906 ev := ctx.Event.(*Event) 6907 if !ev.BaseEvent.ProcessContext.HasParent() { 6908 return "" 6909 } 6910 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 6911 return "" 6912 } 6913 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields) 6914 }, 6915 Field: field, 6916 Weight: eval.HandlerWeight, 6917 }, nil 6918 case "process.parent.fsgid": 6919 return &eval.IntEvaluator{ 6920 EvalFnc: func(ctx *eval.Context) int { 6921 ev := ctx.Event.(*Event) 6922 if !ev.BaseEvent.ProcessContext.HasParent() { 6923 return 0 6924 } 6925 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.FSGID) 6926 }, 6927 Field: field, 6928 Weight: eval.FunctionWeight, 6929 }, nil 6930 case "process.parent.fsgroup": 6931 return &eval.StringEvaluator{ 6932 EvalFnc: func(ctx *eval.Context) string { 6933 ev := ctx.Event.(*Event) 6934 if !ev.BaseEvent.ProcessContext.HasParent() { 6935 return "" 6936 } 6937 return ev.BaseEvent.ProcessContext.Parent.Credentials.FSGroup 6938 }, 6939 Field: field, 6940 Weight: eval.FunctionWeight, 6941 }, nil 6942 case "process.parent.fsuid": 6943 return &eval.IntEvaluator{ 6944 EvalFnc: func(ctx *eval.Context) int { 6945 ev := ctx.Event.(*Event) 6946 if !ev.BaseEvent.ProcessContext.HasParent() { 6947 return 0 6948 } 6949 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.FSUID) 6950 }, 6951 Field: field, 6952 Weight: eval.FunctionWeight, 6953 }, nil 6954 case "process.parent.fsuser": 6955 return 
&eval.StringEvaluator{ 6956 EvalFnc: func(ctx *eval.Context) string { 6957 ev := ctx.Event.(*Event) 6958 if !ev.BaseEvent.ProcessContext.HasParent() { 6959 return "" 6960 } 6961 return ev.BaseEvent.ProcessContext.Parent.Credentials.FSUser 6962 }, 6963 Field: field, 6964 Weight: eval.FunctionWeight, 6965 }, nil 6966 case "process.parent.gid": 6967 return &eval.IntEvaluator{ 6968 EvalFnc: func(ctx *eval.Context) int { 6969 ev := ctx.Event.(*Event) 6970 if !ev.BaseEvent.ProcessContext.HasParent() { 6971 return 0 6972 } 6973 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.GID) 6974 }, 6975 Field: field, 6976 Weight: eval.FunctionWeight, 6977 }, nil 6978 case "process.parent.group": 6979 return &eval.StringEvaluator{ 6980 EvalFnc: func(ctx *eval.Context) string { 6981 ev := ctx.Event.(*Event) 6982 if !ev.BaseEvent.ProcessContext.HasParent() { 6983 return "" 6984 } 6985 return ev.BaseEvent.ProcessContext.Parent.Credentials.Group 6986 }, 6987 Field: field, 6988 Weight: eval.FunctionWeight, 6989 }, nil 6990 case "process.parent.interpreter.file.change_time": 6991 return &eval.IntEvaluator{ 6992 EvalFnc: func(ctx *eval.Context) int { 6993 ev := ctx.Event.(*Event) 6994 if !ev.BaseEvent.ProcessContext.HasParent() { 6995 return 0 6996 } 6997 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 6998 return 0 6999 } 7000 return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.CTime) 7001 }, 7002 Field: field, 7003 Weight: eval.FunctionWeight, 7004 }, nil 7005 case "process.parent.interpreter.file.filesystem": 7006 return &eval.StringEvaluator{ 7007 EvalFnc: func(ctx *eval.Context) string { 7008 ev := ctx.Event.(*Event) 7009 if !ev.BaseEvent.ProcessContext.HasParent() { 7010 return "" 7011 } 7012 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7013 return "" 7014 } 7015 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) 7016 }, 7017 Field: field, 7018 Weight: 
eval.HandlerWeight, 7019 }, nil 7020 case "process.parent.interpreter.file.gid": 7021 return &eval.IntEvaluator{ 7022 EvalFnc: func(ctx *eval.Context) int { 7023 ev := ctx.Event.(*Event) 7024 if !ev.BaseEvent.ProcessContext.HasParent() { 7025 return 0 7026 } 7027 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7028 return 0 7029 } 7030 return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.GID) 7031 }, 7032 Field: field, 7033 Weight: eval.FunctionWeight, 7034 }, nil 7035 case "process.parent.interpreter.file.group": 7036 return &eval.StringEvaluator{ 7037 EvalFnc: func(ctx *eval.Context) string { 7038 ev := ctx.Event.(*Event) 7039 if !ev.BaseEvent.ProcessContext.HasParent() { 7040 return "" 7041 } 7042 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7043 return "" 7044 } 7045 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields) 7046 }, 7047 Field: field, 7048 Weight: eval.HandlerWeight, 7049 }, nil 7050 case "process.parent.interpreter.file.hashes": 7051 return &eval.StringArrayEvaluator{ 7052 EvalFnc: func(ctx *eval.Context) []string { 7053 ev := ctx.Event.(*Event) 7054 if !ev.BaseEvent.ProcessContext.HasParent() { 7055 return []string{} 7056 } 7057 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7058 return []string{} 7059 } 7060 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) 7061 }, 7062 Field: field, 7063 Weight: 999 * eval.HandlerWeight, 7064 }, nil 7065 case "process.parent.interpreter.file.in_upper_layer": 7066 return &eval.BoolEvaluator{ 7067 EvalFnc: func(ctx *eval.Context) bool { 7068 ev := ctx.Event.(*Event) 7069 if !ev.BaseEvent.ProcessContext.HasParent() { 7070 return false 7071 } 7072 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7073 return false 7074 } 7075 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, 
&ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields) 7076 }, 7077 Field: field, 7078 Weight: eval.HandlerWeight, 7079 }, nil 7080 case "process.parent.interpreter.file.inode": 7081 return &eval.IntEvaluator{ 7082 EvalFnc: func(ctx *eval.Context) int { 7083 ev := ctx.Event.(*Event) 7084 if !ev.BaseEvent.ProcessContext.HasParent() { 7085 return 0 7086 } 7087 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7088 return 0 7089 } 7090 return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 7091 }, 7092 Field: field, 7093 Weight: eval.FunctionWeight, 7094 }, nil 7095 case "process.parent.interpreter.file.mode": 7096 return &eval.IntEvaluator{ 7097 EvalFnc: func(ctx *eval.Context) int { 7098 ev := ctx.Event.(*Event) 7099 if !ev.BaseEvent.ProcessContext.HasParent() { 7100 return 0 7101 } 7102 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7103 return 0 7104 } 7105 return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.Mode) 7106 }, 7107 Field: field, 7108 Weight: eval.FunctionWeight, 7109 }, nil 7110 case "process.parent.interpreter.file.modification_time": 7111 return &eval.IntEvaluator{ 7112 EvalFnc: func(ctx *eval.Context) int { 7113 ev := ctx.Event.(*Event) 7114 if !ev.BaseEvent.ProcessContext.HasParent() { 7115 return 0 7116 } 7117 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7118 return 0 7119 } 7120 return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.MTime) 7121 }, 7122 Field: field, 7123 Weight: eval.FunctionWeight, 7124 }, nil 7125 case "process.parent.interpreter.file.mount_id": 7126 return &eval.IntEvaluator{ 7127 EvalFnc: func(ctx *eval.Context) int { 7128 ev := ctx.Event.(*Event) 7129 if !ev.BaseEvent.ProcessContext.HasParent() { 7130 return 0 7131 } 7132 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7133 return 0 7134 } 7135 return 
int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 7136 }, 7137 Field: field, 7138 Weight: eval.FunctionWeight, 7139 }, nil 7140 case "process.parent.interpreter.file.name": 7141 return &eval.StringEvaluator{ 7142 OpOverrides: ProcessSymlinkBasename, 7143 EvalFnc: func(ctx *eval.Context) string { 7144 ev := ctx.Event.(*Event) 7145 if !ev.BaseEvent.ProcessContext.HasParent() { 7146 return "" 7147 } 7148 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7149 return "" 7150 } 7151 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) 7152 }, 7153 Field: field, 7154 Weight: eval.HandlerWeight, 7155 }, nil 7156 case "process.parent.interpreter.file.name.length": 7157 return &eval.IntEvaluator{ 7158 OpOverrides: ProcessSymlinkBasename, 7159 EvalFnc: func(ctx *eval.Context) int { 7160 ev := ctx.Event.(*Event) 7161 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent)) 7162 }, 7163 Field: field, 7164 Weight: eval.HandlerWeight, 7165 }, nil 7166 case "process.parent.interpreter.file.package.name": 7167 return &eval.StringEvaluator{ 7168 EvalFnc: func(ctx *eval.Context) string { 7169 ev := ctx.Event.(*Event) 7170 if !ev.BaseEvent.ProcessContext.HasParent() { 7171 return "" 7172 } 7173 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7174 return "" 7175 } 7176 return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) 7177 }, 7178 Field: field, 7179 Weight: eval.HandlerWeight, 7180 }, nil 7181 case "process.parent.interpreter.file.package.source_version": 7182 return &eval.StringEvaluator{ 7183 EvalFnc: func(ctx *eval.Context) string { 7184 ev := ctx.Event.(*Event) 7185 if !ev.BaseEvent.ProcessContext.HasParent() { 7186 return "" 7187 } 7188 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7189 return "" 7190 } 7191 return 
ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) 7192 }, 7193 Field: field, 7194 Weight: eval.HandlerWeight, 7195 }, nil 7196 case "process.parent.interpreter.file.package.version": 7197 return &eval.StringEvaluator{ 7198 EvalFnc: func(ctx *eval.Context) string { 7199 ev := ctx.Event.(*Event) 7200 if !ev.BaseEvent.ProcessContext.HasParent() { 7201 return "" 7202 } 7203 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7204 return "" 7205 } 7206 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) 7207 }, 7208 Field: field, 7209 Weight: eval.HandlerWeight, 7210 }, nil 7211 case "process.parent.interpreter.file.path": 7212 return &eval.StringEvaluator{ 7213 OpOverrides: ProcessSymlinkPathname, 7214 EvalFnc: func(ctx *eval.Context) string { 7215 ev := ctx.Event.(*Event) 7216 if !ev.BaseEvent.ProcessContext.HasParent() { 7217 return "" 7218 } 7219 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7220 return "" 7221 } 7222 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent) 7223 }, 7224 Field: field, 7225 Weight: eval.HandlerWeight, 7226 }, nil 7227 case "process.parent.interpreter.file.path.length": 7228 return &eval.IntEvaluator{ 7229 OpOverrides: ProcessSymlinkPathname, 7230 EvalFnc: func(ctx *eval.Context) int { 7231 ev := ctx.Event.(*Event) 7232 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent)) 7233 }, 7234 Field: field, 7235 Weight: eval.HandlerWeight, 7236 }, nil 7237 case "process.parent.interpreter.file.rights": 7238 return &eval.IntEvaluator{ 7239 EvalFnc: func(ctx *eval.Context) int { 7240 ev := ctx.Event.(*Event) 7241 if !ev.BaseEvent.ProcessContext.HasParent() { 7242 return 0 7243 } 7244 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7245 return 0 7246 } 7247 return int(ev.FieldHandlers.ResolveRights(ev, 
&ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields)) 7248 }, 7249 Field: field, 7250 Weight: eval.HandlerWeight, 7251 }, nil 7252 case "process.parent.interpreter.file.uid": 7253 return &eval.IntEvaluator{ 7254 EvalFnc: func(ctx *eval.Context) int { 7255 ev := ctx.Event.(*Event) 7256 if !ev.BaseEvent.ProcessContext.HasParent() { 7257 return 0 7258 } 7259 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7260 return 0 7261 } 7262 return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.UID) 7263 }, 7264 Field: field, 7265 Weight: eval.FunctionWeight, 7266 }, nil 7267 case "process.parent.interpreter.file.user": 7268 return &eval.StringEvaluator{ 7269 EvalFnc: func(ctx *eval.Context) string { 7270 ev := ctx.Event.(*Event) 7271 if !ev.BaseEvent.ProcessContext.HasParent() { 7272 return "" 7273 } 7274 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 7275 return "" 7276 } 7277 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields) 7278 }, 7279 Field: field, 7280 Weight: eval.HandlerWeight, 7281 }, nil 7282 case "process.parent.is_kworker": 7283 return &eval.BoolEvaluator{ 7284 EvalFnc: func(ctx *eval.Context) bool { 7285 ev := ctx.Event.(*Event) 7286 if !ev.BaseEvent.ProcessContext.HasParent() { 7287 return false 7288 } 7289 return ev.BaseEvent.ProcessContext.Parent.PIDContext.IsKworker 7290 }, 7291 Field: field, 7292 Weight: eval.FunctionWeight, 7293 }, nil 7294 case "process.parent.is_thread": 7295 return &eval.BoolEvaluator{ 7296 EvalFnc: func(ctx *eval.Context) bool { 7297 ev := ctx.Event.(*Event) 7298 if !ev.BaseEvent.ProcessContext.HasParent() { 7299 return false 7300 } 7301 return ev.BaseEvent.ProcessContext.Parent.IsThread 7302 }, 7303 Field: field, 7304 Weight: eval.FunctionWeight, 7305 }, nil 7306 case "process.parent.pid": 7307 return &eval.IntEvaluator{ 7308 EvalFnc: func(ctx *eval.Context) int { 7309 ev := ctx.Event.(*Event) 7310 if 
!ev.BaseEvent.ProcessContext.HasParent() { 7311 return 0 7312 } 7313 return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid) 7314 }, 7315 Field: field, 7316 Weight: eval.FunctionWeight, 7317 }, nil 7318 case "process.parent.ppid": 7319 return &eval.IntEvaluator{ 7320 EvalFnc: func(ctx *eval.Context) int { 7321 ev := ctx.Event.(*Event) 7322 if !ev.BaseEvent.ProcessContext.HasParent() { 7323 return 0 7324 } 7325 return int(ev.BaseEvent.ProcessContext.Parent.PPid) 7326 }, 7327 Field: field, 7328 Weight: eval.FunctionWeight, 7329 }, nil 7330 case "process.parent.tid": 7331 return &eval.IntEvaluator{ 7332 EvalFnc: func(ctx *eval.Context) int { 7333 ev := ctx.Event.(*Event) 7334 if !ev.BaseEvent.ProcessContext.HasParent() { 7335 return 0 7336 } 7337 return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Tid) 7338 }, 7339 Field: field, 7340 Weight: eval.FunctionWeight, 7341 }, nil 7342 case "process.parent.tty_name": 7343 return &eval.StringEvaluator{ 7344 EvalFnc: func(ctx *eval.Context) string { 7345 ev := ctx.Event.(*Event) 7346 if !ev.BaseEvent.ProcessContext.HasParent() { 7347 return "" 7348 } 7349 return ev.BaseEvent.ProcessContext.Parent.TTYName 7350 }, 7351 Field: field, 7352 Weight: eval.FunctionWeight, 7353 }, nil 7354 case "process.parent.uid": 7355 return &eval.IntEvaluator{ 7356 EvalFnc: func(ctx *eval.Context) int { 7357 ev := ctx.Event.(*Event) 7358 if !ev.BaseEvent.ProcessContext.HasParent() { 7359 return 0 7360 } 7361 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.UID) 7362 }, 7363 Field: field, 7364 Weight: eval.FunctionWeight, 7365 }, nil 7366 case "process.parent.user": 7367 return &eval.StringEvaluator{ 7368 EvalFnc: func(ctx *eval.Context) string { 7369 ev := ctx.Event.(*Event) 7370 if !ev.BaseEvent.ProcessContext.HasParent() { 7371 return "" 7372 } 7373 return ev.BaseEvent.ProcessContext.Parent.Credentials.User 7374 }, 7375 Field: field, 7376 Weight: eval.FunctionWeight, 7377 }, nil 7378 case 
"process.parent.user_session.k8s_groups": 7379 return &eval.StringArrayEvaluator{ 7380 EvalFnc: func(ctx *eval.Context) []string { 7381 ev := ctx.Event.(*Event) 7382 if !ev.BaseEvent.ProcessContext.HasParent() { 7383 return []string{} 7384 } 7385 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession) 7386 }, 7387 Field: field, 7388 Weight: eval.HandlerWeight, 7389 }, nil 7390 case "process.parent.user_session.k8s_uid": 7391 return &eval.StringEvaluator{ 7392 EvalFnc: func(ctx *eval.Context) string { 7393 ev := ctx.Event.(*Event) 7394 if !ev.BaseEvent.ProcessContext.HasParent() { 7395 return "" 7396 } 7397 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession) 7398 }, 7399 Field: field, 7400 Weight: eval.HandlerWeight, 7401 }, nil 7402 case "process.parent.user_session.k8s_username": 7403 return &eval.StringEvaluator{ 7404 EvalFnc: func(ctx *eval.Context) string { 7405 ev := ctx.Event.(*Event) 7406 if !ev.BaseEvent.ProcessContext.HasParent() { 7407 return "" 7408 } 7409 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession) 7410 }, 7411 Field: field, 7412 Weight: eval.HandlerWeight, 7413 }, nil 7414 case "process.pid": 7415 return &eval.IntEvaluator{ 7416 EvalFnc: func(ctx *eval.Context) int { 7417 ev := ctx.Event.(*Event) 7418 return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Pid) 7419 }, 7420 Field: field, 7421 Weight: eval.FunctionWeight, 7422 }, nil 7423 case "process.ppid": 7424 return &eval.IntEvaluator{ 7425 EvalFnc: func(ctx *eval.Context) int { 7426 ev := ctx.Event.(*Event) 7427 return int(ev.BaseEvent.ProcessContext.Process.PPid) 7428 }, 7429 Field: field, 7430 Weight: eval.FunctionWeight, 7431 }, nil 7432 case "process.tid": 7433 return &eval.IntEvaluator{ 7434 EvalFnc: func(ctx *eval.Context) int { 7435 ev := ctx.Event.(*Event) 7436 return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Tid) 7437 }, 7438 Field: field, 7439 
Weight: eval.FunctionWeight, 7440 }, nil 7441 case "process.tty_name": 7442 return &eval.StringEvaluator{ 7443 EvalFnc: func(ctx *eval.Context) string { 7444 ev := ctx.Event.(*Event) 7445 return ev.BaseEvent.ProcessContext.Process.TTYName 7446 }, 7447 Field: field, 7448 Weight: eval.FunctionWeight, 7449 }, nil 7450 case "process.uid": 7451 return &eval.IntEvaluator{ 7452 EvalFnc: func(ctx *eval.Context) int { 7453 ev := ctx.Event.(*Event) 7454 return int(ev.BaseEvent.ProcessContext.Process.Credentials.UID) 7455 }, 7456 Field: field, 7457 Weight: eval.FunctionWeight, 7458 }, nil 7459 case "process.user": 7460 return &eval.StringEvaluator{ 7461 EvalFnc: func(ctx *eval.Context) string { 7462 ev := ctx.Event.(*Event) 7463 return ev.BaseEvent.ProcessContext.Process.Credentials.User 7464 }, 7465 Field: field, 7466 Weight: eval.FunctionWeight, 7467 }, nil 7468 case "process.user_session.k8s_groups": 7469 return &eval.StringArrayEvaluator{ 7470 EvalFnc: func(ctx *eval.Context) []string { 7471 ev := ctx.Event.(*Event) 7472 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.BaseEvent.ProcessContext.Process.UserSession) 7473 }, 7474 Field: field, 7475 Weight: eval.HandlerWeight, 7476 }, nil 7477 case "process.user_session.k8s_uid": 7478 return &eval.StringEvaluator{ 7479 EvalFnc: func(ctx *eval.Context) string { 7480 ev := ctx.Event.(*Event) 7481 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.BaseEvent.ProcessContext.Process.UserSession) 7482 }, 7483 Field: field, 7484 Weight: eval.HandlerWeight, 7485 }, nil 7486 case "process.user_session.k8s_username": 7487 return &eval.StringEvaluator{ 7488 EvalFnc: func(ctx *eval.Context) string { 7489 ev := ctx.Event.(*Event) 7490 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.BaseEvent.ProcessContext.Process.UserSession) 7491 }, 7492 Field: field, 7493 Weight: eval.HandlerWeight, 7494 }, nil 7495 case "ptrace.request": 7496 return &eval.IntEvaluator{ 7497 EvalFnc: func(ctx *eval.Context) int { 7498 ev := ctx.Event.(*Event) 7499 return 
int(ev.PTrace.Request) 7500 }, 7501 Field: field, 7502 Weight: eval.FunctionWeight, 7503 }, nil 7504 case "ptrace.retval": 7505 return &eval.IntEvaluator{ 7506 EvalFnc: func(ctx *eval.Context) int { 7507 ev := ctx.Event.(*Event) 7508 return int(ev.PTrace.SyscallEvent.Retval) 7509 }, 7510 Field: field, 7511 Weight: eval.FunctionWeight, 7512 }, nil 7513 case "ptrace.tracee.ancestors.args": 7514 return &eval.StringArrayEvaluator{ 7515 EvalFnc: func(ctx *eval.Context) []string { 7516 ev := ctx.Event.(*Event) 7517 if result, ok := ctx.StringCache[field]; ok { 7518 return result 7519 } 7520 var results []string 7521 iterator := &ProcessAncestorsIterator{} 7522 value := iterator.Front(ctx) 7523 for value != nil { 7524 element := (*ProcessCacheEntry)(value) 7525 result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process) 7526 results = append(results, result) 7527 value = iterator.Next() 7528 } 7529 ctx.StringCache[field] = results 7530 return results 7531 }, Field: field, 7532 Weight: 500 * eval.IteratorWeight, 7533 }, nil 7534 case "ptrace.tracee.ancestors.args_flags": 7535 return &eval.StringArrayEvaluator{ 7536 EvalFnc: func(ctx *eval.Context) []string { 7537 ev := ctx.Event.(*Event) 7538 if result, ok := ctx.StringCache[field]; ok { 7539 return result 7540 } 7541 var results []string 7542 iterator := &ProcessAncestorsIterator{} 7543 value := iterator.Front(ctx) 7544 for value != nil { 7545 element := (*ProcessCacheEntry)(value) 7546 result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process) 7547 results = append(results, result...) 
7548 value = iterator.Next() 7549 } 7550 ctx.StringCache[field] = results 7551 return results 7552 }, Field: field, 7553 Weight: eval.IteratorWeight, 7554 }, nil 7555 case "ptrace.tracee.ancestors.args_options": 7556 return &eval.StringArrayEvaluator{ 7557 EvalFnc: func(ctx *eval.Context) []string { 7558 ev := ctx.Event.(*Event) 7559 if result, ok := ctx.StringCache[field]; ok { 7560 return result 7561 } 7562 var results []string 7563 iterator := &ProcessAncestorsIterator{} 7564 value := iterator.Front(ctx) 7565 for value != nil { 7566 element := (*ProcessCacheEntry)(value) 7567 result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process) 7568 results = append(results, result...) 7569 value = iterator.Next() 7570 } 7571 ctx.StringCache[field] = results 7572 return results 7573 }, Field: field, 7574 Weight: eval.IteratorWeight, 7575 }, nil 7576 case "ptrace.tracee.ancestors.args_truncated": 7577 return &eval.BoolArrayEvaluator{ 7578 EvalFnc: func(ctx *eval.Context) []bool { 7579 ev := ctx.Event.(*Event) 7580 if result, ok := ctx.BoolCache[field]; ok { 7581 return result 7582 } 7583 var results []bool 7584 iterator := &ProcessAncestorsIterator{} 7585 value := iterator.Front(ctx) 7586 for value != nil { 7587 element := (*ProcessCacheEntry)(value) 7588 result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process) 7589 results = append(results, result) 7590 value = iterator.Next() 7591 } 7592 ctx.BoolCache[field] = results 7593 return results 7594 }, Field: field, 7595 Weight: eval.IteratorWeight, 7596 }, nil 7597 case "ptrace.tracee.ancestors.argv": 7598 return &eval.StringArrayEvaluator{ 7599 EvalFnc: func(ctx *eval.Context) []string { 7600 ev := ctx.Event.(*Event) 7601 if result, ok := ctx.StringCache[field]; ok { 7602 return result 7603 } 7604 var results []string 7605 iterator := &ProcessAncestorsIterator{} 7606 value := iterator.Front(ctx) 7607 for value != nil { 7608 element := (*ProcessCacheEntry)(value) 
7609 result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process) 7610 results = append(results, result...) 7611 value = iterator.Next() 7612 } 7613 ctx.StringCache[field] = results 7614 return results 7615 }, Field: field, 7616 Weight: 500 * eval.IteratorWeight, 7617 }, nil 7618 case "ptrace.tracee.ancestors.argv0": 7619 return &eval.StringArrayEvaluator{ 7620 EvalFnc: func(ctx *eval.Context) []string { 7621 ev := ctx.Event.(*Event) 7622 if result, ok := ctx.StringCache[field]; ok { 7623 return result 7624 } 7625 var results []string 7626 iterator := &ProcessAncestorsIterator{} 7627 value := iterator.Front(ctx) 7628 for value != nil { 7629 element := (*ProcessCacheEntry)(value) 7630 result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process) 7631 results = append(results, result) 7632 value = iterator.Next() 7633 } 7634 ctx.StringCache[field] = results 7635 return results 7636 }, Field: field, 7637 Weight: 100 * eval.IteratorWeight, 7638 }, nil 7639 case "ptrace.tracee.ancestors.cap_effective": 7640 return &eval.IntArrayEvaluator{ 7641 EvalFnc: func(ctx *eval.Context) []int { 7642 if result, ok := ctx.IntCache[field]; ok { 7643 return result 7644 } 7645 var results []int 7646 iterator := &ProcessAncestorsIterator{} 7647 value := iterator.Front(ctx) 7648 for value != nil { 7649 element := (*ProcessCacheEntry)(value) 7650 result := int(element.ProcessContext.Process.Credentials.CapEffective) 7651 results = append(results, result) 7652 value = iterator.Next() 7653 } 7654 ctx.IntCache[field] = results 7655 return results 7656 }, Field: field, 7657 Weight: eval.IteratorWeight, 7658 }, nil 7659 case "ptrace.tracee.ancestors.cap_permitted": 7660 return &eval.IntArrayEvaluator{ 7661 EvalFnc: func(ctx *eval.Context) []int { 7662 if result, ok := ctx.IntCache[field]; ok { 7663 return result 7664 } 7665 var results []int 7666 iterator := &ProcessAncestorsIterator{} 7667 value := iterator.Front(ctx) 7668 for value != nil { 7669 
element := (*ProcessCacheEntry)(value) 7670 result := int(element.ProcessContext.Process.Credentials.CapPermitted) 7671 results = append(results, result) 7672 value = iterator.Next() 7673 } 7674 ctx.IntCache[field] = results 7675 return results 7676 }, Field: field, 7677 Weight: eval.IteratorWeight, 7678 }, nil 7679 case "ptrace.tracee.ancestors.comm": 7680 return &eval.StringArrayEvaluator{ 7681 EvalFnc: func(ctx *eval.Context) []string { 7682 if result, ok := ctx.StringCache[field]; ok { 7683 return result 7684 } 7685 var results []string 7686 iterator := &ProcessAncestorsIterator{} 7687 value := iterator.Front(ctx) 7688 for value != nil { 7689 element := (*ProcessCacheEntry)(value) 7690 result := element.ProcessContext.Process.Comm 7691 results = append(results, result) 7692 value = iterator.Next() 7693 } 7694 ctx.StringCache[field] = results 7695 return results 7696 }, Field: field, 7697 Weight: eval.IteratorWeight, 7698 }, nil 7699 case "ptrace.tracee.ancestors.container.id": 7700 return &eval.StringArrayEvaluator{ 7701 EvalFnc: func(ctx *eval.Context) []string { 7702 if result, ok := ctx.StringCache[field]; ok { 7703 return result 7704 } 7705 var results []string 7706 iterator := &ProcessAncestorsIterator{} 7707 value := iterator.Front(ctx) 7708 for value != nil { 7709 element := (*ProcessCacheEntry)(value) 7710 result := element.ProcessContext.Process.ContainerID 7711 results = append(results, result) 7712 value = iterator.Next() 7713 } 7714 ctx.StringCache[field] = results 7715 return results 7716 }, Field: field, 7717 Weight: eval.IteratorWeight, 7718 }, nil 7719 case "ptrace.tracee.ancestors.created_at": 7720 return &eval.IntArrayEvaluator{ 7721 EvalFnc: func(ctx *eval.Context) []int { 7722 ev := ctx.Event.(*Event) 7723 if result, ok := ctx.IntCache[field]; ok { 7724 return result 7725 } 7726 var results []int 7727 iterator := &ProcessAncestorsIterator{} 7728 value := iterator.Front(ctx) 7729 for value != nil { 7730 element := (*ProcessCacheEntry)(value) 
7731 result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process)) 7732 results = append(results, result) 7733 value = iterator.Next() 7734 } 7735 ctx.IntCache[field] = results 7736 return results 7737 }, Field: field, 7738 Weight: eval.IteratorWeight, 7739 }, nil 7740 case "ptrace.tracee.ancestors.egid": 7741 return &eval.IntArrayEvaluator{ 7742 EvalFnc: func(ctx *eval.Context) []int { 7743 if result, ok := ctx.IntCache[field]; ok { 7744 return result 7745 } 7746 var results []int 7747 iterator := &ProcessAncestorsIterator{} 7748 value := iterator.Front(ctx) 7749 for value != nil { 7750 element := (*ProcessCacheEntry)(value) 7751 result := int(element.ProcessContext.Process.Credentials.EGID) 7752 results = append(results, result) 7753 value = iterator.Next() 7754 } 7755 ctx.IntCache[field] = results 7756 return results 7757 }, Field: field, 7758 Weight: eval.IteratorWeight, 7759 }, nil 7760 case "ptrace.tracee.ancestors.egroup": 7761 return &eval.StringArrayEvaluator{ 7762 EvalFnc: func(ctx *eval.Context) []string { 7763 if result, ok := ctx.StringCache[field]; ok { 7764 return result 7765 } 7766 var results []string 7767 iterator := &ProcessAncestorsIterator{} 7768 value := iterator.Front(ctx) 7769 for value != nil { 7770 element := (*ProcessCacheEntry)(value) 7771 result := element.ProcessContext.Process.Credentials.EGroup 7772 results = append(results, result) 7773 value = iterator.Next() 7774 } 7775 ctx.StringCache[field] = results 7776 return results 7777 }, Field: field, 7778 Weight: eval.IteratorWeight, 7779 }, nil 7780 case "ptrace.tracee.ancestors.envp": 7781 return &eval.StringArrayEvaluator{ 7782 EvalFnc: func(ctx *eval.Context) []string { 7783 ev := ctx.Event.(*Event) 7784 if result, ok := ctx.StringCache[field]; ok { 7785 return result 7786 } 7787 var results []string 7788 iterator := &ProcessAncestorsIterator{} 7789 value := iterator.Front(ctx) 7790 for value != nil { 7791 element := (*ProcessCacheEntry)(value) 7792 
result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) 7793 results = append(results, result...) 7794 value = iterator.Next() 7795 } 7796 ctx.StringCache[field] = results 7797 return results 7798 }, Field: field, 7799 Weight: 100 * eval.IteratorWeight, 7800 }, nil 7801 case "ptrace.tracee.ancestors.envs": 7802 return &eval.StringArrayEvaluator{ 7803 EvalFnc: func(ctx *eval.Context) []string { 7804 ev := ctx.Event.(*Event) 7805 if result, ok := ctx.StringCache[field]; ok { 7806 return result 7807 } 7808 var results []string 7809 iterator := &ProcessAncestorsIterator{} 7810 value := iterator.Front(ctx) 7811 for value != nil { 7812 element := (*ProcessCacheEntry)(value) 7813 result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process) 7814 results = append(results, result...) 7815 value = iterator.Next() 7816 } 7817 ctx.StringCache[field] = results 7818 return results 7819 }, Field: field, 7820 Weight: 100 * eval.IteratorWeight, 7821 }, nil 7822 case "ptrace.tracee.ancestors.envs_truncated": 7823 return &eval.BoolArrayEvaluator{ 7824 EvalFnc: func(ctx *eval.Context) []bool { 7825 ev := ctx.Event.(*Event) 7826 if result, ok := ctx.BoolCache[field]; ok { 7827 return result 7828 } 7829 var results []bool 7830 iterator := &ProcessAncestorsIterator{} 7831 value := iterator.Front(ctx) 7832 for value != nil { 7833 element := (*ProcessCacheEntry)(value) 7834 result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process) 7835 results = append(results, result) 7836 value = iterator.Next() 7837 } 7838 ctx.BoolCache[field] = results 7839 return results 7840 }, Field: field, 7841 Weight: eval.IteratorWeight, 7842 }, nil 7843 case "ptrace.tracee.ancestors.euid": 7844 return &eval.IntArrayEvaluator{ 7845 EvalFnc: func(ctx *eval.Context) []int { 7846 if result, ok := ctx.IntCache[field]; ok { 7847 return result 7848 } 7849 var results []int 7850 iterator := &ProcessAncestorsIterator{} 7851 value := 
iterator.Front(ctx) 7852 for value != nil { 7853 element := (*ProcessCacheEntry)(value) 7854 result := int(element.ProcessContext.Process.Credentials.EUID) 7855 results = append(results, result) 7856 value = iterator.Next() 7857 } 7858 ctx.IntCache[field] = results 7859 return results 7860 }, Field: field, 7861 Weight: eval.IteratorWeight, 7862 }, nil 7863 case "ptrace.tracee.ancestors.euser": 7864 return &eval.StringArrayEvaluator{ 7865 EvalFnc: func(ctx *eval.Context) []string { 7866 if result, ok := ctx.StringCache[field]; ok { 7867 return result 7868 } 7869 var results []string 7870 iterator := &ProcessAncestorsIterator{} 7871 value := iterator.Front(ctx) 7872 for value != nil { 7873 element := (*ProcessCacheEntry)(value) 7874 result := element.ProcessContext.Process.Credentials.EUser 7875 results = append(results, result) 7876 value = iterator.Next() 7877 } 7878 ctx.StringCache[field] = results 7879 return results 7880 }, Field: field, 7881 Weight: eval.IteratorWeight, 7882 }, nil 7883 case "ptrace.tracee.ancestors.file.change_time": 7884 return &eval.IntArrayEvaluator{ 7885 EvalFnc: func(ctx *eval.Context) []int { 7886 if result, ok := ctx.IntCache[field]; ok { 7887 return result 7888 } 7889 var results []int 7890 iterator := &ProcessAncestorsIterator{} 7891 value := iterator.Front(ctx) 7892 for value != nil { 7893 element := (*ProcessCacheEntry)(value) 7894 if !element.ProcessContext.Process.IsNotKworker() { 7895 results = append(results, 0) 7896 value = iterator.Next() 7897 continue 7898 } 7899 result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime) 7900 results = append(results, result) 7901 value = iterator.Next() 7902 } 7903 ctx.IntCache[field] = results 7904 return results 7905 }, Field: field, 7906 Weight: eval.IteratorWeight, 7907 }, nil 7908 case "ptrace.tracee.ancestors.file.filesystem": 7909 return &eval.StringArrayEvaluator{ 7910 EvalFnc: func(ctx *eval.Context) []string { 7911 ev := ctx.Event.(*Event) 7912 if result, ok := 
ctx.StringCache[field]; ok { 7913 return result 7914 } 7915 var results []string 7916 iterator := &ProcessAncestorsIterator{} 7917 value := iterator.Front(ctx) 7918 for value != nil { 7919 element := (*ProcessCacheEntry)(value) 7920 if !element.ProcessContext.Process.IsNotKworker() { 7921 results = append(results, "") 7922 value = iterator.Next() 7923 continue 7924 } 7925 result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent) 7926 results = append(results, result) 7927 value = iterator.Next() 7928 } 7929 ctx.StringCache[field] = results 7930 return results 7931 }, Field: field, 7932 Weight: eval.IteratorWeight, 7933 }, nil 7934 case "ptrace.tracee.ancestors.file.gid": 7935 return &eval.IntArrayEvaluator{ 7936 EvalFnc: func(ctx *eval.Context) []int { 7937 if result, ok := ctx.IntCache[field]; ok { 7938 return result 7939 } 7940 var results []int 7941 iterator := &ProcessAncestorsIterator{} 7942 value := iterator.Front(ctx) 7943 for value != nil { 7944 element := (*ProcessCacheEntry)(value) 7945 if !element.ProcessContext.Process.IsNotKworker() { 7946 results = append(results, 0) 7947 value = iterator.Next() 7948 continue 7949 } 7950 result := int(element.ProcessContext.Process.FileEvent.FileFields.GID) 7951 results = append(results, result) 7952 value = iterator.Next() 7953 } 7954 ctx.IntCache[field] = results 7955 return results 7956 }, Field: field, 7957 Weight: eval.IteratorWeight, 7958 }, nil 7959 case "ptrace.tracee.ancestors.file.group": 7960 return &eval.StringArrayEvaluator{ 7961 EvalFnc: func(ctx *eval.Context) []string { 7962 ev := ctx.Event.(*Event) 7963 if result, ok := ctx.StringCache[field]; ok { 7964 return result 7965 } 7966 var results []string 7967 iterator := &ProcessAncestorsIterator{} 7968 value := iterator.Front(ctx) 7969 for value != nil { 7970 element := (*ProcessCacheEntry)(value) 7971 if !element.ProcessContext.Process.IsNotKworker() { 7972 results = append(results, "") 7973 value = iterator.Next() 
7974 continue 7975 } 7976 result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields) 7977 results = append(results, result) 7978 value = iterator.Next() 7979 } 7980 ctx.StringCache[field] = results 7981 return results 7982 }, Field: field, 7983 Weight: eval.IteratorWeight, 7984 }, nil 7985 case "ptrace.tracee.ancestors.file.hashes": 7986 return &eval.StringArrayEvaluator{ 7987 EvalFnc: func(ctx *eval.Context) []string { 7988 ev := ctx.Event.(*Event) 7989 if result, ok := ctx.StringCache[field]; ok { 7990 return result 7991 } 7992 var results []string 7993 iterator := &ProcessAncestorsIterator{} 7994 value := iterator.Front(ctx) 7995 for value != nil { 7996 element := (*ProcessCacheEntry)(value) 7997 if !element.ProcessContext.Process.IsNotKworker() { 7998 results = append(results, "") 7999 value = iterator.Next() 8000 continue 8001 } 8002 result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent) 8003 results = append(results, result...) 
8004 value = iterator.Next() 8005 } 8006 ctx.StringCache[field] = results 8007 return results 8008 }, Field: field, 8009 Weight: 999 * eval.IteratorWeight, 8010 }, nil 8011 case "ptrace.tracee.ancestors.file.in_upper_layer": 8012 return &eval.BoolArrayEvaluator{ 8013 EvalFnc: func(ctx *eval.Context) []bool { 8014 ev := ctx.Event.(*Event) 8015 if result, ok := ctx.BoolCache[field]; ok { 8016 return result 8017 } 8018 var results []bool 8019 iterator := &ProcessAncestorsIterator{} 8020 value := iterator.Front(ctx) 8021 for value != nil { 8022 element := (*ProcessCacheEntry)(value) 8023 if !element.ProcessContext.Process.IsNotKworker() { 8024 results = append(results, false) 8025 value = iterator.Next() 8026 continue 8027 } 8028 result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields) 8029 results = append(results, result) 8030 value = iterator.Next() 8031 } 8032 ctx.BoolCache[field] = results 8033 return results 8034 }, Field: field, 8035 Weight: eval.IteratorWeight, 8036 }, nil 8037 case "ptrace.tracee.ancestors.file.inode": 8038 return &eval.IntArrayEvaluator{ 8039 EvalFnc: func(ctx *eval.Context) []int { 8040 if result, ok := ctx.IntCache[field]; ok { 8041 return result 8042 } 8043 var results []int 8044 iterator := &ProcessAncestorsIterator{} 8045 value := iterator.Front(ctx) 8046 for value != nil { 8047 element := (*ProcessCacheEntry)(value) 8048 if !element.ProcessContext.Process.IsNotKworker() { 8049 results = append(results, 0) 8050 value = iterator.Next() 8051 continue 8052 } 8053 result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) 8054 results = append(results, result) 8055 value = iterator.Next() 8056 } 8057 ctx.IntCache[field] = results 8058 return results 8059 }, Field: field, 8060 Weight: eval.IteratorWeight, 8061 }, nil 8062 case "ptrace.tracee.ancestors.file.mode": 8063 return &eval.IntArrayEvaluator{ 8064 EvalFnc: func(ctx *eval.Context) []int { 8065 if result, ok 
:= ctx.IntCache[field]; ok { 8066 return result 8067 } 8068 var results []int 8069 iterator := &ProcessAncestorsIterator{} 8070 value := iterator.Front(ctx) 8071 for value != nil { 8072 element := (*ProcessCacheEntry)(value) 8073 if !element.ProcessContext.Process.IsNotKworker() { 8074 results = append(results, 0) 8075 value = iterator.Next() 8076 continue 8077 } 8078 result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode) 8079 results = append(results, result) 8080 value = iterator.Next() 8081 } 8082 ctx.IntCache[field] = results 8083 return results 8084 }, Field: field, 8085 Weight: eval.IteratorWeight, 8086 }, nil 8087 case "ptrace.tracee.ancestors.file.modification_time": 8088 return &eval.IntArrayEvaluator{ 8089 EvalFnc: func(ctx *eval.Context) []int { 8090 if result, ok := ctx.IntCache[field]; ok { 8091 return result 8092 } 8093 var results []int 8094 iterator := &ProcessAncestorsIterator{} 8095 value := iterator.Front(ctx) 8096 for value != nil { 8097 element := (*ProcessCacheEntry)(value) 8098 if !element.ProcessContext.Process.IsNotKworker() { 8099 results = append(results, 0) 8100 value = iterator.Next() 8101 continue 8102 } 8103 result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime) 8104 results = append(results, result) 8105 value = iterator.Next() 8106 } 8107 ctx.IntCache[field] = results 8108 return results 8109 }, Field: field, 8110 Weight: eval.IteratorWeight, 8111 }, nil 8112 case "ptrace.tracee.ancestors.file.mount_id": 8113 return &eval.IntArrayEvaluator{ 8114 EvalFnc: func(ctx *eval.Context) []int { 8115 if result, ok := ctx.IntCache[field]; ok { 8116 return result 8117 } 8118 var results []int 8119 iterator := &ProcessAncestorsIterator{} 8120 value := iterator.Front(ctx) 8121 for value != nil { 8122 element := (*ProcessCacheEntry)(value) 8123 if !element.ProcessContext.Process.IsNotKworker() { 8124 results = append(results, 0) 8125 value = iterator.Next() 8126 continue 8127 } 8128 result := 
int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) 8129 results = append(results, result) 8130 value = iterator.Next() 8131 } 8132 ctx.IntCache[field] = results 8133 return results 8134 }, Field: field, 8135 Weight: eval.IteratorWeight, 8136 }, nil 8137 case "ptrace.tracee.ancestors.file.name": 8138 return &eval.StringArrayEvaluator{ 8139 OpOverrides: ProcessSymlinkBasename, 8140 EvalFnc: func(ctx *eval.Context) []string { 8141 ev := ctx.Event.(*Event) 8142 if result, ok := ctx.StringCache[field]; ok { 8143 return result 8144 } 8145 var results []string 8146 iterator := &ProcessAncestorsIterator{} 8147 value := iterator.Front(ctx) 8148 for value != nil { 8149 element := (*ProcessCacheEntry)(value) 8150 if !element.ProcessContext.Process.IsNotKworker() { 8151 results = append(results, "") 8152 value = iterator.Next() 8153 continue 8154 } 8155 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) 8156 results = append(results, result) 8157 value = iterator.Next() 8158 } 8159 ctx.StringCache[field] = results 8160 return results 8161 }, Field: field, 8162 Weight: eval.IteratorWeight, 8163 }, nil 8164 case "ptrace.tracee.ancestors.file.name.length": 8165 return &eval.IntArrayEvaluator{ 8166 OpOverrides: ProcessSymlinkBasename, 8167 EvalFnc: func(ctx *eval.Context) []int { 8168 ev := ctx.Event.(*Event) 8169 if result, ok := ctx.IntCache[field]; ok { 8170 return result 8171 } 8172 var results []int 8173 iterator := &ProcessAncestorsIterator{} 8174 value := iterator.Front(ctx) 8175 for value != nil { 8176 element := (*ProcessCacheEntry)(value) 8177 result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)) 8178 results = append(results, result) 8179 value = iterator.Next() 8180 } 8181 ctx.IntCache[field] = results 8182 return results 8183 }, Field: field, 8184 Weight: eval.IteratorWeight, 8185 }, nil 8186 case "ptrace.tracee.ancestors.file.package.name": 8187 return 
&eval.StringArrayEvaluator{ 8188 EvalFnc: func(ctx *eval.Context) []string { 8189 ev := ctx.Event.(*Event) 8190 if result, ok := ctx.StringCache[field]; ok { 8191 return result 8192 } 8193 var results []string 8194 iterator := &ProcessAncestorsIterator{} 8195 value := iterator.Front(ctx) 8196 for value != nil { 8197 element := (*ProcessCacheEntry)(value) 8198 if !element.ProcessContext.Process.IsNotKworker() { 8199 results = append(results, "") 8200 value = iterator.Next() 8201 continue 8202 } 8203 result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent) 8204 results = append(results, result) 8205 value = iterator.Next() 8206 } 8207 ctx.StringCache[field] = results 8208 return results 8209 }, Field: field, 8210 Weight: eval.IteratorWeight, 8211 }, nil 8212 case "ptrace.tracee.ancestors.file.package.source_version": 8213 return &eval.StringArrayEvaluator{ 8214 EvalFnc: func(ctx *eval.Context) []string { 8215 ev := ctx.Event.(*Event) 8216 if result, ok := ctx.StringCache[field]; ok { 8217 return result 8218 } 8219 var results []string 8220 iterator := &ProcessAncestorsIterator{} 8221 value := iterator.Front(ctx) 8222 for value != nil { 8223 element := (*ProcessCacheEntry)(value) 8224 if !element.ProcessContext.Process.IsNotKworker() { 8225 results = append(results, "") 8226 value = iterator.Next() 8227 continue 8228 } 8229 result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent) 8230 results = append(results, result) 8231 value = iterator.Next() 8232 } 8233 ctx.StringCache[field] = results 8234 return results 8235 }, Field: field, 8236 Weight: eval.IteratorWeight, 8237 }, nil 8238 case "ptrace.tracee.ancestors.file.package.version": 8239 return &eval.StringArrayEvaluator{ 8240 EvalFnc: func(ctx *eval.Context) []string { 8241 ev := ctx.Event.(*Event) 8242 if result, ok := ctx.StringCache[field]; ok { 8243 return result 8244 } 8245 var results []string 8246 iterator := 
&ProcessAncestorsIterator{} 8247 value := iterator.Front(ctx) 8248 for value != nil { 8249 element := (*ProcessCacheEntry)(value) 8250 if !element.ProcessContext.Process.IsNotKworker() { 8251 results = append(results, "") 8252 value = iterator.Next() 8253 continue 8254 } 8255 result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent) 8256 results = append(results, result) 8257 value = iterator.Next() 8258 } 8259 ctx.StringCache[field] = results 8260 return results 8261 }, Field: field, 8262 Weight: eval.IteratorWeight, 8263 }, nil 8264 case "ptrace.tracee.ancestors.file.path": 8265 return &eval.StringArrayEvaluator{ 8266 OpOverrides: ProcessSymlinkPathname, 8267 EvalFnc: func(ctx *eval.Context) []string { 8268 ev := ctx.Event.(*Event) 8269 if result, ok := ctx.StringCache[field]; ok { 8270 return result 8271 } 8272 var results []string 8273 iterator := &ProcessAncestorsIterator{} 8274 value := iterator.Front(ctx) 8275 for value != nil { 8276 element := (*ProcessCacheEntry)(value) 8277 if !element.ProcessContext.Process.IsNotKworker() { 8278 results = append(results, "") 8279 value = iterator.Next() 8280 continue 8281 } 8282 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) 8283 results = append(results, result) 8284 value = iterator.Next() 8285 } 8286 ctx.StringCache[field] = results 8287 return results 8288 }, Field: field, 8289 Weight: eval.IteratorWeight, 8290 }, nil 8291 case "ptrace.tracee.ancestors.file.path.length": 8292 return &eval.IntArrayEvaluator{ 8293 OpOverrides: ProcessSymlinkPathname, 8294 EvalFnc: func(ctx *eval.Context) []int { 8295 ev := ctx.Event.(*Event) 8296 if result, ok := ctx.IntCache[field]; ok { 8297 return result 8298 } 8299 var results []int 8300 iterator := &ProcessAncestorsIterator{} 8301 value := iterator.Front(ctx) 8302 for value != nil { 8303 element := (*ProcessCacheEntry)(value) 8304 result := len(ev.FieldHandlers.ResolveFilePath(ev, 
&element.ProcessContext.Process.FileEvent)) 8305 results = append(results, result) 8306 value = iterator.Next() 8307 } 8308 ctx.IntCache[field] = results 8309 return results 8310 }, Field: field, 8311 Weight: eval.IteratorWeight, 8312 }, nil 8313 case "ptrace.tracee.ancestors.file.rights": 8314 return &eval.IntArrayEvaluator{ 8315 EvalFnc: func(ctx *eval.Context) []int { 8316 ev := ctx.Event.(*Event) 8317 if result, ok := ctx.IntCache[field]; ok { 8318 return result 8319 } 8320 var results []int 8321 iterator := &ProcessAncestorsIterator{} 8322 value := iterator.Front(ctx) 8323 for value != nil { 8324 element := (*ProcessCacheEntry)(value) 8325 if !element.ProcessContext.Process.IsNotKworker() { 8326 results = append(results, 0) 8327 value = iterator.Next() 8328 continue 8329 } 8330 result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields)) 8331 results = append(results, result) 8332 value = iterator.Next() 8333 } 8334 ctx.IntCache[field] = results 8335 return results 8336 }, Field: field, 8337 Weight: eval.IteratorWeight, 8338 }, nil 8339 case "ptrace.tracee.ancestors.file.uid": 8340 return &eval.IntArrayEvaluator{ 8341 EvalFnc: func(ctx *eval.Context) []int { 8342 if result, ok := ctx.IntCache[field]; ok { 8343 return result 8344 } 8345 var results []int 8346 iterator := &ProcessAncestorsIterator{} 8347 value := iterator.Front(ctx) 8348 for value != nil { 8349 element := (*ProcessCacheEntry)(value) 8350 if !element.ProcessContext.Process.IsNotKworker() { 8351 results = append(results, 0) 8352 value = iterator.Next() 8353 continue 8354 } 8355 result := int(element.ProcessContext.Process.FileEvent.FileFields.UID) 8356 results = append(results, result) 8357 value = iterator.Next() 8358 } 8359 ctx.IntCache[field] = results 8360 return results 8361 }, Field: field, 8362 Weight: eval.IteratorWeight, 8363 }, nil 8364 case "ptrace.tracee.ancestors.file.user": 8365 return &eval.StringArrayEvaluator{ 8366 EvalFnc: func(ctx 
*eval.Context) []string { 8367 ev := ctx.Event.(*Event) 8368 if result, ok := ctx.StringCache[field]; ok { 8369 return result 8370 } 8371 var results []string 8372 iterator := &ProcessAncestorsIterator{} 8373 value := iterator.Front(ctx) 8374 for value != nil { 8375 element := (*ProcessCacheEntry)(value) 8376 if !element.ProcessContext.Process.IsNotKworker() { 8377 results = append(results, "") 8378 value = iterator.Next() 8379 continue 8380 } 8381 result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields) 8382 results = append(results, result) 8383 value = iterator.Next() 8384 } 8385 ctx.StringCache[field] = results 8386 return results 8387 }, Field: field, 8388 Weight: eval.IteratorWeight, 8389 }, nil 8390 case "ptrace.tracee.ancestors.fsgid": 8391 return &eval.IntArrayEvaluator{ 8392 EvalFnc: func(ctx *eval.Context) []int { 8393 if result, ok := ctx.IntCache[field]; ok { 8394 return result 8395 } 8396 var results []int 8397 iterator := &ProcessAncestorsIterator{} 8398 value := iterator.Front(ctx) 8399 for value != nil { 8400 element := (*ProcessCacheEntry)(value) 8401 result := int(element.ProcessContext.Process.Credentials.FSGID) 8402 results = append(results, result) 8403 value = iterator.Next() 8404 } 8405 ctx.IntCache[field] = results 8406 return results 8407 }, Field: field, 8408 Weight: eval.IteratorWeight, 8409 }, nil 8410 case "ptrace.tracee.ancestors.fsgroup": 8411 return &eval.StringArrayEvaluator{ 8412 EvalFnc: func(ctx *eval.Context) []string { 8413 if result, ok := ctx.StringCache[field]; ok { 8414 return result 8415 } 8416 var results []string 8417 iterator := &ProcessAncestorsIterator{} 8418 value := iterator.Front(ctx) 8419 for value != nil { 8420 element := (*ProcessCacheEntry)(value) 8421 result := element.ProcessContext.Process.Credentials.FSGroup 8422 results = append(results, result) 8423 value = iterator.Next() 8424 } 8425 ctx.StringCache[field] = results 8426 return results 8427 }, Field: 
field, 8428 Weight: eval.IteratorWeight, 8429 }, nil 8430 case "ptrace.tracee.ancestors.fsuid": 8431 return &eval.IntArrayEvaluator{ 8432 EvalFnc: func(ctx *eval.Context) []int { 8433 if result, ok := ctx.IntCache[field]; ok { 8434 return result 8435 } 8436 var results []int 8437 iterator := &ProcessAncestorsIterator{} 8438 value := iterator.Front(ctx) 8439 for value != nil { 8440 element := (*ProcessCacheEntry)(value) 8441 result := int(element.ProcessContext.Process.Credentials.FSUID) 8442 results = append(results, result) 8443 value = iterator.Next() 8444 } 8445 ctx.IntCache[field] = results 8446 return results 8447 }, Field: field, 8448 Weight: eval.IteratorWeight, 8449 }, nil 8450 case "ptrace.tracee.ancestors.fsuser": 8451 return &eval.StringArrayEvaluator{ 8452 EvalFnc: func(ctx *eval.Context) []string { 8453 if result, ok := ctx.StringCache[field]; ok { 8454 return result 8455 } 8456 var results []string 8457 iterator := &ProcessAncestorsIterator{} 8458 value := iterator.Front(ctx) 8459 for value != nil { 8460 element := (*ProcessCacheEntry)(value) 8461 result := element.ProcessContext.Process.Credentials.FSUser 8462 results = append(results, result) 8463 value = iterator.Next() 8464 } 8465 ctx.StringCache[field] = results 8466 return results 8467 }, Field: field, 8468 Weight: eval.IteratorWeight, 8469 }, nil 8470 case "ptrace.tracee.ancestors.gid": 8471 return &eval.IntArrayEvaluator{ 8472 EvalFnc: func(ctx *eval.Context) []int { 8473 if result, ok := ctx.IntCache[field]; ok { 8474 return result 8475 } 8476 var results []int 8477 iterator := &ProcessAncestorsIterator{} 8478 value := iterator.Front(ctx) 8479 for value != nil { 8480 element := (*ProcessCacheEntry)(value) 8481 result := int(element.ProcessContext.Process.Credentials.GID) 8482 results = append(results, result) 8483 value = iterator.Next() 8484 } 8485 ctx.IntCache[field] = results 8486 return results 8487 }, Field: field, 8488 Weight: eval.IteratorWeight, 8489 }, nil 8490 case 
"ptrace.tracee.ancestors.group": 8491 return &eval.StringArrayEvaluator{ 8492 EvalFnc: func(ctx *eval.Context) []string { 8493 if result, ok := ctx.StringCache[field]; ok { 8494 return result 8495 } 8496 var results []string 8497 iterator := &ProcessAncestorsIterator{} 8498 value := iterator.Front(ctx) 8499 for value != nil { 8500 element := (*ProcessCacheEntry)(value) 8501 result := element.ProcessContext.Process.Credentials.Group 8502 results = append(results, result) 8503 value = iterator.Next() 8504 } 8505 ctx.StringCache[field] = results 8506 return results 8507 }, Field: field, 8508 Weight: eval.IteratorWeight, 8509 }, nil 8510 case "ptrace.tracee.ancestors.interpreter.file.change_time": 8511 return &eval.IntArrayEvaluator{ 8512 EvalFnc: func(ctx *eval.Context) []int { 8513 if result, ok := ctx.IntCache[field]; ok { 8514 return result 8515 } 8516 var results []int 8517 iterator := &ProcessAncestorsIterator{} 8518 value := iterator.Front(ctx) 8519 for value != nil { 8520 element := (*ProcessCacheEntry)(value) 8521 if !element.ProcessContext.Process.HasInterpreter() { 8522 results = append(results, 0) 8523 value = iterator.Next() 8524 continue 8525 } 8526 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) 8527 results = append(results, result) 8528 value = iterator.Next() 8529 } 8530 ctx.IntCache[field] = results 8531 return results 8532 }, Field: field, 8533 Weight: eval.IteratorWeight, 8534 }, nil 8535 case "ptrace.tracee.ancestors.interpreter.file.filesystem": 8536 return &eval.StringArrayEvaluator{ 8537 EvalFnc: func(ctx *eval.Context) []string { 8538 ev := ctx.Event.(*Event) 8539 if result, ok := ctx.StringCache[field]; ok { 8540 return result 8541 } 8542 var results []string 8543 iterator := &ProcessAncestorsIterator{} 8544 value := iterator.Front(ctx) 8545 for value != nil { 8546 element := (*ProcessCacheEntry)(value) 8547 if !element.ProcessContext.Process.HasInterpreter() { 8548 results = append(results, "") 8549 value 
= iterator.Next() 8550 continue 8551 } 8552 result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 8553 results = append(results, result) 8554 value = iterator.Next() 8555 } 8556 ctx.StringCache[field] = results 8557 return results 8558 }, Field: field, 8559 Weight: eval.IteratorWeight, 8560 }, nil 8561 case "ptrace.tracee.ancestors.interpreter.file.gid": 8562 return &eval.IntArrayEvaluator{ 8563 EvalFnc: func(ctx *eval.Context) []int { 8564 if result, ok := ctx.IntCache[field]; ok { 8565 return result 8566 } 8567 var results []int 8568 iterator := &ProcessAncestorsIterator{} 8569 value := iterator.Front(ctx) 8570 for value != nil { 8571 element := (*ProcessCacheEntry)(value) 8572 if !element.ProcessContext.Process.HasInterpreter() { 8573 results = append(results, 0) 8574 value = iterator.Next() 8575 continue 8576 } 8577 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) 8578 results = append(results, result) 8579 value = iterator.Next() 8580 } 8581 ctx.IntCache[field] = results 8582 return results 8583 }, Field: field, 8584 Weight: eval.IteratorWeight, 8585 }, nil 8586 case "ptrace.tracee.ancestors.interpreter.file.group": 8587 return &eval.StringArrayEvaluator{ 8588 EvalFnc: func(ctx *eval.Context) []string { 8589 ev := ctx.Event.(*Event) 8590 if result, ok := ctx.StringCache[field]; ok { 8591 return result 8592 } 8593 var results []string 8594 iterator := &ProcessAncestorsIterator{} 8595 value := iterator.Front(ctx) 8596 for value != nil { 8597 element := (*ProcessCacheEntry)(value) 8598 if !element.ProcessContext.Process.HasInterpreter() { 8599 results = append(results, "") 8600 value = iterator.Next() 8601 continue 8602 } 8603 result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 8604 results = append(results, result) 8605 value = iterator.Next() 8606 } 8607 ctx.StringCache[field] = results 8608 return results 
8609 }, Field: field, 8610 Weight: eval.IteratorWeight, 8611 }, nil 8612 case "ptrace.tracee.ancestors.interpreter.file.hashes": 8613 return &eval.StringArrayEvaluator{ 8614 EvalFnc: func(ctx *eval.Context) []string { 8615 ev := ctx.Event.(*Event) 8616 if result, ok := ctx.StringCache[field]; ok { 8617 return result 8618 } 8619 var results []string 8620 iterator := &ProcessAncestorsIterator{} 8621 value := iterator.Front(ctx) 8622 for value != nil { 8623 element := (*ProcessCacheEntry)(value) 8624 if !element.ProcessContext.Process.HasInterpreter() { 8625 results = append(results, "") 8626 value = iterator.Next() 8627 continue 8628 } 8629 result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 8630 results = append(results, result...) 8631 value = iterator.Next() 8632 } 8633 ctx.StringCache[field] = results 8634 return results 8635 }, Field: field, 8636 Weight: 999 * eval.IteratorWeight, 8637 }, nil 8638 case "ptrace.tracee.ancestors.interpreter.file.in_upper_layer": 8639 return &eval.BoolArrayEvaluator{ 8640 EvalFnc: func(ctx *eval.Context) []bool { 8641 ev := ctx.Event.(*Event) 8642 if result, ok := ctx.BoolCache[field]; ok { 8643 return result 8644 } 8645 var results []bool 8646 iterator := &ProcessAncestorsIterator{} 8647 value := iterator.Front(ctx) 8648 for value != nil { 8649 element := (*ProcessCacheEntry)(value) 8650 if !element.ProcessContext.Process.HasInterpreter() { 8651 results = append(results, false) 8652 value = iterator.Next() 8653 continue 8654 } 8655 result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 8656 results = append(results, result) 8657 value = iterator.Next() 8658 } 8659 ctx.BoolCache[field] = results 8660 return results 8661 }, Field: field, 8662 Weight: eval.IteratorWeight, 8663 }, nil 8664 case "ptrace.tracee.ancestors.interpreter.file.inode": 8665 return &eval.IntArrayEvaluator{ 8666 EvalFnc: func(ctx 
*eval.Context) []int { 8667 if result, ok := ctx.IntCache[field]; ok { 8668 return result 8669 } 8670 var results []int 8671 iterator := &ProcessAncestorsIterator{} 8672 value := iterator.Front(ctx) 8673 for value != nil { 8674 element := (*ProcessCacheEntry)(value) 8675 if !element.ProcessContext.Process.HasInterpreter() { 8676 results = append(results, 0) 8677 value = iterator.Next() 8678 continue 8679 } 8680 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 8681 results = append(results, result) 8682 value = iterator.Next() 8683 } 8684 ctx.IntCache[field] = results 8685 return results 8686 }, Field: field, 8687 Weight: eval.IteratorWeight, 8688 }, nil 8689 case "ptrace.tracee.ancestors.interpreter.file.mode": 8690 return &eval.IntArrayEvaluator{ 8691 EvalFnc: func(ctx *eval.Context) []int { 8692 if result, ok := ctx.IntCache[field]; ok { 8693 return result 8694 } 8695 var results []int 8696 iterator := &ProcessAncestorsIterator{} 8697 value := iterator.Front(ctx) 8698 for value != nil { 8699 element := (*ProcessCacheEntry)(value) 8700 if !element.ProcessContext.Process.HasInterpreter() { 8701 results = append(results, 0) 8702 value = iterator.Next() 8703 continue 8704 } 8705 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) 8706 results = append(results, result) 8707 value = iterator.Next() 8708 } 8709 ctx.IntCache[field] = results 8710 return results 8711 }, Field: field, 8712 Weight: eval.IteratorWeight, 8713 }, nil 8714 case "ptrace.tracee.ancestors.interpreter.file.modification_time": 8715 return &eval.IntArrayEvaluator{ 8716 EvalFnc: func(ctx *eval.Context) []int { 8717 if result, ok := ctx.IntCache[field]; ok { 8718 return result 8719 } 8720 var results []int 8721 iterator := &ProcessAncestorsIterator{} 8722 value := iterator.Front(ctx) 8723 for value != nil { 8724 element := (*ProcessCacheEntry)(value) 8725 if !element.ProcessContext.Process.HasInterpreter() { 8726 results = 
append(results, 0) 8727 value = iterator.Next() 8728 continue 8729 } 8730 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) 8731 results = append(results, result) 8732 value = iterator.Next() 8733 } 8734 ctx.IntCache[field] = results 8735 return results 8736 }, Field: field, 8737 Weight: eval.IteratorWeight, 8738 }, nil 8739 case "ptrace.tracee.ancestors.interpreter.file.mount_id": 8740 return &eval.IntArrayEvaluator{ 8741 EvalFnc: func(ctx *eval.Context) []int { 8742 if result, ok := ctx.IntCache[field]; ok { 8743 return result 8744 } 8745 var results []int 8746 iterator := &ProcessAncestorsIterator{} 8747 value := iterator.Front(ctx) 8748 for value != nil { 8749 element := (*ProcessCacheEntry)(value) 8750 if !element.ProcessContext.Process.HasInterpreter() { 8751 results = append(results, 0) 8752 value = iterator.Next() 8753 continue 8754 } 8755 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 8756 results = append(results, result) 8757 value = iterator.Next() 8758 } 8759 ctx.IntCache[field] = results 8760 return results 8761 }, Field: field, 8762 Weight: eval.IteratorWeight, 8763 }, nil 8764 case "ptrace.tracee.ancestors.interpreter.file.name": 8765 return &eval.StringArrayEvaluator{ 8766 OpOverrides: ProcessSymlinkBasename, 8767 EvalFnc: func(ctx *eval.Context) []string { 8768 ev := ctx.Event.(*Event) 8769 if result, ok := ctx.StringCache[field]; ok { 8770 return result 8771 } 8772 var results []string 8773 iterator := &ProcessAncestorsIterator{} 8774 value := iterator.Front(ctx) 8775 for value != nil { 8776 element := (*ProcessCacheEntry)(value) 8777 if !element.ProcessContext.Process.HasInterpreter() { 8778 results = append(results, "") 8779 value = iterator.Next() 8780 continue 8781 } 8782 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 8783 results = append(results, result) 8784 value = iterator.Next() 8785 } 8786 
ctx.StringCache[field] = results 8787 return results 8788 }, Field: field, 8789 Weight: eval.IteratorWeight, 8790 }, nil 8791 case "ptrace.tracee.ancestors.interpreter.file.name.length": 8792 return &eval.IntArrayEvaluator{ 8793 OpOverrides: ProcessSymlinkBasename, 8794 EvalFnc: func(ctx *eval.Context) []int { 8795 ev := ctx.Event.(*Event) 8796 if result, ok := ctx.IntCache[field]; ok { 8797 return result 8798 } 8799 var results []int 8800 iterator := &ProcessAncestorsIterator{} 8801 value := iterator.Front(ctx) 8802 for value != nil { 8803 element := (*ProcessCacheEntry)(value) 8804 result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)) 8805 results = append(results, result) 8806 value = iterator.Next() 8807 } 8808 ctx.IntCache[field] = results 8809 return results 8810 }, Field: field, 8811 Weight: eval.IteratorWeight, 8812 }, nil 8813 case "ptrace.tracee.ancestors.interpreter.file.package.name": 8814 return &eval.StringArrayEvaluator{ 8815 EvalFnc: func(ctx *eval.Context) []string { 8816 ev := ctx.Event.(*Event) 8817 if result, ok := ctx.StringCache[field]; ok { 8818 return result 8819 } 8820 var results []string 8821 iterator := &ProcessAncestorsIterator{} 8822 value := iterator.Front(ctx) 8823 for value != nil { 8824 element := (*ProcessCacheEntry)(value) 8825 if !element.ProcessContext.Process.HasInterpreter() { 8826 results = append(results, "") 8827 value = iterator.Next() 8828 continue 8829 } 8830 result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 8831 results = append(results, result) 8832 value = iterator.Next() 8833 } 8834 ctx.StringCache[field] = results 8835 return results 8836 }, Field: field, 8837 Weight: eval.IteratorWeight, 8838 }, nil 8839 case "ptrace.tracee.ancestors.interpreter.file.package.source_version": 8840 return &eval.StringArrayEvaluator{ 8841 EvalFnc: func(ctx *eval.Context) []string { 8842 ev := ctx.Event.(*Event) 8843 if 
result, ok := ctx.StringCache[field]; ok { 8844 return result 8845 } 8846 var results []string 8847 iterator := &ProcessAncestorsIterator{} 8848 value := iterator.Front(ctx) 8849 for value != nil { 8850 element := (*ProcessCacheEntry)(value) 8851 if !element.ProcessContext.Process.HasInterpreter() { 8852 results = append(results, "") 8853 value = iterator.Next() 8854 continue 8855 } 8856 result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 8857 results = append(results, result) 8858 value = iterator.Next() 8859 } 8860 ctx.StringCache[field] = results 8861 return results 8862 }, Field: field, 8863 Weight: eval.IteratorWeight, 8864 }, nil 8865 case "ptrace.tracee.ancestors.interpreter.file.package.version": 8866 return &eval.StringArrayEvaluator{ 8867 EvalFnc: func(ctx *eval.Context) []string { 8868 ev := ctx.Event.(*Event) 8869 if result, ok := ctx.StringCache[field]; ok { 8870 return result 8871 } 8872 var results []string 8873 iterator := &ProcessAncestorsIterator{} 8874 value := iterator.Front(ctx) 8875 for value != nil { 8876 element := (*ProcessCacheEntry)(value) 8877 if !element.ProcessContext.Process.HasInterpreter() { 8878 results = append(results, "") 8879 value = iterator.Next() 8880 continue 8881 } 8882 result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 8883 results = append(results, result) 8884 value = iterator.Next() 8885 } 8886 ctx.StringCache[field] = results 8887 return results 8888 }, Field: field, 8889 Weight: eval.IteratorWeight, 8890 }, nil 8891 case "ptrace.tracee.ancestors.interpreter.file.path": 8892 return &eval.StringArrayEvaluator{ 8893 OpOverrides: ProcessSymlinkPathname, 8894 EvalFnc: func(ctx *eval.Context) []string { 8895 ev := ctx.Event.(*Event) 8896 if result, ok := ctx.StringCache[field]; ok { 8897 return result 8898 } 8899 var results []string 8900 iterator := &ProcessAncestorsIterator{} 8901 value := 
iterator.Front(ctx) 8902 for value != nil { 8903 element := (*ProcessCacheEntry)(value) 8904 if !element.ProcessContext.Process.HasInterpreter() { 8905 results = append(results, "") 8906 value = iterator.Next() 8907 continue 8908 } 8909 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 8910 results = append(results, result) 8911 value = iterator.Next() 8912 } 8913 ctx.StringCache[field] = results 8914 return results 8915 }, Field: field, 8916 Weight: eval.IteratorWeight, 8917 }, nil 8918 case "ptrace.tracee.ancestors.interpreter.file.path.length": 8919 return &eval.IntArrayEvaluator{ 8920 OpOverrides: ProcessSymlinkPathname, 8921 EvalFnc: func(ctx *eval.Context) []int { 8922 ev := ctx.Event.(*Event) 8923 if result, ok := ctx.IntCache[field]; ok { 8924 return result 8925 } 8926 var results []int 8927 iterator := &ProcessAncestorsIterator{} 8928 value := iterator.Front(ctx) 8929 for value != nil { 8930 element := (*ProcessCacheEntry)(value) 8931 result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)) 8932 results = append(results, result) 8933 value = iterator.Next() 8934 } 8935 ctx.IntCache[field] = results 8936 return results 8937 }, Field: field, 8938 Weight: eval.IteratorWeight, 8939 }, nil 8940 case "ptrace.tracee.ancestors.interpreter.file.rights": 8941 return &eval.IntArrayEvaluator{ 8942 EvalFnc: func(ctx *eval.Context) []int { 8943 ev := ctx.Event.(*Event) 8944 if result, ok := ctx.IntCache[field]; ok { 8945 return result 8946 } 8947 var results []int 8948 iterator := &ProcessAncestorsIterator{} 8949 value := iterator.Front(ctx) 8950 for value != nil { 8951 element := (*ProcessCacheEntry)(value) 8952 if !element.ProcessContext.Process.HasInterpreter() { 8953 results = append(results, 0) 8954 value = iterator.Next() 8955 continue 8956 } 8957 result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) 
8958 results = append(results, result) 8959 value = iterator.Next() 8960 } 8961 ctx.IntCache[field] = results 8962 return results 8963 }, Field: field, 8964 Weight: eval.IteratorWeight, 8965 }, nil 8966 case "ptrace.tracee.ancestors.interpreter.file.uid": 8967 return &eval.IntArrayEvaluator{ 8968 EvalFnc: func(ctx *eval.Context) []int { 8969 if result, ok := ctx.IntCache[field]; ok { 8970 return result 8971 } 8972 var results []int 8973 iterator := &ProcessAncestorsIterator{} 8974 value := iterator.Front(ctx) 8975 for value != nil { 8976 element := (*ProcessCacheEntry)(value) 8977 if !element.ProcessContext.Process.HasInterpreter() { 8978 results = append(results, 0) 8979 value = iterator.Next() 8980 continue 8981 } 8982 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) 8983 results = append(results, result) 8984 value = iterator.Next() 8985 } 8986 ctx.IntCache[field] = results 8987 return results 8988 }, Field: field, 8989 Weight: eval.IteratorWeight, 8990 }, nil 8991 case "ptrace.tracee.ancestors.interpreter.file.user": 8992 return &eval.StringArrayEvaluator{ 8993 EvalFnc: func(ctx *eval.Context) []string { 8994 ev := ctx.Event.(*Event) 8995 if result, ok := ctx.StringCache[field]; ok { 8996 return result 8997 } 8998 var results []string 8999 iterator := &ProcessAncestorsIterator{} 9000 value := iterator.Front(ctx) 9001 for value != nil { 9002 element := (*ProcessCacheEntry)(value) 9003 if !element.ProcessContext.Process.HasInterpreter() { 9004 results = append(results, "") 9005 value = iterator.Next() 9006 continue 9007 } 9008 result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 9009 results = append(results, result) 9010 value = iterator.Next() 9011 } 9012 ctx.StringCache[field] = results 9013 return results 9014 }, Field: field, 9015 Weight: eval.IteratorWeight, 9016 }, nil 9017 case "ptrace.tracee.ancestors.is_kworker": 9018 return &eval.BoolArrayEvaluator{ 9019 
EvalFnc: func(ctx *eval.Context) []bool { 9020 if result, ok := ctx.BoolCache[field]; ok { 9021 return result 9022 } 9023 var results []bool 9024 iterator := &ProcessAncestorsIterator{} 9025 value := iterator.Front(ctx) 9026 for value != nil { 9027 element := (*ProcessCacheEntry)(value) 9028 result := element.ProcessContext.Process.PIDContext.IsKworker 9029 results = append(results, result) 9030 value = iterator.Next() 9031 } 9032 ctx.BoolCache[field] = results 9033 return results 9034 }, Field: field, 9035 Weight: eval.IteratorWeight, 9036 }, nil 9037 case "ptrace.tracee.ancestors.is_thread": 9038 return &eval.BoolArrayEvaluator{ 9039 EvalFnc: func(ctx *eval.Context) []bool { 9040 if result, ok := ctx.BoolCache[field]; ok { 9041 return result 9042 } 9043 var results []bool 9044 iterator := &ProcessAncestorsIterator{} 9045 value := iterator.Front(ctx) 9046 for value != nil { 9047 element := (*ProcessCacheEntry)(value) 9048 result := element.ProcessContext.Process.IsThread 9049 results = append(results, result) 9050 value = iterator.Next() 9051 } 9052 ctx.BoolCache[field] = results 9053 return results 9054 }, Field: field, 9055 Weight: eval.IteratorWeight, 9056 }, nil 9057 case "ptrace.tracee.ancestors.pid": 9058 return &eval.IntArrayEvaluator{ 9059 EvalFnc: func(ctx *eval.Context) []int { 9060 if result, ok := ctx.IntCache[field]; ok { 9061 return result 9062 } 9063 var results []int 9064 iterator := &ProcessAncestorsIterator{} 9065 value := iterator.Front(ctx) 9066 for value != nil { 9067 element := (*ProcessCacheEntry)(value) 9068 result := int(element.ProcessContext.Process.PIDContext.Pid) 9069 results = append(results, result) 9070 value = iterator.Next() 9071 } 9072 ctx.IntCache[field] = results 9073 return results 9074 }, Field: field, 9075 Weight: eval.IteratorWeight, 9076 }, nil 9077 case "ptrace.tracee.ancestors.ppid": 9078 return &eval.IntArrayEvaluator{ 9079 EvalFnc: func(ctx *eval.Context) []int { 9080 if result, ok := ctx.IntCache[field]; ok { 9081 
return result 9082 } 9083 var results []int 9084 iterator := &ProcessAncestorsIterator{} 9085 value := iterator.Front(ctx) 9086 for value != nil { 9087 element := (*ProcessCacheEntry)(value) 9088 result := int(element.ProcessContext.Process.PPid) 9089 results = append(results, result) 9090 value = iterator.Next() 9091 } 9092 ctx.IntCache[field] = results 9093 return results 9094 }, Field: field, 9095 Weight: eval.IteratorWeight, 9096 }, nil 9097 case "ptrace.tracee.ancestors.tid": 9098 return &eval.IntArrayEvaluator{ 9099 EvalFnc: func(ctx *eval.Context) []int { 9100 if result, ok := ctx.IntCache[field]; ok { 9101 return result 9102 } 9103 var results []int 9104 iterator := &ProcessAncestorsIterator{} 9105 value := iterator.Front(ctx) 9106 for value != nil { 9107 element := (*ProcessCacheEntry)(value) 9108 result := int(element.ProcessContext.Process.PIDContext.Tid) 9109 results = append(results, result) 9110 value = iterator.Next() 9111 } 9112 ctx.IntCache[field] = results 9113 return results 9114 }, Field: field, 9115 Weight: eval.IteratorWeight, 9116 }, nil 9117 case "ptrace.tracee.ancestors.tty_name": 9118 return &eval.StringArrayEvaluator{ 9119 EvalFnc: func(ctx *eval.Context) []string { 9120 if result, ok := ctx.StringCache[field]; ok { 9121 return result 9122 } 9123 var results []string 9124 iterator := &ProcessAncestorsIterator{} 9125 value := iterator.Front(ctx) 9126 for value != nil { 9127 element := (*ProcessCacheEntry)(value) 9128 result := element.ProcessContext.Process.TTYName 9129 results = append(results, result) 9130 value = iterator.Next() 9131 } 9132 ctx.StringCache[field] = results 9133 return results 9134 }, Field: field, 9135 Weight: eval.IteratorWeight, 9136 }, nil 9137 case "ptrace.tracee.ancestors.uid": 9138 return &eval.IntArrayEvaluator{ 9139 EvalFnc: func(ctx *eval.Context) []int { 9140 if result, ok := ctx.IntCache[field]; ok { 9141 return result 9142 } 9143 var results []int 9144 iterator := &ProcessAncestorsIterator{} 9145 value := 
iterator.Front(ctx) 9146 for value != nil { 9147 element := (*ProcessCacheEntry)(value) 9148 result := int(element.ProcessContext.Process.Credentials.UID) 9149 results = append(results, result) 9150 value = iterator.Next() 9151 } 9152 ctx.IntCache[field] = results 9153 return results 9154 }, Field: field, 9155 Weight: eval.IteratorWeight, 9156 }, nil 9157 case "ptrace.tracee.ancestors.user": 9158 return &eval.StringArrayEvaluator{ 9159 EvalFnc: func(ctx *eval.Context) []string { 9160 if result, ok := ctx.StringCache[field]; ok { 9161 return result 9162 } 9163 var results []string 9164 iterator := &ProcessAncestorsIterator{} 9165 value := iterator.Front(ctx) 9166 for value != nil { 9167 element := (*ProcessCacheEntry)(value) 9168 result := element.ProcessContext.Process.Credentials.User 9169 results = append(results, result) 9170 value = iterator.Next() 9171 } 9172 ctx.StringCache[field] = results 9173 return results 9174 }, Field: field, 9175 Weight: eval.IteratorWeight, 9176 }, nil 9177 case "ptrace.tracee.ancestors.user_session.k8s_groups": 9178 return &eval.StringArrayEvaluator{ 9179 EvalFnc: func(ctx *eval.Context) []string { 9180 ev := ctx.Event.(*Event) 9181 if result, ok := ctx.StringCache[field]; ok { 9182 return result 9183 } 9184 var results []string 9185 iterator := &ProcessAncestorsIterator{} 9186 value := iterator.Front(ctx) 9187 for value != nil { 9188 element := (*ProcessCacheEntry)(value) 9189 result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession) 9190 results = append(results, result...) 
9191 value = iterator.Next() 9192 } 9193 ctx.StringCache[field] = results 9194 return results 9195 }, Field: field, 9196 Weight: eval.IteratorWeight, 9197 }, nil 9198 case "ptrace.tracee.ancestors.user_session.k8s_uid": 9199 return &eval.StringArrayEvaluator{ 9200 EvalFnc: func(ctx *eval.Context) []string { 9201 ev := ctx.Event.(*Event) 9202 if result, ok := ctx.StringCache[field]; ok { 9203 return result 9204 } 9205 var results []string 9206 iterator := &ProcessAncestorsIterator{} 9207 value := iterator.Front(ctx) 9208 for value != nil { 9209 element := (*ProcessCacheEntry)(value) 9210 result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession) 9211 results = append(results, result) 9212 value = iterator.Next() 9213 } 9214 ctx.StringCache[field] = results 9215 return results 9216 }, Field: field, 9217 Weight: eval.IteratorWeight, 9218 }, nil 9219 case "ptrace.tracee.ancestors.user_session.k8s_username": 9220 return &eval.StringArrayEvaluator{ 9221 EvalFnc: func(ctx *eval.Context) []string { 9222 ev := ctx.Event.(*Event) 9223 if result, ok := ctx.StringCache[field]; ok { 9224 return result 9225 } 9226 var results []string 9227 iterator := &ProcessAncestorsIterator{} 9228 value := iterator.Front(ctx) 9229 for value != nil { 9230 element := (*ProcessCacheEntry)(value) 9231 result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession) 9232 results = append(results, result) 9233 value = iterator.Next() 9234 } 9235 ctx.StringCache[field] = results 9236 return results 9237 }, Field: field, 9238 Weight: eval.IteratorWeight, 9239 }, nil 9240 case "ptrace.tracee.args": 9241 return &eval.StringEvaluator{ 9242 EvalFnc: func(ctx *eval.Context) string { 9243 ev := ctx.Event.(*Event) 9244 return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.PTrace.Tracee.Process) 9245 }, 9246 Field: field, 9247 Weight: 500 * eval.HandlerWeight, 9248 }, nil 9249 case "ptrace.tracee.args_flags": 9250 return &eval.StringArrayEvaluator{ 
9251 EvalFnc: func(ctx *eval.Context) []string { 9252 ev := ctx.Event.(*Event) 9253 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.PTrace.Tracee.Process) 9254 }, 9255 Field: field, 9256 Weight: eval.HandlerWeight, 9257 }, nil 9258 case "ptrace.tracee.args_options": 9259 return &eval.StringArrayEvaluator{ 9260 EvalFnc: func(ctx *eval.Context) []string { 9261 ev := ctx.Event.(*Event) 9262 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.PTrace.Tracee.Process) 9263 }, 9264 Field: field, 9265 Weight: eval.HandlerWeight, 9266 }, nil 9267 case "ptrace.tracee.args_truncated": 9268 return &eval.BoolEvaluator{ 9269 EvalFnc: func(ctx *eval.Context) bool { 9270 ev := ctx.Event.(*Event) 9271 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.PTrace.Tracee.Process) 9272 }, 9273 Field: field, 9274 Weight: eval.HandlerWeight, 9275 }, nil 9276 case "ptrace.tracee.argv": 9277 return &eval.StringArrayEvaluator{ 9278 EvalFnc: func(ctx *eval.Context) []string { 9279 ev := ctx.Event.(*Event) 9280 return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.PTrace.Tracee.Process) 9281 }, 9282 Field: field, 9283 Weight: 500 * eval.HandlerWeight, 9284 }, nil 9285 case "ptrace.tracee.argv0": 9286 return &eval.StringEvaluator{ 9287 EvalFnc: func(ctx *eval.Context) string { 9288 ev := ctx.Event.(*Event) 9289 return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.PTrace.Tracee.Process) 9290 }, 9291 Field: field, 9292 Weight: 100 * eval.HandlerWeight, 9293 }, nil 9294 case "ptrace.tracee.cap_effective": 9295 return &eval.IntEvaluator{ 9296 EvalFnc: func(ctx *eval.Context) int { 9297 ev := ctx.Event.(*Event) 9298 return int(ev.PTrace.Tracee.Process.Credentials.CapEffective) 9299 }, 9300 Field: field, 9301 Weight: eval.FunctionWeight, 9302 }, nil 9303 case "ptrace.tracee.cap_permitted": 9304 return &eval.IntEvaluator{ 9305 EvalFnc: func(ctx *eval.Context) int { 9306 ev := ctx.Event.(*Event) 9307 return int(ev.PTrace.Tracee.Process.Credentials.CapPermitted) 9308 }, 9309 Field: 
field, 9310 Weight: eval.FunctionWeight, 9311 }, nil 9312 case "ptrace.tracee.comm": 9313 return &eval.StringEvaluator{ 9314 EvalFnc: func(ctx *eval.Context) string { 9315 ev := ctx.Event.(*Event) 9316 return ev.PTrace.Tracee.Process.Comm 9317 }, 9318 Field: field, 9319 Weight: eval.FunctionWeight, 9320 }, nil 9321 case "ptrace.tracee.container.id": 9322 return &eval.StringEvaluator{ 9323 EvalFnc: func(ctx *eval.Context) string { 9324 ev := ctx.Event.(*Event) 9325 return ev.PTrace.Tracee.Process.ContainerID 9326 }, 9327 Field: field, 9328 Weight: eval.FunctionWeight, 9329 }, nil 9330 case "ptrace.tracee.created_at": 9331 return &eval.IntEvaluator{ 9332 EvalFnc: func(ctx *eval.Context) int { 9333 ev := ctx.Event.(*Event) 9334 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.PTrace.Tracee.Process)) 9335 }, 9336 Field: field, 9337 Weight: eval.HandlerWeight, 9338 }, nil 9339 case "ptrace.tracee.egid": 9340 return &eval.IntEvaluator{ 9341 EvalFnc: func(ctx *eval.Context) int { 9342 ev := ctx.Event.(*Event) 9343 return int(ev.PTrace.Tracee.Process.Credentials.EGID) 9344 }, 9345 Field: field, 9346 Weight: eval.FunctionWeight, 9347 }, nil 9348 case "ptrace.tracee.egroup": 9349 return &eval.StringEvaluator{ 9350 EvalFnc: func(ctx *eval.Context) string { 9351 ev := ctx.Event.(*Event) 9352 return ev.PTrace.Tracee.Process.Credentials.EGroup 9353 }, 9354 Field: field, 9355 Weight: eval.FunctionWeight, 9356 }, nil 9357 case "ptrace.tracee.envp": 9358 return &eval.StringArrayEvaluator{ 9359 EvalFnc: func(ctx *eval.Context) []string { 9360 ev := ctx.Event.(*Event) 9361 return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.PTrace.Tracee.Process) 9362 }, 9363 Field: field, 9364 Weight: 100 * eval.HandlerWeight, 9365 }, nil 9366 case "ptrace.tracee.envs": 9367 return &eval.StringArrayEvaluator{ 9368 EvalFnc: func(ctx *eval.Context) []string { 9369 ev := ctx.Event.(*Event) 9370 return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.PTrace.Tracee.Process) 9371 }, 9372 Field: 
field, 9373 Weight: 100 * eval.HandlerWeight, 9374 }, nil 9375 case "ptrace.tracee.envs_truncated": 9376 return &eval.BoolEvaluator{ 9377 EvalFnc: func(ctx *eval.Context) bool { 9378 ev := ctx.Event.(*Event) 9379 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.PTrace.Tracee.Process) 9380 }, 9381 Field: field, 9382 Weight: eval.HandlerWeight, 9383 }, nil 9384 case "ptrace.tracee.euid": 9385 return &eval.IntEvaluator{ 9386 EvalFnc: func(ctx *eval.Context) int { 9387 ev := ctx.Event.(*Event) 9388 return int(ev.PTrace.Tracee.Process.Credentials.EUID) 9389 }, 9390 Field: field, 9391 Weight: eval.FunctionWeight, 9392 }, nil 9393 case "ptrace.tracee.euser": 9394 return &eval.StringEvaluator{ 9395 EvalFnc: func(ctx *eval.Context) string { 9396 ev := ctx.Event.(*Event) 9397 return ev.PTrace.Tracee.Process.Credentials.EUser 9398 }, 9399 Field: field, 9400 Weight: eval.FunctionWeight, 9401 }, nil 9402 case "ptrace.tracee.file.change_time": 9403 return &eval.IntEvaluator{ 9404 EvalFnc: func(ctx *eval.Context) int { 9405 ev := ctx.Event.(*Event) 9406 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9407 return 0 9408 } 9409 return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.CTime) 9410 }, 9411 Field: field, 9412 Weight: eval.FunctionWeight, 9413 }, nil 9414 case "ptrace.tracee.file.filesystem": 9415 return &eval.StringEvaluator{ 9416 EvalFnc: func(ctx *eval.Context) string { 9417 ev := ctx.Event.(*Event) 9418 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9419 return "" 9420 } 9421 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Process.FileEvent) 9422 }, 9423 Field: field, 9424 Weight: eval.HandlerWeight, 9425 }, nil 9426 case "ptrace.tracee.file.gid": 9427 return &eval.IntEvaluator{ 9428 EvalFnc: func(ctx *eval.Context) int { 9429 ev := ctx.Event.(*Event) 9430 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9431 return 0 9432 } 9433 return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.GID) 9434 }, 9435 Field: field, 9436 Weight: 
eval.FunctionWeight, 9437 }, nil 9438 case "ptrace.tracee.file.group": 9439 return &eval.StringEvaluator{ 9440 EvalFnc: func(ctx *eval.Context) string { 9441 ev := ctx.Event.(*Event) 9442 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9443 return "" 9444 } 9445 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields) 9446 }, 9447 Field: field, 9448 Weight: eval.HandlerWeight, 9449 }, nil 9450 case "ptrace.tracee.file.hashes": 9451 return &eval.StringArrayEvaluator{ 9452 EvalFnc: func(ctx *eval.Context) []string { 9453 ev := ctx.Event.(*Event) 9454 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9455 return []string{} 9456 } 9457 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Process.FileEvent) 9458 }, 9459 Field: field, 9460 Weight: 999 * eval.HandlerWeight, 9461 }, nil 9462 case "ptrace.tracee.file.in_upper_layer": 9463 return &eval.BoolEvaluator{ 9464 EvalFnc: func(ctx *eval.Context) bool { 9465 ev := ctx.Event.(*Event) 9466 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9467 return false 9468 } 9469 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields) 9470 }, 9471 Field: field, 9472 Weight: eval.HandlerWeight, 9473 }, nil 9474 case "ptrace.tracee.file.inode": 9475 return &eval.IntEvaluator{ 9476 EvalFnc: func(ctx *eval.Context) int { 9477 ev := ctx.Event.(*Event) 9478 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9479 return 0 9480 } 9481 return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.PathKey.Inode) 9482 }, 9483 Field: field, 9484 Weight: eval.FunctionWeight, 9485 }, nil 9486 case "ptrace.tracee.file.mode": 9487 return &eval.IntEvaluator{ 9488 EvalFnc: func(ctx *eval.Context) int { 9489 ev := ctx.Event.(*Event) 9490 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9491 return 0 9492 } 9493 return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.Mode) 9494 }, 9495 Field: field, 9496 Weight: eval.FunctionWeight, 9497 }, nil 9498 case 
"ptrace.tracee.file.modification_time": 9499 return &eval.IntEvaluator{ 9500 EvalFnc: func(ctx *eval.Context) int { 9501 ev := ctx.Event.(*Event) 9502 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9503 return 0 9504 } 9505 return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.MTime) 9506 }, 9507 Field: field, 9508 Weight: eval.FunctionWeight, 9509 }, nil 9510 case "ptrace.tracee.file.mount_id": 9511 return &eval.IntEvaluator{ 9512 EvalFnc: func(ctx *eval.Context) int { 9513 ev := ctx.Event.(*Event) 9514 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9515 return 0 9516 } 9517 return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.PathKey.MountID) 9518 }, 9519 Field: field, 9520 Weight: eval.FunctionWeight, 9521 }, nil 9522 case "ptrace.tracee.file.name": 9523 return &eval.StringEvaluator{ 9524 OpOverrides: ProcessSymlinkBasename, 9525 EvalFnc: func(ctx *eval.Context) string { 9526 ev := ctx.Event.(*Event) 9527 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9528 return "" 9529 } 9530 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.FileEvent) 9531 }, 9532 Field: field, 9533 Weight: eval.HandlerWeight, 9534 }, nil 9535 case "ptrace.tracee.file.name.length": 9536 return &eval.IntEvaluator{ 9537 OpOverrides: ProcessSymlinkBasename, 9538 EvalFnc: func(ctx *eval.Context) int { 9539 ev := ctx.Event.(*Event) 9540 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.FileEvent)) 9541 }, 9542 Field: field, 9543 Weight: eval.HandlerWeight, 9544 }, nil 9545 case "ptrace.tracee.file.package.name": 9546 return &eval.StringEvaluator{ 9547 EvalFnc: func(ctx *eval.Context) string { 9548 ev := ctx.Event.(*Event) 9549 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9550 return "" 9551 } 9552 return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Process.FileEvent) 9553 }, 9554 Field: field, 9555 Weight: eval.HandlerWeight, 9556 }, nil 9557 case "ptrace.tracee.file.package.source_version": 9558 return &eval.StringEvaluator{ 
9559 EvalFnc: func(ctx *eval.Context) string { 9560 ev := ctx.Event.(*Event) 9561 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9562 return "" 9563 } 9564 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Process.FileEvent) 9565 }, 9566 Field: field, 9567 Weight: eval.HandlerWeight, 9568 }, nil 9569 case "ptrace.tracee.file.package.version": 9570 return &eval.StringEvaluator{ 9571 EvalFnc: func(ctx *eval.Context) string { 9572 ev := ctx.Event.(*Event) 9573 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9574 return "" 9575 } 9576 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Process.FileEvent) 9577 }, 9578 Field: field, 9579 Weight: eval.HandlerWeight, 9580 }, nil 9581 case "ptrace.tracee.file.path": 9582 return &eval.StringEvaluator{ 9583 OpOverrides: ProcessSymlinkPathname, 9584 EvalFnc: func(ctx *eval.Context) string { 9585 ev := ctx.Event.(*Event) 9586 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9587 return "" 9588 } 9589 return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.FileEvent) 9590 }, 9591 Field: field, 9592 Weight: eval.HandlerWeight, 9593 }, nil 9594 case "ptrace.tracee.file.path.length": 9595 return &eval.IntEvaluator{ 9596 OpOverrides: ProcessSymlinkPathname, 9597 EvalFnc: func(ctx *eval.Context) int { 9598 ev := ctx.Event.(*Event) 9599 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.FileEvent)) 9600 }, 9601 Field: field, 9602 Weight: eval.HandlerWeight, 9603 }, nil 9604 case "ptrace.tracee.file.rights": 9605 return &eval.IntEvaluator{ 9606 EvalFnc: func(ctx *eval.Context) int { 9607 ev := ctx.Event.(*Event) 9608 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9609 return 0 9610 } 9611 return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields)) 9612 }, 9613 Field: field, 9614 Weight: eval.HandlerWeight, 9615 }, nil 9616 case "ptrace.tracee.file.uid": 9617 return &eval.IntEvaluator{ 9618 EvalFnc: func(ctx *eval.Context) int { 9619 
ev := ctx.Event.(*Event) 9620 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9621 return 0 9622 } 9623 return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.UID) 9624 }, 9625 Field: field, 9626 Weight: eval.FunctionWeight, 9627 }, nil 9628 case "ptrace.tracee.file.user": 9629 return &eval.StringEvaluator{ 9630 EvalFnc: func(ctx *eval.Context) string { 9631 ev := ctx.Event.(*Event) 9632 if !ev.PTrace.Tracee.Process.IsNotKworker() { 9633 return "" 9634 } 9635 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields) 9636 }, 9637 Field: field, 9638 Weight: eval.HandlerWeight, 9639 }, nil 9640 case "ptrace.tracee.fsgid": 9641 return &eval.IntEvaluator{ 9642 EvalFnc: func(ctx *eval.Context) int { 9643 ev := ctx.Event.(*Event) 9644 return int(ev.PTrace.Tracee.Process.Credentials.FSGID) 9645 }, 9646 Field: field, 9647 Weight: eval.FunctionWeight, 9648 }, nil 9649 case "ptrace.tracee.fsgroup": 9650 return &eval.StringEvaluator{ 9651 EvalFnc: func(ctx *eval.Context) string { 9652 ev := ctx.Event.(*Event) 9653 return ev.PTrace.Tracee.Process.Credentials.FSGroup 9654 }, 9655 Field: field, 9656 Weight: eval.FunctionWeight, 9657 }, nil 9658 case "ptrace.tracee.fsuid": 9659 return &eval.IntEvaluator{ 9660 EvalFnc: func(ctx *eval.Context) int { 9661 ev := ctx.Event.(*Event) 9662 return int(ev.PTrace.Tracee.Process.Credentials.FSUID) 9663 }, 9664 Field: field, 9665 Weight: eval.FunctionWeight, 9666 }, nil 9667 case "ptrace.tracee.fsuser": 9668 return &eval.StringEvaluator{ 9669 EvalFnc: func(ctx *eval.Context) string { 9670 ev := ctx.Event.(*Event) 9671 return ev.PTrace.Tracee.Process.Credentials.FSUser 9672 }, 9673 Field: field, 9674 Weight: eval.FunctionWeight, 9675 }, nil 9676 case "ptrace.tracee.gid": 9677 return &eval.IntEvaluator{ 9678 EvalFnc: func(ctx *eval.Context) int { 9679 ev := ctx.Event.(*Event) 9680 return int(ev.PTrace.Tracee.Process.Credentials.GID) 9681 }, 9682 Field: field, 9683 Weight: eval.FunctionWeight, 9684 }, nil 
9685 case "ptrace.tracee.group": 9686 return &eval.StringEvaluator{ 9687 EvalFnc: func(ctx *eval.Context) string { 9688 ev := ctx.Event.(*Event) 9689 return ev.PTrace.Tracee.Process.Credentials.Group 9690 }, 9691 Field: field, 9692 Weight: eval.FunctionWeight, 9693 }, nil 9694 case "ptrace.tracee.interpreter.file.change_time": 9695 return &eval.IntEvaluator{ 9696 EvalFnc: func(ctx *eval.Context) int { 9697 ev := ctx.Event.(*Event) 9698 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9699 return 0 9700 } 9701 return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.CTime) 9702 }, 9703 Field: field, 9704 Weight: eval.FunctionWeight, 9705 }, nil 9706 case "ptrace.tracee.interpreter.file.filesystem": 9707 return &eval.StringEvaluator{ 9708 EvalFnc: func(ctx *eval.Context) string { 9709 ev := ctx.Event.(*Event) 9710 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9711 return "" 9712 } 9713 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) 9714 }, 9715 Field: field, 9716 Weight: eval.HandlerWeight, 9717 }, nil 9718 case "ptrace.tracee.interpreter.file.gid": 9719 return &eval.IntEvaluator{ 9720 EvalFnc: func(ctx *eval.Context) int { 9721 ev := ctx.Event.(*Event) 9722 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9723 return 0 9724 } 9725 return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.GID) 9726 }, 9727 Field: field, 9728 Weight: eval.FunctionWeight, 9729 }, nil 9730 case "ptrace.tracee.interpreter.file.group": 9731 return &eval.StringEvaluator{ 9732 EvalFnc: func(ctx *eval.Context) string { 9733 ev := ctx.Event.(*Event) 9734 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9735 return "" 9736 } 9737 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields) 9738 }, 9739 Field: field, 9740 Weight: eval.HandlerWeight, 9741 }, nil 9742 case "ptrace.tracee.interpreter.file.hashes": 9743 return &eval.StringArrayEvaluator{ 9744 EvalFnc: func(ctx 
*eval.Context) []string { 9745 ev := ctx.Event.(*Event) 9746 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9747 return []string{} 9748 } 9749 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) 9750 }, 9751 Field: field, 9752 Weight: 999 * eval.HandlerWeight, 9753 }, nil 9754 case "ptrace.tracee.interpreter.file.in_upper_layer": 9755 return &eval.BoolEvaluator{ 9756 EvalFnc: func(ctx *eval.Context) bool { 9757 ev := ctx.Event.(*Event) 9758 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9759 return false 9760 } 9761 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields) 9762 }, 9763 Field: field, 9764 Weight: eval.HandlerWeight, 9765 }, nil 9766 case "ptrace.tracee.interpreter.file.inode": 9767 return &eval.IntEvaluator{ 9768 EvalFnc: func(ctx *eval.Context) int { 9769 ev := ctx.Event.(*Event) 9770 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9771 return 0 9772 } 9773 return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 9774 }, 9775 Field: field, 9776 Weight: eval.FunctionWeight, 9777 }, nil 9778 case "ptrace.tracee.interpreter.file.mode": 9779 return &eval.IntEvaluator{ 9780 EvalFnc: func(ctx *eval.Context) int { 9781 ev := ctx.Event.(*Event) 9782 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9783 return 0 9784 } 9785 return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.Mode) 9786 }, 9787 Field: field, 9788 Weight: eval.FunctionWeight, 9789 }, nil 9790 case "ptrace.tracee.interpreter.file.modification_time": 9791 return &eval.IntEvaluator{ 9792 EvalFnc: func(ctx *eval.Context) int { 9793 ev := ctx.Event.(*Event) 9794 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9795 return 0 9796 } 9797 return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.MTime) 9798 }, 9799 Field: field, 9800 Weight: eval.FunctionWeight, 9801 }, nil 9802 case "ptrace.tracee.interpreter.file.mount_id": 9803 return 
&eval.IntEvaluator{ 9804 EvalFnc: func(ctx *eval.Context) int { 9805 ev := ctx.Event.(*Event) 9806 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9807 return 0 9808 } 9809 return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 9810 }, 9811 Field: field, 9812 Weight: eval.FunctionWeight, 9813 }, nil 9814 case "ptrace.tracee.interpreter.file.name": 9815 return &eval.StringEvaluator{ 9816 OpOverrides: ProcessSymlinkBasename, 9817 EvalFnc: func(ctx *eval.Context) string { 9818 ev := ctx.Event.(*Event) 9819 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9820 return "" 9821 } 9822 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) 9823 }, 9824 Field: field, 9825 Weight: eval.HandlerWeight, 9826 }, nil 9827 case "ptrace.tracee.interpreter.file.name.length": 9828 return &eval.IntEvaluator{ 9829 OpOverrides: ProcessSymlinkBasename, 9830 EvalFnc: func(ctx *eval.Context) int { 9831 ev := ctx.Event.(*Event) 9832 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent)) 9833 }, 9834 Field: field, 9835 Weight: eval.HandlerWeight, 9836 }, nil 9837 case "ptrace.tracee.interpreter.file.package.name": 9838 return &eval.StringEvaluator{ 9839 EvalFnc: func(ctx *eval.Context) string { 9840 ev := ctx.Event.(*Event) 9841 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9842 return "" 9843 } 9844 return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) 9845 }, 9846 Field: field, 9847 Weight: eval.HandlerWeight, 9848 }, nil 9849 case "ptrace.tracee.interpreter.file.package.source_version": 9850 return &eval.StringEvaluator{ 9851 EvalFnc: func(ctx *eval.Context) string { 9852 ev := ctx.Event.(*Event) 9853 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9854 return "" 9855 } 9856 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) 9857 }, 9858 Field: field, 9859 Weight: 
eval.HandlerWeight, 9860 }, nil 9861 case "ptrace.tracee.interpreter.file.package.version": 9862 return &eval.StringEvaluator{ 9863 EvalFnc: func(ctx *eval.Context) string { 9864 ev := ctx.Event.(*Event) 9865 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9866 return "" 9867 } 9868 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) 9869 }, 9870 Field: field, 9871 Weight: eval.HandlerWeight, 9872 }, nil 9873 case "ptrace.tracee.interpreter.file.path": 9874 return &eval.StringEvaluator{ 9875 OpOverrides: ProcessSymlinkPathname, 9876 EvalFnc: func(ctx *eval.Context) string { 9877 ev := ctx.Event.(*Event) 9878 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9879 return "" 9880 } 9881 return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent) 9882 }, 9883 Field: field, 9884 Weight: eval.HandlerWeight, 9885 }, nil 9886 case "ptrace.tracee.interpreter.file.path.length": 9887 return &eval.IntEvaluator{ 9888 OpOverrides: ProcessSymlinkPathname, 9889 EvalFnc: func(ctx *eval.Context) int { 9890 ev := ctx.Event.(*Event) 9891 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent)) 9892 }, 9893 Field: field, 9894 Weight: eval.HandlerWeight, 9895 }, nil 9896 case "ptrace.tracee.interpreter.file.rights": 9897 return &eval.IntEvaluator{ 9898 EvalFnc: func(ctx *eval.Context) int { 9899 ev := ctx.Event.(*Event) 9900 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9901 return 0 9902 } 9903 return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields)) 9904 }, 9905 Field: field, 9906 Weight: eval.HandlerWeight, 9907 }, nil 9908 case "ptrace.tracee.interpreter.file.uid": 9909 return &eval.IntEvaluator{ 9910 EvalFnc: func(ctx *eval.Context) int { 9911 ev := ctx.Event.(*Event) 9912 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9913 return 0 9914 } 9915 return 
int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.UID) 9916 }, 9917 Field: field, 9918 Weight: eval.FunctionWeight, 9919 }, nil 9920 case "ptrace.tracee.interpreter.file.user": 9921 return &eval.StringEvaluator{ 9922 EvalFnc: func(ctx *eval.Context) string { 9923 ev := ctx.Event.(*Event) 9924 if !ev.PTrace.Tracee.Process.HasInterpreter() { 9925 return "" 9926 } 9927 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields) 9928 }, 9929 Field: field, 9930 Weight: eval.HandlerWeight, 9931 }, nil 9932 case "ptrace.tracee.is_kworker": 9933 return &eval.BoolEvaluator{ 9934 EvalFnc: func(ctx *eval.Context) bool { 9935 ev := ctx.Event.(*Event) 9936 return ev.PTrace.Tracee.Process.PIDContext.IsKworker 9937 }, 9938 Field: field, 9939 Weight: eval.FunctionWeight, 9940 }, nil 9941 case "ptrace.tracee.is_thread": 9942 return &eval.BoolEvaluator{ 9943 EvalFnc: func(ctx *eval.Context) bool { 9944 ev := ctx.Event.(*Event) 9945 return ev.PTrace.Tracee.Process.IsThread 9946 }, 9947 Field: field, 9948 Weight: eval.FunctionWeight, 9949 }, nil 9950 case "ptrace.tracee.parent.args": 9951 return &eval.StringEvaluator{ 9952 EvalFnc: func(ctx *eval.Context) string { 9953 ev := ctx.Event.(*Event) 9954 if !ev.PTrace.Tracee.HasParent() { 9955 return "" 9956 } 9957 return ev.FieldHandlers.ResolveProcessArgs(ev, ev.PTrace.Tracee.Parent) 9958 }, 9959 Field: field, 9960 Weight: 500 * eval.HandlerWeight, 9961 }, nil 9962 case "ptrace.tracee.parent.args_flags": 9963 return &eval.StringArrayEvaluator{ 9964 EvalFnc: func(ctx *eval.Context) []string { 9965 ev := ctx.Event.(*Event) 9966 if !ev.PTrace.Tracee.HasParent() { 9967 return []string{} 9968 } 9969 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.PTrace.Tracee.Parent) 9970 }, 9971 Field: field, 9972 Weight: eval.HandlerWeight, 9973 }, nil 9974 case "ptrace.tracee.parent.args_options": 9975 return &eval.StringArrayEvaluator{ 9976 EvalFnc: func(ctx *eval.Context) []string { 
9977 ev := ctx.Event.(*Event) 9978 if !ev.PTrace.Tracee.HasParent() { 9979 return []string{} 9980 } 9981 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.PTrace.Tracee.Parent) 9982 }, 9983 Field: field, 9984 Weight: eval.HandlerWeight, 9985 }, nil 9986 case "ptrace.tracee.parent.args_truncated": 9987 return &eval.BoolEvaluator{ 9988 EvalFnc: func(ctx *eval.Context) bool { 9989 ev := ctx.Event.(*Event) 9990 if !ev.PTrace.Tracee.HasParent() { 9991 return false 9992 } 9993 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.PTrace.Tracee.Parent) 9994 }, 9995 Field: field, 9996 Weight: eval.HandlerWeight, 9997 }, nil 9998 case "ptrace.tracee.parent.argv": 9999 return &eval.StringArrayEvaluator{ 10000 EvalFnc: func(ctx *eval.Context) []string { 10001 ev := ctx.Event.(*Event) 10002 if !ev.PTrace.Tracee.HasParent() { 10003 return []string{} 10004 } 10005 return ev.FieldHandlers.ResolveProcessArgv(ev, ev.PTrace.Tracee.Parent) 10006 }, 10007 Field: field, 10008 Weight: 500 * eval.HandlerWeight, 10009 }, nil 10010 case "ptrace.tracee.parent.argv0": 10011 return &eval.StringEvaluator{ 10012 EvalFnc: func(ctx *eval.Context) string { 10013 ev := ctx.Event.(*Event) 10014 if !ev.PTrace.Tracee.HasParent() { 10015 return "" 10016 } 10017 return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.PTrace.Tracee.Parent) 10018 }, 10019 Field: field, 10020 Weight: 100 * eval.HandlerWeight, 10021 }, nil 10022 case "ptrace.tracee.parent.cap_effective": 10023 return &eval.IntEvaluator{ 10024 EvalFnc: func(ctx *eval.Context) int { 10025 ev := ctx.Event.(*Event) 10026 if !ev.PTrace.Tracee.HasParent() { 10027 return 0 10028 } 10029 return int(ev.PTrace.Tracee.Parent.Credentials.CapEffective) 10030 }, 10031 Field: field, 10032 Weight: eval.FunctionWeight, 10033 }, nil 10034 case "ptrace.tracee.parent.cap_permitted": 10035 return &eval.IntEvaluator{ 10036 EvalFnc: func(ctx *eval.Context) int { 10037 ev := ctx.Event.(*Event) 10038 if !ev.PTrace.Tracee.HasParent() { 10039 return 0 10040 } 
10041 return int(ev.PTrace.Tracee.Parent.Credentials.CapPermitted) 10042 }, 10043 Field: field, 10044 Weight: eval.FunctionWeight, 10045 }, nil 10046 case "ptrace.tracee.parent.comm": 10047 return &eval.StringEvaluator{ 10048 EvalFnc: func(ctx *eval.Context) string { 10049 ev := ctx.Event.(*Event) 10050 if !ev.PTrace.Tracee.HasParent() { 10051 return "" 10052 } 10053 return ev.PTrace.Tracee.Parent.Comm 10054 }, 10055 Field: field, 10056 Weight: eval.FunctionWeight, 10057 }, nil 10058 case "ptrace.tracee.parent.container.id": 10059 return &eval.StringEvaluator{ 10060 EvalFnc: func(ctx *eval.Context) string { 10061 ev := ctx.Event.(*Event) 10062 if !ev.PTrace.Tracee.HasParent() { 10063 return "" 10064 } 10065 return ev.PTrace.Tracee.Parent.ContainerID 10066 }, 10067 Field: field, 10068 Weight: eval.FunctionWeight, 10069 }, nil 10070 case "ptrace.tracee.parent.created_at": 10071 return &eval.IntEvaluator{ 10072 EvalFnc: func(ctx *eval.Context) int { 10073 ev := ctx.Event.(*Event) 10074 if !ev.PTrace.Tracee.HasParent() { 10075 return 0 10076 } 10077 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.PTrace.Tracee.Parent)) 10078 }, 10079 Field: field, 10080 Weight: eval.HandlerWeight, 10081 }, nil 10082 case "ptrace.tracee.parent.egid": 10083 return &eval.IntEvaluator{ 10084 EvalFnc: func(ctx *eval.Context) int { 10085 ev := ctx.Event.(*Event) 10086 if !ev.PTrace.Tracee.HasParent() { 10087 return 0 10088 } 10089 return int(ev.PTrace.Tracee.Parent.Credentials.EGID) 10090 }, 10091 Field: field, 10092 Weight: eval.FunctionWeight, 10093 }, nil 10094 case "ptrace.tracee.parent.egroup": 10095 return &eval.StringEvaluator{ 10096 EvalFnc: func(ctx *eval.Context) string { 10097 ev := ctx.Event.(*Event) 10098 if !ev.PTrace.Tracee.HasParent() { 10099 return "" 10100 } 10101 return ev.PTrace.Tracee.Parent.Credentials.EGroup 10102 }, 10103 Field: field, 10104 Weight: eval.FunctionWeight, 10105 }, nil 10106 case "ptrace.tracee.parent.envp": 10107 return 
&eval.StringArrayEvaluator{ 10108 EvalFnc: func(ctx *eval.Context) []string { 10109 ev := ctx.Event.(*Event) 10110 if !ev.PTrace.Tracee.HasParent() { 10111 return []string{} 10112 } 10113 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.PTrace.Tracee.Parent) 10114 }, 10115 Field: field, 10116 Weight: 100 * eval.HandlerWeight, 10117 }, nil 10118 case "ptrace.tracee.parent.envs": 10119 return &eval.StringArrayEvaluator{ 10120 EvalFnc: func(ctx *eval.Context) []string { 10121 ev := ctx.Event.(*Event) 10122 if !ev.PTrace.Tracee.HasParent() { 10123 return []string{} 10124 } 10125 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.PTrace.Tracee.Parent) 10126 }, 10127 Field: field, 10128 Weight: 100 * eval.HandlerWeight, 10129 }, nil 10130 case "ptrace.tracee.parent.envs_truncated": 10131 return &eval.BoolEvaluator{ 10132 EvalFnc: func(ctx *eval.Context) bool { 10133 ev := ctx.Event.(*Event) 10134 if !ev.PTrace.Tracee.HasParent() { 10135 return false 10136 } 10137 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.PTrace.Tracee.Parent) 10138 }, 10139 Field: field, 10140 Weight: eval.HandlerWeight, 10141 }, nil 10142 case "ptrace.tracee.parent.euid": 10143 return &eval.IntEvaluator{ 10144 EvalFnc: func(ctx *eval.Context) int { 10145 ev := ctx.Event.(*Event) 10146 if !ev.PTrace.Tracee.HasParent() { 10147 return 0 10148 } 10149 return int(ev.PTrace.Tracee.Parent.Credentials.EUID) 10150 }, 10151 Field: field, 10152 Weight: eval.FunctionWeight, 10153 }, nil 10154 case "ptrace.tracee.parent.euser": 10155 return &eval.StringEvaluator{ 10156 EvalFnc: func(ctx *eval.Context) string { 10157 ev := ctx.Event.(*Event) 10158 if !ev.PTrace.Tracee.HasParent() { 10159 return "" 10160 } 10161 return ev.PTrace.Tracee.Parent.Credentials.EUser 10162 }, 10163 Field: field, 10164 Weight: eval.FunctionWeight, 10165 }, nil 10166 case "ptrace.tracee.parent.file.change_time": 10167 return &eval.IntEvaluator{ 10168 EvalFnc: func(ctx *eval.Context) int { 10169 ev := ctx.Event.(*Event) 10170 
if !ev.PTrace.Tracee.HasParent() { 10171 return 0 10172 } 10173 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10174 return 0 10175 } 10176 return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.CTime) 10177 }, 10178 Field: field, 10179 Weight: eval.FunctionWeight, 10180 }, nil 10181 case "ptrace.tracee.parent.file.filesystem": 10182 return &eval.StringEvaluator{ 10183 EvalFnc: func(ctx *eval.Context) string { 10184 ev := ctx.Event.(*Event) 10185 if !ev.PTrace.Tracee.HasParent() { 10186 return "" 10187 } 10188 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10189 return "" 10190 } 10191 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Parent.FileEvent) 10192 }, 10193 Field: field, 10194 Weight: eval.HandlerWeight, 10195 }, nil 10196 case "ptrace.tracee.parent.file.gid": 10197 return &eval.IntEvaluator{ 10198 EvalFnc: func(ctx *eval.Context) int { 10199 ev := ctx.Event.(*Event) 10200 if !ev.PTrace.Tracee.HasParent() { 10201 return 0 10202 } 10203 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10204 return 0 10205 } 10206 return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.GID) 10207 }, 10208 Field: field, 10209 Weight: eval.FunctionWeight, 10210 }, nil 10211 case "ptrace.tracee.parent.file.group": 10212 return &eval.StringEvaluator{ 10213 EvalFnc: func(ctx *eval.Context) string { 10214 ev := ctx.Event.(*Event) 10215 if !ev.PTrace.Tracee.HasParent() { 10216 return "" 10217 } 10218 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10219 return "" 10220 } 10221 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields) 10222 }, 10223 Field: field, 10224 Weight: eval.HandlerWeight, 10225 }, nil 10226 case "ptrace.tracee.parent.file.hashes": 10227 return &eval.StringArrayEvaluator{ 10228 EvalFnc: func(ctx *eval.Context) []string { 10229 ev := ctx.Event.(*Event) 10230 if !ev.PTrace.Tracee.HasParent() { 10231 return []string{} 10232 } 10233 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10234 return []string{} 10235 } 10236 
return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Parent.FileEvent) 10237 }, 10238 Field: field, 10239 Weight: 999 * eval.HandlerWeight, 10240 }, nil 10241 case "ptrace.tracee.parent.file.in_upper_layer": 10242 return &eval.BoolEvaluator{ 10243 EvalFnc: func(ctx *eval.Context) bool { 10244 ev := ctx.Event.(*Event) 10245 if !ev.PTrace.Tracee.HasParent() { 10246 return false 10247 } 10248 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10249 return false 10250 } 10251 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields) 10252 }, 10253 Field: field, 10254 Weight: eval.HandlerWeight, 10255 }, nil 10256 case "ptrace.tracee.parent.file.inode": 10257 return &eval.IntEvaluator{ 10258 EvalFnc: func(ctx *eval.Context) int { 10259 ev := ctx.Event.(*Event) 10260 if !ev.PTrace.Tracee.HasParent() { 10261 return 0 10262 } 10263 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10264 return 0 10265 } 10266 return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.PathKey.Inode) 10267 }, 10268 Field: field, 10269 Weight: eval.FunctionWeight, 10270 }, nil 10271 case "ptrace.tracee.parent.file.mode": 10272 return &eval.IntEvaluator{ 10273 EvalFnc: func(ctx *eval.Context) int { 10274 ev := ctx.Event.(*Event) 10275 if !ev.PTrace.Tracee.HasParent() { 10276 return 0 10277 } 10278 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10279 return 0 10280 } 10281 return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.Mode) 10282 }, 10283 Field: field, 10284 Weight: eval.FunctionWeight, 10285 }, nil 10286 case "ptrace.tracee.parent.file.modification_time": 10287 return &eval.IntEvaluator{ 10288 EvalFnc: func(ctx *eval.Context) int { 10289 ev := ctx.Event.(*Event) 10290 if !ev.PTrace.Tracee.HasParent() { 10291 return 0 10292 } 10293 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10294 return 0 10295 } 10296 return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.MTime) 10297 }, 10298 Field: field, 10299 Weight: eval.FunctionWeight, 10300 }, 
nil 10301 case "ptrace.tracee.parent.file.mount_id": 10302 return &eval.IntEvaluator{ 10303 EvalFnc: func(ctx *eval.Context) int { 10304 ev := ctx.Event.(*Event) 10305 if !ev.PTrace.Tracee.HasParent() { 10306 return 0 10307 } 10308 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10309 return 0 10310 } 10311 return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.PathKey.MountID) 10312 }, 10313 Field: field, 10314 Weight: eval.FunctionWeight, 10315 }, nil 10316 case "ptrace.tracee.parent.file.name": 10317 return &eval.StringEvaluator{ 10318 OpOverrides: ProcessSymlinkBasename, 10319 EvalFnc: func(ctx *eval.Context) string { 10320 ev := ctx.Event.(*Event) 10321 if !ev.PTrace.Tracee.HasParent() { 10322 return "" 10323 } 10324 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10325 return "" 10326 } 10327 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.FileEvent) 10328 }, 10329 Field: field, 10330 Weight: eval.HandlerWeight, 10331 }, nil 10332 case "ptrace.tracee.parent.file.name.length": 10333 return &eval.IntEvaluator{ 10334 OpOverrides: ProcessSymlinkBasename, 10335 EvalFnc: func(ctx *eval.Context) int { 10336 ev := ctx.Event.(*Event) 10337 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.FileEvent)) 10338 }, 10339 Field: field, 10340 Weight: eval.HandlerWeight, 10341 }, nil 10342 case "ptrace.tracee.parent.file.package.name": 10343 return &eval.StringEvaluator{ 10344 EvalFnc: func(ctx *eval.Context) string { 10345 ev := ctx.Event.(*Event) 10346 if !ev.PTrace.Tracee.HasParent() { 10347 return "" 10348 } 10349 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10350 return "" 10351 } 10352 return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Parent.FileEvent) 10353 }, 10354 Field: field, 10355 Weight: eval.HandlerWeight, 10356 }, nil 10357 case "ptrace.tracee.parent.file.package.source_version": 10358 return &eval.StringEvaluator{ 10359 EvalFnc: func(ctx *eval.Context) string { 10360 ev := ctx.Event.(*Event) 10361 if 
!ev.PTrace.Tracee.HasParent() { 10362 return "" 10363 } 10364 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10365 return "" 10366 } 10367 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Parent.FileEvent) 10368 }, 10369 Field: field, 10370 Weight: eval.HandlerWeight, 10371 }, nil 10372 case "ptrace.tracee.parent.file.package.version": 10373 return &eval.StringEvaluator{ 10374 EvalFnc: func(ctx *eval.Context) string { 10375 ev := ctx.Event.(*Event) 10376 if !ev.PTrace.Tracee.HasParent() { 10377 return "" 10378 } 10379 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10380 return "" 10381 } 10382 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Parent.FileEvent) 10383 }, 10384 Field: field, 10385 Weight: eval.HandlerWeight, 10386 }, nil 10387 case "ptrace.tracee.parent.file.path": 10388 return &eval.StringEvaluator{ 10389 OpOverrides: ProcessSymlinkPathname, 10390 EvalFnc: func(ctx *eval.Context) string { 10391 ev := ctx.Event.(*Event) 10392 if !ev.PTrace.Tracee.HasParent() { 10393 return "" 10394 } 10395 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10396 return "" 10397 } 10398 return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.FileEvent) 10399 }, 10400 Field: field, 10401 Weight: eval.HandlerWeight, 10402 }, nil 10403 case "ptrace.tracee.parent.file.path.length": 10404 return &eval.IntEvaluator{ 10405 OpOverrides: ProcessSymlinkPathname, 10406 EvalFnc: func(ctx *eval.Context) int { 10407 ev := ctx.Event.(*Event) 10408 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.FileEvent)) 10409 }, 10410 Field: field, 10411 Weight: eval.HandlerWeight, 10412 }, nil 10413 case "ptrace.tracee.parent.file.rights": 10414 return &eval.IntEvaluator{ 10415 EvalFnc: func(ctx *eval.Context) int { 10416 ev := ctx.Event.(*Event) 10417 if !ev.PTrace.Tracee.HasParent() { 10418 return 0 10419 } 10420 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10421 return 0 10422 } 10423 return 
int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields)) 10424 }, 10425 Field: field, 10426 Weight: eval.HandlerWeight, 10427 }, nil 10428 case "ptrace.tracee.parent.file.uid": 10429 return &eval.IntEvaluator{ 10430 EvalFnc: func(ctx *eval.Context) int { 10431 ev := ctx.Event.(*Event) 10432 if !ev.PTrace.Tracee.HasParent() { 10433 return 0 10434 } 10435 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10436 return 0 10437 } 10438 return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.UID) 10439 }, 10440 Field: field, 10441 Weight: eval.FunctionWeight, 10442 }, nil 10443 case "ptrace.tracee.parent.file.user": 10444 return &eval.StringEvaluator{ 10445 EvalFnc: func(ctx *eval.Context) string { 10446 ev := ctx.Event.(*Event) 10447 if !ev.PTrace.Tracee.HasParent() { 10448 return "" 10449 } 10450 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 10451 return "" 10452 } 10453 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields) 10454 }, 10455 Field: field, 10456 Weight: eval.HandlerWeight, 10457 }, nil 10458 case "ptrace.tracee.parent.fsgid": 10459 return &eval.IntEvaluator{ 10460 EvalFnc: func(ctx *eval.Context) int { 10461 ev := ctx.Event.(*Event) 10462 if !ev.PTrace.Tracee.HasParent() { 10463 return 0 10464 } 10465 return int(ev.PTrace.Tracee.Parent.Credentials.FSGID) 10466 }, 10467 Field: field, 10468 Weight: eval.FunctionWeight, 10469 }, nil 10470 case "ptrace.tracee.parent.fsgroup": 10471 return &eval.StringEvaluator{ 10472 EvalFnc: func(ctx *eval.Context) string { 10473 ev := ctx.Event.(*Event) 10474 if !ev.PTrace.Tracee.HasParent() { 10475 return "" 10476 } 10477 return ev.PTrace.Tracee.Parent.Credentials.FSGroup 10478 }, 10479 Field: field, 10480 Weight: eval.FunctionWeight, 10481 }, nil 10482 case "ptrace.tracee.parent.fsuid": 10483 return &eval.IntEvaluator{ 10484 EvalFnc: func(ctx *eval.Context) int { 10485 ev := ctx.Event.(*Event) 10486 if !ev.PTrace.Tracee.HasParent() { 10487 return 0 10488 } 
10489 return int(ev.PTrace.Tracee.Parent.Credentials.FSUID) 10490 }, 10491 Field: field, 10492 Weight: eval.FunctionWeight, 10493 }, nil 10494 case "ptrace.tracee.parent.fsuser": 10495 return &eval.StringEvaluator{ 10496 EvalFnc: func(ctx *eval.Context) string { 10497 ev := ctx.Event.(*Event) 10498 if !ev.PTrace.Tracee.HasParent() { 10499 return "" 10500 } 10501 return ev.PTrace.Tracee.Parent.Credentials.FSUser 10502 }, 10503 Field: field, 10504 Weight: eval.FunctionWeight, 10505 }, nil 10506 case "ptrace.tracee.parent.gid": 10507 return &eval.IntEvaluator{ 10508 EvalFnc: func(ctx *eval.Context) int { 10509 ev := ctx.Event.(*Event) 10510 if !ev.PTrace.Tracee.HasParent() { 10511 return 0 10512 } 10513 return int(ev.PTrace.Tracee.Parent.Credentials.GID) 10514 }, 10515 Field: field, 10516 Weight: eval.FunctionWeight, 10517 }, nil 10518 case "ptrace.tracee.parent.group": 10519 return &eval.StringEvaluator{ 10520 EvalFnc: func(ctx *eval.Context) string { 10521 ev := ctx.Event.(*Event) 10522 if !ev.PTrace.Tracee.HasParent() { 10523 return "" 10524 } 10525 return ev.PTrace.Tracee.Parent.Credentials.Group 10526 }, 10527 Field: field, 10528 Weight: eval.FunctionWeight, 10529 }, nil 10530 case "ptrace.tracee.parent.interpreter.file.change_time": 10531 return &eval.IntEvaluator{ 10532 EvalFnc: func(ctx *eval.Context) int { 10533 ev := ctx.Event.(*Event) 10534 if !ev.PTrace.Tracee.HasParent() { 10535 return 0 10536 } 10537 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10538 return 0 10539 } 10540 return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.CTime) 10541 }, 10542 Field: field, 10543 Weight: eval.FunctionWeight, 10544 }, nil 10545 case "ptrace.tracee.parent.interpreter.file.filesystem": 10546 return &eval.StringEvaluator{ 10547 EvalFnc: func(ctx *eval.Context) string { 10548 ev := ctx.Event.(*Event) 10549 if !ev.PTrace.Tracee.HasParent() { 10550 return "" 10551 } 10552 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10553 return "" 10554 } 10555 return 
ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) 10556 }, 10557 Field: field, 10558 Weight: eval.HandlerWeight, 10559 }, nil 10560 case "ptrace.tracee.parent.interpreter.file.gid": 10561 return &eval.IntEvaluator{ 10562 EvalFnc: func(ctx *eval.Context) int { 10563 ev := ctx.Event.(*Event) 10564 if !ev.PTrace.Tracee.HasParent() { 10565 return 0 10566 } 10567 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10568 return 0 10569 } 10570 return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.GID) 10571 }, 10572 Field: field, 10573 Weight: eval.FunctionWeight, 10574 }, nil 10575 case "ptrace.tracee.parent.interpreter.file.group": 10576 return &eval.StringEvaluator{ 10577 EvalFnc: func(ctx *eval.Context) string { 10578 ev := ctx.Event.(*Event) 10579 if !ev.PTrace.Tracee.HasParent() { 10580 return "" 10581 } 10582 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10583 return "" 10584 } 10585 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields) 10586 }, 10587 Field: field, 10588 Weight: eval.HandlerWeight, 10589 }, nil 10590 case "ptrace.tracee.parent.interpreter.file.hashes": 10591 return &eval.StringArrayEvaluator{ 10592 EvalFnc: func(ctx *eval.Context) []string { 10593 ev := ctx.Event.(*Event) 10594 if !ev.PTrace.Tracee.HasParent() { 10595 return []string{} 10596 } 10597 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10598 return []string{} 10599 } 10600 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) 10601 }, 10602 Field: field, 10603 Weight: 999 * eval.HandlerWeight, 10604 }, nil 10605 case "ptrace.tracee.parent.interpreter.file.in_upper_layer": 10606 return &eval.BoolEvaluator{ 10607 EvalFnc: func(ctx *eval.Context) bool { 10608 ev := ctx.Event.(*Event) 10609 if !ev.PTrace.Tracee.HasParent() { 10610 return false 10611 } 10612 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10613 return false 10614 } 10615 return 
ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields) 10616 }, 10617 Field: field, 10618 Weight: eval.HandlerWeight, 10619 }, nil 10620 case "ptrace.tracee.parent.interpreter.file.inode": 10621 return &eval.IntEvaluator{ 10622 EvalFnc: func(ctx *eval.Context) int { 10623 ev := ctx.Event.(*Event) 10624 if !ev.PTrace.Tracee.HasParent() { 10625 return 0 10626 } 10627 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10628 return 0 10629 } 10630 return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 10631 }, 10632 Field: field, 10633 Weight: eval.FunctionWeight, 10634 }, nil 10635 case "ptrace.tracee.parent.interpreter.file.mode": 10636 return &eval.IntEvaluator{ 10637 EvalFnc: func(ctx *eval.Context) int { 10638 ev := ctx.Event.(*Event) 10639 if !ev.PTrace.Tracee.HasParent() { 10640 return 0 10641 } 10642 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10643 return 0 10644 } 10645 return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.Mode) 10646 }, 10647 Field: field, 10648 Weight: eval.FunctionWeight, 10649 }, nil 10650 case "ptrace.tracee.parent.interpreter.file.modification_time": 10651 return &eval.IntEvaluator{ 10652 EvalFnc: func(ctx *eval.Context) int { 10653 ev := ctx.Event.(*Event) 10654 if !ev.PTrace.Tracee.HasParent() { 10655 return 0 10656 } 10657 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10658 return 0 10659 } 10660 return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.MTime) 10661 }, 10662 Field: field, 10663 Weight: eval.FunctionWeight, 10664 }, nil 10665 case "ptrace.tracee.parent.interpreter.file.mount_id": 10666 return &eval.IntEvaluator{ 10667 EvalFnc: func(ctx *eval.Context) int { 10668 ev := ctx.Event.(*Event) 10669 if !ev.PTrace.Tracee.HasParent() { 10670 return 0 10671 } 10672 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10673 return 0 10674 } 10675 return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 
10676 }, 10677 Field: field, 10678 Weight: eval.FunctionWeight, 10679 }, nil 10680 case "ptrace.tracee.parent.interpreter.file.name": 10681 return &eval.StringEvaluator{ 10682 OpOverrides: ProcessSymlinkBasename, 10683 EvalFnc: func(ctx *eval.Context) string { 10684 ev := ctx.Event.(*Event) 10685 if !ev.PTrace.Tracee.HasParent() { 10686 return "" 10687 } 10688 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10689 return "" 10690 } 10691 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) 10692 }, 10693 Field: field, 10694 Weight: eval.HandlerWeight, 10695 }, nil 10696 case "ptrace.tracee.parent.interpreter.file.name.length": 10697 return &eval.IntEvaluator{ 10698 OpOverrides: ProcessSymlinkBasename, 10699 EvalFnc: func(ctx *eval.Context) int { 10700 ev := ctx.Event.(*Event) 10701 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent)) 10702 }, 10703 Field: field, 10704 Weight: eval.HandlerWeight, 10705 }, nil 10706 case "ptrace.tracee.parent.interpreter.file.package.name": 10707 return &eval.StringEvaluator{ 10708 EvalFnc: func(ctx *eval.Context) string { 10709 ev := ctx.Event.(*Event) 10710 if !ev.PTrace.Tracee.HasParent() { 10711 return "" 10712 } 10713 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10714 return "" 10715 } 10716 return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) 10717 }, 10718 Field: field, 10719 Weight: eval.HandlerWeight, 10720 }, nil 10721 case "ptrace.tracee.parent.interpreter.file.package.source_version": 10722 return &eval.StringEvaluator{ 10723 EvalFnc: func(ctx *eval.Context) string { 10724 ev := ctx.Event.(*Event) 10725 if !ev.PTrace.Tracee.HasParent() { 10726 return "" 10727 } 10728 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10729 return "" 10730 } 10731 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) 10732 }, 10733 Field: field, 10734 Weight: 
eval.HandlerWeight, 10735 }, nil 10736 case "ptrace.tracee.parent.interpreter.file.package.version": 10737 return &eval.StringEvaluator{ 10738 EvalFnc: func(ctx *eval.Context) string { 10739 ev := ctx.Event.(*Event) 10740 if !ev.PTrace.Tracee.HasParent() { 10741 return "" 10742 } 10743 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10744 return "" 10745 } 10746 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) 10747 }, 10748 Field: field, 10749 Weight: eval.HandlerWeight, 10750 }, nil 10751 case "ptrace.tracee.parent.interpreter.file.path": 10752 return &eval.StringEvaluator{ 10753 OpOverrides: ProcessSymlinkPathname, 10754 EvalFnc: func(ctx *eval.Context) string { 10755 ev := ctx.Event.(*Event) 10756 if !ev.PTrace.Tracee.HasParent() { 10757 return "" 10758 } 10759 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10760 return "" 10761 } 10762 return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent) 10763 }, 10764 Field: field, 10765 Weight: eval.HandlerWeight, 10766 }, nil 10767 case "ptrace.tracee.parent.interpreter.file.path.length": 10768 return &eval.IntEvaluator{ 10769 OpOverrides: ProcessSymlinkPathname, 10770 EvalFnc: func(ctx *eval.Context) int { 10771 ev := ctx.Event.(*Event) 10772 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent)) 10773 }, 10774 Field: field, 10775 Weight: eval.HandlerWeight, 10776 }, nil 10777 case "ptrace.tracee.parent.interpreter.file.rights": 10778 return &eval.IntEvaluator{ 10779 EvalFnc: func(ctx *eval.Context) int { 10780 ev := ctx.Event.(*Event) 10781 if !ev.PTrace.Tracee.HasParent() { 10782 return 0 10783 } 10784 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10785 return 0 10786 } 10787 return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields)) 10788 }, 10789 Field: field, 10790 Weight: eval.HandlerWeight, 10791 }, nil 10792 case 
"ptrace.tracee.parent.interpreter.file.uid": 10793 return &eval.IntEvaluator{ 10794 EvalFnc: func(ctx *eval.Context) int { 10795 ev := ctx.Event.(*Event) 10796 if !ev.PTrace.Tracee.HasParent() { 10797 return 0 10798 } 10799 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10800 return 0 10801 } 10802 return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.UID) 10803 }, 10804 Field: field, 10805 Weight: eval.FunctionWeight, 10806 }, nil 10807 case "ptrace.tracee.parent.interpreter.file.user": 10808 return &eval.StringEvaluator{ 10809 EvalFnc: func(ctx *eval.Context) string { 10810 ev := ctx.Event.(*Event) 10811 if !ev.PTrace.Tracee.HasParent() { 10812 return "" 10813 } 10814 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 10815 return "" 10816 } 10817 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields) 10818 }, 10819 Field: field, 10820 Weight: eval.HandlerWeight, 10821 }, nil 10822 case "ptrace.tracee.parent.is_kworker": 10823 return &eval.BoolEvaluator{ 10824 EvalFnc: func(ctx *eval.Context) bool { 10825 ev := ctx.Event.(*Event) 10826 if !ev.PTrace.Tracee.HasParent() { 10827 return false 10828 } 10829 return ev.PTrace.Tracee.Parent.PIDContext.IsKworker 10830 }, 10831 Field: field, 10832 Weight: eval.FunctionWeight, 10833 }, nil 10834 case "ptrace.tracee.parent.is_thread": 10835 return &eval.BoolEvaluator{ 10836 EvalFnc: func(ctx *eval.Context) bool { 10837 ev := ctx.Event.(*Event) 10838 if !ev.PTrace.Tracee.HasParent() { 10839 return false 10840 } 10841 return ev.PTrace.Tracee.Parent.IsThread 10842 }, 10843 Field: field, 10844 Weight: eval.FunctionWeight, 10845 }, nil 10846 case "ptrace.tracee.parent.pid": 10847 return &eval.IntEvaluator{ 10848 EvalFnc: func(ctx *eval.Context) int { 10849 ev := ctx.Event.(*Event) 10850 if !ev.PTrace.Tracee.HasParent() { 10851 return 0 10852 } 10853 return int(ev.PTrace.Tracee.Parent.PIDContext.Pid) 10854 }, 10855 Field: field, 10856 Weight: eval.FunctionWeight, 
10857 }, nil 10858 case "ptrace.tracee.parent.ppid": 10859 return &eval.IntEvaluator{ 10860 EvalFnc: func(ctx *eval.Context) int { 10861 ev := ctx.Event.(*Event) 10862 if !ev.PTrace.Tracee.HasParent() { 10863 return 0 10864 } 10865 return int(ev.PTrace.Tracee.Parent.PPid) 10866 }, 10867 Field: field, 10868 Weight: eval.FunctionWeight, 10869 }, nil 10870 case "ptrace.tracee.parent.tid": 10871 return &eval.IntEvaluator{ 10872 EvalFnc: func(ctx *eval.Context) int { 10873 ev := ctx.Event.(*Event) 10874 if !ev.PTrace.Tracee.HasParent() { 10875 return 0 10876 } 10877 return int(ev.PTrace.Tracee.Parent.PIDContext.Tid) 10878 }, 10879 Field: field, 10880 Weight: eval.FunctionWeight, 10881 }, nil 10882 case "ptrace.tracee.parent.tty_name": 10883 return &eval.StringEvaluator{ 10884 EvalFnc: func(ctx *eval.Context) string { 10885 ev := ctx.Event.(*Event) 10886 if !ev.PTrace.Tracee.HasParent() { 10887 return "" 10888 } 10889 return ev.PTrace.Tracee.Parent.TTYName 10890 }, 10891 Field: field, 10892 Weight: eval.FunctionWeight, 10893 }, nil 10894 case "ptrace.tracee.parent.uid": 10895 return &eval.IntEvaluator{ 10896 EvalFnc: func(ctx *eval.Context) int { 10897 ev := ctx.Event.(*Event) 10898 if !ev.PTrace.Tracee.HasParent() { 10899 return 0 10900 } 10901 return int(ev.PTrace.Tracee.Parent.Credentials.UID) 10902 }, 10903 Field: field, 10904 Weight: eval.FunctionWeight, 10905 }, nil 10906 case "ptrace.tracee.parent.user": 10907 return &eval.StringEvaluator{ 10908 EvalFnc: func(ctx *eval.Context) string { 10909 ev := ctx.Event.(*Event) 10910 if !ev.PTrace.Tracee.HasParent() { 10911 return "" 10912 } 10913 return ev.PTrace.Tracee.Parent.Credentials.User 10914 }, 10915 Field: field, 10916 Weight: eval.FunctionWeight, 10917 }, nil 10918 case "ptrace.tracee.parent.user_session.k8s_groups": 10919 return &eval.StringArrayEvaluator{ 10920 EvalFnc: func(ctx *eval.Context) []string { 10921 ev := ctx.Event.(*Event) 10922 if !ev.PTrace.Tracee.HasParent() { 10923 return []string{} 10924 } 10925 
return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.PTrace.Tracee.Parent.UserSession) 10926 }, 10927 Field: field, 10928 Weight: eval.HandlerWeight, 10929 }, nil 10930 case "ptrace.tracee.parent.user_session.k8s_uid": 10931 return &eval.StringEvaluator{ 10932 EvalFnc: func(ctx *eval.Context) string { 10933 ev := ctx.Event.(*Event) 10934 if !ev.PTrace.Tracee.HasParent() { 10935 return "" 10936 } 10937 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.PTrace.Tracee.Parent.UserSession) 10938 }, 10939 Field: field, 10940 Weight: eval.HandlerWeight, 10941 }, nil 10942 case "ptrace.tracee.parent.user_session.k8s_username": 10943 return &eval.StringEvaluator{ 10944 EvalFnc: func(ctx *eval.Context) string { 10945 ev := ctx.Event.(*Event) 10946 if !ev.PTrace.Tracee.HasParent() { 10947 return "" 10948 } 10949 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.PTrace.Tracee.Parent.UserSession) 10950 }, 10951 Field: field, 10952 Weight: eval.HandlerWeight, 10953 }, nil 10954 case "ptrace.tracee.pid": 10955 return &eval.IntEvaluator{ 10956 EvalFnc: func(ctx *eval.Context) int { 10957 ev := ctx.Event.(*Event) 10958 return int(ev.PTrace.Tracee.Process.PIDContext.Pid) 10959 }, 10960 Field: field, 10961 Weight: eval.FunctionWeight, 10962 }, nil 10963 case "ptrace.tracee.ppid": 10964 return &eval.IntEvaluator{ 10965 EvalFnc: func(ctx *eval.Context) int { 10966 ev := ctx.Event.(*Event) 10967 return int(ev.PTrace.Tracee.Process.PPid) 10968 }, 10969 Field: field, 10970 Weight: eval.FunctionWeight, 10971 }, nil 10972 case "ptrace.tracee.tid": 10973 return &eval.IntEvaluator{ 10974 EvalFnc: func(ctx *eval.Context) int { 10975 ev := ctx.Event.(*Event) 10976 return int(ev.PTrace.Tracee.Process.PIDContext.Tid) 10977 }, 10978 Field: field, 10979 Weight: eval.FunctionWeight, 10980 }, nil 10981 case "ptrace.tracee.tty_name": 10982 return &eval.StringEvaluator{ 10983 EvalFnc: func(ctx *eval.Context) string { 10984 ev := ctx.Event.(*Event) 10985 return ev.PTrace.Tracee.Process.TTYName 10986 }, 10987 
Field: field, 10988 Weight: eval.FunctionWeight, 10989 }, nil 10990 case "ptrace.tracee.uid": 10991 return &eval.IntEvaluator{ 10992 EvalFnc: func(ctx *eval.Context) int { 10993 ev := ctx.Event.(*Event) 10994 return int(ev.PTrace.Tracee.Process.Credentials.UID) 10995 }, 10996 Field: field, 10997 Weight: eval.FunctionWeight, 10998 }, nil 10999 case "ptrace.tracee.user": 11000 return &eval.StringEvaluator{ 11001 EvalFnc: func(ctx *eval.Context) string { 11002 ev := ctx.Event.(*Event) 11003 return ev.PTrace.Tracee.Process.Credentials.User 11004 }, 11005 Field: field, 11006 Weight: eval.FunctionWeight, 11007 }, nil 11008 case "ptrace.tracee.user_session.k8s_groups": 11009 return &eval.StringArrayEvaluator{ 11010 EvalFnc: func(ctx *eval.Context) []string { 11011 ev := ctx.Event.(*Event) 11012 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.PTrace.Tracee.Process.UserSession) 11013 }, 11014 Field: field, 11015 Weight: eval.HandlerWeight, 11016 }, nil 11017 case "ptrace.tracee.user_session.k8s_uid": 11018 return &eval.StringEvaluator{ 11019 EvalFnc: func(ctx *eval.Context) string { 11020 ev := ctx.Event.(*Event) 11021 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.PTrace.Tracee.Process.UserSession) 11022 }, 11023 Field: field, 11024 Weight: eval.HandlerWeight, 11025 }, nil 11026 case "ptrace.tracee.user_session.k8s_username": 11027 return &eval.StringEvaluator{ 11028 EvalFnc: func(ctx *eval.Context) string { 11029 ev := ctx.Event.(*Event) 11030 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.PTrace.Tracee.Process.UserSession) 11031 }, 11032 Field: field, 11033 Weight: eval.HandlerWeight, 11034 }, nil 11035 case "removexattr.file.change_time": 11036 return &eval.IntEvaluator{ 11037 EvalFnc: func(ctx *eval.Context) int { 11038 ev := ctx.Event.(*Event) 11039 return int(ev.RemoveXAttr.File.FileFields.CTime) 11040 }, 11041 Field: field, 11042 Weight: eval.FunctionWeight, 11043 }, nil 11044 case "removexattr.file.destination.name": 11045 return &eval.StringEvaluator{ 11046 
EvalFnc: func(ctx *eval.Context) string { 11047 ev := ctx.Event.(*Event) 11048 return ev.FieldHandlers.ResolveXAttrName(ev, &ev.RemoveXAttr) 11049 }, 11050 Field: field, 11051 Weight: eval.HandlerWeight, 11052 }, nil 11053 case "removexattr.file.destination.namespace": 11054 return &eval.StringEvaluator{ 11055 EvalFnc: func(ctx *eval.Context) string { 11056 ev := ctx.Event.(*Event) 11057 return ev.FieldHandlers.ResolveXAttrNamespace(ev, &ev.RemoveXAttr) 11058 }, 11059 Field: field, 11060 Weight: eval.HandlerWeight, 11061 }, nil 11062 case "removexattr.file.filesystem": 11063 return &eval.StringEvaluator{ 11064 EvalFnc: func(ctx *eval.Context) string { 11065 ev := ctx.Event.(*Event) 11066 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.RemoveXAttr.File) 11067 }, 11068 Field: field, 11069 Weight: eval.HandlerWeight, 11070 }, nil 11071 case "removexattr.file.gid": 11072 return &eval.IntEvaluator{ 11073 EvalFnc: func(ctx *eval.Context) int { 11074 ev := ctx.Event.(*Event) 11075 return int(ev.RemoveXAttr.File.FileFields.GID) 11076 }, 11077 Field: field, 11078 Weight: eval.FunctionWeight, 11079 }, nil 11080 case "removexattr.file.group": 11081 return &eval.StringEvaluator{ 11082 EvalFnc: func(ctx *eval.Context) string { 11083 ev := ctx.Event.(*Event) 11084 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.RemoveXAttr.File.FileFields) 11085 }, 11086 Field: field, 11087 Weight: eval.HandlerWeight, 11088 }, nil 11089 case "removexattr.file.hashes": 11090 return &eval.StringArrayEvaluator{ 11091 EvalFnc: func(ctx *eval.Context) []string { 11092 ev := ctx.Event.(*Event) 11093 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.RemoveXAttr.File) 11094 }, 11095 Field: field, 11096 Weight: 999 * eval.HandlerWeight, 11097 }, nil 11098 case "removexattr.file.in_upper_layer": 11099 return &eval.BoolEvaluator{ 11100 EvalFnc: func(ctx *eval.Context) bool { 11101 ev := ctx.Event.(*Event) 11102 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, 
&ev.RemoveXAttr.File.FileFields) 11103 }, 11104 Field: field, 11105 Weight: eval.HandlerWeight, 11106 }, nil 11107 case "removexattr.file.inode": 11108 return &eval.IntEvaluator{ 11109 EvalFnc: func(ctx *eval.Context) int { 11110 ev := ctx.Event.(*Event) 11111 return int(ev.RemoveXAttr.File.FileFields.PathKey.Inode) 11112 }, 11113 Field: field, 11114 Weight: eval.FunctionWeight, 11115 }, nil 11116 case "removexattr.file.mode": 11117 return &eval.IntEvaluator{ 11118 EvalFnc: func(ctx *eval.Context) int { 11119 ev := ctx.Event.(*Event) 11120 return int(ev.RemoveXAttr.File.FileFields.Mode) 11121 }, 11122 Field: field, 11123 Weight: eval.FunctionWeight, 11124 }, nil 11125 case "removexattr.file.modification_time": 11126 return &eval.IntEvaluator{ 11127 EvalFnc: func(ctx *eval.Context) int { 11128 ev := ctx.Event.(*Event) 11129 return int(ev.RemoveXAttr.File.FileFields.MTime) 11130 }, 11131 Field: field, 11132 Weight: eval.FunctionWeight, 11133 }, nil 11134 case "removexattr.file.mount_id": 11135 return &eval.IntEvaluator{ 11136 EvalFnc: func(ctx *eval.Context) int { 11137 ev := ctx.Event.(*Event) 11138 return int(ev.RemoveXAttr.File.FileFields.PathKey.MountID) 11139 }, 11140 Field: field, 11141 Weight: eval.FunctionWeight, 11142 }, nil 11143 case "removexattr.file.name": 11144 return &eval.StringEvaluator{ 11145 OpOverrides: ProcessSymlinkBasename, 11146 EvalFnc: func(ctx *eval.Context) string { 11147 ev := ctx.Event.(*Event) 11148 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.RemoveXAttr.File) 11149 }, 11150 Field: field, 11151 Weight: eval.HandlerWeight, 11152 }, nil 11153 case "removexattr.file.name.length": 11154 return &eval.IntEvaluator{ 11155 OpOverrides: ProcessSymlinkBasename, 11156 EvalFnc: func(ctx *eval.Context) int { 11157 ev := ctx.Event.(*Event) 11158 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.RemoveXAttr.File)) 11159 }, 11160 Field: field, 11161 Weight: eval.HandlerWeight, 11162 }, nil 11163 case "removexattr.file.package.name": 11164 
return &eval.StringEvaluator{ 11165 EvalFnc: func(ctx *eval.Context) string { 11166 ev := ctx.Event.(*Event) 11167 return ev.FieldHandlers.ResolvePackageName(ev, &ev.RemoveXAttr.File) 11168 }, 11169 Field: field, 11170 Weight: eval.HandlerWeight, 11171 }, nil 11172 case "removexattr.file.package.source_version": 11173 return &eval.StringEvaluator{ 11174 EvalFnc: func(ctx *eval.Context) string { 11175 ev := ctx.Event.(*Event) 11176 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.RemoveXAttr.File) 11177 }, 11178 Field: field, 11179 Weight: eval.HandlerWeight, 11180 }, nil 11181 case "removexattr.file.package.version": 11182 return &eval.StringEvaluator{ 11183 EvalFnc: func(ctx *eval.Context) string { 11184 ev := ctx.Event.(*Event) 11185 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.RemoveXAttr.File) 11186 }, 11187 Field: field, 11188 Weight: eval.HandlerWeight, 11189 }, nil 11190 case "removexattr.file.path": 11191 return &eval.StringEvaluator{ 11192 OpOverrides: ProcessSymlinkPathname, 11193 EvalFnc: func(ctx *eval.Context) string { 11194 ev := ctx.Event.(*Event) 11195 return ev.FieldHandlers.ResolveFilePath(ev, &ev.RemoveXAttr.File) 11196 }, 11197 Field: field, 11198 Weight: eval.HandlerWeight, 11199 }, nil 11200 case "removexattr.file.path.length": 11201 return &eval.IntEvaluator{ 11202 OpOverrides: ProcessSymlinkPathname, 11203 EvalFnc: func(ctx *eval.Context) int { 11204 ev := ctx.Event.(*Event) 11205 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.RemoveXAttr.File)) 11206 }, 11207 Field: field, 11208 Weight: eval.HandlerWeight, 11209 }, nil 11210 case "removexattr.file.rights": 11211 return &eval.IntEvaluator{ 11212 EvalFnc: func(ctx *eval.Context) int { 11213 ev := ctx.Event.(*Event) 11214 return int(ev.FieldHandlers.ResolveRights(ev, &ev.RemoveXAttr.File.FileFields)) 11215 }, 11216 Field: field, 11217 Weight: eval.HandlerWeight, 11218 }, nil 11219 case "removexattr.file.uid": 11220 return &eval.IntEvaluator{ 11221 EvalFnc: func(ctx 
*eval.Context) int { 11222 ev := ctx.Event.(*Event) 11223 return int(ev.RemoveXAttr.File.FileFields.UID) 11224 }, 11225 Field: field, 11226 Weight: eval.FunctionWeight, 11227 }, nil 11228 case "removexattr.file.user": 11229 return &eval.StringEvaluator{ 11230 EvalFnc: func(ctx *eval.Context) string { 11231 ev := ctx.Event.(*Event) 11232 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.RemoveXAttr.File.FileFields) 11233 }, 11234 Field: field, 11235 Weight: eval.HandlerWeight, 11236 }, nil 11237 case "removexattr.retval": 11238 return &eval.IntEvaluator{ 11239 EvalFnc: func(ctx *eval.Context) int { 11240 ev := ctx.Event.(*Event) 11241 return int(ev.RemoveXAttr.SyscallEvent.Retval) 11242 }, 11243 Field: field, 11244 Weight: eval.FunctionWeight, 11245 }, nil 11246 case "rename.file.change_time": 11247 return &eval.IntEvaluator{ 11248 EvalFnc: func(ctx *eval.Context) int { 11249 ev := ctx.Event.(*Event) 11250 return int(ev.Rename.Old.FileFields.CTime) 11251 }, 11252 Field: field, 11253 Weight: eval.FunctionWeight, 11254 }, nil 11255 case "rename.file.destination.change_time": 11256 return &eval.IntEvaluator{ 11257 EvalFnc: func(ctx *eval.Context) int { 11258 ev := ctx.Event.(*Event) 11259 return int(ev.Rename.New.FileFields.CTime) 11260 }, 11261 Field: field, 11262 Weight: eval.FunctionWeight, 11263 }, nil 11264 case "rename.file.destination.filesystem": 11265 return &eval.StringEvaluator{ 11266 EvalFnc: func(ctx *eval.Context) string { 11267 ev := ctx.Event.(*Event) 11268 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rename.New) 11269 }, 11270 Field: field, 11271 Weight: eval.HandlerWeight, 11272 }, nil 11273 case "rename.file.destination.gid": 11274 return &eval.IntEvaluator{ 11275 EvalFnc: func(ctx *eval.Context) int { 11276 ev := ctx.Event.(*Event) 11277 return int(ev.Rename.New.FileFields.GID) 11278 }, 11279 Field: field, 11280 Weight: eval.FunctionWeight, 11281 }, nil 11282 case "rename.file.destination.group": 11283 return &eval.StringEvaluator{ 
11284 EvalFnc: func(ctx *eval.Context) string { 11285 ev := ctx.Event.(*Event) 11286 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rename.New.FileFields) 11287 }, 11288 Field: field, 11289 Weight: eval.HandlerWeight, 11290 }, nil 11291 case "rename.file.destination.hashes": 11292 return &eval.StringArrayEvaluator{ 11293 EvalFnc: func(ctx *eval.Context) []string { 11294 ev := ctx.Event.(*Event) 11295 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rename.New) 11296 }, 11297 Field: field, 11298 Weight: 999 * eval.HandlerWeight, 11299 }, nil 11300 case "rename.file.destination.in_upper_layer": 11301 return &eval.BoolEvaluator{ 11302 EvalFnc: func(ctx *eval.Context) bool { 11303 ev := ctx.Event.(*Event) 11304 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rename.New.FileFields) 11305 }, 11306 Field: field, 11307 Weight: eval.HandlerWeight, 11308 }, nil 11309 case "rename.file.destination.inode": 11310 return &eval.IntEvaluator{ 11311 EvalFnc: func(ctx *eval.Context) int { 11312 ev := ctx.Event.(*Event) 11313 return int(ev.Rename.New.FileFields.PathKey.Inode) 11314 }, 11315 Field: field, 11316 Weight: eval.FunctionWeight, 11317 }, nil 11318 case "rename.file.destination.mode": 11319 return &eval.IntEvaluator{ 11320 EvalFnc: func(ctx *eval.Context) int { 11321 ev := ctx.Event.(*Event) 11322 return int(ev.Rename.New.FileFields.Mode) 11323 }, 11324 Field: field, 11325 Weight: eval.FunctionWeight, 11326 }, nil 11327 case "rename.file.destination.modification_time": 11328 return &eval.IntEvaluator{ 11329 EvalFnc: func(ctx *eval.Context) int { 11330 ev := ctx.Event.(*Event) 11331 return int(ev.Rename.New.FileFields.MTime) 11332 }, 11333 Field: field, 11334 Weight: eval.FunctionWeight, 11335 }, nil 11336 case "rename.file.destination.mount_id": 11337 return &eval.IntEvaluator{ 11338 EvalFnc: func(ctx *eval.Context) int { 11339 ev := ctx.Event.(*Event) 11340 return int(ev.Rename.New.FileFields.PathKey.MountID) 11341 }, 11342 Field: field, 11343 
Weight: eval.FunctionWeight, 11344 }, nil 11345 case "rename.file.destination.name": 11346 return &eval.StringEvaluator{ 11347 OpOverrides: ProcessSymlinkBasename, 11348 EvalFnc: func(ctx *eval.Context) string { 11349 ev := ctx.Event.(*Event) 11350 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.New) 11351 }, 11352 Field: field, 11353 Weight: eval.HandlerWeight, 11354 }, nil 11355 case "rename.file.destination.name.length": 11356 return &eval.IntEvaluator{ 11357 OpOverrides: ProcessSymlinkBasename, 11358 EvalFnc: func(ctx *eval.Context) int { 11359 ev := ctx.Event.(*Event) 11360 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.New)) 11361 }, 11362 Field: field, 11363 Weight: eval.HandlerWeight, 11364 }, nil 11365 case "rename.file.destination.package.name": 11366 return &eval.StringEvaluator{ 11367 EvalFnc: func(ctx *eval.Context) string { 11368 ev := ctx.Event.(*Event) 11369 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rename.New) 11370 }, 11371 Field: field, 11372 Weight: eval.HandlerWeight, 11373 }, nil 11374 case "rename.file.destination.package.source_version": 11375 return &eval.StringEvaluator{ 11376 EvalFnc: func(ctx *eval.Context) string { 11377 ev := ctx.Event.(*Event) 11378 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rename.New) 11379 }, 11380 Field: field, 11381 Weight: eval.HandlerWeight, 11382 }, nil 11383 case "rename.file.destination.package.version": 11384 return &eval.StringEvaluator{ 11385 EvalFnc: func(ctx *eval.Context) string { 11386 ev := ctx.Event.(*Event) 11387 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rename.New) 11388 }, 11389 Field: field, 11390 Weight: eval.HandlerWeight, 11391 }, nil 11392 case "rename.file.destination.path": 11393 return &eval.StringEvaluator{ 11394 OpOverrides: ProcessSymlinkPathname, 11395 EvalFnc: func(ctx *eval.Context) string { 11396 ev := ctx.Event.(*Event) 11397 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.New) 11398 }, 11399 Field: field, 
11400 Weight: eval.HandlerWeight, 11401 }, nil 11402 case "rename.file.destination.path.length": 11403 return &eval.IntEvaluator{ 11404 OpOverrides: ProcessSymlinkPathname, 11405 EvalFnc: func(ctx *eval.Context) int { 11406 ev := ctx.Event.(*Event) 11407 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.New)) 11408 }, 11409 Field: field, 11410 Weight: eval.HandlerWeight, 11411 }, nil 11412 case "rename.file.destination.rights": 11413 return &eval.IntEvaluator{ 11414 EvalFnc: func(ctx *eval.Context) int { 11415 ev := ctx.Event.(*Event) 11416 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Rename.New.FileFields)) 11417 }, 11418 Field: field, 11419 Weight: eval.HandlerWeight, 11420 }, nil 11421 case "rename.file.destination.uid": 11422 return &eval.IntEvaluator{ 11423 EvalFnc: func(ctx *eval.Context) int { 11424 ev := ctx.Event.(*Event) 11425 return int(ev.Rename.New.FileFields.UID) 11426 }, 11427 Field: field, 11428 Weight: eval.FunctionWeight, 11429 }, nil 11430 case "rename.file.destination.user": 11431 return &eval.StringEvaluator{ 11432 EvalFnc: func(ctx *eval.Context) string { 11433 ev := ctx.Event.(*Event) 11434 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rename.New.FileFields) 11435 }, 11436 Field: field, 11437 Weight: eval.HandlerWeight, 11438 }, nil 11439 case "rename.file.filesystem": 11440 return &eval.StringEvaluator{ 11441 EvalFnc: func(ctx *eval.Context) string { 11442 ev := ctx.Event.(*Event) 11443 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rename.Old) 11444 }, 11445 Field: field, 11446 Weight: eval.HandlerWeight, 11447 }, nil 11448 case "rename.file.gid": 11449 return &eval.IntEvaluator{ 11450 EvalFnc: func(ctx *eval.Context) int { 11451 ev := ctx.Event.(*Event) 11452 return int(ev.Rename.Old.FileFields.GID) 11453 }, 11454 Field: field, 11455 Weight: eval.FunctionWeight, 11456 }, nil 11457 case "rename.file.group": 11458 return &eval.StringEvaluator{ 11459 EvalFnc: func(ctx *eval.Context) string { 11460 ev := 
ctx.Event.(*Event) 11461 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rename.Old.FileFields) 11462 }, 11463 Field: field, 11464 Weight: eval.HandlerWeight, 11465 }, nil 11466 case "rename.file.hashes": 11467 return &eval.StringArrayEvaluator{ 11468 EvalFnc: func(ctx *eval.Context) []string { 11469 ev := ctx.Event.(*Event) 11470 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rename.Old) 11471 }, 11472 Field: field, 11473 Weight: 999 * eval.HandlerWeight, 11474 }, nil 11475 case "rename.file.in_upper_layer": 11476 return &eval.BoolEvaluator{ 11477 EvalFnc: func(ctx *eval.Context) bool { 11478 ev := ctx.Event.(*Event) 11479 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rename.Old.FileFields) 11480 }, 11481 Field: field, 11482 Weight: eval.HandlerWeight, 11483 }, nil 11484 case "rename.file.inode": 11485 return &eval.IntEvaluator{ 11486 EvalFnc: func(ctx *eval.Context) int { 11487 ev := ctx.Event.(*Event) 11488 return int(ev.Rename.Old.FileFields.PathKey.Inode) 11489 }, 11490 Field: field, 11491 Weight: eval.FunctionWeight, 11492 }, nil 11493 case "rename.file.mode": 11494 return &eval.IntEvaluator{ 11495 EvalFnc: func(ctx *eval.Context) int { 11496 ev := ctx.Event.(*Event) 11497 return int(ev.Rename.Old.FileFields.Mode) 11498 }, 11499 Field: field, 11500 Weight: eval.FunctionWeight, 11501 }, nil 11502 case "rename.file.modification_time": 11503 return &eval.IntEvaluator{ 11504 EvalFnc: func(ctx *eval.Context) int { 11505 ev := ctx.Event.(*Event) 11506 return int(ev.Rename.Old.FileFields.MTime) 11507 }, 11508 Field: field, 11509 Weight: eval.FunctionWeight, 11510 }, nil 11511 case "rename.file.mount_id": 11512 return &eval.IntEvaluator{ 11513 EvalFnc: func(ctx *eval.Context) int { 11514 ev := ctx.Event.(*Event) 11515 return int(ev.Rename.Old.FileFields.PathKey.MountID) 11516 }, 11517 Field: field, 11518 Weight: eval.FunctionWeight, 11519 }, nil 11520 case "rename.file.name": 11521 return &eval.StringEvaluator{ 11522 OpOverrides: 
ProcessSymlinkBasename, 11523 EvalFnc: func(ctx *eval.Context) string { 11524 ev := ctx.Event.(*Event) 11525 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.Old) 11526 }, 11527 Field: field, 11528 Weight: eval.HandlerWeight, 11529 }, nil 11530 case "rename.file.name.length": 11531 return &eval.IntEvaluator{ 11532 OpOverrides: ProcessSymlinkBasename, 11533 EvalFnc: func(ctx *eval.Context) int { 11534 ev := ctx.Event.(*Event) 11535 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.Old)) 11536 }, 11537 Field: field, 11538 Weight: eval.HandlerWeight, 11539 }, nil 11540 case "rename.file.package.name": 11541 return &eval.StringEvaluator{ 11542 EvalFnc: func(ctx *eval.Context) string { 11543 ev := ctx.Event.(*Event) 11544 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rename.Old) 11545 }, 11546 Field: field, 11547 Weight: eval.HandlerWeight, 11548 }, nil 11549 case "rename.file.package.source_version": 11550 return &eval.StringEvaluator{ 11551 EvalFnc: func(ctx *eval.Context) string { 11552 ev := ctx.Event.(*Event) 11553 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rename.Old) 11554 }, 11555 Field: field, 11556 Weight: eval.HandlerWeight, 11557 }, nil 11558 case "rename.file.package.version": 11559 return &eval.StringEvaluator{ 11560 EvalFnc: func(ctx *eval.Context) string { 11561 ev := ctx.Event.(*Event) 11562 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rename.Old) 11563 }, 11564 Field: field, 11565 Weight: eval.HandlerWeight, 11566 }, nil 11567 case "rename.file.path": 11568 return &eval.StringEvaluator{ 11569 OpOverrides: ProcessSymlinkPathname, 11570 EvalFnc: func(ctx *eval.Context) string { 11571 ev := ctx.Event.(*Event) 11572 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.Old) 11573 }, 11574 Field: field, 11575 Weight: eval.HandlerWeight, 11576 }, nil 11577 case "rename.file.path.length": 11578 return &eval.IntEvaluator{ 11579 OpOverrides: ProcessSymlinkPathname, 11580 EvalFnc: func(ctx *eval.Context) int 
{ 11581 ev := ctx.Event.(*Event) 11582 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.Old)) 11583 }, 11584 Field: field, 11585 Weight: eval.HandlerWeight, 11586 }, nil 11587 case "rename.file.rights": 11588 return &eval.IntEvaluator{ 11589 EvalFnc: func(ctx *eval.Context) int { 11590 ev := ctx.Event.(*Event) 11591 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Rename.Old.FileFields)) 11592 }, 11593 Field: field, 11594 Weight: eval.HandlerWeight, 11595 }, nil 11596 case "rename.file.uid": 11597 return &eval.IntEvaluator{ 11598 EvalFnc: func(ctx *eval.Context) int { 11599 ev := ctx.Event.(*Event) 11600 return int(ev.Rename.Old.FileFields.UID) 11601 }, 11602 Field: field, 11603 Weight: eval.FunctionWeight, 11604 }, nil 11605 case "rename.file.user": 11606 return &eval.StringEvaluator{ 11607 EvalFnc: func(ctx *eval.Context) string { 11608 ev := ctx.Event.(*Event) 11609 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rename.Old.FileFields) 11610 }, 11611 Field: field, 11612 Weight: eval.HandlerWeight, 11613 }, nil 11614 case "rename.retval": 11615 return &eval.IntEvaluator{ 11616 EvalFnc: func(ctx *eval.Context) int { 11617 ev := ctx.Event.(*Event) 11618 return int(ev.Rename.SyscallEvent.Retval) 11619 }, 11620 Field: field, 11621 Weight: eval.FunctionWeight, 11622 }, nil 11623 case "rmdir.file.change_time": 11624 return &eval.IntEvaluator{ 11625 EvalFnc: func(ctx *eval.Context) int { 11626 ev := ctx.Event.(*Event) 11627 return int(ev.Rmdir.File.FileFields.CTime) 11628 }, 11629 Field: field, 11630 Weight: eval.FunctionWeight, 11631 }, nil 11632 case "rmdir.file.filesystem": 11633 return &eval.StringEvaluator{ 11634 EvalFnc: func(ctx *eval.Context) string { 11635 ev := ctx.Event.(*Event) 11636 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rmdir.File) 11637 }, 11638 Field: field, 11639 Weight: eval.HandlerWeight, 11640 }, nil 11641 case "rmdir.file.gid": 11642 return &eval.IntEvaluator{ 11643 EvalFnc: func(ctx *eval.Context) int { 11644 ev := 
ctx.Event.(*Event) 11645 return int(ev.Rmdir.File.FileFields.GID) 11646 }, 11647 Field: field, 11648 Weight: eval.FunctionWeight, 11649 }, nil 11650 case "rmdir.file.group": 11651 return &eval.StringEvaluator{ 11652 EvalFnc: func(ctx *eval.Context) string { 11653 ev := ctx.Event.(*Event) 11654 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rmdir.File.FileFields) 11655 }, 11656 Field: field, 11657 Weight: eval.HandlerWeight, 11658 }, nil 11659 case "rmdir.file.hashes": 11660 return &eval.StringArrayEvaluator{ 11661 EvalFnc: func(ctx *eval.Context) []string { 11662 ev := ctx.Event.(*Event) 11663 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rmdir.File) 11664 }, 11665 Field: field, 11666 Weight: 999 * eval.HandlerWeight, 11667 }, nil 11668 case "rmdir.file.in_upper_layer": 11669 return &eval.BoolEvaluator{ 11670 EvalFnc: func(ctx *eval.Context) bool { 11671 ev := ctx.Event.(*Event) 11672 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rmdir.File.FileFields) 11673 }, 11674 Field: field, 11675 Weight: eval.HandlerWeight, 11676 }, nil 11677 case "rmdir.file.inode": 11678 return &eval.IntEvaluator{ 11679 EvalFnc: func(ctx *eval.Context) int { 11680 ev := ctx.Event.(*Event) 11681 return int(ev.Rmdir.File.FileFields.PathKey.Inode) 11682 }, 11683 Field: field, 11684 Weight: eval.FunctionWeight, 11685 }, nil 11686 case "rmdir.file.mode": 11687 return &eval.IntEvaluator{ 11688 EvalFnc: func(ctx *eval.Context) int { 11689 ev := ctx.Event.(*Event) 11690 return int(ev.Rmdir.File.FileFields.Mode) 11691 }, 11692 Field: field, 11693 Weight: eval.FunctionWeight, 11694 }, nil 11695 case "rmdir.file.modification_time": 11696 return &eval.IntEvaluator{ 11697 EvalFnc: func(ctx *eval.Context) int { 11698 ev := ctx.Event.(*Event) 11699 return int(ev.Rmdir.File.FileFields.MTime) 11700 }, 11701 Field: field, 11702 Weight: eval.FunctionWeight, 11703 }, nil 11704 case "rmdir.file.mount_id": 11705 return &eval.IntEvaluator{ 11706 EvalFnc: func(ctx *eval.Context) 
int { 11707 ev := ctx.Event.(*Event) 11708 return int(ev.Rmdir.File.FileFields.PathKey.MountID) 11709 }, 11710 Field: field, 11711 Weight: eval.FunctionWeight, 11712 }, nil 11713 case "rmdir.file.name": 11714 return &eval.StringEvaluator{ 11715 OpOverrides: ProcessSymlinkBasename, 11716 EvalFnc: func(ctx *eval.Context) string { 11717 ev := ctx.Event.(*Event) 11718 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rmdir.File) 11719 }, 11720 Field: field, 11721 Weight: eval.HandlerWeight, 11722 }, nil 11723 case "rmdir.file.name.length": 11724 return &eval.IntEvaluator{ 11725 OpOverrides: ProcessSymlinkBasename, 11726 EvalFnc: func(ctx *eval.Context) int { 11727 ev := ctx.Event.(*Event) 11728 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rmdir.File)) 11729 }, 11730 Field: field, 11731 Weight: eval.HandlerWeight, 11732 }, nil 11733 case "rmdir.file.package.name": 11734 return &eval.StringEvaluator{ 11735 EvalFnc: func(ctx *eval.Context) string { 11736 ev := ctx.Event.(*Event) 11737 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rmdir.File) 11738 }, 11739 Field: field, 11740 Weight: eval.HandlerWeight, 11741 }, nil 11742 case "rmdir.file.package.source_version": 11743 return &eval.StringEvaluator{ 11744 EvalFnc: func(ctx *eval.Context) string { 11745 ev := ctx.Event.(*Event) 11746 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rmdir.File) 11747 }, 11748 Field: field, 11749 Weight: eval.HandlerWeight, 11750 }, nil 11751 case "rmdir.file.package.version": 11752 return &eval.StringEvaluator{ 11753 EvalFnc: func(ctx *eval.Context) string { 11754 ev := ctx.Event.(*Event) 11755 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rmdir.File) 11756 }, 11757 Field: field, 11758 Weight: eval.HandlerWeight, 11759 }, nil 11760 case "rmdir.file.path": 11761 return &eval.StringEvaluator{ 11762 OpOverrides: ProcessSymlinkPathname, 11763 EvalFnc: func(ctx *eval.Context) string { 11764 ev := ctx.Event.(*Event) 11765 return 
ev.FieldHandlers.ResolveFilePath(ev, &ev.Rmdir.File) 11766 }, 11767 Field: field, 11768 Weight: eval.HandlerWeight, 11769 }, nil 11770 case "rmdir.file.path.length": 11771 return &eval.IntEvaluator{ 11772 OpOverrides: ProcessSymlinkPathname, 11773 EvalFnc: func(ctx *eval.Context) int { 11774 ev := ctx.Event.(*Event) 11775 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Rmdir.File)) 11776 }, 11777 Field: field, 11778 Weight: eval.HandlerWeight, 11779 }, nil 11780 case "rmdir.file.rights": 11781 return &eval.IntEvaluator{ 11782 EvalFnc: func(ctx *eval.Context) int { 11783 ev := ctx.Event.(*Event) 11784 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Rmdir.File.FileFields)) 11785 }, 11786 Field: field, 11787 Weight: eval.HandlerWeight, 11788 }, nil 11789 case "rmdir.file.uid": 11790 return &eval.IntEvaluator{ 11791 EvalFnc: func(ctx *eval.Context) int { 11792 ev := ctx.Event.(*Event) 11793 return int(ev.Rmdir.File.FileFields.UID) 11794 }, 11795 Field: field, 11796 Weight: eval.FunctionWeight, 11797 }, nil 11798 case "rmdir.file.user": 11799 return &eval.StringEvaluator{ 11800 EvalFnc: func(ctx *eval.Context) string { 11801 ev := ctx.Event.(*Event) 11802 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rmdir.File.FileFields) 11803 }, 11804 Field: field, 11805 Weight: eval.HandlerWeight, 11806 }, nil 11807 case "rmdir.retval": 11808 return &eval.IntEvaluator{ 11809 EvalFnc: func(ctx *eval.Context) int { 11810 ev := ctx.Event.(*Event) 11811 return int(ev.Rmdir.SyscallEvent.Retval) 11812 }, 11813 Field: field, 11814 Weight: eval.FunctionWeight, 11815 }, nil 11816 case "selinux.bool.name": 11817 return &eval.StringEvaluator{ 11818 EvalFnc: func(ctx *eval.Context) string { 11819 ev := ctx.Event.(*Event) 11820 return ev.FieldHandlers.ResolveSELinuxBoolName(ev, &ev.SELinux) 11821 }, 11822 Field: field, 11823 Weight: eval.HandlerWeight, 11824 }, nil 11825 case "selinux.bool.state": 11826 return &eval.StringEvaluator{ 11827 EvalFnc: func(ctx *eval.Context) string { 
11828 ev := ctx.Event.(*Event) 11829 return ev.SELinux.BoolChangeValue 11830 }, 11831 Field: field, 11832 Weight: eval.FunctionWeight, 11833 }, nil 11834 case "selinux.bool_commit.state": 11835 return &eval.BoolEvaluator{ 11836 EvalFnc: func(ctx *eval.Context) bool { 11837 ev := ctx.Event.(*Event) 11838 return ev.SELinux.BoolCommitValue 11839 }, 11840 Field: field, 11841 Weight: eval.FunctionWeight, 11842 }, nil 11843 case "selinux.enforce.status": 11844 return &eval.StringEvaluator{ 11845 EvalFnc: func(ctx *eval.Context) string { 11846 ev := ctx.Event.(*Event) 11847 return ev.SELinux.EnforceStatus 11848 }, 11849 Field: field, 11850 Weight: eval.FunctionWeight, 11851 }, nil 11852 case "setgid.egid": 11853 return &eval.IntEvaluator{ 11854 EvalFnc: func(ctx *eval.Context) int { 11855 ev := ctx.Event.(*Event) 11856 return int(ev.SetGID.EGID) 11857 }, 11858 Field: field, 11859 Weight: eval.FunctionWeight, 11860 }, nil 11861 case "setgid.egroup": 11862 return &eval.StringEvaluator{ 11863 EvalFnc: func(ctx *eval.Context) string { 11864 ev := ctx.Event.(*Event) 11865 return ev.FieldHandlers.ResolveSetgidEGroup(ev, &ev.SetGID) 11866 }, 11867 Field: field, 11868 Weight: eval.HandlerWeight, 11869 }, nil 11870 case "setgid.fsgid": 11871 return &eval.IntEvaluator{ 11872 EvalFnc: func(ctx *eval.Context) int { 11873 ev := ctx.Event.(*Event) 11874 return int(ev.SetGID.FSGID) 11875 }, 11876 Field: field, 11877 Weight: eval.FunctionWeight, 11878 }, nil 11879 case "setgid.fsgroup": 11880 return &eval.StringEvaluator{ 11881 EvalFnc: func(ctx *eval.Context) string { 11882 ev := ctx.Event.(*Event) 11883 return ev.FieldHandlers.ResolveSetgidFSGroup(ev, &ev.SetGID) 11884 }, 11885 Field: field, 11886 Weight: eval.HandlerWeight, 11887 }, nil 11888 case "setgid.gid": 11889 return &eval.IntEvaluator{ 11890 EvalFnc: func(ctx *eval.Context) int { 11891 ev := ctx.Event.(*Event) 11892 return int(ev.SetGID.GID) 11893 }, 11894 Field: field, 11895 Weight: eval.FunctionWeight, 11896 }, nil 11897 
case "setgid.group": 11898 return &eval.StringEvaluator{ 11899 EvalFnc: func(ctx *eval.Context) string { 11900 ev := ctx.Event.(*Event) 11901 return ev.FieldHandlers.ResolveSetgidGroup(ev, &ev.SetGID) 11902 }, 11903 Field: field, 11904 Weight: eval.HandlerWeight, 11905 }, nil 11906 case "setuid.euid": 11907 return &eval.IntEvaluator{ 11908 EvalFnc: func(ctx *eval.Context) int { 11909 ev := ctx.Event.(*Event) 11910 return int(ev.SetUID.EUID) 11911 }, 11912 Field: field, 11913 Weight: eval.FunctionWeight, 11914 }, nil 11915 case "setuid.euser": 11916 return &eval.StringEvaluator{ 11917 EvalFnc: func(ctx *eval.Context) string { 11918 ev := ctx.Event.(*Event) 11919 return ev.FieldHandlers.ResolveSetuidEUser(ev, &ev.SetUID) 11920 }, 11921 Field: field, 11922 Weight: eval.HandlerWeight, 11923 }, nil 11924 case "setuid.fsuid": 11925 return &eval.IntEvaluator{ 11926 EvalFnc: func(ctx *eval.Context) int { 11927 ev := ctx.Event.(*Event) 11928 return int(ev.SetUID.FSUID) 11929 }, 11930 Field: field, 11931 Weight: eval.FunctionWeight, 11932 }, nil 11933 case "setuid.fsuser": 11934 return &eval.StringEvaluator{ 11935 EvalFnc: func(ctx *eval.Context) string { 11936 ev := ctx.Event.(*Event) 11937 return ev.FieldHandlers.ResolveSetuidFSUser(ev, &ev.SetUID) 11938 }, 11939 Field: field, 11940 Weight: eval.HandlerWeight, 11941 }, nil 11942 case "setuid.uid": 11943 return &eval.IntEvaluator{ 11944 EvalFnc: func(ctx *eval.Context) int { 11945 ev := ctx.Event.(*Event) 11946 return int(ev.SetUID.UID) 11947 }, 11948 Field: field, 11949 Weight: eval.FunctionWeight, 11950 }, nil 11951 case "setuid.user": 11952 return &eval.StringEvaluator{ 11953 EvalFnc: func(ctx *eval.Context) string { 11954 ev := ctx.Event.(*Event) 11955 return ev.FieldHandlers.ResolveSetuidUser(ev, &ev.SetUID) 11956 }, 11957 Field: field, 11958 Weight: eval.HandlerWeight, 11959 }, nil 11960 case "setxattr.file.change_time": 11961 return &eval.IntEvaluator{ 11962 EvalFnc: func(ctx *eval.Context) int { 11963 ev := 
ctx.Event.(*Event) 11964 return int(ev.SetXAttr.File.FileFields.CTime) 11965 }, 11966 Field: field, 11967 Weight: eval.FunctionWeight, 11968 }, nil 11969 case "setxattr.file.destination.name": 11970 return &eval.StringEvaluator{ 11971 EvalFnc: func(ctx *eval.Context) string { 11972 ev := ctx.Event.(*Event) 11973 return ev.FieldHandlers.ResolveXAttrName(ev, &ev.SetXAttr) 11974 }, 11975 Field: field, 11976 Weight: eval.HandlerWeight, 11977 }, nil 11978 case "setxattr.file.destination.namespace": 11979 return &eval.StringEvaluator{ 11980 EvalFnc: func(ctx *eval.Context) string { 11981 ev := ctx.Event.(*Event) 11982 return ev.FieldHandlers.ResolveXAttrNamespace(ev, &ev.SetXAttr) 11983 }, 11984 Field: field, 11985 Weight: eval.HandlerWeight, 11986 }, nil 11987 case "setxattr.file.filesystem": 11988 return &eval.StringEvaluator{ 11989 EvalFnc: func(ctx *eval.Context) string { 11990 ev := ctx.Event.(*Event) 11991 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.SetXAttr.File) 11992 }, 11993 Field: field, 11994 Weight: eval.HandlerWeight, 11995 }, nil 11996 case "setxattr.file.gid": 11997 return &eval.IntEvaluator{ 11998 EvalFnc: func(ctx *eval.Context) int { 11999 ev := ctx.Event.(*Event) 12000 return int(ev.SetXAttr.File.FileFields.GID) 12001 }, 12002 Field: field, 12003 Weight: eval.FunctionWeight, 12004 }, nil 12005 case "setxattr.file.group": 12006 return &eval.StringEvaluator{ 12007 EvalFnc: func(ctx *eval.Context) string { 12008 ev := ctx.Event.(*Event) 12009 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.SetXAttr.File.FileFields) 12010 }, 12011 Field: field, 12012 Weight: eval.HandlerWeight, 12013 }, nil 12014 case "setxattr.file.hashes": 12015 return &eval.StringArrayEvaluator{ 12016 EvalFnc: func(ctx *eval.Context) []string { 12017 ev := ctx.Event.(*Event) 12018 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.SetXAttr.File) 12019 }, 12020 Field: field, 12021 Weight: 999 * eval.HandlerWeight, 12022 }, nil 12023 case 
"setxattr.file.in_upper_layer": 12024 return &eval.BoolEvaluator{ 12025 EvalFnc: func(ctx *eval.Context) bool { 12026 ev := ctx.Event.(*Event) 12027 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.SetXAttr.File.FileFields) 12028 }, 12029 Field: field, 12030 Weight: eval.HandlerWeight, 12031 }, nil 12032 case "setxattr.file.inode": 12033 return &eval.IntEvaluator{ 12034 EvalFnc: func(ctx *eval.Context) int { 12035 ev := ctx.Event.(*Event) 12036 return int(ev.SetXAttr.File.FileFields.PathKey.Inode) 12037 }, 12038 Field: field, 12039 Weight: eval.FunctionWeight, 12040 }, nil 12041 case "setxattr.file.mode": 12042 return &eval.IntEvaluator{ 12043 EvalFnc: func(ctx *eval.Context) int { 12044 ev := ctx.Event.(*Event) 12045 return int(ev.SetXAttr.File.FileFields.Mode) 12046 }, 12047 Field: field, 12048 Weight: eval.FunctionWeight, 12049 }, nil 12050 case "setxattr.file.modification_time": 12051 return &eval.IntEvaluator{ 12052 EvalFnc: func(ctx *eval.Context) int { 12053 ev := ctx.Event.(*Event) 12054 return int(ev.SetXAttr.File.FileFields.MTime) 12055 }, 12056 Field: field, 12057 Weight: eval.FunctionWeight, 12058 }, nil 12059 case "setxattr.file.mount_id": 12060 return &eval.IntEvaluator{ 12061 EvalFnc: func(ctx *eval.Context) int { 12062 ev := ctx.Event.(*Event) 12063 return int(ev.SetXAttr.File.FileFields.PathKey.MountID) 12064 }, 12065 Field: field, 12066 Weight: eval.FunctionWeight, 12067 }, nil 12068 case "setxattr.file.name": 12069 return &eval.StringEvaluator{ 12070 OpOverrides: ProcessSymlinkBasename, 12071 EvalFnc: func(ctx *eval.Context) string { 12072 ev := ctx.Event.(*Event) 12073 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.SetXAttr.File) 12074 }, 12075 Field: field, 12076 Weight: eval.HandlerWeight, 12077 }, nil 12078 case "setxattr.file.name.length": 12079 return &eval.IntEvaluator{ 12080 OpOverrides: ProcessSymlinkBasename, 12081 EvalFnc: func(ctx *eval.Context) int { 12082 ev := ctx.Event.(*Event) 12083 return 
len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.SetXAttr.File)) 12084 }, 12085 Field: field, 12086 Weight: eval.HandlerWeight, 12087 }, nil 12088 case "setxattr.file.package.name": 12089 return &eval.StringEvaluator{ 12090 EvalFnc: func(ctx *eval.Context) string { 12091 ev := ctx.Event.(*Event) 12092 return ev.FieldHandlers.ResolvePackageName(ev, &ev.SetXAttr.File) 12093 }, 12094 Field: field, 12095 Weight: eval.HandlerWeight, 12096 }, nil 12097 case "setxattr.file.package.source_version": 12098 return &eval.StringEvaluator{ 12099 EvalFnc: func(ctx *eval.Context) string { 12100 ev := ctx.Event.(*Event) 12101 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.SetXAttr.File) 12102 }, 12103 Field: field, 12104 Weight: eval.HandlerWeight, 12105 }, nil 12106 case "setxattr.file.package.version": 12107 return &eval.StringEvaluator{ 12108 EvalFnc: func(ctx *eval.Context) string { 12109 ev := ctx.Event.(*Event) 12110 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.SetXAttr.File) 12111 }, 12112 Field: field, 12113 Weight: eval.HandlerWeight, 12114 }, nil 12115 case "setxattr.file.path": 12116 return &eval.StringEvaluator{ 12117 OpOverrides: ProcessSymlinkPathname, 12118 EvalFnc: func(ctx *eval.Context) string { 12119 ev := ctx.Event.(*Event) 12120 return ev.FieldHandlers.ResolveFilePath(ev, &ev.SetXAttr.File) 12121 }, 12122 Field: field, 12123 Weight: eval.HandlerWeight, 12124 }, nil 12125 case "setxattr.file.path.length": 12126 return &eval.IntEvaluator{ 12127 OpOverrides: ProcessSymlinkPathname, 12128 EvalFnc: func(ctx *eval.Context) int { 12129 ev := ctx.Event.(*Event) 12130 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.SetXAttr.File)) 12131 }, 12132 Field: field, 12133 Weight: eval.HandlerWeight, 12134 }, nil 12135 case "setxattr.file.rights": 12136 return &eval.IntEvaluator{ 12137 EvalFnc: func(ctx *eval.Context) int { 12138 ev := ctx.Event.(*Event) 12139 return int(ev.FieldHandlers.ResolveRights(ev, &ev.SetXAttr.File.FileFields)) 12140 }, 12141 
Field: field, 12142 Weight: eval.HandlerWeight, 12143 }, nil 12144 case "setxattr.file.uid": 12145 return &eval.IntEvaluator{ 12146 EvalFnc: func(ctx *eval.Context) int { 12147 ev := ctx.Event.(*Event) 12148 return int(ev.SetXAttr.File.FileFields.UID) 12149 }, 12150 Field: field, 12151 Weight: eval.FunctionWeight, 12152 }, nil 12153 case "setxattr.file.user": 12154 return &eval.StringEvaluator{ 12155 EvalFnc: func(ctx *eval.Context) string { 12156 ev := ctx.Event.(*Event) 12157 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.SetXAttr.File.FileFields) 12158 }, 12159 Field: field, 12160 Weight: eval.HandlerWeight, 12161 }, nil 12162 case "setxattr.retval": 12163 return &eval.IntEvaluator{ 12164 EvalFnc: func(ctx *eval.Context) int { 12165 ev := ctx.Event.(*Event) 12166 return int(ev.SetXAttr.SyscallEvent.Retval) 12167 }, 12168 Field: field, 12169 Weight: eval.FunctionWeight, 12170 }, nil 12171 case "signal.pid": 12172 return &eval.IntEvaluator{ 12173 EvalFnc: func(ctx *eval.Context) int { 12174 ev := ctx.Event.(*Event) 12175 return int(ev.Signal.PID) 12176 }, 12177 Field: field, 12178 Weight: eval.FunctionWeight, 12179 }, nil 12180 case "signal.retval": 12181 return &eval.IntEvaluator{ 12182 EvalFnc: func(ctx *eval.Context) int { 12183 ev := ctx.Event.(*Event) 12184 return int(ev.Signal.SyscallEvent.Retval) 12185 }, 12186 Field: field, 12187 Weight: eval.FunctionWeight, 12188 }, nil 12189 case "signal.target.ancestors.args": 12190 return &eval.StringArrayEvaluator{ 12191 EvalFnc: func(ctx *eval.Context) []string { 12192 ev := ctx.Event.(*Event) 12193 if result, ok := ctx.StringCache[field]; ok { 12194 return result 12195 } 12196 var results []string 12197 iterator := &ProcessAncestorsIterator{} 12198 value := iterator.Front(ctx) 12199 for value != nil { 12200 element := (*ProcessCacheEntry)(value) 12201 result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process) 12202 results = append(results, result) 12203 value = iterator.Next() 12204 } 
12205 ctx.StringCache[field] = results 12206 return results 12207 }, Field: field, 12208 Weight: 500 * eval.IteratorWeight, 12209 }, nil 12210 case "signal.target.ancestors.args_flags": 12211 return &eval.StringArrayEvaluator{ 12212 EvalFnc: func(ctx *eval.Context) []string { 12213 ev := ctx.Event.(*Event) 12214 if result, ok := ctx.StringCache[field]; ok { 12215 return result 12216 } 12217 var results []string 12218 iterator := &ProcessAncestorsIterator{} 12219 value := iterator.Front(ctx) 12220 for value != nil { 12221 element := (*ProcessCacheEntry)(value) 12222 result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process) 12223 results = append(results, result...) 12224 value = iterator.Next() 12225 } 12226 ctx.StringCache[field] = results 12227 return results 12228 }, Field: field, 12229 Weight: eval.IteratorWeight, 12230 }, nil 12231 case "signal.target.ancestors.args_options": 12232 return &eval.StringArrayEvaluator{ 12233 EvalFnc: func(ctx *eval.Context) []string { 12234 ev := ctx.Event.(*Event) 12235 if result, ok := ctx.StringCache[field]; ok { 12236 return result 12237 } 12238 var results []string 12239 iterator := &ProcessAncestorsIterator{} 12240 value := iterator.Front(ctx) 12241 for value != nil { 12242 element := (*ProcessCacheEntry)(value) 12243 result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process) 12244 results = append(results, result...) 
12245 value = iterator.Next() 12246 } 12247 ctx.StringCache[field] = results 12248 return results 12249 }, Field: field, 12250 Weight: eval.IteratorWeight, 12251 }, nil 12252 case "signal.target.ancestors.args_truncated": 12253 return &eval.BoolArrayEvaluator{ 12254 EvalFnc: func(ctx *eval.Context) []bool { 12255 ev := ctx.Event.(*Event) 12256 if result, ok := ctx.BoolCache[field]; ok { 12257 return result 12258 } 12259 var results []bool 12260 iterator := &ProcessAncestorsIterator{} 12261 value := iterator.Front(ctx) 12262 for value != nil { 12263 element := (*ProcessCacheEntry)(value) 12264 result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process) 12265 results = append(results, result) 12266 value = iterator.Next() 12267 } 12268 ctx.BoolCache[field] = results 12269 return results 12270 }, Field: field, 12271 Weight: eval.IteratorWeight, 12272 }, nil 12273 case "signal.target.ancestors.argv": 12274 return &eval.StringArrayEvaluator{ 12275 EvalFnc: func(ctx *eval.Context) []string { 12276 ev := ctx.Event.(*Event) 12277 if result, ok := ctx.StringCache[field]; ok { 12278 return result 12279 } 12280 var results []string 12281 iterator := &ProcessAncestorsIterator{} 12282 value := iterator.Front(ctx) 12283 for value != nil { 12284 element := (*ProcessCacheEntry)(value) 12285 result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process) 12286 results = append(results, result...) 
12287 value = iterator.Next() 12288 } 12289 ctx.StringCache[field] = results 12290 return results 12291 }, Field: field, 12292 Weight: 500 * eval.IteratorWeight, 12293 }, nil 12294 case "signal.target.ancestors.argv0": 12295 return &eval.StringArrayEvaluator{ 12296 EvalFnc: func(ctx *eval.Context) []string { 12297 ev := ctx.Event.(*Event) 12298 if result, ok := ctx.StringCache[field]; ok { 12299 return result 12300 } 12301 var results []string 12302 iterator := &ProcessAncestorsIterator{} 12303 value := iterator.Front(ctx) 12304 for value != nil { 12305 element := (*ProcessCacheEntry)(value) 12306 result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process) 12307 results = append(results, result) 12308 value = iterator.Next() 12309 } 12310 ctx.StringCache[field] = results 12311 return results 12312 }, Field: field, 12313 Weight: 100 * eval.IteratorWeight, 12314 }, nil 12315 case "signal.target.ancestors.cap_effective": 12316 return &eval.IntArrayEvaluator{ 12317 EvalFnc: func(ctx *eval.Context) []int { 12318 if result, ok := ctx.IntCache[field]; ok { 12319 return result 12320 } 12321 var results []int 12322 iterator := &ProcessAncestorsIterator{} 12323 value := iterator.Front(ctx) 12324 for value != nil { 12325 element := (*ProcessCacheEntry)(value) 12326 result := int(element.ProcessContext.Process.Credentials.CapEffective) 12327 results = append(results, result) 12328 value = iterator.Next() 12329 } 12330 ctx.IntCache[field] = results 12331 return results 12332 }, Field: field, 12333 Weight: eval.IteratorWeight, 12334 }, nil 12335 case "signal.target.ancestors.cap_permitted": 12336 return &eval.IntArrayEvaluator{ 12337 EvalFnc: func(ctx *eval.Context) []int { 12338 if result, ok := ctx.IntCache[field]; ok { 12339 return result 12340 } 12341 var results []int 12342 iterator := &ProcessAncestorsIterator{} 12343 value := iterator.Front(ctx) 12344 for value != nil { 12345 element := (*ProcessCacheEntry)(value) 12346 result := 
int(element.ProcessContext.Process.Credentials.CapPermitted) 12347 results = append(results, result) 12348 value = iterator.Next() 12349 } 12350 ctx.IntCache[field] = results 12351 return results 12352 }, Field: field, 12353 Weight: eval.IteratorWeight, 12354 }, nil 12355 case "signal.target.ancestors.comm": 12356 return &eval.StringArrayEvaluator{ 12357 EvalFnc: func(ctx *eval.Context) []string { 12358 if result, ok := ctx.StringCache[field]; ok { 12359 return result 12360 } 12361 var results []string 12362 iterator := &ProcessAncestorsIterator{} 12363 value := iterator.Front(ctx) 12364 for value != nil { 12365 element := (*ProcessCacheEntry)(value) 12366 result := element.ProcessContext.Process.Comm 12367 results = append(results, result) 12368 value = iterator.Next() 12369 } 12370 ctx.StringCache[field] = results 12371 return results 12372 }, Field: field, 12373 Weight: eval.IteratorWeight, 12374 }, nil 12375 case "signal.target.ancestors.container.id": 12376 return &eval.StringArrayEvaluator{ 12377 EvalFnc: func(ctx *eval.Context) []string { 12378 if result, ok := ctx.StringCache[field]; ok { 12379 return result 12380 } 12381 var results []string 12382 iterator := &ProcessAncestorsIterator{} 12383 value := iterator.Front(ctx) 12384 for value != nil { 12385 element := (*ProcessCacheEntry)(value) 12386 result := element.ProcessContext.Process.ContainerID 12387 results = append(results, result) 12388 value = iterator.Next() 12389 } 12390 ctx.StringCache[field] = results 12391 return results 12392 }, Field: field, 12393 Weight: eval.IteratorWeight, 12394 }, nil 12395 case "signal.target.ancestors.created_at": 12396 return &eval.IntArrayEvaluator{ 12397 EvalFnc: func(ctx *eval.Context) []int { 12398 ev := ctx.Event.(*Event) 12399 if result, ok := ctx.IntCache[field]; ok { 12400 return result 12401 } 12402 var results []int 12403 iterator := &ProcessAncestorsIterator{} 12404 value := iterator.Front(ctx) 12405 for value != nil { 12406 element := 
(*ProcessCacheEntry)(value) 12407 result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process)) 12408 results = append(results, result) 12409 value = iterator.Next() 12410 } 12411 ctx.IntCache[field] = results 12412 return results 12413 }, Field: field, 12414 Weight: eval.IteratorWeight, 12415 }, nil 12416 case "signal.target.ancestors.egid": 12417 return &eval.IntArrayEvaluator{ 12418 EvalFnc: func(ctx *eval.Context) []int { 12419 if result, ok := ctx.IntCache[field]; ok { 12420 return result 12421 } 12422 var results []int 12423 iterator := &ProcessAncestorsIterator{} 12424 value := iterator.Front(ctx) 12425 for value != nil { 12426 element := (*ProcessCacheEntry)(value) 12427 result := int(element.ProcessContext.Process.Credentials.EGID) 12428 results = append(results, result) 12429 value = iterator.Next() 12430 } 12431 ctx.IntCache[field] = results 12432 return results 12433 }, Field: field, 12434 Weight: eval.IteratorWeight, 12435 }, nil 12436 case "signal.target.ancestors.egroup": 12437 return &eval.StringArrayEvaluator{ 12438 EvalFnc: func(ctx *eval.Context) []string { 12439 if result, ok := ctx.StringCache[field]; ok { 12440 return result 12441 } 12442 var results []string 12443 iterator := &ProcessAncestorsIterator{} 12444 value := iterator.Front(ctx) 12445 for value != nil { 12446 element := (*ProcessCacheEntry)(value) 12447 result := element.ProcessContext.Process.Credentials.EGroup 12448 results = append(results, result) 12449 value = iterator.Next() 12450 } 12451 ctx.StringCache[field] = results 12452 return results 12453 }, Field: field, 12454 Weight: eval.IteratorWeight, 12455 }, nil 12456 case "signal.target.ancestors.envp": 12457 return &eval.StringArrayEvaluator{ 12458 EvalFnc: func(ctx *eval.Context) []string { 12459 ev := ctx.Event.(*Event) 12460 if result, ok := ctx.StringCache[field]; ok { 12461 return result 12462 } 12463 var results []string 12464 iterator := &ProcessAncestorsIterator{} 12465 value := 
iterator.Front(ctx) 12466 for value != nil { 12467 element := (*ProcessCacheEntry)(value) 12468 result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) 12469 results = append(results, result...) 12470 value = iterator.Next() 12471 } 12472 ctx.StringCache[field] = results 12473 return results 12474 }, Field: field, 12475 Weight: 100 * eval.IteratorWeight, 12476 }, nil 12477 case "signal.target.ancestors.envs": 12478 return &eval.StringArrayEvaluator{ 12479 EvalFnc: func(ctx *eval.Context) []string { 12480 ev := ctx.Event.(*Event) 12481 if result, ok := ctx.StringCache[field]; ok { 12482 return result 12483 } 12484 var results []string 12485 iterator := &ProcessAncestorsIterator{} 12486 value := iterator.Front(ctx) 12487 for value != nil { 12488 element := (*ProcessCacheEntry)(value) 12489 result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process) 12490 results = append(results, result...) 12491 value = iterator.Next() 12492 } 12493 ctx.StringCache[field] = results 12494 return results 12495 }, Field: field, 12496 Weight: 100 * eval.IteratorWeight, 12497 }, nil 12498 case "signal.target.ancestors.envs_truncated": 12499 return &eval.BoolArrayEvaluator{ 12500 EvalFnc: func(ctx *eval.Context) []bool { 12501 ev := ctx.Event.(*Event) 12502 if result, ok := ctx.BoolCache[field]; ok { 12503 return result 12504 } 12505 var results []bool 12506 iterator := &ProcessAncestorsIterator{} 12507 value := iterator.Front(ctx) 12508 for value != nil { 12509 element := (*ProcessCacheEntry)(value) 12510 result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process) 12511 results = append(results, result) 12512 value = iterator.Next() 12513 } 12514 ctx.BoolCache[field] = results 12515 return results 12516 }, Field: field, 12517 Weight: eval.IteratorWeight, 12518 }, nil 12519 case "signal.target.ancestors.euid": 12520 return &eval.IntArrayEvaluator{ 12521 EvalFnc: func(ctx *eval.Context) []int { 12522 if 
result, ok := ctx.IntCache[field]; ok { 12523 return result 12524 } 12525 var results []int 12526 iterator := &ProcessAncestorsIterator{} 12527 value := iterator.Front(ctx) 12528 for value != nil { 12529 element := (*ProcessCacheEntry)(value) 12530 result := int(element.ProcessContext.Process.Credentials.EUID) 12531 results = append(results, result) 12532 value = iterator.Next() 12533 } 12534 ctx.IntCache[field] = results 12535 return results 12536 }, Field: field, 12537 Weight: eval.IteratorWeight, 12538 }, nil 12539 case "signal.target.ancestors.euser": 12540 return &eval.StringArrayEvaluator{ 12541 EvalFnc: func(ctx *eval.Context) []string { 12542 if result, ok := ctx.StringCache[field]; ok { 12543 return result 12544 } 12545 var results []string 12546 iterator := &ProcessAncestorsIterator{} 12547 value := iterator.Front(ctx) 12548 for value != nil { 12549 element := (*ProcessCacheEntry)(value) 12550 result := element.ProcessContext.Process.Credentials.EUser 12551 results = append(results, result) 12552 value = iterator.Next() 12553 } 12554 ctx.StringCache[field] = results 12555 return results 12556 }, Field: field, 12557 Weight: eval.IteratorWeight, 12558 }, nil 12559 case "signal.target.ancestors.file.change_time": 12560 return &eval.IntArrayEvaluator{ 12561 EvalFnc: func(ctx *eval.Context) []int { 12562 if result, ok := ctx.IntCache[field]; ok { 12563 return result 12564 } 12565 var results []int 12566 iterator := &ProcessAncestorsIterator{} 12567 value := iterator.Front(ctx) 12568 for value != nil { 12569 element := (*ProcessCacheEntry)(value) 12570 if !element.ProcessContext.Process.IsNotKworker() { 12571 results = append(results, 0) 12572 value = iterator.Next() 12573 continue 12574 } 12575 result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime) 12576 results = append(results, result) 12577 value = iterator.Next() 12578 } 12579 ctx.IntCache[field] = results 12580 return results 12581 }, Field: field, 12582 Weight: eval.IteratorWeight, 
12583 }, nil 12584 case "signal.target.ancestors.file.filesystem": 12585 return &eval.StringArrayEvaluator{ 12586 EvalFnc: func(ctx *eval.Context) []string { 12587 ev := ctx.Event.(*Event) 12588 if result, ok := ctx.StringCache[field]; ok { 12589 return result 12590 } 12591 var results []string 12592 iterator := &ProcessAncestorsIterator{} 12593 value := iterator.Front(ctx) 12594 for value != nil { 12595 element := (*ProcessCacheEntry)(value) 12596 if !element.ProcessContext.Process.IsNotKworker() { 12597 results = append(results, "") 12598 value = iterator.Next() 12599 continue 12600 } 12601 result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent) 12602 results = append(results, result) 12603 value = iterator.Next() 12604 } 12605 ctx.StringCache[field] = results 12606 return results 12607 }, Field: field, 12608 Weight: eval.IteratorWeight, 12609 }, nil 12610 case "signal.target.ancestors.file.gid": 12611 return &eval.IntArrayEvaluator{ 12612 EvalFnc: func(ctx *eval.Context) []int { 12613 if result, ok := ctx.IntCache[field]; ok { 12614 return result 12615 } 12616 var results []int 12617 iterator := &ProcessAncestorsIterator{} 12618 value := iterator.Front(ctx) 12619 for value != nil { 12620 element := (*ProcessCacheEntry)(value) 12621 if !element.ProcessContext.Process.IsNotKworker() { 12622 results = append(results, 0) 12623 value = iterator.Next() 12624 continue 12625 } 12626 result := int(element.ProcessContext.Process.FileEvent.FileFields.GID) 12627 results = append(results, result) 12628 value = iterator.Next() 12629 } 12630 ctx.IntCache[field] = results 12631 return results 12632 }, Field: field, 12633 Weight: eval.IteratorWeight, 12634 }, nil 12635 case "signal.target.ancestors.file.group": 12636 return &eval.StringArrayEvaluator{ 12637 EvalFnc: func(ctx *eval.Context) []string { 12638 ev := ctx.Event.(*Event) 12639 if result, ok := ctx.StringCache[field]; ok { 12640 return result 12641 } 12642 var results []string 
12643 iterator := &ProcessAncestorsIterator{} 12644 value := iterator.Front(ctx) 12645 for value != nil { 12646 element := (*ProcessCacheEntry)(value) 12647 if !element.ProcessContext.Process.IsNotKworker() { 12648 results = append(results, "") 12649 value = iterator.Next() 12650 continue 12651 } 12652 result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields) 12653 results = append(results, result) 12654 value = iterator.Next() 12655 } 12656 ctx.StringCache[field] = results 12657 return results 12658 }, Field: field, 12659 Weight: eval.IteratorWeight, 12660 }, nil 12661 case "signal.target.ancestors.file.hashes": 12662 return &eval.StringArrayEvaluator{ 12663 EvalFnc: func(ctx *eval.Context) []string { 12664 ev := ctx.Event.(*Event) 12665 if result, ok := ctx.StringCache[field]; ok { 12666 return result 12667 } 12668 var results []string 12669 iterator := &ProcessAncestorsIterator{} 12670 value := iterator.Front(ctx) 12671 for value != nil { 12672 element := (*ProcessCacheEntry)(value) 12673 if !element.ProcessContext.Process.IsNotKworker() { 12674 results = append(results, "") 12675 value = iterator.Next() 12676 continue 12677 } 12678 result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent) 12679 results = append(results, result...) 
12680 value = iterator.Next() 12681 } 12682 ctx.StringCache[field] = results 12683 return results 12684 }, Field: field, 12685 Weight: 999 * eval.IteratorWeight, 12686 }, nil 12687 case "signal.target.ancestors.file.in_upper_layer": 12688 return &eval.BoolArrayEvaluator{ 12689 EvalFnc: func(ctx *eval.Context) []bool { 12690 ev := ctx.Event.(*Event) 12691 if result, ok := ctx.BoolCache[field]; ok { 12692 return result 12693 } 12694 var results []bool 12695 iterator := &ProcessAncestorsIterator{} 12696 value := iterator.Front(ctx) 12697 for value != nil { 12698 element := (*ProcessCacheEntry)(value) 12699 if !element.ProcessContext.Process.IsNotKworker() { 12700 results = append(results, false) 12701 value = iterator.Next() 12702 continue 12703 } 12704 result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields) 12705 results = append(results, result) 12706 value = iterator.Next() 12707 } 12708 ctx.BoolCache[field] = results 12709 return results 12710 }, Field: field, 12711 Weight: eval.IteratorWeight, 12712 }, nil 12713 case "signal.target.ancestors.file.inode": 12714 return &eval.IntArrayEvaluator{ 12715 EvalFnc: func(ctx *eval.Context) []int { 12716 if result, ok := ctx.IntCache[field]; ok { 12717 return result 12718 } 12719 var results []int 12720 iterator := &ProcessAncestorsIterator{} 12721 value := iterator.Front(ctx) 12722 for value != nil { 12723 element := (*ProcessCacheEntry)(value) 12724 if !element.ProcessContext.Process.IsNotKworker() { 12725 results = append(results, 0) 12726 value = iterator.Next() 12727 continue 12728 } 12729 result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) 12730 results = append(results, result) 12731 value = iterator.Next() 12732 } 12733 ctx.IntCache[field] = results 12734 return results 12735 }, Field: field, 12736 Weight: eval.IteratorWeight, 12737 }, nil 12738 case "signal.target.ancestors.file.mode": 12739 return &eval.IntArrayEvaluator{ 12740 
EvalFnc: func(ctx *eval.Context) []int { 12741 if result, ok := ctx.IntCache[field]; ok { 12742 return result 12743 } 12744 var results []int 12745 iterator := &ProcessAncestorsIterator{} 12746 value := iterator.Front(ctx) 12747 for value != nil { 12748 element := (*ProcessCacheEntry)(value) 12749 if !element.ProcessContext.Process.IsNotKworker() { 12750 results = append(results, 0) 12751 value = iterator.Next() 12752 continue 12753 } 12754 result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode) 12755 results = append(results, result) 12756 value = iterator.Next() 12757 } 12758 ctx.IntCache[field] = results 12759 return results 12760 }, Field: field, 12761 Weight: eval.IteratorWeight, 12762 }, nil 12763 case "signal.target.ancestors.file.modification_time": 12764 return &eval.IntArrayEvaluator{ 12765 EvalFnc: func(ctx *eval.Context) []int { 12766 if result, ok := ctx.IntCache[field]; ok { 12767 return result 12768 } 12769 var results []int 12770 iterator := &ProcessAncestorsIterator{} 12771 value := iterator.Front(ctx) 12772 for value != nil { 12773 element := (*ProcessCacheEntry)(value) 12774 if !element.ProcessContext.Process.IsNotKworker() { 12775 results = append(results, 0) 12776 value = iterator.Next() 12777 continue 12778 } 12779 result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime) 12780 results = append(results, result) 12781 value = iterator.Next() 12782 } 12783 ctx.IntCache[field] = results 12784 return results 12785 }, Field: field, 12786 Weight: eval.IteratorWeight, 12787 }, nil 12788 case "signal.target.ancestors.file.mount_id": 12789 return &eval.IntArrayEvaluator{ 12790 EvalFnc: func(ctx *eval.Context) []int { 12791 if result, ok := ctx.IntCache[field]; ok { 12792 return result 12793 } 12794 var results []int 12795 iterator := &ProcessAncestorsIterator{} 12796 value := iterator.Front(ctx) 12797 for value != nil { 12798 element := (*ProcessCacheEntry)(value) 12799 if !element.ProcessContext.Process.IsNotKworker() { 
12800 results = append(results, 0) 12801 value = iterator.Next() 12802 continue 12803 } 12804 result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) 12805 results = append(results, result) 12806 value = iterator.Next() 12807 } 12808 ctx.IntCache[field] = results 12809 return results 12810 }, Field: field, 12811 Weight: eval.IteratorWeight, 12812 }, nil 12813 case "signal.target.ancestors.file.name": 12814 return &eval.StringArrayEvaluator{ 12815 OpOverrides: ProcessSymlinkBasename, 12816 EvalFnc: func(ctx *eval.Context) []string { 12817 ev := ctx.Event.(*Event) 12818 if result, ok := ctx.StringCache[field]; ok { 12819 return result 12820 } 12821 var results []string 12822 iterator := &ProcessAncestorsIterator{} 12823 value := iterator.Front(ctx) 12824 for value != nil { 12825 element := (*ProcessCacheEntry)(value) 12826 if !element.ProcessContext.Process.IsNotKworker() { 12827 results = append(results, "") 12828 value = iterator.Next() 12829 continue 12830 } 12831 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) 12832 results = append(results, result) 12833 value = iterator.Next() 12834 } 12835 ctx.StringCache[field] = results 12836 return results 12837 }, Field: field, 12838 Weight: eval.IteratorWeight, 12839 }, nil 12840 case "signal.target.ancestors.file.name.length": 12841 return &eval.IntArrayEvaluator{ 12842 OpOverrides: ProcessSymlinkBasename, 12843 EvalFnc: func(ctx *eval.Context) []int { 12844 ev := ctx.Event.(*Event) 12845 if result, ok := ctx.IntCache[field]; ok { 12846 return result 12847 } 12848 var results []int 12849 iterator := &ProcessAncestorsIterator{} 12850 value := iterator.Front(ctx) 12851 for value != nil { 12852 element := (*ProcessCacheEntry)(value) 12853 result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)) 12854 results = append(results, result) 12855 value = iterator.Next() 12856 } 12857 ctx.IntCache[field] = results 
12858 return results 12859 }, Field: field, 12860 Weight: eval.IteratorWeight, 12861 }, nil 12862 case "signal.target.ancestors.file.package.name": 12863 return &eval.StringArrayEvaluator{ 12864 EvalFnc: func(ctx *eval.Context) []string { 12865 ev := ctx.Event.(*Event) 12866 if result, ok := ctx.StringCache[field]; ok { 12867 return result 12868 } 12869 var results []string 12870 iterator := &ProcessAncestorsIterator{} 12871 value := iterator.Front(ctx) 12872 for value != nil { 12873 element := (*ProcessCacheEntry)(value) 12874 if !element.ProcessContext.Process.IsNotKworker() { 12875 results = append(results, "") 12876 value = iterator.Next() 12877 continue 12878 } 12879 result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent) 12880 results = append(results, result) 12881 value = iterator.Next() 12882 } 12883 ctx.StringCache[field] = results 12884 return results 12885 }, Field: field, 12886 Weight: eval.IteratorWeight, 12887 }, nil 12888 case "signal.target.ancestors.file.package.source_version": 12889 return &eval.StringArrayEvaluator{ 12890 EvalFnc: func(ctx *eval.Context) []string { 12891 ev := ctx.Event.(*Event) 12892 if result, ok := ctx.StringCache[field]; ok { 12893 return result 12894 } 12895 var results []string 12896 iterator := &ProcessAncestorsIterator{} 12897 value := iterator.Front(ctx) 12898 for value != nil { 12899 element := (*ProcessCacheEntry)(value) 12900 if !element.ProcessContext.Process.IsNotKworker() { 12901 results = append(results, "") 12902 value = iterator.Next() 12903 continue 12904 } 12905 result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent) 12906 results = append(results, result) 12907 value = iterator.Next() 12908 } 12909 ctx.StringCache[field] = results 12910 return results 12911 }, Field: field, 12912 Weight: eval.IteratorWeight, 12913 }, nil 12914 case "signal.target.ancestors.file.package.version": 12915 return &eval.StringArrayEvaluator{ 12916 
EvalFnc: func(ctx *eval.Context) []string { 12917 ev := ctx.Event.(*Event) 12918 if result, ok := ctx.StringCache[field]; ok { 12919 return result 12920 } 12921 var results []string 12922 iterator := &ProcessAncestorsIterator{} 12923 value := iterator.Front(ctx) 12924 for value != nil { 12925 element := (*ProcessCacheEntry)(value) 12926 if !element.ProcessContext.Process.IsNotKworker() { 12927 results = append(results, "") 12928 value = iterator.Next() 12929 continue 12930 } 12931 result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent) 12932 results = append(results, result) 12933 value = iterator.Next() 12934 } 12935 ctx.StringCache[field] = results 12936 return results 12937 }, Field: field, 12938 Weight: eval.IteratorWeight, 12939 }, nil 12940 case "signal.target.ancestors.file.path": 12941 return &eval.StringArrayEvaluator{ 12942 OpOverrides: ProcessSymlinkPathname, 12943 EvalFnc: func(ctx *eval.Context) []string { 12944 ev := ctx.Event.(*Event) 12945 if result, ok := ctx.StringCache[field]; ok { 12946 return result 12947 } 12948 var results []string 12949 iterator := &ProcessAncestorsIterator{} 12950 value := iterator.Front(ctx) 12951 for value != nil { 12952 element := (*ProcessCacheEntry)(value) 12953 if !element.ProcessContext.Process.IsNotKworker() { 12954 results = append(results, "") 12955 value = iterator.Next() 12956 continue 12957 } 12958 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) 12959 results = append(results, result) 12960 value = iterator.Next() 12961 } 12962 ctx.StringCache[field] = results 12963 return results 12964 }, Field: field, 12965 Weight: eval.IteratorWeight, 12966 }, nil 12967 case "signal.target.ancestors.file.path.length": 12968 return &eval.IntArrayEvaluator{ 12969 OpOverrides: ProcessSymlinkPathname, 12970 EvalFnc: func(ctx *eval.Context) []int { 12971 ev := ctx.Event.(*Event) 12972 if result, ok := ctx.IntCache[field]; ok { 12973 return result 
12974 } 12975 var results []int 12976 iterator := &ProcessAncestorsIterator{} 12977 value := iterator.Front(ctx) 12978 for value != nil { 12979 element := (*ProcessCacheEntry)(value) 12980 result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)) 12981 results = append(results, result) 12982 value = iterator.Next() 12983 } 12984 ctx.IntCache[field] = results 12985 return results 12986 }, Field: field, 12987 Weight: eval.IteratorWeight, 12988 }, nil 12989 case "signal.target.ancestors.file.rights": 12990 return &eval.IntArrayEvaluator{ 12991 EvalFnc: func(ctx *eval.Context) []int { 12992 ev := ctx.Event.(*Event) 12993 if result, ok := ctx.IntCache[field]; ok { 12994 return result 12995 } 12996 var results []int 12997 iterator := &ProcessAncestorsIterator{} 12998 value := iterator.Front(ctx) 12999 for value != nil { 13000 element := (*ProcessCacheEntry)(value) 13001 if !element.ProcessContext.Process.IsNotKworker() { 13002 results = append(results, 0) 13003 value = iterator.Next() 13004 continue 13005 } 13006 result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields)) 13007 results = append(results, result) 13008 value = iterator.Next() 13009 } 13010 ctx.IntCache[field] = results 13011 return results 13012 }, Field: field, 13013 Weight: eval.IteratorWeight, 13014 }, nil 13015 case "signal.target.ancestors.file.uid": 13016 return &eval.IntArrayEvaluator{ 13017 EvalFnc: func(ctx *eval.Context) []int { 13018 if result, ok := ctx.IntCache[field]; ok { 13019 return result 13020 } 13021 var results []int 13022 iterator := &ProcessAncestorsIterator{} 13023 value := iterator.Front(ctx) 13024 for value != nil { 13025 element := (*ProcessCacheEntry)(value) 13026 if !element.ProcessContext.Process.IsNotKworker() { 13027 results = append(results, 0) 13028 value = iterator.Next() 13029 continue 13030 } 13031 result := int(element.ProcessContext.Process.FileEvent.FileFields.UID) 13032 results = 
append(results, result) 13033 value = iterator.Next() 13034 } 13035 ctx.IntCache[field] = results 13036 return results 13037 }, Field: field, 13038 Weight: eval.IteratorWeight, 13039 }, nil 13040 case "signal.target.ancestors.file.user": 13041 return &eval.StringArrayEvaluator{ 13042 EvalFnc: func(ctx *eval.Context) []string { 13043 ev := ctx.Event.(*Event) 13044 if result, ok := ctx.StringCache[field]; ok { 13045 return result 13046 } 13047 var results []string 13048 iterator := &ProcessAncestorsIterator{} 13049 value := iterator.Front(ctx) 13050 for value != nil { 13051 element := (*ProcessCacheEntry)(value) 13052 if !element.ProcessContext.Process.IsNotKworker() { 13053 results = append(results, "") 13054 value = iterator.Next() 13055 continue 13056 } 13057 result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields) 13058 results = append(results, result) 13059 value = iterator.Next() 13060 } 13061 ctx.StringCache[field] = results 13062 return results 13063 }, Field: field, 13064 Weight: eval.IteratorWeight, 13065 }, nil 13066 case "signal.target.ancestors.fsgid": 13067 return &eval.IntArrayEvaluator{ 13068 EvalFnc: func(ctx *eval.Context) []int { 13069 if result, ok := ctx.IntCache[field]; ok { 13070 return result 13071 } 13072 var results []int 13073 iterator := &ProcessAncestorsIterator{} 13074 value := iterator.Front(ctx) 13075 for value != nil { 13076 element := (*ProcessCacheEntry)(value) 13077 result := int(element.ProcessContext.Process.Credentials.FSGID) 13078 results = append(results, result) 13079 value = iterator.Next() 13080 } 13081 ctx.IntCache[field] = results 13082 return results 13083 }, Field: field, 13084 Weight: eval.IteratorWeight, 13085 }, nil 13086 case "signal.target.ancestors.fsgroup": 13087 return &eval.StringArrayEvaluator{ 13088 EvalFnc: func(ctx *eval.Context) []string { 13089 if result, ok := ctx.StringCache[field]; ok { 13090 return result 13091 } 13092 var results []string 13093 
iterator := &ProcessAncestorsIterator{} 13094 value := iterator.Front(ctx) 13095 for value != nil { 13096 element := (*ProcessCacheEntry)(value) 13097 result := element.ProcessContext.Process.Credentials.FSGroup 13098 results = append(results, result) 13099 value = iterator.Next() 13100 } 13101 ctx.StringCache[field] = results 13102 return results 13103 }, Field: field, 13104 Weight: eval.IteratorWeight, 13105 }, nil 13106 case "signal.target.ancestors.fsuid": 13107 return &eval.IntArrayEvaluator{ 13108 EvalFnc: func(ctx *eval.Context) []int { 13109 if result, ok := ctx.IntCache[field]; ok { 13110 return result 13111 } 13112 var results []int 13113 iterator := &ProcessAncestorsIterator{} 13114 value := iterator.Front(ctx) 13115 for value != nil { 13116 element := (*ProcessCacheEntry)(value) 13117 result := int(element.ProcessContext.Process.Credentials.FSUID) 13118 results = append(results, result) 13119 value = iterator.Next() 13120 } 13121 ctx.IntCache[field] = results 13122 return results 13123 }, Field: field, 13124 Weight: eval.IteratorWeight, 13125 }, nil 13126 case "signal.target.ancestors.fsuser": 13127 return &eval.StringArrayEvaluator{ 13128 EvalFnc: func(ctx *eval.Context) []string { 13129 if result, ok := ctx.StringCache[field]; ok { 13130 return result 13131 } 13132 var results []string 13133 iterator := &ProcessAncestorsIterator{} 13134 value := iterator.Front(ctx) 13135 for value != nil { 13136 element := (*ProcessCacheEntry)(value) 13137 result := element.ProcessContext.Process.Credentials.FSUser 13138 results = append(results, result) 13139 value = iterator.Next() 13140 } 13141 ctx.StringCache[field] = results 13142 return results 13143 }, Field: field, 13144 Weight: eval.IteratorWeight, 13145 }, nil 13146 case "signal.target.ancestors.gid": 13147 return &eval.IntArrayEvaluator{ 13148 EvalFnc: func(ctx *eval.Context) []int { 13149 if result, ok := ctx.IntCache[field]; ok { 13150 return result 13151 } 13152 var results []int 13153 iterator := 
&ProcessAncestorsIterator{} 13154 value := iterator.Front(ctx) 13155 for value != nil { 13156 element := (*ProcessCacheEntry)(value) 13157 result := int(element.ProcessContext.Process.Credentials.GID) 13158 results = append(results, result) 13159 value = iterator.Next() 13160 } 13161 ctx.IntCache[field] = results 13162 return results 13163 }, Field: field, 13164 Weight: eval.IteratorWeight, 13165 }, nil 13166 case "signal.target.ancestors.group": 13167 return &eval.StringArrayEvaluator{ 13168 EvalFnc: func(ctx *eval.Context) []string { 13169 if result, ok := ctx.StringCache[field]; ok { 13170 return result 13171 } 13172 var results []string 13173 iterator := &ProcessAncestorsIterator{} 13174 value := iterator.Front(ctx) 13175 for value != nil { 13176 element := (*ProcessCacheEntry)(value) 13177 result := element.ProcessContext.Process.Credentials.Group 13178 results = append(results, result) 13179 value = iterator.Next() 13180 } 13181 ctx.StringCache[field] = results 13182 return results 13183 }, Field: field, 13184 Weight: eval.IteratorWeight, 13185 }, nil 13186 case "signal.target.ancestors.interpreter.file.change_time": 13187 return &eval.IntArrayEvaluator{ 13188 EvalFnc: func(ctx *eval.Context) []int { 13189 if result, ok := ctx.IntCache[field]; ok { 13190 return result 13191 } 13192 var results []int 13193 iterator := &ProcessAncestorsIterator{} 13194 value := iterator.Front(ctx) 13195 for value != nil { 13196 element := (*ProcessCacheEntry)(value) 13197 if !element.ProcessContext.Process.HasInterpreter() { 13198 results = append(results, 0) 13199 value = iterator.Next() 13200 continue 13201 } 13202 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) 13203 results = append(results, result) 13204 value = iterator.Next() 13205 } 13206 ctx.IntCache[field] = results 13207 return results 13208 }, Field: field, 13209 Weight: eval.IteratorWeight, 13210 }, nil 13211 case "signal.target.ancestors.interpreter.file.filesystem": 13212 
return &eval.StringArrayEvaluator{ 13213 EvalFnc: func(ctx *eval.Context) []string { 13214 ev := ctx.Event.(*Event) 13215 if result, ok := ctx.StringCache[field]; ok { 13216 return result 13217 } 13218 var results []string 13219 iterator := &ProcessAncestorsIterator{} 13220 value := iterator.Front(ctx) 13221 for value != nil { 13222 element := (*ProcessCacheEntry)(value) 13223 if !element.ProcessContext.Process.HasInterpreter() { 13224 results = append(results, "") 13225 value = iterator.Next() 13226 continue 13227 } 13228 result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 13229 results = append(results, result) 13230 value = iterator.Next() 13231 } 13232 ctx.StringCache[field] = results 13233 return results 13234 }, Field: field, 13235 Weight: eval.IteratorWeight, 13236 }, nil 13237 case "signal.target.ancestors.interpreter.file.gid": 13238 return &eval.IntArrayEvaluator{ 13239 EvalFnc: func(ctx *eval.Context) []int { 13240 if result, ok := ctx.IntCache[field]; ok { 13241 return result 13242 } 13243 var results []int 13244 iterator := &ProcessAncestorsIterator{} 13245 value := iterator.Front(ctx) 13246 for value != nil { 13247 element := (*ProcessCacheEntry)(value) 13248 if !element.ProcessContext.Process.HasInterpreter() { 13249 results = append(results, 0) 13250 value = iterator.Next() 13251 continue 13252 } 13253 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) 13254 results = append(results, result) 13255 value = iterator.Next() 13256 } 13257 ctx.IntCache[field] = results 13258 return results 13259 }, Field: field, 13260 Weight: eval.IteratorWeight, 13261 }, nil 13262 case "signal.target.ancestors.interpreter.file.group": 13263 return &eval.StringArrayEvaluator{ 13264 EvalFnc: func(ctx *eval.Context) []string { 13265 ev := ctx.Event.(*Event) 13266 if result, ok := ctx.StringCache[field]; ok { 13267 return result 13268 } 13269 var results []string 13270 iterator := 
&ProcessAncestorsIterator{} 13271 value := iterator.Front(ctx) 13272 for value != nil { 13273 element := (*ProcessCacheEntry)(value) 13274 if !element.ProcessContext.Process.HasInterpreter() { 13275 results = append(results, "") 13276 value = iterator.Next() 13277 continue 13278 } 13279 result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 13280 results = append(results, result) 13281 value = iterator.Next() 13282 } 13283 ctx.StringCache[field] = results 13284 return results 13285 }, Field: field, 13286 Weight: eval.IteratorWeight, 13287 }, nil 13288 case "signal.target.ancestors.interpreter.file.hashes": 13289 return &eval.StringArrayEvaluator{ 13290 EvalFnc: func(ctx *eval.Context) []string { 13291 ev := ctx.Event.(*Event) 13292 if result, ok := ctx.StringCache[field]; ok { 13293 return result 13294 } 13295 var results []string 13296 iterator := &ProcessAncestorsIterator{} 13297 value := iterator.Front(ctx) 13298 for value != nil { 13299 element := (*ProcessCacheEntry)(value) 13300 if !element.ProcessContext.Process.HasInterpreter() { 13301 results = append(results, "") 13302 value = iterator.Next() 13303 continue 13304 } 13305 result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 13306 results = append(results, result...) 
13307 value = iterator.Next() 13308 } 13309 ctx.StringCache[field] = results 13310 return results 13311 }, Field: field, 13312 Weight: 999 * eval.IteratorWeight, 13313 }, nil 13314 case "signal.target.ancestors.interpreter.file.in_upper_layer": 13315 return &eval.BoolArrayEvaluator{ 13316 EvalFnc: func(ctx *eval.Context) []bool { 13317 ev := ctx.Event.(*Event) 13318 if result, ok := ctx.BoolCache[field]; ok { 13319 return result 13320 } 13321 var results []bool 13322 iterator := &ProcessAncestorsIterator{} 13323 value := iterator.Front(ctx) 13324 for value != nil { 13325 element := (*ProcessCacheEntry)(value) 13326 if !element.ProcessContext.Process.HasInterpreter() { 13327 results = append(results, false) 13328 value = iterator.Next() 13329 continue 13330 } 13331 result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 13332 results = append(results, result) 13333 value = iterator.Next() 13334 } 13335 ctx.BoolCache[field] = results 13336 return results 13337 }, Field: field, 13338 Weight: eval.IteratorWeight, 13339 }, nil 13340 case "signal.target.ancestors.interpreter.file.inode": 13341 return &eval.IntArrayEvaluator{ 13342 EvalFnc: func(ctx *eval.Context) []int { 13343 if result, ok := ctx.IntCache[field]; ok { 13344 return result 13345 } 13346 var results []int 13347 iterator := &ProcessAncestorsIterator{} 13348 value := iterator.Front(ctx) 13349 for value != nil { 13350 element := (*ProcessCacheEntry)(value) 13351 if !element.ProcessContext.Process.HasInterpreter() { 13352 results = append(results, 0) 13353 value = iterator.Next() 13354 continue 13355 } 13356 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 13357 results = append(results, result) 13358 value = iterator.Next() 13359 } 13360 ctx.IntCache[field] = results 13361 return results 13362 }, Field: field, 13363 Weight: eval.IteratorWeight, 13364 }, nil 13365 case 
"signal.target.ancestors.interpreter.file.mode": 13366 return &eval.IntArrayEvaluator{ 13367 EvalFnc: func(ctx *eval.Context) []int { 13368 if result, ok := ctx.IntCache[field]; ok { 13369 return result 13370 } 13371 var results []int 13372 iterator := &ProcessAncestorsIterator{} 13373 value := iterator.Front(ctx) 13374 for value != nil { 13375 element := (*ProcessCacheEntry)(value) 13376 if !element.ProcessContext.Process.HasInterpreter() { 13377 results = append(results, 0) 13378 value = iterator.Next() 13379 continue 13380 } 13381 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) 13382 results = append(results, result) 13383 value = iterator.Next() 13384 } 13385 ctx.IntCache[field] = results 13386 return results 13387 }, Field: field, 13388 Weight: eval.IteratorWeight, 13389 }, nil 13390 case "signal.target.ancestors.interpreter.file.modification_time": 13391 return &eval.IntArrayEvaluator{ 13392 EvalFnc: func(ctx *eval.Context) []int { 13393 if result, ok := ctx.IntCache[field]; ok { 13394 return result 13395 } 13396 var results []int 13397 iterator := &ProcessAncestorsIterator{} 13398 value := iterator.Front(ctx) 13399 for value != nil { 13400 element := (*ProcessCacheEntry)(value) 13401 if !element.ProcessContext.Process.HasInterpreter() { 13402 results = append(results, 0) 13403 value = iterator.Next() 13404 continue 13405 } 13406 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) 13407 results = append(results, result) 13408 value = iterator.Next() 13409 } 13410 ctx.IntCache[field] = results 13411 return results 13412 }, Field: field, 13413 Weight: eval.IteratorWeight, 13414 }, nil 13415 case "signal.target.ancestors.interpreter.file.mount_id": 13416 return &eval.IntArrayEvaluator{ 13417 EvalFnc: func(ctx *eval.Context) []int { 13418 if result, ok := ctx.IntCache[field]; ok { 13419 return result 13420 } 13421 var results []int 13422 iterator := &ProcessAncestorsIterator{} 13423 value := 
iterator.Front(ctx) 13424 for value != nil { 13425 element := (*ProcessCacheEntry)(value) 13426 if !element.ProcessContext.Process.HasInterpreter() { 13427 results = append(results, 0) 13428 value = iterator.Next() 13429 continue 13430 } 13431 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 13432 results = append(results, result) 13433 value = iterator.Next() 13434 } 13435 ctx.IntCache[field] = results 13436 return results 13437 }, Field: field, 13438 Weight: eval.IteratorWeight, 13439 }, nil 13440 case "signal.target.ancestors.interpreter.file.name": 13441 return &eval.StringArrayEvaluator{ 13442 OpOverrides: ProcessSymlinkBasename, 13443 EvalFnc: func(ctx *eval.Context) []string { 13444 ev := ctx.Event.(*Event) 13445 if result, ok := ctx.StringCache[field]; ok { 13446 return result 13447 } 13448 var results []string 13449 iterator := &ProcessAncestorsIterator{} 13450 value := iterator.Front(ctx) 13451 for value != nil { 13452 element := (*ProcessCacheEntry)(value) 13453 if !element.ProcessContext.Process.HasInterpreter() { 13454 results = append(results, "") 13455 value = iterator.Next() 13456 continue 13457 } 13458 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 13459 results = append(results, result) 13460 value = iterator.Next() 13461 } 13462 ctx.StringCache[field] = results 13463 return results 13464 }, Field: field, 13465 Weight: eval.IteratorWeight, 13466 }, nil 13467 case "signal.target.ancestors.interpreter.file.name.length": 13468 return &eval.IntArrayEvaluator{ 13469 OpOverrides: ProcessSymlinkBasename, 13470 EvalFnc: func(ctx *eval.Context) []int { 13471 ev := ctx.Event.(*Event) 13472 if result, ok := ctx.IntCache[field]; ok { 13473 return result 13474 } 13475 var results []int 13476 iterator := &ProcessAncestorsIterator{} 13477 value := iterator.Front(ctx) 13478 for value != nil { 13479 element := (*ProcessCacheEntry)(value) 13480 result := 
len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)) 13481 results = append(results, result) 13482 value = iterator.Next() 13483 } 13484 ctx.IntCache[field] = results 13485 return results 13486 }, Field: field, 13487 Weight: eval.IteratorWeight, 13488 }, nil 13489 case "signal.target.ancestors.interpreter.file.package.name": 13490 return &eval.StringArrayEvaluator{ 13491 EvalFnc: func(ctx *eval.Context) []string { 13492 ev := ctx.Event.(*Event) 13493 if result, ok := ctx.StringCache[field]; ok { 13494 return result 13495 } 13496 var results []string 13497 iterator := &ProcessAncestorsIterator{} 13498 value := iterator.Front(ctx) 13499 for value != nil { 13500 element := (*ProcessCacheEntry)(value) 13501 if !element.ProcessContext.Process.HasInterpreter() { 13502 results = append(results, "") 13503 value = iterator.Next() 13504 continue 13505 } 13506 result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 13507 results = append(results, result) 13508 value = iterator.Next() 13509 } 13510 ctx.StringCache[field] = results 13511 return results 13512 }, Field: field, 13513 Weight: eval.IteratorWeight, 13514 }, nil 13515 case "signal.target.ancestors.interpreter.file.package.source_version": 13516 return &eval.StringArrayEvaluator{ 13517 EvalFnc: func(ctx *eval.Context) []string { 13518 ev := ctx.Event.(*Event) 13519 if result, ok := ctx.StringCache[field]; ok { 13520 return result 13521 } 13522 var results []string 13523 iterator := &ProcessAncestorsIterator{} 13524 value := iterator.Front(ctx) 13525 for value != nil { 13526 element := (*ProcessCacheEntry)(value) 13527 if !element.ProcessContext.Process.HasInterpreter() { 13528 results = append(results, "") 13529 value = iterator.Next() 13530 continue 13531 } 13532 result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 13533 results = append(results, result) 13534 
value = iterator.Next() 13535 } 13536 ctx.StringCache[field] = results 13537 return results 13538 }, Field: field, 13539 Weight: eval.IteratorWeight, 13540 }, nil 13541 case "signal.target.ancestors.interpreter.file.package.version": 13542 return &eval.StringArrayEvaluator{ 13543 EvalFnc: func(ctx *eval.Context) []string { 13544 ev := ctx.Event.(*Event) 13545 if result, ok := ctx.StringCache[field]; ok { 13546 return result 13547 } 13548 var results []string 13549 iterator := &ProcessAncestorsIterator{} 13550 value := iterator.Front(ctx) 13551 for value != nil { 13552 element := (*ProcessCacheEntry)(value) 13553 if !element.ProcessContext.Process.HasInterpreter() { 13554 results = append(results, "") 13555 value = iterator.Next() 13556 continue 13557 } 13558 result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 13559 results = append(results, result) 13560 value = iterator.Next() 13561 } 13562 ctx.StringCache[field] = results 13563 return results 13564 }, Field: field, 13565 Weight: eval.IteratorWeight, 13566 }, nil 13567 case "signal.target.ancestors.interpreter.file.path": 13568 return &eval.StringArrayEvaluator{ 13569 OpOverrides: ProcessSymlinkPathname, 13570 EvalFnc: func(ctx *eval.Context) []string { 13571 ev := ctx.Event.(*Event) 13572 if result, ok := ctx.StringCache[field]; ok { 13573 return result 13574 } 13575 var results []string 13576 iterator := &ProcessAncestorsIterator{} 13577 value := iterator.Front(ctx) 13578 for value != nil { 13579 element := (*ProcessCacheEntry)(value) 13580 if !element.ProcessContext.Process.HasInterpreter() { 13581 results = append(results, "") 13582 value = iterator.Next() 13583 continue 13584 } 13585 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 13586 results = append(results, result) 13587 value = iterator.Next() 13588 } 13589 ctx.StringCache[field] = results 13590 return results 13591 }, Field: field, 13592 
Weight: eval.IteratorWeight, 13593 }, nil 13594 case "signal.target.ancestors.interpreter.file.path.length": 13595 return &eval.IntArrayEvaluator{ 13596 OpOverrides: ProcessSymlinkPathname, 13597 EvalFnc: func(ctx *eval.Context) []int { 13598 ev := ctx.Event.(*Event) 13599 if result, ok := ctx.IntCache[field]; ok { 13600 return result 13601 } 13602 var results []int 13603 iterator := &ProcessAncestorsIterator{} 13604 value := iterator.Front(ctx) 13605 for value != nil { 13606 element := (*ProcessCacheEntry)(value) 13607 result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)) 13608 results = append(results, result) 13609 value = iterator.Next() 13610 } 13611 ctx.IntCache[field] = results 13612 return results 13613 }, Field: field, 13614 Weight: eval.IteratorWeight, 13615 }, nil 13616 case "signal.target.ancestors.interpreter.file.rights": 13617 return &eval.IntArrayEvaluator{ 13618 EvalFnc: func(ctx *eval.Context) []int { 13619 ev := ctx.Event.(*Event) 13620 if result, ok := ctx.IntCache[field]; ok { 13621 return result 13622 } 13623 var results []int 13624 iterator := &ProcessAncestorsIterator{} 13625 value := iterator.Front(ctx) 13626 for value != nil { 13627 element := (*ProcessCacheEntry)(value) 13628 if !element.ProcessContext.Process.HasInterpreter() { 13629 results = append(results, 0) 13630 value = iterator.Next() 13631 continue 13632 } 13633 result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) 13634 results = append(results, result) 13635 value = iterator.Next() 13636 } 13637 ctx.IntCache[field] = results 13638 return results 13639 }, Field: field, 13640 Weight: eval.IteratorWeight, 13641 }, nil 13642 case "signal.target.ancestors.interpreter.file.uid": 13643 return &eval.IntArrayEvaluator{ 13644 EvalFnc: func(ctx *eval.Context) []int { 13645 if result, ok := ctx.IntCache[field]; ok { 13646 return result 13647 } 13648 var results []int 13649 
iterator := &ProcessAncestorsIterator{} 13650 value := iterator.Front(ctx) 13651 for value != nil { 13652 element := (*ProcessCacheEntry)(value) 13653 if !element.ProcessContext.Process.HasInterpreter() { 13654 results = append(results, 0) 13655 value = iterator.Next() 13656 continue 13657 } 13658 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) 13659 results = append(results, result) 13660 value = iterator.Next() 13661 } 13662 ctx.IntCache[field] = results 13663 return results 13664 }, Field: field, 13665 Weight: eval.IteratorWeight, 13666 }, nil 13667 case "signal.target.ancestors.interpreter.file.user": 13668 return &eval.StringArrayEvaluator{ 13669 EvalFnc: func(ctx *eval.Context) []string { 13670 ev := ctx.Event.(*Event) 13671 if result, ok := ctx.StringCache[field]; ok { 13672 return result 13673 } 13674 var results []string 13675 iterator := &ProcessAncestorsIterator{} 13676 value := iterator.Front(ctx) 13677 for value != nil { 13678 element := (*ProcessCacheEntry)(value) 13679 if !element.ProcessContext.Process.HasInterpreter() { 13680 results = append(results, "") 13681 value = iterator.Next() 13682 continue 13683 } 13684 result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 13685 results = append(results, result) 13686 value = iterator.Next() 13687 } 13688 ctx.StringCache[field] = results 13689 return results 13690 }, Field: field, 13691 Weight: eval.IteratorWeight, 13692 }, nil 13693 case "signal.target.ancestors.is_kworker": 13694 return &eval.BoolArrayEvaluator{ 13695 EvalFnc: func(ctx *eval.Context) []bool { 13696 if result, ok := ctx.BoolCache[field]; ok { 13697 return result 13698 } 13699 var results []bool 13700 iterator := &ProcessAncestorsIterator{} 13701 value := iterator.Front(ctx) 13702 for value != nil { 13703 element := (*ProcessCacheEntry)(value) 13704 result := element.ProcessContext.Process.PIDContext.IsKworker 13705 results = 
append(results, result) 13706 value = iterator.Next() 13707 } 13708 ctx.BoolCache[field] = results 13709 return results 13710 }, Field: field, 13711 Weight: eval.IteratorWeight, 13712 }, nil 13713 case "signal.target.ancestors.is_thread": 13714 return &eval.BoolArrayEvaluator{ 13715 EvalFnc: func(ctx *eval.Context) []bool { 13716 if result, ok := ctx.BoolCache[field]; ok { 13717 return result 13718 } 13719 var results []bool 13720 iterator := &ProcessAncestorsIterator{} 13721 value := iterator.Front(ctx) 13722 for value != nil { 13723 element := (*ProcessCacheEntry)(value) 13724 result := element.ProcessContext.Process.IsThread 13725 results = append(results, result) 13726 value = iterator.Next() 13727 } 13728 ctx.BoolCache[field] = results 13729 return results 13730 }, Field: field, 13731 Weight: eval.IteratorWeight, 13732 }, nil 13733 case "signal.target.ancestors.pid": 13734 return &eval.IntArrayEvaluator{ 13735 EvalFnc: func(ctx *eval.Context) []int { 13736 if result, ok := ctx.IntCache[field]; ok { 13737 return result 13738 } 13739 var results []int 13740 iterator := &ProcessAncestorsIterator{} 13741 value := iterator.Front(ctx) 13742 for value != nil { 13743 element := (*ProcessCacheEntry)(value) 13744 result := int(element.ProcessContext.Process.PIDContext.Pid) 13745 results = append(results, result) 13746 value = iterator.Next() 13747 } 13748 ctx.IntCache[field] = results 13749 return results 13750 }, Field: field, 13751 Weight: eval.IteratorWeight, 13752 }, nil 13753 case "signal.target.ancestors.ppid": 13754 return &eval.IntArrayEvaluator{ 13755 EvalFnc: func(ctx *eval.Context) []int { 13756 if result, ok := ctx.IntCache[field]; ok { 13757 return result 13758 } 13759 var results []int 13760 iterator := &ProcessAncestorsIterator{} 13761 value := iterator.Front(ctx) 13762 for value != nil { 13763 element := (*ProcessCacheEntry)(value) 13764 result := int(element.ProcessContext.Process.PPid) 13765 results = append(results, result) 13766 value = 
iterator.Next() 13767 } 13768 ctx.IntCache[field] = results 13769 return results 13770 }, Field: field, 13771 Weight: eval.IteratorWeight, 13772 }, nil 13773 case "signal.target.ancestors.tid": 13774 return &eval.IntArrayEvaluator{ 13775 EvalFnc: func(ctx *eval.Context) []int { 13776 if result, ok := ctx.IntCache[field]; ok { 13777 return result 13778 } 13779 var results []int 13780 iterator := &ProcessAncestorsIterator{} 13781 value := iterator.Front(ctx) 13782 for value != nil { 13783 element := (*ProcessCacheEntry)(value) 13784 result := int(element.ProcessContext.Process.PIDContext.Tid) 13785 results = append(results, result) 13786 value = iterator.Next() 13787 } 13788 ctx.IntCache[field] = results 13789 return results 13790 }, Field: field, 13791 Weight: eval.IteratorWeight, 13792 }, nil 13793 case "signal.target.ancestors.tty_name": 13794 return &eval.StringArrayEvaluator{ 13795 EvalFnc: func(ctx *eval.Context) []string { 13796 if result, ok := ctx.StringCache[field]; ok { 13797 return result 13798 } 13799 var results []string 13800 iterator := &ProcessAncestorsIterator{} 13801 value := iterator.Front(ctx) 13802 for value != nil { 13803 element := (*ProcessCacheEntry)(value) 13804 result := element.ProcessContext.Process.TTYName 13805 results = append(results, result) 13806 value = iterator.Next() 13807 } 13808 ctx.StringCache[field] = results 13809 return results 13810 }, Field: field, 13811 Weight: eval.IteratorWeight, 13812 }, nil 13813 case "signal.target.ancestors.uid": 13814 return &eval.IntArrayEvaluator{ 13815 EvalFnc: func(ctx *eval.Context) []int { 13816 if result, ok := ctx.IntCache[field]; ok { 13817 return result 13818 } 13819 var results []int 13820 iterator := &ProcessAncestorsIterator{} 13821 value := iterator.Front(ctx) 13822 for value != nil { 13823 element := (*ProcessCacheEntry)(value) 13824 result := int(element.ProcessContext.Process.Credentials.UID) 13825 results = append(results, result) 13826 value = iterator.Next() 13827 } 13828 
ctx.IntCache[field] = results 13829 return results 13830 }, Field: field, 13831 Weight: eval.IteratorWeight, 13832 }, nil 13833 case "signal.target.ancestors.user": 13834 return &eval.StringArrayEvaluator{ 13835 EvalFnc: func(ctx *eval.Context) []string { 13836 if result, ok := ctx.StringCache[field]; ok { 13837 return result 13838 } 13839 var results []string 13840 iterator := &ProcessAncestorsIterator{} 13841 value := iterator.Front(ctx) 13842 for value != nil { 13843 element := (*ProcessCacheEntry)(value) 13844 result := element.ProcessContext.Process.Credentials.User 13845 results = append(results, result) 13846 value = iterator.Next() 13847 } 13848 ctx.StringCache[field] = results 13849 return results 13850 }, Field: field, 13851 Weight: eval.IteratorWeight, 13852 }, nil 13853 case "signal.target.ancestors.user_session.k8s_groups": 13854 return &eval.StringArrayEvaluator{ 13855 EvalFnc: func(ctx *eval.Context) []string { 13856 ev := ctx.Event.(*Event) 13857 if result, ok := ctx.StringCache[field]; ok { 13858 return result 13859 } 13860 var results []string 13861 iterator := &ProcessAncestorsIterator{} 13862 value := iterator.Front(ctx) 13863 for value != nil { 13864 element := (*ProcessCacheEntry)(value) 13865 result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession) 13866 results = append(results, result...) 
13867 value = iterator.Next() 13868 } 13869 ctx.StringCache[field] = results 13870 return results 13871 }, Field: field, 13872 Weight: eval.IteratorWeight, 13873 }, nil 13874 case "signal.target.ancestors.user_session.k8s_uid": 13875 return &eval.StringArrayEvaluator{ 13876 EvalFnc: func(ctx *eval.Context) []string { 13877 ev := ctx.Event.(*Event) 13878 if result, ok := ctx.StringCache[field]; ok { 13879 return result 13880 } 13881 var results []string 13882 iterator := &ProcessAncestorsIterator{} 13883 value := iterator.Front(ctx) 13884 for value != nil { 13885 element := (*ProcessCacheEntry)(value) 13886 result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession) 13887 results = append(results, result) 13888 value = iterator.Next() 13889 } 13890 ctx.StringCache[field] = results 13891 return results 13892 }, Field: field, 13893 Weight: eval.IteratorWeight, 13894 }, nil 13895 case "signal.target.ancestors.user_session.k8s_username": 13896 return &eval.StringArrayEvaluator{ 13897 EvalFnc: func(ctx *eval.Context) []string { 13898 ev := ctx.Event.(*Event) 13899 if result, ok := ctx.StringCache[field]; ok { 13900 return result 13901 } 13902 var results []string 13903 iterator := &ProcessAncestorsIterator{} 13904 value := iterator.Front(ctx) 13905 for value != nil { 13906 element := (*ProcessCacheEntry)(value) 13907 result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession) 13908 results = append(results, result) 13909 value = iterator.Next() 13910 } 13911 ctx.StringCache[field] = results 13912 return results 13913 }, Field: field, 13914 Weight: eval.IteratorWeight, 13915 }, nil 13916 case "signal.target.args": 13917 return &eval.StringEvaluator{ 13918 EvalFnc: func(ctx *eval.Context) string { 13919 ev := ctx.Event.(*Event) 13920 return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.Signal.Target.Process) 13921 }, 13922 Field: field, 13923 Weight: 500 * eval.HandlerWeight, 13924 }, nil 13925 case 
"signal.target.args_flags": 13926 return &eval.StringArrayEvaluator{ 13927 EvalFnc: func(ctx *eval.Context) []string { 13928 ev := ctx.Event.(*Event) 13929 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.Signal.Target.Process) 13930 }, 13931 Field: field, 13932 Weight: eval.HandlerWeight, 13933 }, nil 13934 case "signal.target.args_options": 13935 return &eval.StringArrayEvaluator{ 13936 EvalFnc: func(ctx *eval.Context) []string { 13937 ev := ctx.Event.(*Event) 13938 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.Signal.Target.Process) 13939 }, 13940 Field: field, 13941 Weight: eval.HandlerWeight, 13942 }, nil 13943 case "signal.target.args_truncated": 13944 return &eval.BoolEvaluator{ 13945 EvalFnc: func(ctx *eval.Context) bool { 13946 ev := ctx.Event.(*Event) 13947 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.Signal.Target.Process) 13948 }, 13949 Field: field, 13950 Weight: eval.HandlerWeight, 13951 }, nil 13952 case "signal.target.argv": 13953 return &eval.StringArrayEvaluator{ 13954 EvalFnc: func(ctx *eval.Context) []string { 13955 ev := ctx.Event.(*Event) 13956 return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.Signal.Target.Process) 13957 }, 13958 Field: field, 13959 Weight: 500 * eval.HandlerWeight, 13960 }, nil 13961 case "signal.target.argv0": 13962 return &eval.StringEvaluator{ 13963 EvalFnc: func(ctx *eval.Context) string { 13964 ev := ctx.Event.(*Event) 13965 return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.Signal.Target.Process) 13966 }, 13967 Field: field, 13968 Weight: 100 * eval.HandlerWeight, 13969 }, nil 13970 case "signal.target.cap_effective": 13971 return &eval.IntEvaluator{ 13972 EvalFnc: func(ctx *eval.Context) int { 13973 ev := ctx.Event.(*Event) 13974 return int(ev.Signal.Target.Process.Credentials.CapEffective) 13975 }, 13976 Field: field, 13977 Weight: eval.FunctionWeight, 13978 }, nil 13979 case "signal.target.cap_permitted": 13980 return &eval.IntEvaluator{ 13981 EvalFnc: func(ctx *eval.Context) int 
{ 13982 ev := ctx.Event.(*Event) 13983 return int(ev.Signal.Target.Process.Credentials.CapPermitted) 13984 }, 13985 Field: field, 13986 Weight: eval.FunctionWeight, 13987 }, nil 13988 case "signal.target.comm": 13989 return &eval.StringEvaluator{ 13990 EvalFnc: func(ctx *eval.Context) string { 13991 ev := ctx.Event.(*Event) 13992 return ev.Signal.Target.Process.Comm 13993 }, 13994 Field: field, 13995 Weight: eval.FunctionWeight, 13996 }, nil 13997 case "signal.target.container.id": 13998 return &eval.StringEvaluator{ 13999 EvalFnc: func(ctx *eval.Context) string { 14000 ev := ctx.Event.(*Event) 14001 return ev.Signal.Target.Process.ContainerID 14002 }, 14003 Field: field, 14004 Weight: eval.FunctionWeight, 14005 }, nil 14006 case "signal.target.created_at": 14007 return &eval.IntEvaluator{ 14008 EvalFnc: func(ctx *eval.Context) int { 14009 ev := ctx.Event.(*Event) 14010 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.Signal.Target.Process)) 14011 }, 14012 Field: field, 14013 Weight: eval.HandlerWeight, 14014 }, nil 14015 case "signal.target.egid": 14016 return &eval.IntEvaluator{ 14017 EvalFnc: func(ctx *eval.Context) int { 14018 ev := ctx.Event.(*Event) 14019 return int(ev.Signal.Target.Process.Credentials.EGID) 14020 }, 14021 Field: field, 14022 Weight: eval.FunctionWeight, 14023 }, nil 14024 case "signal.target.egroup": 14025 return &eval.StringEvaluator{ 14026 EvalFnc: func(ctx *eval.Context) string { 14027 ev := ctx.Event.(*Event) 14028 return ev.Signal.Target.Process.Credentials.EGroup 14029 }, 14030 Field: field, 14031 Weight: eval.FunctionWeight, 14032 }, nil 14033 case "signal.target.envp": 14034 return &eval.StringArrayEvaluator{ 14035 EvalFnc: func(ctx *eval.Context) []string { 14036 ev := ctx.Event.(*Event) 14037 return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.Signal.Target.Process) 14038 }, 14039 Field: field, 14040 Weight: 100 * eval.HandlerWeight, 14041 }, nil 14042 case "signal.target.envs": 14043 return &eval.StringArrayEvaluator{ 
14044 EvalFnc: func(ctx *eval.Context) []string { 14045 ev := ctx.Event.(*Event) 14046 return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.Signal.Target.Process) 14047 }, 14048 Field: field, 14049 Weight: 100 * eval.HandlerWeight, 14050 }, nil 14051 case "signal.target.envs_truncated": 14052 return &eval.BoolEvaluator{ 14053 EvalFnc: func(ctx *eval.Context) bool { 14054 ev := ctx.Event.(*Event) 14055 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.Signal.Target.Process) 14056 }, 14057 Field: field, 14058 Weight: eval.HandlerWeight, 14059 }, nil 14060 case "signal.target.euid": 14061 return &eval.IntEvaluator{ 14062 EvalFnc: func(ctx *eval.Context) int { 14063 ev := ctx.Event.(*Event) 14064 return int(ev.Signal.Target.Process.Credentials.EUID) 14065 }, 14066 Field: field, 14067 Weight: eval.FunctionWeight, 14068 }, nil 14069 case "signal.target.euser": 14070 return &eval.StringEvaluator{ 14071 EvalFnc: func(ctx *eval.Context) string { 14072 ev := ctx.Event.(*Event) 14073 return ev.Signal.Target.Process.Credentials.EUser 14074 }, 14075 Field: field, 14076 Weight: eval.FunctionWeight, 14077 }, nil 14078 case "signal.target.file.change_time": 14079 return &eval.IntEvaluator{ 14080 EvalFnc: func(ctx *eval.Context) int { 14081 ev := ctx.Event.(*Event) 14082 if !ev.Signal.Target.Process.IsNotKworker() { 14083 return 0 14084 } 14085 return int(ev.Signal.Target.Process.FileEvent.FileFields.CTime) 14086 }, 14087 Field: field, 14088 Weight: eval.FunctionWeight, 14089 }, nil 14090 case "signal.target.file.filesystem": 14091 return &eval.StringEvaluator{ 14092 EvalFnc: func(ctx *eval.Context) string { 14093 ev := ctx.Event.(*Event) 14094 if !ev.Signal.Target.Process.IsNotKworker() { 14095 return "" 14096 } 14097 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Process.FileEvent) 14098 }, 14099 Field: field, 14100 Weight: eval.HandlerWeight, 14101 }, nil 14102 case "signal.target.file.gid": 14103 return &eval.IntEvaluator{ 14104 EvalFnc: func(ctx 
*eval.Context) int { 14105 ev := ctx.Event.(*Event) 14106 if !ev.Signal.Target.Process.IsNotKworker() { 14107 return 0 14108 } 14109 return int(ev.Signal.Target.Process.FileEvent.FileFields.GID) 14110 }, 14111 Field: field, 14112 Weight: eval.FunctionWeight, 14113 }, nil 14114 case "signal.target.file.group": 14115 return &eval.StringEvaluator{ 14116 EvalFnc: func(ctx *eval.Context) string { 14117 ev := ctx.Event.(*Event) 14118 if !ev.Signal.Target.Process.IsNotKworker() { 14119 return "" 14120 } 14121 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Process.FileEvent.FileFields) 14122 }, 14123 Field: field, 14124 Weight: eval.HandlerWeight, 14125 }, nil 14126 case "signal.target.file.hashes": 14127 return &eval.StringArrayEvaluator{ 14128 EvalFnc: func(ctx *eval.Context) []string { 14129 ev := ctx.Event.(*Event) 14130 if !ev.Signal.Target.Process.IsNotKworker() { 14131 return []string{} 14132 } 14133 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Process.FileEvent) 14134 }, 14135 Field: field, 14136 Weight: 999 * eval.HandlerWeight, 14137 }, nil 14138 case "signal.target.file.in_upper_layer": 14139 return &eval.BoolEvaluator{ 14140 EvalFnc: func(ctx *eval.Context) bool { 14141 ev := ctx.Event.(*Event) 14142 if !ev.Signal.Target.Process.IsNotKworker() { 14143 return false 14144 } 14145 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Process.FileEvent.FileFields) 14146 }, 14147 Field: field, 14148 Weight: eval.HandlerWeight, 14149 }, nil 14150 case "signal.target.file.inode": 14151 return &eval.IntEvaluator{ 14152 EvalFnc: func(ctx *eval.Context) int { 14153 ev := ctx.Event.(*Event) 14154 if !ev.Signal.Target.Process.IsNotKworker() { 14155 return 0 14156 } 14157 return int(ev.Signal.Target.Process.FileEvent.FileFields.PathKey.Inode) 14158 }, 14159 Field: field, 14160 Weight: eval.FunctionWeight, 14161 }, nil 14162 case "signal.target.file.mode": 14163 return &eval.IntEvaluator{ 14164 EvalFnc: 
func(ctx *eval.Context) int { 14165 ev := ctx.Event.(*Event) 14166 if !ev.Signal.Target.Process.IsNotKworker() { 14167 return 0 14168 } 14169 return int(ev.Signal.Target.Process.FileEvent.FileFields.Mode) 14170 }, 14171 Field: field, 14172 Weight: eval.FunctionWeight, 14173 }, nil 14174 case "signal.target.file.modification_time": 14175 return &eval.IntEvaluator{ 14176 EvalFnc: func(ctx *eval.Context) int { 14177 ev := ctx.Event.(*Event) 14178 if !ev.Signal.Target.Process.IsNotKworker() { 14179 return 0 14180 } 14181 return int(ev.Signal.Target.Process.FileEvent.FileFields.MTime) 14182 }, 14183 Field: field, 14184 Weight: eval.FunctionWeight, 14185 }, nil 14186 case "signal.target.file.mount_id": 14187 return &eval.IntEvaluator{ 14188 EvalFnc: func(ctx *eval.Context) int { 14189 ev := ctx.Event.(*Event) 14190 if !ev.Signal.Target.Process.IsNotKworker() { 14191 return 0 14192 } 14193 return int(ev.Signal.Target.Process.FileEvent.FileFields.PathKey.MountID) 14194 }, 14195 Field: field, 14196 Weight: eval.FunctionWeight, 14197 }, nil 14198 case "signal.target.file.name": 14199 return &eval.StringEvaluator{ 14200 OpOverrides: ProcessSymlinkBasename, 14201 EvalFnc: func(ctx *eval.Context) string { 14202 ev := ctx.Event.(*Event) 14203 if !ev.Signal.Target.Process.IsNotKworker() { 14204 return "" 14205 } 14206 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.FileEvent) 14207 }, 14208 Field: field, 14209 Weight: eval.HandlerWeight, 14210 }, nil 14211 case "signal.target.file.name.length": 14212 return &eval.IntEvaluator{ 14213 OpOverrides: ProcessSymlinkBasename, 14214 EvalFnc: func(ctx *eval.Context) int { 14215 ev := ctx.Event.(*Event) 14216 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.FileEvent)) 14217 }, 14218 Field: field, 14219 Weight: eval.HandlerWeight, 14220 }, nil 14221 case "signal.target.file.package.name": 14222 return &eval.StringEvaluator{ 14223 EvalFnc: func(ctx *eval.Context) string { 14224 ev := 
ctx.Event.(*Event) 14225 if !ev.Signal.Target.Process.IsNotKworker() { 14226 return "" 14227 } 14228 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Process.FileEvent) 14229 }, 14230 Field: field, 14231 Weight: eval.HandlerWeight, 14232 }, nil 14233 case "signal.target.file.package.source_version": 14234 return &eval.StringEvaluator{ 14235 EvalFnc: func(ctx *eval.Context) string { 14236 ev := ctx.Event.(*Event) 14237 if !ev.Signal.Target.Process.IsNotKworker() { 14238 return "" 14239 } 14240 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Process.FileEvent) 14241 }, 14242 Field: field, 14243 Weight: eval.HandlerWeight, 14244 }, nil 14245 case "signal.target.file.package.version": 14246 return &eval.StringEvaluator{ 14247 EvalFnc: func(ctx *eval.Context) string { 14248 ev := ctx.Event.(*Event) 14249 if !ev.Signal.Target.Process.IsNotKworker() { 14250 return "" 14251 } 14252 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Process.FileEvent) 14253 }, 14254 Field: field, 14255 Weight: eval.HandlerWeight, 14256 }, nil 14257 case "signal.target.file.path": 14258 return &eval.StringEvaluator{ 14259 OpOverrides: ProcessSymlinkPathname, 14260 EvalFnc: func(ctx *eval.Context) string { 14261 ev := ctx.Event.(*Event) 14262 if !ev.Signal.Target.Process.IsNotKworker() { 14263 return "" 14264 } 14265 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.FileEvent) 14266 }, 14267 Field: field, 14268 Weight: eval.HandlerWeight, 14269 }, nil 14270 case "signal.target.file.path.length": 14271 return &eval.IntEvaluator{ 14272 OpOverrides: ProcessSymlinkPathname, 14273 EvalFnc: func(ctx *eval.Context) int { 14274 ev := ctx.Event.(*Event) 14275 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.FileEvent)) 14276 }, 14277 Field: field, 14278 Weight: eval.HandlerWeight, 14279 }, nil 14280 case "signal.target.file.rights": 14281 return &eval.IntEvaluator{ 14282 EvalFnc: func(ctx 
*eval.Context) int { 14283 ev := ctx.Event.(*Event) 14284 if !ev.Signal.Target.Process.IsNotKworker() { 14285 return 0 14286 } 14287 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Process.FileEvent.FileFields)) 14288 }, 14289 Field: field, 14290 Weight: eval.HandlerWeight, 14291 }, nil 14292 case "signal.target.file.uid": 14293 return &eval.IntEvaluator{ 14294 EvalFnc: func(ctx *eval.Context) int { 14295 ev := ctx.Event.(*Event) 14296 if !ev.Signal.Target.Process.IsNotKworker() { 14297 return 0 14298 } 14299 return int(ev.Signal.Target.Process.FileEvent.FileFields.UID) 14300 }, 14301 Field: field, 14302 Weight: eval.FunctionWeight, 14303 }, nil 14304 case "signal.target.file.user": 14305 return &eval.StringEvaluator{ 14306 EvalFnc: func(ctx *eval.Context) string { 14307 ev := ctx.Event.(*Event) 14308 if !ev.Signal.Target.Process.IsNotKworker() { 14309 return "" 14310 } 14311 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Process.FileEvent.FileFields) 14312 }, 14313 Field: field, 14314 Weight: eval.HandlerWeight, 14315 }, nil 14316 case "signal.target.fsgid": 14317 return &eval.IntEvaluator{ 14318 EvalFnc: func(ctx *eval.Context) int { 14319 ev := ctx.Event.(*Event) 14320 return int(ev.Signal.Target.Process.Credentials.FSGID) 14321 }, 14322 Field: field, 14323 Weight: eval.FunctionWeight, 14324 }, nil 14325 case "signal.target.fsgroup": 14326 return &eval.StringEvaluator{ 14327 EvalFnc: func(ctx *eval.Context) string { 14328 ev := ctx.Event.(*Event) 14329 return ev.Signal.Target.Process.Credentials.FSGroup 14330 }, 14331 Field: field, 14332 Weight: eval.FunctionWeight, 14333 }, nil 14334 case "signal.target.fsuid": 14335 return &eval.IntEvaluator{ 14336 EvalFnc: func(ctx *eval.Context) int { 14337 ev := ctx.Event.(*Event) 14338 return int(ev.Signal.Target.Process.Credentials.FSUID) 14339 }, 14340 Field: field, 14341 Weight: eval.FunctionWeight, 14342 }, nil 14343 case "signal.target.fsuser": 14344 return &eval.StringEvaluator{ 
14345 EvalFnc: func(ctx *eval.Context) string { 14346 ev := ctx.Event.(*Event) 14347 return ev.Signal.Target.Process.Credentials.FSUser 14348 }, 14349 Field: field, 14350 Weight: eval.FunctionWeight, 14351 }, nil 14352 case "signal.target.gid": 14353 return &eval.IntEvaluator{ 14354 EvalFnc: func(ctx *eval.Context) int { 14355 ev := ctx.Event.(*Event) 14356 return int(ev.Signal.Target.Process.Credentials.GID) 14357 }, 14358 Field: field, 14359 Weight: eval.FunctionWeight, 14360 }, nil 14361 case "signal.target.group": 14362 return &eval.StringEvaluator{ 14363 EvalFnc: func(ctx *eval.Context) string { 14364 ev := ctx.Event.(*Event) 14365 return ev.Signal.Target.Process.Credentials.Group 14366 }, 14367 Field: field, 14368 Weight: eval.FunctionWeight, 14369 }, nil 14370 case "signal.target.interpreter.file.change_time": 14371 return &eval.IntEvaluator{ 14372 EvalFnc: func(ctx *eval.Context) int { 14373 ev := ctx.Event.(*Event) 14374 if !ev.Signal.Target.Process.HasInterpreter() { 14375 return 0 14376 } 14377 return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.CTime) 14378 }, 14379 Field: field, 14380 Weight: eval.FunctionWeight, 14381 }, nil 14382 case "signal.target.interpreter.file.filesystem": 14383 return &eval.StringEvaluator{ 14384 EvalFnc: func(ctx *eval.Context) string { 14385 ev := ctx.Event.(*Event) 14386 if !ev.Signal.Target.Process.HasInterpreter() { 14387 return "" 14388 } 14389 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) 14390 }, 14391 Field: field, 14392 Weight: eval.HandlerWeight, 14393 }, nil 14394 case "signal.target.interpreter.file.gid": 14395 return &eval.IntEvaluator{ 14396 EvalFnc: func(ctx *eval.Context) int { 14397 ev := ctx.Event.(*Event) 14398 if !ev.Signal.Target.Process.HasInterpreter() { 14399 return 0 14400 } 14401 return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.GID) 14402 }, 14403 Field: field, 14404 Weight: eval.FunctionWeight, 14405 }, nil 
14406 case "signal.target.interpreter.file.group": 14407 return &eval.StringEvaluator{ 14408 EvalFnc: func(ctx *eval.Context) string { 14409 ev := ctx.Event.(*Event) 14410 if !ev.Signal.Target.Process.HasInterpreter() { 14411 return "" 14412 } 14413 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields) 14414 }, 14415 Field: field, 14416 Weight: eval.HandlerWeight, 14417 }, nil 14418 case "signal.target.interpreter.file.hashes": 14419 return &eval.StringArrayEvaluator{ 14420 EvalFnc: func(ctx *eval.Context) []string { 14421 ev := ctx.Event.(*Event) 14422 if !ev.Signal.Target.Process.HasInterpreter() { 14423 return []string{} 14424 } 14425 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) 14426 }, 14427 Field: field, 14428 Weight: 999 * eval.HandlerWeight, 14429 }, nil 14430 case "signal.target.interpreter.file.in_upper_layer": 14431 return &eval.BoolEvaluator{ 14432 EvalFnc: func(ctx *eval.Context) bool { 14433 ev := ctx.Event.(*Event) 14434 if !ev.Signal.Target.Process.HasInterpreter() { 14435 return false 14436 } 14437 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields) 14438 }, 14439 Field: field, 14440 Weight: eval.HandlerWeight, 14441 }, nil 14442 case "signal.target.interpreter.file.inode": 14443 return &eval.IntEvaluator{ 14444 EvalFnc: func(ctx *eval.Context) int { 14445 ev := ctx.Event.(*Event) 14446 if !ev.Signal.Target.Process.HasInterpreter() { 14447 return 0 14448 } 14449 return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 14450 }, 14451 Field: field, 14452 Weight: eval.FunctionWeight, 14453 }, nil 14454 case "signal.target.interpreter.file.mode": 14455 return &eval.IntEvaluator{ 14456 EvalFnc: func(ctx *eval.Context) int { 14457 ev := ctx.Event.(*Event) 14458 if !ev.Signal.Target.Process.HasInterpreter() { 14459 return 0 14460 } 14461 return 
int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.Mode) 14462 }, 14463 Field: field, 14464 Weight: eval.FunctionWeight, 14465 }, nil 14466 case "signal.target.interpreter.file.modification_time": 14467 return &eval.IntEvaluator{ 14468 EvalFnc: func(ctx *eval.Context) int { 14469 ev := ctx.Event.(*Event) 14470 if !ev.Signal.Target.Process.HasInterpreter() { 14471 return 0 14472 } 14473 return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.MTime) 14474 }, 14475 Field: field, 14476 Weight: eval.FunctionWeight, 14477 }, nil 14478 case "signal.target.interpreter.file.mount_id": 14479 return &eval.IntEvaluator{ 14480 EvalFnc: func(ctx *eval.Context) int { 14481 ev := ctx.Event.(*Event) 14482 if !ev.Signal.Target.Process.HasInterpreter() { 14483 return 0 14484 } 14485 return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 14486 }, 14487 Field: field, 14488 Weight: eval.FunctionWeight, 14489 }, nil 14490 case "signal.target.interpreter.file.name": 14491 return &eval.StringEvaluator{ 14492 OpOverrides: ProcessSymlinkBasename, 14493 EvalFnc: func(ctx *eval.Context) string { 14494 ev := ctx.Event.(*Event) 14495 if !ev.Signal.Target.Process.HasInterpreter() { 14496 return "" 14497 } 14498 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) 14499 }, 14500 Field: field, 14501 Weight: eval.HandlerWeight, 14502 }, nil 14503 case "signal.target.interpreter.file.name.length": 14504 return &eval.IntEvaluator{ 14505 OpOverrides: ProcessSymlinkBasename, 14506 EvalFnc: func(ctx *eval.Context) int { 14507 ev := ctx.Event.(*Event) 14508 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent)) 14509 }, 14510 Field: field, 14511 Weight: eval.HandlerWeight, 14512 }, nil 14513 case "signal.target.interpreter.file.package.name": 14514 return &eval.StringEvaluator{ 14515 EvalFnc: func(ctx *eval.Context) string { 14516 ev := ctx.Event.(*Event) 14517 
if !ev.Signal.Target.Process.HasInterpreter() { 14518 return "" 14519 } 14520 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) 14521 }, 14522 Field: field, 14523 Weight: eval.HandlerWeight, 14524 }, nil 14525 case "signal.target.interpreter.file.package.source_version": 14526 return &eval.StringEvaluator{ 14527 EvalFnc: func(ctx *eval.Context) string { 14528 ev := ctx.Event.(*Event) 14529 if !ev.Signal.Target.Process.HasInterpreter() { 14530 return "" 14531 } 14532 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) 14533 }, 14534 Field: field, 14535 Weight: eval.HandlerWeight, 14536 }, nil 14537 case "signal.target.interpreter.file.package.version": 14538 return &eval.StringEvaluator{ 14539 EvalFnc: func(ctx *eval.Context) string { 14540 ev := ctx.Event.(*Event) 14541 if !ev.Signal.Target.Process.HasInterpreter() { 14542 return "" 14543 } 14544 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) 14545 }, 14546 Field: field, 14547 Weight: eval.HandlerWeight, 14548 }, nil 14549 case "signal.target.interpreter.file.path": 14550 return &eval.StringEvaluator{ 14551 OpOverrides: ProcessSymlinkPathname, 14552 EvalFnc: func(ctx *eval.Context) string { 14553 ev := ctx.Event.(*Event) 14554 if !ev.Signal.Target.Process.HasInterpreter() { 14555 return "" 14556 } 14557 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent) 14558 }, 14559 Field: field, 14560 Weight: eval.HandlerWeight, 14561 }, nil 14562 case "signal.target.interpreter.file.path.length": 14563 return &eval.IntEvaluator{ 14564 OpOverrides: ProcessSymlinkPathname, 14565 EvalFnc: func(ctx *eval.Context) int { 14566 ev := ctx.Event.(*Event) 14567 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent)) 14568 }, 14569 Field: field, 14570 Weight: eval.HandlerWeight, 14571 }, nil 14572 case 
"signal.target.interpreter.file.rights": 14573 return &eval.IntEvaluator{ 14574 EvalFnc: func(ctx *eval.Context) int { 14575 ev := ctx.Event.(*Event) 14576 if !ev.Signal.Target.Process.HasInterpreter() { 14577 return 0 14578 } 14579 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields)) 14580 }, 14581 Field: field, 14582 Weight: eval.HandlerWeight, 14583 }, nil 14584 case "signal.target.interpreter.file.uid": 14585 return &eval.IntEvaluator{ 14586 EvalFnc: func(ctx *eval.Context) int { 14587 ev := ctx.Event.(*Event) 14588 if !ev.Signal.Target.Process.HasInterpreter() { 14589 return 0 14590 } 14591 return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.UID) 14592 }, 14593 Field: field, 14594 Weight: eval.FunctionWeight, 14595 }, nil 14596 case "signal.target.interpreter.file.user": 14597 return &eval.StringEvaluator{ 14598 EvalFnc: func(ctx *eval.Context) string { 14599 ev := ctx.Event.(*Event) 14600 if !ev.Signal.Target.Process.HasInterpreter() { 14601 return "" 14602 } 14603 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields) 14604 }, 14605 Field: field, 14606 Weight: eval.HandlerWeight, 14607 }, nil 14608 case "signal.target.is_kworker": 14609 return &eval.BoolEvaluator{ 14610 EvalFnc: func(ctx *eval.Context) bool { 14611 ev := ctx.Event.(*Event) 14612 return ev.Signal.Target.Process.PIDContext.IsKworker 14613 }, 14614 Field: field, 14615 Weight: eval.FunctionWeight, 14616 }, nil 14617 case "signal.target.is_thread": 14618 return &eval.BoolEvaluator{ 14619 EvalFnc: func(ctx *eval.Context) bool { 14620 ev := ctx.Event.(*Event) 14621 return ev.Signal.Target.Process.IsThread 14622 }, 14623 Field: field, 14624 Weight: eval.FunctionWeight, 14625 }, nil 14626 case "signal.target.parent.args": 14627 return &eval.StringEvaluator{ 14628 EvalFnc: func(ctx *eval.Context) string { 14629 ev := ctx.Event.(*Event) 14630 if !ev.Signal.Target.HasParent() { 
14631 return "" 14632 } 14633 return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Signal.Target.Parent) 14634 }, 14635 Field: field, 14636 Weight: 500 * eval.HandlerWeight, 14637 }, nil 14638 case "signal.target.parent.args_flags": 14639 return &eval.StringArrayEvaluator{ 14640 EvalFnc: func(ctx *eval.Context) []string { 14641 ev := ctx.Event.(*Event) 14642 if !ev.Signal.Target.HasParent() { 14643 return []string{} 14644 } 14645 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Signal.Target.Parent) 14646 }, 14647 Field: field, 14648 Weight: eval.HandlerWeight, 14649 }, nil 14650 case "signal.target.parent.args_options": 14651 return &eval.StringArrayEvaluator{ 14652 EvalFnc: func(ctx *eval.Context) []string { 14653 ev := ctx.Event.(*Event) 14654 if !ev.Signal.Target.HasParent() { 14655 return []string{} 14656 } 14657 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Signal.Target.Parent) 14658 }, 14659 Field: field, 14660 Weight: eval.HandlerWeight, 14661 }, nil 14662 case "signal.target.parent.args_truncated": 14663 return &eval.BoolEvaluator{ 14664 EvalFnc: func(ctx *eval.Context) bool { 14665 ev := ctx.Event.(*Event) 14666 if !ev.Signal.Target.HasParent() { 14667 return false 14668 } 14669 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Signal.Target.Parent) 14670 }, 14671 Field: field, 14672 Weight: eval.HandlerWeight, 14673 }, nil 14674 case "signal.target.parent.argv": 14675 return &eval.StringArrayEvaluator{ 14676 EvalFnc: func(ctx *eval.Context) []string { 14677 ev := ctx.Event.(*Event) 14678 if !ev.Signal.Target.HasParent() { 14679 return []string{} 14680 } 14681 return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Signal.Target.Parent) 14682 }, 14683 Field: field, 14684 Weight: 500 * eval.HandlerWeight, 14685 }, nil 14686 case "signal.target.parent.argv0": 14687 return &eval.StringEvaluator{ 14688 EvalFnc: func(ctx *eval.Context) string { 14689 ev := ctx.Event.(*Event) 14690 if !ev.Signal.Target.HasParent() { 14691 return "" 14692 } 
14693 return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Signal.Target.Parent) 14694 }, 14695 Field: field, 14696 Weight: 100 * eval.HandlerWeight, 14697 }, nil 14698 case "signal.target.parent.cap_effective": 14699 return &eval.IntEvaluator{ 14700 EvalFnc: func(ctx *eval.Context) int { 14701 ev := ctx.Event.(*Event) 14702 if !ev.Signal.Target.HasParent() { 14703 return 0 14704 } 14705 return int(ev.Signal.Target.Parent.Credentials.CapEffective) 14706 }, 14707 Field: field, 14708 Weight: eval.FunctionWeight, 14709 }, nil 14710 case "signal.target.parent.cap_permitted": 14711 return &eval.IntEvaluator{ 14712 EvalFnc: func(ctx *eval.Context) int { 14713 ev := ctx.Event.(*Event) 14714 if !ev.Signal.Target.HasParent() { 14715 return 0 14716 } 14717 return int(ev.Signal.Target.Parent.Credentials.CapPermitted) 14718 }, 14719 Field: field, 14720 Weight: eval.FunctionWeight, 14721 }, nil 14722 case "signal.target.parent.comm": 14723 return &eval.StringEvaluator{ 14724 EvalFnc: func(ctx *eval.Context) string { 14725 ev := ctx.Event.(*Event) 14726 if !ev.Signal.Target.HasParent() { 14727 return "" 14728 } 14729 return ev.Signal.Target.Parent.Comm 14730 }, 14731 Field: field, 14732 Weight: eval.FunctionWeight, 14733 }, nil 14734 case "signal.target.parent.container.id": 14735 return &eval.StringEvaluator{ 14736 EvalFnc: func(ctx *eval.Context) string { 14737 ev := ctx.Event.(*Event) 14738 if !ev.Signal.Target.HasParent() { 14739 return "" 14740 } 14741 return ev.Signal.Target.Parent.ContainerID 14742 }, 14743 Field: field, 14744 Weight: eval.FunctionWeight, 14745 }, nil 14746 case "signal.target.parent.created_at": 14747 return &eval.IntEvaluator{ 14748 EvalFnc: func(ctx *eval.Context) int { 14749 ev := ctx.Event.(*Event) 14750 if !ev.Signal.Target.HasParent() { 14751 return 0 14752 } 14753 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Signal.Target.Parent)) 14754 }, 14755 Field: field, 14756 Weight: eval.HandlerWeight, 14757 }, nil 14758 case 
"signal.target.parent.egid": 14759 return &eval.IntEvaluator{ 14760 EvalFnc: func(ctx *eval.Context) int { 14761 ev := ctx.Event.(*Event) 14762 if !ev.Signal.Target.HasParent() { 14763 return 0 14764 } 14765 return int(ev.Signal.Target.Parent.Credentials.EGID) 14766 }, 14767 Field: field, 14768 Weight: eval.FunctionWeight, 14769 }, nil 14770 case "signal.target.parent.egroup": 14771 return &eval.StringEvaluator{ 14772 EvalFnc: func(ctx *eval.Context) string { 14773 ev := ctx.Event.(*Event) 14774 if !ev.Signal.Target.HasParent() { 14775 return "" 14776 } 14777 return ev.Signal.Target.Parent.Credentials.EGroup 14778 }, 14779 Field: field, 14780 Weight: eval.FunctionWeight, 14781 }, nil 14782 case "signal.target.parent.envp": 14783 return &eval.StringArrayEvaluator{ 14784 EvalFnc: func(ctx *eval.Context) []string { 14785 ev := ctx.Event.(*Event) 14786 if !ev.Signal.Target.HasParent() { 14787 return []string{} 14788 } 14789 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Signal.Target.Parent) 14790 }, 14791 Field: field, 14792 Weight: 100 * eval.HandlerWeight, 14793 }, nil 14794 case "signal.target.parent.envs": 14795 return &eval.StringArrayEvaluator{ 14796 EvalFnc: func(ctx *eval.Context) []string { 14797 ev := ctx.Event.(*Event) 14798 if !ev.Signal.Target.HasParent() { 14799 return []string{} 14800 } 14801 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Signal.Target.Parent) 14802 }, 14803 Field: field, 14804 Weight: 100 * eval.HandlerWeight, 14805 }, nil 14806 case "signal.target.parent.envs_truncated": 14807 return &eval.BoolEvaluator{ 14808 EvalFnc: func(ctx *eval.Context) bool { 14809 ev := ctx.Event.(*Event) 14810 if !ev.Signal.Target.HasParent() { 14811 return false 14812 } 14813 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Signal.Target.Parent) 14814 }, 14815 Field: field, 14816 Weight: eval.HandlerWeight, 14817 }, nil 14818 case "signal.target.parent.euid": 14819 return &eval.IntEvaluator{ 14820 EvalFnc: func(ctx *eval.Context) int { 14821 
ev := ctx.Event.(*Event) 14822 if !ev.Signal.Target.HasParent() { 14823 return 0 14824 } 14825 return int(ev.Signal.Target.Parent.Credentials.EUID) 14826 }, 14827 Field: field, 14828 Weight: eval.FunctionWeight, 14829 }, nil 14830 case "signal.target.parent.euser": 14831 return &eval.StringEvaluator{ 14832 EvalFnc: func(ctx *eval.Context) string { 14833 ev := ctx.Event.(*Event) 14834 if !ev.Signal.Target.HasParent() { 14835 return "" 14836 } 14837 return ev.Signal.Target.Parent.Credentials.EUser 14838 }, 14839 Field: field, 14840 Weight: eval.FunctionWeight, 14841 }, nil 14842 case "signal.target.parent.file.change_time": 14843 return &eval.IntEvaluator{ 14844 EvalFnc: func(ctx *eval.Context) int { 14845 ev := ctx.Event.(*Event) 14846 if !ev.Signal.Target.HasParent() { 14847 return 0 14848 } 14849 if !ev.Signal.Target.Parent.IsNotKworker() { 14850 return 0 14851 } 14852 return int(ev.Signal.Target.Parent.FileEvent.FileFields.CTime) 14853 }, 14854 Field: field, 14855 Weight: eval.FunctionWeight, 14856 }, nil 14857 case "signal.target.parent.file.filesystem": 14858 return &eval.StringEvaluator{ 14859 EvalFnc: func(ctx *eval.Context) string { 14860 ev := ctx.Event.(*Event) 14861 if !ev.Signal.Target.HasParent() { 14862 return "" 14863 } 14864 if !ev.Signal.Target.Parent.IsNotKworker() { 14865 return "" 14866 } 14867 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Parent.FileEvent) 14868 }, 14869 Field: field, 14870 Weight: eval.HandlerWeight, 14871 }, nil 14872 case "signal.target.parent.file.gid": 14873 return &eval.IntEvaluator{ 14874 EvalFnc: func(ctx *eval.Context) int { 14875 ev := ctx.Event.(*Event) 14876 if !ev.Signal.Target.HasParent() { 14877 return 0 14878 } 14879 if !ev.Signal.Target.Parent.IsNotKworker() { 14880 return 0 14881 } 14882 return int(ev.Signal.Target.Parent.FileEvent.FileFields.GID) 14883 }, 14884 Field: field, 14885 Weight: eval.FunctionWeight, 14886 }, nil 14887 case "signal.target.parent.file.group": 14888 return 
&eval.StringEvaluator{ 14889 EvalFnc: func(ctx *eval.Context) string { 14890 ev := ctx.Event.(*Event) 14891 if !ev.Signal.Target.HasParent() { 14892 return "" 14893 } 14894 if !ev.Signal.Target.Parent.IsNotKworker() { 14895 return "" 14896 } 14897 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Parent.FileEvent.FileFields) 14898 }, 14899 Field: field, 14900 Weight: eval.HandlerWeight, 14901 }, nil 14902 case "signal.target.parent.file.hashes": 14903 return &eval.StringArrayEvaluator{ 14904 EvalFnc: func(ctx *eval.Context) []string { 14905 ev := ctx.Event.(*Event) 14906 if !ev.Signal.Target.HasParent() { 14907 return []string{} 14908 } 14909 if !ev.Signal.Target.Parent.IsNotKworker() { 14910 return []string{} 14911 } 14912 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Parent.FileEvent) 14913 }, 14914 Field: field, 14915 Weight: 999 * eval.HandlerWeight, 14916 }, nil 14917 case "signal.target.parent.file.in_upper_layer": 14918 return &eval.BoolEvaluator{ 14919 EvalFnc: func(ctx *eval.Context) bool { 14920 ev := ctx.Event.(*Event) 14921 if !ev.Signal.Target.HasParent() { 14922 return false 14923 } 14924 if !ev.Signal.Target.Parent.IsNotKworker() { 14925 return false 14926 } 14927 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Parent.FileEvent.FileFields) 14928 }, 14929 Field: field, 14930 Weight: eval.HandlerWeight, 14931 }, nil 14932 case "signal.target.parent.file.inode": 14933 return &eval.IntEvaluator{ 14934 EvalFnc: func(ctx *eval.Context) int { 14935 ev := ctx.Event.(*Event) 14936 if !ev.Signal.Target.HasParent() { 14937 return 0 14938 } 14939 if !ev.Signal.Target.Parent.IsNotKworker() { 14940 return 0 14941 } 14942 return int(ev.Signal.Target.Parent.FileEvent.FileFields.PathKey.Inode) 14943 }, 14944 Field: field, 14945 Weight: eval.FunctionWeight, 14946 }, nil 14947 case "signal.target.parent.file.mode": 14948 return &eval.IntEvaluator{ 14949 EvalFnc: func(ctx *eval.Context) int { 14950 ev 
:= ctx.Event.(*Event) 14951 if !ev.Signal.Target.HasParent() { 14952 return 0 14953 } 14954 if !ev.Signal.Target.Parent.IsNotKworker() { 14955 return 0 14956 } 14957 return int(ev.Signal.Target.Parent.FileEvent.FileFields.Mode) 14958 }, 14959 Field: field, 14960 Weight: eval.FunctionWeight, 14961 }, nil 14962 case "signal.target.parent.file.modification_time": 14963 return &eval.IntEvaluator{ 14964 EvalFnc: func(ctx *eval.Context) int { 14965 ev := ctx.Event.(*Event) 14966 if !ev.Signal.Target.HasParent() { 14967 return 0 14968 } 14969 if !ev.Signal.Target.Parent.IsNotKworker() { 14970 return 0 14971 } 14972 return int(ev.Signal.Target.Parent.FileEvent.FileFields.MTime) 14973 }, 14974 Field: field, 14975 Weight: eval.FunctionWeight, 14976 }, nil 14977 case "signal.target.parent.file.mount_id": 14978 return &eval.IntEvaluator{ 14979 EvalFnc: func(ctx *eval.Context) int { 14980 ev := ctx.Event.(*Event) 14981 if !ev.Signal.Target.HasParent() { 14982 return 0 14983 } 14984 if !ev.Signal.Target.Parent.IsNotKworker() { 14985 return 0 14986 } 14987 return int(ev.Signal.Target.Parent.FileEvent.FileFields.PathKey.MountID) 14988 }, 14989 Field: field, 14990 Weight: eval.FunctionWeight, 14991 }, nil 14992 case "signal.target.parent.file.name": 14993 return &eval.StringEvaluator{ 14994 OpOverrides: ProcessSymlinkBasename, 14995 EvalFnc: func(ctx *eval.Context) string { 14996 ev := ctx.Event.(*Event) 14997 if !ev.Signal.Target.HasParent() { 14998 return "" 14999 } 15000 if !ev.Signal.Target.Parent.IsNotKworker() { 15001 return "" 15002 } 15003 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.FileEvent) 15004 }, 15005 Field: field, 15006 Weight: eval.HandlerWeight, 15007 }, nil 15008 case "signal.target.parent.file.name.length": 15009 return &eval.IntEvaluator{ 15010 OpOverrides: ProcessSymlinkBasename, 15011 EvalFnc: func(ctx *eval.Context) int { 15012 ev := ctx.Event.(*Event) 15013 return len(ev.FieldHandlers.ResolveFileBasename(ev, 
&ev.Signal.Target.Parent.FileEvent)) 15014 }, 15015 Field: field, 15016 Weight: eval.HandlerWeight, 15017 }, nil 15018 case "signal.target.parent.file.package.name": 15019 return &eval.StringEvaluator{ 15020 EvalFnc: func(ctx *eval.Context) string { 15021 ev := ctx.Event.(*Event) 15022 if !ev.Signal.Target.HasParent() { 15023 return "" 15024 } 15025 if !ev.Signal.Target.Parent.IsNotKworker() { 15026 return "" 15027 } 15028 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Parent.FileEvent) 15029 }, 15030 Field: field, 15031 Weight: eval.HandlerWeight, 15032 }, nil 15033 case "signal.target.parent.file.package.source_version": 15034 return &eval.StringEvaluator{ 15035 EvalFnc: func(ctx *eval.Context) string { 15036 ev := ctx.Event.(*Event) 15037 if !ev.Signal.Target.HasParent() { 15038 return "" 15039 } 15040 if !ev.Signal.Target.Parent.IsNotKworker() { 15041 return "" 15042 } 15043 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Parent.FileEvent) 15044 }, 15045 Field: field, 15046 Weight: eval.HandlerWeight, 15047 }, nil 15048 case "signal.target.parent.file.package.version": 15049 return &eval.StringEvaluator{ 15050 EvalFnc: func(ctx *eval.Context) string { 15051 ev := ctx.Event.(*Event) 15052 if !ev.Signal.Target.HasParent() { 15053 return "" 15054 } 15055 if !ev.Signal.Target.Parent.IsNotKworker() { 15056 return "" 15057 } 15058 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Parent.FileEvent) 15059 }, 15060 Field: field, 15061 Weight: eval.HandlerWeight, 15062 }, nil 15063 case "signal.target.parent.file.path": 15064 return &eval.StringEvaluator{ 15065 OpOverrides: ProcessSymlinkPathname, 15066 EvalFnc: func(ctx *eval.Context) string { 15067 ev := ctx.Event.(*Event) 15068 if !ev.Signal.Target.HasParent() { 15069 return "" 15070 } 15071 if !ev.Signal.Target.Parent.IsNotKworker() { 15072 return "" 15073 } 15074 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.FileEvent) 15075 }, 
15076 Field: field, 15077 Weight: eval.HandlerWeight, 15078 }, nil 15079 case "signal.target.parent.file.path.length": 15080 return &eval.IntEvaluator{ 15081 OpOverrides: ProcessSymlinkPathname, 15082 EvalFnc: func(ctx *eval.Context) int { 15083 ev := ctx.Event.(*Event) 15084 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.FileEvent)) 15085 }, 15086 Field: field, 15087 Weight: eval.HandlerWeight, 15088 }, nil 15089 case "signal.target.parent.file.rights": 15090 return &eval.IntEvaluator{ 15091 EvalFnc: func(ctx *eval.Context) int { 15092 ev := ctx.Event.(*Event) 15093 if !ev.Signal.Target.HasParent() { 15094 return 0 15095 } 15096 if !ev.Signal.Target.Parent.IsNotKworker() { 15097 return 0 15098 } 15099 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Parent.FileEvent.FileFields)) 15100 }, 15101 Field: field, 15102 Weight: eval.HandlerWeight, 15103 }, nil 15104 case "signal.target.parent.file.uid": 15105 return &eval.IntEvaluator{ 15106 EvalFnc: func(ctx *eval.Context) int { 15107 ev := ctx.Event.(*Event) 15108 if !ev.Signal.Target.HasParent() { 15109 return 0 15110 } 15111 if !ev.Signal.Target.Parent.IsNotKworker() { 15112 return 0 15113 } 15114 return int(ev.Signal.Target.Parent.FileEvent.FileFields.UID) 15115 }, 15116 Field: field, 15117 Weight: eval.FunctionWeight, 15118 }, nil 15119 case "signal.target.parent.file.user": 15120 return &eval.StringEvaluator{ 15121 EvalFnc: func(ctx *eval.Context) string { 15122 ev := ctx.Event.(*Event) 15123 if !ev.Signal.Target.HasParent() { 15124 return "" 15125 } 15126 if !ev.Signal.Target.Parent.IsNotKworker() { 15127 return "" 15128 } 15129 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Parent.FileEvent.FileFields) 15130 }, 15131 Field: field, 15132 Weight: eval.HandlerWeight, 15133 }, nil 15134 case "signal.target.parent.fsgid": 15135 return &eval.IntEvaluator{ 15136 EvalFnc: func(ctx *eval.Context) int { 15137 ev := ctx.Event.(*Event) 15138 if 
!ev.Signal.Target.HasParent() { 15139 return 0 15140 } 15141 return int(ev.Signal.Target.Parent.Credentials.FSGID) 15142 }, 15143 Field: field, 15144 Weight: eval.FunctionWeight, 15145 }, nil 15146 case "signal.target.parent.fsgroup": 15147 return &eval.StringEvaluator{ 15148 EvalFnc: func(ctx *eval.Context) string { 15149 ev := ctx.Event.(*Event) 15150 if !ev.Signal.Target.HasParent() { 15151 return "" 15152 } 15153 return ev.Signal.Target.Parent.Credentials.FSGroup 15154 }, 15155 Field: field, 15156 Weight: eval.FunctionWeight, 15157 }, nil 15158 case "signal.target.parent.fsuid": 15159 return &eval.IntEvaluator{ 15160 EvalFnc: func(ctx *eval.Context) int { 15161 ev := ctx.Event.(*Event) 15162 if !ev.Signal.Target.HasParent() { 15163 return 0 15164 } 15165 return int(ev.Signal.Target.Parent.Credentials.FSUID) 15166 }, 15167 Field: field, 15168 Weight: eval.FunctionWeight, 15169 }, nil 15170 case "signal.target.parent.fsuser": 15171 return &eval.StringEvaluator{ 15172 EvalFnc: func(ctx *eval.Context) string { 15173 ev := ctx.Event.(*Event) 15174 if !ev.Signal.Target.HasParent() { 15175 return "" 15176 } 15177 return ev.Signal.Target.Parent.Credentials.FSUser 15178 }, 15179 Field: field, 15180 Weight: eval.FunctionWeight, 15181 }, nil 15182 case "signal.target.parent.gid": 15183 return &eval.IntEvaluator{ 15184 EvalFnc: func(ctx *eval.Context) int { 15185 ev := ctx.Event.(*Event) 15186 if !ev.Signal.Target.HasParent() { 15187 return 0 15188 } 15189 return int(ev.Signal.Target.Parent.Credentials.GID) 15190 }, 15191 Field: field, 15192 Weight: eval.FunctionWeight, 15193 }, nil 15194 case "signal.target.parent.group": 15195 return &eval.StringEvaluator{ 15196 EvalFnc: func(ctx *eval.Context) string { 15197 ev := ctx.Event.(*Event) 15198 if !ev.Signal.Target.HasParent() { 15199 return "" 15200 } 15201 return ev.Signal.Target.Parent.Credentials.Group 15202 }, 15203 Field: field, 15204 Weight: eval.FunctionWeight, 15205 }, nil 15206 case 
"signal.target.parent.interpreter.file.change_time": 15207 return &eval.IntEvaluator{ 15208 EvalFnc: func(ctx *eval.Context) int { 15209 ev := ctx.Event.(*Event) 15210 if !ev.Signal.Target.HasParent() { 15211 return 0 15212 } 15213 if !ev.Signal.Target.Parent.HasInterpreter() { 15214 return 0 15215 } 15216 return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.CTime) 15217 }, 15218 Field: field, 15219 Weight: eval.FunctionWeight, 15220 }, nil 15221 case "signal.target.parent.interpreter.file.filesystem": 15222 return &eval.StringEvaluator{ 15223 EvalFnc: func(ctx *eval.Context) string { 15224 ev := ctx.Event.(*Event) 15225 if !ev.Signal.Target.HasParent() { 15226 return "" 15227 } 15228 if !ev.Signal.Target.Parent.HasInterpreter() { 15229 return "" 15230 } 15231 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) 15232 }, 15233 Field: field, 15234 Weight: eval.HandlerWeight, 15235 }, nil 15236 case "signal.target.parent.interpreter.file.gid": 15237 return &eval.IntEvaluator{ 15238 EvalFnc: func(ctx *eval.Context) int { 15239 ev := ctx.Event.(*Event) 15240 if !ev.Signal.Target.HasParent() { 15241 return 0 15242 } 15243 if !ev.Signal.Target.Parent.HasInterpreter() { 15244 return 0 15245 } 15246 return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.GID) 15247 }, 15248 Field: field, 15249 Weight: eval.FunctionWeight, 15250 }, nil 15251 case "signal.target.parent.interpreter.file.group": 15252 return &eval.StringEvaluator{ 15253 EvalFnc: func(ctx *eval.Context) string { 15254 ev := ctx.Event.(*Event) 15255 if !ev.Signal.Target.HasParent() { 15256 return "" 15257 } 15258 if !ev.Signal.Target.Parent.HasInterpreter() { 15259 return "" 15260 } 15261 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields) 15262 }, 15263 Field: field, 15264 Weight: eval.HandlerWeight, 15265 }, nil 15266 case "signal.target.parent.interpreter.file.hashes": 15267 return 
&eval.StringArrayEvaluator{ 15268 EvalFnc: func(ctx *eval.Context) []string { 15269 ev := ctx.Event.(*Event) 15270 if !ev.Signal.Target.HasParent() { 15271 return []string{} 15272 } 15273 if !ev.Signal.Target.Parent.HasInterpreter() { 15274 return []string{} 15275 } 15276 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) 15277 }, 15278 Field: field, 15279 Weight: 999 * eval.HandlerWeight, 15280 }, nil 15281 case "signal.target.parent.interpreter.file.in_upper_layer": 15282 return &eval.BoolEvaluator{ 15283 EvalFnc: func(ctx *eval.Context) bool { 15284 ev := ctx.Event.(*Event) 15285 if !ev.Signal.Target.HasParent() { 15286 return false 15287 } 15288 if !ev.Signal.Target.Parent.HasInterpreter() { 15289 return false 15290 } 15291 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields) 15292 }, 15293 Field: field, 15294 Weight: eval.HandlerWeight, 15295 }, nil 15296 case "signal.target.parent.interpreter.file.inode": 15297 return &eval.IntEvaluator{ 15298 EvalFnc: func(ctx *eval.Context) int { 15299 ev := ctx.Event.(*Event) 15300 if !ev.Signal.Target.HasParent() { 15301 return 0 15302 } 15303 if !ev.Signal.Target.Parent.HasInterpreter() { 15304 return 0 15305 } 15306 return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 15307 }, 15308 Field: field, 15309 Weight: eval.FunctionWeight, 15310 }, nil 15311 case "signal.target.parent.interpreter.file.mode": 15312 return &eval.IntEvaluator{ 15313 EvalFnc: func(ctx *eval.Context) int { 15314 ev := ctx.Event.(*Event) 15315 if !ev.Signal.Target.HasParent() { 15316 return 0 15317 } 15318 if !ev.Signal.Target.Parent.HasInterpreter() { 15319 return 0 15320 } 15321 return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.Mode) 15322 }, 15323 Field: field, 15324 Weight: eval.FunctionWeight, 15325 }, nil 15326 case "signal.target.parent.interpreter.file.modification_time": 15327 return 
&eval.IntEvaluator{ 15328 EvalFnc: func(ctx *eval.Context) int { 15329 ev := ctx.Event.(*Event) 15330 if !ev.Signal.Target.HasParent() { 15331 return 0 15332 } 15333 if !ev.Signal.Target.Parent.HasInterpreter() { 15334 return 0 15335 } 15336 return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.MTime) 15337 }, 15338 Field: field, 15339 Weight: eval.FunctionWeight, 15340 }, nil 15341 case "signal.target.parent.interpreter.file.mount_id": 15342 return &eval.IntEvaluator{ 15343 EvalFnc: func(ctx *eval.Context) int { 15344 ev := ctx.Event.(*Event) 15345 if !ev.Signal.Target.HasParent() { 15346 return 0 15347 } 15348 if !ev.Signal.Target.Parent.HasInterpreter() { 15349 return 0 15350 } 15351 return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 15352 }, 15353 Field: field, 15354 Weight: eval.FunctionWeight, 15355 }, nil 15356 case "signal.target.parent.interpreter.file.name": 15357 return &eval.StringEvaluator{ 15358 OpOverrides: ProcessSymlinkBasename, 15359 EvalFnc: func(ctx *eval.Context) string { 15360 ev := ctx.Event.(*Event) 15361 if !ev.Signal.Target.HasParent() { 15362 return "" 15363 } 15364 if !ev.Signal.Target.Parent.HasInterpreter() { 15365 return "" 15366 } 15367 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) 15368 }, 15369 Field: field, 15370 Weight: eval.HandlerWeight, 15371 }, nil 15372 case "signal.target.parent.interpreter.file.name.length": 15373 return &eval.IntEvaluator{ 15374 OpOverrides: ProcessSymlinkBasename, 15375 EvalFnc: func(ctx *eval.Context) int { 15376 ev := ctx.Event.(*Event) 15377 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent)) 15378 }, 15379 Field: field, 15380 Weight: eval.HandlerWeight, 15381 }, nil 15382 case "signal.target.parent.interpreter.file.package.name": 15383 return &eval.StringEvaluator{ 15384 EvalFnc: func(ctx *eval.Context) string { 15385 ev := ctx.Event.(*Event) 15386 if 
!ev.Signal.Target.HasParent() { 15387 return "" 15388 } 15389 if !ev.Signal.Target.Parent.HasInterpreter() { 15390 return "" 15391 } 15392 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) 15393 }, 15394 Field: field, 15395 Weight: eval.HandlerWeight, 15396 }, nil 15397 case "signal.target.parent.interpreter.file.package.source_version": 15398 return &eval.StringEvaluator{ 15399 EvalFnc: func(ctx *eval.Context) string { 15400 ev := ctx.Event.(*Event) 15401 if !ev.Signal.Target.HasParent() { 15402 return "" 15403 } 15404 if !ev.Signal.Target.Parent.HasInterpreter() { 15405 return "" 15406 } 15407 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) 15408 }, 15409 Field: field, 15410 Weight: eval.HandlerWeight, 15411 }, nil 15412 case "signal.target.parent.interpreter.file.package.version": 15413 return &eval.StringEvaluator{ 15414 EvalFnc: func(ctx *eval.Context) string { 15415 ev := ctx.Event.(*Event) 15416 if !ev.Signal.Target.HasParent() { 15417 return "" 15418 } 15419 if !ev.Signal.Target.Parent.HasInterpreter() { 15420 return "" 15421 } 15422 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) 15423 }, 15424 Field: field, 15425 Weight: eval.HandlerWeight, 15426 }, nil 15427 case "signal.target.parent.interpreter.file.path": 15428 return &eval.StringEvaluator{ 15429 OpOverrides: ProcessSymlinkPathname, 15430 EvalFnc: func(ctx *eval.Context) string { 15431 ev := ctx.Event.(*Event) 15432 if !ev.Signal.Target.HasParent() { 15433 return "" 15434 } 15435 if !ev.Signal.Target.Parent.HasInterpreter() { 15436 return "" 15437 } 15438 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent) 15439 }, 15440 Field: field, 15441 Weight: eval.HandlerWeight, 15442 }, nil 15443 case "signal.target.parent.interpreter.file.path.length": 15444 return &eval.IntEvaluator{ 15445 OpOverrides: 
ProcessSymlinkPathname, 15446 EvalFnc: func(ctx *eval.Context) int { 15447 ev := ctx.Event.(*Event) 15448 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent)) 15449 }, 15450 Field: field, 15451 Weight: eval.HandlerWeight, 15452 }, nil 15453 case "signal.target.parent.interpreter.file.rights": 15454 return &eval.IntEvaluator{ 15455 EvalFnc: func(ctx *eval.Context) int { 15456 ev := ctx.Event.(*Event) 15457 if !ev.Signal.Target.HasParent() { 15458 return 0 15459 } 15460 if !ev.Signal.Target.Parent.HasInterpreter() { 15461 return 0 15462 } 15463 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields)) 15464 }, 15465 Field: field, 15466 Weight: eval.HandlerWeight, 15467 }, nil 15468 case "signal.target.parent.interpreter.file.uid": 15469 return &eval.IntEvaluator{ 15470 EvalFnc: func(ctx *eval.Context) int { 15471 ev := ctx.Event.(*Event) 15472 if !ev.Signal.Target.HasParent() { 15473 return 0 15474 } 15475 if !ev.Signal.Target.Parent.HasInterpreter() { 15476 return 0 15477 } 15478 return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.UID) 15479 }, 15480 Field: field, 15481 Weight: eval.FunctionWeight, 15482 }, nil 15483 case "signal.target.parent.interpreter.file.user": 15484 return &eval.StringEvaluator{ 15485 EvalFnc: func(ctx *eval.Context) string { 15486 ev := ctx.Event.(*Event) 15487 if !ev.Signal.Target.HasParent() { 15488 return "" 15489 } 15490 if !ev.Signal.Target.Parent.HasInterpreter() { 15491 return "" 15492 } 15493 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields) 15494 }, 15495 Field: field, 15496 Weight: eval.HandlerWeight, 15497 }, nil 15498 case "signal.target.parent.is_kworker": 15499 return &eval.BoolEvaluator{ 15500 EvalFnc: func(ctx *eval.Context) bool { 15501 ev := ctx.Event.(*Event) 15502 if !ev.Signal.Target.HasParent() { 15503 return false 15504 } 15505 return 
ev.Signal.Target.Parent.PIDContext.IsKworker 15506 }, 15507 Field: field, 15508 Weight: eval.FunctionWeight, 15509 }, nil 15510 case "signal.target.parent.is_thread": 15511 return &eval.BoolEvaluator{ 15512 EvalFnc: func(ctx *eval.Context) bool { 15513 ev := ctx.Event.(*Event) 15514 if !ev.Signal.Target.HasParent() { 15515 return false 15516 } 15517 return ev.Signal.Target.Parent.IsThread 15518 }, 15519 Field: field, 15520 Weight: eval.FunctionWeight, 15521 }, nil 15522 case "signal.target.parent.pid": 15523 return &eval.IntEvaluator{ 15524 EvalFnc: func(ctx *eval.Context) int { 15525 ev := ctx.Event.(*Event) 15526 if !ev.Signal.Target.HasParent() { 15527 return 0 15528 } 15529 return int(ev.Signal.Target.Parent.PIDContext.Pid) 15530 }, 15531 Field: field, 15532 Weight: eval.FunctionWeight, 15533 }, nil 15534 case "signal.target.parent.ppid": 15535 return &eval.IntEvaluator{ 15536 EvalFnc: func(ctx *eval.Context) int { 15537 ev := ctx.Event.(*Event) 15538 if !ev.Signal.Target.HasParent() { 15539 return 0 15540 } 15541 return int(ev.Signal.Target.Parent.PPid) 15542 }, 15543 Field: field, 15544 Weight: eval.FunctionWeight, 15545 }, nil 15546 case "signal.target.parent.tid": 15547 return &eval.IntEvaluator{ 15548 EvalFnc: func(ctx *eval.Context) int { 15549 ev := ctx.Event.(*Event) 15550 if !ev.Signal.Target.HasParent() { 15551 return 0 15552 } 15553 return int(ev.Signal.Target.Parent.PIDContext.Tid) 15554 }, 15555 Field: field, 15556 Weight: eval.FunctionWeight, 15557 }, nil 15558 case "signal.target.parent.tty_name": 15559 return &eval.StringEvaluator{ 15560 EvalFnc: func(ctx *eval.Context) string { 15561 ev := ctx.Event.(*Event) 15562 if !ev.Signal.Target.HasParent() { 15563 return "" 15564 } 15565 return ev.Signal.Target.Parent.TTYName 15566 }, 15567 Field: field, 15568 Weight: eval.FunctionWeight, 15569 }, nil 15570 case "signal.target.parent.uid": 15571 return &eval.IntEvaluator{ 15572 EvalFnc: func(ctx *eval.Context) int { 15573 ev := ctx.Event.(*Event) 15574 
if !ev.Signal.Target.HasParent() { 15575 return 0 15576 } 15577 return int(ev.Signal.Target.Parent.Credentials.UID) 15578 }, 15579 Field: field, 15580 Weight: eval.FunctionWeight, 15581 }, nil 15582 case "signal.target.parent.user": 15583 return &eval.StringEvaluator{ 15584 EvalFnc: func(ctx *eval.Context) string { 15585 ev := ctx.Event.(*Event) 15586 if !ev.Signal.Target.HasParent() { 15587 return "" 15588 } 15589 return ev.Signal.Target.Parent.Credentials.User 15590 }, 15591 Field: field, 15592 Weight: eval.FunctionWeight, 15593 }, nil 15594 case "signal.target.parent.user_session.k8s_groups": 15595 return &eval.StringArrayEvaluator{ 15596 EvalFnc: func(ctx *eval.Context) []string { 15597 ev := ctx.Event.(*Event) 15598 if !ev.Signal.Target.HasParent() { 15599 return []string{} 15600 } 15601 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Signal.Target.Parent.UserSession) 15602 }, 15603 Field: field, 15604 Weight: eval.HandlerWeight, 15605 }, nil 15606 case "signal.target.parent.user_session.k8s_uid": 15607 return &eval.StringEvaluator{ 15608 EvalFnc: func(ctx *eval.Context) string { 15609 ev := ctx.Event.(*Event) 15610 if !ev.Signal.Target.HasParent() { 15611 return "" 15612 } 15613 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Signal.Target.Parent.UserSession) 15614 }, 15615 Field: field, 15616 Weight: eval.HandlerWeight, 15617 }, nil 15618 case "signal.target.parent.user_session.k8s_username": 15619 return &eval.StringEvaluator{ 15620 EvalFnc: func(ctx *eval.Context) string { 15621 ev := ctx.Event.(*Event) 15622 if !ev.Signal.Target.HasParent() { 15623 return "" 15624 } 15625 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Signal.Target.Parent.UserSession) 15626 }, 15627 Field: field, 15628 Weight: eval.HandlerWeight, 15629 }, nil 15630 case "signal.target.pid": 15631 return &eval.IntEvaluator{ 15632 EvalFnc: func(ctx *eval.Context) int { 15633 ev := ctx.Event.(*Event) 15634 return int(ev.Signal.Target.Process.PIDContext.Pid) 15635 }, 15636 Field: field, 
15637 Weight: eval.FunctionWeight, 15638 }, nil 15639 case "signal.target.ppid": 15640 return &eval.IntEvaluator{ 15641 EvalFnc: func(ctx *eval.Context) int { 15642 ev := ctx.Event.(*Event) 15643 return int(ev.Signal.Target.Process.PPid) 15644 }, 15645 Field: field, 15646 Weight: eval.FunctionWeight, 15647 }, nil 15648 case "signal.target.tid": 15649 return &eval.IntEvaluator{ 15650 EvalFnc: func(ctx *eval.Context) int { 15651 ev := ctx.Event.(*Event) 15652 return int(ev.Signal.Target.Process.PIDContext.Tid) 15653 }, 15654 Field: field, 15655 Weight: eval.FunctionWeight, 15656 }, nil 15657 case "signal.target.tty_name": 15658 return &eval.StringEvaluator{ 15659 EvalFnc: func(ctx *eval.Context) string { 15660 ev := ctx.Event.(*Event) 15661 return ev.Signal.Target.Process.TTYName 15662 }, 15663 Field: field, 15664 Weight: eval.FunctionWeight, 15665 }, nil 15666 case "signal.target.uid": 15667 return &eval.IntEvaluator{ 15668 EvalFnc: func(ctx *eval.Context) int { 15669 ev := ctx.Event.(*Event) 15670 return int(ev.Signal.Target.Process.Credentials.UID) 15671 }, 15672 Field: field, 15673 Weight: eval.FunctionWeight, 15674 }, nil 15675 case "signal.target.user": 15676 return &eval.StringEvaluator{ 15677 EvalFnc: func(ctx *eval.Context) string { 15678 ev := ctx.Event.(*Event) 15679 return ev.Signal.Target.Process.Credentials.User 15680 }, 15681 Field: field, 15682 Weight: eval.FunctionWeight, 15683 }, nil 15684 case "signal.target.user_session.k8s_groups": 15685 return &eval.StringArrayEvaluator{ 15686 EvalFnc: func(ctx *eval.Context) []string { 15687 ev := ctx.Event.(*Event) 15688 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Signal.Target.Process.UserSession) 15689 }, 15690 Field: field, 15691 Weight: eval.HandlerWeight, 15692 }, nil 15693 case "signal.target.user_session.k8s_uid": 15694 return &eval.StringEvaluator{ 15695 EvalFnc: func(ctx *eval.Context) string { 15696 ev := ctx.Event.(*Event) 15697 return ev.FieldHandlers.ResolveK8SUID(ev, 
&ev.Signal.Target.Process.UserSession) 15698 }, 15699 Field: field, 15700 Weight: eval.HandlerWeight, 15701 }, nil 15702 case "signal.target.user_session.k8s_username": 15703 return &eval.StringEvaluator{ 15704 EvalFnc: func(ctx *eval.Context) string { 15705 ev := ctx.Event.(*Event) 15706 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Signal.Target.Process.UserSession) 15707 }, 15708 Field: field, 15709 Weight: eval.HandlerWeight, 15710 }, nil 15711 case "signal.type": 15712 return &eval.IntEvaluator{ 15713 EvalFnc: func(ctx *eval.Context) int { 15714 ev := ctx.Event.(*Event) 15715 return int(ev.Signal.Type) 15716 }, 15717 Field: field, 15718 Weight: eval.FunctionWeight, 15719 }, nil 15720 case "splice.file.change_time": 15721 return &eval.IntEvaluator{ 15722 EvalFnc: func(ctx *eval.Context) int { 15723 ev := ctx.Event.(*Event) 15724 return int(ev.Splice.File.FileFields.CTime) 15725 }, 15726 Field: field, 15727 Weight: eval.FunctionWeight, 15728 }, nil 15729 case "splice.file.filesystem": 15730 return &eval.StringEvaluator{ 15731 EvalFnc: func(ctx *eval.Context) string { 15732 ev := ctx.Event.(*Event) 15733 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Splice.File) 15734 }, 15735 Field: field, 15736 Weight: eval.HandlerWeight, 15737 }, nil 15738 case "splice.file.gid": 15739 return &eval.IntEvaluator{ 15740 EvalFnc: func(ctx *eval.Context) int { 15741 ev := ctx.Event.(*Event) 15742 return int(ev.Splice.File.FileFields.GID) 15743 }, 15744 Field: field, 15745 Weight: eval.FunctionWeight, 15746 }, nil 15747 case "splice.file.group": 15748 return &eval.StringEvaluator{ 15749 EvalFnc: func(ctx *eval.Context) string { 15750 ev := ctx.Event.(*Event) 15751 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Splice.File.FileFields) 15752 }, 15753 Field: field, 15754 Weight: eval.HandlerWeight, 15755 }, nil 15756 case "splice.file.hashes": 15757 return &eval.StringArrayEvaluator{ 15758 EvalFnc: func(ctx *eval.Context) []string { 15759 ev := ctx.Event.(*Event) 
15760 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Splice.File) 15761 }, 15762 Field: field, 15763 Weight: 999 * eval.HandlerWeight, 15764 }, nil 15765 case "splice.file.in_upper_layer": 15766 return &eval.BoolEvaluator{ 15767 EvalFnc: func(ctx *eval.Context) bool { 15768 ev := ctx.Event.(*Event) 15769 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Splice.File.FileFields) 15770 }, 15771 Field: field, 15772 Weight: eval.HandlerWeight, 15773 }, nil 15774 case "splice.file.inode": 15775 return &eval.IntEvaluator{ 15776 EvalFnc: func(ctx *eval.Context) int { 15777 ev := ctx.Event.(*Event) 15778 return int(ev.Splice.File.FileFields.PathKey.Inode) 15779 }, 15780 Field: field, 15781 Weight: eval.FunctionWeight, 15782 }, nil 15783 case "splice.file.mode": 15784 return &eval.IntEvaluator{ 15785 EvalFnc: func(ctx *eval.Context) int { 15786 ev := ctx.Event.(*Event) 15787 return int(ev.Splice.File.FileFields.Mode) 15788 }, 15789 Field: field, 15790 Weight: eval.FunctionWeight, 15791 }, nil 15792 case "splice.file.modification_time": 15793 return &eval.IntEvaluator{ 15794 EvalFnc: func(ctx *eval.Context) int { 15795 ev := ctx.Event.(*Event) 15796 return int(ev.Splice.File.FileFields.MTime) 15797 }, 15798 Field: field, 15799 Weight: eval.FunctionWeight, 15800 }, nil 15801 case "splice.file.mount_id": 15802 return &eval.IntEvaluator{ 15803 EvalFnc: func(ctx *eval.Context) int { 15804 ev := ctx.Event.(*Event) 15805 return int(ev.Splice.File.FileFields.PathKey.MountID) 15806 }, 15807 Field: field, 15808 Weight: eval.FunctionWeight, 15809 }, nil 15810 case "splice.file.name": 15811 return &eval.StringEvaluator{ 15812 OpOverrides: ProcessSymlinkBasename, 15813 EvalFnc: func(ctx *eval.Context) string { 15814 ev := ctx.Event.(*Event) 15815 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Splice.File) 15816 }, 15817 Field: field, 15818 Weight: eval.HandlerWeight, 15819 }, nil 15820 case "splice.file.name.length": 15821 return &eval.IntEvaluator{ 15822 
OpOverrides: ProcessSymlinkBasename, 15823 EvalFnc: func(ctx *eval.Context) int { 15824 ev := ctx.Event.(*Event) 15825 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Splice.File)) 15826 }, 15827 Field: field, 15828 Weight: eval.HandlerWeight, 15829 }, nil 15830 case "splice.file.package.name": 15831 return &eval.StringEvaluator{ 15832 EvalFnc: func(ctx *eval.Context) string { 15833 ev := ctx.Event.(*Event) 15834 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Splice.File) 15835 }, 15836 Field: field, 15837 Weight: eval.HandlerWeight, 15838 }, nil 15839 case "splice.file.package.source_version": 15840 return &eval.StringEvaluator{ 15841 EvalFnc: func(ctx *eval.Context) string { 15842 ev := ctx.Event.(*Event) 15843 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Splice.File) 15844 }, 15845 Field: field, 15846 Weight: eval.HandlerWeight, 15847 }, nil 15848 case "splice.file.package.version": 15849 return &eval.StringEvaluator{ 15850 EvalFnc: func(ctx *eval.Context) string { 15851 ev := ctx.Event.(*Event) 15852 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Splice.File) 15853 }, 15854 Field: field, 15855 Weight: eval.HandlerWeight, 15856 }, nil 15857 case "splice.file.path": 15858 return &eval.StringEvaluator{ 15859 OpOverrides: ProcessSymlinkPathname, 15860 EvalFnc: func(ctx *eval.Context) string { 15861 ev := ctx.Event.(*Event) 15862 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Splice.File) 15863 }, 15864 Field: field, 15865 Weight: eval.HandlerWeight, 15866 }, nil 15867 case "splice.file.path.length": 15868 return &eval.IntEvaluator{ 15869 OpOverrides: ProcessSymlinkPathname, 15870 EvalFnc: func(ctx *eval.Context) int { 15871 ev := ctx.Event.(*Event) 15872 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Splice.File)) 15873 }, 15874 Field: field, 15875 Weight: eval.HandlerWeight, 15876 }, nil 15877 case "splice.file.rights": 15878 return &eval.IntEvaluator{ 15879 EvalFnc: func(ctx *eval.Context) int { 15880 ev := 
ctx.Event.(*Event) 15881 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Splice.File.FileFields)) 15882 }, 15883 Field: field, 15884 Weight: eval.HandlerWeight, 15885 }, nil 15886 case "splice.file.uid": 15887 return &eval.IntEvaluator{ 15888 EvalFnc: func(ctx *eval.Context) int { 15889 ev := ctx.Event.(*Event) 15890 return int(ev.Splice.File.FileFields.UID) 15891 }, 15892 Field: field, 15893 Weight: eval.FunctionWeight, 15894 }, nil 15895 case "splice.file.user": 15896 return &eval.StringEvaluator{ 15897 EvalFnc: func(ctx *eval.Context) string { 15898 ev := ctx.Event.(*Event) 15899 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Splice.File.FileFields) 15900 }, 15901 Field: field, 15902 Weight: eval.HandlerWeight, 15903 }, nil 15904 case "splice.pipe_entry_flag": 15905 return &eval.IntEvaluator{ 15906 EvalFnc: func(ctx *eval.Context) int { 15907 ev := ctx.Event.(*Event) 15908 return int(ev.Splice.PipeEntryFlag) 15909 }, 15910 Field: field, 15911 Weight: eval.FunctionWeight, 15912 }, nil 15913 case "splice.pipe_exit_flag": 15914 return &eval.IntEvaluator{ 15915 EvalFnc: func(ctx *eval.Context) int { 15916 ev := ctx.Event.(*Event) 15917 return int(ev.Splice.PipeExitFlag) 15918 }, 15919 Field: field, 15920 Weight: eval.FunctionWeight, 15921 }, nil 15922 case "splice.retval": 15923 return &eval.IntEvaluator{ 15924 EvalFnc: func(ctx *eval.Context) int { 15925 ev := ctx.Event.(*Event) 15926 return int(ev.Splice.SyscallEvent.Retval) 15927 }, 15928 Field: field, 15929 Weight: eval.FunctionWeight, 15930 }, nil 15931 case "unlink.file.change_time": 15932 return &eval.IntEvaluator{ 15933 EvalFnc: func(ctx *eval.Context) int { 15934 ev := ctx.Event.(*Event) 15935 return int(ev.Unlink.File.FileFields.CTime) 15936 }, 15937 Field: field, 15938 Weight: eval.FunctionWeight, 15939 }, nil 15940 case "unlink.file.filesystem": 15941 return &eval.StringEvaluator{ 15942 EvalFnc: func(ctx *eval.Context) string { 15943 ev := ctx.Event.(*Event) 15944 return 
ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Unlink.File) 15945 }, 15946 Field: field, 15947 Weight: eval.HandlerWeight, 15948 }, nil 15949 case "unlink.file.gid": 15950 return &eval.IntEvaluator{ 15951 EvalFnc: func(ctx *eval.Context) int { 15952 ev := ctx.Event.(*Event) 15953 return int(ev.Unlink.File.FileFields.GID) 15954 }, 15955 Field: field, 15956 Weight: eval.FunctionWeight, 15957 }, nil 15958 case "unlink.file.group": 15959 return &eval.StringEvaluator{ 15960 EvalFnc: func(ctx *eval.Context) string { 15961 ev := ctx.Event.(*Event) 15962 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Unlink.File.FileFields) 15963 }, 15964 Field: field, 15965 Weight: eval.HandlerWeight, 15966 }, nil 15967 case "unlink.file.hashes": 15968 return &eval.StringArrayEvaluator{ 15969 EvalFnc: func(ctx *eval.Context) []string { 15970 ev := ctx.Event.(*Event) 15971 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Unlink.File) 15972 }, 15973 Field: field, 15974 Weight: 999 * eval.HandlerWeight, 15975 }, nil 15976 case "unlink.file.in_upper_layer": 15977 return &eval.BoolEvaluator{ 15978 EvalFnc: func(ctx *eval.Context) bool { 15979 ev := ctx.Event.(*Event) 15980 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Unlink.File.FileFields) 15981 }, 15982 Field: field, 15983 Weight: eval.HandlerWeight, 15984 }, nil 15985 case "unlink.file.inode": 15986 return &eval.IntEvaluator{ 15987 EvalFnc: func(ctx *eval.Context) int { 15988 ev := ctx.Event.(*Event) 15989 return int(ev.Unlink.File.FileFields.PathKey.Inode) 15990 }, 15991 Field: field, 15992 Weight: eval.FunctionWeight, 15993 }, nil 15994 case "unlink.file.mode": 15995 return &eval.IntEvaluator{ 15996 EvalFnc: func(ctx *eval.Context) int { 15997 ev := ctx.Event.(*Event) 15998 return int(ev.Unlink.File.FileFields.Mode) 15999 }, 16000 Field: field, 16001 Weight: eval.FunctionWeight, 16002 }, nil 16003 case "unlink.file.modification_time": 16004 return &eval.IntEvaluator{ 16005 EvalFnc: func(ctx *eval.Context) 
int { 16006 ev := ctx.Event.(*Event) 16007 return int(ev.Unlink.File.FileFields.MTime) 16008 }, 16009 Field: field, 16010 Weight: eval.FunctionWeight, 16011 }, nil 16012 case "unlink.file.mount_id": 16013 return &eval.IntEvaluator{ 16014 EvalFnc: func(ctx *eval.Context) int { 16015 ev := ctx.Event.(*Event) 16016 return int(ev.Unlink.File.FileFields.PathKey.MountID) 16017 }, 16018 Field: field, 16019 Weight: eval.FunctionWeight, 16020 }, nil 16021 case "unlink.file.name": 16022 return &eval.StringEvaluator{ 16023 OpOverrides: ProcessSymlinkBasename, 16024 EvalFnc: func(ctx *eval.Context) string { 16025 ev := ctx.Event.(*Event) 16026 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Unlink.File) 16027 }, 16028 Field: field, 16029 Weight: eval.HandlerWeight, 16030 }, nil 16031 case "unlink.file.name.length": 16032 return &eval.IntEvaluator{ 16033 OpOverrides: ProcessSymlinkBasename, 16034 EvalFnc: func(ctx *eval.Context) int { 16035 ev := ctx.Event.(*Event) 16036 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Unlink.File)) 16037 }, 16038 Field: field, 16039 Weight: eval.HandlerWeight, 16040 }, nil 16041 case "unlink.file.package.name": 16042 return &eval.StringEvaluator{ 16043 EvalFnc: func(ctx *eval.Context) string { 16044 ev := ctx.Event.(*Event) 16045 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Unlink.File) 16046 }, 16047 Field: field, 16048 Weight: eval.HandlerWeight, 16049 }, nil 16050 case "unlink.file.package.source_version": 16051 return &eval.StringEvaluator{ 16052 EvalFnc: func(ctx *eval.Context) string { 16053 ev := ctx.Event.(*Event) 16054 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Unlink.File) 16055 }, 16056 Field: field, 16057 Weight: eval.HandlerWeight, 16058 }, nil 16059 case "unlink.file.package.version": 16060 return &eval.StringEvaluator{ 16061 EvalFnc: func(ctx *eval.Context) string { 16062 ev := ctx.Event.(*Event) 16063 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Unlink.File) 16064 }, 16065 Field: 
field, 16066 Weight: eval.HandlerWeight, 16067 }, nil 16068 case "unlink.file.path": 16069 return &eval.StringEvaluator{ 16070 OpOverrides: ProcessSymlinkPathname, 16071 EvalFnc: func(ctx *eval.Context) string { 16072 ev := ctx.Event.(*Event) 16073 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Unlink.File) 16074 }, 16075 Field: field, 16076 Weight: eval.HandlerWeight, 16077 }, nil 16078 case "unlink.file.path.length": 16079 return &eval.IntEvaluator{ 16080 OpOverrides: ProcessSymlinkPathname, 16081 EvalFnc: func(ctx *eval.Context) int { 16082 ev := ctx.Event.(*Event) 16083 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Unlink.File)) 16084 }, 16085 Field: field, 16086 Weight: eval.HandlerWeight, 16087 }, nil 16088 case "unlink.file.rights": 16089 return &eval.IntEvaluator{ 16090 EvalFnc: func(ctx *eval.Context) int { 16091 ev := ctx.Event.(*Event) 16092 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Unlink.File.FileFields)) 16093 }, 16094 Field: field, 16095 Weight: eval.HandlerWeight, 16096 }, nil 16097 case "unlink.file.uid": 16098 return &eval.IntEvaluator{ 16099 EvalFnc: func(ctx *eval.Context) int { 16100 ev := ctx.Event.(*Event) 16101 return int(ev.Unlink.File.FileFields.UID) 16102 }, 16103 Field: field, 16104 Weight: eval.FunctionWeight, 16105 }, nil 16106 case "unlink.file.user": 16107 return &eval.StringEvaluator{ 16108 EvalFnc: func(ctx *eval.Context) string { 16109 ev := ctx.Event.(*Event) 16110 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Unlink.File.FileFields) 16111 }, 16112 Field: field, 16113 Weight: eval.HandlerWeight, 16114 }, nil 16115 case "unlink.flags": 16116 return &eval.IntEvaluator{ 16117 EvalFnc: func(ctx *eval.Context) int { 16118 ev := ctx.Event.(*Event) 16119 return int(ev.Unlink.Flags) 16120 }, 16121 Field: field, 16122 Weight: eval.FunctionWeight, 16123 }, nil 16124 case "unlink.retval": 16125 return &eval.IntEvaluator{ 16126 EvalFnc: func(ctx *eval.Context) int { 16127 ev := ctx.Event.(*Event) 16128 return 
int(ev.Unlink.SyscallEvent.Retval) 16129 }, 16130 Field: field, 16131 Weight: eval.FunctionWeight, 16132 }, nil 16133 case "unload_module.name": 16134 return &eval.StringEvaluator{ 16135 EvalFnc: func(ctx *eval.Context) string { 16136 ev := ctx.Event.(*Event) 16137 return ev.UnloadModule.Name 16138 }, 16139 Field: field, 16140 Weight: eval.FunctionWeight, 16141 }, nil 16142 case "unload_module.retval": 16143 return &eval.IntEvaluator{ 16144 EvalFnc: func(ctx *eval.Context) int { 16145 ev := ctx.Event.(*Event) 16146 return int(ev.UnloadModule.SyscallEvent.Retval) 16147 }, 16148 Field: field, 16149 Weight: eval.FunctionWeight, 16150 }, nil 16151 case "utimes.file.change_time": 16152 return &eval.IntEvaluator{ 16153 EvalFnc: func(ctx *eval.Context) int { 16154 ev := ctx.Event.(*Event) 16155 return int(ev.Utimes.File.FileFields.CTime) 16156 }, 16157 Field: field, 16158 Weight: eval.FunctionWeight, 16159 }, nil 16160 case "utimes.file.filesystem": 16161 return &eval.StringEvaluator{ 16162 EvalFnc: func(ctx *eval.Context) string { 16163 ev := ctx.Event.(*Event) 16164 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Utimes.File) 16165 }, 16166 Field: field, 16167 Weight: eval.HandlerWeight, 16168 }, nil 16169 case "utimes.file.gid": 16170 return &eval.IntEvaluator{ 16171 EvalFnc: func(ctx *eval.Context) int { 16172 ev := ctx.Event.(*Event) 16173 return int(ev.Utimes.File.FileFields.GID) 16174 }, 16175 Field: field, 16176 Weight: eval.FunctionWeight, 16177 }, nil 16178 case "utimes.file.group": 16179 return &eval.StringEvaluator{ 16180 EvalFnc: func(ctx *eval.Context) string { 16181 ev := ctx.Event.(*Event) 16182 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Utimes.File.FileFields) 16183 }, 16184 Field: field, 16185 Weight: eval.HandlerWeight, 16186 }, nil 16187 case "utimes.file.hashes": 16188 return &eval.StringArrayEvaluator{ 16189 EvalFnc: func(ctx *eval.Context) []string { 16190 ev := ctx.Event.(*Event) 16191 return 
ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Utimes.File) 16192 }, 16193 Field: field, 16194 Weight: 999 * eval.HandlerWeight, 16195 }, nil 16196 case "utimes.file.in_upper_layer": 16197 return &eval.BoolEvaluator{ 16198 EvalFnc: func(ctx *eval.Context) bool { 16199 ev := ctx.Event.(*Event) 16200 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Utimes.File.FileFields) 16201 }, 16202 Field: field, 16203 Weight: eval.HandlerWeight, 16204 }, nil 16205 case "utimes.file.inode": 16206 return &eval.IntEvaluator{ 16207 EvalFnc: func(ctx *eval.Context) int { 16208 ev := ctx.Event.(*Event) 16209 return int(ev.Utimes.File.FileFields.PathKey.Inode) 16210 }, 16211 Field: field, 16212 Weight: eval.FunctionWeight, 16213 }, nil 16214 case "utimes.file.mode": 16215 return &eval.IntEvaluator{ 16216 EvalFnc: func(ctx *eval.Context) int { 16217 ev := ctx.Event.(*Event) 16218 return int(ev.Utimes.File.FileFields.Mode) 16219 }, 16220 Field: field, 16221 Weight: eval.FunctionWeight, 16222 }, nil 16223 case "utimes.file.modification_time": 16224 return &eval.IntEvaluator{ 16225 EvalFnc: func(ctx *eval.Context) int { 16226 ev := ctx.Event.(*Event) 16227 return int(ev.Utimes.File.FileFields.MTime) 16228 }, 16229 Field: field, 16230 Weight: eval.FunctionWeight, 16231 }, nil 16232 case "utimes.file.mount_id": 16233 return &eval.IntEvaluator{ 16234 EvalFnc: func(ctx *eval.Context) int { 16235 ev := ctx.Event.(*Event) 16236 return int(ev.Utimes.File.FileFields.PathKey.MountID) 16237 }, 16238 Field: field, 16239 Weight: eval.FunctionWeight, 16240 }, nil 16241 case "utimes.file.name": 16242 return &eval.StringEvaluator{ 16243 OpOverrides: ProcessSymlinkBasename, 16244 EvalFnc: func(ctx *eval.Context) string { 16245 ev := ctx.Event.(*Event) 16246 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Utimes.File) 16247 }, 16248 Field: field, 16249 Weight: eval.HandlerWeight, 16250 }, nil 16251 case "utimes.file.name.length": 16252 return &eval.IntEvaluator{ 16253 OpOverrides: 
ProcessSymlinkBasename, 16254 EvalFnc: func(ctx *eval.Context) int { 16255 ev := ctx.Event.(*Event) 16256 return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Utimes.File)) 16257 }, 16258 Field: field, 16259 Weight: eval.HandlerWeight, 16260 }, nil 16261 case "utimes.file.package.name": 16262 return &eval.StringEvaluator{ 16263 EvalFnc: func(ctx *eval.Context) string { 16264 ev := ctx.Event.(*Event) 16265 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Utimes.File) 16266 }, 16267 Field: field, 16268 Weight: eval.HandlerWeight, 16269 }, nil 16270 case "utimes.file.package.source_version": 16271 return &eval.StringEvaluator{ 16272 EvalFnc: func(ctx *eval.Context) string { 16273 ev := ctx.Event.(*Event) 16274 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Utimes.File) 16275 }, 16276 Field: field, 16277 Weight: eval.HandlerWeight, 16278 }, nil 16279 case "utimes.file.package.version": 16280 return &eval.StringEvaluator{ 16281 EvalFnc: func(ctx *eval.Context) string { 16282 ev := ctx.Event.(*Event) 16283 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Utimes.File) 16284 }, 16285 Field: field, 16286 Weight: eval.HandlerWeight, 16287 }, nil 16288 case "utimes.file.path": 16289 return &eval.StringEvaluator{ 16290 OpOverrides: ProcessSymlinkPathname, 16291 EvalFnc: func(ctx *eval.Context) string { 16292 ev := ctx.Event.(*Event) 16293 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Utimes.File) 16294 }, 16295 Field: field, 16296 Weight: eval.HandlerWeight, 16297 }, nil 16298 case "utimes.file.path.length": 16299 return &eval.IntEvaluator{ 16300 OpOverrides: ProcessSymlinkPathname, 16301 EvalFnc: func(ctx *eval.Context) int { 16302 ev := ctx.Event.(*Event) 16303 return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Utimes.File)) 16304 }, 16305 Field: field, 16306 Weight: eval.HandlerWeight, 16307 }, nil 16308 case "utimes.file.rights": 16309 return &eval.IntEvaluator{ 16310 EvalFnc: func(ctx *eval.Context) int { 16311 ev := ctx.Event.(*Event) 16312 
return int(ev.FieldHandlers.ResolveRights(ev, &ev.Utimes.File.FileFields)) 16313 }, 16314 Field: field, 16315 Weight: eval.HandlerWeight, 16316 }, nil 16317 case "utimes.file.uid": 16318 return &eval.IntEvaluator{ 16319 EvalFnc: func(ctx *eval.Context) int { 16320 ev := ctx.Event.(*Event) 16321 return int(ev.Utimes.File.FileFields.UID) 16322 }, 16323 Field: field, 16324 Weight: eval.FunctionWeight, 16325 }, nil 16326 case "utimes.file.user": 16327 return &eval.StringEvaluator{ 16328 EvalFnc: func(ctx *eval.Context) string { 16329 ev := ctx.Event.(*Event) 16330 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Utimes.File.FileFields) 16331 }, 16332 Field: field, 16333 Weight: eval.HandlerWeight, 16334 }, nil 16335 case "utimes.retval": 16336 return &eval.IntEvaluator{ 16337 EvalFnc: func(ctx *eval.Context) int { 16338 ev := ctx.Event.(*Event) 16339 return int(ev.Utimes.SyscallEvent.Retval) 16340 }, 16341 Field: field, 16342 Weight: eval.FunctionWeight, 16343 }, nil 16344 } 16345 return nil, &eval.ErrFieldNotFound{Field: field} 16346 } 16347 func (ev *Event) GetFields() []eval.Field { 16348 return []eval.Field{ 16349 "bind.addr.family", 16350 "bind.addr.ip", 16351 "bind.addr.port", 16352 "bind.retval", 16353 "bpf.cmd", 16354 "bpf.map.name", 16355 "bpf.map.type", 16356 "bpf.prog.attach_type", 16357 "bpf.prog.helpers", 16358 "bpf.prog.name", 16359 "bpf.prog.tag", 16360 "bpf.prog.type", 16361 "bpf.retval", 16362 "capset.cap_effective", 16363 "capset.cap_permitted", 16364 "chdir.file.change_time", 16365 "chdir.file.filesystem", 16366 "chdir.file.gid", 16367 "chdir.file.group", 16368 "chdir.file.hashes", 16369 "chdir.file.in_upper_layer", 16370 "chdir.file.inode", 16371 "chdir.file.mode", 16372 "chdir.file.modification_time", 16373 "chdir.file.mount_id", 16374 "chdir.file.name", 16375 "chdir.file.name.length", 16376 "chdir.file.package.name", 16377 "chdir.file.package.source_version", 16378 "chdir.file.package.version", 16379 "chdir.file.path", 16380 
"chdir.file.path.length", 16381 "chdir.file.rights", 16382 "chdir.file.uid", 16383 "chdir.file.user", 16384 "chdir.retval", 16385 "chmod.file.change_time", 16386 "chmod.file.destination.mode", 16387 "chmod.file.destination.rights", 16388 "chmod.file.filesystem", 16389 "chmod.file.gid", 16390 "chmod.file.group", 16391 "chmod.file.hashes", 16392 "chmod.file.in_upper_layer", 16393 "chmod.file.inode", 16394 "chmod.file.mode", 16395 "chmod.file.modification_time", 16396 "chmod.file.mount_id", 16397 "chmod.file.name", 16398 "chmod.file.name.length", 16399 "chmod.file.package.name", 16400 "chmod.file.package.source_version", 16401 "chmod.file.package.version", 16402 "chmod.file.path", 16403 "chmod.file.path.length", 16404 "chmod.file.rights", 16405 "chmod.file.uid", 16406 "chmod.file.user", 16407 "chmod.retval", 16408 "chown.file.change_time", 16409 "chown.file.destination.gid", 16410 "chown.file.destination.group", 16411 "chown.file.destination.uid", 16412 "chown.file.destination.user", 16413 "chown.file.filesystem", 16414 "chown.file.gid", 16415 "chown.file.group", 16416 "chown.file.hashes", 16417 "chown.file.in_upper_layer", 16418 "chown.file.inode", 16419 "chown.file.mode", 16420 "chown.file.modification_time", 16421 "chown.file.mount_id", 16422 "chown.file.name", 16423 "chown.file.name.length", 16424 "chown.file.package.name", 16425 "chown.file.package.source_version", 16426 "chown.file.package.version", 16427 "chown.file.path", 16428 "chown.file.path.length", 16429 "chown.file.rights", 16430 "chown.file.uid", 16431 "chown.file.user", 16432 "chown.retval", 16433 "container.created_at", 16434 "container.id", 16435 "container.tags", 16436 "dns.id", 16437 "dns.question.class", 16438 "dns.question.count", 16439 "dns.question.length", 16440 "dns.question.name", 16441 "dns.question.name.length", 16442 "dns.question.type", 16443 "event.async", 16444 "event.origin", 16445 "event.os", 16446 "event.service", 16447 "event.timestamp", 16448 "exec.args", 16449 "exec.args_flags", 
16450 "exec.args_options", 16451 "exec.args_truncated", 16452 "exec.argv", 16453 "exec.argv0", 16454 "exec.cap_effective", 16455 "exec.cap_permitted", 16456 "exec.comm", 16457 "exec.container.id", 16458 "exec.created_at", 16459 "exec.egid", 16460 "exec.egroup", 16461 "exec.envp", 16462 "exec.envs", 16463 "exec.envs_truncated", 16464 "exec.euid", 16465 "exec.euser", 16466 "exec.file.change_time", 16467 "exec.file.filesystem", 16468 "exec.file.gid", 16469 "exec.file.group", 16470 "exec.file.hashes", 16471 "exec.file.in_upper_layer", 16472 "exec.file.inode", 16473 "exec.file.mode", 16474 "exec.file.modification_time", 16475 "exec.file.mount_id", 16476 "exec.file.name", 16477 "exec.file.name.length", 16478 "exec.file.package.name", 16479 "exec.file.package.source_version", 16480 "exec.file.package.version", 16481 "exec.file.path", 16482 "exec.file.path.length", 16483 "exec.file.rights", 16484 "exec.file.uid", 16485 "exec.file.user", 16486 "exec.fsgid", 16487 "exec.fsgroup", 16488 "exec.fsuid", 16489 "exec.fsuser", 16490 "exec.gid", 16491 "exec.group", 16492 "exec.interpreter.file.change_time", 16493 "exec.interpreter.file.filesystem", 16494 "exec.interpreter.file.gid", 16495 "exec.interpreter.file.group", 16496 "exec.interpreter.file.hashes", 16497 "exec.interpreter.file.in_upper_layer", 16498 "exec.interpreter.file.inode", 16499 "exec.interpreter.file.mode", 16500 "exec.interpreter.file.modification_time", 16501 "exec.interpreter.file.mount_id", 16502 "exec.interpreter.file.name", 16503 "exec.interpreter.file.name.length", 16504 "exec.interpreter.file.package.name", 16505 "exec.interpreter.file.package.source_version", 16506 "exec.interpreter.file.package.version", 16507 "exec.interpreter.file.path", 16508 "exec.interpreter.file.path.length", 16509 "exec.interpreter.file.rights", 16510 "exec.interpreter.file.uid", 16511 "exec.interpreter.file.user", 16512 "exec.is_kworker", 16513 "exec.is_thread", 16514 "exec.pid", 16515 "exec.ppid", 16516 "exec.tid", 16517 
"exec.tty_name", 16518 "exec.uid", 16519 "exec.user", 16520 "exec.user_session.k8s_groups", 16521 "exec.user_session.k8s_uid", 16522 "exec.user_session.k8s_username", 16523 "exit.args", 16524 "exit.args_flags", 16525 "exit.args_options", 16526 "exit.args_truncated", 16527 "exit.argv", 16528 "exit.argv0", 16529 "exit.cap_effective", 16530 "exit.cap_permitted", 16531 "exit.cause", 16532 "exit.code", 16533 "exit.comm", 16534 "exit.container.id", 16535 "exit.created_at", 16536 "exit.egid", 16537 "exit.egroup", 16538 "exit.envp", 16539 "exit.envs", 16540 "exit.envs_truncated", 16541 "exit.euid", 16542 "exit.euser", 16543 "exit.file.change_time", 16544 "exit.file.filesystem", 16545 "exit.file.gid", 16546 "exit.file.group", 16547 "exit.file.hashes", 16548 "exit.file.in_upper_layer", 16549 "exit.file.inode", 16550 "exit.file.mode", 16551 "exit.file.modification_time", 16552 "exit.file.mount_id", 16553 "exit.file.name", 16554 "exit.file.name.length", 16555 "exit.file.package.name", 16556 "exit.file.package.source_version", 16557 "exit.file.package.version", 16558 "exit.file.path", 16559 "exit.file.path.length", 16560 "exit.file.rights", 16561 "exit.file.uid", 16562 "exit.file.user", 16563 "exit.fsgid", 16564 "exit.fsgroup", 16565 "exit.fsuid", 16566 "exit.fsuser", 16567 "exit.gid", 16568 "exit.group", 16569 "exit.interpreter.file.change_time", 16570 "exit.interpreter.file.filesystem", 16571 "exit.interpreter.file.gid", 16572 "exit.interpreter.file.group", 16573 "exit.interpreter.file.hashes", 16574 "exit.interpreter.file.in_upper_layer", 16575 "exit.interpreter.file.inode", 16576 "exit.interpreter.file.mode", 16577 "exit.interpreter.file.modification_time", 16578 "exit.interpreter.file.mount_id", 16579 "exit.interpreter.file.name", 16580 "exit.interpreter.file.name.length", 16581 "exit.interpreter.file.package.name", 16582 "exit.interpreter.file.package.source_version", 16583 "exit.interpreter.file.package.version", 16584 "exit.interpreter.file.path", 16585 
"exit.interpreter.file.path.length", 16586 "exit.interpreter.file.rights", 16587 "exit.interpreter.file.uid", 16588 "exit.interpreter.file.user", 16589 "exit.is_kworker", 16590 "exit.is_thread", 16591 "exit.pid", 16592 "exit.ppid", 16593 "exit.tid", 16594 "exit.tty_name", 16595 "exit.uid", 16596 "exit.user", 16597 "exit.user_session.k8s_groups", 16598 "exit.user_session.k8s_uid", 16599 "exit.user_session.k8s_username", 16600 "link.file.change_time", 16601 "link.file.destination.change_time", 16602 "link.file.destination.filesystem", 16603 "link.file.destination.gid", 16604 "link.file.destination.group", 16605 "link.file.destination.hashes", 16606 "link.file.destination.in_upper_layer", 16607 "link.file.destination.inode", 16608 "link.file.destination.mode", 16609 "link.file.destination.modification_time", 16610 "link.file.destination.mount_id", 16611 "link.file.destination.name", 16612 "link.file.destination.name.length", 16613 "link.file.destination.package.name", 16614 "link.file.destination.package.source_version", 16615 "link.file.destination.package.version", 16616 "link.file.destination.path", 16617 "link.file.destination.path.length", 16618 "link.file.destination.rights", 16619 "link.file.destination.uid", 16620 "link.file.destination.user", 16621 "link.file.filesystem", 16622 "link.file.gid", 16623 "link.file.group", 16624 "link.file.hashes", 16625 "link.file.in_upper_layer", 16626 "link.file.inode", 16627 "link.file.mode", 16628 "link.file.modification_time", 16629 "link.file.mount_id", 16630 "link.file.name", 16631 "link.file.name.length", 16632 "link.file.package.name", 16633 "link.file.package.source_version", 16634 "link.file.package.version", 16635 "link.file.path", 16636 "link.file.path.length", 16637 "link.file.rights", 16638 "link.file.uid", 16639 "link.file.user", 16640 "link.retval", 16641 "load_module.args", 16642 "load_module.args_truncated", 16643 "load_module.argv", 16644 "load_module.file.change_time", 16645 "load_module.file.filesystem", 
16646 "load_module.file.gid", 16647 "load_module.file.group", 16648 "load_module.file.hashes", 16649 "load_module.file.in_upper_layer", 16650 "load_module.file.inode", 16651 "load_module.file.mode", 16652 "load_module.file.modification_time", 16653 "load_module.file.mount_id", 16654 "load_module.file.name", 16655 "load_module.file.name.length", 16656 "load_module.file.package.name", 16657 "load_module.file.package.source_version", 16658 "load_module.file.package.version", 16659 "load_module.file.path", 16660 "load_module.file.path.length", 16661 "load_module.file.rights", 16662 "load_module.file.uid", 16663 "load_module.file.user", 16664 "load_module.loaded_from_memory", 16665 "load_module.name", 16666 "load_module.retval", 16667 "mkdir.file.change_time", 16668 "mkdir.file.destination.mode", 16669 "mkdir.file.destination.rights", 16670 "mkdir.file.filesystem", 16671 "mkdir.file.gid", 16672 "mkdir.file.group", 16673 "mkdir.file.hashes", 16674 "mkdir.file.in_upper_layer", 16675 "mkdir.file.inode", 16676 "mkdir.file.mode", 16677 "mkdir.file.modification_time", 16678 "mkdir.file.mount_id", 16679 "mkdir.file.name", 16680 "mkdir.file.name.length", 16681 "mkdir.file.package.name", 16682 "mkdir.file.package.source_version", 16683 "mkdir.file.package.version", 16684 "mkdir.file.path", 16685 "mkdir.file.path.length", 16686 "mkdir.file.rights", 16687 "mkdir.file.uid", 16688 "mkdir.file.user", 16689 "mkdir.retval", 16690 "mmap.file.change_time", 16691 "mmap.file.filesystem", 16692 "mmap.file.gid", 16693 "mmap.file.group", 16694 "mmap.file.hashes", 16695 "mmap.file.in_upper_layer", 16696 "mmap.file.inode", 16697 "mmap.file.mode", 16698 "mmap.file.modification_time", 16699 "mmap.file.mount_id", 16700 "mmap.file.name", 16701 "mmap.file.name.length", 16702 "mmap.file.package.name", 16703 "mmap.file.package.source_version", 16704 "mmap.file.package.version", 16705 "mmap.file.path", 16706 "mmap.file.path.length", 16707 "mmap.file.rights", 16708 "mmap.file.uid", 16709 
"mmap.file.user", 16710 "mmap.flags", 16711 "mmap.protection", 16712 "mmap.retval", 16713 "mount.fs_type", 16714 "mount.mountpoint.path", 16715 "mount.retval", 16716 "mount.root.path", 16717 "mount.source.path", 16718 "mprotect.req_protection", 16719 "mprotect.retval", 16720 "mprotect.vm_protection", 16721 "network.destination.ip", 16722 "network.destination.port", 16723 "network.device.ifindex", 16724 "network.device.ifname", 16725 "network.l3_protocol", 16726 "network.l4_protocol", 16727 "network.size", 16728 "network.source.ip", 16729 "network.source.port", 16730 "open.file.change_time", 16731 "open.file.destination.mode", 16732 "open.file.filesystem", 16733 "open.file.gid", 16734 "open.file.group", 16735 "open.file.hashes", 16736 "open.file.in_upper_layer", 16737 "open.file.inode", 16738 "open.file.mode", 16739 "open.file.modification_time", 16740 "open.file.mount_id", 16741 "open.file.name", 16742 "open.file.name.length", 16743 "open.file.package.name", 16744 "open.file.package.source_version", 16745 "open.file.package.version", 16746 "open.file.path", 16747 "open.file.path.length", 16748 "open.file.rights", 16749 "open.file.uid", 16750 "open.file.user", 16751 "open.flags", 16752 "open.retval", 16753 "process.ancestors.args", 16754 "process.ancestors.args_flags", 16755 "process.ancestors.args_options", 16756 "process.ancestors.args_truncated", 16757 "process.ancestors.argv", 16758 "process.ancestors.argv0", 16759 "process.ancestors.cap_effective", 16760 "process.ancestors.cap_permitted", 16761 "process.ancestors.comm", 16762 "process.ancestors.container.id", 16763 "process.ancestors.created_at", 16764 "process.ancestors.egid", 16765 "process.ancestors.egroup", 16766 "process.ancestors.envp", 16767 "process.ancestors.envs", 16768 "process.ancestors.envs_truncated", 16769 "process.ancestors.euid", 16770 "process.ancestors.euser", 16771 "process.ancestors.file.change_time", 16772 "process.ancestors.file.filesystem", 16773 "process.ancestors.file.gid", 16774 
"process.ancestors.file.group", 16775 "process.ancestors.file.hashes", 16776 "process.ancestors.file.in_upper_layer", 16777 "process.ancestors.file.inode", 16778 "process.ancestors.file.mode", 16779 "process.ancestors.file.modification_time", 16780 "process.ancestors.file.mount_id", 16781 "process.ancestors.file.name", 16782 "process.ancestors.file.name.length", 16783 "process.ancestors.file.package.name", 16784 "process.ancestors.file.package.source_version", 16785 "process.ancestors.file.package.version", 16786 "process.ancestors.file.path", 16787 "process.ancestors.file.path.length", 16788 "process.ancestors.file.rights", 16789 "process.ancestors.file.uid", 16790 "process.ancestors.file.user", 16791 "process.ancestors.fsgid", 16792 "process.ancestors.fsgroup", 16793 "process.ancestors.fsuid", 16794 "process.ancestors.fsuser", 16795 "process.ancestors.gid", 16796 "process.ancestors.group", 16797 "process.ancestors.interpreter.file.change_time", 16798 "process.ancestors.interpreter.file.filesystem", 16799 "process.ancestors.interpreter.file.gid", 16800 "process.ancestors.interpreter.file.group", 16801 "process.ancestors.interpreter.file.hashes", 16802 "process.ancestors.interpreter.file.in_upper_layer", 16803 "process.ancestors.interpreter.file.inode", 16804 "process.ancestors.interpreter.file.mode", 16805 "process.ancestors.interpreter.file.modification_time", 16806 "process.ancestors.interpreter.file.mount_id", 16807 "process.ancestors.interpreter.file.name", 16808 "process.ancestors.interpreter.file.name.length", 16809 "process.ancestors.interpreter.file.package.name", 16810 "process.ancestors.interpreter.file.package.source_version", 16811 "process.ancestors.interpreter.file.package.version", 16812 "process.ancestors.interpreter.file.path", 16813 "process.ancestors.interpreter.file.path.length", 16814 "process.ancestors.interpreter.file.rights", 16815 "process.ancestors.interpreter.file.uid", 16816 "process.ancestors.interpreter.file.user", 16817 
"process.ancestors.is_kworker", 16818 "process.ancestors.is_thread", 16819 "process.ancestors.pid", 16820 "process.ancestors.ppid", 16821 "process.ancestors.tid", 16822 "process.ancestors.tty_name", 16823 "process.ancestors.uid", 16824 "process.ancestors.user", 16825 "process.ancestors.user_session.k8s_groups", 16826 "process.ancestors.user_session.k8s_uid", 16827 "process.ancestors.user_session.k8s_username", 16828 "process.args", 16829 "process.args_flags", 16830 "process.args_options", 16831 "process.args_truncated", 16832 "process.argv", 16833 "process.argv0", 16834 "process.cap_effective", 16835 "process.cap_permitted", 16836 "process.comm", 16837 "process.container.id", 16838 "process.created_at", 16839 "process.egid", 16840 "process.egroup", 16841 "process.envp", 16842 "process.envs", 16843 "process.envs_truncated", 16844 "process.euid", 16845 "process.euser", 16846 "process.file.change_time", 16847 "process.file.filesystem", 16848 "process.file.gid", 16849 "process.file.group", 16850 "process.file.hashes", 16851 "process.file.in_upper_layer", 16852 "process.file.inode", 16853 "process.file.mode", 16854 "process.file.modification_time", 16855 "process.file.mount_id", 16856 "process.file.name", 16857 "process.file.name.length", 16858 "process.file.package.name", 16859 "process.file.package.source_version", 16860 "process.file.package.version", 16861 "process.file.path", 16862 "process.file.path.length", 16863 "process.file.rights", 16864 "process.file.uid", 16865 "process.file.user", 16866 "process.fsgid", 16867 "process.fsgroup", 16868 "process.fsuid", 16869 "process.fsuser", 16870 "process.gid", 16871 "process.group", 16872 "process.interpreter.file.change_time", 16873 "process.interpreter.file.filesystem", 16874 "process.interpreter.file.gid", 16875 "process.interpreter.file.group", 16876 "process.interpreter.file.hashes", 16877 "process.interpreter.file.in_upper_layer", 16878 "process.interpreter.file.inode", 16879 "process.interpreter.file.mode", 16880 
"process.interpreter.file.modification_time", 16881 "process.interpreter.file.mount_id", 16882 "process.interpreter.file.name", 16883 "process.interpreter.file.name.length", 16884 "process.interpreter.file.package.name", 16885 "process.interpreter.file.package.source_version", 16886 "process.interpreter.file.package.version", 16887 "process.interpreter.file.path", 16888 "process.interpreter.file.path.length", 16889 "process.interpreter.file.rights", 16890 "process.interpreter.file.uid", 16891 "process.interpreter.file.user", 16892 "process.is_kworker", 16893 "process.is_thread", 16894 "process.parent.args", 16895 "process.parent.args_flags", 16896 "process.parent.args_options", 16897 "process.parent.args_truncated", 16898 "process.parent.argv", 16899 "process.parent.argv0", 16900 "process.parent.cap_effective", 16901 "process.parent.cap_permitted", 16902 "process.parent.comm", 16903 "process.parent.container.id", 16904 "process.parent.created_at", 16905 "process.parent.egid", 16906 "process.parent.egroup", 16907 "process.parent.envp", 16908 "process.parent.envs", 16909 "process.parent.envs_truncated", 16910 "process.parent.euid", 16911 "process.parent.euser", 16912 "process.parent.file.change_time", 16913 "process.parent.file.filesystem", 16914 "process.parent.file.gid", 16915 "process.parent.file.group", 16916 "process.parent.file.hashes", 16917 "process.parent.file.in_upper_layer", 16918 "process.parent.file.inode", 16919 "process.parent.file.mode", 16920 "process.parent.file.modification_time", 16921 "process.parent.file.mount_id", 16922 "process.parent.file.name", 16923 "process.parent.file.name.length", 16924 "process.parent.file.package.name", 16925 "process.parent.file.package.source_version", 16926 "process.parent.file.package.version", 16927 "process.parent.file.path", 16928 "process.parent.file.path.length", 16929 "process.parent.file.rights", 16930 "process.parent.file.uid", 16931 "process.parent.file.user", 16932 "process.parent.fsgid", 16933 
"process.parent.fsgroup", 16934 "process.parent.fsuid", 16935 "process.parent.fsuser", 16936 "process.parent.gid", 16937 "process.parent.group", 16938 "process.parent.interpreter.file.change_time", 16939 "process.parent.interpreter.file.filesystem", 16940 "process.parent.interpreter.file.gid", 16941 "process.parent.interpreter.file.group", 16942 "process.parent.interpreter.file.hashes", 16943 "process.parent.interpreter.file.in_upper_layer", 16944 "process.parent.interpreter.file.inode", 16945 "process.parent.interpreter.file.mode", 16946 "process.parent.interpreter.file.modification_time", 16947 "process.parent.interpreter.file.mount_id", 16948 "process.parent.interpreter.file.name", 16949 "process.parent.interpreter.file.name.length", 16950 "process.parent.interpreter.file.package.name", 16951 "process.parent.interpreter.file.package.source_version", 16952 "process.parent.interpreter.file.package.version", 16953 "process.parent.interpreter.file.path", 16954 "process.parent.interpreter.file.path.length", 16955 "process.parent.interpreter.file.rights", 16956 "process.parent.interpreter.file.uid", 16957 "process.parent.interpreter.file.user", 16958 "process.parent.is_kworker", 16959 "process.parent.is_thread", 16960 "process.parent.pid", 16961 "process.parent.ppid", 16962 "process.parent.tid", 16963 "process.parent.tty_name", 16964 "process.parent.uid", 16965 "process.parent.user", 16966 "process.parent.user_session.k8s_groups", 16967 "process.parent.user_session.k8s_uid", 16968 "process.parent.user_session.k8s_username", 16969 "process.pid", 16970 "process.ppid", 16971 "process.tid", 16972 "process.tty_name", 16973 "process.uid", 16974 "process.user", 16975 "process.user_session.k8s_groups", 16976 "process.user_session.k8s_uid", 16977 "process.user_session.k8s_username", 16978 "ptrace.request", 16979 "ptrace.retval", 16980 "ptrace.tracee.ancestors.args", 16981 "ptrace.tracee.ancestors.args_flags", 16982 "ptrace.tracee.ancestors.args_options", 16983 
"ptrace.tracee.ancestors.args_truncated", 16984 "ptrace.tracee.ancestors.argv", 16985 "ptrace.tracee.ancestors.argv0", 16986 "ptrace.tracee.ancestors.cap_effective", 16987 "ptrace.tracee.ancestors.cap_permitted", 16988 "ptrace.tracee.ancestors.comm", 16989 "ptrace.tracee.ancestors.container.id", 16990 "ptrace.tracee.ancestors.created_at", 16991 "ptrace.tracee.ancestors.egid", 16992 "ptrace.tracee.ancestors.egroup", 16993 "ptrace.tracee.ancestors.envp", 16994 "ptrace.tracee.ancestors.envs", 16995 "ptrace.tracee.ancestors.envs_truncated", 16996 "ptrace.tracee.ancestors.euid", 16997 "ptrace.tracee.ancestors.euser", 16998 "ptrace.tracee.ancestors.file.change_time", 16999 "ptrace.tracee.ancestors.file.filesystem", 17000 "ptrace.tracee.ancestors.file.gid", 17001 "ptrace.tracee.ancestors.file.group", 17002 "ptrace.tracee.ancestors.file.hashes", 17003 "ptrace.tracee.ancestors.file.in_upper_layer", 17004 "ptrace.tracee.ancestors.file.inode", 17005 "ptrace.tracee.ancestors.file.mode", 17006 "ptrace.tracee.ancestors.file.modification_time", 17007 "ptrace.tracee.ancestors.file.mount_id", 17008 "ptrace.tracee.ancestors.file.name", 17009 "ptrace.tracee.ancestors.file.name.length", 17010 "ptrace.tracee.ancestors.file.package.name", 17011 "ptrace.tracee.ancestors.file.package.source_version", 17012 "ptrace.tracee.ancestors.file.package.version", 17013 "ptrace.tracee.ancestors.file.path", 17014 "ptrace.tracee.ancestors.file.path.length", 17015 "ptrace.tracee.ancestors.file.rights", 17016 "ptrace.tracee.ancestors.file.uid", 17017 "ptrace.tracee.ancestors.file.user", 17018 "ptrace.tracee.ancestors.fsgid", 17019 "ptrace.tracee.ancestors.fsgroup", 17020 "ptrace.tracee.ancestors.fsuid", 17021 "ptrace.tracee.ancestors.fsuser", 17022 "ptrace.tracee.ancestors.gid", 17023 "ptrace.tracee.ancestors.group", 17024 "ptrace.tracee.ancestors.interpreter.file.change_time", 17025 "ptrace.tracee.ancestors.interpreter.file.filesystem", 17026 "ptrace.tracee.ancestors.interpreter.file.gid", 17027 
"ptrace.tracee.ancestors.interpreter.file.group", 17028 "ptrace.tracee.ancestors.interpreter.file.hashes", 17029 "ptrace.tracee.ancestors.interpreter.file.in_upper_layer", 17030 "ptrace.tracee.ancestors.interpreter.file.inode", 17031 "ptrace.tracee.ancestors.interpreter.file.mode", 17032 "ptrace.tracee.ancestors.interpreter.file.modification_time", 17033 "ptrace.tracee.ancestors.interpreter.file.mount_id", 17034 "ptrace.tracee.ancestors.interpreter.file.name", 17035 "ptrace.tracee.ancestors.interpreter.file.name.length", 17036 "ptrace.tracee.ancestors.interpreter.file.package.name", 17037 "ptrace.tracee.ancestors.interpreter.file.package.source_version", 17038 "ptrace.tracee.ancestors.interpreter.file.package.version", 17039 "ptrace.tracee.ancestors.interpreter.file.path", 17040 "ptrace.tracee.ancestors.interpreter.file.path.length", 17041 "ptrace.tracee.ancestors.interpreter.file.rights", 17042 "ptrace.tracee.ancestors.interpreter.file.uid", 17043 "ptrace.tracee.ancestors.interpreter.file.user", 17044 "ptrace.tracee.ancestors.is_kworker", 17045 "ptrace.tracee.ancestors.is_thread", 17046 "ptrace.tracee.ancestors.pid", 17047 "ptrace.tracee.ancestors.ppid", 17048 "ptrace.tracee.ancestors.tid", 17049 "ptrace.tracee.ancestors.tty_name", 17050 "ptrace.tracee.ancestors.uid", 17051 "ptrace.tracee.ancestors.user", 17052 "ptrace.tracee.ancestors.user_session.k8s_groups", 17053 "ptrace.tracee.ancestors.user_session.k8s_uid", 17054 "ptrace.tracee.ancestors.user_session.k8s_username", 17055 "ptrace.tracee.args", 17056 "ptrace.tracee.args_flags", 17057 "ptrace.tracee.args_options", 17058 "ptrace.tracee.args_truncated", 17059 "ptrace.tracee.argv", 17060 "ptrace.tracee.argv0", 17061 "ptrace.tracee.cap_effective", 17062 "ptrace.tracee.cap_permitted", 17063 "ptrace.tracee.comm", 17064 "ptrace.tracee.container.id", 17065 "ptrace.tracee.created_at", 17066 "ptrace.tracee.egid", 17067 "ptrace.tracee.egroup", 17068 "ptrace.tracee.envp", 17069 "ptrace.tracee.envs", 17070 
"ptrace.tracee.envs_truncated", 17071 "ptrace.tracee.euid", 17072 "ptrace.tracee.euser", 17073 "ptrace.tracee.file.change_time", 17074 "ptrace.tracee.file.filesystem", 17075 "ptrace.tracee.file.gid", 17076 "ptrace.tracee.file.group", 17077 "ptrace.tracee.file.hashes", 17078 "ptrace.tracee.file.in_upper_layer", 17079 "ptrace.tracee.file.inode", 17080 "ptrace.tracee.file.mode", 17081 "ptrace.tracee.file.modification_time", 17082 "ptrace.tracee.file.mount_id", 17083 "ptrace.tracee.file.name", 17084 "ptrace.tracee.file.name.length", 17085 "ptrace.tracee.file.package.name", 17086 "ptrace.tracee.file.package.source_version", 17087 "ptrace.tracee.file.package.version", 17088 "ptrace.tracee.file.path", 17089 "ptrace.tracee.file.path.length", 17090 "ptrace.tracee.file.rights", 17091 "ptrace.tracee.file.uid", 17092 "ptrace.tracee.file.user", 17093 "ptrace.tracee.fsgid", 17094 "ptrace.tracee.fsgroup", 17095 "ptrace.tracee.fsuid", 17096 "ptrace.tracee.fsuser", 17097 "ptrace.tracee.gid", 17098 "ptrace.tracee.group", 17099 "ptrace.tracee.interpreter.file.change_time", 17100 "ptrace.tracee.interpreter.file.filesystem", 17101 "ptrace.tracee.interpreter.file.gid", 17102 "ptrace.tracee.interpreter.file.group", 17103 "ptrace.tracee.interpreter.file.hashes", 17104 "ptrace.tracee.interpreter.file.in_upper_layer", 17105 "ptrace.tracee.interpreter.file.inode", 17106 "ptrace.tracee.interpreter.file.mode", 17107 "ptrace.tracee.interpreter.file.modification_time", 17108 "ptrace.tracee.interpreter.file.mount_id", 17109 "ptrace.tracee.interpreter.file.name", 17110 "ptrace.tracee.interpreter.file.name.length", 17111 "ptrace.tracee.interpreter.file.package.name", 17112 "ptrace.tracee.interpreter.file.package.source_version", 17113 "ptrace.tracee.interpreter.file.package.version", 17114 "ptrace.tracee.interpreter.file.path", 17115 "ptrace.tracee.interpreter.file.path.length", 17116 "ptrace.tracee.interpreter.file.rights", 17117 "ptrace.tracee.interpreter.file.uid", 17118 
"ptrace.tracee.interpreter.file.user", 17119 "ptrace.tracee.is_kworker", 17120 "ptrace.tracee.is_thread", 17121 "ptrace.tracee.parent.args", 17122 "ptrace.tracee.parent.args_flags", 17123 "ptrace.tracee.parent.args_options", 17124 "ptrace.tracee.parent.args_truncated", 17125 "ptrace.tracee.parent.argv", 17126 "ptrace.tracee.parent.argv0", 17127 "ptrace.tracee.parent.cap_effective", 17128 "ptrace.tracee.parent.cap_permitted", 17129 "ptrace.tracee.parent.comm", 17130 "ptrace.tracee.parent.container.id", 17131 "ptrace.tracee.parent.created_at", 17132 "ptrace.tracee.parent.egid", 17133 "ptrace.tracee.parent.egroup", 17134 "ptrace.tracee.parent.envp", 17135 "ptrace.tracee.parent.envs", 17136 "ptrace.tracee.parent.envs_truncated", 17137 "ptrace.tracee.parent.euid", 17138 "ptrace.tracee.parent.euser", 17139 "ptrace.tracee.parent.file.change_time", 17140 "ptrace.tracee.parent.file.filesystem", 17141 "ptrace.tracee.parent.file.gid", 17142 "ptrace.tracee.parent.file.group", 17143 "ptrace.tracee.parent.file.hashes", 17144 "ptrace.tracee.parent.file.in_upper_layer", 17145 "ptrace.tracee.parent.file.inode", 17146 "ptrace.tracee.parent.file.mode", 17147 "ptrace.tracee.parent.file.modification_time", 17148 "ptrace.tracee.parent.file.mount_id", 17149 "ptrace.tracee.parent.file.name", 17150 "ptrace.tracee.parent.file.name.length", 17151 "ptrace.tracee.parent.file.package.name", 17152 "ptrace.tracee.parent.file.package.source_version", 17153 "ptrace.tracee.parent.file.package.version", 17154 "ptrace.tracee.parent.file.path", 17155 "ptrace.tracee.parent.file.path.length", 17156 "ptrace.tracee.parent.file.rights", 17157 "ptrace.tracee.parent.file.uid", 17158 "ptrace.tracee.parent.file.user", 17159 "ptrace.tracee.parent.fsgid", 17160 "ptrace.tracee.parent.fsgroup", 17161 "ptrace.tracee.parent.fsuid", 17162 "ptrace.tracee.parent.fsuser", 17163 "ptrace.tracee.parent.gid", 17164 "ptrace.tracee.parent.group", 17165 "ptrace.tracee.parent.interpreter.file.change_time", 17166 
"ptrace.tracee.parent.interpreter.file.filesystem", 17167 "ptrace.tracee.parent.interpreter.file.gid", 17168 "ptrace.tracee.parent.interpreter.file.group", 17169 "ptrace.tracee.parent.interpreter.file.hashes", 17170 "ptrace.tracee.parent.interpreter.file.in_upper_layer", 17171 "ptrace.tracee.parent.interpreter.file.inode", 17172 "ptrace.tracee.parent.interpreter.file.mode", 17173 "ptrace.tracee.parent.interpreter.file.modification_time", 17174 "ptrace.tracee.parent.interpreter.file.mount_id", 17175 "ptrace.tracee.parent.interpreter.file.name", 17176 "ptrace.tracee.parent.interpreter.file.name.length", 17177 "ptrace.tracee.parent.interpreter.file.package.name", 17178 "ptrace.tracee.parent.interpreter.file.package.source_version", 17179 "ptrace.tracee.parent.interpreter.file.package.version", 17180 "ptrace.tracee.parent.interpreter.file.path", 17181 "ptrace.tracee.parent.interpreter.file.path.length", 17182 "ptrace.tracee.parent.interpreter.file.rights", 17183 "ptrace.tracee.parent.interpreter.file.uid", 17184 "ptrace.tracee.parent.interpreter.file.user", 17185 "ptrace.tracee.parent.is_kworker", 17186 "ptrace.tracee.parent.is_thread", 17187 "ptrace.tracee.parent.pid", 17188 "ptrace.tracee.parent.ppid", 17189 "ptrace.tracee.parent.tid", 17190 "ptrace.tracee.parent.tty_name", 17191 "ptrace.tracee.parent.uid", 17192 "ptrace.tracee.parent.user", 17193 "ptrace.tracee.parent.user_session.k8s_groups", 17194 "ptrace.tracee.parent.user_session.k8s_uid", 17195 "ptrace.tracee.parent.user_session.k8s_username", 17196 "ptrace.tracee.pid", 17197 "ptrace.tracee.ppid", 17198 "ptrace.tracee.tid", 17199 "ptrace.tracee.tty_name", 17200 "ptrace.tracee.uid", 17201 "ptrace.tracee.user", 17202 "ptrace.tracee.user_session.k8s_groups", 17203 "ptrace.tracee.user_session.k8s_uid", 17204 "ptrace.tracee.user_session.k8s_username", 17205 "removexattr.file.change_time", 17206 "removexattr.file.destination.name", 17207 "removexattr.file.destination.namespace", 17208 "removexattr.file.filesystem", 
17209 "removexattr.file.gid", 17210 "removexattr.file.group", 17211 "removexattr.file.hashes", 17212 "removexattr.file.in_upper_layer", 17213 "removexattr.file.inode", 17214 "removexattr.file.mode", 17215 "removexattr.file.modification_time", 17216 "removexattr.file.mount_id", 17217 "removexattr.file.name", 17218 "removexattr.file.name.length", 17219 "removexattr.file.package.name", 17220 "removexattr.file.package.source_version", 17221 "removexattr.file.package.version", 17222 "removexattr.file.path", 17223 "removexattr.file.path.length", 17224 "removexattr.file.rights", 17225 "removexattr.file.uid", 17226 "removexattr.file.user", 17227 "removexattr.retval", 17228 "rename.file.change_time", 17229 "rename.file.destination.change_time", 17230 "rename.file.destination.filesystem", 17231 "rename.file.destination.gid", 17232 "rename.file.destination.group", 17233 "rename.file.destination.hashes", 17234 "rename.file.destination.in_upper_layer", 17235 "rename.file.destination.inode", 17236 "rename.file.destination.mode", 17237 "rename.file.destination.modification_time", 17238 "rename.file.destination.mount_id", 17239 "rename.file.destination.name", 17240 "rename.file.destination.name.length", 17241 "rename.file.destination.package.name", 17242 "rename.file.destination.package.source_version", 17243 "rename.file.destination.package.version", 17244 "rename.file.destination.path", 17245 "rename.file.destination.path.length", 17246 "rename.file.destination.rights", 17247 "rename.file.destination.uid", 17248 "rename.file.destination.user", 17249 "rename.file.filesystem", 17250 "rename.file.gid", 17251 "rename.file.group", 17252 "rename.file.hashes", 17253 "rename.file.in_upper_layer", 17254 "rename.file.inode", 17255 "rename.file.mode", 17256 "rename.file.modification_time", 17257 "rename.file.mount_id", 17258 "rename.file.name", 17259 "rename.file.name.length", 17260 "rename.file.package.name", 17261 "rename.file.package.source_version", 17262 "rename.file.package.version", 
17263 "rename.file.path", 17264 "rename.file.path.length", 17265 "rename.file.rights", 17266 "rename.file.uid", 17267 "rename.file.user", 17268 "rename.retval", 17269 "rmdir.file.change_time", 17270 "rmdir.file.filesystem", 17271 "rmdir.file.gid", 17272 "rmdir.file.group", 17273 "rmdir.file.hashes", 17274 "rmdir.file.in_upper_layer", 17275 "rmdir.file.inode", 17276 "rmdir.file.mode", 17277 "rmdir.file.modification_time", 17278 "rmdir.file.mount_id", 17279 "rmdir.file.name", 17280 "rmdir.file.name.length", 17281 "rmdir.file.package.name", 17282 "rmdir.file.package.source_version", 17283 "rmdir.file.package.version", 17284 "rmdir.file.path", 17285 "rmdir.file.path.length", 17286 "rmdir.file.rights", 17287 "rmdir.file.uid", 17288 "rmdir.file.user", 17289 "rmdir.retval", 17290 "selinux.bool.name", 17291 "selinux.bool.state", 17292 "selinux.bool_commit.state", 17293 "selinux.enforce.status", 17294 "setgid.egid", 17295 "setgid.egroup", 17296 "setgid.fsgid", 17297 "setgid.fsgroup", 17298 "setgid.gid", 17299 "setgid.group", 17300 "setuid.euid", 17301 "setuid.euser", 17302 "setuid.fsuid", 17303 "setuid.fsuser", 17304 "setuid.uid", 17305 "setuid.user", 17306 "setxattr.file.change_time", 17307 "setxattr.file.destination.name", 17308 "setxattr.file.destination.namespace", 17309 "setxattr.file.filesystem", 17310 "setxattr.file.gid", 17311 "setxattr.file.group", 17312 "setxattr.file.hashes", 17313 "setxattr.file.in_upper_layer", 17314 "setxattr.file.inode", 17315 "setxattr.file.mode", 17316 "setxattr.file.modification_time", 17317 "setxattr.file.mount_id", 17318 "setxattr.file.name", 17319 "setxattr.file.name.length", 17320 "setxattr.file.package.name", 17321 "setxattr.file.package.source_version", 17322 "setxattr.file.package.version", 17323 "setxattr.file.path", 17324 "setxattr.file.path.length", 17325 "setxattr.file.rights", 17326 "setxattr.file.uid", 17327 "setxattr.file.user", 17328 "setxattr.retval", 17329 "signal.pid", 17330 "signal.retval", 17331 
"signal.target.ancestors.args", 17332 "signal.target.ancestors.args_flags", 17333 "signal.target.ancestors.args_options", 17334 "signal.target.ancestors.args_truncated", 17335 "signal.target.ancestors.argv", 17336 "signal.target.ancestors.argv0", 17337 "signal.target.ancestors.cap_effective", 17338 "signal.target.ancestors.cap_permitted", 17339 "signal.target.ancestors.comm", 17340 "signal.target.ancestors.container.id", 17341 "signal.target.ancestors.created_at", 17342 "signal.target.ancestors.egid", 17343 "signal.target.ancestors.egroup", 17344 "signal.target.ancestors.envp", 17345 "signal.target.ancestors.envs", 17346 "signal.target.ancestors.envs_truncated", 17347 "signal.target.ancestors.euid", 17348 "signal.target.ancestors.euser", 17349 "signal.target.ancestors.file.change_time", 17350 "signal.target.ancestors.file.filesystem", 17351 "signal.target.ancestors.file.gid", 17352 "signal.target.ancestors.file.group", 17353 "signal.target.ancestors.file.hashes", 17354 "signal.target.ancestors.file.in_upper_layer", 17355 "signal.target.ancestors.file.inode", 17356 "signal.target.ancestors.file.mode", 17357 "signal.target.ancestors.file.modification_time", 17358 "signal.target.ancestors.file.mount_id", 17359 "signal.target.ancestors.file.name", 17360 "signal.target.ancestors.file.name.length", 17361 "signal.target.ancestors.file.package.name", 17362 "signal.target.ancestors.file.package.source_version", 17363 "signal.target.ancestors.file.package.version", 17364 "signal.target.ancestors.file.path", 17365 "signal.target.ancestors.file.path.length", 17366 "signal.target.ancestors.file.rights", 17367 "signal.target.ancestors.file.uid", 17368 "signal.target.ancestors.file.user", 17369 "signal.target.ancestors.fsgid", 17370 "signal.target.ancestors.fsgroup", 17371 "signal.target.ancestors.fsuid", 17372 "signal.target.ancestors.fsuser", 17373 "signal.target.ancestors.gid", 17374 "signal.target.ancestors.group", 17375 "signal.target.ancestors.interpreter.file.change_time", 
17376 "signal.target.ancestors.interpreter.file.filesystem", 17377 "signal.target.ancestors.interpreter.file.gid", 17378 "signal.target.ancestors.interpreter.file.group", 17379 "signal.target.ancestors.interpreter.file.hashes", 17380 "signal.target.ancestors.interpreter.file.in_upper_layer", 17381 "signal.target.ancestors.interpreter.file.inode", 17382 "signal.target.ancestors.interpreter.file.mode", 17383 "signal.target.ancestors.interpreter.file.modification_time", 17384 "signal.target.ancestors.interpreter.file.mount_id", 17385 "signal.target.ancestors.interpreter.file.name", 17386 "signal.target.ancestors.interpreter.file.name.length", 17387 "signal.target.ancestors.interpreter.file.package.name", 17388 "signal.target.ancestors.interpreter.file.package.source_version", 17389 "signal.target.ancestors.interpreter.file.package.version", 17390 "signal.target.ancestors.interpreter.file.path", 17391 "signal.target.ancestors.interpreter.file.path.length", 17392 "signal.target.ancestors.interpreter.file.rights", 17393 "signal.target.ancestors.interpreter.file.uid", 17394 "signal.target.ancestors.interpreter.file.user", 17395 "signal.target.ancestors.is_kworker", 17396 "signal.target.ancestors.is_thread", 17397 "signal.target.ancestors.pid", 17398 "signal.target.ancestors.ppid", 17399 "signal.target.ancestors.tid", 17400 "signal.target.ancestors.tty_name", 17401 "signal.target.ancestors.uid", 17402 "signal.target.ancestors.user", 17403 "signal.target.ancestors.user_session.k8s_groups", 17404 "signal.target.ancestors.user_session.k8s_uid", 17405 "signal.target.ancestors.user_session.k8s_username", 17406 "signal.target.args", 17407 "signal.target.args_flags", 17408 "signal.target.args_options", 17409 "signal.target.args_truncated", 17410 "signal.target.argv", 17411 "signal.target.argv0", 17412 "signal.target.cap_effective", 17413 "signal.target.cap_permitted", 17414 "signal.target.comm", 17415 "signal.target.container.id", 17416 "signal.target.created_at", 17417 
"signal.target.egid", 17418 "signal.target.egroup", 17419 "signal.target.envp", 17420 "signal.target.envs", 17421 "signal.target.envs_truncated", 17422 "signal.target.euid", 17423 "signal.target.euser", 17424 "signal.target.file.change_time", 17425 "signal.target.file.filesystem", 17426 "signal.target.file.gid", 17427 "signal.target.file.group", 17428 "signal.target.file.hashes", 17429 "signal.target.file.in_upper_layer", 17430 "signal.target.file.inode", 17431 "signal.target.file.mode", 17432 "signal.target.file.modification_time", 17433 "signal.target.file.mount_id", 17434 "signal.target.file.name", 17435 "signal.target.file.name.length", 17436 "signal.target.file.package.name", 17437 "signal.target.file.package.source_version", 17438 "signal.target.file.package.version", 17439 "signal.target.file.path", 17440 "signal.target.file.path.length", 17441 "signal.target.file.rights", 17442 "signal.target.file.uid", 17443 "signal.target.file.user", 17444 "signal.target.fsgid", 17445 "signal.target.fsgroup", 17446 "signal.target.fsuid", 17447 "signal.target.fsuser", 17448 "signal.target.gid", 17449 "signal.target.group", 17450 "signal.target.interpreter.file.change_time", 17451 "signal.target.interpreter.file.filesystem", 17452 "signal.target.interpreter.file.gid", 17453 "signal.target.interpreter.file.group", 17454 "signal.target.interpreter.file.hashes", 17455 "signal.target.interpreter.file.in_upper_layer", 17456 "signal.target.interpreter.file.inode", 17457 "signal.target.interpreter.file.mode", 17458 "signal.target.interpreter.file.modification_time", 17459 "signal.target.interpreter.file.mount_id", 17460 "signal.target.interpreter.file.name", 17461 "signal.target.interpreter.file.name.length", 17462 "signal.target.interpreter.file.package.name", 17463 "signal.target.interpreter.file.package.source_version", 17464 "signal.target.interpreter.file.package.version", 17465 "signal.target.interpreter.file.path", 17466 "signal.target.interpreter.file.path.length", 17467 
"signal.target.interpreter.file.rights", 17468 "signal.target.interpreter.file.uid", 17469 "signal.target.interpreter.file.user", 17470 "signal.target.is_kworker", 17471 "signal.target.is_thread", 17472 "signal.target.parent.args", 17473 "signal.target.parent.args_flags", 17474 "signal.target.parent.args_options", 17475 "signal.target.parent.args_truncated", 17476 "signal.target.parent.argv", 17477 "signal.target.parent.argv0", 17478 "signal.target.parent.cap_effective", 17479 "signal.target.parent.cap_permitted", 17480 "signal.target.parent.comm", 17481 "signal.target.parent.container.id", 17482 "signal.target.parent.created_at", 17483 "signal.target.parent.egid", 17484 "signal.target.parent.egroup", 17485 "signal.target.parent.envp", 17486 "signal.target.parent.envs", 17487 "signal.target.parent.envs_truncated", 17488 "signal.target.parent.euid", 17489 "signal.target.parent.euser", 17490 "signal.target.parent.file.change_time", 17491 "signal.target.parent.file.filesystem", 17492 "signal.target.parent.file.gid", 17493 "signal.target.parent.file.group", 17494 "signal.target.parent.file.hashes", 17495 "signal.target.parent.file.in_upper_layer", 17496 "signal.target.parent.file.inode", 17497 "signal.target.parent.file.mode", 17498 "signal.target.parent.file.modification_time", 17499 "signal.target.parent.file.mount_id", 17500 "signal.target.parent.file.name", 17501 "signal.target.parent.file.name.length", 17502 "signal.target.parent.file.package.name", 17503 "signal.target.parent.file.package.source_version", 17504 "signal.target.parent.file.package.version", 17505 "signal.target.parent.file.path", 17506 "signal.target.parent.file.path.length", 17507 "signal.target.parent.file.rights", 17508 "signal.target.parent.file.uid", 17509 "signal.target.parent.file.user", 17510 "signal.target.parent.fsgid", 17511 "signal.target.parent.fsgroup", 17512 "signal.target.parent.fsuid", 17513 "signal.target.parent.fsuser", 17514 "signal.target.parent.gid", 17515 
"signal.target.parent.group", 17516 "signal.target.parent.interpreter.file.change_time", 17517 "signal.target.parent.interpreter.file.filesystem", 17518 "signal.target.parent.interpreter.file.gid", 17519 "signal.target.parent.interpreter.file.group", 17520 "signal.target.parent.interpreter.file.hashes", 17521 "signal.target.parent.interpreter.file.in_upper_layer", 17522 "signal.target.parent.interpreter.file.inode", 17523 "signal.target.parent.interpreter.file.mode", 17524 "signal.target.parent.interpreter.file.modification_time", 17525 "signal.target.parent.interpreter.file.mount_id", 17526 "signal.target.parent.interpreter.file.name", 17527 "signal.target.parent.interpreter.file.name.length", 17528 "signal.target.parent.interpreter.file.package.name", 17529 "signal.target.parent.interpreter.file.package.source_version", 17530 "signal.target.parent.interpreter.file.package.version", 17531 "signal.target.parent.interpreter.file.path", 17532 "signal.target.parent.interpreter.file.path.length", 17533 "signal.target.parent.interpreter.file.rights", 17534 "signal.target.parent.interpreter.file.uid", 17535 "signal.target.parent.interpreter.file.user", 17536 "signal.target.parent.is_kworker", 17537 "signal.target.parent.is_thread", 17538 "signal.target.parent.pid", 17539 "signal.target.parent.ppid", 17540 "signal.target.parent.tid", 17541 "signal.target.parent.tty_name", 17542 "signal.target.parent.uid", 17543 "signal.target.parent.user", 17544 "signal.target.parent.user_session.k8s_groups", 17545 "signal.target.parent.user_session.k8s_uid", 17546 "signal.target.parent.user_session.k8s_username", 17547 "signal.target.pid", 17548 "signal.target.ppid", 17549 "signal.target.tid", 17550 "signal.target.tty_name", 17551 "signal.target.uid", 17552 "signal.target.user", 17553 "signal.target.user_session.k8s_groups", 17554 "signal.target.user_session.k8s_uid", 17555 "signal.target.user_session.k8s_username", 17556 "signal.type", 17557 "splice.file.change_time", 17558 
"splice.file.filesystem", 17559 "splice.file.gid", 17560 "splice.file.group", 17561 "splice.file.hashes", 17562 "splice.file.in_upper_layer", 17563 "splice.file.inode", 17564 "splice.file.mode", 17565 "splice.file.modification_time", 17566 "splice.file.mount_id", 17567 "splice.file.name", 17568 "splice.file.name.length", 17569 "splice.file.package.name", 17570 "splice.file.package.source_version", 17571 "splice.file.package.version", 17572 "splice.file.path", 17573 "splice.file.path.length", 17574 "splice.file.rights", 17575 "splice.file.uid", 17576 "splice.file.user", 17577 "splice.pipe_entry_flag", 17578 "splice.pipe_exit_flag", 17579 "splice.retval", 17580 "unlink.file.change_time", 17581 "unlink.file.filesystem", 17582 "unlink.file.gid", 17583 "unlink.file.group", 17584 "unlink.file.hashes", 17585 "unlink.file.in_upper_layer", 17586 "unlink.file.inode", 17587 "unlink.file.mode", 17588 "unlink.file.modification_time", 17589 "unlink.file.mount_id", 17590 "unlink.file.name", 17591 "unlink.file.name.length", 17592 "unlink.file.package.name", 17593 "unlink.file.package.source_version", 17594 "unlink.file.package.version", 17595 "unlink.file.path", 17596 "unlink.file.path.length", 17597 "unlink.file.rights", 17598 "unlink.file.uid", 17599 "unlink.file.user", 17600 "unlink.flags", 17601 "unlink.retval", 17602 "unload_module.name", 17603 "unload_module.retval", 17604 "utimes.file.change_time", 17605 "utimes.file.filesystem", 17606 "utimes.file.gid", 17607 "utimes.file.group", 17608 "utimes.file.hashes", 17609 "utimes.file.in_upper_layer", 17610 "utimes.file.inode", 17611 "utimes.file.mode", 17612 "utimes.file.modification_time", 17613 "utimes.file.mount_id", 17614 "utimes.file.name", 17615 "utimes.file.name.length", 17616 "utimes.file.package.name", 17617 "utimes.file.package.source_version", 17618 "utimes.file.package.version", 17619 "utimes.file.path", 17620 "utimes.file.path.length", 17621 "utimes.file.rights", 17622 "utimes.file.uid", 17623 "utimes.file.user", 
17624 "utimes.retval", 17625 } 17626 } 17627 func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) { 17628 switch field { 17629 case "bind.addr.family": 17630 return int(ev.Bind.AddrFamily), nil 17631 case "bind.addr.ip": 17632 return ev.Bind.Addr.IPNet, nil 17633 case "bind.addr.port": 17634 return int(ev.Bind.Addr.Port), nil 17635 case "bind.retval": 17636 return int(ev.Bind.SyscallEvent.Retval), nil 17637 case "bpf.cmd": 17638 return int(ev.BPF.Cmd), nil 17639 case "bpf.map.name": 17640 return ev.BPF.Map.Name, nil 17641 case "bpf.map.type": 17642 return int(ev.BPF.Map.Type), nil 17643 case "bpf.prog.attach_type": 17644 return int(ev.BPF.Program.AttachType), nil 17645 case "bpf.prog.helpers": 17646 result := make([]int, len(ev.BPF.Program.Helpers)) 17647 for i, v := range ev.BPF.Program.Helpers { 17648 result[i] = int(v) 17649 } 17650 return result, nil 17651 case "bpf.prog.name": 17652 return ev.BPF.Program.Name, nil 17653 case "bpf.prog.tag": 17654 return ev.BPF.Program.Tag, nil 17655 case "bpf.prog.type": 17656 return int(ev.BPF.Program.Type), nil 17657 case "bpf.retval": 17658 return int(ev.BPF.SyscallEvent.Retval), nil 17659 case "capset.cap_effective": 17660 return int(ev.Capset.CapEffective), nil 17661 case "capset.cap_permitted": 17662 return int(ev.Capset.CapPermitted), nil 17663 case "chdir.file.change_time": 17664 return int(ev.Chdir.File.FileFields.CTime), nil 17665 case "chdir.file.filesystem": 17666 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chdir.File), nil 17667 case "chdir.file.gid": 17668 return int(ev.Chdir.File.FileFields.GID), nil 17669 case "chdir.file.group": 17670 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chdir.File.FileFields), nil 17671 case "chdir.file.hashes": 17672 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chdir.File), nil 17673 case "chdir.file.in_upper_layer": 17674 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chdir.File.FileFields), nil 17675 case 
"chdir.file.inode": 17676 return int(ev.Chdir.File.FileFields.PathKey.Inode), nil 17677 case "chdir.file.mode": 17678 return int(ev.Chdir.File.FileFields.Mode), nil 17679 case "chdir.file.modification_time": 17680 return int(ev.Chdir.File.FileFields.MTime), nil 17681 case "chdir.file.mount_id": 17682 return int(ev.Chdir.File.FileFields.PathKey.MountID), nil 17683 case "chdir.file.name": 17684 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chdir.File), nil 17685 case "chdir.file.name.length": 17686 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chdir.File), nil 17687 case "chdir.file.package.name": 17688 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chdir.File), nil 17689 case "chdir.file.package.source_version": 17690 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chdir.File), nil 17691 case "chdir.file.package.version": 17692 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chdir.File), nil 17693 case "chdir.file.path": 17694 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chdir.File), nil 17695 case "chdir.file.path.length": 17696 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chdir.File), nil 17697 case "chdir.file.rights": 17698 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Chdir.File.FileFields)), nil 17699 case "chdir.file.uid": 17700 return int(ev.Chdir.File.FileFields.UID), nil 17701 case "chdir.file.user": 17702 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chdir.File.FileFields), nil 17703 case "chdir.retval": 17704 return int(ev.Chdir.SyscallEvent.Retval), nil 17705 case "chmod.file.change_time": 17706 return int(ev.Chmod.File.FileFields.CTime), nil 17707 case "chmod.file.destination.mode": 17708 return int(ev.Chmod.Mode), nil 17709 case "chmod.file.destination.rights": 17710 return int(ev.Chmod.Mode), nil 17711 case "chmod.file.filesystem": 17712 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chmod.File), nil 17713 case "chmod.file.gid": 17714 return int(ev.Chmod.File.FileFields.GID), nil 17715 case 
"chmod.file.group": 17716 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chmod.File.FileFields), nil 17717 case "chmod.file.hashes": 17718 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chmod.File), nil 17719 case "chmod.file.in_upper_layer": 17720 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chmod.File.FileFields), nil 17721 case "chmod.file.inode": 17722 return int(ev.Chmod.File.FileFields.PathKey.Inode), nil 17723 case "chmod.file.mode": 17724 return int(ev.Chmod.File.FileFields.Mode), nil 17725 case "chmod.file.modification_time": 17726 return int(ev.Chmod.File.FileFields.MTime), nil 17727 case "chmod.file.mount_id": 17728 return int(ev.Chmod.File.FileFields.PathKey.MountID), nil 17729 case "chmod.file.name": 17730 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chmod.File), nil 17731 case "chmod.file.name.length": 17732 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chmod.File), nil 17733 case "chmod.file.package.name": 17734 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chmod.File), nil 17735 case "chmod.file.package.source_version": 17736 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chmod.File), nil 17737 case "chmod.file.package.version": 17738 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chmod.File), nil 17739 case "chmod.file.path": 17740 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chmod.File), nil 17741 case "chmod.file.path.length": 17742 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chmod.File), nil 17743 case "chmod.file.rights": 17744 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Chmod.File.FileFields)), nil 17745 case "chmod.file.uid": 17746 return int(ev.Chmod.File.FileFields.UID), nil 17747 case "chmod.file.user": 17748 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chmod.File.FileFields), nil 17749 case "chmod.retval": 17750 return int(ev.Chmod.SyscallEvent.Retval), nil 17751 case "chown.file.change_time": 17752 return int(ev.Chown.File.FileFields.CTime), nil 
17753 case "chown.file.destination.gid": 17754 return int(ev.Chown.GID), nil 17755 case "chown.file.destination.group": 17756 return ev.FieldHandlers.ResolveChownGID(ev, &ev.Chown), nil 17757 case "chown.file.destination.uid": 17758 return int(ev.Chown.UID), nil 17759 case "chown.file.destination.user": 17760 return ev.FieldHandlers.ResolveChownUID(ev, &ev.Chown), nil 17761 case "chown.file.filesystem": 17762 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chown.File), nil 17763 case "chown.file.gid": 17764 return int(ev.Chown.File.FileFields.GID), nil 17765 case "chown.file.group": 17766 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chown.File.FileFields), nil 17767 case "chown.file.hashes": 17768 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chown.File), nil 17769 case "chown.file.in_upper_layer": 17770 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chown.File.FileFields), nil 17771 case "chown.file.inode": 17772 return int(ev.Chown.File.FileFields.PathKey.Inode), nil 17773 case "chown.file.mode": 17774 return int(ev.Chown.File.FileFields.Mode), nil 17775 case "chown.file.modification_time": 17776 return int(ev.Chown.File.FileFields.MTime), nil 17777 case "chown.file.mount_id": 17778 return int(ev.Chown.File.FileFields.PathKey.MountID), nil 17779 case "chown.file.name": 17780 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chown.File), nil 17781 case "chown.file.name.length": 17782 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chown.File), nil 17783 case "chown.file.package.name": 17784 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chown.File), nil 17785 case "chown.file.package.source_version": 17786 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chown.File), nil 17787 case "chown.file.package.version": 17788 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chown.File), nil 17789 case "chown.file.path": 17790 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chown.File), nil 17791 case 
"chown.file.path.length": 17792 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chown.File), nil 17793 case "chown.file.rights": 17794 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Chown.File.FileFields)), nil 17795 case "chown.file.uid": 17796 return int(ev.Chown.File.FileFields.UID), nil 17797 case "chown.file.user": 17798 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chown.File.FileFields), nil 17799 case "chown.retval": 17800 return int(ev.Chown.SyscallEvent.Retval), nil 17801 case "container.created_at": 17802 return int(ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.BaseEvent.ContainerContext)), nil 17803 case "container.id": 17804 return ev.FieldHandlers.ResolveContainerID(ev, ev.BaseEvent.ContainerContext), nil 17805 case "container.tags": 17806 return ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext), nil 17807 case "dns.id": 17808 return int(ev.DNS.ID), nil 17809 case "dns.question.class": 17810 return int(ev.DNS.Class), nil 17811 case "dns.question.count": 17812 return int(ev.DNS.Count), nil 17813 case "dns.question.length": 17814 return int(ev.DNS.Size), nil 17815 case "dns.question.name": 17816 return ev.DNS.Name, nil 17817 case "dns.question.name.length": 17818 return len(ev.DNS.Name), nil 17819 case "dns.question.type": 17820 return int(ev.DNS.Type), nil 17821 case "event.async": 17822 return ev.FieldHandlers.ResolveAsync(ev), nil 17823 case "event.origin": 17824 return ev.BaseEvent.Origin, nil 17825 case "event.os": 17826 return ev.BaseEvent.Os, nil 17827 case "event.service": 17828 return ev.FieldHandlers.ResolveService(ev, &ev.BaseEvent), nil 17829 case "event.timestamp": 17830 return int(ev.FieldHandlers.ResolveEventTimestamp(ev, &ev.BaseEvent)), nil 17831 case "exec.args": 17832 return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Exec.Process), nil 17833 case "exec.args_flags": 17834 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Exec.Process), nil 17835 case "exec.args_options": 17836 return 
ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Exec.Process), nil 17837 case "exec.args_truncated": 17838 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Exec.Process), nil 17839 case "exec.argv": 17840 return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Exec.Process), nil 17841 case "exec.argv0": 17842 return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Exec.Process), nil 17843 case "exec.cap_effective": 17844 return int(ev.Exec.Process.Credentials.CapEffective), nil 17845 case "exec.cap_permitted": 17846 return int(ev.Exec.Process.Credentials.CapPermitted), nil 17847 case "exec.comm": 17848 return ev.Exec.Process.Comm, nil 17849 case "exec.container.id": 17850 return ev.Exec.Process.ContainerID, nil 17851 case "exec.created_at": 17852 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exec.Process)), nil 17853 case "exec.egid": 17854 return int(ev.Exec.Process.Credentials.EGID), nil 17855 case "exec.egroup": 17856 return ev.Exec.Process.Credentials.EGroup, nil 17857 case "exec.envp": 17858 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process), nil 17859 case "exec.envs": 17860 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process), nil 17861 case "exec.envs_truncated": 17862 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Exec.Process), nil 17863 case "exec.euid": 17864 return int(ev.Exec.Process.Credentials.EUID), nil 17865 case "exec.euser": 17866 return ev.Exec.Process.Credentials.EUser, nil 17867 case "exec.file.change_time": 17868 if !ev.Exec.Process.IsNotKworker() { 17869 return 0, &eval.ErrNotSupported{Field: field} 17870 } 17871 return int(ev.Exec.Process.FileEvent.FileFields.CTime), nil 17872 case "exec.file.filesystem": 17873 if !ev.Exec.Process.IsNotKworker() { 17874 return "", &eval.ErrNotSupported{Field: field} 17875 } 17876 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exec.Process.FileEvent), nil 17877 case "exec.file.gid": 17878 if !ev.Exec.Process.IsNotKworker() { 17879 return 0, 
&eval.ErrNotSupported{Field: field} 17880 } 17881 return int(ev.Exec.Process.FileEvent.FileFields.GID), nil 17882 case "exec.file.group": 17883 if !ev.Exec.Process.IsNotKworker() { 17884 return "", &eval.ErrNotSupported{Field: field} 17885 } 17886 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exec.Process.FileEvent.FileFields), nil 17887 case "exec.file.hashes": 17888 if !ev.Exec.Process.IsNotKworker() { 17889 return []string{}, &eval.ErrNotSupported{Field: field} 17890 } 17891 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exec.Process.FileEvent), nil 17892 case "exec.file.in_upper_layer": 17893 if !ev.Exec.Process.IsNotKworker() { 17894 return false, &eval.ErrNotSupported{Field: field} 17895 } 17896 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exec.Process.FileEvent.FileFields), nil 17897 case "exec.file.inode": 17898 if !ev.Exec.Process.IsNotKworker() { 17899 return 0, &eval.ErrNotSupported{Field: field} 17900 } 17901 return int(ev.Exec.Process.FileEvent.FileFields.PathKey.Inode), nil 17902 case "exec.file.mode": 17903 if !ev.Exec.Process.IsNotKworker() { 17904 return 0, &eval.ErrNotSupported{Field: field} 17905 } 17906 return int(ev.Exec.Process.FileEvent.FileFields.Mode), nil 17907 case "exec.file.modification_time": 17908 if !ev.Exec.Process.IsNotKworker() { 17909 return 0, &eval.ErrNotSupported{Field: field} 17910 } 17911 return int(ev.Exec.Process.FileEvent.FileFields.MTime), nil 17912 case "exec.file.mount_id": 17913 if !ev.Exec.Process.IsNotKworker() { 17914 return 0, &eval.ErrNotSupported{Field: field} 17915 } 17916 return int(ev.Exec.Process.FileEvent.FileFields.PathKey.MountID), nil 17917 case "exec.file.name": 17918 if !ev.Exec.Process.IsNotKworker() { 17919 return "", &eval.ErrNotSupported{Field: field} 17920 } 17921 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent), nil 17922 case "exec.file.name.length": 17923 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent), nil 
17924 case "exec.file.package.name": 17925 if !ev.Exec.Process.IsNotKworker() { 17926 return "", &eval.ErrNotSupported{Field: field} 17927 } 17928 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exec.Process.FileEvent), nil 17929 case "exec.file.package.source_version": 17930 if !ev.Exec.Process.IsNotKworker() { 17931 return "", &eval.ErrNotSupported{Field: field} 17932 } 17933 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exec.Process.FileEvent), nil 17934 case "exec.file.package.version": 17935 if !ev.Exec.Process.IsNotKworker() { 17936 return "", &eval.ErrNotSupported{Field: field} 17937 } 17938 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exec.Process.FileEvent), nil 17939 case "exec.file.path": 17940 if !ev.Exec.Process.IsNotKworker() { 17941 return "", &eval.ErrNotSupported{Field: field} 17942 } 17943 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent), nil 17944 case "exec.file.path.length": 17945 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent), nil 17946 case "exec.file.rights": 17947 if !ev.Exec.Process.IsNotKworker() { 17948 return 0, &eval.ErrNotSupported{Field: field} 17949 } 17950 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exec.Process.FileEvent.FileFields)), nil 17951 case "exec.file.uid": 17952 if !ev.Exec.Process.IsNotKworker() { 17953 return 0, &eval.ErrNotSupported{Field: field} 17954 } 17955 return int(ev.Exec.Process.FileEvent.FileFields.UID), nil 17956 case "exec.file.user": 17957 if !ev.Exec.Process.IsNotKworker() { 17958 return "", &eval.ErrNotSupported{Field: field} 17959 } 17960 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exec.Process.FileEvent.FileFields), nil 17961 case "exec.fsgid": 17962 return int(ev.Exec.Process.Credentials.FSGID), nil 17963 case "exec.fsgroup": 17964 return ev.Exec.Process.Credentials.FSGroup, nil 17965 case "exec.fsuid": 17966 return int(ev.Exec.Process.Credentials.FSUID), nil 17967 case "exec.fsuser": 17968 return 
ev.Exec.Process.Credentials.FSUser, nil 17969 case "exec.gid": 17970 return int(ev.Exec.Process.Credentials.GID), nil 17971 case "exec.group": 17972 return ev.Exec.Process.Credentials.Group, nil 17973 case "exec.interpreter.file.change_time": 17974 if !ev.Exec.Process.HasInterpreter() { 17975 return 0, &eval.ErrNotSupported{Field: field} 17976 } 17977 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.CTime), nil 17978 case "exec.interpreter.file.filesystem": 17979 if !ev.Exec.Process.HasInterpreter() { 17980 return "", &eval.ErrNotSupported{Field: field} 17981 } 17982 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil 17983 case "exec.interpreter.file.gid": 17984 if !ev.Exec.Process.HasInterpreter() { 17985 return 0, &eval.ErrNotSupported{Field: field} 17986 } 17987 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.GID), nil 17988 case "exec.interpreter.file.group": 17989 if !ev.Exec.Process.HasInterpreter() { 17990 return "", &eval.ErrNotSupported{Field: field} 17991 } 17992 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields), nil 17993 case "exec.interpreter.file.hashes": 17994 if !ev.Exec.Process.HasInterpreter() { 17995 return []string{}, &eval.ErrNotSupported{Field: field} 17996 } 17997 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil 17998 case "exec.interpreter.file.in_upper_layer": 17999 if !ev.Exec.Process.HasInterpreter() { 18000 return false, &eval.ErrNotSupported{Field: field} 18001 } 18002 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields), nil 18003 case "exec.interpreter.file.inode": 18004 if !ev.Exec.Process.HasInterpreter() { 18005 return 0, &eval.ErrNotSupported{Field: field} 18006 } 18007 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil 18008 case "exec.interpreter.file.mode": 18009 if 
!ev.Exec.Process.HasInterpreter() { 18010 return 0, &eval.ErrNotSupported{Field: field} 18011 } 18012 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.Mode), nil 18013 case "exec.interpreter.file.modification_time": 18014 if !ev.Exec.Process.HasInterpreter() { 18015 return 0, &eval.ErrNotSupported{Field: field} 18016 } 18017 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.MTime), nil 18018 case "exec.interpreter.file.mount_id": 18019 if !ev.Exec.Process.HasInterpreter() { 18020 return 0, &eval.ErrNotSupported{Field: field} 18021 } 18022 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil 18023 case "exec.interpreter.file.name": 18024 if !ev.Exec.Process.HasInterpreter() { 18025 return "", &eval.ErrNotSupported{Field: field} 18026 } 18027 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil 18028 case "exec.interpreter.file.name.length": 18029 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil 18030 case "exec.interpreter.file.package.name": 18031 if !ev.Exec.Process.HasInterpreter() { 18032 return "", &eval.ErrNotSupported{Field: field} 18033 } 18034 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil 18035 case "exec.interpreter.file.package.source_version": 18036 if !ev.Exec.Process.HasInterpreter() { 18037 return "", &eval.ErrNotSupported{Field: field} 18038 } 18039 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil 18040 case "exec.interpreter.file.package.version": 18041 if !ev.Exec.Process.HasInterpreter() { 18042 return "", &eval.ErrNotSupported{Field: field} 18043 } 18044 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil 18045 case "exec.interpreter.file.path": 18046 if !ev.Exec.Process.HasInterpreter() { 18047 return "", &eval.ErrNotSupported{Field: field} 18048 } 18049 return 
ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil 18050 case "exec.interpreter.file.path.length": 18051 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.LinuxBinprm.FileEvent), nil 18052 case "exec.interpreter.file.rights": 18053 if !ev.Exec.Process.HasInterpreter() { 18054 return 0, &eval.ErrNotSupported{Field: field} 18055 } 18056 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields)), nil 18057 case "exec.interpreter.file.uid": 18058 if !ev.Exec.Process.HasInterpreter() { 18059 return 0, &eval.ErrNotSupported{Field: field} 18060 } 18061 return int(ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.UID), nil 18062 case "exec.interpreter.file.user": 18063 if !ev.Exec.Process.HasInterpreter() { 18064 return "", &eval.ErrNotSupported{Field: field} 18065 } 18066 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exec.Process.LinuxBinprm.FileEvent.FileFields), nil 18067 case "exec.is_kworker": 18068 return ev.Exec.Process.PIDContext.IsKworker, nil 18069 case "exec.is_thread": 18070 return ev.Exec.Process.IsThread, nil 18071 case "exec.pid": 18072 return int(ev.Exec.Process.PIDContext.Pid), nil 18073 case "exec.ppid": 18074 return int(ev.Exec.Process.PPid), nil 18075 case "exec.tid": 18076 return int(ev.Exec.Process.PIDContext.Tid), nil 18077 case "exec.tty_name": 18078 return ev.Exec.Process.TTYName, nil 18079 case "exec.uid": 18080 return int(ev.Exec.Process.Credentials.UID), nil 18081 case "exec.user": 18082 return ev.Exec.Process.Credentials.User, nil 18083 case "exec.user_session.k8s_groups": 18084 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Exec.Process.UserSession), nil 18085 case "exec.user_session.k8s_uid": 18086 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Exec.Process.UserSession), nil 18087 case "exec.user_session.k8s_username": 18088 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Exec.Process.UserSession), nil 18089 case "exit.args": 18090 return 
ev.FieldHandlers.ResolveProcessArgs(ev, ev.Exit.Process), nil 18091 case "exit.args_flags": 18092 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Exit.Process), nil 18093 case "exit.args_options": 18094 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Exit.Process), nil 18095 case "exit.args_truncated": 18096 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Exit.Process), nil 18097 case "exit.argv": 18098 return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Exit.Process), nil 18099 case "exit.argv0": 18100 return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Exit.Process), nil 18101 case "exit.cap_effective": 18102 return int(ev.Exit.Process.Credentials.CapEffective), nil 18103 case "exit.cap_permitted": 18104 return int(ev.Exit.Process.Credentials.CapPermitted), nil 18105 case "exit.cause": 18106 return int(ev.Exit.Cause), nil 18107 case "exit.code": 18108 return int(ev.Exit.Code), nil 18109 case "exit.comm": 18110 return ev.Exit.Process.Comm, nil 18111 case "exit.container.id": 18112 return ev.Exit.Process.ContainerID, nil 18113 case "exit.created_at": 18114 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exit.Process)), nil 18115 case "exit.egid": 18116 return int(ev.Exit.Process.Credentials.EGID), nil 18117 case "exit.egroup": 18118 return ev.Exit.Process.Credentials.EGroup, nil 18119 case "exit.envp": 18120 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process), nil 18121 case "exit.envs": 18122 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process), nil 18123 case "exit.envs_truncated": 18124 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Exit.Process), nil 18125 case "exit.euid": 18126 return int(ev.Exit.Process.Credentials.EUID), nil 18127 case "exit.euser": 18128 return ev.Exit.Process.Credentials.EUser, nil 18129 case "exit.file.change_time": 18130 if !ev.Exit.Process.IsNotKworker() { 18131 return 0, &eval.ErrNotSupported{Field: field} 18132 } 18133 return 
int(ev.Exit.Process.FileEvent.FileFields.CTime), nil 18134 case "exit.file.filesystem": 18135 if !ev.Exit.Process.IsNotKworker() { 18136 return "", &eval.ErrNotSupported{Field: field} 18137 } 18138 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exit.Process.FileEvent), nil 18139 case "exit.file.gid": 18140 if !ev.Exit.Process.IsNotKworker() { 18141 return 0, &eval.ErrNotSupported{Field: field} 18142 } 18143 return int(ev.Exit.Process.FileEvent.FileFields.GID), nil 18144 case "exit.file.group": 18145 if !ev.Exit.Process.IsNotKworker() { 18146 return "", &eval.ErrNotSupported{Field: field} 18147 } 18148 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exit.Process.FileEvent.FileFields), nil 18149 case "exit.file.hashes": 18150 if !ev.Exit.Process.IsNotKworker() { 18151 return []string{}, &eval.ErrNotSupported{Field: field} 18152 } 18153 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exit.Process.FileEvent), nil 18154 case "exit.file.in_upper_layer": 18155 if !ev.Exit.Process.IsNotKworker() { 18156 return false, &eval.ErrNotSupported{Field: field} 18157 } 18158 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exit.Process.FileEvent.FileFields), nil 18159 case "exit.file.inode": 18160 if !ev.Exit.Process.IsNotKworker() { 18161 return 0, &eval.ErrNotSupported{Field: field} 18162 } 18163 return int(ev.Exit.Process.FileEvent.FileFields.PathKey.Inode), nil 18164 case "exit.file.mode": 18165 if !ev.Exit.Process.IsNotKworker() { 18166 return 0, &eval.ErrNotSupported{Field: field} 18167 } 18168 return int(ev.Exit.Process.FileEvent.FileFields.Mode), nil 18169 case "exit.file.modification_time": 18170 if !ev.Exit.Process.IsNotKworker() { 18171 return 0, &eval.ErrNotSupported{Field: field} 18172 } 18173 return int(ev.Exit.Process.FileEvent.FileFields.MTime), nil 18174 case "exit.file.mount_id": 18175 if !ev.Exit.Process.IsNotKworker() { 18176 return 0, &eval.ErrNotSupported{Field: field} 18177 } 18178 return 
int(ev.Exit.Process.FileEvent.FileFields.PathKey.MountID), nil 18179 case "exit.file.name": 18180 if !ev.Exit.Process.IsNotKworker() { 18181 return "", &eval.ErrNotSupported{Field: field} 18182 } 18183 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent), nil 18184 case "exit.file.name.length": 18185 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent), nil 18186 case "exit.file.package.name": 18187 if !ev.Exit.Process.IsNotKworker() { 18188 return "", &eval.ErrNotSupported{Field: field} 18189 } 18190 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exit.Process.FileEvent), nil 18191 case "exit.file.package.source_version": 18192 if !ev.Exit.Process.IsNotKworker() { 18193 return "", &eval.ErrNotSupported{Field: field} 18194 } 18195 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exit.Process.FileEvent), nil 18196 case "exit.file.package.version": 18197 if !ev.Exit.Process.IsNotKworker() { 18198 return "", &eval.ErrNotSupported{Field: field} 18199 } 18200 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exit.Process.FileEvent), nil 18201 case "exit.file.path": 18202 if !ev.Exit.Process.IsNotKworker() { 18203 return "", &eval.ErrNotSupported{Field: field} 18204 } 18205 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent), nil 18206 case "exit.file.path.length": 18207 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent), nil 18208 case "exit.file.rights": 18209 if !ev.Exit.Process.IsNotKworker() { 18210 return 0, &eval.ErrNotSupported{Field: field} 18211 } 18212 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exit.Process.FileEvent.FileFields)), nil 18213 case "exit.file.uid": 18214 if !ev.Exit.Process.IsNotKworker() { 18215 return 0, &eval.ErrNotSupported{Field: field} 18216 } 18217 return int(ev.Exit.Process.FileEvent.FileFields.UID), nil 18218 case "exit.file.user": 18219 if !ev.Exit.Process.IsNotKworker() { 18220 return "", &eval.ErrNotSupported{Field: field} 
18221 } 18222 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exit.Process.FileEvent.FileFields), nil 18223 case "exit.fsgid": 18224 return int(ev.Exit.Process.Credentials.FSGID), nil 18225 case "exit.fsgroup": 18226 return ev.Exit.Process.Credentials.FSGroup, nil 18227 case "exit.fsuid": 18228 return int(ev.Exit.Process.Credentials.FSUID), nil 18229 case "exit.fsuser": 18230 return ev.Exit.Process.Credentials.FSUser, nil 18231 case "exit.gid": 18232 return int(ev.Exit.Process.Credentials.GID), nil 18233 case "exit.group": 18234 return ev.Exit.Process.Credentials.Group, nil 18235 case "exit.interpreter.file.change_time": 18236 if !ev.Exit.Process.HasInterpreter() { 18237 return 0, &eval.ErrNotSupported{Field: field} 18238 } 18239 return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.CTime), nil 18240 case "exit.interpreter.file.filesystem": 18241 if !ev.Exit.Process.HasInterpreter() { 18242 return "", &eval.ErrNotSupported{Field: field} 18243 } 18244 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil 18245 case "exit.interpreter.file.gid": 18246 if !ev.Exit.Process.HasInterpreter() { 18247 return 0, &eval.ErrNotSupported{Field: field} 18248 } 18249 return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.GID), nil 18250 case "exit.interpreter.file.group": 18251 if !ev.Exit.Process.HasInterpreter() { 18252 return "", &eval.ErrNotSupported{Field: field} 18253 } 18254 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields), nil 18255 case "exit.interpreter.file.hashes": 18256 if !ev.Exit.Process.HasInterpreter() { 18257 return []string{}, &eval.ErrNotSupported{Field: field} 18258 } 18259 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil 18260 case "exit.interpreter.file.in_upper_layer": 18261 if !ev.Exit.Process.HasInterpreter() { 18262 return false, &eval.ErrNotSupported{Field: field} 18263 } 18264 return 
ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields), nil 18265 case "exit.interpreter.file.inode": 18266 if !ev.Exit.Process.HasInterpreter() { 18267 return 0, &eval.ErrNotSupported{Field: field} 18268 } 18269 return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil 18270 case "exit.interpreter.file.mode": 18271 if !ev.Exit.Process.HasInterpreter() { 18272 return 0, &eval.ErrNotSupported{Field: field} 18273 } 18274 return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.Mode), nil 18275 case "exit.interpreter.file.modification_time": 18276 if !ev.Exit.Process.HasInterpreter() { 18277 return 0, &eval.ErrNotSupported{Field: field} 18278 } 18279 return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.MTime), nil 18280 case "exit.interpreter.file.mount_id": 18281 if !ev.Exit.Process.HasInterpreter() { 18282 return 0, &eval.ErrNotSupported{Field: field} 18283 } 18284 return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil 18285 case "exit.interpreter.file.name": 18286 if !ev.Exit.Process.HasInterpreter() { 18287 return "", &eval.ErrNotSupported{Field: field} 18288 } 18289 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil 18290 case "exit.interpreter.file.name.length": 18291 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil 18292 case "exit.interpreter.file.package.name": 18293 if !ev.Exit.Process.HasInterpreter() { 18294 return "", &eval.ErrNotSupported{Field: field} 18295 } 18296 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil 18297 case "exit.interpreter.file.package.source_version": 18298 if !ev.Exit.Process.HasInterpreter() { 18299 return "", &eval.ErrNotSupported{Field: field} 18300 } 18301 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil 18302 case 
"exit.interpreter.file.package.version": 18303 if !ev.Exit.Process.HasInterpreter() { 18304 return "", &eval.ErrNotSupported{Field: field} 18305 } 18306 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil 18307 case "exit.interpreter.file.path": 18308 if !ev.Exit.Process.HasInterpreter() { 18309 return "", &eval.ErrNotSupported{Field: field} 18310 } 18311 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil 18312 case "exit.interpreter.file.path.length": 18313 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.LinuxBinprm.FileEvent), nil 18314 case "exit.interpreter.file.rights": 18315 if !ev.Exit.Process.HasInterpreter() { 18316 return 0, &eval.ErrNotSupported{Field: field} 18317 } 18318 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields)), nil 18319 case "exit.interpreter.file.uid": 18320 if !ev.Exit.Process.HasInterpreter() { 18321 return 0, &eval.ErrNotSupported{Field: field} 18322 } 18323 return int(ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.UID), nil 18324 case "exit.interpreter.file.user": 18325 if !ev.Exit.Process.HasInterpreter() { 18326 return "", &eval.ErrNotSupported{Field: field} 18327 } 18328 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Exit.Process.LinuxBinprm.FileEvent.FileFields), nil 18329 case "exit.is_kworker": 18330 return ev.Exit.Process.PIDContext.IsKworker, nil 18331 case "exit.is_thread": 18332 return ev.Exit.Process.IsThread, nil 18333 case "exit.pid": 18334 return int(ev.Exit.Process.PIDContext.Pid), nil 18335 case "exit.ppid": 18336 return int(ev.Exit.Process.PPid), nil 18337 case "exit.tid": 18338 return int(ev.Exit.Process.PIDContext.Tid), nil 18339 case "exit.tty_name": 18340 return ev.Exit.Process.TTYName, nil 18341 case "exit.uid": 18342 return int(ev.Exit.Process.Credentials.UID), nil 18343 case "exit.user": 18344 return ev.Exit.Process.Credentials.User, nil 18345 case 
"exit.user_session.k8s_groups": 18346 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Exit.Process.UserSession), nil 18347 case "exit.user_session.k8s_uid": 18348 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Exit.Process.UserSession), nil 18349 case "exit.user_session.k8s_username": 18350 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Exit.Process.UserSession), nil 18351 case "link.file.change_time": 18352 return int(ev.Link.Source.FileFields.CTime), nil 18353 case "link.file.destination.change_time": 18354 return int(ev.Link.Target.FileFields.CTime), nil 18355 case "link.file.destination.filesystem": 18356 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Link.Target), nil 18357 case "link.file.destination.gid": 18358 return int(ev.Link.Target.FileFields.GID), nil 18359 case "link.file.destination.group": 18360 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Link.Target.FileFields), nil 18361 case "link.file.destination.hashes": 18362 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Link.Target), nil 18363 case "link.file.destination.in_upper_layer": 18364 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Link.Target.FileFields), nil 18365 case "link.file.destination.inode": 18366 return int(ev.Link.Target.FileFields.PathKey.Inode), nil 18367 case "link.file.destination.mode": 18368 return int(ev.Link.Target.FileFields.Mode), nil 18369 case "link.file.destination.modification_time": 18370 return int(ev.Link.Target.FileFields.MTime), nil 18371 case "link.file.destination.mount_id": 18372 return int(ev.Link.Target.FileFields.PathKey.MountID), nil 18373 case "link.file.destination.name": 18374 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Target), nil 18375 case "link.file.destination.name.length": 18376 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Target), nil 18377 case "link.file.destination.package.name": 18378 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Link.Target), nil 18379 case 
"link.file.destination.package.source_version": 18380 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Link.Target), nil 18381 case "link.file.destination.package.version": 18382 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Link.Target), nil 18383 case "link.file.destination.path": 18384 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Target), nil 18385 case "link.file.destination.path.length": 18386 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Target), nil 18387 case "link.file.destination.rights": 18388 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Link.Target.FileFields)), nil 18389 case "link.file.destination.uid": 18390 return int(ev.Link.Target.FileFields.UID), nil 18391 case "link.file.destination.user": 18392 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Link.Target.FileFields), nil 18393 case "link.file.filesystem": 18394 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Link.Source), nil 18395 case "link.file.gid": 18396 return int(ev.Link.Source.FileFields.GID), nil 18397 case "link.file.group": 18398 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Link.Source.FileFields), nil 18399 case "link.file.hashes": 18400 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Link.Source), nil 18401 case "link.file.in_upper_layer": 18402 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Link.Source.FileFields), nil 18403 case "link.file.inode": 18404 return int(ev.Link.Source.FileFields.PathKey.Inode), nil 18405 case "link.file.mode": 18406 return int(ev.Link.Source.FileFields.Mode), nil 18407 case "link.file.modification_time": 18408 return int(ev.Link.Source.FileFields.MTime), nil 18409 case "link.file.mount_id": 18410 return int(ev.Link.Source.FileFields.PathKey.MountID), nil 18411 case "link.file.name": 18412 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Source), nil 18413 case "link.file.name.length": 18414 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Source), nil 
18415 case "link.file.package.name": 18416 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Link.Source), nil 18417 case "link.file.package.source_version": 18418 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Link.Source), nil 18419 case "link.file.package.version": 18420 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Link.Source), nil 18421 case "link.file.path": 18422 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Source), nil 18423 case "link.file.path.length": 18424 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Source), nil 18425 case "link.file.rights": 18426 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Link.Source.FileFields)), nil 18427 case "link.file.uid": 18428 return int(ev.Link.Source.FileFields.UID), nil 18429 case "link.file.user": 18430 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Link.Source.FileFields), nil 18431 case "link.retval": 18432 return int(ev.Link.SyscallEvent.Retval), nil 18433 case "load_module.args": 18434 return ev.FieldHandlers.ResolveModuleArgs(ev, &ev.LoadModule), nil 18435 case "load_module.args_truncated": 18436 return ev.LoadModule.ArgsTruncated, nil 18437 case "load_module.argv": 18438 return ev.FieldHandlers.ResolveModuleArgv(ev, &ev.LoadModule), nil 18439 case "load_module.file.change_time": 18440 return int(ev.LoadModule.File.FileFields.CTime), nil 18441 case "load_module.file.filesystem": 18442 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.LoadModule.File), nil 18443 case "load_module.file.gid": 18444 return int(ev.LoadModule.File.FileFields.GID), nil 18445 case "load_module.file.group": 18446 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.LoadModule.File.FileFields), nil 18447 case "load_module.file.hashes": 18448 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.LoadModule.File), nil 18449 case "load_module.file.in_upper_layer": 18450 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.LoadModule.File.FileFields), nil 18451 case 
"load_module.file.inode": 18452 return int(ev.LoadModule.File.FileFields.PathKey.Inode), nil 18453 case "load_module.file.mode": 18454 return int(ev.LoadModule.File.FileFields.Mode), nil 18455 case "load_module.file.modification_time": 18456 return int(ev.LoadModule.File.FileFields.MTime), nil 18457 case "load_module.file.mount_id": 18458 return int(ev.LoadModule.File.FileFields.PathKey.MountID), nil 18459 case "load_module.file.name": 18460 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.LoadModule.File), nil 18461 case "load_module.file.name.length": 18462 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.LoadModule.File), nil 18463 case "load_module.file.package.name": 18464 return ev.FieldHandlers.ResolvePackageName(ev, &ev.LoadModule.File), nil 18465 case "load_module.file.package.source_version": 18466 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.LoadModule.File), nil 18467 case "load_module.file.package.version": 18468 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.LoadModule.File), nil 18469 case "load_module.file.path": 18470 return ev.FieldHandlers.ResolveFilePath(ev, &ev.LoadModule.File), nil 18471 case "load_module.file.path.length": 18472 return ev.FieldHandlers.ResolveFilePath(ev, &ev.LoadModule.File), nil 18473 case "load_module.file.rights": 18474 return int(ev.FieldHandlers.ResolveRights(ev, &ev.LoadModule.File.FileFields)), nil 18475 case "load_module.file.uid": 18476 return int(ev.LoadModule.File.FileFields.UID), nil 18477 case "load_module.file.user": 18478 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.LoadModule.File.FileFields), nil 18479 case "load_module.loaded_from_memory": 18480 return ev.LoadModule.LoadedFromMemory, nil 18481 case "load_module.name": 18482 return ev.LoadModule.Name, nil 18483 case "load_module.retval": 18484 return int(ev.LoadModule.SyscallEvent.Retval), nil 18485 case "mkdir.file.change_time": 18486 return int(ev.Mkdir.File.FileFields.CTime), nil 18487 case 
"mkdir.file.destination.mode": 18488 return int(ev.Mkdir.Mode), nil 18489 case "mkdir.file.destination.rights": 18490 return int(ev.Mkdir.Mode), nil 18491 case "mkdir.file.filesystem": 18492 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Mkdir.File), nil 18493 case "mkdir.file.gid": 18494 return int(ev.Mkdir.File.FileFields.GID), nil 18495 case "mkdir.file.group": 18496 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Mkdir.File.FileFields), nil 18497 case "mkdir.file.hashes": 18498 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Mkdir.File), nil 18499 case "mkdir.file.in_upper_layer": 18500 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Mkdir.File.FileFields), nil 18501 case "mkdir.file.inode": 18502 return int(ev.Mkdir.File.FileFields.PathKey.Inode), nil 18503 case "mkdir.file.mode": 18504 return int(ev.Mkdir.File.FileFields.Mode), nil 18505 case "mkdir.file.modification_time": 18506 return int(ev.Mkdir.File.FileFields.MTime), nil 18507 case "mkdir.file.mount_id": 18508 return int(ev.Mkdir.File.FileFields.PathKey.MountID), nil 18509 case "mkdir.file.name": 18510 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Mkdir.File), nil 18511 case "mkdir.file.name.length": 18512 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Mkdir.File), nil 18513 case "mkdir.file.package.name": 18514 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Mkdir.File), nil 18515 case "mkdir.file.package.source_version": 18516 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Mkdir.File), nil 18517 case "mkdir.file.package.version": 18518 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Mkdir.File), nil 18519 case "mkdir.file.path": 18520 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Mkdir.File), nil 18521 case "mkdir.file.path.length": 18522 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Mkdir.File), nil 18523 case "mkdir.file.rights": 18524 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Mkdir.File.FileFields)), nil 18525 case 
"mkdir.file.uid": 18526 return int(ev.Mkdir.File.FileFields.UID), nil 18527 case "mkdir.file.user": 18528 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Mkdir.File.FileFields), nil 18529 case "mkdir.retval": 18530 return int(ev.Mkdir.SyscallEvent.Retval), nil 18531 case "mmap.file.change_time": 18532 return int(ev.MMap.File.FileFields.CTime), nil 18533 case "mmap.file.filesystem": 18534 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.MMap.File), nil 18535 case "mmap.file.gid": 18536 return int(ev.MMap.File.FileFields.GID), nil 18537 case "mmap.file.group": 18538 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.MMap.File.FileFields), nil 18539 case "mmap.file.hashes": 18540 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.MMap.File), nil 18541 case "mmap.file.in_upper_layer": 18542 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.MMap.File.FileFields), nil 18543 case "mmap.file.inode": 18544 return int(ev.MMap.File.FileFields.PathKey.Inode), nil 18545 case "mmap.file.mode": 18546 return int(ev.MMap.File.FileFields.Mode), nil 18547 case "mmap.file.modification_time": 18548 return int(ev.MMap.File.FileFields.MTime), nil 18549 case "mmap.file.mount_id": 18550 return int(ev.MMap.File.FileFields.PathKey.MountID), nil 18551 case "mmap.file.name": 18552 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.MMap.File), nil 18553 case "mmap.file.name.length": 18554 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.MMap.File), nil 18555 case "mmap.file.package.name": 18556 return ev.FieldHandlers.ResolvePackageName(ev, &ev.MMap.File), nil 18557 case "mmap.file.package.source_version": 18558 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.MMap.File), nil 18559 case "mmap.file.package.version": 18560 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.MMap.File), nil 18561 case "mmap.file.path": 18562 return ev.FieldHandlers.ResolveFilePath(ev, &ev.MMap.File), nil 18563 case "mmap.file.path.length": 18564 return 
ev.FieldHandlers.ResolveFilePath(ev, &ev.MMap.File), nil 18565 case "mmap.file.rights": 18566 return int(ev.FieldHandlers.ResolveRights(ev, &ev.MMap.File.FileFields)), nil 18567 case "mmap.file.uid": 18568 return int(ev.MMap.File.FileFields.UID), nil 18569 case "mmap.file.user": 18570 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.MMap.File.FileFields), nil 18571 case "mmap.flags": 18572 return int(ev.MMap.Flags), nil 18573 case "mmap.protection": 18574 return int(ev.MMap.Protection), nil 18575 case "mmap.retval": 18576 return int(ev.MMap.SyscallEvent.Retval), nil 18577 case "mount.fs_type": 18578 return ev.Mount.Mount.FSType, nil 18579 case "mount.mountpoint.path": 18580 return ev.FieldHandlers.ResolveMountPointPath(ev, &ev.Mount), nil 18581 case "mount.retval": 18582 return int(ev.Mount.SyscallEvent.Retval), nil 18583 case "mount.root.path": 18584 return ev.FieldHandlers.ResolveMountRootPath(ev, &ev.Mount), nil 18585 case "mount.source.path": 18586 return ev.FieldHandlers.ResolveMountSourcePath(ev, &ev.Mount), nil 18587 case "mprotect.req_protection": 18588 return ev.MProtect.ReqProtection, nil 18589 case "mprotect.retval": 18590 return int(ev.MProtect.SyscallEvent.Retval), nil 18591 case "mprotect.vm_protection": 18592 return ev.MProtect.VMProtection, nil 18593 case "network.destination.ip": 18594 return ev.NetworkContext.Destination.IPNet, nil 18595 case "network.destination.port": 18596 return int(ev.NetworkContext.Destination.Port), nil 18597 case "network.device.ifindex": 18598 return int(ev.NetworkContext.Device.IfIndex), nil 18599 case "network.device.ifname": 18600 return ev.FieldHandlers.ResolveNetworkDeviceIfName(ev, &ev.NetworkContext.Device), nil 18601 case "network.l3_protocol": 18602 return int(ev.NetworkContext.L3Protocol), nil 18603 case "network.l4_protocol": 18604 return int(ev.NetworkContext.L4Protocol), nil 18605 case "network.size": 18606 return int(ev.NetworkContext.Size), nil 18607 case "network.source.ip": 18608 return 
ev.NetworkContext.Source.IPNet, nil 18609 case "network.source.port": 18610 return int(ev.NetworkContext.Source.Port), nil 18611 case "open.file.change_time": 18612 return int(ev.Open.File.FileFields.CTime), nil 18613 case "open.file.destination.mode": 18614 return int(ev.Open.Mode), nil 18615 case "open.file.filesystem": 18616 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Open.File), nil 18617 case "open.file.gid": 18618 return int(ev.Open.File.FileFields.GID), nil 18619 case "open.file.group": 18620 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Open.File.FileFields), nil 18621 case "open.file.hashes": 18622 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Open.File), nil 18623 case "open.file.in_upper_layer": 18624 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Open.File.FileFields), nil 18625 case "open.file.inode": 18626 return int(ev.Open.File.FileFields.PathKey.Inode), nil 18627 case "open.file.mode": 18628 return int(ev.Open.File.FileFields.Mode), nil 18629 case "open.file.modification_time": 18630 return int(ev.Open.File.FileFields.MTime), nil 18631 case "open.file.mount_id": 18632 return int(ev.Open.File.FileFields.PathKey.MountID), nil 18633 case "open.file.name": 18634 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Open.File), nil 18635 case "open.file.name.length": 18636 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Open.File), nil 18637 case "open.file.package.name": 18638 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Open.File), nil 18639 case "open.file.package.source_version": 18640 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Open.File), nil 18641 case "open.file.package.version": 18642 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Open.File), nil 18643 case "open.file.path": 18644 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Open.File), nil 18645 case "open.file.path.length": 18646 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Open.File), nil 18647 case 
"open.file.rights": 18648 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Open.File.FileFields)), nil 18649 case "open.file.uid": 18650 return int(ev.Open.File.FileFields.UID), nil 18651 case "open.file.user": 18652 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Open.File.FileFields), nil 18653 case "open.flags": 18654 return int(ev.Open.Flags), nil 18655 case "open.retval": 18656 return int(ev.Open.SyscallEvent.Retval), nil 18657 case "process.ancestors.args": 18658 var values []string 18659 ctx := eval.NewContext(ev) 18660 iterator := &ProcessAncestorsIterator{} 18661 ptr := iterator.Front(ctx) 18662 for ptr != nil { 18663 element := (*ProcessCacheEntry)(ptr) 18664 result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process) 18665 values = append(values, result) 18666 ptr = iterator.Next() 18667 } 18668 return values, nil 18669 case "process.ancestors.args_flags": 18670 var values []string 18671 ctx := eval.NewContext(ev) 18672 iterator := &ProcessAncestorsIterator{} 18673 ptr := iterator.Front(ctx) 18674 for ptr != nil { 18675 element := (*ProcessCacheEntry)(ptr) 18676 result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process) 18677 values = append(values, result...) 18678 ptr = iterator.Next() 18679 } 18680 return values, nil 18681 case "process.ancestors.args_options": 18682 var values []string 18683 ctx := eval.NewContext(ev) 18684 iterator := &ProcessAncestorsIterator{} 18685 ptr := iterator.Front(ctx) 18686 for ptr != nil { 18687 element := (*ProcessCacheEntry)(ptr) 18688 result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process) 18689 values = append(values, result...) 
18690 ptr = iterator.Next() 18691 } 18692 return values, nil 18693 case "process.ancestors.args_truncated": 18694 var values []bool 18695 ctx := eval.NewContext(ev) 18696 iterator := &ProcessAncestorsIterator{} 18697 ptr := iterator.Front(ctx) 18698 for ptr != nil { 18699 element := (*ProcessCacheEntry)(ptr) 18700 result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process) 18701 values = append(values, result) 18702 ptr = iterator.Next() 18703 } 18704 return values, nil 18705 case "process.ancestors.argv": 18706 var values []string 18707 ctx := eval.NewContext(ev) 18708 iterator := &ProcessAncestorsIterator{} 18709 ptr := iterator.Front(ctx) 18710 for ptr != nil { 18711 element := (*ProcessCacheEntry)(ptr) 18712 result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process) 18713 values = append(values, result...) 18714 ptr = iterator.Next() 18715 } 18716 return values, nil 18717 case "process.ancestors.argv0": 18718 var values []string 18719 ctx := eval.NewContext(ev) 18720 iterator := &ProcessAncestorsIterator{} 18721 ptr := iterator.Front(ctx) 18722 for ptr != nil { 18723 element := (*ProcessCacheEntry)(ptr) 18724 result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process) 18725 values = append(values, result) 18726 ptr = iterator.Next() 18727 } 18728 return values, nil 18729 case "process.ancestors.cap_effective": 18730 var values []int 18731 ctx := eval.NewContext(ev) 18732 iterator := &ProcessAncestorsIterator{} 18733 ptr := iterator.Front(ctx) 18734 for ptr != nil { 18735 element := (*ProcessCacheEntry)(ptr) 18736 result := int(element.ProcessContext.Process.Credentials.CapEffective) 18737 values = append(values, result) 18738 ptr = iterator.Next() 18739 } 18740 return values, nil 18741 case "process.ancestors.cap_permitted": 18742 var values []int 18743 ctx := eval.NewContext(ev) 18744 iterator := &ProcessAncestorsIterator{} 18745 ptr := iterator.Front(ctx) 18746 for ptr != nil { 
18747 element := (*ProcessCacheEntry)(ptr) 18748 result := int(element.ProcessContext.Process.Credentials.CapPermitted) 18749 values = append(values, result) 18750 ptr = iterator.Next() 18751 } 18752 return values, nil 18753 case "process.ancestors.comm": 18754 var values []string 18755 ctx := eval.NewContext(ev) 18756 iterator := &ProcessAncestorsIterator{} 18757 ptr := iterator.Front(ctx) 18758 for ptr != nil { 18759 element := (*ProcessCacheEntry)(ptr) 18760 result := element.ProcessContext.Process.Comm 18761 values = append(values, result) 18762 ptr = iterator.Next() 18763 } 18764 return values, nil 18765 case "process.ancestors.container.id": 18766 var values []string 18767 ctx := eval.NewContext(ev) 18768 iterator := &ProcessAncestorsIterator{} 18769 ptr := iterator.Front(ctx) 18770 for ptr != nil { 18771 element := (*ProcessCacheEntry)(ptr) 18772 result := element.ProcessContext.Process.ContainerID 18773 values = append(values, result) 18774 ptr = iterator.Next() 18775 } 18776 return values, nil 18777 case "process.ancestors.created_at": 18778 var values []int 18779 ctx := eval.NewContext(ev) 18780 iterator := &ProcessAncestorsIterator{} 18781 ptr := iterator.Front(ctx) 18782 for ptr != nil { 18783 element := (*ProcessCacheEntry)(ptr) 18784 result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process)) 18785 values = append(values, result) 18786 ptr = iterator.Next() 18787 } 18788 return values, nil 18789 case "process.ancestors.egid": 18790 var values []int 18791 ctx := eval.NewContext(ev) 18792 iterator := &ProcessAncestorsIterator{} 18793 ptr := iterator.Front(ctx) 18794 for ptr != nil { 18795 element := (*ProcessCacheEntry)(ptr) 18796 result := int(element.ProcessContext.Process.Credentials.EGID) 18797 values = append(values, result) 18798 ptr = iterator.Next() 18799 } 18800 return values, nil 18801 case "process.ancestors.egroup": 18802 var values []string 18803 ctx := eval.NewContext(ev) 18804 iterator := 
&ProcessAncestorsIterator{} 18805 ptr := iterator.Front(ctx) 18806 for ptr != nil { 18807 element := (*ProcessCacheEntry)(ptr) 18808 result := element.ProcessContext.Process.Credentials.EGroup 18809 values = append(values, result) 18810 ptr = iterator.Next() 18811 } 18812 return values, nil 18813 case "process.ancestors.envp": 18814 var values []string 18815 ctx := eval.NewContext(ev) 18816 iterator := &ProcessAncestorsIterator{} 18817 ptr := iterator.Front(ctx) 18818 for ptr != nil { 18819 element := (*ProcessCacheEntry)(ptr) 18820 result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) 18821 values = append(values, result...) 18822 ptr = iterator.Next() 18823 } 18824 return values, nil 18825 case "process.ancestors.envs": 18826 var values []string 18827 ctx := eval.NewContext(ev) 18828 iterator := &ProcessAncestorsIterator{} 18829 ptr := iterator.Front(ctx) 18830 for ptr != nil { 18831 element := (*ProcessCacheEntry)(ptr) 18832 result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process) 18833 values = append(values, result...) 
18834 ptr = iterator.Next() 18835 } 18836 return values, nil 18837 case "process.ancestors.envs_truncated": 18838 var values []bool 18839 ctx := eval.NewContext(ev) 18840 iterator := &ProcessAncestorsIterator{} 18841 ptr := iterator.Front(ctx) 18842 for ptr != nil { 18843 element := (*ProcessCacheEntry)(ptr) 18844 result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process) 18845 values = append(values, result) 18846 ptr = iterator.Next() 18847 } 18848 return values, nil 18849 case "process.ancestors.euid": 18850 var values []int 18851 ctx := eval.NewContext(ev) 18852 iterator := &ProcessAncestorsIterator{} 18853 ptr := iterator.Front(ctx) 18854 for ptr != nil { 18855 element := (*ProcessCacheEntry)(ptr) 18856 result := int(element.ProcessContext.Process.Credentials.EUID) 18857 values = append(values, result) 18858 ptr = iterator.Next() 18859 } 18860 return values, nil 18861 case "process.ancestors.euser": 18862 var values []string 18863 ctx := eval.NewContext(ev) 18864 iterator := &ProcessAncestorsIterator{} 18865 ptr := iterator.Front(ctx) 18866 for ptr != nil { 18867 element := (*ProcessCacheEntry)(ptr) 18868 result := element.ProcessContext.Process.Credentials.EUser 18869 values = append(values, result) 18870 ptr = iterator.Next() 18871 } 18872 return values, nil 18873 case "process.ancestors.file.change_time": 18874 var values []int 18875 ctx := eval.NewContext(ev) 18876 iterator := &ProcessAncestorsIterator{} 18877 ptr := iterator.Front(ctx) 18878 for ptr != nil { 18879 element := (*ProcessCacheEntry)(ptr) 18880 result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime) 18881 values = append(values, result) 18882 ptr = iterator.Next() 18883 } 18884 return values, nil 18885 case "process.ancestors.file.filesystem": 18886 var values []string 18887 ctx := eval.NewContext(ev) 18888 iterator := &ProcessAncestorsIterator{} 18889 ptr := iterator.Front(ctx) 18890 for ptr != nil { 18891 element := (*ProcessCacheEntry)(ptr) 
18892 result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent) 18893 values = append(values, result) 18894 ptr = iterator.Next() 18895 } 18896 return values, nil 18897 case "process.ancestors.file.gid": 18898 var values []int 18899 ctx := eval.NewContext(ev) 18900 iterator := &ProcessAncestorsIterator{} 18901 ptr := iterator.Front(ctx) 18902 for ptr != nil { 18903 element := (*ProcessCacheEntry)(ptr) 18904 result := int(element.ProcessContext.Process.FileEvent.FileFields.GID) 18905 values = append(values, result) 18906 ptr = iterator.Next() 18907 } 18908 return values, nil 18909 case "process.ancestors.file.group": 18910 var values []string 18911 ctx := eval.NewContext(ev) 18912 iterator := &ProcessAncestorsIterator{} 18913 ptr := iterator.Front(ctx) 18914 for ptr != nil { 18915 element := (*ProcessCacheEntry)(ptr) 18916 result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields) 18917 values = append(values, result) 18918 ptr = iterator.Next() 18919 } 18920 return values, nil 18921 case "process.ancestors.file.hashes": 18922 var values []string 18923 ctx := eval.NewContext(ev) 18924 iterator := &ProcessAncestorsIterator{} 18925 ptr := iterator.Front(ctx) 18926 for ptr != nil { 18927 element := (*ProcessCacheEntry)(ptr) 18928 result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent) 18929 values = append(values, result...) 
18930 ptr = iterator.Next() 18931 } 18932 return values, nil 18933 case "process.ancestors.file.in_upper_layer": 18934 var values []bool 18935 ctx := eval.NewContext(ev) 18936 iterator := &ProcessAncestorsIterator{} 18937 ptr := iterator.Front(ctx) 18938 for ptr != nil { 18939 element := (*ProcessCacheEntry)(ptr) 18940 result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields) 18941 values = append(values, result) 18942 ptr = iterator.Next() 18943 } 18944 return values, nil 18945 case "process.ancestors.file.inode": 18946 var values []int 18947 ctx := eval.NewContext(ev) 18948 iterator := &ProcessAncestorsIterator{} 18949 ptr := iterator.Front(ctx) 18950 for ptr != nil { 18951 element := (*ProcessCacheEntry)(ptr) 18952 result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) 18953 values = append(values, result) 18954 ptr = iterator.Next() 18955 } 18956 return values, nil 18957 case "process.ancestors.file.mode": 18958 var values []int 18959 ctx := eval.NewContext(ev) 18960 iterator := &ProcessAncestorsIterator{} 18961 ptr := iterator.Front(ctx) 18962 for ptr != nil { 18963 element := (*ProcessCacheEntry)(ptr) 18964 result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode) 18965 values = append(values, result) 18966 ptr = iterator.Next() 18967 } 18968 return values, nil 18969 case "process.ancestors.file.modification_time": 18970 var values []int 18971 ctx := eval.NewContext(ev) 18972 iterator := &ProcessAncestorsIterator{} 18973 ptr := iterator.Front(ctx) 18974 for ptr != nil { 18975 element := (*ProcessCacheEntry)(ptr) 18976 result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime) 18977 values = append(values, result) 18978 ptr = iterator.Next() 18979 } 18980 return values, nil 18981 case "process.ancestors.file.mount_id": 18982 var values []int 18983 ctx := eval.NewContext(ev) 18984 iterator := &ProcessAncestorsIterator{} 18985 ptr := iterator.Front(ctx) 
18986 for ptr != nil { 18987 element := (*ProcessCacheEntry)(ptr) 18988 result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) 18989 values = append(values, result) 18990 ptr = iterator.Next() 18991 } 18992 return values, nil 18993 case "process.ancestors.file.name": 18994 var values []string 18995 ctx := eval.NewContext(ev) 18996 iterator := &ProcessAncestorsIterator{} 18997 ptr := iterator.Front(ctx) 18998 for ptr != nil { 18999 element := (*ProcessCacheEntry)(ptr) 19000 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) 19001 values = append(values, result) 19002 ptr = iterator.Next() 19003 } 19004 return values, nil 19005 case "process.ancestors.file.name.length": 19006 var values []int 19007 ctx := eval.NewContext(ev) 19008 iterator := &ProcessAncestorsIterator{} 19009 ptr := iterator.Front(ctx) 19010 for ptr != nil { 19011 element := (*ProcessCacheEntry)(ptr) 19012 result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)) 19013 values = append(values, result) 19014 ptr = iterator.Next() 19015 } 19016 return values, nil 19017 case "process.ancestors.file.package.name": 19018 var values []string 19019 ctx := eval.NewContext(ev) 19020 iterator := &ProcessAncestorsIterator{} 19021 ptr := iterator.Front(ctx) 19022 for ptr != nil { 19023 element := (*ProcessCacheEntry)(ptr) 19024 result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent) 19025 values = append(values, result) 19026 ptr = iterator.Next() 19027 } 19028 return values, nil 19029 case "process.ancestors.file.package.source_version": 19030 var values []string 19031 ctx := eval.NewContext(ev) 19032 iterator := &ProcessAncestorsIterator{} 19033 ptr := iterator.Front(ctx) 19034 for ptr != nil { 19035 element := (*ProcessCacheEntry)(ptr) 19036 result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.FileEvent) 19037 values = 
append(values, result) 19038 ptr = iterator.Next() 19039 } 19040 return values, nil 19041 case "process.ancestors.file.package.version": 19042 var values []string 19043 ctx := eval.NewContext(ev) 19044 iterator := &ProcessAncestorsIterator{} 19045 ptr := iterator.Front(ctx) 19046 for ptr != nil { 19047 element := (*ProcessCacheEntry)(ptr) 19048 result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent) 19049 values = append(values, result) 19050 ptr = iterator.Next() 19051 } 19052 return values, nil 19053 case "process.ancestors.file.path": 19054 var values []string 19055 ctx := eval.NewContext(ev) 19056 iterator := &ProcessAncestorsIterator{} 19057 ptr := iterator.Front(ctx) 19058 for ptr != nil { 19059 element := (*ProcessCacheEntry)(ptr) 19060 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) 19061 values = append(values, result) 19062 ptr = iterator.Next() 19063 } 19064 return values, nil 19065 case "process.ancestors.file.path.length": 19066 var values []int 19067 ctx := eval.NewContext(ev) 19068 iterator := &ProcessAncestorsIterator{} 19069 ptr := iterator.Front(ctx) 19070 for ptr != nil { 19071 element := (*ProcessCacheEntry)(ptr) 19072 result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)) 19073 values = append(values, result) 19074 ptr = iterator.Next() 19075 } 19076 return values, nil 19077 case "process.ancestors.file.rights": 19078 var values []int 19079 ctx := eval.NewContext(ev) 19080 iterator := &ProcessAncestorsIterator{} 19081 ptr := iterator.Front(ctx) 19082 for ptr != nil { 19083 element := (*ProcessCacheEntry)(ptr) 19084 result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields)) 19085 values = append(values, result) 19086 ptr = iterator.Next() 19087 } 19088 return values, nil 19089 case "process.ancestors.file.uid": 19090 var values []int 19091 ctx := eval.NewContext(ev) 19092 iterator 
:= &ProcessAncestorsIterator{} 19093 ptr := iterator.Front(ctx) 19094 for ptr != nil { 19095 element := (*ProcessCacheEntry)(ptr) 19096 result := int(element.ProcessContext.Process.FileEvent.FileFields.UID) 19097 values = append(values, result) 19098 ptr = iterator.Next() 19099 } 19100 return values, nil 19101 case "process.ancestors.file.user": 19102 var values []string 19103 ctx := eval.NewContext(ev) 19104 iterator := &ProcessAncestorsIterator{} 19105 ptr := iterator.Front(ctx) 19106 for ptr != nil { 19107 element := (*ProcessCacheEntry)(ptr) 19108 result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields) 19109 values = append(values, result) 19110 ptr = iterator.Next() 19111 } 19112 return values, nil 19113 case "process.ancestors.fsgid": 19114 var values []int 19115 ctx := eval.NewContext(ev) 19116 iterator := &ProcessAncestorsIterator{} 19117 ptr := iterator.Front(ctx) 19118 for ptr != nil { 19119 element := (*ProcessCacheEntry)(ptr) 19120 result := int(element.ProcessContext.Process.Credentials.FSGID) 19121 values = append(values, result) 19122 ptr = iterator.Next() 19123 } 19124 return values, nil 19125 case "process.ancestors.fsgroup": 19126 var values []string 19127 ctx := eval.NewContext(ev) 19128 iterator := &ProcessAncestorsIterator{} 19129 ptr := iterator.Front(ctx) 19130 for ptr != nil { 19131 element := (*ProcessCacheEntry)(ptr) 19132 result := element.ProcessContext.Process.Credentials.FSGroup 19133 values = append(values, result) 19134 ptr = iterator.Next() 19135 } 19136 return values, nil 19137 case "process.ancestors.fsuid": 19138 var values []int 19139 ctx := eval.NewContext(ev) 19140 iterator := &ProcessAncestorsIterator{} 19141 ptr := iterator.Front(ctx) 19142 for ptr != nil { 19143 element := (*ProcessCacheEntry)(ptr) 19144 result := int(element.ProcessContext.Process.Credentials.FSUID) 19145 values = append(values, result) 19146 ptr = iterator.Next() 19147 } 19148 return values, nil 19149 
case "process.ancestors.fsuser": 19150 var values []string 19151 ctx := eval.NewContext(ev) 19152 iterator := &ProcessAncestorsIterator{} 19153 ptr := iterator.Front(ctx) 19154 for ptr != nil { 19155 element := (*ProcessCacheEntry)(ptr) 19156 result := element.ProcessContext.Process.Credentials.FSUser 19157 values = append(values, result) 19158 ptr = iterator.Next() 19159 } 19160 return values, nil 19161 case "process.ancestors.gid": 19162 var values []int 19163 ctx := eval.NewContext(ev) 19164 iterator := &ProcessAncestorsIterator{} 19165 ptr := iterator.Front(ctx) 19166 for ptr != nil { 19167 element := (*ProcessCacheEntry)(ptr) 19168 result := int(element.ProcessContext.Process.Credentials.GID) 19169 values = append(values, result) 19170 ptr = iterator.Next() 19171 } 19172 return values, nil 19173 case "process.ancestors.group": 19174 var values []string 19175 ctx := eval.NewContext(ev) 19176 iterator := &ProcessAncestorsIterator{} 19177 ptr := iterator.Front(ctx) 19178 for ptr != nil { 19179 element := (*ProcessCacheEntry)(ptr) 19180 result := element.ProcessContext.Process.Credentials.Group 19181 values = append(values, result) 19182 ptr = iterator.Next() 19183 } 19184 return values, nil 19185 case "process.ancestors.interpreter.file.change_time": 19186 var values []int 19187 ctx := eval.NewContext(ev) 19188 iterator := &ProcessAncestorsIterator{} 19189 ptr := iterator.Front(ctx) 19190 for ptr != nil { 19191 element := (*ProcessCacheEntry)(ptr) 19192 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) 19193 values = append(values, result) 19194 ptr = iterator.Next() 19195 } 19196 return values, nil 19197 case "process.ancestors.interpreter.file.filesystem": 19198 var values []string 19199 ctx := eval.NewContext(ev) 19200 iterator := &ProcessAncestorsIterator{} 19201 ptr := iterator.Front(ctx) 19202 for ptr != nil { 19203 element := (*ProcessCacheEntry)(ptr) 19204 result := ev.FieldHandlers.ResolveFileFilesystem(ev, 
&element.ProcessContext.Process.LinuxBinprm.FileEvent) 19205 values = append(values, result) 19206 ptr = iterator.Next() 19207 } 19208 return values, nil 19209 case "process.ancestors.interpreter.file.gid": 19210 var values []int 19211 ctx := eval.NewContext(ev) 19212 iterator := &ProcessAncestorsIterator{} 19213 ptr := iterator.Front(ctx) 19214 for ptr != nil { 19215 element := (*ProcessCacheEntry)(ptr) 19216 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) 19217 values = append(values, result) 19218 ptr = iterator.Next() 19219 } 19220 return values, nil 19221 case "process.ancestors.interpreter.file.group": 19222 var values []string 19223 ctx := eval.NewContext(ev) 19224 iterator := &ProcessAncestorsIterator{} 19225 ptr := iterator.Front(ctx) 19226 for ptr != nil { 19227 element := (*ProcessCacheEntry)(ptr) 19228 result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 19229 values = append(values, result) 19230 ptr = iterator.Next() 19231 } 19232 return values, nil 19233 case "process.ancestors.interpreter.file.hashes": 19234 var values []string 19235 ctx := eval.NewContext(ev) 19236 iterator := &ProcessAncestorsIterator{} 19237 ptr := iterator.Front(ctx) 19238 for ptr != nil { 19239 element := (*ProcessCacheEntry)(ptr) 19240 result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 19241 values = append(values, result...) 
19242 ptr = iterator.Next() 19243 } 19244 return values, nil 19245 case "process.ancestors.interpreter.file.in_upper_layer": 19246 var values []bool 19247 ctx := eval.NewContext(ev) 19248 iterator := &ProcessAncestorsIterator{} 19249 ptr := iterator.Front(ctx) 19250 for ptr != nil { 19251 element := (*ProcessCacheEntry)(ptr) 19252 result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 19253 values = append(values, result) 19254 ptr = iterator.Next() 19255 } 19256 return values, nil 19257 case "process.ancestors.interpreter.file.inode": 19258 var values []int 19259 ctx := eval.NewContext(ev) 19260 iterator := &ProcessAncestorsIterator{} 19261 ptr := iterator.Front(ctx) 19262 for ptr != nil { 19263 element := (*ProcessCacheEntry)(ptr) 19264 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 19265 values = append(values, result) 19266 ptr = iterator.Next() 19267 } 19268 return values, nil 19269 case "process.ancestors.interpreter.file.mode": 19270 var values []int 19271 ctx := eval.NewContext(ev) 19272 iterator := &ProcessAncestorsIterator{} 19273 ptr := iterator.Front(ctx) 19274 for ptr != nil { 19275 element := (*ProcessCacheEntry)(ptr) 19276 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) 19277 values = append(values, result) 19278 ptr = iterator.Next() 19279 } 19280 return values, nil 19281 case "process.ancestors.interpreter.file.modification_time": 19282 var values []int 19283 ctx := eval.NewContext(ev) 19284 iterator := &ProcessAncestorsIterator{} 19285 ptr := iterator.Front(ctx) 19286 for ptr != nil { 19287 element := (*ProcessCacheEntry)(ptr) 19288 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) 19289 values = append(values, result) 19290 ptr = iterator.Next() 19291 } 19292 return values, nil 19293 case "process.ancestors.interpreter.file.mount_id": 19294 var values []int 
19295 ctx := eval.NewContext(ev) 19296 iterator := &ProcessAncestorsIterator{} 19297 ptr := iterator.Front(ctx) 19298 for ptr != nil { 19299 element := (*ProcessCacheEntry)(ptr) 19300 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 19301 values = append(values, result) 19302 ptr = iterator.Next() 19303 } 19304 return values, nil 19305 case "process.ancestors.interpreter.file.name": 19306 var values []string 19307 ctx := eval.NewContext(ev) 19308 iterator := &ProcessAncestorsIterator{} 19309 ptr := iterator.Front(ctx) 19310 for ptr != nil { 19311 element := (*ProcessCacheEntry)(ptr) 19312 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 19313 values = append(values, result) 19314 ptr = iterator.Next() 19315 } 19316 return values, nil 19317 case "process.ancestors.interpreter.file.name.length": 19318 var values []int 19319 ctx := eval.NewContext(ev) 19320 iterator := &ProcessAncestorsIterator{} 19321 ptr := iterator.Front(ctx) 19322 for ptr != nil { 19323 element := (*ProcessCacheEntry)(ptr) 19324 result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)) 19325 values = append(values, result) 19326 ptr = iterator.Next() 19327 } 19328 return values, nil 19329 case "process.ancestors.interpreter.file.package.name": 19330 var values []string 19331 ctx := eval.NewContext(ev) 19332 iterator := &ProcessAncestorsIterator{} 19333 ptr := iterator.Front(ctx) 19334 for ptr != nil { 19335 element := (*ProcessCacheEntry)(ptr) 19336 result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 19337 values = append(values, result) 19338 ptr = iterator.Next() 19339 } 19340 return values, nil 19341 case "process.ancestors.interpreter.file.package.source_version": 19342 var values []string 19343 ctx := eval.NewContext(ev) 19344 iterator := &ProcessAncestorsIterator{} 19345 ptr := 
iterator.Front(ctx) 19346 for ptr != nil { 19347 element := (*ProcessCacheEntry)(ptr) 19348 result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 19349 values = append(values, result) 19350 ptr = iterator.Next() 19351 } 19352 return values, nil 19353 case "process.ancestors.interpreter.file.package.version": 19354 var values []string 19355 ctx := eval.NewContext(ev) 19356 iterator := &ProcessAncestorsIterator{} 19357 ptr := iterator.Front(ctx) 19358 for ptr != nil { 19359 element := (*ProcessCacheEntry)(ptr) 19360 result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 19361 values = append(values, result) 19362 ptr = iterator.Next() 19363 } 19364 return values, nil 19365 case "process.ancestors.interpreter.file.path": 19366 var values []string 19367 ctx := eval.NewContext(ev) 19368 iterator := &ProcessAncestorsIterator{} 19369 ptr := iterator.Front(ctx) 19370 for ptr != nil { 19371 element := (*ProcessCacheEntry)(ptr) 19372 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 19373 values = append(values, result) 19374 ptr = iterator.Next() 19375 } 19376 return values, nil 19377 case "process.ancestors.interpreter.file.path.length": 19378 var values []int 19379 ctx := eval.NewContext(ev) 19380 iterator := &ProcessAncestorsIterator{} 19381 ptr := iterator.Front(ctx) 19382 for ptr != nil { 19383 element := (*ProcessCacheEntry)(ptr) 19384 result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)) 19385 values = append(values, result) 19386 ptr = iterator.Next() 19387 } 19388 return values, nil 19389 case "process.ancestors.interpreter.file.rights": 19390 var values []int 19391 ctx := eval.NewContext(ev) 19392 iterator := &ProcessAncestorsIterator{} 19393 ptr := iterator.Front(ctx) 19394 for ptr != nil { 19395 element := (*ProcessCacheEntry)(ptr) 19396 result := 
int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) 19397 values = append(values, result) 19398 ptr = iterator.Next() 19399 } 19400 return values, nil 19401 case "process.ancestors.interpreter.file.uid": 19402 var values []int 19403 ctx := eval.NewContext(ev) 19404 iterator := &ProcessAncestorsIterator{} 19405 ptr := iterator.Front(ctx) 19406 for ptr != nil { 19407 element := (*ProcessCacheEntry)(ptr) 19408 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) 19409 values = append(values, result) 19410 ptr = iterator.Next() 19411 } 19412 return values, nil 19413 case "process.ancestors.interpreter.file.user": 19414 var values []string 19415 ctx := eval.NewContext(ev) 19416 iterator := &ProcessAncestorsIterator{} 19417 ptr := iterator.Front(ctx) 19418 for ptr != nil { 19419 element := (*ProcessCacheEntry)(ptr) 19420 result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 19421 values = append(values, result) 19422 ptr = iterator.Next() 19423 } 19424 return values, nil 19425 case "process.ancestors.is_kworker": 19426 var values []bool 19427 ctx := eval.NewContext(ev) 19428 iterator := &ProcessAncestorsIterator{} 19429 ptr := iterator.Front(ctx) 19430 for ptr != nil { 19431 element := (*ProcessCacheEntry)(ptr) 19432 result := element.ProcessContext.Process.PIDContext.IsKworker 19433 values = append(values, result) 19434 ptr = iterator.Next() 19435 } 19436 return values, nil 19437 case "process.ancestors.is_thread": 19438 var values []bool 19439 ctx := eval.NewContext(ev) 19440 iterator := &ProcessAncestorsIterator{} 19441 ptr := iterator.Front(ctx) 19442 for ptr != nil { 19443 element := (*ProcessCacheEntry)(ptr) 19444 result := element.ProcessContext.Process.IsThread 19445 values = append(values, result) 19446 ptr = iterator.Next() 19447 } 19448 return values, nil 19449 case "process.ancestors.pid": 19450 var values []int 
19451 ctx := eval.NewContext(ev) 19452 iterator := &ProcessAncestorsIterator{} 19453 ptr := iterator.Front(ctx) 19454 for ptr != nil { 19455 element := (*ProcessCacheEntry)(ptr) 19456 result := int(element.ProcessContext.Process.PIDContext.Pid) 19457 values = append(values, result) 19458 ptr = iterator.Next() 19459 } 19460 return values, nil 19461 case "process.ancestors.ppid": 19462 var values []int 19463 ctx := eval.NewContext(ev) 19464 iterator := &ProcessAncestorsIterator{} 19465 ptr := iterator.Front(ctx) 19466 for ptr != nil { 19467 element := (*ProcessCacheEntry)(ptr) 19468 result := int(element.ProcessContext.Process.PPid) 19469 values = append(values, result) 19470 ptr = iterator.Next() 19471 } 19472 return values, nil 19473 case "process.ancestors.tid": 19474 var values []int 19475 ctx := eval.NewContext(ev) 19476 iterator := &ProcessAncestorsIterator{} 19477 ptr := iterator.Front(ctx) 19478 for ptr != nil { 19479 element := (*ProcessCacheEntry)(ptr) 19480 result := int(element.ProcessContext.Process.PIDContext.Tid) 19481 values = append(values, result) 19482 ptr = iterator.Next() 19483 } 19484 return values, nil 19485 case "process.ancestors.tty_name": 19486 var values []string 19487 ctx := eval.NewContext(ev) 19488 iterator := &ProcessAncestorsIterator{} 19489 ptr := iterator.Front(ctx) 19490 for ptr != nil { 19491 element := (*ProcessCacheEntry)(ptr) 19492 result := element.ProcessContext.Process.TTYName 19493 values = append(values, result) 19494 ptr = iterator.Next() 19495 } 19496 return values, nil 19497 case "process.ancestors.uid": 19498 var values []int 19499 ctx := eval.NewContext(ev) 19500 iterator := &ProcessAncestorsIterator{} 19501 ptr := iterator.Front(ctx) 19502 for ptr != nil { 19503 element := (*ProcessCacheEntry)(ptr) 19504 result := int(element.ProcessContext.Process.Credentials.UID) 19505 values = append(values, result) 19506 ptr = iterator.Next() 19507 } 19508 return values, nil 19509 case "process.ancestors.user": 19510 var values 
[]string 19511 ctx := eval.NewContext(ev) 19512 iterator := &ProcessAncestorsIterator{} 19513 ptr := iterator.Front(ctx) 19514 for ptr != nil { 19515 element := (*ProcessCacheEntry)(ptr) 19516 result := element.ProcessContext.Process.Credentials.User 19517 values = append(values, result) 19518 ptr = iterator.Next() 19519 } 19520 return values, nil 19521 case "process.ancestors.user_session.k8s_groups": 19522 var values []string 19523 ctx := eval.NewContext(ev) 19524 iterator := &ProcessAncestorsIterator{} 19525 ptr := iterator.Front(ctx) 19526 for ptr != nil { 19527 element := (*ProcessCacheEntry)(ptr) 19528 result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession) 19529 values = append(values, result...) 19530 ptr = iterator.Next() 19531 } 19532 return values, nil 19533 case "process.ancestors.user_session.k8s_uid": 19534 var values []string 19535 ctx := eval.NewContext(ev) 19536 iterator := &ProcessAncestorsIterator{} 19537 ptr := iterator.Front(ctx) 19538 for ptr != nil { 19539 element := (*ProcessCacheEntry)(ptr) 19540 result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession) 19541 values = append(values, result) 19542 ptr = iterator.Next() 19543 } 19544 return values, nil 19545 case "process.ancestors.user_session.k8s_username": 19546 var values []string 19547 ctx := eval.NewContext(ev) 19548 iterator := &ProcessAncestorsIterator{} 19549 ptr := iterator.Front(ctx) 19550 for ptr != nil { 19551 element := (*ProcessCacheEntry)(ptr) 19552 result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession) 19553 values = append(values, result) 19554 ptr = iterator.Next() 19555 } 19556 return values, nil 19557 case "process.args": 19558 return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.BaseEvent.ProcessContext.Process), nil 19559 case "process.args_flags": 19560 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.BaseEvent.ProcessContext.Process), nil 19561 case 
"process.args_options": 19562 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.BaseEvent.ProcessContext.Process), nil 19563 case "process.args_truncated": 19564 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.BaseEvent.ProcessContext.Process), nil 19565 case "process.argv": 19566 return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.BaseEvent.ProcessContext.Process), nil 19567 case "process.argv0": 19568 return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.BaseEvent.ProcessContext.Process), nil 19569 case "process.cap_effective": 19570 return int(ev.BaseEvent.ProcessContext.Process.Credentials.CapEffective), nil 19571 case "process.cap_permitted": 19572 return int(ev.BaseEvent.ProcessContext.Process.Credentials.CapPermitted), nil 19573 case "process.comm": 19574 return ev.BaseEvent.ProcessContext.Process.Comm, nil 19575 case "process.container.id": 19576 return ev.BaseEvent.ProcessContext.Process.ContainerID, nil 19577 case "process.created_at": 19578 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.BaseEvent.ProcessContext.Process)), nil 19579 case "process.egid": 19580 return int(ev.BaseEvent.ProcessContext.Process.Credentials.EGID), nil 19581 case "process.egroup": 19582 return ev.BaseEvent.ProcessContext.Process.Credentials.EGroup, nil 19583 case "process.envp": 19584 return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process), nil 19585 case "process.envs": 19586 return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process), nil 19587 case "process.envs_truncated": 19588 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.BaseEvent.ProcessContext.Process), nil 19589 case "process.euid": 19590 return int(ev.BaseEvent.ProcessContext.Process.Credentials.EUID), nil 19591 case "process.euser": 19592 return ev.BaseEvent.ProcessContext.Process.Credentials.EUser, nil 19593 case "process.file.change_time": 19594 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19595 return 0, 
&eval.ErrNotSupported{Field: field} 19596 } 19597 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.CTime), nil 19598 case "process.file.filesystem": 19599 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19600 return "", &eval.ErrNotSupported{Field: field} 19601 } 19602 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil 19603 case "process.file.gid": 19604 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19605 return 0, &eval.ErrNotSupported{Field: field} 19606 } 19607 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.GID), nil 19608 case "process.file.group": 19609 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19610 return "", &eval.ErrNotSupported{Field: field} 19611 } 19612 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields), nil 19613 case "process.file.hashes": 19614 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19615 return []string{}, &eval.ErrNotSupported{Field: field} 19616 } 19617 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil 19618 case "process.file.in_upper_layer": 19619 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19620 return false, &eval.ErrNotSupported{Field: field} 19621 } 19622 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields), nil 19623 case "process.file.inode": 19624 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19625 return 0, &eval.ErrNotSupported{Field: field} 19626 } 19627 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode), nil 19628 case "process.file.mode": 19629 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19630 return 0, &eval.ErrNotSupported{Field: field} 19631 } 19632 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.Mode), nil 19633 case 
"process.file.modification_time": 19634 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19635 return 0, &eval.ErrNotSupported{Field: field} 19636 } 19637 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.MTime), nil 19638 case "process.file.mount_id": 19639 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19640 return 0, &eval.ErrNotSupported{Field: field} 19641 } 19642 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID), nil 19643 case "process.file.name": 19644 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19645 return "", &eval.ErrNotSupported{Field: field} 19646 } 19647 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil 19648 case "process.file.name.length": 19649 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil 19650 case "process.file.package.name": 19651 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19652 return "", &eval.ErrNotSupported{Field: field} 19653 } 19654 return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil 19655 case "process.file.package.source_version": 19656 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19657 return "", &eval.ErrNotSupported{Field: field} 19658 } 19659 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil 19660 case "process.file.package.version": 19661 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19662 return "", &eval.ErrNotSupported{Field: field} 19663 } 19664 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil 19665 case "process.file.path": 19666 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19667 return "", &eval.ErrNotSupported{Field: field} 19668 } 19669 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), 
nil 19670 case "process.file.path.length": 19671 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent), nil 19672 case "process.file.rights": 19673 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19674 return 0, &eval.ErrNotSupported{Field: field} 19675 } 19676 return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields)), nil 19677 case "process.file.uid": 19678 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19679 return 0, &eval.ErrNotSupported{Field: field} 19680 } 19681 return int(ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.UID), nil 19682 case "process.file.user": 19683 if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { 19684 return "", &eval.ErrNotSupported{Field: field} 19685 } 19686 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields), nil 19687 case "process.fsgid": 19688 return int(ev.BaseEvent.ProcessContext.Process.Credentials.FSGID), nil 19689 case "process.fsgroup": 19690 return ev.BaseEvent.ProcessContext.Process.Credentials.FSGroup, nil 19691 case "process.fsuid": 19692 return int(ev.BaseEvent.ProcessContext.Process.Credentials.FSUID), nil 19693 case "process.fsuser": 19694 return ev.BaseEvent.ProcessContext.Process.Credentials.FSUser, nil 19695 case "process.gid": 19696 return int(ev.BaseEvent.ProcessContext.Process.Credentials.GID), nil 19697 case "process.group": 19698 return ev.BaseEvent.ProcessContext.Process.Credentials.Group, nil 19699 case "process.interpreter.file.change_time": 19700 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19701 return 0, &eval.ErrNotSupported{Field: field} 19702 } 19703 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime), nil 19704 case "process.interpreter.file.filesystem": 19705 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19706 return "", &eval.ErrNotSupported{Field: field} 19707 
} 19708 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil 19709 case "process.interpreter.file.gid": 19710 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19711 return 0, &eval.ErrNotSupported{Field: field} 19712 } 19713 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID), nil 19714 case "process.interpreter.file.group": 19715 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19716 return "", &eval.ErrNotSupported{Field: field} 19717 } 19718 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields), nil 19719 case "process.interpreter.file.hashes": 19720 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19721 return []string{}, &eval.ErrNotSupported{Field: field} 19722 } 19723 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil 19724 case "process.interpreter.file.in_upper_layer": 19725 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19726 return false, &eval.ErrNotSupported{Field: field} 19727 } 19728 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields), nil 19729 case "process.interpreter.file.inode": 19730 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19731 return 0, &eval.ErrNotSupported{Field: field} 19732 } 19733 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil 19734 case "process.interpreter.file.mode": 19735 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19736 return 0, &eval.ErrNotSupported{Field: field} 19737 } 19738 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode), nil 19739 case "process.interpreter.file.modification_time": 19740 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19741 return 0, 
&eval.ErrNotSupported{Field: field} 19742 } 19743 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime), nil 19744 case "process.interpreter.file.mount_id": 19745 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19746 return 0, &eval.ErrNotSupported{Field: field} 19747 } 19748 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil 19749 case "process.interpreter.file.name": 19750 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19751 return "", &eval.ErrNotSupported{Field: field} 19752 } 19753 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil 19754 case "process.interpreter.file.name.length": 19755 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil 19756 case "process.interpreter.file.package.name": 19757 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19758 return "", &eval.ErrNotSupported{Field: field} 19759 } 19760 return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil 19761 case "process.interpreter.file.package.source_version": 19762 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19763 return "", &eval.ErrNotSupported{Field: field} 19764 } 19765 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil 19766 case "process.interpreter.file.package.version": 19767 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19768 return "", &eval.ErrNotSupported{Field: field} 19769 } 19770 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil 19771 case "process.interpreter.file.path": 19772 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19773 return "", &eval.ErrNotSupported{Field: field} 19774 } 19775 return 
ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil 19776 case "process.interpreter.file.path.length": 19777 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent), nil 19778 case "process.interpreter.file.rights": 19779 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19780 return 0, &eval.ErrNotSupported{Field: field} 19781 } 19782 return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)), nil 19783 case "process.interpreter.file.uid": 19784 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19785 return 0, &eval.ErrNotSupported{Field: field} 19786 } 19787 return int(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID), nil 19788 case "process.interpreter.file.user": 19789 if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { 19790 return "", &eval.ErrNotSupported{Field: field} 19791 } 19792 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields), nil 19793 case "process.is_kworker": 19794 return ev.BaseEvent.ProcessContext.Process.PIDContext.IsKworker, nil 19795 case "process.is_thread": 19796 return ev.BaseEvent.ProcessContext.Process.IsThread, nil 19797 case "process.parent.args": 19798 if !ev.BaseEvent.ProcessContext.HasParent() { 19799 return "", &eval.ErrNotSupported{Field: field} 19800 } 19801 return ev.FieldHandlers.ResolveProcessArgs(ev, ev.BaseEvent.ProcessContext.Parent), nil 19802 case "process.parent.args_flags": 19803 if !ev.BaseEvent.ProcessContext.HasParent() { 19804 return []string{}, &eval.ErrNotSupported{Field: field} 19805 } 19806 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.BaseEvent.ProcessContext.Parent), nil 19807 case "process.parent.args_options": 19808 if !ev.BaseEvent.ProcessContext.HasParent() { 19809 return []string{}, &eval.ErrNotSupported{Field: field} 19810 
} 19811 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.BaseEvent.ProcessContext.Parent), nil 19812 case "process.parent.args_truncated": 19813 if !ev.BaseEvent.ProcessContext.HasParent() { 19814 return false, &eval.ErrNotSupported{Field: field} 19815 } 19816 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.BaseEvent.ProcessContext.Parent), nil 19817 case "process.parent.argv": 19818 if !ev.BaseEvent.ProcessContext.HasParent() { 19819 return []string{}, &eval.ErrNotSupported{Field: field} 19820 } 19821 return ev.FieldHandlers.ResolveProcessArgv(ev, ev.BaseEvent.ProcessContext.Parent), nil 19822 case "process.parent.argv0": 19823 if !ev.BaseEvent.ProcessContext.HasParent() { 19824 return "", &eval.ErrNotSupported{Field: field} 19825 } 19826 return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.BaseEvent.ProcessContext.Parent), nil 19827 case "process.parent.cap_effective": 19828 if !ev.BaseEvent.ProcessContext.HasParent() { 19829 return 0, &eval.ErrNotSupported{Field: field} 19830 } 19831 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.CapEffective), nil 19832 case "process.parent.cap_permitted": 19833 if !ev.BaseEvent.ProcessContext.HasParent() { 19834 return 0, &eval.ErrNotSupported{Field: field} 19835 } 19836 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.CapPermitted), nil 19837 case "process.parent.comm": 19838 if !ev.BaseEvent.ProcessContext.HasParent() { 19839 return "", &eval.ErrNotSupported{Field: field} 19840 } 19841 return ev.BaseEvent.ProcessContext.Parent.Comm, nil 19842 case "process.parent.container.id": 19843 if !ev.BaseEvent.ProcessContext.HasParent() { 19844 return "", &eval.ErrNotSupported{Field: field} 19845 } 19846 return ev.BaseEvent.ProcessContext.Parent.ContainerID, nil 19847 case "process.parent.created_at": 19848 if !ev.BaseEvent.ProcessContext.HasParent() { 19849 return 0, &eval.ErrNotSupported{Field: field} 19850 } 19851 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, 
ev.BaseEvent.ProcessContext.Parent)), nil 19852 case "process.parent.egid": 19853 if !ev.BaseEvent.ProcessContext.HasParent() { 19854 return 0, &eval.ErrNotSupported{Field: field} 19855 } 19856 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.EGID), nil 19857 case "process.parent.egroup": 19858 if !ev.BaseEvent.ProcessContext.HasParent() { 19859 return "", &eval.ErrNotSupported{Field: field} 19860 } 19861 return ev.BaseEvent.ProcessContext.Parent.Credentials.EGroup, nil 19862 case "process.parent.envp": 19863 if !ev.BaseEvent.ProcessContext.HasParent() { 19864 return []string{}, &eval.ErrNotSupported{Field: field} 19865 } 19866 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.BaseEvent.ProcessContext.Parent), nil 19867 case "process.parent.envs": 19868 if !ev.BaseEvent.ProcessContext.HasParent() { 19869 return []string{}, &eval.ErrNotSupported{Field: field} 19870 } 19871 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.BaseEvent.ProcessContext.Parent), nil 19872 case "process.parent.envs_truncated": 19873 if !ev.BaseEvent.ProcessContext.HasParent() { 19874 return false, &eval.ErrNotSupported{Field: field} 19875 } 19876 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.BaseEvent.ProcessContext.Parent), nil 19877 case "process.parent.euid": 19878 if !ev.BaseEvent.ProcessContext.HasParent() { 19879 return 0, &eval.ErrNotSupported{Field: field} 19880 } 19881 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.EUID), nil 19882 case "process.parent.euser": 19883 if !ev.BaseEvent.ProcessContext.HasParent() { 19884 return "", &eval.ErrNotSupported{Field: field} 19885 } 19886 return ev.BaseEvent.ProcessContext.Parent.Credentials.EUser, nil 19887 case "process.parent.file.change_time": 19888 if !ev.BaseEvent.ProcessContext.HasParent() { 19889 return 0, &eval.ErrNotSupported{Field: field} 19890 } 19891 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19892 return 0, &eval.ErrNotSupported{Field: field} 19893 } 19894 return 
int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.CTime), nil 19895 case "process.parent.file.filesystem": 19896 if !ev.BaseEvent.ProcessContext.HasParent() { 19897 return "", &eval.ErrNotSupported{Field: field} 19898 } 19899 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19900 return "", &eval.ErrNotSupported{Field: field} 19901 } 19902 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil 19903 case "process.parent.file.gid": 19904 if !ev.BaseEvent.ProcessContext.HasParent() { 19905 return 0, &eval.ErrNotSupported{Field: field} 19906 } 19907 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19908 return 0, &eval.ErrNotSupported{Field: field} 19909 } 19910 return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.GID), nil 19911 case "process.parent.file.group": 19912 if !ev.BaseEvent.ProcessContext.HasParent() { 19913 return "", &eval.ErrNotSupported{Field: field} 19914 } 19915 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19916 return "", &eval.ErrNotSupported{Field: field} 19917 } 19918 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields), nil 19919 case "process.parent.file.hashes": 19920 if !ev.BaseEvent.ProcessContext.HasParent() { 19921 return []string{}, &eval.ErrNotSupported{Field: field} 19922 } 19923 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19924 return []string{}, &eval.ErrNotSupported{Field: field} 19925 } 19926 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil 19927 case "process.parent.file.in_upper_layer": 19928 if !ev.BaseEvent.ProcessContext.HasParent() { 19929 return false, &eval.ErrNotSupported{Field: field} 19930 } 19931 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19932 return false, &eval.ErrNotSupported{Field: field} 19933 } 19934 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, 
&ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields), nil 19935 case "process.parent.file.inode": 19936 if !ev.BaseEvent.ProcessContext.HasParent() { 19937 return 0, &eval.ErrNotSupported{Field: field} 19938 } 19939 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19940 return 0, &eval.ErrNotSupported{Field: field} 19941 } 19942 return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.PathKey.Inode), nil 19943 case "process.parent.file.mode": 19944 if !ev.BaseEvent.ProcessContext.HasParent() { 19945 return 0, &eval.ErrNotSupported{Field: field} 19946 } 19947 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19948 return 0, &eval.ErrNotSupported{Field: field} 19949 } 19950 return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.Mode), nil 19951 case "process.parent.file.modification_time": 19952 if !ev.BaseEvent.ProcessContext.HasParent() { 19953 return 0, &eval.ErrNotSupported{Field: field} 19954 } 19955 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19956 return 0, &eval.ErrNotSupported{Field: field} 19957 } 19958 return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.MTime), nil 19959 case "process.parent.file.mount_id": 19960 if !ev.BaseEvent.ProcessContext.HasParent() { 19961 return 0, &eval.ErrNotSupported{Field: field} 19962 } 19963 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19964 return 0, &eval.ErrNotSupported{Field: field} 19965 } 19966 return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.PathKey.MountID), nil 19967 case "process.parent.file.name": 19968 if !ev.BaseEvent.ProcessContext.HasParent() { 19969 return "", &eval.ErrNotSupported{Field: field} 19970 } 19971 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19972 return "", &eval.ErrNotSupported{Field: field} 19973 } 19974 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil 19975 case "process.parent.file.name.length": 19976 return 
ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil 19977 case "process.parent.file.package.name": 19978 if !ev.BaseEvent.ProcessContext.HasParent() { 19979 return "", &eval.ErrNotSupported{Field: field} 19980 } 19981 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19982 return "", &eval.ErrNotSupported{Field: field} 19983 } 19984 return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil 19985 case "process.parent.file.package.source_version": 19986 if !ev.BaseEvent.ProcessContext.HasParent() { 19987 return "", &eval.ErrNotSupported{Field: field} 19988 } 19989 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19990 return "", &eval.ErrNotSupported{Field: field} 19991 } 19992 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil 19993 case "process.parent.file.package.version": 19994 if !ev.BaseEvent.ProcessContext.HasParent() { 19995 return "", &eval.ErrNotSupported{Field: field} 19996 } 19997 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 19998 return "", &eval.ErrNotSupported{Field: field} 19999 } 20000 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil 20001 case "process.parent.file.path": 20002 if !ev.BaseEvent.ProcessContext.HasParent() { 20003 return "", &eval.ErrNotSupported{Field: field} 20004 } 20005 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 20006 return "", &eval.ErrNotSupported{Field: field} 20007 } 20008 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil 20009 case "process.parent.file.path.length": 20010 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent), nil 20011 case "process.parent.file.rights": 20012 if !ev.BaseEvent.ProcessContext.HasParent() { 20013 return 0, &eval.ErrNotSupported{Field: field} 20014 } 20015 if 
!ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 20016 return 0, &eval.ErrNotSupported{Field: field} 20017 } 20018 return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields)), nil 20019 case "process.parent.file.uid": 20020 if !ev.BaseEvent.ProcessContext.HasParent() { 20021 return 0, &eval.ErrNotSupported{Field: field} 20022 } 20023 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 20024 return 0, &eval.ErrNotSupported{Field: field} 20025 } 20026 return int(ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.UID), nil 20027 case "process.parent.file.user": 20028 if !ev.BaseEvent.ProcessContext.HasParent() { 20029 return "", &eval.ErrNotSupported{Field: field} 20030 } 20031 if !ev.BaseEvent.ProcessContext.Parent.IsNotKworker() { 20032 return "", &eval.ErrNotSupported{Field: field} 20033 } 20034 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields), nil 20035 case "process.parent.fsgid": 20036 if !ev.BaseEvent.ProcessContext.HasParent() { 20037 return 0, &eval.ErrNotSupported{Field: field} 20038 } 20039 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.FSGID), nil 20040 case "process.parent.fsgroup": 20041 if !ev.BaseEvent.ProcessContext.HasParent() { 20042 return "", &eval.ErrNotSupported{Field: field} 20043 } 20044 return ev.BaseEvent.ProcessContext.Parent.Credentials.FSGroup, nil 20045 case "process.parent.fsuid": 20046 if !ev.BaseEvent.ProcessContext.HasParent() { 20047 return 0, &eval.ErrNotSupported{Field: field} 20048 } 20049 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.FSUID), nil 20050 case "process.parent.fsuser": 20051 if !ev.BaseEvent.ProcessContext.HasParent() { 20052 return "", &eval.ErrNotSupported{Field: field} 20053 } 20054 return ev.BaseEvent.ProcessContext.Parent.Credentials.FSUser, nil 20055 case "process.parent.gid": 20056 if !ev.BaseEvent.ProcessContext.HasParent() { 20057 return 0, &eval.ErrNotSupported{Field: 
field} 20058 } 20059 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.GID), nil 20060 case "process.parent.group": 20061 if !ev.BaseEvent.ProcessContext.HasParent() { 20062 return "", &eval.ErrNotSupported{Field: field} 20063 } 20064 return ev.BaseEvent.ProcessContext.Parent.Credentials.Group, nil 20065 case "process.parent.interpreter.file.change_time": 20066 if !ev.BaseEvent.ProcessContext.HasParent() { 20067 return 0, &eval.ErrNotSupported{Field: field} 20068 } 20069 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20070 return 0, &eval.ErrNotSupported{Field: field} 20071 } 20072 return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.CTime), nil 20073 case "process.parent.interpreter.file.filesystem": 20074 if !ev.BaseEvent.ProcessContext.HasParent() { 20075 return "", &eval.ErrNotSupported{Field: field} 20076 } 20077 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20078 return "", &eval.ErrNotSupported{Field: field} 20079 } 20080 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil 20081 case "process.parent.interpreter.file.gid": 20082 if !ev.BaseEvent.ProcessContext.HasParent() { 20083 return 0, &eval.ErrNotSupported{Field: field} 20084 } 20085 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20086 return 0, &eval.ErrNotSupported{Field: field} 20087 } 20088 return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.GID), nil 20089 case "process.parent.interpreter.file.group": 20090 if !ev.BaseEvent.ProcessContext.HasParent() { 20091 return "", &eval.ErrNotSupported{Field: field} 20092 } 20093 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20094 return "", &eval.ErrNotSupported{Field: field} 20095 } 20096 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields), nil 20097 case "process.parent.interpreter.file.hashes": 20098 if 
!ev.BaseEvent.ProcessContext.HasParent() { 20099 return []string{}, &eval.ErrNotSupported{Field: field} 20100 } 20101 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20102 return []string{}, &eval.ErrNotSupported{Field: field} 20103 } 20104 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil 20105 case "process.parent.interpreter.file.in_upper_layer": 20106 if !ev.BaseEvent.ProcessContext.HasParent() { 20107 return false, &eval.ErrNotSupported{Field: field} 20108 } 20109 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20110 return false, &eval.ErrNotSupported{Field: field} 20111 } 20112 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields), nil 20113 case "process.parent.interpreter.file.inode": 20114 if !ev.BaseEvent.ProcessContext.HasParent() { 20115 return 0, &eval.ErrNotSupported{Field: field} 20116 } 20117 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20118 return 0, &eval.ErrNotSupported{Field: field} 20119 } 20120 return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil 20121 case "process.parent.interpreter.file.mode": 20122 if !ev.BaseEvent.ProcessContext.HasParent() { 20123 return 0, &eval.ErrNotSupported{Field: field} 20124 } 20125 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20126 return 0, &eval.ErrNotSupported{Field: field} 20127 } 20128 return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.Mode), nil 20129 case "process.parent.interpreter.file.modification_time": 20130 if !ev.BaseEvent.ProcessContext.HasParent() { 20131 return 0, &eval.ErrNotSupported{Field: field} 20132 } 20133 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20134 return 0, &eval.ErrNotSupported{Field: field} 20135 } 20136 return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.MTime), nil 20137 case 
"process.parent.interpreter.file.mount_id": 20138 if !ev.BaseEvent.ProcessContext.HasParent() { 20139 return 0, &eval.ErrNotSupported{Field: field} 20140 } 20141 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20142 return 0, &eval.ErrNotSupported{Field: field} 20143 } 20144 return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil 20145 case "process.parent.interpreter.file.name": 20146 if !ev.BaseEvent.ProcessContext.HasParent() { 20147 return "", &eval.ErrNotSupported{Field: field} 20148 } 20149 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20150 return "", &eval.ErrNotSupported{Field: field} 20151 } 20152 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil 20153 case "process.parent.interpreter.file.name.length": 20154 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil 20155 case "process.parent.interpreter.file.package.name": 20156 if !ev.BaseEvent.ProcessContext.HasParent() { 20157 return "", &eval.ErrNotSupported{Field: field} 20158 } 20159 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20160 return "", &eval.ErrNotSupported{Field: field} 20161 } 20162 return ev.FieldHandlers.ResolvePackageName(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil 20163 case "process.parent.interpreter.file.package.source_version": 20164 if !ev.BaseEvent.ProcessContext.HasParent() { 20165 return "", &eval.ErrNotSupported{Field: field} 20166 } 20167 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20168 return "", &eval.ErrNotSupported{Field: field} 20169 } 20170 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil 20171 case "process.parent.interpreter.file.package.version": 20172 if !ev.BaseEvent.ProcessContext.HasParent() { 20173 return "", &eval.ErrNotSupported{Field: field} 20174 } 20175 
if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20176 return "", &eval.ErrNotSupported{Field: field} 20177 } 20178 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil 20179 case "process.parent.interpreter.file.path": 20180 if !ev.BaseEvent.ProcessContext.HasParent() { 20181 return "", &eval.ErrNotSupported{Field: field} 20182 } 20183 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20184 return "", &eval.ErrNotSupported{Field: field} 20185 } 20186 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil 20187 case "process.parent.interpreter.file.path.length": 20188 return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent), nil 20189 case "process.parent.interpreter.file.rights": 20190 if !ev.BaseEvent.ProcessContext.HasParent() { 20191 return 0, &eval.ErrNotSupported{Field: field} 20192 } 20193 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20194 return 0, &eval.ErrNotSupported{Field: field} 20195 } 20196 return int(ev.FieldHandlers.ResolveRights(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields)), nil 20197 case "process.parent.interpreter.file.uid": 20198 if !ev.BaseEvent.ProcessContext.HasParent() { 20199 return 0, &eval.ErrNotSupported{Field: field} 20200 } 20201 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20202 return 0, &eval.ErrNotSupported{Field: field} 20203 } 20204 return int(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.UID), nil 20205 case "process.parent.interpreter.file.user": 20206 if !ev.BaseEvent.ProcessContext.HasParent() { 20207 return "", &eval.ErrNotSupported{Field: field} 20208 } 20209 if !ev.BaseEvent.ProcessContext.Parent.HasInterpreter() { 20210 return "", &eval.ErrNotSupported{Field: field} 20211 } 20212 return ev.FieldHandlers.ResolveFileFieldsUser(ev, 
&ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields), nil 20213 case "process.parent.is_kworker": 20214 if !ev.BaseEvent.ProcessContext.HasParent() { 20215 return false, &eval.ErrNotSupported{Field: field} 20216 } 20217 return ev.BaseEvent.ProcessContext.Parent.PIDContext.IsKworker, nil 20218 case "process.parent.is_thread": 20219 if !ev.BaseEvent.ProcessContext.HasParent() { 20220 return false, &eval.ErrNotSupported{Field: field} 20221 } 20222 return ev.BaseEvent.ProcessContext.Parent.IsThread, nil 20223 case "process.parent.pid": 20224 if !ev.BaseEvent.ProcessContext.HasParent() { 20225 return 0, &eval.ErrNotSupported{Field: field} 20226 } 20227 return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid), nil 20228 case "process.parent.ppid": 20229 if !ev.BaseEvent.ProcessContext.HasParent() { 20230 return 0, &eval.ErrNotSupported{Field: field} 20231 } 20232 return int(ev.BaseEvent.ProcessContext.Parent.PPid), nil 20233 case "process.parent.tid": 20234 if !ev.BaseEvent.ProcessContext.HasParent() { 20235 return 0, &eval.ErrNotSupported{Field: field} 20236 } 20237 return int(ev.BaseEvent.ProcessContext.Parent.PIDContext.Tid), nil 20238 case "process.parent.tty_name": 20239 if !ev.BaseEvent.ProcessContext.HasParent() { 20240 return "", &eval.ErrNotSupported{Field: field} 20241 } 20242 return ev.BaseEvent.ProcessContext.Parent.TTYName, nil 20243 case "process.parent.uid": 20244 if !ev.BaseEvent.ProcessContext.HasParent() { 20245 return 0, &eval.ErrNotSupported{Field: field} 20246 } 20247 return int(ev.BaseEvent.ProcessContext.Parent.Credentials.UID), nil 20248 case "process.parent.user": 20249 if !ev.BaseEvent.ProcessContext.HasParent() { 20250 return "", &eval.ErrNotSupported{Field: field} 20251 } 20252 return ev.BaseEvent.ProcessContext.Parent.Credentials.User, nil 20253 case "process.parent.user_session.k8s_groups": 20254 if !ev.BaseEvent.ProcessContext.HasParent() { 20255 return []string{}, &eval.ErrNotSupported{Field: field} 20256 } 20257 
return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession), nil 20258 case "process.parent.user_session.k8s_uid": 20259 if !ev.BaseEvent.ProcessContext.HasParent() { 20260 return "", &eval.ErrNotSupported{Field: field} 20261 } 20262 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession), nil 20263 case "process.parent.user_session.k8s_username": 20264 if !ev.BaseEvent.ProcessContext.HasParent() { 20265 return "", &eval.ErrNotSupported{Field: field} 20266 } 20267 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.BaseEvent.ProcessContext.Parent.UserSession), nil 20268 case "process.pid": 20269 return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Pid), nil 20270 case "process.ppid": 20271 return int(ev.BaseEvent.ProcessContext.Process.PPid), nil 20272 case "process.tid": 20273 return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Tid), nil 20274 case "process.tty_name": 20275 return ev.BaseEvent.ProcessContext.Process.TTYName, nil 20276 case "process.uid": 20277 return int(ev.BaseEvent.ProcessContext.Process.Credentials.UID), nil 20278 case "process.user": 20279 return ev.BaseEvent.ProcessContext.Process.Credentials.User, nil 20280 case "process.user_session.k8s_groups": 20281 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.BaseEvent.ProcessContext.Process.UserSession), nil 20282 case "process.user_session.k8s_uid": 20283 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.BaseEvent.ProcessContext.Process.UserSession), nil 20284 case "process.user_session.k8s_username": 20285 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.BaseEvent.ProcessContext.Process.UserSession), nil 20286 case "ptrace.request": 20287 return int(ev.PTrace.Request), nil 20288 case "ptrace.retval": 20289 return int(ev.PTrace.SyscallEvent.Retval), nil 20290 case "ptrace.tracee.ancestors.args": 20291 var values []string 20292 ctx := eval.NewContext(ev) 20293 iterator := &ProcessAncestorsIterator{} 20294 ptr := 
iterator.Front(ctx) 20295 for ptr != nil { 20296 element := (*ProcessCacheEntry)(ptr) 20297 result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process) 20298 values = append(values, result) 20299 ptr = iterator.Next() 20300 } 20301 return values, nil 20302 case "ptrace.tracee.ancestors.args_flags": 20303 var values []string 20304 ctx := eval.NewContext(ev) 20305 iterator := &ProcessAncestorsIterator{} 20306 ptr := iterator.Front(ctx) 20307 for ptr != nil { 20308 element := (*ProcessCacheEntry)(ptr) 20309 result := ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process) 20310 values = append(values, result...) 20311 ptr = iterator.Next() 20312 } 20313 return values, nil 20314 case "ptrace.tracee.ancestors.args_options": 20315 var values []string 20316 ctx := eval.NewContext(ev) 20317 iterator := &ProcessAncestorsIterator{} 20318 ptr := iterator.Front(ctx) 20319 for ptr != nil { 20320 element := (*ProcessCacheEntry)(ptr) 20321 result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process) 20322 values = append(values, result...) 
20323 ptr = iterator.Next() 20324 } 20325 return values, nil 20326 case "ptrace.tracee.ancestors.args_truncated": 20327 var values []bool 20328 ctx := eval.NewContext(ev) 20329 iterator := &ProcessAncestorsIterator{} 20330 ptr := iterator.Front(ctx) 20331 for ptr != nil { 20332 element := (*ProcessCacheEntry)(ptr) 20333 result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process) 20334 values = append(values, result) 20335 ptr = iterator.Next() 20336 } 20337 return values, nil 20338 case "ptrace.tracee.ancestors.argv": 20339 var values []string 20340 ctx := eval.NewContext(ev) 20341 iterator := &ProcessAncestorsIterator{} 20342 ptr := iterator.Front(ctx) 20343 for ptr != nil { 20344 element := (*ProcessCacheEntry)(ptr) 20345 result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process) 20346 values = append(values, result...) 20347 ptr = iterator.Next() 20348 } 20349 return values, nil 20350 case "ptrace.tracee.ancestors.argv0": 20351 var values []string 20352 ctx := eval.NewContext(ev) 20353 iterator := &ProcessAncestorsIterator{} 20354 ptr := iterator.Front(ctx) 20355 for ptr != nil { 20356 element := (*ProcessCacheEntry)(ptr) 20357 result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process) 20358 values = append(values, result) 20359 ptr = iterator.Next() 20360 } 20361 return values, nil 20362 case "ptrace.tracee.ancestors.cap_effective": 20363 var values []int 20364 ctx := eval.NewContext(ev) 20365 iterator := &ProcessAncestorsIterator{} 20366 ptr := iterator.Front(ctx) 20367 for ptr != nil { 20368 element := (*ProcessCacheEntry)(ptr) 20369 result := int(element.ProcessContext.Process.Credentials.CapEffective) 20370 values = append(values, result) 20371 ptr = iterator.Next() 20372 } 20373 return values, nil 20374 case "ptrace.tracee.ancestors.cap_permitted": 20375 var values []int 20376 ctx := eval.NewContext(ev) 20377 iterator := &ProcessAncestorsIterator{} 20378 ptr := 
iterator.Front(ctx) 20379 for ptr != nil { 20380 element := (*ProcessCacheEntry)(ptr) 20381 result := int(element.ProcessContext.Process.Credentials.CapPermitted) 20382 values = append(values, result) 20383 ptr = iterator.Next() 20384 } 20385 return values, nil 20386 case "ptrace.tracee.ancestors.comm": 20387 var values []string 20388 ctx := eval.NewContext(ev) 20389 iterator := &ProcessAncestorsIterator{} 20390 ptr := iterator.Front(ctx) 20391 for ptr != nil { 20392 element := (*ProcessCacheEntry)(ptr) 20393 result := element.ProcessContext.Process.Comm 20394 values = append(values, result) 20395 ptr = iterator.Next() 20396 } 20397 return values, nil 20398 case "ptrace.tracee.ancestors.container.id": 20399 var values []string 20400 ctx := eval.NewContext(ev) 20401 iterator := &ProcessAncestorsIterator{} 20402 ptr := iterator.Front(ctx) 20403 for ptr != nil { 20404 element := (*ProcessCacheEntry)(ptr) 20405 result := element.ProcessContext.Process.ContainerID 20406 values = append(values, result) 20407 ptr = iterator.Next() 20408 } 20409 return values, nil 20410 case "ptrace.tracee.ancestors.created_at": 20411 var values []int 20412 ctx := eval.NewContext(ev) 20413 iterator := &ProcessAncestorsIterator{} 20414 ptr := iterator.Front(ctx) 20415 for ptr != nil { 20416 element := (*ProcessCacheEntry)(ptr) 20417 result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process)) 20418 values = append(values, result) 20419 ptr = iterator.Next() 20420 } 20421 return values, nil 20422 case "ptrace.tracee.ancestors.egid": 20423 var values []int 20424 ctx := eval.NewContext(ev) 20425 iterator := &ProcessAncestorsIterator{} 20426 ptr := iterator.Front(ctx) 20427 for ptr != nil { 20428 element := (*ProcessCacheEntry)(ptr) 20429 result := int(element.ProcessContext.Process.Credentials.EGID) 20430 values = append(values, result) 20431 ptr = iterator.Next() 20432 } 20433 return values, nil 20434 case "ptrace.tracee.ancestors.egroup": 20435 var values 
[]string 20436 ctx := eval.NewContext(ev) 20437 iterator := &ProcessAncestorsIterator{} 20438 ptr := iterator.Front(ctx) 20439 for ptr != nil { 20440 element := (*ProcessCacheEntry)(ptr) 20441 result := element.ProcessContext.Process.Credentials.EGroup 20442 values = append(values, result) 20443 ptr = iterator.Next() 20444 } 20445 return values, nil 20446 case "ptrace.tracee.ancestors.envp": 20447 var values []string 20448 ctx := eval.NewContext(ev) 20449 iterator := &ProcessAncestorsIterator{} 20450 ptr := iterator.Front(ctx) 20451 for ptr != nil { 20452 element := (*ProcessCacheEntry)(ptr) 20453 result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) 20454 values = append(values, result...) 20455 ptr = iterator.Next() 20456 } 20457 return values, nil 20458 case "ptrace.tracee.ancestors.envs": 20459 var values []string 20460 ctx := eval.NewContext(ev) 20461 iterator := &ProcessAncestorsIterator{} 20462 ptr := iterator.Front(ctx) 20463 for ptr != nil { 20464 element := (*ProcessCacheEntry)(ptr) 20465 result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process) 20466 values = append(values, result...) 
20467 ptr = iterator.Next() 20468 } 20469 return values, nil 20470 case "ptrace.tracee.ancestors.envs_truncated": 20471 var values []bool 20472 ctx := eval.NewContext(ev) 20473 iterator := &ProcessAncestorsIterator{} 20474 ptr := iterator.Front(ctx) 20475 for ptr != nil { 20476 element := (*ProcessCacheEntry)(ptr) 20477 result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process) 20478 values = append(values, result) 20479 ptr = iterator.Next() 20480 } 20481 return values, nil 20482 case "ptrace.tracee.ancestors.euid": 20483 var values []int 20484 ctx := eval.NewContext(ev) 20485 iterator := &ProcessAncestorsIterator{} 20486 ptr := iterator.Front(ctx) 20487 for ptr != nil { 20488 element := (*ProcessCacheEntry)(ptr) 20489 result := int(element.ProcessContext.Process.Credentials.EUID) 20490 values = append(values, result) 20491 ptr = iterator.Next() 20492 } 20493 return values, nil 20494 case "ptrace.tracee.ancestors.euser": 20495 var values []string 20496 ctx := eval.NewContext(ev) 20497 iterator := &ProcessAncestorsIterator{} 20498 ptr := iterator.Front(ctx) 20499 for ptr != nil { 20500 element := (*ProcessCacheEntry)(ptr) 20501 result := element.ProcessContext.Process.Credentials.EUser 20502 values = append(values, result) 20503 ptr = iterator.Next() 20504 } 20505 return values, nil 20506 case "ptrace.tracee.ancestors.file.change_time": 20507 var values []int 20508 ctx := eval.NewContext(ev) 20509 iterator := &ProcessAncestorsIterator{} 20510 ptr := iterator.Front(ctx) 20511 for ptr != nil { 20512 element := (*ProcessCacheEntry)(ptr) 20513 result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime) 20514 values = append(values, result) 20515 ptr = iterator.Next() 20516 } 20517 return values, nil 20518 case "ptrace.tracee.ancestors.file.filesystem": 20519 var values []string 20520 ctx := eval.NewContext(ev) 20521 iterator := &ProcessAncestorsIterator{} 20522 ptr := iterator.Front(ctx) 20523 for ptr != nil { 20524 element 
:= (*ProcessCacheEntry)(ptr) 20525 result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent) 20526 values = append(values, result) 20527 ptr = iterator.Next() 20528 } 20529 return values, nil 20530 case "ptrace.tracee.ancestors.file.gid": 20531 var values []int 20532 ctx := eval.NewContext(ev) 20533 iterator := &ProcessAncestorsIterator{} 20534 ptr := iterator.Front(ctx) 20535 for ptr != nil { 20536 element := (*ProcessCacheEntry)(ptr) 20537 result := int(element.ProcessContext.Process.FileEvent.FileFields.GID) 20538 values = append(values, result) 20539 ptr = iterator.Next() 20540 } 20541 return values, nil 20542 case "ptrace.tracee.ancestors.file.group": 20543 var values []string 20544 ctx := eval.NewContext(ev) 20545 iterator := &ProcessAncestorsIterator{} 20546 ptr := iterator.Front(ctx) 20547 for ptr != nil { 20548 element := (*ProcessCacheEntry)(ptr) 20549 result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields) 20550 values = append(values, result) 20551 ptr = iterator.Next() 20552 } 20553 return values, nil 20554 case "ptrace.tracee.ancestors.file.hashes": 20555 var values []string 20556 ctx := eval.NewContext(ev) 20557 iterator := &ProcessAncestorsIterator{} 20558 ptr := iterator.Front(ctx) 20559 for ptr != nil { 20560 element := (*ProcessCacheEntry)(ptr) 20561 result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent) 20562 values = append(values, result...) 
20563 ptr = iterator.Next() 20564 } 20565 return values, nil 20566 case "ptrace.tracee.ancestors.file.in_upper_layer": 20567 var values []bool 20568 ctx := eval.NewContext(ev) 20569 iterator := &ProcessAncestorsIterator{} 20570 ptr := iterator.Front(ctx) 20571 for ptr != nil { 20572 element := (*ProcessCacheEntry)(ptr) 20573 result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields) 20574 values = append(values, result) 20575 ptr = iterator.Next() 20576 } 20577 return values, nil 20578 case "ptrace.tracee.ancestors.file.inode": 20579 var values []int 20580 ctx := eval.NewContext(ev) 20581 iterator := &ProcessAncestorsIterator{} 20582 ptr := iterator.Front(ctx) 20583 for ptr != nil { 20584 element := (*ProcessCacheEntry)(ptr) 20585 result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) 20586 values = append(values, result) 20587 ptr = iterator.Next() 20588 } 20589 return values, nil 20590 case "ptrace.tracee.ancestors.file.mode": 20591 var values []int 20592 ctx := eval.NewContext(ev) 20593 iterator := &ProcessAncestorsIterator{} 20594 ptr := iterator.Front(ctx) 20595 for ptr != nil { 20596 element := (*ProcessCacheEntry)(ptr) 20597 result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode) 20598 values = append(values, result) 20599 ptr = iterator.Next() 20600 } 20601 return values, nil 20602 case "ptrace.tracee.ancestors.file.modification_time": 20603 var values []int 20604 ctx := eval.NewContext(ev) 20605 iterator := &ProcessAncestorsIterator{} 20606 ptr := iterator.Front(ctx) 20607 for ptr != nil { 20608 element := (*ProcessCacheEntry)(ptr) 20609 result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime) 20610 values = append(values, result) 20611 ptr = iterator.Next() 20612 } 20613 return values, nil 20614 case "ptrace.tracee.ancestors.file.mount_id": 20615 var values []int 20616 ctx := eval.NewContext(ev) 20617 iterator := &ProcessAncestorsIterator{} 
20618 ptr := iterator.Front(ctx) 20619 for ptr != nil { 20620 element := (*ProcessCacheEntry)(ptr) 20621 result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) 20622 values = append(values, result) 20623 ptr = iterator.Next() 20624 } 20625 return values, nil 20626 case "ptrace.tracee.ancestors.file.name": 20627 var values []string 20628 ctx := eval.NewContext(ev) 20629 iterator := &ProcessAncestorsIterator{} 20630 ptr := iterator.Front(ctx) 20631 for ptr != nil { 20632 element := (*ProcessCacheEntry)(ptr) 20633 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) 20634 values = append(values, result) 20635 ptr = iterator.Next() 20636 } 20637 return values, nil 20638 case "ptrace.tracee.ancestors.file.name.length": 20639 var values []int 20640 ctx := eval.NewContext(ev) 20641 iterator := &ProcessAncestorsIterator{} 20642 ptr := iterator.Front(ctx) 20643 for ptr != nil { 20644 element := (*ProcessCacheEntry)(ptr) 20645 result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)) 20646 values = append(values, result) 20647 ptr = iterator.Next() 20648 } 20649 return values, nil 20650 case "ptrace.tracee.ancestors.file.package.name": 20651 var values []string 20652 ctx := eval.NewContext(ev) 20653 iterator := &ProcessAncestorsIterator{} 20654 ptr := iterator.Front(ctx) 20655 for ptr != nil { 20656 element := (*ProcessCacheEntry)(ptr) 20657 result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent) 20658 values = append(values, result) 20659 ptr = iterator.Next() 20660 } 20661 return values, nil 20662 case "ptrace.tracee.ancestors.file.package.source_version": 20663 var values []string 20664 ctx := eval.NewContext(ev) 20665 iterator := &ProcessAncestorsIterator{} 20666 ptr := iterator.Front(ctx) 20667 for ptr != nil { 20668 element := (*ProcessCacheEntry)(ptr) 20669 result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, 
&element.ProcessContext.Process.FileEvent) 20670 values = append(values, result) 20671 ptr = iterator.Next() 20672 } 20673 return values, nil 20674 case "ptrace.tracee.ancestors.file.package.version": 20675 var values []string 20676 ctx := eval.NewContext(ev) 20677 iterator := &ProcessAncestorsIterator{} 20678 ptr := iterator.Front(ctx) 20679 for ptr != nil { 20680 element := (*ProcessCacheEntry)(ptr) 20681 result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent) 20682 values = append(values, result) 20683 ptr = iterator.Next() 20684 } 20685 return values, nil 20686 case "ptrace.tracee.ancestors.file.path": 20687 var values []string 20688 ctx := eval.NewContext(ev) 20689 iterator := &ProcessAncestorsIterator{} 20690 ptr := iterator.Front(ctx) 20691 for ptr != nil { 20692 element := (*ProcessCacheEntry)(ptr) 20693 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) 20694 values = append(values, result) 20695 ptr = iterator.Next() 20696 } 20697 return values, nil 20698 case "ptrace.tracee.ancestors.file.path.length": 20699 var values []int 20700 ctx := eval.NewContext(ev) 20701 iterator := &ProcessAncestorsIterator{} 20702 ptr := iterator.Front(ctx) 20703 for ptr != nil { 20704 element := (*ProcessCacheEntry)(ptr) 20705 result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)) 20706 values = append(values, result) 20707 ptr = iterator.Next() 20708 } 20709 return values, nil 20710 case "ptrace.tracee.ancestors.file.rights": 20711 var values []int 20712 ctx := eval.NewContext(ev) 20713 iterator := &ProcessAncestorsIterator{} 20714 ptr := iterator.Front(ctx) 20715 for ptr != nil { 20716 element := (*ProcessCacheEntry)(ptr) 20717 result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields)) 20718 values = append(values, result) 20719 ptr = iterator.Next() 20720 } 20721 return values, nil 20722 case 
"ptrace.tracee.ancestors.file.uid": 20723 var values []int 20724 ctx := eval.NewContext(ev) 20725 iterator := &ProcessAncestorsIterator{} 20726 ptr := iterator.Front(ctx) 20727 for ptr != nil { 20728 element := (*ProcessCacheEntry)(ptr) 20729 result := int(element.ProcessContext.Process.FileEvent.FileFields.UID) 20730 values = append(values, result) 20731 ptr = iterator.Next() 20732 } 20733 return values, nil 20734 case "ptrace.tracee.ancestors.file.user": 20735 var values []string 20736 ctx := eval.NewContext(ev) 20737 iterator := &ProcessAncestorsIterator{} 20738 ptr := iterator.Front(ctx) 20739 for ptr != nil { 20740 element := (*ProcessCacheEntry)(ptr) 20741 result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields) 20742 values = append(values, result) 20743 ptr = iterator.Next() 20744 } 20745 return values, nil 20746 case "ptrace.tracee.ancestors.fsgid": 20747 var values []int 20748 ctx := eval.NewContext(ev) 20749 iterator := &ProcessAncestorsIterator{} 20750 ptr := iterator.Front(ctx) 20751 for ptr != nil { 20752 element := (*ProcessCacheEntry)(ptr) 20753 result := int(element.ProcessContext.Process.Credentials.FSGID) 20754 values = append(values, result) 20755 ptr = iterator.Next() 20756 } 20757 return values, nil 20758 case "ptrace.tracee.ancestors.fsgroup": 20759 var values []string 20760 ctx := eval.NewContext(ev) 20761 iterator := &ProcessAncestorsIterator{} 20762 ptr := iterator.Front(ctx) 20763 for ptr != nil { 20764 element := (*ProcessCacheEntry)(ptr) 20765 result := element.ProcessContext.Process.Credentials.FSGroup 20766 values = append(values, result) 20767 ptr = iterator.Next() 20768 } 20769 return values, nil 20770 case "ptrace.tracee.ancestors.fsuid": 20771 var values []int 20772 ctx := eval.NewContext(ev) 20773 iterator := &ProcessAncestorsIterator{} 20774 ptr := iterator.Front(ctx) 20775 for ptr != nil { 20776 element := (*ProcessCacheEntry)(ptr) 20777 result := 
int(element.ProcessContext.Process.Credentials.FSUID) 20778 values = append(values, result) 20779 ptr = iterator.Next() 20780 } 20781 return values, nil 20782 case "ptrace.tracee.ancestors.fsuser": 20783 var values []string 20784 ctx := eval.NewContext(ev) 20785 iterator := &ProcessAncestorsIterator{} 20786 ptr := iterator.Front(ctx) 20787 for ptr != nil { 20788 element := (*ProcessCacheEntry)(ptr) 20789 result := element.ProcessContext.Process.Credentials.FSUser 20790 values = append(values, result) 20791 ptr = iterator.Next() 20792 } 20793 return values, nil 20794 case "ptrace.tracee.ancestors.gid": 20795 var values []int 20796 ctx := eval.NewContext(ev) 20797 iterator := &ProcessAncestorsIterator{} 20798 ptr := iterator.Front(ctx) 20799 for ptr != nil { 20800 element := (*ProcessCacheEntry)(ptr) 20801 result := int(element.ProcessContext.Process.Credentials.GID) 20802 values = append(values, result) 20803 ptr = iterator.Next() 20804 } 20805 return values, nil 20806 case "ptrace.tracee.ancestors.group": 20807 var values []string 20808 ctx := eval.NewContext(ev) 20809 iterator := &ProcessAncestorsIterator{} 20810 ptr := iterator.Front(ctx) 20811 for ptr != nil { 20812 element := (*ProcessCacheEntry)(ptr) 20813 result := element.ProcessContext.Process.Credentials.Group 20814 values = append(values, result) 20815 ptr = iterator.Next() 20816 } 20817 return values, nil 20818 case "ptrace.tracee.ancestors.interpreter.file.change_time": 20819 var values []int 20820 ctx := eval.NewContext(ev) 20821 iterator := &ProcessAncestorsIterator{} 20822 ptr := iterator.Front(ctx) 20823 for ptr != nil { 20824 element := (*ProcessCacheEntry)(ptr) 20825 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) 20826 values = append(values, result) 20827 ptr = iterator.Next() 20828 } 20829 return values, nil 20830 case "ptrace.tracee.ancestors.interpreter.file.filesystem": 20831 var values []string 20832 ctx := eval.NewContext(ev) 20833 iterator := 
&ProcessAncestorsIterator{} 20834 ptr := iterator.Front(ctx) 20835 for ptr != nil { 20836 element := (*ProcessCacheEntry)(ptr) 20837 result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 20838 values = append(values, result) 20839 ptr = iterator.Next() 20840 } 20841 return values, nil 20842 case "ptrace.tracee.ancestors.interpreter.file.gid": 20843 var values []int 20844 ctx := eval.NewContext(ev) 20845 iterator := &ProcessAncestorsIterator{} 20846 ptr := iterator.Front(ctx) 20847 for ptr != nil { 20848 element := (*ProcessCacheEntry)(ptr) 20849 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) 20850 values = append(values, result) 20851 ptr = iterator.Next() 20852 } 20853 return values, nil 20854 case "ptrace.tracee.ancestors.interpreter.file.group": 20855 var values []string 20856 ctx := eval.NewContext(ev) 20857 iterator := &ProcessAncestorsIterator{} 20858 ptr := iterator.Front(ctx) 20859 for ptr != nil { 20860 element := (*ProcessCacheEntry)(ptr) 20861 result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 20862 values = append(values, result) 20863 ptr = iterator.Next() 20864 } 20865 return values, nil 20866 case "ptrace.tracee.ancestors.interpreter.file.hashes": 20867 var values []string 20868 ctx := eval.NewContext(ev) 20869 iterator := &ProcessAncestorsIterator{} 20870 ptr := iterator.Front(ctx) 20871 for ptr != nil { 20872 element := (*ProcessCacheEntry)(ptr) 20873 result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 20874 values = append(values, result...) 
20875 ptr = iterator.Next() 20876 } 20877 return values, nil 20878 case "ptrace.tracee.ancestors.interpreter.file.in_upper_layer": 20879 var values []bool 20880 ctx := eval.NewContext(ev) 20881 iterator := &ProcessAncestorsIterator{} 20882 ptr := iterator.Front(ctx) 20883 for ptr != nil { 20884 element := (*ProcessCacheEntry)(ptr) 20885 result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 20886 values = append(values, result) 20887 ptr = iterator.Next() 20888 } 20889 return values, nil 20890 case "ptrace.tracee.ancestors.interpreter.file.inode": 20891 var values []int 20892 ctx := eval.NewContext(ev) 20893 iterator := &ProcessAncestorsIterator{} 20894 ptr := iterator.Front(ctx) 20895 for ptr != nil { 20896 element := (*ProcessCacheEntry)(ptr) 20897 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 20898 values = append(values, result) 20899 ptr = iterator.Next() 20900 } 20901 return values, nil 20902 case "ptrace.tracee.ancestors.interpreter.file.mode": 20903 var values []int 20904 ctx := eval.NewContext(ev) 20905 iterator := &ProcessAncestorsIterator{} 20906 ptr := iterator.Front(ctx) 20907 for ptr != nil { 20908 element := (*ProcessCacheEntry)(ptr) 20909 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) 20910 values = append(values, result) 20911 ptr = iterator.Next() 20912 } 20913 return values, nil 20914 case "ptrace.tracee.ancestors.interpreter.file.modification_time": 20915 var values []int 20916 ctx := eval.NewContext(ev) 20917 iterator := &ProcessAncestorsIterator{} 20918 ptr := iterator.Front(ctx) 20919 for ptr != nil { 20920 element := (*ProcessCacheEntry)(ptr) 20921 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) 20922 values = append(values, result) 20923 ptr = iterator.Next() 20924 } 20925 return values, nil 20926 case 
"ptrace.tracee.ancestors.interpreter.file.mount_id": 20927 var values []int 20928 ctx := eval.NewContext(ev) 20929 iterator := &ProcessAncestorsIterator{} 20930 ptr := iterator.Front(ctx) 20931 for ptr != nil { 20932 element := (*ProcessCacheEntry)(ptr) 20933 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 20934 values = append(values, result) 20935 ptr = iterator.Next() 20936 } 20937 return values, nil 20938 case "ptrace.tracee.ancestors.interpreter.file.name": 20939 var values []string 20940 ctx := eval.NewContext(ev) 20941 iterator := &ProcessAncestorsIterator{} 20942 ptr := iterator.Front(ctx) 20943 for ptr != nil { 20944 element := (*ProcessCacheEntry)(ptr) 20945 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 20946 values = append(values, result) 20947 ptr = iterator.Next() 20948 } 20949 return values, nil 20950 case "ptrace.tracee.ancestors.interpreter.file.name.length": 20951 var values []int 20952 ctx := eval.NewContext(ev) 20953 iterator := &ProcessAncestorsIterator{} 20954 ptr := iterator.Front(ctx) 20955 for ptr != nil { 20956 element := (*ProcessCacheEntry)(ptr) 20957 result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)) 20958 values = append(values, result) 20959 ptr = iterator.Next() 20960 } 20961 return values, nil 20962 case "ptrace.tracee.ancestors.interpreter.file.package.name": 20963 var values []string 20964 ctx := eval.NewContext(ev) 20965 iterator := &ProcessAncestorsIterator{} 20966 ptr := iterator.Front(ctx) 20967 for ptr != nil { 20968 element := (*ProcessCacheEntry)(ptr) 20969 result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 20970 values = append(values, result) 20971 ptr = iterator.Next() 20972 } 20973 return values, nil 20974 case "ptrace.tracee.ancestors.interpreter.file.package.source_version": 20975 var values []string 
20976 ctx := eval.NewContext(ev) 20977 iterator := &ProcessAncestorsIterator{} 20978 ptr := iterator.Front(ctx) 20979 for ptr != nil { 20980 element := (*ProcessCacheEntry)(ptr) 20981 result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 20982 values = append(values, result) 20983 ptr = iterator.Next() 20984 } 20985 return values, nil 20986 case "ptrace.tracee.ancestors.interpreter.file.package.version": 20987 var values []string 20988 ctx := eval.NewContext(ev) 20989 iterator := &ProcessAncestorsIterator{} 20990 ptr := iterator.Front(ctx) 20991 for ptr != nil { 20992 element := (*ProcessCacheEntry)(ptr) 20993 result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 20994 values = append(values, result) 20995 ptr = iterator.Next() 20996 } 20997 return values, nil 20998 case "ptrace.tracee.ancestors.interpreter.file.path": 20999 var values []string 21000 ctx := eval.NewContext(ev) 21001 iterator := &ProcessAncestorsIterator{} 21002 ptr := iterator.Front(ctx) 21003 for ptr != nil { 21004 element := (*ProcessCacheEntry)(ptr) 21005 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 21006 values = append(values, result) 21007 ptr = iterator.Next() 21008 } 21009 return values, nil 21010 case "ptrace.tracee.ancestors.interpreter.file.path.length": 21011 var values []int 21012 ctx := eval.NewContext(ev) 21013 iterator := &ProcessAncestorsIterator{} 21014 ptr := iterator.Front(ctx) 21015 for ptr != nil { 21016 element := (*ProcessCacheEntry)(ptr) 21017 result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)) 21018 values = append(values, result) 21019 ptr = iterator.Next() 21020 } 21021 return values, nil 21022 case "ptrace.tracee.ancestors.interpreter.file.rights": 21023 var values []int 21024 ctx := eval.NewContext(ev) 21025 iterator := &ProcessAncestorsIterator{} 
21026 ptr := iterator.Front(ctx) 21027 for ptr != nil { 21028 element := (*ProcessCacheEntry)(ptr) 21029 result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) 21030 values = append(values, result) 21031 ptr = iterator.Next() 21032 } 21033 return values, nil 21034 case "ptrace.tracee.ancestors.interpreter.file.uid": 21035 var values []int 21036 ctx := eval.NewContext(ev) 21037 iterator := &ProcessAncestorsIterator{} 21038 ptr := iterator.Front(ctx) 21039 for ptr != nil { 21040 element := (*ProcessCacheEntry)(ptr) 21041 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) 21042 values = append(values, result) 21043 ptr = iterator.Next() 21044 } 21045 return values, nil 21046 case "ptrace.tracee.ancestors.interpreter.file.user": 21047 var values []string 21048 ctx := eval.NewContext(ev) 21049 iterator := &ProcessAncestorsIterator{} 21050 ptr := iterator.Front(ctx) 21051 for ptr != nil { 21052 element := (*ProcessCacheEntry)(ptr) 21053 result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 21054 values = append(values, result) 21055 ptr = iterator.Next() 21056 } 21057 return values, nil 21058 case "ptrace.tracee.ancestors.is_kworker": 21059 var values []bool 21060 ctx := eval.NewContext(ev) 21061 iterator := &ProcessAncestorsIterator{} 21062 ptr := iterator.Front(ctx) 21063 for ptr != nil { 21064 element := (*ProcessCacheEntry)(ptr) 21065 result := element.ProcessContext.Process.PIDContext.IsKworker 21066 values = append(values, result) 21067 ptr = iterator.Next() 21068 } 21069 return values, nil 21070 case "ptrace.tracee.ancestors.is_thread": 21071 var values []bool 21072 ctx := eval.NewContext(ev) 21073 iterator := &ProcessAncestorsIterator{} 21074 ptr := iterator.Front(ctx) 21075 for ptr != nil { 21076 element := (*ProcessCacheEntry)(ptr) 21077 result := element.ProcessContext.Process.IsThread 21078 values = 
append(values, result) 21079 ptr = iterator.Next() 21080 } 21081 return values, nil 21082 case "ptrace.tracee.ancestors.pid": 21083 var values []int 21084 ctx := eval.NewContext(ev) 21085 iterator := &ProcessAncestorsIterator{} 21086 ptr := iterator.Front(ctx) 21087 for ptr != nil { 21088 element := (*ProcessCacheEntry)(ptr) 21089 result := int(element.ProcessContext.Process.PIDContext.Pid) 21090 values = append(values, result) 21091 ptr = iterator.Next() 21092 } 21093 return values, nil 21094 case "ptrace.tracee.ancestors.ppid": 21095 var values []int 21096 ctx := eval.NewContext(ev) 21097 iterator := &ProcessAncestorsIterator{} 21098 ptr := iterator.Front(ctx) 21099 for ptr != nil { 21100 element := (*ProcessCacheEntry)(ptr) 21101 result := int(element.ProcessContext.Process.PPid) 21102 values = append(values, result) 21103 ptr = iterator.Next() 21104 } 21105 return values, nil 21106 case "ptrace.tracee.ancestors.tid": 21107 var values []int 21108 ctx := eval.NewContext(ev) 21109 iterator := &ProcessAncestorsIterator{} 21110 ptr := iterator.Front(ctx) 21111 for ptr != nil { 21112 element := (*ProcessCacheEntry)(ptr) 21113 result := int(element.ProcessContext.Process.PIDContext.Tid) 21114 values = append(values, result) 21115 ptr = iterator.Next() 21116 } 21117 return values, nil 21118 case "ptrace.tracee.ancestors.tty_name": 21119 var values []string 21120 ctx := eval.NewContext(ev) 21121 iterator := &ProcessAncestorsIterator{} 21122 ptr := iterator.Front(ctx) 21123 for ptr != nil { 21124 element := (*ProcessCacheEntry)(ptr) 21125 result := element.ProcessContext.Process.TTYName 21126 values = append(values, result) 21127 ptr = iterator.Next() 21128 } 21129 return values, nil 21130 case "ptrace.tracee.ancestors.uid": 21131 var values []int 21132 ctx := eval.NewContext(ev) 21133 iterator := &ProcessAncestorsIterator{} 21134 ptr := iterator.Front(ctx) 21135 for ptr != nil { 21136 element := (*ProcessCacheEntry)(ptr) 21137 result := 
int(element.ProcessContext.Process.Credentials.UID) 21138 values = append(values, result) 21139 ptr = iterator.Next() 21140 } 21141 return values, nil 21142 case "ptrace.tracee.ancestors.user": 21143 var values []string 21144 ctx := eval.NewContext(ev) 21145 iterator := &ProcessAncestorsIterator{} 21146 ptr := iterator.Front(ctx) 21147 for ptr != nil { 21148 element := (*ProcessCacheEntry)(ptr) 21149 result := element.ProcessContext.Process.Credentials.User 21150 values = append(values, result) 21151 ptr = iterator.Next() 21152 } 21153 return values, nil 21154 case "ptrace.tracee.ancestors.user_session.k8s_groups": 21155 var values []string 21156 ctx := eval.NewContext(ev) 21157 iterator := &ProcessAncestorsIterator{} 21158 ptr := iterator.Front(ctx) 21159 for ptr != nil { 21160 element := (*ProcessCacheEntry)(ptr) 21161 result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession) 21162 values = append(values, result...) 21163 ptr = iterator.Next() 21164 } 21165 return values, nil 21166 case "ptrace.tracee.ancestors.user_session.k8s_uid": 21167 var values []string 21168 ctx := eval.NewContext(ev) 21169 iterator := &ProcessAncestorsIterator{} 21170 ptr := iterator.Front(ctx) 21171 for ptr != nil { 21172 element := (*ProcessCacheEntry)(ptr) 21173 result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession) 21174 values = append(values, result) 21175 ptr = iterator.Next() 21176 } 21177 return values, nil 21178 case "ptrace.tracee.ancestors.user_session.k8s_username": 21179 var values []string 21180 ctx := eval.NewContext(ev) 21181 iterator := &ProcessAncestorsIterator{} 21182 ptr := iterator.Front(ctx) 21183 for ptr != nil { 21184 element := (*ProcessCacheEntry)(ptr) 21185 result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession) 21186 values = append(values, result) 21187 ptr = iterator.Next() 21188 } 21189 return values, nil 21190 case "ptrace.tracee.args": 21191 return 
ev.FieldHandlers.ResolveProcessArgs(ev, &ev.PTrace.Tracee.Process), nil 21192 case "ptrace.tracee.args_flags": 21193 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.PTrace.Tracee.Process), nil 21194 case "ptrace.tracee.args_options": 21195 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.PTrace.Tracee.Process), nil 21196 case "ptrace.tracee.args_truncated": 21197 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.PTrace.Tracee.Process), nil 21198 case "ptrace.tracee.argv": 21199 return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.PTrace.Tracee.Process), nil 21200 case "ptrace.tracee.argv0": 21201 return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.PTrace.Tracee.Process), nil 21202 case "ptrace.tracee.cap_effective": 21203 return int(ev.PTrace.Tracee.Process.Credentials.CapEffective), nil 21204 case "ptrace.tracee.cap_permitted": 21205 return int(ev.PTrace.Tracee.Process.Credentials.CapPermitted), nil 21206 case "ptrace.tracee.comm": 21207 return ev.PTrace.Tracee.Process.Comm, nil 21208 case "ptrace.tracee.container.id": 21209 return ev.PTrace.Tracee.Process.ContainerID, nil 21210 case "ptrace.tracee.created_at": 21211 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.PTrace.Tracee.Process)), nil 21212 case "ptrace.tracee.egid": 21213 return int(ev.PTrace.Tracee.Process.Credentials.EGID), nil 21214 case "ptrace.tracee.egroup": 21215 return ev.PTrace.Tracee.Process.Credentials.EGroup, nil 21216 case "ptrace.tracee.envp": 21217 return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.PTrace.Tracee.Process), nil 21218 case "ptrace.tracee.envs": 21219 return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.PTrace.Tracee.Process), nil 21220 case "ptrace.tracee.envs_truncated": 21221 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.PTrace.Tracee.Process), nil 21222 case "ptrace.tracee.euid": 21223 return int(ev.PTrace.Tracee.Process.Credentials.EUID), nil 21224 case "ptrace.tracee.euser": 21225 return 
ev.PTrace.Tracee.Process.Credentials.EUser, nil 21226 case "ptrace.tracee.file.change_time": 21227 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21228 return 0, &eval.ErrNotSupported{Field: field} 21229 } 21230 return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.CTime), nil 21231 case "ptrace.tracee.file.filesystem": 21232 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21233 return "", &eval.ErrNotSupported{Field: field} 21234 } 21235 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Process.FileEvent), nil 21236 case "ptrace.tracee.file.gid": 21237 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21238 return 0, &eval.ErrNotSupported{Field: field} 21239 } 21240 return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.GID), nil 21241 case "ptrace.tracee.file.group": 21242 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21243 return "", &eval.ErrNotSupported{Field: field} 21244 } 21245 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields), nil 21246 case "ptrace.tracee.file.hashes": 21247 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21248 return []string{}, &eval.ErrNotSupported{Field: field} 21249 } 21250 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Process.FileEvent), nil 21251 case "ptrace.tracee.file.in_upper_layer": 21252 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21253 return false, &eval.ErrNotSupported{Field: field} 21254 } 21255 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields), nil 21256 case "ptrace.tracee.file.inode": 21257 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21258 return 0, &eval.ErrNotSupported{Field: field} 21259 } 21260 return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.PathKey.Inode), nil 21261 case "ptrace.tracee.file.mode": 21262 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21263 return 0, &eval.ErrNotSupported{Field: field} 21264 } 21265 return 
int(ev.PTrace.Tracee.Process.FileEvent.FileFields.Mode), nil 21266 case "ptrace.tracee.file.modification_time": 21267 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21268 return 0, &eval.ErrNotSupported{Field: field} 21269 } 21270 return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.MTime), nil 21271 case "ptrace.tracee.file.mount_id": 21272 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21273 return 0, &eval.ErrNotSupported{Field: field} 21274 } 21275 return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.PathKey.MountID), nil 21276 case "ptrace.tracee.file.name": 21277 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21278 return "", &eval.ErrNotSupported{Field: field} 21279 } 21280 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.FileEvent), nil 21281 case "ptrace.tracee.file.name.length": 21282 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.FileEvent), nil 21283 case "ptrace.tracee.file.package.name": 21284 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21285 return "", &eval.ErrNotSupported{Field: field} 21286 } 21287 return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Process.FileEvent), nil 21288 case "ptrace.tracee.file.package.source_version": 21289 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21290 return "", &eval.ErrNotSupported{Field: field} 21291 } 21292 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Process.FileEvent), nil 21293 case "ptrace.tracee.file.package.version": 21294 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21295 return "", &eval.ErrNotSupported{Field: field} 21296 } 21297 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Process.FileEvent), nil 21298 case "ptrace.tracee.file.path": 21299 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21300 return "", &eval.ErrNotSupported{Field: field} 21301 } 21302 return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.FileEvent), nil 21303 case 
"ptrace.tracee.file.path.length": 21304 return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.FileEvent), nil 21305 case "ptrace.tracee.file.rights": 21306 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21307 return 0, &eval.ErrNotSupported{Field: field} 21308 } 21309 return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields)), nil 21310 case "ptrace.tracee.file.uid": 21311 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21312 return 0, &eval.ErrNotSupported{Field: field} 21313 } 21314 return int(ev.PTrace.Tracee.Process.FileEvent.FileFields.UID), nil 21315 case "ptrace.tracee.file.user": 21316 if !ev.PTrace.Tracee.Process.IsNotKworker() { 21317 return "", &eval.ErrNotSupported{Field: field} 21318 } 21319 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Process.FileEvent.FileFields), nil 21320 case "ptrace.tracee.fsgid": 21321 return int(ev.PTrace.Tracee.Process.Credentials.FSGID), nil 21322 case "ptrace.tracee.fsgroup": 21323 return ev.PTrace.Tracee.Process.Credentials.FSGroup, nil 21324 case "ptrace.tracee.fsuid": 21325 return int(ev.PTrace.Tracee.Process.Credentials.FSUID), nil 21326 case "ptrace.tracee.fsuser": 21327 return ev.PTrace.Tracee.Process.Credentials.FSUser, nil 21328 case "ptrace.tracee.gid": 21329 return int(ev.PTrace.Tracee.Process.Credentials.GID), nil 21330 case "ptrace.tracee.group": 21331 return ev.PTrace.Tracee.Process.Credentials.Group, nil 21332 case "ptrace.tracee.interpreter.file.change_time": 21333 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21334 return 0, &eval.ErrNotSupported{Field: field} 21335 } 21336 return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.CTime), nil 21337 case "ptrace.tracee.interpreter.file.filesystem": 21338 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21339 return "", &eval.ErrNotSupported{Field: field} 21340 } 21341 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil 21342 
case "ptrace.tracee.interpreter.file.gid": 21343 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21344 return 0, &eval.ErrNotSupported{Field: field} 21345 } 21346 return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.GID), nil 21347 case "ptrace.tracee.interpreter.file.group": 21348 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21349 return "", &eval.ErrNotSupported{Field: field} 21350 } 21351 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields), nil 21352 case "ptrace.tracee.interpreter.file.hashes": 21353 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21354 return []string{}, &eval.ErrNotSupported{Field: field} 21355 } 21356 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil 21357 case "ptrace.tracee.interpreter.file.in_upper_layer": 21358 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21359 return false, &eval.ErrNotSupported{Field: field} 21360 } 21361 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields), nil 21362 case "ptrace.tracee.interpreter.file.inode": 21363 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21364 return 0, &eval.ErrNotSupported{Field: field} 21365 } 21366 return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil 21367 case "ptrace.tracee.interpreter.file.mode": 21368 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21369 return 0, &eval.ErrNotSupported{Field: field} 21370 } 21371 return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.Mode), nil 21372 case "ptrace.tracee.interpreter.file.modification_time": 21373 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21374 return 0, &eval.ErrNotSupported{Field: field} 21375 } 21376 return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.MTime), nil 21377 case "ptrace.tracee.interpreter.file.mount_id": 21378 if 
!ev.PTrace.Tracee.Process.HasInterpreter() { 21379 return 0, &eval.ErrNotSupported{Field: field} 21380 } 21381 return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil 21382 case "ptrace.tracee.interpreter.file.name": 21383 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21384 return "", &eval.ErrNotSupported{Field: field} 21385 } 21386 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil 21387 case "ptrace.tracee.interpreter.file.name.length": 21388 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil 21389 case "ptrace.tracee.interpreter.file.package.name": 21390 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21391 return "", &eval.ErrNotSupported{Field: field} 21392 } 21393 return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil 21394 case "ptrace.tracee.interpreter.file.package.source_version": 21395 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21396 return "", &eval.ErrNotSupported{Field: field} 21397 } 21398 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil 21399 case "ptrace.tracee.interpreter.file.package.version": 21400 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21401 return "", &eval.ErrNotSupported{Field: field} 21402 } 21403 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil 21404 case "ptrace.tracee.interpreter.file.path": 21405 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21406 return "", &eval.ErrNotSupported{Field: field} 21407 } 21408 return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil 21409 case "ptrace.tracee.interpreter.file.path.length": 21410 return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent), nil 21411 case "ptrace.tracee.interpreter.file.rights": 21412 if 
!ev.PTrace.Tracee.Process.HasInterpreter() { 21413 return 0, &eval.ErrNotSupported{Field: field} 21414 } 21415 return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields)), nil 21416 case "ptrace.tracee.interpreter.file.uid": 21417 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21418 return 0, &eval.ErrNotSupported{Field: field} 21419 } 21420 return int(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.UID), nil 21421 case "ptrace.tracee.interpreter.file.user": 21422 if !ev.PTrace.Tracee.Process.HasInterpreter() { 21423 return "", &eval.ErrNotSupported{Field: field} 21424 } 21425 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields), nil 21426 case "ptrace.tracee.is_kworker": 21427 return ev.PTrace.Tracee.Process.PIDContext.IsKworker, nil 21428 case "ptrace.tracee.is_thread": 21429 return ev.PTrace.Tracee.Process.IsThread, nil 21430 case "ptrace.tracee.parent.args": 21431 if !ev.PTrace.Tracee.HasParent() { 21432 return "", &eval.ErrNotSupported{Field: field} 21433 } 21434 return ev.FieldHandlers.ResolveProcessArgs(ev, ev.PTrace.Tracee.Parent), nil 21435 case "ptrace.tracee.parent.args_flags": 21436 if !ev.PTrace.Tracee.HasParent() { 21437 return []string{}, &eval.ErrNotSupported{Field: field} 21438 } 21439 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.PTrace.Tracee.Parent), nil 21440 case "ptrace.tracee.parent.args_options": 21441 if !ev.PTrace.Tracee.HasParent() { 21442 return []string{}, &eval.ErrNotSupported{Field: field} 21443 } 21444 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.PTrace.Tracee.Parent), nil 21445 case "ptrace.tracee.parent.args_truncated": 21446 if !ev.PTrace.Tracee.HasParent() { 21447 return false, &eval.ErrNotSupported{Field: field} 21448 } 21449 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.PTrace.Tracee.Parent), nil 21450 case "ptrace.tracee.parent.argv": 21451 if !ev.PTrace.Tracee.HasParent() { 
21452 return []string{}, &eval.ErrNotSupported{Field: field} 21453 } 21454 return ev.FieldHandlers.ResolveProcessArgv(ev, ev.PTrace.Tracee.Parent), nil 21455 case "ptrace.tracee.parent.argv0": 21456 if !ev.PTrace.Tracee.HasParent() { 21457 return "", &eval.ErrNotSupported{Field: field} 21458 } 21459 return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.PTrace.Tracee.Parent), nil 21460 case "ptrace.tracee.parent.cap_effective": 21461 if !ev.PTrace.Tracee.HasParent() { 21462 return 0, &eval.ErrNotSupported{Field: field} 21463 } 21464 return int(ev.PTrace.Tracee.Parent.Credentials.CapEffective), nil 21465 case "ptrace.tracee.parent.cap_permitted": 21466 if !ev.PTrace.Tracee.HasParent() { 21467 return 0, &eval.ErrNotSupported{Field: field} 21468 } 21469 return int(ev.PTrace.Tracee.Parent.Credentials.CapPermitted), nil 21470 case "ptrace.tracee.parent.comm": 21471 if !ev.PTrace.Tracee.HasParent() { 21472 return "", &eval.ErrNotSupported{Field: field} 21473 } 21474 return ev.PTrace.Tracee.Parent.Comm, nil 21475 case "ptrace.tracee.parent.container.id": 21476 if !ev.PTrace.Tracee.HasParent() { 21477 return "", &eval.ErrNotSupported{Field: field} 21478 } 21479 return ev.PTrace.Tracee.Parent.ContainerID, nil 21480 case "ptrace.tracee.parent.created_at": 21481 if !ev.PTrace.Tracee.HasParent() { 21482 return 0, &eval.ErrNotSupported{Field: field} 21483 } 21484 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.PTrace.Tracee.Parent)), nil 21485 case "ptrace.tracee.parent.egid": 21486 if !ev.PTrace.Tracee.HasParent() { 21487 return 0, &eval.ErrNotSupported{Field: field} 21488 } 21489 return int(ev.PTrace.Tracee.Parent.Credentials.EGID), nil 21490 case "ptrace.tracee.parent.egroup": 21491 if !ev.PTrace.Tracee.HasParent() { 21492 return "", &eval.ErrNotSupported{Field: field} 21493 } 21494 return ev.PTrace.Tracee.Parent.Credentials.EGroup, nil 21495 case "ptrace.tracee.parent.envp": 21496 if !ev.PTrace.Tracee.HasParent() { 21497 return []string{}, 
&eval.ErrNotSupported{Field: field} 21498 } 21499 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.PTrace.Tracee.Parent), nil 21500 case "ptrace.tracee.parent.envs": 21501 if !ev.PTrace.Tracee.HasParent() { 21502 return []string{}, &eval.ErrNotSupported{Field: field} 21503 } 21504 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.PTrace.Tracee.Parent), nil 21505 case "ptrace.tracee.parent.envs_truncated": 21506 if !ev.PTrace.Tracee.HasParent() { 21507 return false, &eval.ErrNotSupported{Field: field} 21508 } 21509 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.PTrace.Tracee.Parent), nil 21510 case "ptrace.tracee.parent.euid": 21511 if !ev.PTrace.Tracee.HasParent() { 21512 return 0, &eval.ErrNotSupported{Field: field} 21513 } 21514 return int(ev.PTrace.Tracee.Parent.Credentials.EUID), nil 21515 case "ptrace.tracee.parent.euser": 21516 if !ev.PTrace.Tracee.HasParent() { 21517 return "", &eval.ErrNotSupported{Field: field} 21518 } 21519 return ev.PTrace.Tracee.Parent.Credentials.EUser, nil 21520 case "ptrace.tracee.parent.file.change_time": 21521 if !ev.PTrace.Tracee.HasParent() { 21522 return 0, &eval.ErrNotSupported{Field: field} 21523 } 21524 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21525 return 0, &eval.ErrNotSupported{Field: field} 21526 } 21527 return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.CTime), nil 21528 case "ptrace.tracee.parent.file.filesystem": 21529 if !ev.PTrace.Tracee.HasParent() { 21530 return "", &eval.ErrNotSupported{Field: field} 21531 } 21532 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21533 return "", &eval.ErrNotSupported{Field: field} 21534 } 21535 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil 21536 case "ptrace.tracee.parent.file.gid": 21537 if !ev.PTrace.Tracee.HasParent() { 21538 return 0, &eval.ErrNotSupported{Field: field} 21539 } 21540 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21541 return 0, &eval.ErrNotSupported{Field: field} 21542 } 21543 return 
int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.GID), nil 21544 case "ptrace.tracee.parent.file.group": 21545 if !ev.PTrace.Tracee.HasParent() { 21546 return "", &eval.ErrNotSupported{Field: field} 21547 } 21548 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21549 return "", &eval.ErrNotSupported{Field: field} 21550 } 21551 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields), nil 21552 case "ptrace.tracee.parent.file.hashes": 21553 if !ev.PTrace.Tracee.HasParent() { 21554 return []string{}, &eval.ErrNotSupported{Field: field} 21555 } 21556 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21557 return []string{}, &eval.ErrNotSupported{Field: field} 21558 } 21559 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil 21560 case "ptrace.tracee.parent.file.in_upper_layer": 21561 if !ev.PTrace.Tracee.HasParent() { 21562 return false, &eval.ErrNotSupported{Field: field} 21563 } 21564 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21565 return false, &eval.ErrNotSupported{Field: field} 21566 } 21567 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields), nil 21568 case "ptrace.tracee.parent.file.inode": 21569 if !ev.PTrace.Tracee.HasParent() { 21570 return 0, &eval.ErrNotSupported{Field: field} 21571 } 21572 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21573 return 0, &eval.ErrNotSupported{Field: field} 21574 } 21575 return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.PathKey.Inode), nil 21576 case "ptrace.tracee.parent.file.mode": 21577 if !ev.PTrace.Tracee.HasParent() { 21578 return 0, &eval.ErrNotSupported{Field: field} 21579 } 21580 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21581 return 0, &eval.ErrNotSupported{Field: field} 21582 } 21583 return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.Mode), nil 21584 case "ptrace.tracee.parent.file.modification_time": 21585 if !ev.PTrace.Tracee.HasParent() { 21586 return 0, 
&eval.ErrNotSupported{Field: field} 21587 } 21588 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21589 return 0, &eval.ErrNotSupported{Field: field} 21590 } 21591 return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.MTime), nil 21592 case "ptrace.tracee.parent.file.mount_id": 21593 if !ev.PTrace.Tracee.HasParent() { 21594 return 0, &eval.ErrNotSupported{Field: field} 21595 } 21596 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21597 return 0, &eval.ErrNotSupported{Field: field} 21598 } 21599 return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.PathKey.MountID), nil 21600 case "ptrace.tracee.parent.file.name": 21601 if !ev.PTrace.Tracee.HasParent() { 21602 return "", &eval.ErrNotSupported{Field: field} 21603 } 21604 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21605 return "", &eval.ErrNotSupported{Field: field} 21606 } 21607 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil 21608 case "ptrace.tracee.parent.file.name.length": 21609 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil 21610 case "ptrace.tracee.parent.file.package.name": 21611 if !ev.PTrace.Tracee.HasParent() { 21612 return "", &eval.ErrNotSupported{Field: field} 21613 } 21614 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21615 return "", &eval.ErrNotSupported{Field: field} 21616 } 21617 return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil 21618 case "ptrace.tracee.parent.file.package.source_version": 21619 if !ev.PTrace.Tracee.HasParent() { 21620 return "", &eval.ErrNotSupported{Field: field} 21621 } 21622 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21623 return "", &eval.ErrNotSupported{Field: field} 21624 } 21625 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil 21626 case "ptrace.tracee.parent.file.package.version": 21627 if !ev.PTrace.Tracee.HasParent() { 21628 return "", &eval.ErrNotSupported{Field: field} 21629 } 21630 if 
!ev.PTrace.Tracee.Parent.IsNotKworker() { 21631 return "", &eval.ErrNotSupported{Field: field} 21632 } 21633 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil 21634 case "ptrace.tracee.parent.file.path": 21635 if !ev.PTrace.Tracee.HasParent() { 21636 return "", &eval.ErrNotSupported{Field: field} 21637 } 21638 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21639 return "", &eval.ErrNotSupported{Field: field} 21640 } 21641 return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil 21642 case "ptrace.tracee.parent.file.path.length": 21643 return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.FileEvent), nil 21644 case "ptrace.tracee.parent.file.rights": 21645 if !ev.PTrace.Tracee.HasParent() { 21646 return 0, &eval.ErrNotSupported{Field: field} 21647 } 21648 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21649 return 0, &eval.ErrNotSupported{Field: field} 21650 } 21651 return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields)), nil 21652 case "ptrace.tracee.parent.file.uid": 21653 if !ev.PTrace.Tracee.HasParent() { 21654 return 0, &eval.ErrNotSupported{Field: field} 21655 } 21656 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21657 return 0, &eval.ErrNotSupported{Field: field} 21658 } 21659 return int(ev.PTrace.Tracee.Parent.FileEvent.FileFields.UID), nil 21660 case "ptrace.tracee.parent.file.user": 21661 if !ev.PTrace.Tracee.HasParent() { 21662 return "", &eval.ErrNotSupported{Field: field} 21663 } 21664 if !ev.PTrace.Tracee.Parent.IsNotKworker() { 21665 return "", &eval.ErrNotSupported{Field: field} 21666 } 21667 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Parent.FileEvent.FileFields), nil 21668 case "ptrace.tracee.parent.fsgid": 21669 if !ev.PTrace.Tracee.HasParent() { 21670 return 0, &eval.ErrNotSupported{Field: field} 21671 } 21672 return int(ev.PTrace.Tracee.Parent.Credentials.FSGID), nil 21673 case 
"ptrace.tracee.parent.fsgroup": 21674 if !ev.PTrace.Tracee.HasParent() { 21675 return "", &eval.ErrNotSupported{Field: field} 21676 } 21677 return ev.PTrace.Tracee.Parent.Credentials.FSGroup, nil 21678 case "ptrace.tracee.parent.fsuid": 21679 if !ev.PTrace.Tracee.HasParent() { 21680 return 0, &eval.ErrNotSupported{Field: field} 21681 } 21682 return int(ev.PTrace.Tracee.Parent.Credentials.FSUID), nil 21683 case "ptrace.tracee.parent.fsuser": 21684 if !ev.PTrace.Tracee.HasParent() { 21685 return "", &eval.ErrNotSupported{Field: field} 21686 } 21687 return ev.PTrace.Tracee.Parent.Credentials.FSUser, nil 21688 case "ptrace.tracee.parent.gid": 21689 if !ev.PTrace.Tracee.HasParent() { 21690 return 0, &eval.ErrNotSupported{Field: field} 21691 } 21692 return int(ev.PTrace.Tracee.Parent.Credentials.GID), nil 21693 case "ptrace.tracee.parent.group": 21694 if !ev.PTrace.Tracee.HasParent() { 21695 return "", &eval.ErrNotSupported{Field: field} 21696 } 21697 return ev.PTrace.Tracee.Parent.Credentials.Group, nil 21698 case "ptrace.tracee.parent.interpreter.file.change_time": 21699 if !ev.PTrace.Tracee.HasParent() { 21700 return 0, &eval.ErrNotSupported{Field: field} 21701 } 21702 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21703 return 0, &eval.ErrNotSupported{Field: field} 21704 } 21705 return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.CTime), nil 21706 case "ptrace.tracee.parent.interpreter.file.filesystem": 21707 if !ev.PTrace.Tracee.HasParent() { 21708 return "", &eval.ErrNotSupported{Field: field} 21709 } 21710 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21711 return "", &eval.ErrNotSupported{Field: field} 21712 } 21713 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil 21714 case "ptrace.tracee.parent.interpreter.file.gid": 21715 if !ev.PTrace.Tracee.HasParent() { 21716 return 0, &eval.ErrNotSupported{Field: field} 21717 } 21718 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21719 return 0, 
&eval.ErrNotSupported{Field: field} 21720 } 21721 return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.GID), nil 21722 case "ptrace.tracee.parent.interpreter.file.group": 21723 if !ev.PTrace.Tracee.HasParent() { 21724 return "", &eval.ErrNotSupported{Field: field} 21725 } 21726 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21727 return "", &eval.ErrNotSupported{Field: field} 21728 } 21729 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields), nil 21730 case "ptrace.tracee.parent.interpreter.file.hashes": 21731 if !ev.PTrace.Tracee.HasParent() { 21732 return []string{}, &eval.ErrNotSupported{Field: field} 21733 } 21734 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21735 return []string{}, &eval.ErrNotSupported{Field: field} 21736 } 21737 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil 21738 case "ptrace.tracee.parent.interpreter.file.in_upper_layer": 21739 if !ev.PTrace.Tracee.HasParent() { 21740 return false, &eval.ErrNotSupported{Field: field} 21741 } 21742 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21743 return false, &eval.ErrNotSupported{Field: field} 21744 } 21745 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields), nil 21746 case "ptrace.tracee.parent.interpreter.file.inode": 21747 if !ev.PTrace.Tracee.HasParent() { 21748 return 0, &eval.ErrNotSupported{Field: field} 21749 } 21750 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21751 return 0, &eval.ErrNotSupported{Field: field} 21752 } 21753 return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil 21754 case "ptrace.tracee.parent.interpreter.file.mode": 21755 if !ev.PTrace.Tracee.HasParent() { 21756 return 0, &eval.ErrNotSupported{Field: field} 21757 } 21758 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21759 return 0, &eval.ErrNotSupported{Field: field} 21760 } 21761 return 
int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.Mode), nil 21762 case "ptrace.tracee.parent.interpreter.file.modification_time": 21763 if !ev.PTrace.Tracee.HasParent() { 21764 return 0, &eval.ErrNotSupported{Field: field} 21765 } 21766 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21767 return 0, &eval.ErrNotSupported{Field: field} 21768 } 21769 return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.MTime), nil 21770 case "ptrace.tracee.parent.interpreter.file.mount_id": 21771 if !ev.PTrace.Tracee.HasParent() { 21772 return 0, &eval.ErrNotSupported{Field: field} 21773 } 21774 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21775 return 0, &eval.ErrNotSupported{Field: field} 21776 } 21777 return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil 21778 case "ptrace.tracee.parent.interpreter.file.name": 21779 if !ev.PTrace.Tracee.HasParent() { 21780 return "", &eval.ErrNotSupported{Field: field} 21781 } 21782 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21783 return "", &eval.ErrNotSupported{Field: field} 21784 } 21785 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil 21786 case "ptrace.tracee.parent.interpreter.file.name.length": 21787 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil 21788 case "ptrace.tracee.parent.interpreter.file.package.name": 21789 if !ev.PTrace.Tracee.HasParent() { 21790 return "", &eval.ErrNotSupported{Field: field} 21791 } 21792 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21793 return "", &eval.ErrNotSupported{Field: field} 21794 } 21795 return ev.FieldHandlers.ResolvePackageName(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil 21796 case "ptrace.tracee.parent.interpreter.file.package.source_version": 21797 if !ev.PTrace.Tracee.HasParent() { 21798 return "", &eval.ErrNotSupported{Field: field} 21799 } 21800 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21801 return "", 
&eval.ErrNotSupported{Field: field} 21802 } 21803 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil 21804 case "ptrace.tracee.parent.interpreter.file.package.version": 21805 if !ev.PTrace.Tracee.HasParent() { 21806 return "", &eval.ErrNotSupported{Field: field} 21807 } 21808 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21809 return "", &eval.ErrNotSupported{Field: field} 21810 } 21811 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil 21812 case "ptrace.tracee.parent.interpreter.file.path": 21813 if !ev.PTrace.Tracee.HasParent() { 21814 return "", &eval.ErrNotSupported{Field: field} 21815 } 21816 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21817 return "", &eval.ErrNotSupported{Field: field} 21818 } 21819 return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil 21820 case "ptrace.tracee.parent.interpreter.file.path.length": 21821 return ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent), nil 21822 case "ptrace.tracee.parent.interpreter.file.rights": 21823 if !ev.PTrace.Tracee.HasParent() { 21824 return 0, &eval.ErrNotSupported{Field: field} 21825 } 21826 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21827 return 0, &eval.ErrNotSupported{Field: field} 21828 } 21829 return int(ev.FieldHandlers.ResolveRights(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields)), nil 21830 case "ptrace.tracee.parent.interpreter.file.uid": 21831 if !ev.PTrace.Tracee.HasParent() { 21832 return 0, &eval.ErrNotSupported{Field: field} 21833 } 21834 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21835 return 0, &eval.ErrNotSupported{Field: field} 21836 } 21837 return int(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.UID), nil 21838 case "ptrace.tracee.parent.interpreter.file.user": 21839 if !ev.PTrace.Tracee.HasParent() { 21840 return "", &eval.ErrNotSupported{Field: field} 21841 } 
21842 if !ev.PTrace.Tracee.Parent.HasInterpreter() { 21843 return "", &eval.ErrNotSupported{Field: field} 21844 } 21845 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields), nil 21846 case "ptrace.tracee.parent.is_kworker": 21847 if !ev.PTrace.Tracee.HasParent() { 21848 return false, &eval.ErrNotSupported{Field: field} 21849 } 21850 return ev.PTrace.Tracee.Parent.PIDContext.IsKworker, nil 21851 case "ptrace.tracee.parent.is_thread": 21852 if !ev.PTrace.Tracee.HasParent() { 21853 return false, &eval.ErrNotSupported{Field: field} 21854 } 21855 return ev.PTrace.Tracee.Parent.IsThread, nil 21856 case "ptrace.tracee.parent.pid": 21857 if !ev.PTrace.Tracee.HasParent() { 21858 return 0, &eval.ErrNotSupported{Field: field} 21859 } 21860 return int(ev.PTrace.Tracee.Parent.PIDContext.Pid), nil 21861 case "ptrace.tracee.parent.ppid": 21862 if !ev.PTrace.Tracee.HasParent() { 21863 return 0, &eval.ErrNotSupported{Field: field} 21864 } 21865 return int(ev.PTrace.Tracee.Parent.PPid), nil 21866 case "ptrace.tracee.parent.tid": 21867 if !ev.PTrace.Tracee.HasParent() { 21868 return 0, &eval.ErrNotSupported{Field: field} 21869 } 21870 return int(ev.PTrace.Tracee.Parent.PIDContext.Tid), nil 21871 case "ptrace.tracee.parent.tty_name": 21872 if !ev.PTrace.Tracee.HasParent() { 21873 return "", &eval.ErrNotSupported{Field: field} 21874 } 21875 return ev.PTrace.Tracee.Parent.TTYName, nil 21876 case "ptrace.tracee.parent.uid": 21877 if !ev.PTrace.Tracee.HasParent() { 21878 return 0, &eval.ErrNotSupported{Field: field} 21879 } 21880 return int(ev.PTrace.Tracee.Parent.Credentials.UID), nil 21881 case "ptrace.tracee.parent.user": 21882 if !ev.PTrace.Tracee.HasParent() { 21883 return "", &eval.ErrNotSupported{Field: field} 21884 } 21885 return ev.PTrace.Tracee.Parent.Credentials.User, nil 21886 case "ptrace.tracee.parent.user_session.k8s_groups": 21887 if !ev.PTrace.Tracee.HasParent() { 21888 return []string{}, &eval.ErrNotSupported{Field: 
field} 21889 } 21890 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.PTrace.Tracee.Parent.UserSession), nil 21891 case "ptrace.tracee.parent.user_session.k8s_uid": 21892 if !ev.PTrace.Tracee.HasParent() { 21893 return "", &eval.ErrNotSupported{Field: field} 21894 } 21895 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.PTrace.Tracee.Parent.UserSession), nil 21896 case "ptrace.tracee.parent.user_session.k8s_username": 21897 if !ev.PTrace.Tracee.HasParent() { 21898 return "", &eval.ErrNotSupported{Field: field} 21899 } 21900 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.PTrace.Tracee.Parent.UserSession), nil 21901 case "ptrace.tracee.pid": 21902 return int(ev.PTrace.Tracee.Process.PIDContext.Pid), nil 21903 case "ptrace.tracee.ppid": 21904 return int(ev.PTrace.Tracee.Process.PPid), nil 21905 case "ptrace.tracee.tid": 21906 return int(ev.PTrace.Tracee.Process.PIDContext.Tid), nil 21907 case "ptrace.tracee.tty_name": 21908 return ev.PTrace.Tracee.Process.TTYName, nil 21909 case "ptrace.tracee.uid": 21910 return int(ev.PTrace.Tracee.Process.Credentials.UID), nil 21911 case "ptrace.tracee.user": 21912 return ev.PTrace.Tracee.Process.Credentials.User, nil 21913 case "ptrace.tracee.user_session.k8s_groups": 21914 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.PTrace.Tracee.Process.UserSession), nil 21915 case "ptrace.tracee.user_session.k8s_uid": 21916 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.PTrace.Tracee.Process.UserSession), nil 21917 case "ptrace.tracee.user_session.k8s_username": 21918 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.PTrace.Tracee.Process.UserSession), nil 21919 case "removexattr.file.change_time": 21920 return int(ev.RemoveXAttr.File.FileFields.CTime), nil 21921 case "removexattr.file.destination.name": 21922 return ev.FieldHandlers.ResolveXAttrName(ev, &ev.RemoveXAttr), nil 21923 case "removexattr.file.destination.namespace": 21924 return ev.FieldHandlers.ResolveXAttrNamespace(ev, &ev.RemoveXAttr), nil 21925 case 
"removexattr.file.filesystem": 21926 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.RemoveXAttr.File), nil 21927 case "removexattr.file.gid": 21928 return int(ev.RemoveXAttr.File.FileFields.GID), nil 21929 case "removexattr.file.group": 21930 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.RemoveXAttr.File.FileFields), nil 21931 case "removexattr.file.hashes": 21932 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.RemoveXAttr.File), nil 21933 case "removexattr.file.in_upper_layer": 21934 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.RemoveXAttr.File.FileFields), nil 21935 case "removexattr.file.inode": 21936 return int(ev.RemoveXAttr.File.FileFields.PathKey.Inode), nil 21937 case "removexattr.file.mode": 21938 return int(ev.RemoveXAttr.File.FileFields.Mode), nil 21939 case "removexattr.file.modification_time": 21940 return int(ev.RemoveXAttr.File.FileFields.MTime), nil 21941 case "removexattr.file.mount_id": 21942 return int(ev.RemoveXAttr.File.FileFields.PathKey.MountID), nil 21943 case "removexattr.file.name": 21944 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.RemoveXAttr.File), nil 21945 case "removexattr.file.name.length": 21946 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.RemoveXAttr.File), nil 21947 case "removexattr.file.package.name": 21948 return ev.FieldHandlers.ResolvePackageName(ev, &ev.RemoveXAttr.File), nil 21949 case "removexattr.file.package.source_version": 21950 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.RemoveXAttr.File), nil 21951 case "removexattr.file.package.version": 21952 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.RemoveXAttr.File), nil 21953 case "removexattr.file.path": 21954 return ev.FieldHandlers.ResolveFilePath(ev, &ev.RemoveXAttr.File), nil 21955 case "removexattr.file.path.length": 21956 return ev.FieldHandlers.ResolveFilePath(ev, &ev.RemoveXAttr.File), nil 21957 case "removexattr.file.rights": 21958 return int(ev.FieldHandlers.ResolveRights(ev, 
&ev.RemoveXAttr.File.FileFields)), nil 21959 case "removexattr.file.uid": 21960 return int(ev.RemoveXAttr.File.FileFields.UID), nil 21961 case "removexattr.file.user": 21962 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.RemoveXAttr.File.FileFields), nil 21963 case "removexattr.retval": 21964 return int(ev.RemoveXAttr.SyscallEvent.Retval), nil 21965 case "rename.file.change_time": 21966 return int(ev.Rename.Old.FileFields.CTime), nil 21967 case "rename.file.destination.change_time": 21968 return int(ev.Rename.New.FileFields.CTime), nil 21969 case "rename.file.destination.filesystem": 21970 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rename.New), nil 21971 case "rename.file.destination.gid": 21972 return int(ev.Rename.New.FileFields.GID), nil 21973 case "rename.file.destination.group": 21974 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rename.New.FileFields), nil 21975 case "rename.file.destination.hashes": 21976 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rename.New), nil 21977 case "rename.file.destination.in_upper_layer": 21978 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rename.New.FileFields), nil 21979 case "rename.file.destination.inode": 21980 return int(ev.Rename.New.FileFields.PathKey.Inode), nil 21981 case "rename.file.destination.mode": 21982 return int(ev.Rename.New.FileFields.Mode), nil 21983 case "rename.file.destination.modification_time": 21984 return int(ev.Rename.New.FileFields.MTime), nil 21985 case "rename.file.destination.mount_id": 21986 return int(ev.Rename.New.FileFields.PathKey.MountID), nil 21987 case "rename.file.destination.name": 21988 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.New), nil 21989 case "rename.file.destination.name.length": 21990 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.New), nil 21991 case "rename.file.destination.package.name": 21992 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rename.New), nil 21993 case 
"rename.file.destination.package.source_version": 21994 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rename.New), nil 21995 case "rename.file.destination.package.version": 21996 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rename.New), nil 21997 case "rename.file.destination.path": 21998 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.New), nil 21999 case "rename.file.destination.path.length": 22000 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.New), nil 22001 case "rename.file.destination.rights": 22002 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Rename.New.FileFields)), nil 22003 case "rename.file.destination.uid": 22004 return int(ev.Rename.New.FileFields.UID), nil 22005 case "rename.file.destination.user": 22006 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rename.New.FileFields), nil 22007 case "rename.file.filesystem": 22008 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rename.Old), nil 22009 case "rename.file.gid": 22010 return int(ev.Rename.Old.FileFields.GID), nil 22011 case "rename.file.group": 22012 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rename.Old.FileFields), nil 22013 case "rename.file.hashes": 22014 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rename.Old), nil 22015 case "rename.file.in_upper_layer": 22016 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rename.Old.FileFields), nil 22017 case "rename.file.inode": 22018 return int(ev.Rename.Old.FileFields.PathKey.Inode), nil 22019 case "rename.file.mode": 22020 return int(ev.Rename.Old.FileFields.Mode), nil 22021 case "rename.file.modification_time": 22022 return int(ev.Rename.Old.FileFields.MTime), nil 22023 case "rename.file.mount_id": 22024 return int(ev.Rename.Old.FileFields.PathKey.MountID), nil 22025 case "rename.file.name": 22026 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.Old), nil 22027 case "rename.file.name.length": 22028 return ev.FieldHandlers.ResolveFileBasename(ev, 
&ev.Rename.Old), nil 22029 case "rename.file.package.name": 22030 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rename.Old), nil 22031 case "rename.file.package.source_version": 22032 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rename.Old), nil 22033 case "rename.file.package.version": 22034 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rename.Old), nil 22035 case "rename.file.path": 22036 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.Old), nil 22037 case "rename.file.path.length": 22038 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.Old), nil 22039 case "rename.file.rights": 22040 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Rename.Old.FileFields)), nil 22041 case "rename.file.uid": 22042 return int(ev.Rename.Old.FileFields.UID), nil 22043 case "rename.file.user": 22044 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rename.Old.FileFields), nil 22045 case "rename.retval": 22046 return int(ev.Rename.SyscallEvent.Retval), nil 22047 case "rmdir.file.change_time": 22048 return int(ev.Rmdir.File.FileFields.CTime), nil 22049 case "rmdir.file.filesystem": 22050 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rmdir.File), nil 22051 case "rmdir.file.gid": 22052 return int(ev.Rmdir.File.FileFields.GID), nil 22053 case "rmdir.file.group": 22054 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rmdir.File.FileFields), nil 22055 case "rmdir.file.hashes": 22056 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rmdir.File), nil 22057 case "rmdir.file.in_upper_layer": 22058 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rmdir.File.FileFields), nil 22059 case "rmdir.file.inode": 22060 return int(ev.Rmdir.File.FileFields.PathKey.Inode), nil 22061 case "rmdir.file.mode": 22062 return int(ev.Rmdir.File.FileFields.Mode), nil 22063 case "rmdir.file.modification_time": 22064 return int(ev.Rmdir.File.FileFields.MTime), nil 22065 case "rmdir.file.mount_id": 22066 return 
int(ev.Rmdir.File.FileFields.PathKey.MountID), nil 22067 case "rmdir.file.name": 22068 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rmdir.File), nil 22069 case "rmdir.file.name.length": 22070 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rmdir.File), nil 22071 case "rmdir.file.package.name": 22072 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rmdir.File), nil 22073 case "rmdir.file.package.source_version": 22074 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rmdir.File), nil 22075 case "rmdir.file.package.version": 22076 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rmdir.File), nil 22077 case "rmdir.file.path": 22078 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rmdir.File), nil 22079 case "rmdir.file.path.length": 22080 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rmdir.File), nil 22081 case "rmdir.file.rights": 22082 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Rmdir.File.FileFields)), nil 22083 case "rmdir.file.uid": 22084 return int(ev.Rmdir.File.FileFields.UID), nil 22085 case "rmdir.file.user": 22086 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rmdir.File.FileFields), nil 22087 case "rmdir.retval": 22088 return int(ev.Rmdir.SyscallEvent.Retval), nil 22089 case "selinux.bool.name": 22090 return ev.FieldHandlers.ResolveSELinuxBoolName(ev, &ev.SELinux), nil 22091 case "selinux.bool.state": 22092 return ev.SELinux.BoolChangeValue, nil 22093 case "selinux.bool_commit.state": 22094 return ev.SELinux.BoolCommitValue, nil 22095 case "selinux.enforce.status": 22096 return ev.SELinux.EnforceStatus, nil 22097 case "setgid.egid": 22098 return int(ev.SetGID.EGID), nil 22099 case "setgid.egroup": 22100 return ev.FieldHandlers.ResolveSetgidEGroup(ev, &ev.SetGID), nil 22101 case "setgid.fsgid": 22102 return int(ev.SetGID.FSGID), nil 22103 case "setgid.fsgroup": 22104 return ev.FieldHandlers.ResolveSetgidFSGroup(ev, &ev.SetGID), nil 22105 case "setgid.gid": 22106 return int(ev.SetGID.GID), nil 22107 case 
"setgid.group": 22108 return ev.FieldHandlers.ResolveSetgidGroup(ev, &ev.SetGID), nil 22109 case "setuid.euid": 22110 return int(ev.SetUID.EUID), nil 22111 case "setuid.euser": 22112 return ev.FieldHandlers.ResolveSetuidEUser(ev, &ev.SetUID), nil 22113 case "setuid.fsuid": 22114 return int(ev.SetUID.FSUID), nil 22115 case "setuid.fsuser": 22116 return ev.FieldHandlers.ResolveSetuidFSUser(ev, &ev.SetUID), nil 22117 case "setuid.uid": 22118 return int(ev.SetUID.UID), nil 22119 case "setuid.user": 22120 return ev.FieldHandlers.ResolveSetuidUser(ev, &ev.SetUID), nil 22121 case "setxattr.file.change_time": 22122 return int(ev.SetXAttr.File.FileFields.CTime), nil 22123 case "setxattr.file.destination.name": 22124 return ev.FieldHandlers.ResolveXAttrName(ev, &ev.SetXAttr), nil 22125 case "setxattr.file.destination.namespace": 22126 return ev.FieldHandlers.ResolveXAttrNamespace(ev, &ev.SetXAttr), nil 22127 case "setxattr.file.filesystem": 22128 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.SetXAttr.File), nil 22129 case "setxattr.file.gid": 22130 return int(ev.SetXAttr.File.FileFields.GID), nil 22131 case "setxattr.file.group": 22132 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.SetXAttr.File.FileFields), nil 22133 case "setxattr.file.hashes": 22134 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.SetXAttr.File), nil 22135 case "setxattr.file.in_upper_layer": 22136 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.SetXAttr.File.FileFields), nil 22137 case "setxattr.file.inode": 22138 return int(ev.SetXAttr.File.FileFields.PathKey.Inode), nil 22139 case "setxattr.file.mode": 22140 return int(ev.SetXAttr.File.FileFields.Mode), nil 22141 case "setxattr.file.modification_time": 22142 return int(ev.SetXAttr.File.FileFields.MTime), nil 22143 case "setxattr.file.mount_id": 22144 return int(ev.SetXAttr.File.FileFields.PathKey.MountID), nil 22145 case "setxattr.file.name": 22146 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.SetXAttr.File), 
nil 22147 case "setxattr.file.name.length": 22148 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.SetXAttr.File), nil 22149 case "setxattr.file.package.name": 22150 return ev.FieldHandlers.ResolvePackageName(ev, &ev.SetXAttr.File), nil 22151 case "setxattr.file.package.source_version": 22152 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.SetXAttr.File), nil 22153 case "setxattr.file.package.version": 22154 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.SetXAttr.File), nil 22155 case "setxattr.file.path": 22156 return ev.FieldHandlers.ResolveFilePath(ev, &ev.SetXAttr.File), nil 22157 case "setxattr.file.path.length": 22158 return ev.FieldHandlers.ResolveFilePath(ev, &ev.SetXAttr.File), nil 22159 case "setxattr.file.rights": 22160 return int(ev.FieldHandlers.ResolveRights(ev, &ev.SetXAttr.File.FileFields)), nil 22161 case "setxattr.file.uid": 22162 return int(ev.SetXAttr.File.FileFields.UID), nil 22163 case "setxattr.file.user": 22164 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.SetXAttr.File.FileFields), nil 22165 case "setxattr.retval": 22166 return int(ev.SetXAttr.SyscallEvent.Retval), nil 22167 case "signal.pid": 22168 return int(ev.Signal.PID), nil 22169 case "signal.retval": 22170 return int(ev.Signal.SyscallEvent.Retval), nil 22171 case "signal.target.ancestors.args": 22172 var values []string 22173 ctx := eval.NewContext(ev) 22174 iterator := &ProcessAncestorsIterator{} 22175 ptr := iterator.Front(ctx) 22176 for ptr != nil { 22177 element := (*ProcessCacheEntry)(ptr) 22178 result := ev.FieldHandlers.ResolveProcessArgs(ev, &element.ProcessContext.Process) 22179 values = append(values, result) 22180 ptr = iterator.Next() 22181 } 22182 return values, nil 22183 case "signal.target.ancestors.args_flags": 22184 var values []string 22185 ctx := eval.NewContext(ev) 22186 iterator := &ProcessAncestorsIterator{} 22187 ptr := iterator.Front(ctx) 22188 for ptr != nil { 22189 element := (*ProcessCacheEntry)(ptr) 22190 result := 
ev.FieldHandlers.ResolveProcessArgsFlags(ev, &element.ProcessContext.Process) 22191 values = append(values, result...) 22192 ptr = iterator.Next() 22193 } 22194 return values, nil 22195 case "signal.target.ancestors.args_options": 22196 var values []string 22197 ctx := eval.NewContext(ev) 22198 iterator := &ProcessAncestorsIterator{} 22199 ptr := iterator.Front(ctx) 22200 for ptr != nil { 22201 element := (*ProcessCacheEntry)(ptr) 22202 result := ev.FieldHandlers.ResolveProcessArgsOptions(ev, &element.ProcessContext.Process) 22203 values = append(values, result...) 22204 ptr = iterator.Next() 22205 } 22206 return values, nil 22207 case "signal.target.ancestors.args_truncated": 22208 var values []bool 22209 ctx := eval.NewContext(ev) 22210 iterator := &ProcessAncestorsIterator{} 22211 ptr := iterator.Front(ctx) 22212 for ptr != nil { 22213 element := (*ProcessCacheEntry)(ptr) 22214 result := ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &element.ProcessContext.Process) 22215 values = append(values, result) 22216 ptr = iterator.Next() 22217 } 22218 return values, nil 22219 case "signal.target.ancestors.argv": 22220 var values []string 22221 ctx := eval.NewContext(ev) 22222 iterator := &ProcessAncestorsIterator{} 22223 ptr := iterator.Front(ctx) 22224 for ptr != nil { 22225 element := (*ProcessCacheEntry)(ptr) 22226 result := ev.FieldHandlers.ResolveProcessArgv(ev, &element.ProcessContext.Process) 22227 values = append(values, result...) 
22228 ptr = iterator.Next() 22229 } 22230 return values, nil 22231 case "signal.target.ancestors.argv0": 22232 var values []string 22233 ctx := eval.NewContext(ev) 22234 iterator := &ProcessAncestorsIterator{} 22235 ptr := iterator.Front(ctx) 22236 for ptr != nil { 22237 element := (*ProcessCacheEntry)(ptr) 22238 result := ev.FieldHandlers.ResolveProcessArgv0(ev, &element.ProcessContext.Process) 22239 values = append(values, result) 22240 ptr = iterator.Next() 22241 } 22242 return values, nil 22243 case "signal.target.ancestors.cap_effective": 22244 var values []int 22245 ctx := eval.NewContext(ev) 22246 iterator := &ProcessAncestorsIterator{} 22247 ptr := iterator.Front(ctx) 22248 for ptr != nil { 22249 element := (*ProcessCacheEntry)(ptr) 22250 result := int(element.ProcessContext.Process.Credentials.CapEffective) 22251 values = append(values, result) 22252 ptr = iterator.Next() 22253 } 22254 return values, nil 22255 case "signal.target.ancestors.cap_permitted": 22256 var values []int 22257 ctx := eval.NewContext(ev) 22258 iterator := &ProcessAncestorsIterator{} 22259 ptr := iterator.Front(ctx) 22260 for ptr != nil { 22261 element := (*ProcessCacheEntry)(ptr) 22262 result := int(element.ProcessContext.Process.Credentials.CapPermitted) 22263 values = append(values, result) 22264 ptr = iterator.Next() 22265 } 22266 return values, nil 22267 case "signal.target.ancestors.comm": 22268 var values []string 22269 ctx := eval.NewContext(ev) 22270 iterator := &ProcessAncestorsIterator{} 22271 ptr := iterator.Front(ctx) 22272 for ptr != nil { 22273 element := (*ProcessCacheEntry)(ptr) 22274 result := element.ProcessContext.Process.Comm 22275 values = append(values, result) 22276 ptr = iterator.Next() 22277 } 22278 return values, nil 22279 case "signal.target.ancestors.container.id": 22280 var values []string 22281 ctx := eval.NewContext(ev) 22282 iterator := &ProcessAncestorsIterator{} 22283 ptr := iterator.Front(ctx) 22284 for ptr != nil { 22285 element := 
(*ProcessCacheEntry)(ptr) 22286 result := element.ProcessContext.Process.ContainerID 22287 values = append(values, result) 22288 ptr = iterator.Next() 22289 } 22290 return values, nil 22291 case "signal.target.ancestors.created_at": 22292 var values []int 22293 ctx := eval.NewContext(ev) 22294 iterator := &ProcessAncestorsIterator{} 22295 ptr := iterator.Front(ctx) 22296 for ptr != nil { 22297 element := (*ProcessCacheEntry)(ptr) 22298 result := int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &element.ProcessContext.Process)) 22299 values = append(values, result) 22300 ptr = iterator.Next() 22301 } 22302 return values, nil 22303 case "signal.target.ancestors.egid": 22304 var values []int 22305 ctx := eval.NewContext(ev) 22306 iterator := &ProcessAncestorsIterator{} 22307 ptr := iterator.Front(ctx) 22308 for ptr != nil { 22309 element := (*ProcessCacheEntry)(ptr) 22310 result := int(element.ProcessContext.Process.Credentials.EGID) 22311 values = append(values, result) 22312 ptr = iterator.Next() 22313 } 22314 return values, nil 22315 case "signal.target.ancestors.egroup": 22316 var values []string 22317 ctx := eval.NewContext(ev) 22318 iterator := &ProcessAncestorsIterator{} 22319 ptr := iterator.Front(ctx) 22320 for ptr != nil { 22321 element := (*ProcessCacheEntry)(ptr) 22322 result := element.ProcessContext.Process.Credentials.EGroup 22323 values = append(values, result) 22324 ptr = iterator.Next() 22325 } 22326 return values, nil 22327 case "signal.target.ancestors.envp": 22328 var values []string 22329 ctx := eval.NewContext(ev) 22330 iterator := &ProcessAncestorsIterator{} 22331 ptr := iterator.Front(ctx) 22332 for ptr != nil { 22333 element := (*ProcessCacheEntry)(ptr) 22334 result := ev.FieldHandlers.ResolveProcessEnvp(ev, &element.ProcessContext.Process) 22335 values = append(values, result...) 
22336 ptr = iterator.Next() 22337 } 22338 return values, nil 22339 case "signal.target.ancestors.envs": 22340 var values []string 22341 ctx := eval.NewContext(ev) 22342 iterator := &ProcessAncestorsIterator{} 22343 ptr := iterator.Front(ctx) 22344 for ptr != nil { 22345 element := (*ProcessCacheEntry)(ptr) 22346 result := ev.FieldHandlers.ResolveProcessEnvs(ev, &element.ProcessContext.Process) 22347 values = append(values, result...) 22348 ptr = iterator.Next() 22349 } 22350 return values, nil 22351 case "signal.target.ancestors.envs_truncated": 22352 var values []bool 22353 ctx := eval.NewContext(ev) 22354 iterator := &ProcessAncestorsIterator{} 22355 ptr := iterator.Front(ctx) 22356 for ptr != nil { 22357 element := (*ProcessCacheEntry)(ptr) 22358 result := ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &element.ProcessContext.Process) 22359 values = append(values, result) 22360 ptr = iterator.Next() 22361 } 22362 return values, nil 22363 case "signal.target.ancestors.euid": 22364 var values []int 22365 ctx := eval.NewContext(ev) 22366 iterator := &ProcessAncestorsIterator{} 22367 ptr := iterator.Front(ctx) 22368 for ptr != nil { 22369 element := (*ProcessCacheEntry)(ptr) 22370 result := int(element.ProcessContext.Process.Credentials.EUID) 22371 values = append(values, result) 22372 ptr = iterator.Next() 22373 } 22374 return values, nil 22375 case "signal.target.ancestors.euser": 22376 var values []string 22377 ctx := eval.NewContext(ev) 22378 iterator := &ProcessAncestorsIterator{} 22379 ptr := iterator.Front(ctx) 22380 for ptr != nil { 22381 element := (*ProcessCacheEntry)(ptr) 22382 result := element.ProcessContext.Process.Credentials.EUser 22383 values = append(values, result) 22384 ptr = iterator.Next() 22385 } 22386 return values, nil 22387 case "signal.target.ancestors.file.change_time": 22388 var values []int 22389 ctx := eval.NewContext(ev) 22390 iterator := &ProcessAncestorsIterator{} 22391 ptr := iterator.Front(ctx) 22392 for ptr != nil { 22393 
element := (*ProcessCacheEntry)(ptr) 22394 result := int(element.ProcessContext.Process.FileEvent.FileFields.CTime) 22395 values = append(values, result) 22396 ptr = iterator.Next() 22397 } 22398 return values, nil 22399 case "signal.target.ancestors.file.filesystem": 22400 var values []string 22401 ctx := eval.NewContext(ev) 22402 iterator := &ProcessAncestorsIterator{} 22403 ptr := iterator.Front(ctx) 22404 for ptr != nil { 22405 element := (*ProcessCacheEntry)(ptr) 22406 result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.FileEvent) 22407 values = append(values, result) 22408 ptr = iterator.Next() 22409 } 22410 return values, nil 22411 case "signal.target.ancestors.file.gid": 22412 var values []int 22413 ctx := eval.NewContext(ev) 22414 iterator := &ProcessAncestorsIterator{} 22415 ptr := iterator.Front(ctx) 22416 for ptr != nil { 22417 element := (*ProcessCacheEntry)(ptr) 22418 result := int(element.ProcessContext.Process.FileEvent.FileFields.GID) 22419 values = append(values, result) 22420 ptr = iterator.Next() 22421 } 22422 return values, nil 22423 case "signal.target.ancestors.file.group": 22424 var values []string 22425 ctx := eval.NewContext(ev) 22426 iterator := &ProcessAncestorsIterator{} 22427 ptr := iterator.Front(ctx) 22428 for ptr != nil { 22429 element := (*ProcessCacheEntry)(ptr) 22430 result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.FileEvent.FileFields) 22431 values = append(values, result) 22432 ptr = iterator.Next() 22433 } 22434 return values, nil 22435 case "signal.target.ancestors.file.hashes": 22436 var values []string 22437 ctx := eval.NewContext(ev) 22438 iterator := &ProcessAncestorsIterator{} 22439 ptr := iterator.Front(ctx) 22440 for ptr != nil { 22441 element := (*ProcessCacheEntry)(ptr) 22442 result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.FileEvent) 22443 values = append(values, result...) 
22444 ptr = iterator.Next() 22445 } 22446 return values, nil 22447 case "signal.target.ancestors.file.in_upper_layer": 22448 var values []bool 22449 ctx := eval.NewContext(ev) 22450 iterator := &ProcessAncestorsIterator{} 22451 ptr := iterator.Front(ctx) 22452 for ptr != nil { 22453 element := (*ProcessCacheEntry)(ptr) 22454 result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.FileEvent.FileFields) 22455 values = append(values, result) 22456 ptr = iterator.Next() 22457 } 22458 return values, nil 22459 case "signal.target.ancestors.file.inode": 22460 var values []int 22461 ctx := eval.NewContext(ev) 22462 iterator := &ProcessAncestorsIterator{} 22463 ptr := iterator.Front(ctx) 22464 for ptr != nil { 22465 element := (*ProcessCacheEntry)(ptr) 22466 result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode) 22467 values = append(values, result) 22468 ptr = iterator.Next() 22469 } 22470 return values, nil 22471 case "signal.target.ancestors.file.mode": 22472 var values []int 22473 ctx := eval.NewContext(ev) 22474 iterator := &ProcessAncestorsIterator{} 22475 ptr := iterator.Front(ctx) 22476 for ptr != nil { 22477 element := (*ProcessCacheEntry)(ptr) 22478 result := int(element.ProcessContext.Process.FileEvent.FileFields.Mode) 22479 values = append(values, result) 22480 ptr = iterator.Next() 22481 } 22482 return values, nil 22483 case "signal.target.ancestors.file.modification_time": 22484 var values []int 22485 ctx := eval.NewContext(ev) 22486 iterator := &ProcessAncestorsIterator{} 22487 ptr := iterator.Front(ctx) 22488 for ptr != nil { 22489 element := (*ProcessCacheEntry)(ptr) 22490 result := int(element.ProcessContext.Process.FileEvent.FileFields.MTime) 22491 values = append(values, result) 22492 ptr = iterator.Next() 22493 } 22494 return values, nil 22495 case "signal.target.ancestors.file.mount_id": 22496 var values []int 22497 ctx := eval.NewContext(ev) 22498 iterator := &ProcessAncestorsIterator{} 
22499 ptr := iterator.Front(ctx) 22500 for ptr != nil { 22501 element := (*ProcessCacheEntry)(ptr) 22502 result := int(element.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID) 22503 values = append(values, result) 22504 ptr = iterator.Next() 22505 } 22506 return values, nil 22507 case "signal.target.ancestors.file.name": 22508 var values []string 22509 ctx := eval.NewContext(ev) 22510 iterator := &ProcessAncestorsIterator{} 22511 ptr := iterator.Front(ctx) 22512 for ptr != nil { 22513 element := (*ProcessCacheEntry)(ptr) 22514 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent) 22515 values = append(values, result) 22516 ptr = iterator.Next() 22517 } 22518 return values, nil 22519 case "signal.target.ancestors.file.name.length": 22520 var values []int 22521 ctx := eval.NewContext(ev) 22522 iterator := &ProcessAncestorsIterator{} 22523 ptr := iterator.Front(ctx) 22524 for ptr != nil { 22525 element := (*ProcessCacheEntry)(ptr) 22526 result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.FileEvent)) 22527 values = append(values, result) 22528 ptr = iterator.Next() 22529 } 22530 return values, nil 22531 case "signal.target.ancestors.file.package.name": 22532 var values []string 22533 ctx := eval.NewContext(ev) 22534 iterator := &ProcessAncestorsIterator{} 22535 ptr := iterator.Front(ctx) 22536 for ptr != nil { 22537 element := (*ProcessCacheEntry)(ptr) 22538 result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.FileEvent) 22539 values = append(values, result) 22540 ptr = iterator.Next() 22541 } 22542 return values, nil 22543 case "signal.target.ancestors.file.package.source_version": 22544 var values []string 22545 ctx := eval.NewContext(ev) 22546 iterator := &ProcessAncestorsIterator{} 22547 ptr := iterator.Front(ctx) 22548 for ptr != nil { 22549 element := (*ProcessCacheEntry)(ptr) 22550 result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, 
&element.ProcessContext.Process.FileEvent) 22551 values = append(values, result) 22552 ptr = iterator.Next() 22553 } 22554 return values, nil 22555 case "signal.target.ancestors.file.package.version": 22556 var values []string 22557 ctx := eval.NewContext(ev) 22558 iterator := &ProcessAncestorsIterator{} 22559 ptr := iterator.Front(ctx) 22560 for ptr != nil { 22561 element := (*ProcessCacheEntry)(ptr) 22562 result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.FileEvent) 22563 values = append(values, result) 22564 ptr = iterator.Next() 22565 } 22566 return values, nil 22567 case "signal.target.ancestors.file.path": 22568 var values []string 22569 ctx := eval.NewContext(ev) 22570 iterator := &ProcessAncestorsIterator{} 22571 ptr := iterator.Front(ctx) 22572 for ptr != nil { 22573 element := (*ProcessCacheEntry)(ptr) 22574 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent) 22575 values = append(values, result) 22576 ptr = iterator.Next() 22577 } 22578 return values, nil 22579 case "signal.target.ancestors.file.path.length": 22580 var values []int 22581 ctx := eval.NewContext(ev) 22582 iterator := &ProcessAncestorsIterator{} 22583 ptr := iterator.Front(ctx) 22584 for ptr != nil { 22585 element := (*ProcessCacheEntry)(ptr) 22586 result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.FileEvent)) 22587 values = append(values, result) 22588 ptr = iterator.Next() 22589 } 22590 return values, nil 22591 case "signal.target.ancestors.file.rights": 22592 var values []int 22593 ctx := eval.NewContext(ev) 22594 iterator := &ProcessAncestorsIterator{} 22595 ptr := iterator.Front(ctx) 22596 for ptr != nil { 22597 element := (*ProcessCacheEntry)(ptr) 22598 result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.FileEvent.FileFields)) 22599 values = append(values, result) 22600 ptr = iterator.Next() 22601 } 22602 return values, nil 22603 case 
"signal.target.ancestors.file.uid": 22604 var values []int 22605 ctx := eval.NewContext(ev) 22606 iterator := &ProcessAncestorsIterator{} 22607 ptr := iterator.Front(ctx) 22608 for ptr != nil { 22609 element := (*ProcessCacheEntry)(ptr) 22610 result := int(element.ProcessContext.Process.FileEvent.FileFields.UID) 22611 values = append(values, result) 22612 ptr = iterator.Next() 22613 } 22614 return values, nil 22615 case "signal.target.ancestors.file.user": 22616 var values []string 22617 ctx := eval.NewContext(ev) 22618 iterator := &ProcessAncestorsIterator{} 22619 ptr := iterator.Front(ctx) 22620 for ptr != nil { 22621 element := (*ProcessCacheEntry)(ptr) 22622 result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.FileEvent.FileFields) 22623 values = append(values, result) 22624 ptr = iterator.Next() 22625 } 22626 return values, nil 22627 case "signal.target.ancestors.fsgid": 22628 var values []int 22629 ctx := eval.NewContext(ev) 22630 iterator := &ProcessAncestorsIterator{} 22631 ptr := iterator.Front(ctx) 22632 for ptr != nil { 22633 element := (*ProcessCacheEntry)(ptr) 22634 result := int(element.ProcessContext.Process.Credentials.FSGID) 22635 values = append(values, result) 22636 ptr = iterator.Next() 22637 } 22638 return values, nil 22639 case "signal.target.ancestors.fsgroup": 22640 var values []string 22641 ctx := eval.NewContext(ev) 22642 iterator := &ProcessAncestorsIterator{} 22643 ptr := iterator.Front(ctx) 22644 for ptr != nil { 22645 element := (*ProcessCacheEntry)(ptr) 22646 result := element.ProcessContext.Process.Credentials.FSGroup 22647 values = append(values, result) 22648 ptr = iterator.Next() 22649 } 22650 return values, nil 22651 case "signal.target.ancestors.fsuid": 22652 var values []int 22653 ctx := eval.NewContext(ev) 22654 iterator := &ProcessAncestorsIterator{} 22655 ptr := iterator.Front(ctx) 22656 for ptr != nil { 22657 element := (*ProcessCacheEntry)(ptr) 22658 result := 
int(element.ProcessContext.Process.Credentials.FSUID) 22659 values = append(values, result) 22660 ptr = iterator.Next() 22661 } 22662 return values, nil 22663 case "signal.target.ancestors.fsuser": 22664 var values []string 22665 ctx := eval.NewContext(ev) 22666 iterator := &ProcessAncestorsIterator{} 22667 ptr := iterator.Front(ctx) 22668 for ptr != nil { 22669 element := (*ProcessCacheEntry)(ptr) 22670 result := element.ProcessContext.Process.Credentials.FSUser 22671 values = append(values, result) 22672 ptr = iterator.Next() 22673 } 22674 return values, nil 22675 case "signal.target.ancestors.gid": 22676 var values []int 22677 ctx := eval.NewContext(ev) 22678 iterator := &ProcessAncestorsIterator{} 22679 ptr := iterator.Front(ctx) 22680 for ptr != nil { 22681 element := (*ProcessCacheEntry)(ptr) 22682 result := int(element.ProcessContext.Process.Credentials.GID) 22683 values = append(values, result) 22684 ptr = iterator.Next() 22685 } 22686 return values, nil 22687 case "signal.target.ancestors.group": 22688 var values []string 22689 ctx := eval.NewContext(ev) 22690 iterator := &ProcessAncestorsIterator{} 22691 ptr := iterator.Front(ctx) 22692 for ptr != nil { 22693 element := (*ProcessCacheEntry)(ptr) 22694 result := element.ProcessContext.Process.Credentials.Group 22695 values = append(values, result) 22696 ptr = iterator.Next() 22697 } 22698 return values, nil 22699 case "signal.target.ancestors.interpreter.file.change_time": 22700 var values []int 22701 ctx := eval.NewContext(ev) 22702 iterator := &ProcessAncestorsIterator{} 22703 ptr := iterator.Front(ctx) 22704 for ptr != nil { 22705 element := (*ProcessCacheEntry)(ptr) 22706 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime) 22707 values = append(values, result) 22708 ptr = iterator.Next() 22709 } 22710 return values, nil 22711 case "signal.target.ancestors.interpreter.file.filesystem": 22712 var values []string 22713 ctx := eval.NewContext(ev) 22714 iterator := 
&ProcessAncestorsIterator{} 22715 ptr := iterator.Front(ctx) 22716 for ptr != nil { 22717 element := (*ProcessCacheEntry)(ptr) 22718 result := ev.FieldHandlers.ResolveFileFilesystem(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 22719 values = append(values, result) 22720 ptr = iterator.Next() 22721 } 22722 return values, nil 22723 case "signal.target.ancestors.interpreter.file.gid": 22724 var values []int 22725 ctx := eval.NewContext(ev) 22726 iterator := &ProcessAncestorsIterator{} 22727 ptr := iterator.Front(ctx) 22728 for ptr != nil { 22729 element := (*ProcessCacheEntry)(ptr) 22730 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID) 22731 values = append(values, result) 22732 ptr = iterator.Next() 22733 } 22734 return values, nil 22735 case "signal.target.ancestors.interpreter.file.group": 22736 var values []string 22737 ctx := eval.NewContext(ev) 22738 iterator := &ProcessAncestorsIterator{} 22739 ptr := iterator.Front(ctx) 22740 for ptr != nil { 22741 element := (*ProcessCacheEntry)(ptr) 22742 result := ev.FieldHandlers.ResolveFileFieldsGroup(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 22743 values = append(values, result) 22744 ptr = iterator.Next() 22745 } 22746 return values, nil 22747 case "signal.target.ancestors.interpreter.file.hashes": 22748 var values []string 22749 ctx := eval.NewContext(ev) 22750 iterator := &ProcessAncestorsIterator{} 22751 ptr := iterator.Front(ctx) 22752 for ptr != nil { 22753 element := (*ProcessCacheEntry)(ptr) 22754 result := ev.FieldHandlers.ResolveHashesFromEvent(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 22755 values = append(values, result...) 
22756 ptr = iterator.Next() 22757 } 22758 return values, nil 22759 case "signal.target.ancestors.interpreter.file.in_upper_layer": 22760 var values []bool 22761 ctx := eval.NewContext(ev) 22762 iterator := &ProcessAncestorsIterator{} 22763 ptr := iterator.Front(ctx) 22764 for ptr != nil { 22765 element := (*ProcessCacheEntry)(ptr) 22766 result := ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 22767 values = append(values, result) 22768 ptr = iterator.Next() 22769 } 22770 return values, nil 22771 case "signal.target.ancestors.interpreter.file.inode": 22772 var values []int 22773 ctx := eval.NewContext(ev) 22774 iterator := &ProcessAncestorsIterator{} 22775 ptr := iterator.Front(ctx) 22776 for ptr != nil { 22777 element := (*ProcessCacheEntry)(ptr) 22778 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode) 22779 values = append(values, result) 22780 ptr = iterator.Next() 22781 } 22782 return values, nil 22783 case "signal.target.ancestors.interpreter.file.mode": 22784 var values []int 22785 ctx := eval.NewContext(ev) 22786 iterator := &ProcessAncestorsIterator{} 22787 ptr := iterator.Front(ctx) 22788 for ptr != nil { 22789 element := (*ProcessCacheEntry)(ptr) 22790 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode) 22791 values = append(values, result) 22792 ptr = iterator.Next() 22793 } 22794 return values, nil 22795 case "signal.target.ancestors.interpreter.file.modification_time": 22796 var values []int 22797 ctx := eval.NewContext(ev) 22798 iterator := &ProcessAncestorsIterator{} 22799 ptr := iterator.Front(ctx) 22800 for ptr != nil { 22801 element := (*ProcessCacheEntry)(ptr) 22802 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime) 22803 values = append(values, result) 22804 ptr = iterator.Next() 22805 } 22806 return values, nil 22807 case 
"signal.target.ancestors.interpreter.file.mount_id": 22808 var values []int 22809 ctx := eval.NewContext(ev) 22810 iterator := &ProcessAncestorsIterator{} 22811 ptr := iterator.Front(ctx) 22812 for ptr != nil { 22813 element := (*ProcessCacheEntry)(ptr) 22814 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID) 22815 values = append(values, result) 22816 ptr = iterator.Next() 22817 } 22818 return values, nil 22819 case "signal.target.ancestors.interpreter.file.name": 22820 var values []string 22821 ctx := eval.NewContext(ev) 22822 iterator := &ProcessAncestorsIterator{} 22823 ptr := iterator.Front(ctx) 22824 for ptr != nil { 22825 element := (*ProcessCacheEntry)(ptr) 22826 result := ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 22827 values = append(values, result) 22828 ptr = iterator.Next() 22829 } 22830 return values, nil 22831 case "signal.target.ancestors.interpreter.file.name.length": 22832 var values []int 22833 ctx := eval.NewContext(ev) 22834 iterator := &ProcessAncestorsIterator{} 22835 ptr := iterator.Front(ctx) 22836 for ptr != nil { 22837 element := (*ProcessCacheEntry)(ptr) 22838 result := len(ev.FieldHandlers.ResolveFileBasename(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)) 22839 values = append(values, result) 22840 ptr = iterator.Next() 22841 } 22842 return values, nil 22843 case "signal.target.ancestors.interpreter.file.package.name": 22844 var values []string 22845 ctx := eval.NewContext(ev) 22846 iterator := &ProcessAncestorsIterator{} 22847 ptr := iterator.Front(ctx) 22848 for ptr != nil { 22849 element := (*ProcessCacheEntry)(ptr) 22850 result := ev.FieldHandlers.ResolvePackageName(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 22851 values = append(values, result) 22852 ptr = iterator.Next() 22853 } 22854 return values, nil 22855 case "signal.target.ancestors.interpreter.file.package.source_version": 22856 var values []string 
22857 ctx := eval.NewContext(ev) 22858 iterator := &ProcessAncestorsIterator{} 22859 ptr := iterator.Front(ctx) 22860 for ptr != nil { 22861 element := (*ProcessCacheEntry)(ptr) 22862 result := ev.FieldHandlers.ResolvePackageSourceVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 22863 values = append(values, result) 22864 ptr = iterator.Next() 22865 } 22866 return values, nil 22867 case "signal.target.ancestors.interpreter.file.package.version": 22868 var values []string 22869 ctx := eval.NewContext(ev) 22870 iterator := &ProcessAncestorsIterator{} 22871 ptr := iterator.Front(ctx) 22872 for ptr != nil { 22873 element := (*ProcessCacheEntry)(ptr) 22874 result := ev.FieldHandlers.ResolvePackageVersion(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 22875 values = append(values, result) 22876 ptr = iterator.Next() 22877 } 22878 return values, nil 22879 case "signal.target.ancestors.interpreter.file.path": 22880 var values []string 22881 ctx := eval.NewContext(ev) 22882 iterator := &ProcessAncestorsIterator{} 22883 ptr := iterator.Front(ctx) 22884 for ptr != nil { 22885 element := (*ProcessCacheEntry)(ptr) 22886 result := ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent) 22887 values = append(values, result) 22888 ptr = iterator.Next() 22889 } 22890 return values, nil 22891 case "signal.target.ancestors.interpreter.file.path.length": 22892 var values []int 22893 ctx := eval.NewContext(ev) 22894 iterator := &ProcessAncestorsIterator{} 22895 ptr := iterator.Front(ctx) 22896 for ptr != nil { 22897 element := (*ProcessCacheEntry)(ptr) 22898 result := len(ev.FieldHandlers.ResolveFilePath(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent)) 22899 values = append(values, result) 22900 ptr = iterator.Next() 22901 } 22902 return values, nil 22903 case "signal.target.ancestors.interpreter.file.rights": 22904 var values []int 22905 ctx := eval.NewContext(ev) 22906 iterator := &ProcessAncestorsIterator{} 
22907 ptr := iterator.Front(ctx) 22908 for ptr != nil { 22909 element := (*ProcessCacheEntry)(ptr) 22910 result := int(ev.FieldHandlers.ResolveRights(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields)) 22911 values = append(values, result) 22912 ptr = iterator.Next() 22913 } 22914 return values, nil 22915 case "signal.target.ancestors.interpreter.file.uid": 22916 var values []int 22917 ctx := eval.NewContext(ev) 22918 iterator := &ProcessAncestorsIterator{} 22919 ptr := iterator.Front(ctx) 22920 for ptr != nil { 22921 element := (*ProcessCacheEntry)(ptr) 22922 result := int(element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID) 22923 values = append(values, result) 22924 ptr = iterator.Next() 22925 } 22926 return values, nil 22927 case "signal.target.ancestors.interpreter.file.user": 22928 var values []string 22929 ctx := eval.NewContext(ev) 22930 iterator := &ProcessAncestorsIterator{} 22931 ptr := iterator.Front(ctx) 22932 for ptr != nil { 22933 element := (*ProcessCacheEntry)(ptr) 22934 result := ev.FieldHandlers.ResolveFileFieldsUser(ev, &element.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields) 22935 values = append(values, result) 22936 ptr = iterator.Next() 22937 } 22938 return values, nil 22939 case "signal.target.ancestors.is_kworker": 22940 var values []bool 22941 ctx := eval.NewContext(ev) 22942 iterator := &ProcessAncestorsIterator{} 22943 ptr := iterator.Front(ctx) 22944 for ptr != nil { 22945 element := (*ProcessCacheEntry)(ptr) 22946 result := element.ProcessContext.Process.PIDContext.IsKworker 22947 values = append(values, result) 22948 ptr = iterator.Next() 22949 } 22950 return values, nil 22951 case "signal.target.ancestors.is_thread": 22952 var values []bool 22953 ctx := eval.NewContext(ev) 22954 iterator := &ProcessAncestorsIterator{} 22955 ptr := iterator.Front(ctx) 22956 for ptr != nil { 22957 element := (*ProcessCacheEntry)(ptr) 22958 result := element.ProcessContext.Process.IsThread 22959 values = 
append(values, result) 22960 ptr = iterator.Next() 22961 } 22962 return values, nil 22963 case "signal.target.ancestors.pid": 22964 var values []int 22965 ctx := eval.NewContext(ev) 22966 iterator := &ProcessAncestorsIterator{} 22967 ptr := iterator.Front(ctx) 22968 for ptr != nil { 22969 element := (*ProcessCacheEntry)(ptr) 22970 result := int(element.ProcessContext.Process.PIDContext.Pid) 22971 values = append(values, result) 22972 ptr = iterator.Next() 22973 } 22974 return values, nil 22975 case "signal.target.ancestors.ppid": 22976 var values []int 22977 ctx := eval.NewContext(ev) 22978 iterator := &ProcessAncestorsIterator{} 22979 ptr := iterator.Front(ctx) 22980 for ptr != nil { 22981 element := (*ProcessCacheEntry)(ptr) 22982 result := int(element.ProcessContext.Process.PPid) 22983 values = append(values, result) 22984 ptr = iterator.Next() 22985 } 22986 return values, nil 22987 case "signal.target.ancestors.tid": 22988 var values []int 22989 ctx := eval.NewContext(ev) 22990 iterator := &ProcessAncestorsIterator{} 22991 ptr := iterator.Front(ctx) 22992 for ptr != nil { 22993 element := (*ProcessCacheEntry)(ptr) 22994 result := int(element.ProcessContext.Process.PIDContext.Tid) 22995 values = append(values, result) 22996 ptr = iterator.Next() 22997 } 22998 return values, nil 22999 case "signal.target.ancestors.tty_name": 23000 var values []string 23001 ctx := eval.NewContext(ev) 23002 iterator := &ProcessAncestorsIterator{} 23003 ptr := iterator.Front(ctx) 23004 for ptr != nil { 23005 element := (*ProcessCacheEntry)(ptr) 23006 result := element.ProcessContext.Process.TTYName 23007 values = append(values, result) 23008 ptr = iterator.Next() 23009 } 23010 return values, nil 23011 case "signal.target.ancestors.uid": 23012 var values []int 23013 ctx := eval.NewContext(ev) 23014 iterator := &ProcessAncestorsIterator{} 23015 ptr := iterator.Front(ctx) 23016 for ptr != nil { 23017 element := (*ProcessCacheEntry)(ptr) 23018 result := 
int(element.ProcessContext.Process.Credentials.UID) 23019 values = append(values, result) 23020 ptr = iterator.Next() 23021 } 23022 return values, nil 23023 case "signal.target.ancestors.user": 23024 var values []string 23025 ctx := eval.NewContext(ev) 23026 iterator := &ProcessAncestorsIterator{} 23027 ptr := iterator.Front(ctx) 23028 for ptr != nil { 23029 element := (*ProcessCacheEntry)(ptr) 23030 result := element.ProcessContext.Process.Credentials.User 23031 values = append(values, result) 23032 ptr = iterator.Next() 23033 } 23034 return values, nil 23035 case "signal.target.ancestors.user_session.k8s_groups": 23036 var values []string 23037 ctx := eval.NewContext(ev) 23038 iterator := &ProcessAncestorsIterator{} 23039 ptr := iterator.Front(ctx) 23040 for ptr != nil { 23041 element := (*ProcessCacheEntry)(ptr) 23042 result := ev.FieldHandlers.ResolveK8SGroups(ev, &element.ProcessContext.Process.UserSession) 23043 values = append(values, result...) 23044 ptr = iterator.Next() 23045 } 23046 return values, nil 23047 case "signal.target.ancestors.user_session.k8s_uid": 23048 var values []string 23049 ctx := eval.NewContext(ev) 23050 iterator := &ProcessAncestorsIterator{} 23051 ptr := iterator.Front(ctx) 23052 for ptr != nil { 23053 element := (*ProcessCacheEntry)(ptr) 23054 result := ev.FieldHandlers.ResolveK8SUID(ev, &element.ProcessContext.Process.UserSession) 23055 values = append(values, result) 23056 ptr = iterator.Next() 23057 } 23058 return values, nil 23059 case "signal.target.ancestors.user_session.k8s_username": 23060 var values []string 23061 ctx := eval.NewContext(ev) 23062 iterator := &ProcessAncestorsIterator{} 23063 ptr := iterator.Front(ctx) 23064 for ptr != nil { 23065 element := (*ProcessCacheEntry)(ptr) 23066 result := ev.FieldHandlers.ResolveK8SUsername(ev, &element.ProcessContext.Process.UserSession) 23067 values = append(values, result) 23068 ptr = iterator.Next() 23069 } 23070 return values, nil 23071 case "signal.target.args": 23072 return 
ev.FieldHandlers.ResolveProcessArgs(ev, &ev.Signal.Target.Process), nil 23073 case "signal.target.args_flags": 23074 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.Signal.Target.Process), nil 23075 case "signal.target.args_options": 23076 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.Signal.Target.Process), nil 23077 case "signal.target.args_truncated": 23078 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.Signal.Target.Process), nil 23079 case "signal.target.argv": 23080 return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.Signal.Target.Process), nil 23081 case "signal.target.argv0": 23082 return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.Signal.Target.Process), nil 23083 case "signal.target.cap_effective": 23084 return int(ev.Signal.Target.Process.Credentials.CapEffective), nil 23085 case "signal.target.cap_permitted": 23086 return int(ev.Signal.Target.Process.Credentials.CapPermitted), nil 23087 case "signal.target.comm": 23088 return ev.Signal.Target.Process.Comm, nil 23089 case "signal.target.container.id": 23090 return ev.Signal.Target.Process.ContainerID, nil 23091 case "signal.target.created_at": 23092 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.Signal.Target.Process)), nil 23093 case "signal.target.egid": 23094 return int(ev.Signal.Target.Process.Credentials.EGID), nil 23095 case "signal.target.egroup": 23096 return ev.Signal.Target.Process.Credentials.EGroup, nil 23097 case "signal.target.envp": 23098 return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.Signal.Target.Process), nil 23099 case "signal.target.envs": 23100 return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.Signal.Target.Process), nil 23101 case "signal.target.envs_truncated": 23102 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.Signal.Target.Process), nil 23103 case "signal.target.euid": 23104 return int(ev.Signal.Target.Process.Credentials.EUID), nil 23105 case "signal.target.euser": 23106 return 
ev.Signal.Target.Process.Credentials.EUser, nil 23107 case "signal.target.file.change_time": 23108 if !ev.Signal.Target.Process.IsNotKworker() { 23109 return 0, &eval.ErrNotSupported{Field: field} 23110 } 23111 return int(ev.Signal.Target.Process.FileEvent.FileFields.CTime), nil 23112 case "signal.target.file.filesystem": 23113 if !ev.Signal.Target.Process.IsNotKworker() { 23114 return "", &eval.ErrNotSupported{Field: field} 23115 } 23116 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Process.FileEvent), nil 23117 case "signal.target.file.gid": 23118 if !ev.Signal.Target.Process.IsNotKworker() { 23119 return 0, &eval.ErrNotSupported{Field: field} 23120 } 23121 return int(ev.Signal.Target.Process.FileEvent.FileFields.GID), nil 23122 case "signal.target.file.group": 23123 if !ev.Signal.Target.Process.IsNotKworker() { 23124 return "", &eval.ErrNotSupported{Field: field} 23125 } 23126 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Process.FileEvent.FileFields), nil 23127 case "signal.target.file.hashes": 23128 if !ev.Signal.Target.Process.IsNotKworker() { 23129 return []string{}, &eval.ErrNotSupported{Field: field} 23130 } 23131 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Process.FileEvent), nil 23132 case "signal.target.file.in_upper_layer": 23133 if !ev.Signal.Target.Process.IsNotKworker() { 23134 return false, &eval.ErrNotSupported{Field: field} 23135 } 23136 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Process.FileEvent.FileFields), nil 23137 case "signal.target.file.inode": 23138 if !ev.Signal.Target.Process.IsNotKworker() { 23139 return 0, &eval.ErrNotSupported{Field: field} 23140 } 23141 return int(ev.Signal.Target.Process.FileEvent.FileFields.PathKey.Inode), nil 23142 case "signal.target.file.mode": 23143 if !ev.Signal.Target.Process.IsNotKworker() { 23144 return 0, &eval.ErrNotSupported{Field: field} 23145 } 23146 return 
int(ev.Signal.Target.Process.FileEvent.FileFields.Mode), nil 23147 case "signal.target.file.modification_time": 23148 if !ev.Signal.Target.Process.IsNotKworker() { 23149 return 0, &eval.ErrNotSupported{Field: field} 23150 } 23151 return int(ev.Signal.Target.Process.FileEvent.FileFields.MTime), nil 23152 case "signal.target.file.mount_id": 23153 if !ev.Signal.Target.Process.IsNotKworker() { 23154 return 0, &eval.ErrNotSupported{Field: field} 23155 } 23156 return int(ev.Signal.Target.Process.FileEvent.FileFields.PathKey.MountID), nil 23157 case "signal.target.file.name": 23158 if !ev.Signal.Target.Process.IsNotKworker() { 23159 return "", &eval.ErrNotSupported{Field: field} 23160 } 23161 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.FileEvent), nil 23162 case "signal.target.file.name.length": 23163 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.FileEvent), nil 23164 case "signal.target.file.package.name": 23165 if !ev.Signal.Target.Process.IsNotKworker() { 23166 return "", &eval.ErrNotSupported{Field: field} 23167 } 23168 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Process.FileEvent), nil 23169 case "signal.target.file.package.source_version": 23170 if !ev.Signal.Target.Process.IsNotKworker() { 23171 return "", &eval.ErrNotSupported{Field: field} 23172 } 23173 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Process.FileEvent), nil 23174 case "signal.target.file.package.version": 23175 if !ev.Signal.Target.Process.IsNotKworker() { 23176 return "", &eval.ErrNotSupported{Field: field} 23177 } 23178 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Process.FileEvent), nil 23179 case "signal.target.file.path": 23180 if !ev.Signal.Target.Process.IsNotKworker() { 23181 return "", &eval.ErrNotSupported{Field: field} 23182 } 23183 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.FileEvent), nil 23184 case 
"signal.target.file.path.length": 23185 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.FileEvent), nil 23186 case "signal.target.file.rights": 23187 if !ev.Signal.Target.Process.IsNotKworker() { 23188 return 0, &eval.ErrNotSupported{Field: field} 23189 } 23190 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Process.FileEvent.FileFields)), nil 23191 case "signal.target.file.uid": 23192 if !ev.Signal.Target.Process.IsNotKworker() { 23193 return 0, &eval.ErrNotSupported{Field: field} 23194 } 23195 return int(ev.Signal.Target.Process.FileEvent.FileFields.UID), nil 23196 case "signal.target.file.user": 23197 if !ev.Signal.Target.Process.IsNotKworker() { 23198 return "", &eval.ErrNotSupported{Field: field} 23199 } 23200 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Process.FileEvent.FileFields), nil 23201 case "signal.target.fsgid": 23202 return int(ev.Signal.Target.Process.Credentials.FSGID), nil 23203 case "signal.target.fsgroup": 23204 return ev.Signal.Target.Process.Credentials.FSGroup, nil 23205 case "signal.target.fsuid": 23206 return int(ev.Signal.Target.Process.Credentials.FSUID), nil 23207 case "signal.target.fsuser": 23208 return ev.Signal.Target.Process.Credentials.FSUser, nil 23209 case "signal.target.gid": 23210 return int(ev.Signal.Target.Process.Credentials.GID), nil 23211 case "signal.target.group": 23212 return ev.Signal.Target.Process.Credentials.Group, nil 23213 case "signal.target.interpreter.file.change_time": 23214 if !ev.Signal.Target.Process.HasInterpreter() { 23215 return 0, &eval.ErrNotSupported{Field: field} 23216 } 23217 return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.CTime), nil 23218 case "signal.target.interpreter.file.filesystem": 23219 if !ev.Signal.Target.Process.HasInterpreter() { 23220 return "", &eval.ErrNotSupported{Field: field} 23221 } 23222 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil 23223 
case "signal.target.interpreter.file.gid": 23224 if !ev.Signal.Target.Process.HasInterpreter() { 23225 return 0, &eval.ErrNotSupported{Field: field} 23226 } 23227 return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.GID), nil 23228 case "signal.target.interpreter.file.group": 23229 if !ev.Signal.Target.Process.HasInterpreter() { 23230 return "", &eval.ErrNotSupported{Field: field} 23231 } 23232 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields), nil 23233 case "signal.target.interpreter.file.hashes": 23234 if !ev.Signal.Target.Process.HasInterpreter() { 23235 return []string{}, &eval.ErrNotSupported{Field: field} 23236 } 23237 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil 23238 case "signal.target.interpreter.file.in_upper_layer": 23239 if !ev.Signal.Target.Process.HasInterpreter() { 23240 return false, &eval.ErrNotSupported{Field: field} 23241 } 23242 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields), nil 23243 case "signal.target.interpreter.file.inode": 23244 if !ev.Signal.Target.Process.HasInterpreter() { 23245 return 0, &eval.ErrNotSupported{Field: field} 23246 } 23247 return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil 23248 case "signal.target.interpreter.file.mode": 23249 if !ev.Signal.Target.Process.HasInterpreter() { 23250 return 0, &eval.ErrNotSupported{Field: field} 23251 } 23252 return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.Mode), nil 23253 case "signal.target.interpreter.file.modification_time": 23254 if !ev.Signal.Target.Process.HasInterpreter() { 23255 return 0, &eval.ErrNotSupported{Field: field} 23256 } 23257 return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.MTime), nil 23258 case "signal.target.interpreter.file.mount_id": 23259 if 
!ev.Signal.Target.Process.HasInterpreter() { 23260 return 0, &eval.ErrNotSupported{Field: field} 23261 } 23262 return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil 23263 case "signal.target.interpreter.file.name": 23264 if !ev.Signal.Target.Process.HasInterpreter() { 23265 return "", &eval.ErrNotSupported{Field: field} 23266 } 23267 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil 23268 case "signal.target.interpreter.file.name.length": 23269 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil 23270 case "signal.target.interpreter.file.package.name": 23271 if !ev.Signal.Target.Process.HasInterpreter() { 23272 return "", &eval.ErrNotSupported{Field: field} 23273 } 23274 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil 23275 case "signal.target.interpreter.file.package.source_version": 23276 if !ev.Signal.Target.Process.HasInterpreter() { 23277 return "", &eval.ErrNotSupported{Field: field} 23278 } 23279 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil 23280 case "signal.target.interpreter.file.package.version": 23281 if !ev.Signal.Target.Process.HasInterpreter() { 23282 return "", &eval.ErrNotSupported{Field: field} 23283 } 23284 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil 23285 case "signal.target.interpreter.file.path": 23286 if !ev.Signal.Target.Process.HasInterpreter() { 23287 return "", &eval.ErrNotSupported{Field: field} 23288 } 23289 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil 23290 case "signal.target.interpreter.file.path.length": 23291 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent), nil 23292 case "signal.target.interpreter.file.rights": 23293 if 
!ev.Signal.Target.Process.HasInterpreter() { 23294 return 0, &eval.ErrNotSupported{Field: field} 23295 } 23296 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields)), nil 23297 case "signal.target.interpreter.file.uid": 23298 if !ev.Signal.Target.Process.HasInterpreter() { 23299 return 0, &eval.ErrNotSupported{Field: field} 23300 } 23301 return int(ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.UID), nil 23302 case "signal.target.interpreter.file.user": 23303 if !ev.Signal.Target.Process.HasInterpreter() { 23304 return "", &eval.ErrNotSupported{Field: field} 23305 } 23306 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields), nil 23307 case "signal.target.is_kworker": 23308 return ev.Signal.Target.Process.PIDContext.IsKworker, nil 23309 case "signal.target.is_thread": 23310 return ev.Signal.Target.Process.IsThread, nil 23311 case "signal.target.parent.args": 23312 if !ev.Signal.Target.HasParent() { 23313 return "", &eval.ErrNotSupported{Field: field} 23314 } 23315 return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Signal.Target.Parent), nil 23316 case "signal.target.parent.args_flags": 23317 if !ev.Signal.Target.HasParent() { 23318 return []string{}, &eval.ErrNotSupported{Field: field} 23319 } 23320 return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Signal.Target.Parent), nil 23321 case "signal.target.parent.args_options": 23322 if !ev.Signal.Target.HasParent() { 23323 return []string{}, &eval.ErrNotSupported{Field: field} 23324 } 23325 return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Signal.Target.Parent), nil 23326 case "signal.target.parent.args_truncated": 23327 if !ev.Signal.Target.HasParent() { 23328 return false, &eval.ErrNotSupported{Field: field} 23329 } 23330 return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Signal.Target.Parent), nil 23331 case "signal.target.parent.argv": 23332 if !ev.Signal.Target.HasParent() { 
23333 return []string{}, &eval.ErrNotSupported{Field: field} 23334 } 23335 return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Signal.Target.Parent), nil 23336 case "signal.target.parent.argv0": 23337 if !ev.Signal.Target.HasParent() { 23338 return "", &eval.ErrNotSupported{Field: field} 23339 } 23340 return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Signal.Target.Parent), nil 23341 case "signal.target.parent.cap_effective": 23342 if !ev.Signal.Target.HasParent() { 23343 return 0, &eval.ErrNotSupported{Field: field} 23344 } 23345 return int(ev.Signal.Target.Parent.Credentials.CapEffective), nil 23346 case "signal.target.parent.cap_permitted": 23347 if !ev.Signal.Target.HasParent() { 23348 return 0, &eval.ErrNotSupported{Field: field} 23349 } 23350 return int(ev.Signal.Target.Parent.Credentials.CapPermitted), nil 23351 case "signal.target.parent.comm": 23352 if !ev.Signal.Target.HasParent() { 23353 return "", &eval.ErrNotSupported{Field: field} 23354 } 23355 return ev.Signal.Target.Parent.Comm, nil 23356 case "signal.target.parent.container.id": 23357 if !ev.Signal.Target.HasParent() { 23358 return "", &eval.ErrNotSupported{Field: field} 23359 } 23360 return ev.Signal.Target.Parent.ContainerID, nil 23361 case "signal.target.parent.created_at": 23362 if !ev.Signal.Target.HasParent() { 23363 return 0, &eval.ErrNotSupported{Field: field} 23364 } 23365 return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Signal.Target.Parent)), nil 23366 case "signal.target.parent.egid": 23367 if !ev.Signal.Target.HasParent() { 23368 return 0, &eval.ErrNotSupported{Field: field} 23369 } 23370 return int(ev.Signal.Target.Parent.Credentials.EGID), nil 23371 case "signal.target.parent.egroup": 23372 if !ev.Signal.Target.HasParent() { 23373 return "", &eval.ErrNotSupported{Field: field} 23374 } 23375 return ev.Signal.Target.Parent.Credentials.EGroup, nil 23376 case "signal.target.parent.envp": 23377 if !ev.Signal.Target.HasParent() { 23378 return []string{}, 
&eval.ErrNotSupported{Field: field} 23379 } 23380 return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Signal.Target.Parent), nil 23381 case "signal.target.parent.envs": 23382 if !ev.Signal.Target.HasParent() { 23383 return []string{}, &eval.ErrNotSupported{Field: field} 23384 } 23385 return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Signal.Target.Parent), nil 23386 case "signal.target.parent.envs_truncated": 23387 if !ev.Signal.Target.HasParent() { 23388 return false, &eval.ErrNotSupported{Field: field} 23389 } 23390 return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Signal.Target.Parent), nil 23391 case "signal.target.parent.euid": 23392 if !ev.Signal.Target.HasParent() { 23393 return 0, &eval.ErrNotSupported{Field: field} 23394 } 23395 return int(ev.Signal.Target.Parent.Credentials.EUID), nil 23396 case "signal.target.parent.euser": 23397 if !ev.Signal.Target.HasParent() { 23398 return "", &eval.ErrNotSupported{Field: field} 23399 } 23400 return ev.Signal.Target.Parent.Credentials.EUser, nil 23401 case "signal.target.parent.file.change_time": 23402 if !ev.Signal.Target.HasParent() { 23403 return 0, &eval.ErrNotSupported{Field: field} 23404 } 23405 if !ev.Signal.Target.Parent.IsNotKworker() { 23406 return 0, &eval.ErrNotSupported{Field: field} 23407 } 23408 return int(ev.Signal.Target.Parent.FileEvent.FileFields.CTime), nil 23409 case "signal.target.parent.file.filesystem": 23410 if !ev.Signal.Target.HasParent() { 23411 return "", &eval.ErrNotSupported{Field: field} 23412 } 23413 if !ev.Signal.Target.Parent.IsNotKworker() { 23414 return "", &eval.ErrNotSupported{Field: field} 23415 } 23416 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Parent.FileEvent), nil 23417 case "signal.target.parent.file.gid": 23418 if !ev.Signal.Target.HasParent() { 23419 return 0, &eval.ErrNotSupported{Field: field} 23420 } 23421 if !ev.Signal.Target.Parent.IsNotKworker() { 23422 return 0, &eval.ErrNotSupported{Field: field} 23423 } 23424 return 
int(ev.Signal.Target.Parent.FileEvent.FileFields.GID), nil 23425 case "signal.target.parent.file.group": 23426 if !ev.Signal.Target.HasParent() { 23427 return "", &eval.ErrNotSupported{Field: field} 23428 } 23429 if !ev.Signal.Target.Parent.IsNotKworker() { 23430 return "", &eval.ErrNotSupported{Field: field} 23431 } 23432 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Parent.FileEvent.FileFields), nil 23433 case "signal.target.parent.file.hashes": 23434 if !ev.Signal.Target.HasParent() { 23435 return []string{}, &eval.ErrNotSupported{Field: field} 23436 } 23437 if !ev.Signal.Target.Parent.IsNotKworker() { 23438 return []string{}, &eval.ErrNotSupported{Field: field} 23439 } 23440 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Parent.FileEvent), nil 23441 case "signal.target.parent.file.in_upper_layer": 23442 if !ev.Signal.Target.HasParent() { 23443 return false, &eval.ErrNotSupported{Field: field} 23444 } 23445 if !ev.Signal.Target.Parent.IsNotKworker() { 23446 return false, &eval.ErrNotSupported{Field: field} 23447 } 23448 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Parent.FileEvent.FileFields), nil 23449 case "signal.target.parent.file.inode": 23450 if !ev.Signal.Target.HasParent() { 23451 return 0, &eval.ErrNotSupported{Field: field} 23452 } 23453 if !ev.Signal.Target.Parent.IsNotKworker() { 23454 return 0, &eval.ErrNotSupported{Field: field} 23455 } 23456 return int(ev.Signal.Target.Parent.FileEvent.FileFields.PathKey.Inode), nil 23457 case "signal.target.parent.file.mode": 23458 if !ev.Signal.Target.HasParent() { 23459 return 0, &eval.ErrNotSupported{Field: field} 23460 } 23461 if !ev.Signal.Target.Parent.IsNotKworker() { 23462 return 0, &eval.ErrNotSupported{Field: field} 23463 } 23464 return int(ev.Signal.Target.Parent.FileEvent.FileFields.Mode), nil 23465 case "signal.target.parent.file.modification_time": 23466 if !ev.Signal.Target.HasParent() { 23467 return 0, 
&eval.ErrNotSupported{Field: field} 23468 } 23469 if !ev.Signal.Target.Parent.IsNotKworker() { 23470 return 0, &eval.ErrNotSupported{Field: field} 23471 } 23472 return int(ev.Signal.Target.Parent.FileEvent.FileFields.MTime), nil 23473 case "signal.target.parent.file.mount_id": 23474 if !ev.Signal.Target.HasParent() { 23475 return 0, &eval.ErrNotSupported{Field: field} 23476 } 23477 if !ev.Signal.Target.Parent.IsNotKworker() { 23478 return 0, &eval.ErrNotSupported{Field: field} 23479 } 23480 return int(ev.Signal.Target.Parent.FileEvent.FileFields.PathKey.MountID), nil 23481 case "signal.target.parent.file.name": 23482 if !ev.Signal.Target.HasParent() { 23483 return "", &eval.ErrNotSupported{Field: field} 23484 } 23485 if !ev.Signal.Target.Parent.IsNotKworker() { 23486 return "", &eval.ErrNotSupported{Field: field} 23487 } 23488 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.FileEvent), nil 23489 case "signal.target.parent.file.name.length": 23490 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.FileEvent), nil 23491 case "signal.target.parent.file.package.name": 23492 if !ev.Signal.Target.HasParent() { 23493 return "", &eval.ErrNotSupported{Field: field} 23494 } 23495 if !ev.Signal.Target.Parent.IsNotKworker() { 23496 return "", &eval.ErrNotSupported{Field: field} 23497 } 23498 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Parent.FileEvent), nil 23499 case "signal.target.parent.file.package.source_version": 23500 if !ev.Signal.Target.HasParent() { 23501 return "", &eval.ErrNotSupported{Field: field} 23502 } 23503 if !ev.Signal.Target.Parent.IsNotKworker() { 23504 return "", &eval.ErrNotSupported{Field: field} 23505 } 23506 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Parent.FileEvent), nil 23507 case "signal.target.parent.file.package.version": 23508 if !ev.Signal.Target.HasParent() { 23509 return "", &eval.ErrNotSupported{Field: field} 23510 } 23511 if 
!ev.Signal.Target.Parent.IsNotKworker() { 23512 return "", &eval.ErrNotSupported{Field: field} 23513 } 23514 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Parent.FileEvent), nil 23515 case "signal.target.parent.file.path": 23516 if !ev.Signal.Target.HasParent() { 23517 return "", &eval.ErrNotSupported{Field: field} 23518 } 23519 if !ev.Signal.Target.Parent.IsNotKworker() { 23520 return "", &eval.ErrNotSupported{Field: field} 23521 } 23522 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.FileEvent), nil 23523 case "signal.target.parent.file.path.length": 23524 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.FileEvent), nil 23525 case "signal.target.parent.file.rights": 23526 if !ev.Signal.Target.HasParent() { 23527 return 0, &eval.ErrNotSupported{Field: field} 23528 } 23529 if !ev.Signal.Target.Parent.IsNotKworker() { 23530 return 0, &eval.ErrNotSupported{Field: field} 23531 } 23532 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Parent.FileEvent.FileFields)), nil 23533 case "signal.target.parent.file.uid": 23534 if !ev.Signal.Target.HasParent() { 23535 return 0, &eval.ErrNotSupported{Field: field} 23536 } 23537 if !ev.Signal.Target.Parent.IsNotKworker() { 23538 return 0, &eval.ErrNotSupported{Field: field} 23539 } 23540 return int(ev.Signal.Target.Parent.FileEvent.FileFields.UID), nil 23541 case "signal.target.parent.file.user": 23542 if !ev.Signal.Target.HasParent() { 23543 return "", &eval.ErrNotSupported{Field: field} 23544 } 23545 if !ev.Signal.Target.Parent.IsNotKworker() { 23546 return "", &eval.ErrNotSupported{Field: field} 23547 } 23548 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Parent.FileEvent.FileFields), nil 23549 case "signal.target.parent.fsgid": 23550 if !ev.Signal.Target.HasParent() { 23551 return 0, &eval.ErrNotSupported{Field: field} 23552 } 23553 return int(ev.Signal.Target.Parent.Credentials.FSGID), nil 23554 case 
"signal.target.parent.fsgroup": 23555 if !ev.Signal.Target.HasParent() { 23556 return "", &eval.ErrNotSupported{Field: field} 23557 } 23558 return ev.Signal.Target.Parent.Credentials.FSGroup, nil 23559 case "signal.target.parent.fsuid": 23560 if !ev.Signal.Target.HasParent() { 23561 return 0, &eval.ErrNotSupported{Field: field} 23562 } 23563 return int(ev.Signal.Target.Parent.Credentials.FSUID), nil 23564 case "signal.target.parent.fsuser": 23565 if !ev.Signal.Target.HasParent() { 23566 return "", &eval.ErrNotSupported{Field: field} 23567 } 23568 return ev.Signal.Target.Parent.Credentials.FSUser, nil 23569 case "signal.target.parent.gid": 23570 if !ev.Signal.Target.HasParent() { 23571 return 0, &eval.ErrNotSupported{Field: field} 23572 } 23573 return int(ev.Signal.Target.Parent.Credentials.GID), nil 23574 case "signal.target.parent.group": 23575 if !ev.Signal.Target.HasParent() { 23576 return "", &eval.ErrNotSupported{Field: field} 23577 } 23578 return ev.Signal.Target.Parent.Credentials.Group, nil 23579 case "signal.target.parent.interpreter.file.change_time": 23580 if !ev.Signal.Target.HasParent() { 23581 return 0, &eval.ErrNotSupported{Field: field} 23582 } 23583 if !ev.Signal.Target.Parent.HasInterpreter() { 23584 return 0, &eval.ErrNotSupported{Field: field} 23585 } 23586 return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.CTime), nil 23587 case "signal.target.parent.interpreter.file.filesystem": 23588 if !ev.Signal.Target.HasParent() { 23589 return "", &eval.ErrNotSupported{Field: field} 23590 } 23591 if !ev.Signal.Target.Parent.HasInterpreter() { 23592 return "", &eval.ErrNotSupported{Field: field} 23593 } 23594 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil 23595 case "signal.target.parent.interpreter.file.gid": 23596 if !ev.Signal.Target.HasParent() { 23597 return 0, &eval.ErrNotSupported{Field: field} 23598 } 23599 if !ev.Signal.Target.Parent.HasInterpreter() { 23600 return 0, 
&eval.ErrNotSupported{Field: field} 23601 } 23602 return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.GID), nil 23603 case "signal.target.parent.interpreter.file.group": 23604 if !ev.Signal.Target.HasParent() { 23605 return "", &eval.ErrNotSupported{Field: field} 23606 } 23607 if !ev.Signal.Target.Parent.HasInterpreter() { 23608 return "", &eval.ErrNotSupported{Field: field} 23609 } 23610 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields), nil 23611 case "signal.target.parent.interpreter.file.hashes": 23612 if !ev.Signal.Target.HasParent() { 23613 return []string{}, &eval.ErrNotSupported{Field: field} 23614 } 23615 if !ev.Signal.Target.Parent.HasInterpreter() { 23616 return []string{}, &eval.ErrNotSupported{Field: field} 23617 } 23618 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil 23619 case "signal.target.parent.interpreter.file.in_upper_layer": 23620 if !ev.Signal.Target.HasParent() { 23621 return false, &eval.ErrNotSupported{Field: field} 23622 } 23623 if !ev.Signal.Target.Parent.HasInterpreter() { 23624 return false, &eval.ErrNotSupported{Field: field} 23625 } 23626 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields), nil 23627 case "signal.target.parent.interpreter.file.inode": 23628 if !ev.Signal.Target.HasParent() { 23629 return 0, &eval.ErrNotSupported{Field: field} 23630 } 23631 if !ev.Signal.Target.Parent.HasInterpreter() { 23632 return 0, &eval.ErrNotSupported{Field: field} 23633 } 23634 return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode), nil 23635 case "signal.target.parent.interpreter.file.mode": 23636 if !ev.Signal.Target.HasParent() { 23637 return 0, &eval.ErrNotSupported{Field: field} 23638 } 23639 if !ev.Signal.Target.Parent.HasInterpreter() { 23640 return 0, &eval.ErrNotSupported{Field: field} 23641 } 23642 return 
int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.Mode), nil 23643 case "signal.target.parent.interpreter.file.modification_time": 23644 if !ev.Signal.Target.HasParent() { 23645 return 0, &eval.ErrNotSupported{Field: field} 23646 } 23647 if !ev.Signal.Target.Parent.HasInterpreter() { 23648 return 0, &eval.ErrNotSupported{Field: field} 23649 } 23650 return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.MTime), nil 23651 case "signal.target.parent.interpreter.file.mount_id": 23652 if !ev.Signal.Target.HasParent() { 23653 return 0, &eval.ErrNotSupported{Field: field} 23654 } 23655 if !ev.Signal.Target.Parent.HasInterpreter() { 23656 return 0, &eval.ErrNotSupported{Field: field} 23657 } 23658 return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID), nil 23659 case "signal.target.parent.interpreter.file.name": 23660 if !ev.Signal.Target.HasParent() { 23661 return "", &eval.ErrNotSupported{Field: field} 23662 } 23663 if !ev.Signal.Target.Parent.HasInterpreter() { 23664 return "", &eval.ErrNotSupported{Field: field} 23665 } 23666 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil 23667 case "signal.target.parent.interpreter.file.name.length": 23668 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil 23669 case "signal.target.parent.interpreter.file.package.name": 23670 if !ev.Signal.Target.HasParent() { 23671 return "", &eval.ErrNotSupported{Field: field} 23672 } 23673 if !ev.Signal.Target.Parent.HasInterpreter() { 23674 return "", &eval.ErrNotSupported{Field: field} 23675 } 23676 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil 23677 case "signal.target.parent.interpreter.file.package.source_version": 23678 if !ev.Signal.Target.HasParent() { 23679 return "", &eval.ErrNotSupported{Field: field} 23680 } 23681 if !ev.Signal.Target.Parent.HasInterpreter() { 23682 return "", 
&eval.ErrNotSupported{Field: field} 23683 } 23684 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil 23685 case "signal.target.parent.interpreter.file.package.version": 23686 if !ev.Signal.Target.HasParent() { 23687 return "", &eval.ErrNotSupported{Field: field} 23688 } 23689 if !ev.Signal.Target.Parent.HasInterpreter() { 23690 return "", &eval.ErrNotSupported{Field: field} 23691 } 23692 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil 23693 case "signal.target.parent.interpreter.file.path": 23694 if !ev.Signal.Target.HasParent() { 23695 return "", &eval.ErrNotSupported{Field: field} 23696 } 23697 if !ev.Signal.Target.Parent.HasInterpreter() { 23698 return "", &eval.ErrNotSupported{Field: field} 23699 } 23700 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil 23701 case "signal.target.parent.interpreter.file.path.length": 23702 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent), nil 23703 case "signal.target.parent.interpreter.file.rights": 23704 if !ev.Signal.Target.HasParent() { 23705 return 0, &eval.ErrNotSupported{Field: field} 23706 } 23707 if !ev.Signal.Target.Parent.HasInterpreter() { 23708 return 0, &eval.ErrNotSupported{Field: field} 23709 } 23710 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields)), nil 23711 case "signal.target.parent.interpreter.file.uid": 23712 if !ev.Signal.Target.HasParent() { 23713 return 0, &eval.ErrNotSupported{Field: field} 23714 } 23715 if !ev.Signal.Target.Parent.HasInterpreter() { 23716 return 0, &eval.ErrNotSupported{Field: field} 23717 } 23718 return int(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.UID), nil 23719 case "signal.target.parent.interpreter.file.user": 23720 if !ev.Signal.Target.HasParent() { 23721 return "", &eval.ErrNotSupported{Field: field} 23722 } 
23723 if !ev.Signal.Target.Parent.HasInterpreter() { 23724 return "", &eval.ErrNotSupported{Field: field} 23725 } 23726 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields), nil 23727 case "signal.target.parent.is_kworker": 23728 if !ev.Signal.Target.HasParent() { 23729 return false, &eval.ErrNotSupported{Field: field} 23730 } 23731 return ev.Signal.Target.Parent.PIDContext.IsKworker, nil 23732 case "signal.target.parent.is_thread": 23733 if !ev.Signal.Target.HasParent() { 23734 return false, &eval.ErrNotSupported{Field: field} 23735 } 23736 return ev.Signal.Target.Parent.IsThread, nil 23737 case "signal.target.parent.pid": 23738 if !ev.Signal.Target.HasParent() { 23739 return 0, &eval.ErrNotSupported{Field: field} 23740 } 23741 return int(ev.Signal.Target.Parent.PIDContext.Pid), nil 23742 case "signal.target.parent.ppid": 23743 if !ev.Signal.Target.HasParent() { 23744 return 0, &eval.ErrNotSupported{Field: field} 23745 } 23746 return int(ev.Signal.Target.Parent.PPid), nil 23747 case "signal.target.parent.tid": 23748 if !ev.Signal.Target.HasParent() { 23749 return 0, &eval.ErrNotSupported{Field: field} 23750 } 23751 return int(ev.Signal.Target.Parent.PIDContext.Tid), nil 23752 case "signal.target.parent.tty_name": 23753 if !ev.Signal.Target.HasParent() { 23754 return "", &eval.ErrNotSupported{Field: field} 23755 } 23756 return ev.Signal.Target.Parent.TTYName, nil 23757 case "signal.target.parent.uid": 23758 if !ev.Signal.Target.HasParent() { 23759 return 0, &eval.ErrNotSupported{Field: field} 23760 } 23761 return int(ev.Signal.Target.Parent.Credentials.UID), nil 23762 case "signal.target.parent.user": 23763 if !ev.Signal.Target.HasParent() { 23764 return "", &eval.ErrNotSupported{Field: field} 23765 } 23766 return ev.Signal.Target.Parent.Credentials.User, nil 23767 case "signal.target.parent.user_session.k8s_groups": 23768 if !ev.Signal.Target.HasParent() { 23769 return []string{}, &eval.ErrNotSupported{Field: 
field} 23770 } 23771 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Signal.Target.Parent.UserSession), nil 23772 case "signal.target.parent.user_session.k8s_uid": 23773 if !ev.Signal.Target.HasParent() { 23774 return "", &eval.ErrNotSupported{Field: field} 23775 } 23776 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Signal.Target.Parent.UserSession), nil 23777 case "signal.target.parent.user_session.k8s_username": 23778 if !ev.Signal.Target.HasParent() { 23779 return "", &eval.ErrNotSupported{Field: field} 23780 } 23781 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Signal.Target.Parent.UserSession), nil 23782 case "signal.target.pid": 23783 return int(ev.Signal.Target.Process.PIDContext.Pid), nil 23784 case "signal.target.ppid": 23785 return int(ev.Signal.Target.Process.PPid), nil 23786 case "signal.target.tid": 23787 return int(ev.Signal.Target.Process.PIDContext.Tid), nil 23788 case "signal.target.tty_name": 23789 return ev.Signal.Target.Process.TTYName, nil 23790 case "signal.target.uid": 23791 return int(ev.Signal.Target.Process.Credentials.UID), nil 23792 case "signal.target.user": 23793 return ev.Signal.Target.Process.Credentials.User, nil 23794 case "signal.target.user_session.k8s_groups": 23795 return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Signal.Target.Process.UserSession), nil 23796 case "signal.target.user_session.k8s_uid": 23797 return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Signal.Target.Process.UserSession), nil 23798 case "signal.target.user_session.k8s_username": 23799 return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Signal.Target.Process.UserSession), nil 23800 case "signal.type": 23801 return int(ev.Signal.Type), nil 23802 case "splice.file.change_time": 23803 return int(ev.Splice.File.FileFields.CTime), nil 23804 case "splice.file.filesystem": 23805 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Splice.File), nil 23806 case "splice.file.gid": 23807 return int(ev.Splice.File.FileFields.GID), nil 23808 case "splice.file.group": 
23809 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Splice.File.FileFields), nil 23810 case "splice.file.hashes": 23811 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Splice.File), nil 23812 case "splice.file.in_upper_layer": 23813 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Splice.File.FileFields), nil 23814 case "splice.file.inode": 23815 return int(ev.Splice.File.FileFields.PathKey.Inode), nil 23816 case "splice.file.mode": 23817 return int(ev.Splice.File.FileFields.Mode), nil 23818 case "splice.file.modification_time": 23819 return int(ev.Splice.File.FileFields.MTime), nil 23820 case "splice.file.mount_id": 23821 return int(ev.Splice.File.FileFields.PathKey.MountID), nil 23822 case "splice.file.name": 23823 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Splice.File), nil 23824 case "splice.file.name.length": 23825 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Splice.File), nil 23826 case "splice.file.package.name": 23827 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Splice.File), nil 23828 case "splice.file.package.source_version": 23829 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Splice.File), nil 23830 case "splice.file.package.version": 23831 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Splice.File), nil 23832 case "splice.file.path": 23833 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Splice.File), nil 23834 case "splice.file.path.length": 23835 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Splice.File), nil 23836 case "splice.file.rights": 23837 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Splice.File.FileFields)), nil 23838 case "splice.file.uid": 23839 return int(ev.Splice.File.FileFields.UID), nil 23840 case "splice.file.user": 23841 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Splice.File.FileFields), nil 23842 case "splice.pipe_entry_flag": 23843 return int(ev.Splice.PipeEntryFlag), nil 23844 case "splice.pipe_exit_flag": 23845 return 
int(ev.Splice.PipeExitFlag), nil 23846 case "splice.retval": 23847 return int(ev.Splice.SyscallEvent.Retval), nil 23848 case "unlink.file.change_time": 23849 return int(ev.Unlink.File.FileFields.CTime), nil 23850 case "unlink.file.filesystem": 23851 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Unlink.File), nil 23852 case "unlink.file.gid": 23853 return int(ev.Unlink.File.FileFields.GID), nil 23854 case "unlink.file.group": 23855 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Unlink.File.FileFields), nil 23856 case "unlink.file.hashes": 23857 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Unlink.File), nil 23858 case "unlink.file.in_upper_layer": 23859 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Unlink.File.FileFields), nil 23860 case "unlink.file.inode": 23861 return int(ev.Unlink.File.FileFields.PathKey.Inode), nil 23862 case "unlink.file.mode": 23863 return int(ev.Unlink.File.FileFields.Mode), nil 23864 case "unlink.file.modification_time": 23865 return int(ev.Unlink.File.FileFields.MTime), nil 23866 case "unlink.file.mount_id": 23867 return int(ev.Unlink.File.FileFields.PathKey.MountID), nil 23868 case "unlink.file.name": 23869 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Unlink.File), nil 23870 case "unlink.file.name.length": 23871 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Unlink.File), nil 23872 case "unlink.file.package.name": 23873 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Unlink.File), nil 23874 case "unlink.file.package.source_version": 23875 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Unlink.File), nil 23876 case "unlink.file.package.version": 23877 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Unlink.File), nil 23878 case "unlink.file.path": 23879 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Unlink.File), nil 23880 case "unlink.file.path.length": 23881 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Unlink.File), nil 23882 case "unlink.file.rights": 23883 
return int(ev.FieldHandlers.ResolveRights(ev, &ev.Unlink.File.FileFields)), nil 23884 case "unlink.file.uid": 23885 return int(ev.Unlink.File.FileFields.UID), nil 23886 case "unlink.file.user": 23887 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Unlink.File.FileFields), nil 23888 case "unlink.flags": 23889 return int(ev.Unlink.Flags), nil 23890 case "unlink.retval": 23891 return int(ev.Unlink.SyscallEvent.Retval), nil 23892 case "unload_module.name": 23893 return ev.UnloadModule.Name, nil 23894 case "unload_module.retval": 23895 return int(ev.UnloadModule.SyscallEvent.Retval), nil 23896 case "utimes.file.change_time": 23897 return int(ev.Utimes.File.FileFields.CTime), nil 23898 case "utimes.file.filesystem": 23899 return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Utimes.File), nil 23900 case "utimes.file.gid": 23901 return int(ev.Utimes.File.FileFields.GID), nil 23902 case "utimes.file.group": 23903 return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Utimes.File.FileFields), nil 23904 case "utimes.file.hashes": 23905 return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Utimes.File), nil 23906 case "utimes.file.in_upper_layer": 23907 return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Utimes.File.FileFields), nil 23908 case "utimes.file.inode": 23909 return int(ev.Utimes.File.FileFields.PathKey.Inode), nil 23910 case "utimes.file.mode": 23911 return int(ev.Utimes.File.FileFields.Mode), nil 23912 case "utimes.file.modification_time": 23913 return int(ev.Utimes.File.FileFields.MTime), nil 23914 case "utimes.file.mount_id": 23915 return int(ev.Utimes.File.FileFields.PathKey.MountID), nil 23916 case "utimes.file.name": 23917 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Utimes.File), nil 23918 case "utimes.file.name.length": 23919 return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Utimes.File), nil 23920 case "utimes.file.package.name": 23921 return ev.FieldHandlers.ResolvePackageName(ev, &ev.Utimes.File), nil 23922 case 
"utimes.file.package.source_version": 23923 return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Utimes.File), nil 23924 case "utimes.file.package.version": 23925 return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Utimes.File), nil 23926 case "utimes.file.path": 23927 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Utimes.File), nil 23928 case "utimes.file.path.length": 23929 return ev.FieldHandlers.ResolveFilePath(ev, &ev.Utimes.File), nil 23930 case "utimes.file.rights": 23931 return int(ev.FieldHandlers.ResolveRights(ev, &ev.Utimes.File.FileFields)), nil 23932 case "utimes.file.uid": 23933 return int(ev.Utimes.File.FileFields.UID), nil 23934 case "utimes.file.user": 23935 return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Utimes.File.FileFields), nil 23936 case "utimes.retval": 23937 return int(ev.Utimes.SyscallEvent.Retval), nil 23938 } 23939 return nil, &eval.ErrFieldNotFound{Field: field} 23940 } 23941 func (ev *Event) GetFieldEventType(field eval.Field) (eval.EventType, error) { 23942 switch field { 23943 case "bind.addr.family": 23944 return "bind", nil 23945 case "bind.addr.ip": 23946 return "bind", nil 23947 case "bind.addr.port": 23948 return "bind", nil 23949 case "bind.retval": 23950 return "bind", nil 23951 case "bpf.cmd": 23952 return "bpf", nil 23953 case "bpf.map.name": 23954 return "bpf", nil 23955 case "bpf.map.type": 23956 return "bpf", nil 23957 case "bpf.prog.attach_type": 23958 return "bpf", nil 23959 case "bpf.prog.helpers": 23960 return "bpf", nil 23961 case "bpf.prog.name": 23962 return "bpf", nil 23963 case "bpf.prog.tag": 23964 return "bpf", nil 23965 case "bpf.prog.type": 23966 return "bpf", nil 23967 case "bpf.retval": 23968 return "bpf", nil 23969 case "capset.cap_effective": 23970 return "capset", nil 23971 case "capset.cap_permitted": 23972 return "capset", nil 23973 case "chdir.file.change_time": 23974 return "chdir", nil 23975 case "chdir.file.filesystem": 23976 return "chdir", nil 23977 case "chdir.file.gid": 23978 
return "chdir", nil 23979 case "chdir.file.group": 23980 return "chdir", nil 23981 case "chdir.file.hashes": 23982 return "chdir", nil 23983 case "chdir.file.in_upper_layer": 23984 return "chdir", nil 23985 case "chdir.file.inode": 23986 return "chdir", nil 23987 case "chdir.file.mode": 23988 return "chdir", nil 23989 case "chdir.file.modification_time": 23990 return "chdir", nil 23991 case "chdir.file.mount_id": 23992 return "chdir", nil 23993 case "chdir.file.name": 23994 return "chdir", nil 23995 case "chdir.file.name.length": 23996 return "chdir", nil 23997 case "chdir.file.package.name": 23998 return "chdir", nil 23999 case "chdir.file.package.source_version": 24000 return "chdir", nil 24001 case "chdir.file.package.version": 24002 return "chdir", nil 24003 case "chdir.file.path": 24004 return "chdir", nil 24005 case "chdir.file.path.length": 24006 return "chdir", nil 24007 case "chdir.file.rights": 24008 return "chdir", nil 24009 case "chdir.file.uid": 24010 return "chdir", nil 24011 case "chdir.file.user": 24012 return "chdir", nil 24013 case "chdir.retval": 24014 return "chdir", nil 24015 case "chmod.file.change_time": 24016 return "chmod", nil 24017 case "chmod.file.destination.mode": 24018 return "chmod", nil 24019 case "chmod.file.destination.rights": 24020 return "chmod", nil 24021 case "chmod.file.filesystem": 24022 return "chmod", nil 24023 case "chmod.file.gid": 24024 return "chmod", nil 24025 case "chmod.file.group": 24026 return "chmod", nil 24027 case "chmod.file.hashes": 24028 return "chmod", nil 24029 case "chmod.file.in_upper_layer": 24030 return "chmod", nil 24031 case "chmod.file.inode": 24032 return "chmod", nil 24033 case "chmod.file.mode": 24034 return "chmod", nil 24035 case "chmod.file.modification_time": 24036 return "chmod", nil 24037 case "chmod.file.mount_id": 24038 return "chmod", nil 24039 case "chmod.file.name": 24040 return "chmod", nil 24041 case "chmod.file.name.length": 24042 return "chmod", nil 24043 case 
"chmod.file.package.name": 24044 return "chmod", nil 24045 case "chmod.file.package.source_version": 24046 return "chmod", nil 24047 case "chmod.file.package.version": 24048 return "chmod", nil 24049 case "chmod.file.path": 24050 return "chmod", nil 24051 case "chmod.file.path.length": 24052 return "chmod", nil 24053 case "chmod.file.rights": 24054 return "chmod", nil 24055 case "chmod.file.uid": 24056 return "chmod", nil 24057 case "chmod.file.user": 24058 return "chmod", nil 24059 case "chmod.retval": 24060 return "chmod", nil 24061 case "chown.file.change_time": 24062 return "chown", nil 24063 case "chown.file.destination.gid": 24064 return "chown", nil 24065 case "chown.file.destination.group": 24066 return "chown", nil 24067 case "chown.file.destination.uid": 24068 return "chown", nil 24069 case "chown.file.destination.user": 24070 return "chown", nil 24071 case "chown.file.filesystem": 24072 return "chown", nil 24073 case "chown.file.gid": 24074 return "chown", nil 24075 case "chown.file.group": 24076 return "chown", nil 24077 case "chown.file.hashes": 24078 return "chown", nil 24079 case "chown.file.in_upper_layer": 24080 return "chown", nil 24081 case "chown.file.inode": 24082 return "chown", nil 24083 case "chown.file.mode": 24084 return "chown", nil 24085 case "chown.file.modification_time": 24086 return "chown", nil 24087 case "chown.file.mount_id": 24088 return "chown", nil 24089 case "chown.file.name": 24090 return "chown", nil 24091 case "chown.file.name.length": 24092 return "chown", nil 24093 case "chown.file.package.name": 24094 return "chown", nil 24095 case "chown.file.package.source_version": 24096 return "chown", nil 24097 case "chown.file.package.version": 24098 return "chown", nil 24099 case "chown.file.path": 24100 return "chown", nil 24101 case "chown.file.path.length": 24102 return "chown", nil 24103 case "chown.file.rights": 24104 return "chown", nil 24105 case "chown.file.uid": 24106 return "chown", nil 24107 case "chown.file.user": 
24108 return "chown", nil 24109 case "chown.retval": 24110 return "chown", nil 24111 case "container.created_at": 24112 return "*", nil 24113 case "container.id": 24114 return "*", nil 24115 case "container.tags": 24116 return "*", nil 24117 case "dns.id": 24118 return "dns", nil 24119 case "dns.question.class": 24120 return "dns", nil 24121 case "dns.question.count": 24122 return "dns", nil 24123 case "dns.question.length": 24124 return "dns", nil 24125 case "dns.question.name": 24126 return "dns", nil 24127 case "dns.question.name.length": 24128 return "dns", nil 24129 case "dns.question.type": 24130 return "dns", nil 24131 case "event.async": 24132 return "*", nil 24133 case "event.origin": 24134 return "*", nil 24135 case "event.os": 24136 return "*", nil 24137 case "event.service": 24138 return "*", nil 24139 case "event.timestamp": 24140 return "*", nil 24141 case "exec.args": 24142 return "exec", nil 24143 case "exec.args_flags": 24144 return "exec", nil 24145 case "exec.args_options": 24146 return "exec", nil 24147 case "exec.args_truncated": 24148 return "exec", nil 24149 case "exec.argv": 24150 return "exec", nil 24151 case "exec.argv0": 24152 return "exec", nil 24153 case "exec.cap_effective": 24154 return "exec", nil 24155 case "exec.cap_permitted": 24156 return "exec", nil 24157 case "exec.comm": 24158 return "exec", nil 24159 case "exec.container.id": 24160 return "exec", nil 24161 case "exec.created_at": 24162 return "exec", nil 24163 case "exec.egid": 24164 return "exec", nil 24165 case "exec.egroup": 24166 return "exec", nil 24167 case "exec.envp": 24168 return "exec", nil 24169 case "exec.envs": 24170 return "exec", nil 24171 case "exec.envs_truncated": 24172 return "exec", nil 24173 case "exec.euid": 24174 return "exec", nil 24175 case "exec.euser": 24176 return "exec", nil 24177 case "exec.file.change_time": 24178 return "exec", nil 24179 case "exec.file.filesystem": 24180 return "exec", nil 24181 case "exec.file.gid": 24182 return "exec", nil 
24183 case "exec.file.group": 24184 return "exec", nil 24185 case "exec.file.hashes": 24186 return "exec", nil 24187 case "exec.file.in_upper_layer": 24188 return "exec", nil 24189 case "exec.file.inode": 24190 return "exec", nil 24191 case "exec.file.mode": 24192 return "exec", nil 24193 case "exec.file.modification_time": 24194 return "exec", nil 24195 case "exec.file.mount_id": 24196 return "exec", nil 24197 case "exec.file.name": 24198 return "exec", nil 24199 case "exec.file.name.length": 24200 return "exec", nil 24201 case "exec.file.package.name": 24202 return "exec", nil 24203 case "exec.file.package.source_version": 24204 return "exec", nil 24205 case "exec.file.package.version": 24206 return "exec", nil 24207 case "exec.file.path": 24208 return "exec", nil 24209 case "exec.file.path.length": 24210 return "exec", nil 24211 case "exec.file.rights": 24212 return "exec", nil 24213 case "exec.file.uid": 24214 return "exec", nil 24215 case "exec.file.user": 24216 return "exec", nil 24217 case "exec.fsgid": 24218 return "exec", nil 24219 case "exec.fsgroup": 24220 return "exec", nil 24221 case "exec.fsuid": 24222 return "exec", nil 24223 case "exec.fsuser": 24224 return "exec", nil 24225 case "exec.gid": 24226 return "exec", nil 24227 case "exec.group": 24228 return "exec", nil 24229 case "exec.interpreter.file.change_time": 24230 return "exec", nil 24231 case "exec.interpreter.file.filesystem": 24232 return "exec", nil 24233 case "exec.interpreter.file.gid": 24234 return "exec", nil 24235 case "exec.interpreter.file.group": 24236 return "exec", nil 24237 case "exec.interpreter.file.hashes": 24238 return "exec", nil 24239 case "exec.interpreter.file.in_upper_layer": 24240 return "exec", nil 24241 case "exec.interpreter.file.inode": 24242 return "exec", nil 24243 case "exec.interpreter.file.mode": 24244 return "exec", nil 24245 case "exec.interpreter.file.modification_time": 24246 return "exec", nil 24247 case "exec.interpreter.file.mount_id": 24248 return 
"exec", nil 24249 case "exec.interpreter.file.name": 24250 return "exec", nil 24251 case "exec.interpreter.file.name.length": 24252 return "exec", nil 24253 case "exec.interpreter.file.package.name": 24254 return "exec", nil 24255 case "exec.interpreter.file.package.source_version": 24256 return "exec", nil 24257 case "exec.interpreter.file.package.version": 24258 return "exec", nil 24259 case "exec.interpreter.file.path": 24260 return "exec", nil 24261 case "exec.interpreter.file.path.length": 24262 return "exec", nil 24263 case "exec.interpreter.file.rights": 24264 return "exec", nil 24265 case "exec.interpreter.file.uid": 24266 return "exec", nil 24267 case "exec.interpreter.file.user": 24268 return "exec", nil 24269 case "exec.is_kworker": 24270 return "exec", nil 24271 case "exec.is_thread": 24272 return "exec", nil 24273 case "exec.pid": 24274 return "exec", nil 24275 case "exec.ppid": 24276 return "exec", nil 24277 case "exec.tid": 24278 return "exec", nil 24279 case "exec.tty_name": 24280 return "exec", nil 24281 case "exec.uid": 24282 return "exec", nil 24283 case "exec.user": 24284 return "exec", nil 24285 case "exec.user_session.k8s_groups": 24286 return "exec", nil 24287 case "exec.user_session.k8s_uid": 24288 return "exec", nil 24289 case "exec.user_session.k8s_username": 24290 return "exec", nil 24291 case "exit.args": 24292 return "exit", nil 24293 case "exit.args_flags": 24294 return "exit", nil 24295 case "exit.args_options": 24296 return "exit", nil 24297 case "exit.args_truncated": 24298 return "exit", nil 24299 case "exit.argv": 24300 return "exit", nil 24301 case "exit.argv0": 24302 return "exit", nil 24303 case "exit.cap_effective": 24304 return "exit", nil 24305 case "exit.cap_permitted": 24306 return "exit", nil 24307 case "exit.cause": 24308 return "exit", nil 24309 case "exit.code": 24310 return "exit", nil 24311 case "exit.comm": 24312 return "exit", nil 24313 case "exit.container.id": 24314 return "exit", nil 24315 case 
"exit.created_at": 24316 return "exit", nil 24317 case "exit.egid": 24318 return "exit", nil 24319 case "exit.egroup": 24320 return "exit", nil 24321 case "exit.envp": 24322 return "exit", nil 24323 case "exit.envs": 24324 return "exit", nil 24325 case "exit.envs_truncated": 24326 return "exit", nil 24327 case "exit.euid": 24328 return "exit", nil 24329 case "exit.euser": 24330 return "exit", nil 24331 case "exit.file.change_time": 24332 return "exit", nil 24333 case "exit.file.filesystem": 24334 return "exit", nil 24335 case "exit.file.gid": 24336 return "exit", nil 24337 case "exit.file.group": 24338 return "exit", nil 24339 case "exit.file.hashes": 24340 return "exit", nil 24341 case "exit.file.in_upper_layer": 24342 return "exit", nil 24343 case "exit.file.inode": 24344 return "exit", nil 24345 case "exit.file.mode": 24346 return "exit", nil 24347 case "exit.file.modification_time": 24348 return "exit", nil 24349 case "exit.file.mount_id": 24350 return "exit", nil 24351 case "exit.file.name": 24352 return "exit", nil 24353 case "exit.file.name.length": 24354 return "exit", nil 24355 case "exit.file.package.name": 24356 return "exit", nil 24357 case "exit.file.package.source_version": 24358 return "exit", nil 24359 case "exit.file.package.version": 24360 return "exit", nil 24361 case "exit.file.path": 24362 return "exit", nil 24363 case "exit.file.path.length": 24364 return "exit", nil 24365 case "exit.file.rights": 24366 return "exit", nil 24367 case "exit.file.uid": 24368 return "exit", nil 24369 case "exit.file.user": 24370 return "exit", nil 24371 case "exit.fsgid": 24372 return "exit", nil 24373 case "exit.fsgroup": 24374 return "exit", nil 24375 case "exit.fsuid": 24376 return "exit", nil 24377 case "exit.fsuser": 24378 return "exit", nil 24379 case "exit.gid": 24380 return "exit", nil 24381 case "exit.group": 24382 return "exit", nil 24383 case "exit.interpreter.file.change_time": 24384 return "exit", nil 24385 case "exit.interpreter.file.filesystem": 
24386 return "exit", nil 24387 case "exit.interpreter.file.gid": 24388 return "exit", nil 24389 case "exit.interpreter.file.group": 24390 return "exit", nil 24391 case "exit.interpreter.file.hashes": 24392 return "exit", nil 24393 case "exit.interpreter.file.in_upper_layer": 24394 return "exit", nil 24395 case "exit.interpreter.file.inode": 24396 return "exit", nil 24397 case "exit.interpreter.file.mode": 24398 return "exit", nil 24399 case "exit.interpreter.file.modification_time": 24400 return "exit", nil 24401 case "exit.interpreter.file.mount_id": 24402 return "exit", nil 24403 case "exit.interpreter.file.name": 24404 return "exit", nil 24405 case "exit.interpreter.file.name.length": 24406 return "exit", nil 24407 case "exit.interpreter.file.package.name": 24408 return "exit", nil 24409 case "exit.interpreter.file.package.source_version": 24410 return "exit", nil 24411 case "exit.interpreter.file.package.version": 24412 return "exit", nil 24413 case "exit.interpreter.file.path": 24414 return "exit", nil 24415 case "exit.interpreter.file.path.length": 24416 return "exit", nil 24417 case "exit.interpreter.file.rights": 24418 return "exit", nil 24419 case "exit.interpreter.file.uid": 24420 return "exit", nil 24421 case "exit.interpreter.file.user": 24422 return "exit", nil 24423 case "exit.is_kworker": 24424 return "exit", nil 24425 case "exit.is_thread": 24426 return "exit", nil 24427 case "exit.pid": 24428 return "exit", nil 24429 case "exit.ppid": 24430 return "exit", nil 24431 case "exit.tid": 24432 return "exit", nil 24433 case "exit.tty_name": 24434 return "exit", nil 24435 case "exit.uid": 24436 return "exit", nil 24437 case "exit.user": 24438 return "exit", nil 24439 case "exit.user_session.k8s_groups": 24440 return "exit", nil 24441 case "exit.user_session.k8s_uid": 24442 return "exit", nil 24443 case "exit.user_session.k8s_username": 24444 return "exit", nil 24445 case "link.file.change_time": 24446 return "link", nil 24447 case 
"link.file.destination.change_time": 24448 return "link", nil 24449 case "link.file.destination.filesystem": 24450 return "link", nil 24451 case "link.file.destination.gid": 24452 return "link", nil 24453 case "link.file.destination.group": 24454 return "link", nil 24455 case "link.file.destination.hashes": 24456 return "link", nil 24457 case "link.file.destination.in_upper_layer": 24458 return "link", nil 24459 case "link.file.destination.inode": 24460 return "link", nil 24461 case "link.file.destination.mode": 24462 return "link", nil 24463 case "link.file.destination.modification_time": 24464 return "link", nil 24465 case "link.file.destination.mount_id": 24466 return "link", nil 24467 case "link.file.destination.name": 24468 return "link", nil 24469 case "link.file.destination.name.length": 24470 return "link", nil 24471 case "link.file.destination.package.name": 24472 return "link", nil 24473 case "link.file.destination.package.source_version": 24474 return "link", nil 24475 case "link.file.destination.package.version": 24476 return "link", nil 24477 case "link.file.destination.path": 24478 return "link", nil 24479 case "link.file.destination.path.length": 24480 return "link", nil 24481 case "link.file.destination.rights": 24482 return "link", nil 24483 case "link.file.destination.uid": 24484 return "link", nil 24485 case "link.file.destination.user": 24486 return "link", nil 24487 case "link.file.filesystem": 24488 return "link", nil 24489 case "link.file.gid": 24490 return "link", nil 24491 case "link.file.group": 24492 return "link", nil 24493 case "link.file.hashes": 24494 return "link", nil 24495 case "link.file.in_upper_layer": 24496 return "link", nil 24497 case "link.file.inode": 24498 return "link", nil 24499 case "link.file.mode": 24500 return "link", nil 24501 case "link.file.modification_time": 24502 return "link", nil 24503 case "link.file.mount_id": 24504 return "link", nil 24505 case "link.file.name": 24506 return "link", nil 24507 case 
"link.file.name.length": 24508 return "link", nil 24509 case "link.file.package.name": 24510 return "link", nil 24511 case "link.file.package.source_version": 24512 return "link", nil 24513 case "link.file.package.version": 24514 return "link", nil 24515 case "link.file.path": 24516 return "link", nil 24517 case "link.file.path.length": 24518 return "link", nil 24519 case "link.file.rights": 24520 return "link", nil 24521 case "link.file.uid": 24522 return "link", nil 24523 case "link.file.user": 24524 return "link", nil 24525 case "link.retval": 24526 return "link", nil 24527 case "load_module.args": 24528 return "load_module", nil 24529 case "load_module.args_truncated": 24530 return "load_module", nil 24531 case "load_module.argv": 24532 return "load_module", nil 24533 case "load_module.file.change_time": 24534 return "load_module", nil 24535 case "load_module.file.filesystem": 24536 return "load_module", nil 24537 case "load_module.file.gid": 24538 return "load_module", nil 24539 case "load_module.file.group": 24540 return "load_module", nil 24541 case "load_module.file.hashes": 24542 return "load_module", nil 24543 case "load_module.file.in_upper_layer": 24544 return "load_module", nil 24545 case "load_module.file.inode": 24546 return "load_module", nil 24547 case "load_module.file.mode": 24548 return "load_module", nil 24549 case "load_module.file.modification_time": 24550 return "load_module", nil 24551 case "load_module.file.mount_id": 24552 return "load_module", nil 24553 case "load_module.file.name": 24554 return "load_module", nil 24555 case "load_module.file.name.length": 24556 return "load_module", nil 24557 case "load_module.file.package.name": 24558 return "load_module", nil 24559 case "load_module.file.package.source_version": 24560 return "load_module", nil 24561 case "load_module.file.package.version": 24562 return "load_module", nil 24563 case "load_module.file.path": 24564 return "load_module", nil 24565 case "load_module.file.path.length": 
24566 return "load_module", nil 24567 case "load_module.file.rights": 24568 return "load_module", nil 24569 case "load_module.file.uid": 24570 return "load_module", nil 24571 case "load_module.file.user": 24572 return "load_module", nil 24573 case "load_module.loaded_from_memory": 24574 return "load_module", nil 24575 case "load_module.name": 24576 return "load_module", nil 24577 case "load_module.retval": 24578 return "load_module", nil 24579 case "mkdir.file.change_time": 24580 return "mkdir", nil 24581 case "mkdir.file.destination.mode": 24582 return "mkdir", nil 24583 case "mkdir.file.destination.rights": 24584 return "mkdir", nil 24585 case "mkdir.file.filesystem": 24586 return "mkdir", nil 24587 case "mkdir.file.gid": 24588 return "mkdir", nil 24589 case "mkdir.file.group": 24590 return "mkdir", nil 24591 case "mkdir.file.hashes": 24592 return "mkdir", nil 24593 case "mkdir.file.in_upper_layer": 24594 return "mkdir", nil 24595 case "mkdir.file.inode": 24596 return "mkdir", nil 24597 case "mkdir.file.mode": 24598 return "mkdir", nil 24599 case "mkdir.file.modification_time": 24600 return "mkdir", nil 24601 case "mkdir.file.mount_id": 24602 return "mkdir", nil 24603 case "mkdir.file.name": 24604 return "mkdir", nil 24605 case "mkdir.file.name.length": 24606 return "mkdir", nil 24607 case "mkdir.file.package.name": 24608 return "mkdir", nil 24609 case "mkdir.file.package.source_version": 24610 return "mkdir", nil 24611 case "mkdir.file.package.version": 24612 return "mkdir", nil 24613 case "mkdir.file.path": 24614 return "mkdir", nil 24615 case "mkdir.file.path.length": 24616 return "mkdir", nil 24617 case "mkdir.file.rights": 24618 return "mkdir", nil 24619 case "mkdir.file.uid": 24620 return "mkdir", nil 24621 case "mkdir.file.user": 24622 return "mkdir", nil 24623 case "mkdir.retval": 24624 return "mkdir", nil 24625 case "mmap.file.change_time": 24626 return "mmap", nil 24627 case "mmap.file.filesystem": 24628 return "mmap", nil 24629 case "mmap.file.gid": 
24630 return "mmap", nil 24631 case "mmap.file.group": 24632 return "mmap", nil 24633 case "mmap.file.hashes": 24634 return "mmap", nil 24635 case "mmap.file.in_upper_layer": 24636 return "mmap", nil 24637 case "mmap.file.inode": 24638 return "mmap", nil 24639 case "mmap.file.mode": 24640 return "mmap", nil 24641 case "mmap.file.modification_time": 24642 return "mmap", nil 24643 case "mmap.file.mount_id": 24644 return "mmap", nil 24645 case "mmap.file.name": 24646 return "mmap", nil 24647 case "mmap.file.name.length": 24648 return "mmap", nil 24649 case "mmap.file.package.name": 24650 return "mmap", nil 24651 case "mmap.file.package.source_version": 24652 return "mmap", nil 24653 case "mmap.file.package.version": 24654 return "mmap", nil 24655 case "mmap.file.path": 24656 return "mmap", nil 24657 case "mmap.file.path.length": 24658 return "mmap", nil 24659 case "mmap.file.rights": 24660 return "mmap", nil 24661 case "mmap.file.uid": 24662 return "mmap", nil 24663 case "mmap.file.user": 24664 return "mmap", nil 24665 case "mmap.flags": 24666 return "mmap", nil 24667 case "mmap.protection": 24668 return "mmap", nil 24669 case "mmap.retval": 24670 return "mmap", nil 24671 case "mount.fs_type": 24672 return "mount", nil 24673 case "mount.mountpoint.path": 24674 return "mount", nil 24675 case "mount.retval": 24676 return "mount", nil 24677 case "mount.root.path": 24678 return "mount", nil 24679 case "mount.source.path": 24680 return "mount", nil 24681 case "mprotect.req_protection": 24682 return "mprotect", nil 24683 case "mprotect.retval": 24684 return "mprotect", nil 24685 case "mprotect.vm_protection": 24686 return "mprotect", nil 24687 case "network.destination.ip": 24688 return "dns", nil 24689 case "network.destination.port": 24690 return "dns", nil 24691 case "network.device.ifindex": 24692 return "dns", nil 24693 case "network.device.ifname": 24694 return "dns", nil 24695 case "network.l3_protocol": 24696 return "dns", nil 24697 case "network.l4_protocol": 24698 
return "dns", nil 24699 case "network.size": 24700 return "dns", nil 24701 case "network.source.ip": 24702 return "dns", nil 24703 case "network.source.port": 24704 return "dns", nil 24705 case "open.file.change_time": 24706 return "open", nil 24707 case "open.file.destination.mode": 24708 return "open", nil 24709 case "open.file.filesystem": 24710 return "open", nil 24711 case "open.file.gid": 24712 return "open", nil 24713 case "open.file.group": 24714 return "open", nil 24715 case "open.file.hashes": 24716 return "open", nil 24717 case "open.file.in_upper_layer": 24718 return "open", nil 24719 case "open.file.inode": 24720 return "open", nil 24721 case "open.file.mode": 24722 return "open", nil 24723 case "open.file.modification_time": 24724 return "open", nil 24725 case "open.file.mount_id": 24726 return "open", nil 24727 case "open.file.name": 24728 return "open", nil 24729 case "open.file.name.length": 24730 return "open", nil 24731 case "open.file.package.name": 24732 return "open", nil 24733 case "open.file.package.source_version": 24734 return "open", nil 24735 case "open.file.package.version": 24736 return "open", nil 24737 case "open.file.path": 24738 return "open", nil 24739 case "open.file.path.length": 24740 return "open", nil 24741 case "open.file.rights": 24742 return "open", nil 24743 case "open.file.uid": 24744 return "open", nil 24745 case "open.file.user": 24746 return "open", nil 24747 case "open.flags": 24748 return "open", nil 24749 case "open.retval": 24750 return "open", nil 24751 case "process.ancestors.args": 24752 return "*", nil 24753 case "process.ancestors.args_flags": 24754 return "*", nil 24755 case "process.ancestors.args_options": 24756 return "*", nil 24757 case "process.ancestors.args_truncated": 24758 return "*", nil 24759 case "process.ancestors.argv": 24760 return "*", nil 24761 case "process.ancestors.argv0": 24762 return "*", nil 24763 case "process.ancestors.cap_effective": 24764 return "*", nil 24765 case 
"process.ancestors.cap_permitted": 24766 return "*", nil 24767 case "process.ancestors.comm": 24768 return "*", nil 24769 case "process.ancestors.container.id": 24770 return "*", nil 24771 case "process.ancestors.created_at": 24772 return "*", nil 24773 case "process.ancestors.egid": 24774 return "*", nil 24775 case "process.ancestors.egroup": 24776 return "*", nil 24777 case "process.ancestors.envp": 24778 return "*", nil 24779 case "process.ancestors.envs": 24780 return "*", nil 24781 case "process.ancestors.envs_truncated": 24782 return "*", nil 24783 case "process.ancestors.euid": 24784 return "*", nil 24785 case "process.ancestors.euser": 24786 return "*", nil 24787 case "process.ancestors.file.change_time": 24788 return "*", nil 24789 case "process.ancestors.file.filesystem": 24790 return "*", nil 24791 case "process.ancestors.file.gid": 24792 return "*", nil 24793 case "process.ancestors.file.group": 24794 return "*", nil 24795 case "process.ancestors.file.hashes": 24796 return "*", nil 24797 case "process.ancestors.file.in_upper_layer": 24798 return "*", nil 24799 case "process.ancestors.file.inode": 24800 return "*", nil 24801 case "process.ancestors.file.mode": 24802 return "*", nil 24803 case "process.ancestors.file.modification_time": 24804 return "*", nil 24805 case "process.ancestors.file.mount_id": 24806 return "*", nil 24807 case "process.ancestors.file.name": 24808 return "*", nil 24809 case "process.ancestors.file.name.length": 24810 return "*", nil 24811 case "process.ancestors.file.package.name": 24812 return "*", nil 24813 case "process.ancestors.file.package.source_version": 24814 return "*", nil 24815 case "process.ancestors.file.package.version": 24816 return "*", nil 24817 case "process.ancestors.file.path": 24818 return "*", nil 24819 case "process.ancestors.file.path.length": 24820 return "*", nil 24821 case "process.ancestors.file.rights": 24822 return "*", nil 24823 case "process.ancestors.file.uid": 24824 return "*", nil 24825 case 
"process.ancestors.file.user": 24826 return "*", nil 24827 case "process.ancestors.fsgid": 24828 return "*", nil 24829 case "process.ancestors.fsgroup": 24830 return "*", nil 24831 case "process.ancestors.fsuid": 24832 return "*", nil 24833 case "process.ancestors.fsuser": 24834 return "*", nil 24835 case "process.ancestors.gid": 24836 return "*", nil 24837 case "process.ancestors.group": 24838 return "*", nil 24839 case "process.ancestors.interpreter.file.change_time": 24840 return "*", nil 24841 case "process.ancestors.interpreter.file.filesystem": 24842 return "*", nil 24843 case "process.ancestors.interpreter.file.gid": 24844 return "*", nil 24845 case "process.ancestors.interpreter.file.group": 24846 return "*", nil 24847 case "process.ancestors.interpreter.file.hashes": 24848 return "*", nil 24849 case "process.ancestors.interpreter.file.in_upper_layer": 24850 return "*", nil 24851 case "process.ancestors.interpreter.file.inode": 24852 return "*", nil 24853 case "process.ancestors.interpreter.file.mode": 24854 return "*", nil 24855 case "process.ancestors.interpreter.file.modification_time": 24856 return "*", nil 24857 case "process.ancestors.interpreter.file.mount_id": 24858 return "*", nil 24859 case "process.ancestors.interpreter.file.name": 24860 return "*", nil 24861 case "process.ancestors.interpreter.file.name.length": 24862 return "*", nil 24863 case "process.ancestors.interpreter.file.package.name": 24864 return "*", nil 24865 case "process.ancestors.interpreter.file.package.source_version": 24866 return "*", nil 24867 case "process.ancestors.interpreter.file.package.version": 24868 return "*", nil 24869 case "process.ancestors.interpreter.file.path": 24870 return "*", nil 24871 case "process.ancestors.interpreter.file.path.length": 24872 return "*", nil 24873 case "process.ancestors.interpreter.file.rights": 24874 return "*", nil 24875 case "process.ancestors.interpreter.file.uid": 24876 return "*", nil 24877 case 
"process.ancestors.interpreter.file.user": 24878 return "*", nil 24879 case "process.ancestors.is_kworker": 24880 return "*", nil 24881 case "process.ancestors.is_thread": 24882 return "*", nil 24883 case "process.ancestors.pid": 24884 return "*", nil 24885 case "process.ancestors.ppid": 24886 return "*", nil 24887 case "process.ancestors.tid": 24888 return "*", nil 24889 case "process.ancestors.tty_name": 24890 return "*", nil 24891 case "process.ancestors.uid": 24892 return "*", nil 24893 case "process.ancestors.user": 24894 return "*", nil 24895 case "process.ancestors.user_session.k8s_groups": 24896 return "*", nil 24897 case "process.ancestors.user_session.k8s_uid": 24898 return "*", nil 24899 case "process.ancestors.user_session.k8s_username": 24900 return "*", nil 24901 case "process.args": 24902 return "*", nil 24903 case "process.args_flags": 24904 return "*", nil 24905 case "process.args_options": 24906 return "*", nil 24907 case "process.args_truncated": 24908 return "*", nil 24909 case "process.argv": 24910 return "*", nil 24911 case "process.argv0": 24912 return "*", nil 24913 case "process.cap_effective": 24914 return "*", nil 24915 case "process.cap_permitted": 24916 return "*", nil 24917 case "process.comm": 24918 return "*", nil 24919 case "process.container.id": 24920 return "*", nil 24921 case "process.created_at": 24922 return "*", nil 24923 case "process.egid": 24924 return "*", nil 24925 case "process.egroup": 24926 return "*", nil 24927 case "process.envp": 24928 return "*", nil 24929 case "process.envs": 24930 return "*", nil 24931 case "process.envs_truncated": 24932 return "*", nil 24933 case "process.euid": 24934 return "*", nil 24935 case "process.euser": 24936 return "*", nil 24937 case "process.file.change_time": 24938 return "*", nil 24939 case "process.file.filesystem": 24940 return "*", nil 24941 case "process.file.gid": 24942 return "*", nil 24943 case "process.file.group": 24944 return "*", nil 24945 case "process.file.hashes": 
24946 return "*", nil 24947 case "process.file.in_upper_layer": 24948 return "*", nil 24949 case "process.file.inode": 24950 return "*", nil 24951 case "process.file.mode": 24952 return "*", nil 24953 case "process.file.modification_time": 24954 return "*", nil 24955 case "process.file.mount_id": 24956 return "*", nil 24957 case "process.file.name": 24958 return "*", nil 24959 case "process.file.name.length": 24960 return "*", nil 24961 case "process.file.package.name": 24962 return "*", nil 24963 case "process.file.package.source_version": 24964 return "*", nil 24965 case "process.file.package.version": 24966 return "*", nil 24967 case "process.file.path": 24968 return "*", nil 24969 case "process.file.path.length": 24970 return "*", nil 24971 case "process.file.rights": 24972 return "*", nil 24973 case "process.file.uid": 24974 return "*", nil 24975 case "process.file.user": 24976 return "*", nil 24977 case "process.fsgid": 24978 return "*", nil 24979 case "process.fsgroup": 24980 return "*", nil 24981 case "process.fsuid": 24982 return "*", nil 24983 case "process.fsuser": 24984 return "*", nil 24985 case "process.gid": 24986 return "*", nil 24987 case "process.group": 24988 return "*", nil 24989 case "process.interpreter.file.change_time": 24990 return "*", nil 24991 case "process.interpreter.file.filesystem": 24992 return "*", nil 24993 case "process.interpreter.file.gid": 24994 return "*", nil 24995 case "process.interpreter.file.group": 24996 return "*", nil 24997 case "process.interpreter.file.hashes": 24998 return "*", nil 24999 case "process.interpreter.file.in_upper_layer": 25000 return "*", nil 25001 case "process.interpreter.file.inode": 25002 return "*", nil 25003 case "process.interpreter.file.mode": 25004 return "*", nil 25005 case "process.interpreter.file.modification_time": 25006 return "*", nil 25007 case "process.interpreter.file.mount_id": 25008 return "*", nil 25009 case "process.interpreter.file.name": 25010 return "*", nil 25011 case 
"process.interpreter.file.name.length": 25012 return "*", nil 25013 case "process.interpreter.file.package.name": 25014 return "*", nil 25015 case "process.interpreter.file.package.source_version": 25016 return "*", nil 25017 case "process.interpreter.file.package.version": 25018 return "*", nil 25019 case "process.interpreter.file.path": 25020 return "*", nil 25021 case "process.interpreter.file.path.length": 25022 return "*", nil 25023 case "process.interpreter.file.rights": 25024 return "*", nil 25025 case "process.interpreter.file.uid": 25026 return "*", nil 25027 case "process.interpreter.file.user": 25028 return "*", nil 25029 case "process.is_kworker": 25030 return "*", nil 25031 case "process.is_thread": 25032 return "*", nil 25033 case "process.parent.args": 25034 return "*", nil 25035 case "process.parent.args_flags": 25036 return "*", nil 25037 case "process.parent.args_options": 25038 return "*", nil 25039 case "process.parent.args_truncated": 25040 return "*", nil 25041 case "process.parent.argv": 25042 return "*", nil 25043 case "process.parent.argv0": 25044 return "*", nil 25045 case "process.parent.cap_effective": 25046 return "*", nil 25047 case "process.parent.cap_permitted": 25048 return "*", nil 25049 case "process.parent.comm": 25050 return "*", nil 25051 case "process.parent.container.id": 25052 return "*", nil 25053 case "process.parent.created_at": 25054 return "*", nil 25055 case "process.parent.egid": 25056 return "*", nil 25057 case "process.parent.egroup": 25058 return "*", nil 25059 case "process.parent.envp": 25060 return "*", nil 25061 case "process.parent.envs": 25062 return "*", nil 25063 case "process.parent.envs_truncated": 25064 return "*", nil 25065 case "process.parent.euid": 25066 return "*", nil 25067 case "process.parent.euser": 25068 return "*", nil 25069 case "process.parent.file.change_time": 25070 return "*", nil 25071 case "process.parent.file.filesystem": 25072 return "*", nil 25073 case "process.parent.file.gid": 
25074 return "*", nil 25075 case "process.parent.file.group": 25076 return "*", nil 25077 case "process.parent.file.hashes": 25078 return "*", nil 25079 case "process.parent.file.in_upper_layer": 25080 return "*", nil 25081 case "process.parent.file.inode": 25082 return "*", nil 25083 case "process.parent.file.mode": 25084 return "*", nil 25085 case "process.parent.file.modification_time": 25086 return "*", nil 25087 case "process.parent.file.mount_id": 25088 return "*", nil 25089 case "process.parent.file.name": 25090 return "*", nil 25091 case "process.parent.file.name.length": 25092 return "*", nil 25093 case "process.parent.file.package.name": 25094 return "*", nil 25095 case "process.parent.file.package.source_version": 25096 return "*", nil 25097 case "process.parent.file.package.version": 25098 return "*", nil 25099 case "process.parent.file.path": 25100 return "*", nil 25101 case "process.parent.file.path.length": 25102 return "*", nil 25103 case "process.parent.file.rights": 25104 return "*", nil 25105 case "process.parent.file.uid": 25106 return "*", nil 25107 case "process.parent.file.user": 25108 return "*", nil 25109 case "process.parent.fsgid": 25110 return "*", nil 25111 case "process.parent.fsgroup": 25112 return "*", nil 25113 case "process.parent.fsuid": 25114 return "*", nil 25115 case "process.parent.fsuser": 25116 return "*", nil 25117 case "process.parent.gid": 25118 return "*", nil 25119 case "process.parent.group": 25120 return "*", nil 25121 case "process.parent.interpreter.file.change_time": 25122 return "*", nil 25123 case "process.parent.interpreter.file.filesystem": 25124 return "*", nil 25125 case "process.parent.interpreter.file.gid": 25126 return "*", nil 25127 case "process.parent.interpreter.file.group": 25128 return "*", nil 25129 case "process.parent.interpreter.file.hashes": 25130 return "*", nil 25131 case "process.parent.interpreter.file.in_upper_layer": 25132 return "*", nil 25133 case "process.parent.interpreter.file.inode": 
25134 return "*", nil 25135 case "process.parent.interpreter.file.mode": 25136 return "*", nil 25137 case "process.parent.interpreter.file.modification_time": 25138 return "*", nil 25139 case "process.parent.interpreter.file.mount_id": 25140 return "*", nil 25141 case "process.parent.interpreter.file.name": 25142 return "*", nil 25143 case "process.parent.interpreter.file.name.length": 25144 return "*", nil 25145 case "process.parent.interpreter.file.package.name": 25146 return "*", nil 25147 case "process.parent.interpreter.file.package.source_version": 25148 return "*", nil 25149 case "process.parent.interpreter.file.package.version": 25150 return "*", nil 25151 case "process.parent.interpreter.file.path": 25152 return "*", nil 25153 case "process.parent.interpreter.file.path.length": 25154 return "*", nil 25155 case "process.parent.interpreter.file.rights": 25156 return "*", nil 25157 case "process.parent.interpreter.file.uid": 25158 return "*", nil 25159 case "process.parent.interpreter.file.user": 25160 return "*", nil 25161 case "process.parent.is_kworker": 25162 return "*", nil 25163 case "process.parent.is_thread": 25164 return "*", nil 25165 case "process.parent.pid": 25166 return "*", nil 25167 case "process.parent.ppid": 25168 return "*", nil 25169 case "process.parent.tid": 25170 return "*", nil 25171 case "process.parent.tty_name": 25172 return "*", nil 25173 case "process.parent.uid": 25174 return "*", nil 25175 case "process.parent.user": 25176 return "*", nil 25177 case "process.parent.user_session.k8s_groups": 25178 return "*", nil 25179 case "process.parent.user_session.k8s_uid": 25180 return "*", nil 25181 case "process.parent.user_session.k8s_username": 25182 return "*", nil 25183 case "process.pid": 25184 return "*", nil 25185 case "process.ppid": 25186 return "*", nil 25187 case "process.tid": 25188 return "*", nil 25189 case "process.tty_name": 25190 return "*", nil 25191 case "process.uid": 25192 return "*", nil 25193 case "process.user": 
25194 return "*", nil 25195 case "process.user_session.k8s_groups": 25196 return "*", nil 25197 case "process.user_session.k8s_uid": 25198 return "*", nil 25199 case "process.user_session.k8s_username": 25200 return "*", nil 25201 case "ptrace.request": 25202 return "ptrace", nil 25203 case "ptrace.retval": 25204 return "ptrace", nil 25205 case "ptrace.tracee.ancestors.args": 25206 return "ptrace", nil 25207 case "ptrace.tracee.ancestors.args_flags": 25208 return "ptrace", nil 25209 case "ptrace.tracee.ancestors.args_options": 25210 return "ptrace", nil 25211 case "ptrace.tracee.ancestors.args_truncated": 25212 return "ptrace", nil 25213 case "ptrace.tracee.ancestors.argv": 25214 return "ptrace", nil 25215 case "ptrace.tracee.ancestors.argv0": 25216 return "ptrace", nil 25217 case "ptrace.tracee.ancestors.cap_effective": 25218 return "ptrace", nil 25219 case "ptrace.tracee.ancestors.cap_permitted": 25220 return "ptrace", nil 25221 case "ptrace.tracee.ancestors.comm": 25222 return "ptrace", nil 25223 case "ptrace.tracee.ancestors.container.id": 25224 return "ptrace", nil 25225 case "ptrace.tracee.ancestors.created_at": 25226 return "ptrace", nil 25227 case "ptrace.tracee.ancestors.egid": 25228 return "ptrace", nil 25229 case "ptrace.tracee.ancestors.egroup": 25230 return "ptrace", nil 25231 case "ptrace.tracee.ancestors.envp": 25232 return "ptrace", nil 25233 case "ptrace.tracee.ancestors.envs": 25234 return "ptrace", nil 25235 case "ptrace.tracee.ancestors.envs_truncated": 25236 return "ptrace", nil 25237 case "ptrace.tracee.ancestors.euid": 25238 return "ptrace", nil 25239 case "ptrace.tracee.ancestors.euser": 25240 return "ptrace", nil 25241 case "ptrace.tracee.ancestors.file.change_time": 25242 return "ptrace", nil 25243 case "ptrace.tracee.ancestors.file.filesystem": 25244 return "ptrace", nil 25245 case "ptrace.tracee.ancestors.file.gid": 25246 return "ptrace", nil 25247 case "ptrace.tracee.ancestors.file.group": 25248 return "ptrace", nil 25249 case 
"ptrace.tracee.ancestors.file.hashes": 25250 return "ptrace", nil 25251 case "ptrace.tracee.ancestors.file.in_upper_layer": 25252 return "ptrace", nil 25253 case "ptrace.tracee.ancestors.file.inode": 25254 return "ptrace", nil 25255 case "ptrace.tracee.ancestors.file.mode": 25256 return "ptrace", nil 25257 case "ptrace.tracee.ancestors.file.modification_time": 25258 return "ptrace", nil 25259 case "ptrace.tracee.ancestors.file.mount_id": 25260 return "ptrace", nil 25261 case "ptrace.tracee.ancestors.file.name": 25262 return "ptrace", nil 25263 case "ptrace.tracee.ancestors.file.name.length": 25264 return "ptrace", nil 25265 case "ptrace.tracee.ancestors.file.package.name": 25266 return "ptrace", nil 25267 case "ptrace.tracee.ancestors.file.package.source_version": 25268 return "ptrace", nil 25269 case "ptrace.tracee.ancestors.file.package.version": 25270 return "ptrace", nil 25271 case "ptrace.tracee.ancestors.file.path": 25272 return "ptrace", nil 25273 case "ptrace.tracee.ancestors.file.path.length": 25274 return "ptrace", nil 25275 case "ptrace.tracee.ancestors.file.rights": 25276 return "ptrace", nil 25277 case "ptrace.tracee.ancestors.file.uid": 25278 return "ptrace", nil 25279 case "ptrace.tracee.ancestors.file.user": 25280 return "ptrace", nil 25281 case "ptrace.tracee.ancestors.fsgid": 25282 return "ptrace", nil 25283 case "ptrace.tracee.ancestors.fsgroup": 25284 return "ptrace", nil 25285 case "ptrace.tracee.ancestors.fsuid": 25286 return "ptrace", nil 25287 case "ptrace.tracee.ancestors.fsuser": 25288 return "ptrace", nil 25289 case "ptrace.tracee.ancestors.gid": 25290 return "ptrace", nil 25291 case "ptrace.tracee.ancestors.group": 25292 return "ptrace", nil 25293 case "ptrace.tracee.ancestors.interpreter.file.change_time": 25294 return "ptrace", nil 25295 case "ptrace.tracee.ancestors.interpreter.file.filesystem": 25296 return "ptrace", nil 25297 case "ptrace.tracee.ancestors.interpreter.file.gid": 25298 return "ptrace", nil 25299 case 
"ptrace.tracee.ancestors.interpreter.file.group": 25300 return "ptrace", nil 25301 case "ptrace.tracee.ancestors.interpreter.file.hashes": 25302 return "ptrace", nil 25303 case "ptrace.tracee.ancestors.interpreter.file.in_upper_layer": 25304 return "ptrace", nil 25305 case "ptrace.tracee.ancestors.interpreter.file.inode": 25306 return "ptrace", nil 25307 case "ptrace.tracee.ancestors.interpreter.file.mode": 25308 return "ptrace", nil 25309 case "ptrace.tracee.ancestors.interpreter.file.modification_time": 25310 return "ptrace", nil 25311 case "ptrace.tracee.ancestors.interpreter.file.mount_id": 25312 return "ptrace", nil 25313 case "ptrace.tracee.ancestors.interpreter.file.name": 25314 return "ptrace", nil 25315 case "ptrace.tracee.ancestors.interpreter.file.name.length": 25316 return "ptrace", nil 25317 case "ptrace.tracee.ancestors.interpreter.file.package.name": 25318 return "ptrace", nil 25319 case "ptrace.tracee.ancestors.interpreter.file.package.source_version": 25320 return "ptrace", nil 25321 case "ptrace.tracee.ancestors.interpreter.file.package.version": 25322 return "ptrace", nil 25323 case "ptrace.tracee.ancestors.interpreter.file.path": 25324 return "ptrace", nil 25325 case "ptrace.tracee.ancestors.interpreter.file.path.length": 25326 return "ptrace", nil 25327 case "ptrace.tracee.ancestors.interpreter.file.rights": 25328 return "ptrace", nil 25329 case "ptrace.tracee.ancestors.interpreter.file.uid": 25330 return "ptrace", nil 25331 case "ptrace.tracee.ancestors.interpreter.file.user": 25332 return "ptrace", nil 25333 case "ptrace.tracee.ancestors.is_kworker": 25334 return "ptrace", nil 25335 case "ptrace.tracee.ancestors.is_thread": 25336 return "ptrace", nil 25337 case "ptrace.tracee.ancestors.pid": 25338 return "ptrace", nil 25339 case "ptrace.tracee.ancestors.ppid": 25340 return "ptrace", nil 25341 case "ptrace.tracee.ancestors.tid": 25342 return "ptrace", nil 25343 case "ptrace.tracee.ancestors.tty_name": 25344 return "ptrace", nil 25345 case 
"ptrace.tracee.ancestors.uid": 25346 return "ptrace", nil 25347 case "ptrace.tracee.ancestors.user": 25348 return "ptrace", nil 25349 case "ptrace.tracee.ancestors.user_session.k8s_groups": 25350 return "ptrace", nil 25351 case "ptrace.tracee.ancestors.user_session.k8s_uid": 25352 return "ptrace", nil 25353 case "ptrace.tracee.ancestors.user_session.k8s_username": 25354 return "ptrace", nil 25355 case "ptrace.tracee.args": 25356 return "ptrace", nil 25357 case "ptrace.tracee.args_flags": 25358 return "ptrace", nil 25359 case "ptrace.tracee.args_options": 25360 return "ptrace", nil 25361 case "ptrace.tracee.args_truncated": 25362 return "ptrace", nil 25363 case "ptrace.tracee.argv": 25364 return "ptrace", nil 25365 case "ptrace.tracee.argv0": 25366 return "ptrace", nil 25367 case "ptrace.tracee.cap_effective": 25368 return "ptrace", nil 25369 case "ptrace.tracee.cap_permitted": 25370 return "ptrace", nil 25371 case "ptrace.tracee.comm": 25372 return "ptrace", nil 25373 case "ptrace.tracee.container.id": 25374 return "ptrace", nil 25375 case "ptrace.tracee.created_at": 25376 return "ptrace", nil 25377 case "ptrace.tracee.egid": 25378 return "ptrace", nil 25379 case "ptrace.tracee.egroup": 25380 return "ptrace", nil 25381 case "ptrace.tracee.envp": 25382 return "ptrace", nil 25383 case "ptrace.tracee.envs": 25384 return "ptrace", nil 25385 case "ptrace.tracee.envs_truncated": 25386 return "ptrace", nil 25387 case "ptrace.tracee.euid": 25388 return "ptrace", nil 25389 case "ptrace.tracee.euser": 25390 return "ptrace", nil 25391 case "ptrace.tracee.file.change_time": 25392 return "ptrace", nil 25393 case "ptrace.tracee.file.filesystem": 25394 return "ptrace", nil 25395 case "ptrace.tracee.file.gid": 25396 return "ptrace", nil 25397 case "ptrace.tracee.file.group": 25398 return "ptrace", nil 25399 case "ptrace.tracee.file.hashes": 25400 return "ptrace", nil 25401 case "ptrace.tracee.file.in_upper_layer": 25402 return "ptrace", nil 25403 case "ptrace.tracee.file.inode": 
25404 return "ptrace", nil 25405 case "ptrace.tracee.file.mode": 25406 return "ptrace", nil 25407 case "ptrace.tracee.file.modification_time": 25408 return "ptrace", nil 25409 case "ptrace.tracee.file.mount_id": 25410 return "ptrace", nil 25411 case "ptrace.tracee.file.name": 25412 return "ptrace", nil 25413 case "ptrace.tracee.file.name.length": 25414 return "ptrace", nil 25415 case "ptrace.tracee.file.package.name": 25416 return "ptrace", nil 25417 case "ptrace.tracee.file.package.source_version": 25418 return "ptrace", nil 25419 case "ptrace.tracee.file.package.version": 25420 return "ptrace", nil 25421 case "ptrace.tracee.file.path": 25422 return "ptrace", nil 25423 case "ptrace.tracee.file.path.length": 25424 return "ptrace", nil 25425 case "ptrace.tracee.file.rights": 25426 return "ptrace", nil 25427 case "ptrace.tracee.file.uid": 25428 return "ptrace", nil 25429 case "ptrace.tracee.file.user": 25430 return "ptrace", nil 25431 case "ptrace.tracee.fsgid": 25432 return "ptrace", nil 25433 case "ptrace.tracee.fsgroup": 25434 return "ptrace", nil 25435 case "ptrace.tracee.fsuid": 25436 return "ptrace", nil 25437 case "ptrace.tracee.fsuser": 25438 return "ptrace", nil 25439 case "ptrace.tracee.gid": 25440 return "ptrace", nil 25441 case "ptrace.tracee.group": 25442 return "ptrace", nil 25443 case "ptrace.tracee.interpreter.file.change_time": 25444 return "ptrace", nil 25445 case "ptrace.tracee.interpreter.file.filesystem": 25446 return "ptrace", nil 25447 case "ptrace.tracee.interpreter.file.gid": 25448 return "ptrace", nil 25449 case "ptrace.tracee.interpreter.file.group": 25450 return "ptrace", nil 25451 case "ptrace.tracee.interpreter.file.hashes": 25452 return "ptrace", nil 25453 case "ptrace.tracee.interpreter.file.in_upper_layer": 25454 return "ptrace", nil 25455 case "ptrace.tracee.interpreter.file.inode": 25456 return "ptrace", nil 25457 case "ptrace.tracee.interpreter.file.mode": 25458 return "ptrace", nil 25459 case 
"ptrace.tracee.interpreter.file.modification_time": 25460 return "ptrace", nil 25461 case "ptrace.tracee.interpreter.file.mount_id": 25462 return "ptrace", nil 25463 case "ptrace.tracee.interpreter.file.name": 25464 return "ptrace", nil 25465 case "ptrace.tracee.interpreter.file.name.length": 25466 return "ptrace", nil 25467 case "ptrace.tracee.interpreter.file.package.name": 25468 return "ptrace", nil 25469 case "ptrace.tracee.interpreter.file.package.source_version": 25470 return "ptrace", nil 25471 case "ptrace.tracee.interpreter.file.package.version": 25472 return "ptrace", nil 25473 case "ptrace.tracee.interpreter.file.path": 25474 return "ptrace", nil 25475 case "ptrace.tracee.interpreter.file.path.length": 25476 return "ptrace", nil 25477 case "ptrace.tracee.interpreter.file.rights": 25478 return "ptrace", nil 25479 case "ptrace.tracee.interpreter.file.uid": 25480 return "ptrace", nil 25481 case "ptrace.tracee.interpreter.file.user": 25482 return "ptrace", nil 25483 case "ptrace.tracee.is_kworker": 25484 return "ptrace", nil 25485 case "ptrace.tracee.is_thread": 25486 return "ptrace", nil 25487 case "ptrace.tracee.parent.args": 25488 return "ptrace", nil 25489 case "ptrace.tracee.parent.args_flags": 25490 return "ptrace", nil 25491 case "ptrace.tracee.parent.args_options": 25492 return "ptrace", nil 25493 case "ptrace.tracee.parent.args_truncated": 25494 return "ptrace", nil 25495 case "ptrace.tracee.parent.argv": 25496 return "ptrace", nil 25497 case "ptrace.tracee.parent.argv0": 25498 return "ptrace", nil 25499 case "ptrace.tracee.parent.cap_effective": 25500 return "ptrace", nil 25501 case "ptrace.tracee.parent.cap_permitted": 25502 return "ptrace", nil 25503 case "ptrace.tracee.parent.comm": 25504 return "ptrace", nil 25505 case "ptrace.tracee.parent.container.id": 25506 return "ptrace", nil 25507 case "ptrace.tracee.parent.created_at": 25508 return "ptrace", nil 25509 case "ptrace.tracee.parent.egid": 25510 return "ptrace", nil 25511 case 
"ptrace.tracee.parent.egroup": 25512 return "ptrace", nil 25513 case "ptrace.tracee.parent.envp": 25514 return "ptrace", nil 25515 case "ptrace.tracee.parent.envs": 25516 return "ptrace", nil 25517 case "ptrace.tracee.parent.envs_truncated": 25518 return "ptrace", nil 25519 case "ptrace.tracee.parent.euid": 25520 return "ptrace", nil 25521 case "ptrace.tracee.parent.euser": 25522 return "ptrace", nil 25523 case "ptrace.tracee.parent.file.change_time": 25524 return "ptrace", nil 25525 case "ptrace.tracee.parent.file.filesystem": 25526 return "ptrace", nil 25527 case "ptrace.tracee.parent.file.gid": 25528 return "ptrace", nil 25529 case "ptrace.tracee.parent.file.group": 25530 return "ptrace", nil 25531 case "ptrace.tracee.parent.file.hashes": 25532 return "ptrace", nil 25533 case "ptrace.tracee.parent.file.in_upper_layer": 25534 return "ptrace", nil 25535 case "ptrace.tracee.parent.file.inode": 25536 return "ptrace", nil 25537 case "ptrace.tracee.parent.file.mode": 25538 return "ptrace", nil 25539 case "ptrace.tracee.parent.file.modification_time": 25540 return "ptrace", nil 25541 case "ptrace.tracee.parent.file.mount_id": 25542 return "ptrace", nil 25543 case "ptrace.tracee.parent.file.name": 25544 return "ptrace", nil 25545 case "ptrace.tracee.parent.file.name.length": 25546 return "ptrace", nil 25547 case "ptrace.tracee.parent.file.package.name": 25548 return "ptrace", nil 25549 case "ptrace.tracee.parent.file.package.source_version": 25550 return "ptrace", nil 25551 case "ptrace.tracee.parent.file.package.version": 25552 return "ptrace", nil 25553 case "ptrace.tracee.parent.file.path": 25554 return "ptrace", nil 25555 case "ptrace.tracee.parent.file.path.length": 25556 return "ptrace", nil 25557 case "ptrace.tracee.parent.file.rights": 25558 return "ptrace", nil 25559 case "ptrace.tracee.parent.file.uid": 25560 return "ptrace", nil 25561 case "ptrace.tracee.parent.file.user": 25562 return "ptrace", nil 25563 case "ptrace.tracee.parent.fsgid": 25564 return 
"ptrace", nil 25565 case "ptrace.tracee.parent.fsgroup": 25566 return "ptrace", nil 25567 case "ptrace.tracee.parent.fsuid": 25568 return "ptrace", nil 25569 case "ptrace.tracee.parent.fsuser": 25570 return "ptrace", nil 25571 case "ptrace.tracee.parent.gid": 25572 return "ptrace", nil 25573 case "ptrace.tracee.parent.group": 25574 return "ptrace", nil 25575 case "ptrace.tracee.parent.interpreter.file.change_time": 25576 return "ptrace", nil 25577 case "ptrace.tracee.parent.interpreter.file.filesystem": 25578 return "ptrace", nil 25579 case "ptrace.tracee.parent.interpreter.file.gid": 25580 return "ptrace", nil 25581 case "ptrace.tracee.parent.interpreter.file.group": 25582 return "ptrace", nil 25583 case "ptrace.tracee.parent.interpreter.file.hashes": 25584 return "ptrace", nil 25585 case "ptrace.tracee.parent.interpreter.file.in_upper_layer": 25586 return "ptrace", nil 25587 case "ptrace.tracee.parent.interpreter.file.inode": 25588 return "ptrace", nil 25589 case "ptrace.tracee.parent.interpreter.file.mode": 25590 return "ptrace", nil 25591 case "ptrace.tracee.parent.interpreter.file.modification_time": 25592 return "ptrace", nil 25593 case "ptrace.tracee.parent.interpreter.file.mount_id": 25594 return "ptrace", nil 25595 case "ptrace.tracee.parent.interpreter.file.name": 25596 return "ptrace", nil 25597 case "ptrace.tracee.parent.interpreter.file.name.length": 25598 return "ptrace", nil 25599 case "ptrace.tracee.parent.interpreter.file.package.name": 25600 return "ptrace", nil 25601 case "ptrace.tracee.parent.interpreter.file.package.source_version": 25602 return "ptrace", nil 25603 case "ptrace.tracee.parent.interpreter.file.package.version": 25604 return "ptrace", nil 25605 case "ptrace.tracee.parent.interpreter.file.path": 25606 return "ptrace", nil 25607 case "ptrace.tracee.parent.interpreter.file.path.length": 25608 return "ptrace", nil 25609 case "ptrace.tracee.parent.interpreter.file.rights": 25610 return "ptrace", nil 25611 case 
"ptrace.tracee.parent.interpreter.file.uid": 25612 return "ptrace", nil 25613 case "ptrace.tracee.parent.interpreter.file.user": 25614 return "ptrace", nil 25615 case "ptrace.tracee.parent.is_kworker": 25616 return "ptrace", nil 25617 case "ptrace.tracee.parent.is_thread": 25618 return "ptrace", nil 25619 case "ptrace.tracee.parent.pid": 25620 return "ptrace", nil 25621 case "ptrace.tracee.parent.ppid": 25622 return "ptrace", nil 25623 case "ptrace.tracee.parent.tid": 25624 return "ptrace", nil 25625 case "ptrace.tracee.parent.tty_name": 25626 return "ptrace", nil 25627 case "ptrace.tracee.parent.uid": 25628 return "ptrace", nil 25629 case "ptrace.tracee.parent.user": 25630 return "ptrace", nil 25631 case "ptrace.tracee.parent.user_session.k8s_groups": 25632 return "ptrace", nil 25633 case "ptrace.tracee.parent.user_session.k8s_uid": 25634 return "ptrace", nil 25635 case "ptrace.tracee.parent.user_session.k8s_username": 25636 return "ptrace", nil 25637 case "ptrace.tracee.pid": 25638 return "ptrace", nil 25639 case "ptrace.tracee.ppid": 25640 return "ptrace", nil 25641 case "ptrace.tracee.tid": 25642 return "ptrace", nil 25643 case "ptrace.tracee.tty_name": 25644 return "ptrace", nil 25645 case "ptrace.tracee.uid": 25646 return "ptrace", nil 25647 case "ptrace.tracee.user": 25648 return "ptrace", nil 25649 case "ptrace.tracee.user_session.k8s_groups": 25650 return "ptrace", nil 25651 case "ptrace.tracee.user_session.k8s_uid": 25652 return "ptrace", nil 25653 case "ptrace.tracee.user_session.k8s_username": 25654 return "ptrace", nil 25655 case "removexattr.file.change_time": 25656 return "removexattr", nil 25657 case "removexattr.file.destination.name": 25658 return "removexattr", nil 25659 case "removexattr.file.destination.namespace": 25660 return "removexattr", nil 25661 case "removexattr.file.filesystem": 25662 return "removexattr", nil 25663 case "removexattr.file.gid": 25664 return "removexattr", nil 25665 case "removexattr.file.group": 25666 return 
"removexattr", nil 25667 case "removexattr.file.hashes": 25668 return "removexattr", nil 25669 case "removexattr.file.in_upper_layer": 25670 return "removexattr", nil 25671 case "removexattr.file.inode": 25672 return "removexattr", nil 25673 case "removexattr.file.mode": 25674 return "removexattr", nil 25675 case "removexattr.file.modification_time": 25676 return "removexattr", nil 25677 case "removexattr.file.mount_id": 25678 return "removexattr", nil 25679 case "removexattr.file.name": 25680 return "removexattr", nil 25681 case "removexattr.file.name.length": 25682 return "removexattr", nil 25683 case "removexattr.file.package.name": 25684 return "removexattr", nil 25685 case "removexattr.file.package.source_version": 25686 return "removexattr", nil 25687 case "removexattr.file.package.version": 25688 return "removexattr", nil 25689 case "removexattr.file.path": 25690 return "removexattr", nil 25691 case "removexattr.file.path.length": 25692 return "removexattr", nil 25693 case "removexattr.file.rights": 25694 return "removexattr", nil 25695 case "removexattr.file.uid": 25696 return "removexattr", nil 25697 case "removexattr.file.user": 25698 return "removexattr", nil 25699 case "removexattr.retval": 25700 return "removexattr", nil 25701 case "rename.file.change_time": 25702 return "rename", nil 25703 case "rename.file.destination.change_time": 25704 return "rename", nil 25705 case "rename.file.destination.filesystem": 25706 return "rename", nil 25707 case "rename.file.destination.gid": 25708 return "rename", nil 25709 case "rename.file.destination.group": 25710 return "rename", nil 25711 case "rename.file.destination.hashes": 25712 return "rename", nil 25713 case "rename.file.destination.in_upper_layer": 25714 return "rename", nil 25715 case "rename.file.destination.inode": 25716 return "rename", nil 25717 case "rename.file.destination.mode": 25718 return "rename", nil 25719 case "rename.file.destination.modification_time": 25720 return "rename", nil 25721 case 
"rename.file.destination.mount_id": 25722 return "rename", nil 25723 case "rename.file.destination.name": 25724 return "rename", nil 25725 case "rename.file.destination.name.length": 25726 return "rename", nil 25727 case "rename.file.destination.package.name": 25728 return "rename", nil 25729 case "rename.file.destination.package.source_version": 25730 return "rename", nil 25731 case "rename.file.destination.package.version": 25732 return "rename", nil 25733 case "rename.file.destination.path": 25734 return "rename", nil 25735 case "rename.file.destination.path.length": 25736 return "rename", nil 25737 case "rename.file.destination.rights": 25738 return "rename", nil 25739 case "rename.file.destination.uid": 25740 return "rename", nil 25741 case "rename.file.destination.user": 25742 return "rename", nil 25743 case "rename.file.filesystem": 25744 return "rename", nil 25745 case "rename.file.gid": 25746 return "rename", nil 25747 case "rename.file.group": 25748 return "rename", nil 25749 case "rename.file.hashes": 25750 return "rename", nil 25751 case "rename.file.in_upper_layer": 25752 return "rename", nil 25753 case "rename.file.inode": 25754 return "rename", nil 25755 case "rename.file.mode": 25756 return "rename", nil 25757 case "rename.file.modification_time": 25758 return "rename", nil 25759 case "rename.file.mount_id": 25760 return "rename", nil 25761 case "rename.file.name": 25762 return "rename", nil 25763 case "rename.file.name.length": 25764 return "rename", nil 25765 case "rename.file.package.name": 25766 return "rename", nil 25767 case "rename.file.package.source_version": 25768 return "rename", nil 25769 case "rename.file.package.version": 25770 return "rename", nil 25771 case "rename.file.path": 25772 return "rename", nil 25773 case "rename.file.path.length": 25774 return "rename", nil 25775 case "rename.file.rights": 25776 return "rename", nil 25777 case "rename.file.uid": 25778 return "rename", nil 25779 case "rename.file.user": 25780 return 
"rename", nil 25781 case "rename.retval": 25782 return "rename", nil 25783 case "rmdir.file.change_time": 25784 return "rmdir", nil 25785 case "rmdir.file.filesystem": 25786 return "rmdir", nil 25787 case "rmdir.file.gid": 25788 return "rmdir", nil 25789 case "rmdir.file.group": 25790 return "rmdir", nil 25791 case "rmdir.file.hashes": 25792 return "rmdir", nil 25793 case "rmdir.file.in_upper_layer": 25794 return "rmdir", nil 25795 case "rmdir.file.inode": 25796 return "rmdir", nil 25797 case "rmdir.file.mode": 25798 return "rmdir", nil 25799 case "rmdir.file.modification_time": 25800 return "rmdir", nil 25801 case "rmdir.file.mount_id": 25802 return "rmdir", nil 25803 case "rmdir.file.name": 25804 return "rmdir", nil 25805 case "rmdir.file.name.length": 25806 return "rmdir", nil 25807 case "rmdir.file.package.name": 25808 return "rmdir", nil 25809 case "rmdir.file.package.source_version": 25810 return "rmdir", nil 25811 case "rmdir.file.package.version": 25812 return "rmdir", nil 25813 case "rmdir.file.path": 25814 return "rmdir", nil 25815 case "rmdir.file.path.length": 25816 return "rmdir", nil 25817 case "rmdir.file.rights": 25818 return "rmdir", nil 25819 case "rmdir.file.uid": 25820 return "rmdir", nil 25821 case "rmdir.file.user": 25822 return "rmdir", nil 25823 case "rmdir.retval": 25824 return "rmdir", nil 25825 case "selinux.bool.name": 25826 return "selinux", nil 25827 case "selinux.bool.state": 25828 return "selinux", nil 25829 case "selinux.bool_commit.state": 25830 return "selinux", nil 25831 case "selinux.enforce.status": 25832 return "selinux", nil 25833 case "setgid.egid": 25834 return "setgid", nil 25835 case "setgid.egroup": 25836 return "setgid", nil 25837 case "setgid.fsgid": 25838 return "setgid", nil 25839 case "setgid.fsgroup": 25840 return "setgid", nil 25841 case "setgid.gid": 25842 return "setgid", nil 25843 case "setgid.group": 25844 return "setgid", nil 25845 case "setuid.euid": 25846 return "setuid", nil 25847 case "setuid.euser": 
25848 return "setuid", nil 25849 case "setuid.fsuid": 25850 return "setuid", nil 25851 case "setuid.fsuser": 25852 return "setuid", nil 25853 case "setuid.uid": 25854 return "setuid", nil 25855 case "setuid.user": 25856 return "setuid", nil 25857 case "setxattr.file.change_time": 25858 return "setxattr", nil 25859 case "setxattr.file.destination.name": 25860 return "setxattr", nil 25861 case "setxattr.file.destination.namespace": 25862 return "setxattr", nil 25863 case "setxattr.file.filesystem": 25864 return "setxattr", nil 25865 case "setxattr.file.gid": 25866 return "setxattr", nil 25867 case "setxattr.file.group": 25868 return "setxattr", nil 25869 case "setxattr.file.hashes": 25870 return "setxattr", nil 25871 case "setxattr.file.in_upper_layer": 25872 return "setxattr", nil 25873 case "setxattr.file.inode": 25874 return "setxattr", nil 25875 case "setxattr.file.mode": 25876 return "setxattr", nil 25877 case "setxattr.file.modification_time": 25878 return "setxattr", nil 25879 case "setxattr.file.mount_id": 25880 return "setxattr", nil 25881 case "setxattr.file.name": 25882 return "setxattr", nil 25883 case "setxattr.file.name.length": 25884 return "setxattr", nil 25885 case "setxattr.file.package.name": 25886 return "setxattr", nil 25887 case "setxattr.file.package.source_version": 25888 return "setxattr", nil 25889 case "setxattr.file.package.version": 25890 return "setxattr", nil 25891 case "setxattr.file.path": 25892 return "setxattr", nil 25893 case "setxattr.file.path.length": 25894 return "setxattr", nil 25895 case "setxattr.file.rights": 25896 return "setxattr", nil 25897 case "setxattr.file.uid": 25898 return "setxattr", nil 25899 case "setxattr.file.user": 25900 return "setxattr", nil 25901 case "setxattr.retval": 25902 return "setxattr", nil 25903 case "signal.pid": 25904 return "signal", nil 25905 case "signal.retval": 25906 return "signal", nil 25907 case "signal.target.ancestors.args": 25908 return "signal", nil 25909 case 
"signal.target.ancestors.args_flags": 25910 return "signal", nil 25911 case "signal.target.ancestors.args_options": 25912 return "signal", nil 25913 case "signal.target.ancestors.args_truncated": 25914 return "signal", nil 25915 case "signal.target.ancestors.argv": 25916 return "signal", nil 25917 case "signal.target.ancestors.argv0": 25918 return "signal", nil 25919 case "signal.target.ancestors.cap_effective": 25920 return "signal", nil 25921 case "signal.target.ancestors.cap_permitted": 25922 return "signal", nil 25923 case "signal.target.ancestors.comm": 25924 return "signal", nil 25925 case "signal.target.ancestors.container.id": 25926 return "signal", nil 25927 case "signal.target.ancestors.created_at": 25928 return "signal", nil 25929 case "signal.target.ancestors.egid": 25930 return "signal", nil 25931 case "signal.target.ancestors.egroup": 25932 return "signal", nil 25933 case "signal.target.ancestors.envp": 25934 return "signal", nil 25935 case "signal.target.ancestors.envs": 25936 return "signal", nil 25937 case "signal.target.ancestors.envs_truncated": 25938 return "signal", nil 25939 case "signal.target.ancestors.euid": 25940 return "signal", nil 25941 case "signal.target.ancestors.euser": 25942 return "signal", nil 25943 case "signal.target.ancestors.file.change_time": 25944 return "signal", nil 25945 case "signal.target.ancestors.file.filesystem": 25946 return "signal", nil 25947 case "signal.target.ancestors.file.gid": 25948 return "signal", nil 25949 case "signal.target.ancestors.file.group": 25950 return "signal", nil 25951 case "signal.target.ancestors.file.hashes": 25952 return "signal", nil 25953 case "signal.target.ancestors.file.in_upper_layer": 25954 return "signal", nil 25955 case "signal.target.ancestors.file.inode": 25956 return "signal", nil 25957 case "signal.target.ancestors.file.mode": 25958 return "signal", nil 25959 case "signal.target.ancestors.file.modification_time": 25960 return "signal", nil 25961 case 
"signal.target.ancestors.file.mount_id": 25962 return "signal", nil 25963 case "signal.target.ancestors.file.name": 25964 return "signal", nil 25965 case "signal.target.ancestors.file.name.length": 25966 return "signal", nil 25967 case "signal.target.ancestors.file.package.name": 25968 return "signal", nil 25969 case "signal.target.ancestors.file.package.source_version": 25970 return "signal", nil 25971 case "signal.target.ancestors.file.package.version": 25972 return "signal", nil 25973 case "signal.target.ancestors.file.path": 25974 return "signal", nil 25975 case "signal.target.ancestors.file.path.length": 25976 return "signal", nil 25977 case "signal.target.ancestors.file.rights": 25978 return "signal", nil 25979 case "signal.target.ancestors.file.uid": 25980 return "signal", nil 25981 case "signal.target.ancestors.file.user": 25982 return "signal", nil 25983 case "signal.target.ancestors.fsgid": 25984 return "signal", nil 25985 case "signal.target.ancestors.fsgroup": 25986 return "signal", nil 25987 case "signal.target.ancestors.fsuid": 25988 return "signal", nil 25989 case "signal.target.ancestors.fsuser": 25990 return "signal", nil 25991 case "signal.target.ancestors.gid": 25992 return "signal", nil 25993 case "signal.target.ancestors.group": 25994 return "signal", nil 25995 case "signal.target.ancestors.interpreter.file.change_time": 25996 return "signal", nil 25997 case "signal.target.ancestors.interpreter.file.filesystem": 25998 return "signal", nil 25999 case "signal.target.ancestors.interpreter.file.gid": 26000 return "signal", nil 26001 case "signal.target.ancestors.interpreter.file.group": 26002 return "signal", nil 26003 case "signal.target.ancestors.interpreter.file.hashes": 26004 return "signal", nil 26005 case "signal.target.ancestors.interpreter.file.in_upper_layer": 26006 return "signal", nil 26007 case "signal.target.ancestors.interpreter.file.inode": 26008 return "signal", nil 26009 case "signal.target.ancestors.interpreter.file.mode": 26010 
return "signal", nil 26011 case "signal.target.ancestors.interpreter.file.modification_time": 26012 return "signal", nil 26013 case "signal.target.ancestors.interpreter.file.mount_id": 26014 return "signal", nil 26015 case "signal.target.ancestors.interpreter.file.name": 26016 return "signal", nil 26017 case "signal.target.ancestors.interpreter.file.name.length": 26018 return "signal", nil 26019 case "signal.target.ancestors.interpreter.file.package.name": 26020 return "signal", nil 26021 case "signal.target.ancestors.interpreter.file.package.source_version": 26022 return "signal", nil 26023 case "signal.target.ancestors.interpreter.file.package.version": 26024 return "signal", nil 26025 case "signal.target.ancestors.interpreter.file.path": 26026 return "signal", nil 26027 case "signal.target.ancestors.interpreter.file.path.length": 26028 return "signal", nil 26029 case "signal.target.ancestors.interpreter.file.rights": 26030 return "signal", nil 26031 case "signal.target.ancestors.interpreter.file.uid": 26032 return "signal", nil 26033 case "signal.target.ancestors.interpreter.file.user": 26034 return "signal", nil 26035 case "signal.target.ancestors.is_kworker": 26036 return "signal", nil 26037 case "signal.target.ancestors.is_thread": 26038 return "signal", nil 26039 case "signal.target.ancestors.pid": 26040 return "signal", nil 26041 case "signal.target.ancestors.ppid": 26042 return "signal", nil 26043 case "signal.target.ancestors.tid": 26044 return "signal", nil 26045 case "signal.target.ancestors.tty_name": 26046 return "signal", nil 26047 case "signal.target.ancestors.uid": 26048 return "signal", nil 26049 case "signal.target.ancestors.user": 26050 return "signal", nil 26051 case "signal.target.ancestors.user_session.k8s_groups": 26052 return "signal", nil 26053 case "signal.target.ancestors.user_session.k8s_uid": 26054 return "signal", nil 26055 case "signal.target.ancestors.user_session.k8s_username": 26056 return "signal", nil 26057 case 
"signal.target.args": 26058 return "signal", nil 26059 case "signal.target.args_flags": 26060 return "signal", nil 26061 case "signal.target.args_options": 26062 return "signal", nil 26063 case "signal.target.args_truncated": 26064 return "signal", nil 26065 case "signal.target.argv": 26066 return "signal", nil 26067 case "signal.target.argv0": 26068 return "signal", nil 26069 case "signal.target.cap_effective": 26070 return "signal", nil 26071 case "signal.target.cap_permitted": 26072 return "signal", nil 26073 case "signal.target.comm": 26074 return "signal", nil 26075 case "signal.target.container.id": 26076 return "signal", nil 26077 case "signal.target.created_at": 26078 return "signal", nil 26079 case "signal.target.egid": 26080 return "signal", nil 26081 case "signal.target.egroup": 26082 return "signal", nil 26083 case "signal.target.envp": 26084 return "signal", nil 26085 case "signal.target.envs": 26086 return "signal", nil 26087 case "signal.target.envs_truncated": 26088 return "signal", nil 26089 case "signal.target.euid": 26090 return "signal", nil 26091 case "signal.target.euser": 26092 return "signal", nil 26093 case "signal.target.file.change_time": 26094 return "signal", nil 26095 case "signal.target.file.filesystem": 26096 return "signal", nil 26097 case "signal.target.file.gid": 26098 return "signal", nil 26099 case "signal.target.file.group": 26100 return "signal", nil 26101 case "signal.target.file.hashes": 26102 return "signal", nil 26103 case "signal.target.file.in_upper_layer": 26104 return "signal", nil 26105 case "signal.target.file.inode": 26106 return "signal", nil 26107 case "signal.target.file.mode": 26108 return "signal", nil 26109 case "signal.target.file.modification_time": 26110 return "signal", nil 26111 case "signal.target.file.mount_id": 26112 return "signal", nil 26113 case "signal.target.file.name": 26114 return "signal", nil 26115 case "signal.target.file.name.length": 26116 return "signal", nil 26117 case 
"signal.target.file.package.name": 26118 return "signal", nil 26119 case "signal.target.file.package.source_version": 26120 return "signal", nil 26121 case "signal.target.file.package.version": 26122 return "signal", nil 26123 case "signal.target.file.path": 26124 return "signal", nil 26125 case "signal.target.file.path.length": 26126 return "signal", nil 26127 case "signal.target.file.rights": 26128 return "signal", nil 26129 case "signal.target.file.uid": 26130 return "signal", nil 26131 case "signal.target.file.user": 26132 return "signal", nil 26133 case "signal.target.fsgid": 26134 return "signal", nil 26135 case "signal.target.fsgroup": 26136 return "signal", nil 26137 case "signal.target.fsuid": 26138 return "signal", nil 26139 case "signal.target.fsuser": 26140 return "signal", nil 26141 case "signal.target.gid": 26142 return "signal", nil 26143 case "signal.target.group": 26144 return "signal", nil 26145 case "signal.target.interpreter.file.change_time": 26146 return "signal", nil 26147 case "signal.target.interpreter.file.filesystem": 26148 return "signal", nil 26149 case "signal.target.interpreter.file.gid": 26150 return "signal", nil 26151 case "signal.target.interpreter.file.group": 26152 return "signal", nil 26153 case "signal.target.interpreter.file.hashes": 26154 return "signal", nil 26155 case "signal.target.interpreter.file.in_upper_layer": 26156 return "signal", nil 26157 case "signal.target.interpreter.file.inode": 26158 return "signal", nil 26159 case "signal.target.interpreter.file.mode": 26160 return "signal", nil 26161 case "signal.target.interpreter.file.modification_time": 26162 return "signal", nil 26163 case "signal.target.interpreter.file.mount_id": 26164 return "signal", nil 26165 case "signal.target.interpreter.file.name": 26166 return "signal", nil 26167 case "signal.target.interpreter.file.name.length": 26168 return "signal", nil 26169 case "signal.target.interpreter.file.package.name": 26170 return "signal", nil 26171 case 
"signal.target.interpreter.file.package.source_version": 26172 return "signal", nil 26173 case "signal.target.interpreter.file.package.version": 26174 return "signal", nil 26175 case "signal.target.interpreter.file.path": 26176 return "signal", nil 26177 case "signal.target.interpreter.file.path.length": 26178 return "signal", nil 26179 case "signal.target.interpreter.file.rights": 26180 return "signal", nil 26181 case "signal.target.interpreter.file.uid": 26182 return "signal", nil 26183 case "signal.target.interpreter.file.user": 26184 return "signal", nil 26185 case "signal.target.is_kworker": 26186 return "signal", nil 26187 case "signal.target.is_thread": 26188 return "signal", nil 26189 case "signal.target.parent.args": 26190 return "signal", nil 26191 case "signal.target.parent.args_flags": 26192 return "signal", nil 26193 case "signal.target.parent.args_options": 26194 return "signal", nil 26195 case "signal.target.parent.args_truncated": 26196 return "signal", nil 26197 case "signal.target.parent.argv": 26198 return "signal", nil 26199 case "signal.target.parent.argv0": 26200 return "signal", nil 26201 case "signal.target.parent.cap_effective": 26202 return "signal", nil 26203 case "signal.target.parent.cap_permitted": 26204 return "signal", nil 26205 case "signal.target.parent.comm": 26206 return "signal", nil 26207 case "signal.target.parent.container.id": 26208 return "signal", nil 26209 case "signal.target.parent.created_at": 26210 return "signal", nil 26211 case "signal.target.parent.egid": 26212 return "signal", nil 26213 case "signal.target.parent.egroup": 26214 return "signal", nil 26215 case "signal.target.parent.envp": 26216 return "signal", nil 26217 case "signal.target.parent.envs": 26218 return "signal", nil 26219 case "signal.target.parent.envs_truncated": 26220 return "signal", nil 26221 case "signal.target.parent.euid": 26222 return "signal", nil 26223 case "signal.target.parent.euser": 26224 return "signal", nil 26225 case 
"signal.target.parent.file.change_time": 26226 return "signal", nil 26227 case "signal.target.parent.file.filesystem": 26228 return "signal", nil 26229 case "signal.target.parent.file.gid": 26230 return "signal", nil 26231 case "signal.target.parent.file.group": 26232 return "signal", nil 26233 case "signal.target.parent.file.hashes": 26234 return "signal", nil 26235 case "signal.target.parent.file.in_upper_layer": 26236 return "signal", nil 26237 case "signal.target.parent.file.inode": 26238 return "signal", nil 26239 case "signal.target.parent.file.mode": 26240 return "signal", nil 26241 case "signal.target.parent.file.modification_time": 26242 return "signal", nil 26243 case "signal.target.parent.file.mount_id": 26244 return "signal", nil 26245 case "signal.target.parent.file.name": 26246 return "signal", nil 26247 case "signal.target.parent.file.name.length": 26248 return "signal", nil 26249 case "signal.target.parent.file.package.name": 26250 return "signal", nil 26251 case "signal.target.parent.file.package.source_version": 26252 return "signal", nil 26253 case "signal.target.parent.file.package.version": 26254 return "signal", nil 26255 case "signal.target.parent.file.path": 26256 return "signal", nil 26257 case "signal.target.parent.file.path.length": 26258 return "signal", nil 26259 case "signal.target.parent.file.rights": 26260 return "signal", nil 26261 case "signal.target.parent.file.uid": 26262 return "signal", nil 26263 case "signal.target.parent.file.user": 26264 return "signal", nil 26265 case "signal.target.parent.fsgid": 26266 return "signal", nil 26267 case "signal.target.parent.fsgroup": 26268 return "signal", nil 26269 case "signal.target.parent.fsuid": 26270 return "signal", nil 26271 case "signal.target.parent.fsuser": 26272 return "signal", nil 26273 case "signal.target.parent.gid": 26274 return "signal", nil 26275 case "signal.target.parent.group": 26276 return "signal", nil 26277 case "signal.target.parent.interpreter.file.change_time": 
26278 return "signal", nil 26279 case "signal.target.parent.interpreter.file.filesystem": 26280 return "signal", nil 26281 case "signal.target.parent.interpreter.file.gid": 26282 return "signal", nil 26283 case "signal.target.parent.interpreter.file.group": 26284 return "signal", nil 26285 case "signal.target.parent.interpreter.file.hashes": 26286 return "signal", nil 26287 case "signal.target.parent.interpreter.file.in_upper_layer": 26288 return "signal", nil 26289 case "signal.target.parent.interpreter.file.inode": 26290 return "signal", nil 26291 case "signal.target.parent.interpreter.file.mode": 26292 return "signal", nil 26293 case "signal.target.parent.interpreter.file.modification_time": 26294 return "signal", nil 26295 case "signal.target.parent.interpreter.file.mount_id": 26296 return "signal", nil 26297 case "signal.target.parent.interpreter.file.name": 26298 return "signal", nil 26299 case "signal.target.parent.interpreter.file.name.length": 26300 return "signal", nil 26301 case "signal.target.parent.interpreter.file.package.name": 26302 return "signal", nil 26303 case "signal.target.parent.interpreter.file.package.source_version": 26304 return "signal", nil 26305 case "signal.target.parent.interpreter.file.package.version": 26306 return "signal", nil 26307 case "signal.target.parent.interpreter.file.path": 26308 return "signal", nil 26309 case "signal.target.parent.interpreter.file.path.length": 26310 return "signal", nil 26311 case "signal.target.parent.interpreter.file.rights": 26312 return "signal", nil 26313 case "signal.target.parent.interpreter.file.uid": 26314 return "signal", nil 26315 case "signal.target.parent.interpreter.file.user": 26316 return "signal", nil 26317 case "signal.target.parent.is_kworker": 26318 return "signal", nil 26319 case "signal.target.parent.is_thread": 26320 return "signal", nil 26321 case "signal.target.parent.pid": 26322 return "signal", nil 26323 case "signal.target.parent.ppid": 26324 return "signal", nil 26325 case 
"signal.target.parent.tid": 26326 return "signal", nil 26327 case "signal.target.parent.tty_name": 26328 return "signal", nil 26329 case "signal.target.parent.uid": 26330 return "signal", nil 26331 case "signal.target.parent.user": 26332 return "signal", nil 26333 case "signal.target.parent.user_session.k8s_groups": 26334 return "signal", nil 26335 case "signal.target.parent.user_session.k8s_uid": 26336 return "signal", nil 26337 case "signal.target.parent.user_session.k8s_username": 26338 return "signal", nil 26339 case "signal.target.pid": 26340 return "signal", nil 26341 case "signal.target.ppid": 26342 return "signal", nil 26343 case "signal.target.tid": 26344 return "signal", nil 26345 case "signal.target.tty_name": 26346 return "signal", nil 26347 case "signal.target.uid": 26348 return "signal", nil 26349 case "signal.target.user": 26350 return "signal", nil 26351 case "signal.target.user_session.k8s_groups": 26352 return "signal", nil 26353 case "signal.target.user_session.k8s_uid": 26354 return "signal", nil 26355 case "signal.target.user_session.k8s_username": 26356 return "signal", nil 26357 case "signal.type": 26358 return "signal", nil 26359 case "splice.file.change_time": 26360 return "splice", nil 26361 case "splice.file.filesystem": 26362 return "splice", nil 26363 case "splice.file.gid": 26364 return "splice", nil 26365 case "splice.file.group": 26366 return "splice", nil 26367 case "splice.file.hashes": 26368 return "splice", nil 26369 case "splice.file.in_upper_layer": 26370 return "splice", nil 26371 case "splice.file.inode": 26372 return "splice", nil 26373 case "splice.file.mode": 26374 return "splice", nil 26375 case "splice.file.modification_time": 26376 return "splice", nil 26377 case "splice.file.mount_id": 26378 return "splice", nil 26379 case "splice.file.name": 26380 return "splice", nil 26381 case "splice.file.name.length": 26382 return "splice", nil 26383 case "splice.file.package.name": 26384 return "splice", nil 26385 case 
"splice.file.package.source_version": 26386 return "splice", nil 26387 case "splice.file.package.version": 26388 return "splice", nil 26389 case "splice.file.path": 26390 return "splice", nil 26391 case "splice.file.path.length": 26392 return "splice", nil 26393 case "splice.file.rights": 26394 return "splice", nil 26395 case "splice.file.uid": 26396 return "splice", nil 26397 case "splice.file.user": 26398 return "splice", nil 26399 case "splice.pipe_entry_flag": 26400 return "splice", nil 26401 case "splice.pipe_exit_flag": 26402 return "splice", nil 26403 case "splice.retval": 26404 return "splice", nil 26405 case "unlink.file.change_time": 26406 return "unlink", nil 26407 case "unlink.file.filesystem": 26408 return "unlink", nil 26409 case "unlink.file.gid": 26410 return "unlink", nil 26411 case "unlink.file.group": 26412 return "unlink", nil 26413 case "unlink.file.hashes": 26414 return "unlink", nil 26415 case "unlink.file.in_upper_layer": 26416 return "unlink", nil 26417 case "unlink.file.inode": 26418 return "unlink", nil 26419 case "unlink.file.mode": 26420 return "unlink", nil 26421 case "unlink.file.modification_time": 26422 return "unlink", nil 26423 case "unlink.file.mount_id": 26424 return "unlink", nil 26425 case "unlink.file.name": 26426 return "unlink", nil 26427 case "unlink.file.name.length": 26428 return "unlink", nil 26429 case "unlink.file.package.name": 26430 return "unlink", nil 26431 case "unlink.file.package.source_version": 26432 return "unlink", nil 26433 case "unlink.file.package.version": 26434 return "unlink", nil 26435 case "unlink.file.path": 26436 return "unlink", nil 26437 case "unlink.file.path.length": 26438 return "unlink", nil 26439 case "unlink.file.rights": 26440 return "unlink", nil 26441 case "unlink.file.uid": 26442 return "unlink", nil 26443 case "unlink.file.user": 26444 return "unlink", nil 26445 case "unlink.flags": 26446 return "unlink", nil 26447 case "unlink.retval": 26448 return "unlink", nil 26449 case 
"unload_module.name": 26450 return "unload_module", nil 26451 case "unload_module.retval": 26452 return "unload_module", nil 26453 case "utimes.file.change_time": 26454 return "utimes", nil 26455 case "utimes.file.filesystem": 26456 return "utimes", nil 26457 case "utimes.file.gid": 26458 return "utimes", nil 26459 case "utimes.file.group": 26460 return "utimes", nil 26461 case "utimes.file.hashes": 26462 return "utimes", nil 26463 case "utimes.file.in_upper_layer": 26464 return "utimes", nil 26465 case "utimes.file.inode": 26466 return "utimes", nil 26467 case "utimes.file.mode": 26468 return "utimes", nil 26469 case "utimes.file.modification_time": 26470 return "utimes", nil 26471 case "utimes.file.mount_id": 26472 return "utimes", nil 26473 case "utimes.file.name": 26474 return "utimes", nil 26475 case "utimes.file.name.length": 26476 return "utimes", nil 26477 case "utimes.file.package.name": 26478 return "utimes", nil 26479 case "utimes.file.package.source_version": 26480 return "utimes", nil 26481 case "utimes.file.package.version": 26482 return "utimes", nil 26483 case "utimes.file.path": 26484 return "utimes", nil 26485 case "utimes.file.path.length": 26486 return "utimes", nil 26487 case "utimes.file.rights": 26488 return "utimes", nil 26489 case "utimes.file.uid": 26490 return "utimes", nil 26491 case "utimes.file.user": 26492 return "utimes", nil 26493 case "utimes.retval": 26494 return "utimes", nil 26495 } 26496 return "", &eval.ErrFieldNotFound{Field: field} 26497 } 26498 func (ev *Event) GetFieldType(field eval.Field) (reflect.Kind, error) { 26499 switch field { 26500 case "bind.addr.family": 26501 return reflect.Int, nil 26502 case "bind.addr.ip": 26503 return reflect.Struct, nil 26504 case "bind.addr.port": 26505 return reflect.Int, nil 26506 case "bind.retval": 26507 return reflect.Int, nil 26508 case "bpf.cmd": 26509 return reflect.Int, nil 26510 case "bpf.map.name": 26511 return reflect.String, nil 26512 case "bpf.map.type": 26513 return 
reflect.Int, nil 26514 case "bpf.prog.attach_type": 26515 return reflect.Int, nil 26516 case "bpf.prog.helpers": 26517 return reflect.Int, nil 26518 case "bpf.prog.name": 26519 return reflect.String, nil 26520 case "bpf.prog.tag": 26521 return reflect.String, nil 26522 case "bpf.prog.type": 26523 return reflect.Int, nil 26524 case "bpf.retval": 26525 return reflect.Int, nil 26526 case "capset.cap_effective": 26527 return reflect.Int, nil 26528 case "capset.cap_permitted": 26529 return reflect.Int, nil 26530 case "chdir.file.change_time": 26531 return reflect.Int, nil 26532 case "chdir.file.filesystem": 26533 return reflect.String, nil 26534 case "chdir.file.gid": 26535 return reflect.Int, nil 26536 case "chdir.file.group": 26537 return reflect.String, nil 26538 case "chdir.file.hashes": 26539 return reflect.String, nil 26540 case "chdir.file.in_upper_layer": 26541 return reflect.Bool, nil 26542 case "chdir.file.inode": 26543 return reflect.Int, nil 26544 case "chdir.file.mode": 26545 return reflect.Int, nil 26546 case "chdir.file.modification_time": 26547 return reflect.Int, nil 26548 case "chdir.file.mount_id": 26549 return reflect.Int, nil 26550 case "chdir.file.name": 26551 return reflect.String, nil 26552 case "chdir.file.name.length": 26553 return reflect.Int, nil 26554 case "chdir.file.package.name": 26555 return reflect.String, nil 26556 case "chdir.file.package.source_version": 26557 return reflect.String, nil 26558 case "chdir.file.package.version": 26559 return reflect.String, nil 26560 case "chdir.file.path": 26561 return reflect.String, nil 26562 case "chdir.file.path.length": 26563 return reflect.Int, nil 26564 case "chdir.file.rights": 26565 return reflect.Int, nil 26566 case "chdir.file.uid": 26567 return reflect.Int, nil 26568 case "chdir.file.user": 26569 return reflect.String, nil 26570 case "chdir.retval": 26571 return reflect.Int, nil 26572 case "chmod.file.change_time": 26573 return reflect.Int, nil 26574 case "chmod.file.destination.mode": 
26575 return reflect.Int, nil 26576 case "chmod.file.destination.rights": 26577 return reflect.Int, nil 26578 case "chmod.file.filesystem": 26579 return reflect.String, nil 26580 case "chmod.file.gid": 26581 return reflect.Int, nil 26582 case "chmod.file.group": 26583 return reflect.String, nil 26584 case "chmod.file.hashes": 26585 return reflect.String, nil 26586 case "chmod.file.in_upper_layer": 26587 return reflect.Bool, nil 26588 case "chmod.file.inode": 26589 return reflect.Int, nil 26590 case "chmod.file.mode": 26591 return reflect.Int, nil 26592 case "chmod.file.modification_time": 26593 return reflect.Int, nil 26594 case "chmod.file.mount_id": 26595 return reflect.Int, nil 26596 case "chmod.file.name": 26597 return reflect.String, nil 26598 case "chmod.file.name.length": 26599 return reflect.Int, nil 26600 case "chmod.file.package.name": 26601 return reflect.String, nil 26602 case "chmod.file.package.source_version": 26603 return reflect.String, nil 26604 case "chmod.file.package.version": 26605 return reflect.String, nil 26606 case "chmod.file.path": 26607 return reflect.String, nil 26608 case "chmod.file.path.length": 26609 return reflect.Int, nil 26610 case "chmod.file.rights": 26611 return reflect.Int, nil 26612 case "chmod.file.uid": 26613 return reflect.Int, nil 26614 case "chmod.file.user": 26615 return reflect.String, nil 26616 case "chmod.retval": 26617 return reflect.Int, nil 26618 case "chown.file.change_time": 26619 return reflect.Int, nil 26620 case "chown.file.destination.gid": 26621 return reflect.Int, nil 26622 case "chown.file.destination.group": 26623 return reflect.String, nil 26624 case "chown.file.destination.uid": 26625 return reflect.Int, nil 26626 case "chown.file.destination.user": 26627 return reflect.String, nil 26628 case "chown.file.filesystem": 26629 return reflect.String, nil 26630 case "chown.file.gid": 26631 return reflect.Int, nil 26632 case "chown.file.group": 26633 return reflect.String, nil 26634 case 
"chown.file.hashes": 26635 return reflect.String, nil 26636 case "chown.file.in_upper_layer": 26637 return reflect.Bool, nil 26638 case "chown.file.inode": 26639 return reflect.Int, nil 26640 case "chown.file.mode": 26641 return reflect.Int, nil 26642 case "chown.file.modification_time": 26643 return reflect.Int, nil 26644 case "chown.file.mount_id": 26645 return reflect.Int, nil 26646 case "chown.file.name": 26647 return reflect.String, nil 26648 case "chown.file.name.length": 26649 return reflect.Int, nil 26650 case "chown.file.package.name": 26651 return reflect.String, nil 26652 case "chown.file.package.source_version": 26653 return reflect.String, nil 26654 case "chown.file.package.version": 26655 return reflect.String, nil 26656 case "chown.file.path": 26657 return reflect.String, nil 26658 case "chown.file.path.length": 26659 return reflect.Int, nil 26660 case "chown.file.rights": 26661 return reflect.Int, nil 26662 case "chown.file.uid": 26663 return reflect.Int, nil 26664 case "chown.file.user": 26665 return reflect.String, nil 26666 case "chown.retval": 26667 return reflect.Int, nil 26668 case "container.created_at": 26669 return reflect.Int, nil 26670 case "container.id": 26671 return reflect.String, nil 26672 case "container.tags": 26673 return reflect.String, nil 26674 case "dns.id": 26675 return reflect.Int, nil 26676 case "dns.question.class": 26677 return reflect.Int, nil 26678 case "dns.question.count": 26679 return reflect.Int, nil 26680 case "dns.question.length": 26681 return reflect.Int, nil 26682 case "dns.question.name": 26683 return reflect.String, nil 26684 case "dns.question.name.length": 26685 return reflect.Int, nil 26686 case "dns.question.type": 26687 return reflect.Int, nil 26688 case "event.async": 26689 return reflect.Bool, nil 26690 case "event.origin": 26691 return reflect.String, nil 26692 case "event.os": 26693 return reflect.String, nil 26694 case "event.service": 26695 return reflect.String, nil 26696 case "event.timestamp": 
26697 return reflect.Int, nil 26698 case "exec.args": 26699 return reflect.String, nil 26700 case "exec.args_flags": 26701 return reflect.String, nil 26702 case "exec.args_options": 26703 return reflect.String, nil 26704 case "exec.args_truncated": 26705 return reflect.Bool, nil 26706 case "exec.argv": 26707 return reflect.String, nil 26708 case "exec.argv0": 26709 return reflect.String, nil 26710 case "exec.cap_effective": 26711 return reflect.Int, nil 26712 case "exec.cap_permitted": 26713 return reflect.Int, nil 26714 case "exec.comm": 26715 return reflect.String, nil 26716 case "exec.container.id": 26717 return reflect.String, nil 26718 case "exec.created_at": 26719 return reflect.Int, nil 26720 case "exec.egid": 26721 return reflect.Int, nil 26722 case "exec.egroup": 26723 return reflect.String, nil 26724 case "exec.envp": 26725 return reflect.String, nil 26726 case "exec.envs": 26727 return reflect.String, nil 26728 case "exec.envs_truncated": 26729 return reflect.Bool, nil 26730 case "exec.euid": 26731 return reflect.Int, nil 26732 case "exec.euser": 26733 return reflect.String, nil 26734 case "exec.file.change_time": 26735 return reflect.Int, nil 26736 case "exec.file.filesystem": 26737 return reflect.String, nil 26738 case "exec.file.gid": 26739 return reflect.Int, nil 26740 case "exec.file.group": 26741 return reflect.String, nil 26742 case "exec.file.hashes": 26743 return reflect.String, nil 26744 case "exec.file.in_upper_layer": 26745 return reflect.Bool, nil 26746 case "exec.file.inode": 26747 return reflect.Int, nil 26748 case "exec.file.mode": 26749 return reflect.Int, nil 26750 case "exec.file.modification_time": 26751 return reflect.Int, nil 26752 case "exec.file.mount_id": 26753 return reflect.Int, nil 26754 case "exec.file.name": 26755 return reflect.String, nil 26756 case "exec.file.name.length": 26757 return reflect.Int, nil 26758 case "exec.file.package.name": 26759 return reflect.String, nil 26760 case "exec.file.package.source_version": 
26761 return reflect.String, nil 26762 case "exec.file.package.version": 26763 return reflect.String, nil 26764 case "exec.file.path": 26765 return reflect.String, nil 26766 case "exec.file.path.length": 26767 return reflect.Int, nil 26768 case "exec.file.rights": 26769 return reflect.Int, nil 26770 case "exec.file.uid": 26771 return reflect.Int, nil 26772 case "exec.file.user": 26773 return reflect.String, nil 26774 case "exec.fsgid": 26775 return reflect.Int, nil 26776 case "exec.fsgroup": 26777 return reflect.String, nil 26778 case "exec.fsuid": 26779 return reflect.Int, nil 26780 case "exec.fsuser": 26781 return reflect.String, nil 26782 case "exec.gid": 26783 return reflect.Int, nil 26784 case "exec.group": 26785 return reflect.String, nil 26786 case "exec.interpreter.file.change_time": 26787 return reflect.Int, nil 26788 case "exec.interpreter.file.filesystem": 26789 return reflect.String, nil 26790 case "exec.interpreter.file.gid": 26791 return reflect.Int, nil 26792 case "exec.interpreter.file.group": 26793 return reflect.String, nil 26794 case "exec.interpreter.file.hashes": 26795 return reflect.String, nil 26796 case "exec.interpreter.file.in_upper_layer": 26797 return reflect.Bool, nil 26798 case "exec.interpreter.file.inode": 26799 return reflect.Int, nil 26800 case "exec.interpreter.file.mode": 26801 return reflect.Int, nil 26802 case "exec.interpreter.file.modification_time": 26803 return reflect.Int, nil 26804 case "exec.interpreter.file.mount_id": 26805 return reflect.Int, nil 26806 case "exec.interpreter.file.name": 26807 return reflect.String, nil 26808 case "exec.interpreter.file.name.length": 26809 return reflect.Int, nil 26810 case "exec.interpreter.file.package.name": 26811 return reflect.String, nil 26812 case "exec.interpreter.file.package.source_version": 26813 return reflect.String, nil 26814 case "exec.interpreter.file.package.version": 26815 return reflect.String, nil 26816 case "exec.interpreter.file.path": 26817 return reflect.String, 
nil 26818 case "exec.interpreter.file.path.length": 26819 return reflect.Int, nil 26820 case "exec.interpreter.file.rights": 26821 return reflect.Int, nil 26822 case "exec.interpreter.file.uid": 26823 return reflect.Int, nil 26824 case "exec.interpreter.file.user": 26825 return reflect.String, nil 26826 case "exec.is_kworker": 26827 return reflect.Bool, nil 26828 case "exec.is_thread": 26829 return reflect.Bool, nil 26830 case "exec.pid": 26831 return reflect.Int, nil 26832 case "exec.ppid": 26833 return reflect.Int, nil 26834 case "exec.tid": 26835 return reflect.Int, nil 26836 case "exec.tty_name": 26837 return reflect.String, nil 26838 case "exec.uid": 26839 return reflect.Int, nil 26840 case "exec.user": 26841 return reflect.String, nil 26842 case "exec.user_session.k8s_groups": 26843 return reflect.String, nil 26844 case "exec.user_session.k8s_uid": 26845 return reflect.String, nil 26846 case "exec.user_session.k8s_username": 26847 return reflect.String, nil 26848 case "exit.args": 26849 return reflect.String, nil 26850 case "exit.args_flags": 26851 return reflect.String, nil 26852 case "exit.args_options": 26853 return reflect.String, nil 26854 case "exit.args_truncated": 26855 return reflect.Bool, nil 26856 case "exit.argv": 26857 return reflect.String, nil 26858 case "exit.argv0": 26859 return reflect.String, nil 26860 case "exit.cap_effective": 26861 return reflect.Int, nil 26862 case "exit.cap_permitted": 26863 return reflect.Int, nil 26864 case "exit.cause": 26865 return reflect.Int, nil 26866 case "exit.code": 26867 return reflect.Int, nil 26868 case "exit.comm": 26869 return reflect.String, nil 26870 case "exit.container.id": 26871 return reflect.String, nil 26872 case "exit.created_at": 26873 return reflect.Int, nil 26874 case "exit.egid": 26875 return reflect.Int, nil 26876 case "exit.egroup": 26877 return reflect.String, nil 26878 case "exit.envp": 26879 return reflect.String, nil 26880 case "exit.envs": 26881 return reflect.String, nil 26882 case 
"exit.envs_truncated": 26883 return reflect.Bool, nil 26884 case "exit.euid": 26885 return reflect.Int, nil 26886 case "exit.euser": 26887 return reflect.String, nil 26888 case "exit.file.change_time": 26889 return reflect.Int, nil 26890 case "exit.file.filesystem": 26891 return reflect.String, nil 26892 case "exit.file.gid": 26893 return reflect.Int, nil 26894 case "exit.file.group": 26895 return reflect.String, nil 26896 case "exit.file.hashes": 26897 return reflect.String, nil 26898 case "exit.file.in_upper_layer": 26899 return reflect.Bool, nil 26900 case "exit.file.inode": 26901 return reflect.Int, nil 26902 case "exit.file.mode": 26903 return reflect.Int, nil 26904 case "exit.file.modification_time": 26905 return reflect.Int, nil 26906 case "exit.file.mount_id": 26907 return reflect.Int, nil 26908 case "exit.file.name": 26909 return reflect.String, nil 26910 case "exit.file.name.length": 26911 return reflect.Int, nil 26912 case "exit.file.package.name": 26913 return reflect.String, nil 26914 case "exit.file.package.source_version": 26915 return reflect.String, nil 26916 case "exit.file.package.version": 26917 return reflect.String, nil 26918 case "exit.file.path": 26919 return reflect.String, nil 26920 case "exit.file.path.length": 26921 return reflect.Int, nil 26922 case "exit.file.rights": 26923 return reflect.Int, nil 26924 case "exit.file.uid": 26925 return reflect.Int, nil 26926 case "exit.file.user": 26927 return reflect.String, nil 26928 case "exit.fsgid": 26929 return reflect.Int, nil 26930 case "exit.fsgroup": 26931 return reflect.String, nil 26932 case "exit.fsuid": 26933 return reflect.Int, nil 26934 case "exit.fsuser": 26935 return reflect.String, nil 26936 case "exit.gid": 26937 return reflect.Int, nil 26938 case "exit.group": 26939 return reflect.String, nil 26940 case "exit.interpreter.file.change_time": 26941 return reflect.Int, nil 26942 case "exit.interpreter.file.filesystem": 26943 return reflect.String, nil 26944 case 
"exit.interpreter.file.gid": 26945 return reflect.Int, nil 26946 case "exit.interpreter.file.group": 26947 return reflect.String, nil 26948 case "exit.interpreter.file.hashes": 26949 return reflect.String, nil 26950 case "exit.interpreter.file.in_upper_layer": 26951 return reflect.Bool, nil 26952 case "exit.interpreter.file.inode": 26953 return reflect.Int, nil 26954 case "exit.interpreter.file.mode": 26955 return reflect.Int, nil 26956 case "exit.interpreter.file.modification_time": 26957 return reflect.Int, nil 26958 case "exit.interpreter.file.mount_id": 26959 return reflect.Int, nil 26960 case "exit.interpreter.file.name": 26961 return reflect.String, nil 26962 case "exit.interpreter.file.name.length": 26963 return reflect.Int, nil 26964 case "exit.interpreter.file.package.name": 26965 return reflect.String, nil 26966 case "exit.interpreter.file.package.source_version": 26967 return reflect.String, nil 26968 case "exit.interpreter.file.package.version": 26969 return reflect.String, nil 26970 case "exit.interpreter.file.path": 26971 return reflect.String, nil 26972 case "exit.interpreter.file.path.length": 26973 return reflect.Int, nil 26974 case "exit.interpreter.file.rights": 26975 return reflect.Int, nil 26976 case "exit.interpreter.file.uid": 26977 return reflect.Int, nil 26978 case "exit.interpreter.file.user": 26979 return reflect.String, nil 26980 case "exit.is_kworker": 26981 return reflect.Bool, nil 26982 case "exit.is_thread": 26983 return reflect.Bool, nil 26984 case "exit.pid": 26985 return reflect.Int, nil 26986 case "exit.ppid": 26987 return reflect.Int, nil 26988 case "exit.tid": 26989 return reflect.Int, nil 26990 case "exit.tty_name": 26991 return reflect.String, nil 26992 case "exit.uid": 26993 return reflect.Int, nil 26994 case "exit.user": 26995 return reflect.String, nil 26996 case "exit.user_session.k8s_groups": 26997 return reflect.String, nil 26998 case "exit.user_session.k8s_uid": 26999 return reflect.String, nil 27000 case 
"exit.user_session.k8s_username": 27001 return reflect.String, nil 27002 case "link.file.change_time": 27003 return reflect.Int, nil 27004 case "link.file.destination.change_time": 27005 return reflect.Int, nil 27006 case "link.file.destination.filesystem": 27007 return reflect.String, nil 27008 case "link.file.destination.gid": 27009 return reflect.Int, nil 27010 case "link.file.destination.group": 27011 return reflect.String, nil 27012 case "link.file.destination.hashes": 27013 return reflect.String, nil 27014 case "link.file.destination.in_upper_layer": 27015 return reflect.Bool, nil 27016 case "link.file.destination.inode": 27017 return reflect.Int, nil 27018 case "link.file.destination.mode": 27019 return reflect.Int, nil 27020 case "link.file.destination.modification_time": 27021 return reflect.Int, nil 27022 case "link.file.destination.mount_id": 27023 return reflect.Int, nil 27024 case "link.file.destination.name": 27025 return reflect.String, nil 27026 case "link.file.destination.name.length": 27027 return reflect.Int, nil 27028 case "link.file.destination.package.name": 27029 return reflect.String, nil 27030 case "link.file.destination.package.source_version": 27031 return reflect.String, nil 27032 case "link.file.destination.package.version": 27033 return reflect.String, nil 27034 case "link.file.destination.path": 27035 return reflect.String, nil 27036 case "link.file.destination.path.length": 27037 return reflect.Int, nil 27038 case "link.file.destination.rights": 27039 return reflect.Int, nil 27040 case "link.file.destination.uid": 27041 return reflect.Int, nil 27042 case "link.file.destination.user": 27043 return reflect.String, nil 27044 case "link.file.filesystem": 27045 return reflect.String, nil 27046 case "link.file.gid": 27047 return reflect.Int, nil 27048 case "link.file.group": 27049 return reflect.String, nil 27050 case "link.file.hashes": 27051 return reflect.String, nil 27052 case "link.file.in_upper_layer": 27053 return reflect.Bool, nil 
27054 case "link.file.inode": 27055 return reflect.Int, nil 27056 case "link.file.mode": 27057 return reflect.Int, nil 27058 case "link.file.modification_time": 27059 return reflect.Int, nil 27060 case "link.file.mount_id": 27061 return reflect.Int, nil 27062 case "link.file.name": 27063 return reflect.String, nil 27064 case "link.file.name.length": 27065 return reflect.Int, nil 27066 case "link.file.package.name": 27067 return reflect.String, nil 27068 case "link.file.package.source_version": 27069 return reflect.String, nil 27070 case "link.file.package.version": 27071 return reflect.String, nil 27072 case "link.file.path": 27073 return reflect.String, nil 27074 case "link.file.path.length": 27075 return reflect.Int, nil 27076 case "link.file.rights": 27077 return reflect.Int, nil 27078 case "link.file.uid": 27079 return reflect.Int, nil 27080 case "link.file.user": 27081 return reflect.String, nil 27082 case "link.retval": 27083 return reflect.Int, nil 27084 case "load_module.args": 27085 return reflect.String, nil 27086 case "load_module.args_truncated": 27087 return reflect.Bool, nil 27088 case "load_module.argv": 27089 return reflect.String, nil 27090 case "load_module.file.change_time": 27091 return reflect.Int, nil 27092 case "load_module.file.filesystem": 27093 return reflect.String, nil 27094 case "load_module.file.gid": 27095 return reflect.Int, nil 27096 case "load_module.file.group": 27097 return reflect.String, nil 27098 case "load_module.file.hashes": 27099 return reflect.String, nil 27100 case "load_module.file.in_upper_layer": 27101 return reflect.Bool, nil 27102 case "load_module.file.inode": 27103 return reflect.Int, nil 27104 case "load_module.file.mode": 27105 return reflect.Int, nil 27106 case "load_module.file.modification_time": 27107 return reflect.Int, nil 27108 case "load_module.file.mount_id": 27109 return reflect.Int, nil 27110 case "load_module.file.name": 27111 return reflect.String, nil 27112 case "load_module.file.name.length": 
27113 return reflect.Int, nil 27114 case "load_module.file.package.name": 27115 return reflect.String, nil 27116 case "load_module.file.package.source_version": 27117 return reflect.String, nil 27118 case "load_module.file.package.version": 27119 return reflect.String, nil 27120 case "load_module.file.path": 27121 return reflect.String, nil 27122 case "load_module.file.path.length": 27123 return reflect.Int, nil 27124 case "load_module.file.rights": 27125 return reflect.Int, nil 27126 case "load_module.file.uid": 27127 return reflect.Int, nil 27128 case "load_module.file.user": 27129 return reflect.String, nil 27130 case "load_module.loaded_from_memory": 27131 return reflect.Bool, nil 27132 case "load_module.name": 27133 return reflect.String, nil 27134 case "load_module.retval": 27135 return reflect.Int, nil 27136 case "mkdir.file.change_time": 27137 return reflect.Int, nil 27138 case "mkdir.file.destination.mode": 27139 return reflect.Int, nil 27140 case "mkdir.file.destination.rights": 27141 return reflect.Int, nil 27142 case "mkdir.file.filesystem": 27143 return reflect.String, nil 27144 case "mkdir.file.gid": 27145 return reflect.Int, nil 27146 case "mkdir.file.group": 27147 return reflect.String, nil 27148 case "mkdir.file.hashes": 27149 return reflect.String, nil 27150 case "mkdir.file.in_upper_layer": 27151 return reflect.Bool, nil 27152 case "mkdir.file.inode": 27153 return reflect.Int, nil 27154 case "mkdir.file.mode": 27155 return reflect.Int, nil 27156 case "mkdir.file.modification_time": 27157 return reflect.Int, nil 27158 case "mkdir.file.mount_id": 27159 return reflect.Int, nil 27160 case "mkdir.file.name": 27161 return reflect.String, nil 27162 case "mkdir.file.name.length": 27163 return reflect.Int, nil 27164 case "mkdir.file.package.name": 27165 return reflect.String, nil 27166 case "mkdir.file.package.source_version": 27167 return reflect.String, nil 27168 case "mkdir.file.package.version": 27169 return reflect.String, nil 27170 case 
"mkdir.file.path": 27171 return reflect.String, nil 27172 case "mkdir.file.path.length": 27173 return reflect.Int, nil 27174 case "mkdir.file.rights": 27175 return reflect.Int, nil 27176 case "mkdir.file.uid": 27177 return reflect.Int, nil 27178 case "mkdir.file.user": 27179 return reflect.String, nil 27180 case "mkdir.retval": 27181 return reflect.Int, nil 27182 case "mmap.file.change_time": 27183 return reflect.Int, nil 27184 case "mmap.file.filesystem": 27185 return reflect.String, nil 27186 case "mmap.file.gid": 27187 return reflect.Int, nil 27188 case "mmap.file.group": 27189 return reflect.String, nil 27190 case "mmap.file.hashes": 27191 return reflect.String, nil 27192 case "mmap.file.in_upper_layer": 27193 return reflect.Bool, nil 27194 case "mmap.file.inode": 27195 return reflect.Int, nil 27196 case "mmap.file.mode": 27197 return reflect.Int, nil 27198 case "mmap.file.modification_time": 27199 return reflect.Int, nil 27200 case "mmap.file.mount_id": 27201 return reflect.Int, nil 27202 case "mmap.file.name": 27203 return reflect.String, nil 27204 case "mmap.file.name.length": 27205 return reflect.Int, nil 27206 case "mmap.file.package.name": 27207 return reflect.String, nil 27208 case "mmap.file.package.source_version": 27209 return reflect.String, nil 27210 case "mmap.file.package.version": 27211 return reflect.String, nil 27212 case "mmap.file.path": 27213 return reflect.String, nil 27214 case "mmap.file.path.length": 27215 return reflect.Int, nil 27216 case "mmap.file.rights": 27217 return reflect.Int, nil 27218 case "mmap.file.uid": 27219 return reflect.Int, nil 27220 case "mmap.file.user": 27221 return reflect.String, nil 27222 case "mmap.flags": 27223 return reflect.Int, nil 27224 case "mmap.protection": 27225 return reflect.Int, nil 27226 case "mmap.retval": 27227 return reflect.Int, nil 27228 case "mount.fs_type": 27229 return reflect.String, nil 27230 case "mount.mountpoint.path": 27231 return reflect.String, nil 27232 case "mount.retval": 27233 
return reflect.Int, nil 27234 case "mount.root.path": 27235 return reflect.String, nil 27236 case "mount.source.path": 27237 return reflect.String, nil 27238 case "mprotect.req_protection": 27239 return reflect.Int, nil 27240 case "mprotect.retval": 27241 return reflect.Int, nil 27242 case "mprotect.vm_protection": 27243 return reflect.Int, nil 27244 case "network.destination.ip": 27245 return reflect.Struct, nil 27246 case "network.destination.port": 27247 return reflect.Int, nil 27248 case "network.device.ifindex": 27249 return reflect.Int, nil 27250 case "network.device.ifname": 27251 return reflect.String, nil 27252 case "network.l3_protocol": 27253 return reflect.Int, nil 27254 case "network.l4_protocol": 27255 return reflect.Int, nil 27256 case "network.size": 27257 return reflect.Int, nil 27258 case "network.source.ip": 27259 return reflect.Struct, nil 27260 case "network.source.port": 27261 return reflect.Int, nil 27262 case "open.file.change_time": 27263 return reflect.Int, nil 27264 case "open.file.destination.mode": 27265 return reflect.Int, nil 27266 case "open.file.filesystem": 27267 return reflect.String, nil 27268 case "open.file.gid": 27269 return reflect.Int, nil 27270 case "open.file.group": 27271 return reflect.String, nil 27272 case "open.file.hashes": 27273 return reflect.String, nil 27274 case "open.file.in_upper_layer": 27275 return reflect.Bool, nil 27276 case "open.file.inode": 27277 return reflect.Int, nil 27278 case "open.file.mode": 27279 return reflect.Int, nil 27280 case "open.file.modification_time": 27281 return reflect.Int, nil 27282 case "open.file.mount_id": 27283 return reflect.Int, nil 27284 case "open.file.name": 27285 return reflect.String, nil 27286 case "open.file.name.length": 27287 return reflect.Int, nil 27288 case "open.file.package.name": 27289 return reflect.String, nil 27290 case "open.file.package.source_version": 27291 return reflect.String, nil 27292 case "open.file.package.version": 27293 return reflect.String, 
nil 27294 case "open.file.path": 27295 return reflect.String, nil 27296 case "open.file.path.length": 27297 return reflect.Int, nil 27298 case "open.file.rights": 27299 return reflect.Int, nil 27300 case "open.file.uid": 27301 return reflect.Int, nil 27302 case "open.file.user": 27303 return reflect.String, nil 27304 case "open.flags": 27305 return reflect.Int, nil 27306 case "open.retval": 27307 return reflect.Int, nil 27308 case "process.ancestors.args": 27309 return reflect.String, nil 27310 case "process.ancestors.args_flags": 27311 return reflect.String, nil 27312 case "process.ancestors.args_options": 27313 return reflect.String, nil 27314 case "process.ancestors.args_truncated": 27315 return reflect.Bool, nil 27316 case "process.ancestors.argv": 27317 return reflect.String, nil 27318 case "process.ancestors.argv0": 27319 return reflect.String, nil 27320 case "process.ancestors.cap_effective": 27321 return reflect.Int, nil 27322 case "process.ancestors.cap_permitted": 27323 return reflect.Int, nil 27324 case "process.ancestors.comm": 27325 return reflect.String, nil 27326 case "process.ancestors.container.id": 27327 return reflect.String, nil 27328 case "process.ancestors.created_at": 27329 return reflect.Int, nil 27330 case "process.ancestors.egid": 27331 return reflect.Int, nil 27332 case "process.ancestors.egroup": 27333 return reflect.String, nil 27334 case "process.ancestors.envp": 27335 return reflect.String, nil 27336 case "process.ancestors.envs": 27337 return reflect.String, nil 27338 case "process.ancestors.envs_truncated": 27339 return reflect.Bool, nil 27340 case "process.ancestors.euid": 27341 return reflect.Int, nil 27342 case "process.ancestors.euser": 27343 return reflect.String, nil 27344 case "process.ancestors.file.change_time": 27345 return reflect.Int, nil 27346 case "process.ancestors.file.filesystem": 27347 return reflect.String, nil 27348 case "process.ancestors.file.gid": 27349 return reflect.Int, nil 27350 case 
"process.ancestors.file.group": 27351 return reflect.String, nil 27352 case "process.ancestors.file.hashes": 27353 return reflect.String, nil 27354 case "process.ancestors.file.in_upper_layer": 27355 return reflect.Bool, nil 27356 case "process.ancestors.file.inode": 27357 return reflect.Int, nil 27358 case "process.ancestors.file.mode": 27359 return reflect.Int, nil 27360 case "process.ancestors.file.modification_time": 27361 return reflect.Int, nil 27362 case "process.ancestors.file.mount_id": 27363 return reflect.Int, nil 27364 case "process.ancestors.file.name": 27365 return reflect.String, nil 27366 case "process.ancestors.file.name.length": 27367 return reflect.Int, nil 27368 case "process.ancestors.file.package.name": 27369 return reflect.String, nil 27370 case "process.ancestors.file.package.source_version": 27371 return reflect.String, nil 27372 case "process.ancestors.file.package.version": 27373 return reflect.String, nil 27374 case "process.ancestors.file.path": 27375 return reflect.String, nil 27376 case "process.ancestors.file.path.length": 27377 return reflect.Int, nil 27378 case "process.ancestors.file.rights": 27379 return reflect.Int, nil 27380 case "process.ancestors.file.uid": 27381 return reflect.Int, nil 27382 case "process.ancestors.file.user": 27383 return reflect.String, nil 27384 case "process.ancestors.fsgid": 27385 return reflect.Int, nil 27386 case "process.ancestors.fsgroup": 27387 return reflect.String, nil 27388 case "process.ancestors.fsuid": 27389 return reflect.Int, nil 27390 case "process.ancestors.fsuser": 27391 return reflect.String, nil 27392 case "process.ancestors.gid": 27393 return reflect.Int, nil 27394 case "process.ancestors.group": 27395 return reflect.String, nil 27396 case "process.ancestors.interpreter.file.change_time": 27397 return reflect.Int, nil 27398 case "process.ancestors.interpreter.file.filesystem": 27399 return reflect.String, nil 27400 case "process.ancestors.interpreter.file.gid": 27401 return 
reflect.Int, nil 27402 case "process.ancestors.interpreter.file.group": 27403 return reflect.String, nil 27404 case "process.ancestors.interpreter.file.hashes": 27405 return reflect.String, nil 27406 case "process.ancestors.interpreter.file.in_upper_layer": 27407 return reflect.Bool, nil 27408 case "process.ancestors.interpreter.file.inode": 27409 return reflect.Int, nil 27410 case "process.ancestors.interpreter.file.mode": 27411 return reflect.Int, nil 27412 case "process.ancestors.interpreter.file.modification_time": 27413 return reflect.Int, nil 27414 case "process.ancestors.interpreter.file.mount_id": 27415 return reflect.Int, nil 27416 case "process.ancestors.interpreter.file.name": 27417 return reflect.String, nil 27418 case "process.ancestors.interpreter.file.name.length": 27419 return reflect.Int, nil 27420 case "process.ancestors.interpreter.file.package.name": 27421 return reflect.String, nil 27422 case "process.ancestors.interpreter.file.package.source_version": 27423 return reflect.String, nil 27424 case "process.ancestors.interpreter.file.package.version": 27425 return reflect.String, nil 27426 case "process.ancestors.interpreter.file.path": 27427 return reflect.String, nil 27428 case "process.ancestors.interpreter.file.path.length": 27429 return reflect.Int, nil 27430 case "process.ancestors.interpreter.file.rights": 27431 return reflect.Int, nil 27432 case "process.ancestors.interpreter.file.uid": 27433 return reflect.Int, nil 27434 case "process.ancestors.interpreter.file.user": 27435 return reflect.String, nil 27436 case "process.ancestors.is_kworker": 27437 return reflect.Bool, nil 27438 case "process.ancestors.is_thread": 27439 return reflect.Bool, nil 27440 case "process.ancestors.pid": 27441 return reflect.Int, nil 27442 case "process.ancestors.ppid": 27443 return reflect.Int, nil 27444 case "process.ancestors.tid": 27445 return reflect.Int, nil 27446 case "process.ancestors.tty_name": 27447 return reflect.String, nil 27448 case 
"process.ancestors.uid": 27449 return reflect.Int, nil 27450 case "process.ancestors.user": 27451 return reflect.String, nil 27452 case "process.ancestors.user_session.k8s_groups": 27453 return reflect.String, nil 27454 case "process.ancestors.user_session.k8s_uid": 27455 return reflect.String, nil 27456 case "process.ancestors.user_session.k8s_username": 27457 return reflect.String, nil 27458 case "process.args": 27459 return reflect.String, nil 27460 case "process.args_flags": 27461 return reflect.String, nil 27462 case "process.args_options": 27463 return reflect.String, nil 27464 case "process.args_truncated": 27465 return reflect.Bool, nil 27466 case "process.argv": 27467 return reflect.String, nil 27468 case "process.argv0": 27469 return reflect.String, nil 27470 case "process.cap_effective": 27471 return reflect.Int, nil 27472 case "process.cap_permitted": 27473 return reflect.Int, nil 27474 case "process.comm": 27475 return reflect.String, nil 27476 case "process.container.id": 27477 return reflect.String, nil 27478 case "process.created_at": 27479 return reflect.Int, nil 27480 case "process.egid": 27481 return reflect.Int, nil 27482 case "process.egroup": 27483 return reflect.String, nil 27484 case "process.envp": 27485 return reflect.String, nil 27486 case "process.envs": 27487 return reflect.String, nil 27488 case "process.envs_truncated": 27489 return reflect.Bool, nil 27490 case "process.euid": 27491 return reflect.Int, nil 27492 case "process.euser": 27493 return reflect.String, nil 27494 case "process.file.change_time": 27495 return reflect.Int, nil 27496 case "process.file.filesystem": 27497 return reflect.String, nil 27498 case "process.file.gid": 27499 return reflect.Int, nil 27500 case "process.file.group": 27501 return reflect.String, nil 27502 case "process.file.hashes": 27503 return reflect.String, nil 27504 case "process.file.in_upper_layer": 27505 return reflect.Bool, nil 27506 case "process.file.inode": 27507 return reflect.Int, nil 27508 
case "process.file.mode": 27509 return reflect.Int, nil 27510 case "process.file.modification_time": 27511 return reflect.Int, nil 27512 case "process.file.mount_id": 27513 return reflect.Int, nil 27514 case "process.file.name": 27515 return reflect.String, nil 27516 case "process.file.name.length": 27517 return reflect.Int, nil 27518 case "process.file.package.name": 27519 return reflect.String, nil 27520 case "process.file.package.source_version": 27521 return reflect.String, nil 27522 case "process.file.package.version": 27523 return reflect.String, nil 27524 case "process.file.path": 27525 return reflect.String, nil 27526 case "process.file.path.length": 27527 return reflect.Int, nil 27528 case "process.file.rights": 27529 return reflect.Int, nil 27530 case "process.file.uid": 27531 return reflect.Int, nil 27532 case "process.file.user": 27533 return reflect.String, nil 27534 case "process.fsgid": 27535 return reflect.Int, nil 27536 case "process.fsgroup": 27537 return reflect.String, nil 27538 case "process.fsuid": 27539 return reflect.Int, nil 27540 case "process.fsuser": 27541 return reflect.String, nil 27542 case "process.gid": 27543 return reflect.Int, nil 27544 case "process.group": 27545 return reflect.String, nil 27546 case "process.interpreter.file.change_time": 27547 return reflect.Int, nil 27548 case "process.interpreter.file.filesystem": 27549 return reflect.String, nil 27550 case "process.interpreter.file.gid": 27551 return reflect.Int, nil 27552 case "process.interpreter.file.group": 27553 return reflect.String, nil 27554 case "process.interpreter.file.hashes": 27555 return reflect.String, nil 27556 case "process.interpreter.file.in_upper_layer": 27557 return reflect.Bool, nil 27558 case "process.interpreter.file.inode": 27559 return reflect.Int, nil 27560 case "process.interpreter.file.mode": 27561 return reflect.Int, nil 27562 case "process.interpreter.file.modification_time": 27563 return reflect.Int, nil 27564 case 
"process.interpreter.file.mount_id": 27565 return reflect.Int, nil 27566 case "process.interpreter.file.name": 27567 return reflect.String, nil 27568 case "process.interpreter.file.name.length": 27569 return reflect.Int, nil 27570 case "process.interpreter.file.package.name": 27571 return reflect.String, nil 27572 case "process.interpreter.file.package.source_version": 27573 return reflect.String, nil 27574 case "process.interpreter.file.package.version": 27575 return reflect.String, nil 27576 case "process.interpreter.file.path": 27577 return reflect.String, nil 27578 case "process.interpreter.file.path.length": 27579 return reflect.Int, nil 27580 case "process.interpreter.file.rights": 27581 return reflect.Int, nil 27582 case "process.interpreter.file.uid": 27583 return reflect.Int, nil 27584 case "process.interpreter.file.user": 27585 return reflect.String, nil 27586 case "process.is_kworker": 27587 return reflect.Bool, nil 27588 case "process.is_thread": 27589 return reflect.Bool, nil 27590 case "process.parent.args": 27591 return reflect.String, nil 27592 case "process.parent.args_flags": 27593 return reflect.String, nil 27594 case "process.parent.args_options": 27595 return reflect.String, nil 27596 case "process.parent.args_truncated": 27597 return reflect.Bool, nil 27598 case "process.parent.argv": 27599 return reflect.String, nil 27600 case "process.parent.argv0": 27601 return reflect.String, nil 27602 case "process.parent.cap_effective": 27603 return reflect.Int, nil 27604 case "process.parent.cap_permitted": 27605 return reflect.Int, nil 27606 case "process.parent.comm": 27607 return reflect.String, nil 27608 case "process.parent.container.id": 27609 return reflect.String, nil 27610 case "process.parent.created_at": 27611 return reflect.Int, nil 27612 case "process.parent.egid": 27613 return reflect.Int, nil 27614 case "process.parent.egroup": 27615 return reflect.String, nil 27616 case "process.parent.envp": 27617 return reflect.String, nil 27618 case 
"process.parent.envs": 27619 return reflect.String, nil 27620 case "process.parent.envs_truncated": 27621 return reflect.Bool, nil 27622 case "process.parent.euid": 27623 return reflect.Int, nil 27624 case "process.parent.euser": 27625 return reflect.String, nil 27626 case "process.parent.file.change_time": 27627 return reflect.Int, nil 27628 case "process.parent.file.filesystem": 27629 return reflect.String, nil 27630 case "process.parent.file.gid": 27631 return reflect.Int, nil 27632 case "process.parent.file.group": 27633 return reflect.String, nil 27634 case "process.parent.file.hashes": 27635 return reflect.String, nil 27636 case "process.parent.file.in_upper_layer": 27637 return reflect.Bool, nil 27638 case "process.parent.file.inode": 27639 return reflect.Int, nil 27640 case "process.parent.file.mode": 27641 return reflect.Int, nil 27642 case "process.parent.file.modification_time": 27643 return reflect.Int, nil 27644 case "process.parent.file.mount_id": 27645 return reflect.Int, nil 27646 case "process.parent.file.name": 27647 return reflect.String, nil 27648 case "process.parent.file.name.length": 27649 return reflect.Int, nil 27650 case "process.parent.file.package.name": 27651 return reflect.String, nil 27652 case "process.parent.file.package.source_version": 27653 return reflect.String, nil 27654 case "process.parent.file.package.version": 27655 return reflect.String, nil 27656 case "process.parent.file.path": 27657 return reflect.String, nil 27658 case "process.parent.file.path.length": 27659 return reflect.Int, nil 27660 case "process.parent.file.rights": 27661 return reflect.Int, nil 27662 case "process.parent.file.uid": 27663 return reflect.Int, nil 27664 case "process.parent.file.user": 27665 return reflect.String, nil 27666 case "process.parent.fsgid": 27667 return reflect.Int, nil 27668 case "process.parent.fsgroup": 27669 return reflect.String, nil 27670 case "process.parent.fsuid": 27671 return reflect.Int, nil 27672 case 
"process.parent.fsuser": 27673 return reflect.String, nil 27674 case "process.parent.gid": 27675 return reflect.Int, nil 27676 case "process.parent.group": 27677 return reflect.String, nil 27678 case "process.parent.interpreter.file.change_time": 27679 return reflect.Int, nil 27680 case "process.parent.interpreter.file.filesystem": 27681 return reflect.String, nil 27682 case "process.parent.interpreter.file.gid": 27683 return reflect.Int, nil 27684 case "process.parent.interpreter.file.group": 27685 return reflect.String, nil 27686 case "process.parent.interpreter.file.hashes": 27687 return reflect.String, nil 27688 case "process.parent.interpreter.file.in_upper_layer": 27689 return reflect.Bool, nil 27690 case "process.parent.interpreter.file.inode": 27691 return reflect.Int, nil 27692 case "process.parent.interpreter.file.mode": 27693 return reflect.Int, nil 27694 case "process.parent.interpreter.file.modification_time": 27695 return reflect.Int, nil 27696 case "process.parent.interpreter.file.mount_id": 27697 return reflect.Int, nil 27698 case "process.parent.interpreter.file.name": 27699 return reflect.String, nil 27700 case "process.parent.interpreter.file.name.length": 27701 return reflect.Int, nil 27702 case "process.parent.interpreter.file.package.name": 27703 return reflect.String, nil 27704 case "process.parent.interpreter.file.package.source_version": 27705 return reflect.String, nil 27706 case "process.parent.interpreter.file.package.version": 27707 return reflect.String, nil 27708 case "process.parent.interpreter.file.path": 27709 return reflect.String, nil 27710 case "process.parent.interpreter.file.path.length": 27711 return reflect.Int, nil 27712 case "process.parent.interpreter.file.rights": 27713 return reflect.Int, nil 27714 case "process.parent.interpreter.file.uid": 27715 return reflect.Int, nil 27716 case "process.parent.interpreter.file.user": 27717 return reflect.String, nil 27718 case "process.parent.is_kworker": 27719 return reflect.Bool, 
nil 27720 case "process.parent.is_thread": 27721 return reflect.Bool, nil 27722 case "process.parent.pid": 27723 return reflect.Int, nil 27724 case "process.parent.ppid": 27725 return reflect.Int, nil 27726 case "process.parent.tid": 27727 return reflect.Int, nil 27728 case "process.parent.tty_name": 27729 return reflect.String, nil 27730 case "process.parent.uid": 27731 return reflect.Int, nil 27732 case "process.parent.user": 27733 return reflect.String, nil 27734 case "process.parent.user_session.k8s_groups": 27735 return reflect.String, nil 27736 case "process.parent.user_session.k8s_uid": 27737 return reflect.String, nil 27738 case "process.parent.user_session.k8s_username": 27739 return reflect.String, nil 27740 case "process.pid": 27741 return reflect.Int, nil 27742 case "process.ppid": 27743 return reflect.Int, nil 27744 case "process.tid": 27745 return reflect.Int, nil 27746 case "process.tty_name": 27747 return reflect.String, nil 27748 case "process.uid": 27749 return reflect.Int, nil 27750 case "process.user": 27751 return reflect.String, nil 27752 case "process.user_session.k8s_groups": 27753 return reflect.String, nil 27754 case "process.user_session.k8s_uid": 27755 return reflect.String, nil 27756 case "process.user_session.k8s_username": 27757 return reflect.String, nil 27758 case "ptrace.request": 27759 return reflect.Int, nil 27760 case "ptrace.retval": 27761 return reflect.Int, nil 27762 case "ptrace.tracee.ancestors.args": 27763 return reflect.String, nil 27764 case "ptrace.tracee.ancestors.args_flags": 27765 return reflect.String, nil 27766 case "ptrace.tracee.ancestors.args_options": 27767 return reflect.String, nil 27768 case "ptrace.tracee.ancestors.args_truncated": 27769 return reflect.Bool, nil 27770 case "ptrace.tracee.ancestors.argv": 27771 return reflect.String, nil 27772 case "ptrace.tracee.ancestors.argv0": 27773 return reflect.String, nil 27774 case "ptrace.tracee.ancestors.cap_effective": 27775 return reflect.Int, nil 27776 case 
"ptrace.tracee.ancestors.cap_permitted": 27777 return reflect.Int, nil 27778 case "ptrace.tracee.ancestors.comm": 27779 return reflect.String, nil 27780 case "ptrace.tracee.ancestors.container.id": 27781 return reflect.String, nil 27782 case "ptrace.tracee.ancestors.created_at": 27783 return reflect.Int, nil 27784 case "ptrace.tracee.ancestors.egid": 27785 return reflect.Int, nil 27786 case "ptrace.tracee.ancestors.egroup": 27787 return reflect.String, nil 27788 case "ptrace.tracee.ancestors.envp": 27789 return reflect.String, nil 27790 case "ptrace.tracee.ancestors.envs": 27791 return reflect.String, nil 27792 case "ptrace.tracee.ancestors.envs_truncated": 27793 return reflect.Bool, nil 27794 case "ptrace.tracee.ancestors.euid": 27795 return reflect.Int, nil 27796 case "ptrace.tracee.ancestors.euser": 27797 return reflect.String, nil 27798 case "ptrace.tracee.ancestors.file.change_time": 27799 return reflect.Int, nil 27800 case "ptrace.tracee.ancestors.file.filesystem": 27801 return reflect.String, nil 27802 case "ptrace.tracee.ancestors.file.gid": 27803 return reflect.Int, nil 27804 case "ptrace.tracee.ancestors.file.group": 27805 return reflect.String, nil 27806 case "ptrace.tracee.ancestors.file.hashes": 27807 return reflect.String, nil 27808 case "ptrace.tracee.ancestors.file.in_upper_layer": 27809 return reflect.Bool, nil 27810 case "ptrace.tracee.ancestors.file.inode": 27811 return reflect.Int, nil 27812 case "ptrace.tracee.ancestors.file.mode": 27813 return reflect.Int, nil 27814 case "ptrace.tracee.ancestors.file.modification_time": 27815 return reflect.Int, nil 27816 case "ptrace.tracee.ancestors.file.mount_id": 27817 return reflect.Int, nil 27818 case "ptrace.tracee.ancestors.file.name": 27819 return reflect.String, nil 27820 case "ptrace.tracee.ancestors.file.name.length": 27821 return reflect.Int, nil 27822 case "ptrace.tracee.ancestors.file.package.name": 27823 return reflect.String, nil 27824 case 
"ptrace.tracee.ancestors.file.package.source_version": 27825 return reflect.String, nil 27826 case "ptrace.tracee.ancestors.file.package.version": 27827 return reflect.String, nil 27828 case "ptrace.tracee.ancestors.file.path": 27829 return reflect.String, nil 27830 case "ptrace.tracee.ancestors.file.path.length": 27831 return reflect.Int, nil 27832 case "ptrace.tracee.ancestors.file.rights": 27833 return reflect.Int, nil 27834 case "ptrace.tracee.ancestors.file.uid": 27835 return reflect.Int, nil 27836 case "ptrace.tracee.ancestors.file.user": 27837 return reflect.String, nil 27838 case "ptrace.tracee.ancestors.fsgid": 27839 return reflect.Int, nil 27840 case "ptrace.tracee.ancestors.fsgroup": 27841 return reflect.String, nil 27842 case "ptrace.tracee.ancestors.fsuid": 27843 return reflect.Int, nil 27844 case "ptrace.tracee.ancestors.fsuser": 27845 return reflect.String, nil 27846 case "ptrace.tracee.ancestors.gid": 27847 return reflect.Int, nil 27848 case "ptrace.tracee.ancestors.group": 27849 return reflect.String, nil 27850 case "ptrace.tracee.ancestors.interpreter.file.change_time": 27851 return reflect.Int, nil 27852 case "ptrace.tracee.ancestors.interpreter.file.filesystem": 27853 return reflect.String, nil 27854 case "ptrace.tracee.ancestors.interpreter.file.gid": 27855 return reflect.Int, nil 27856 case "ptrace.tracee.ancestors.interpreter.file.group": 27857 return reflect.String, nil 27858 case "ptrace.tracee.ancestors.interpreter.file.hashes": 27859 return reflect.String, nil 27860 case "ptrace.tracee.ancestors.interpreter.file.in_upper_layer": 27861 return reflect.Bool, nil 27862 case "ptrace.tracee.ancestors.interpreter.file.inode": 27863 return reflect.Int, nil 27864 case "ptrace.tracee.ancestors.interpreter.file.mode": 27865 return reflect.Int, nil 27866 case "ptrace.tracee.ancestors.interpreter.file.modification_time": 27867 return reflect.Int, nil 27868 case "ptrace.tracee.ancestors.interpreter.file.mount_id": 27869 return reflect.Int, nil 27870 
case "ptrace.tracee.ancestors.interpreter.file.name": 27871 return reflect.String, nil 27872 case "ptrace.tracee.ancestors.interpreter.file.name.length": 27873 return reflect.Int, nil 27874 case "ptrace.tracee.ancestors.interpreter.file.package.name": 27875 return reflect.String, nil 27876 case "ptrace.tracee.ancestors.interpreter.file.package.source_version": 27877 return reflect.String, nil 27878 case "ptrace.tracee.ancestors.interpreter.file.package.version": 27879 return reflect.String, nil 27880 case "ptrace.tracee.ancestors.interpreter.file.path": 27881 return reflect.String, nil 27882 case "ptrace.tracee.ancestors.interpreter.file.path.length": 27883 return reflect.Int, nil 27884 case "ptrace.tracee.ancestors.interpreter.file.rights": 27885 return reflect.Int, nil 27886 case "ptrace.tracee.ancestors.interpreter.file.uid": 27887 return reflect.Int, nil 27888 case "ptrace.tracee.ancestors.interpreter.file.user": 27889 return reflect.String, nil 27890 case "ptrace.tracee.ancestors.is_kworker": 27891 return reflect.Bool, nil 27892 case "ptrace.tracee.ancestors.is_thread": 27893 return reflect.Bool, nil 27894 case "ptrace.tracee.ancestors.pid": 27895 return reflect.Int, nil 27896 case "ptrace.tracee.ancestors.ppid": 27897 return reflect.Int, nil 27898 case "ptrace.tracee.ancestors.tid": 27899 return reflect.Int, nil 27900 case "ptrace.tracee.ancestors.tty_name": 27901 return reflect.String, nil 27902 case "ptrace.tracee.ancestors.uid": 27903 return reflect.Int, nil 27904 case "ptrace.tracee.ancestors.user": 27905 return reflect.String, nil 27906 case "ptrace.tracee.ancestors.user_session.k8s_groups": 27907 return reflect.String, nil 27908 case "ptrace.tracee.ancestors.user_session.k8s_uid": 27909 return reflect.String, nil 27910 case "ptrace.tracee.ancestors.user_session.k8s_username": 27911 return reflect.String, nil 27912 case "ptrace.tracee.args": 27913 return reflect.String, nil 27914 case "ptrace.tracee.args_flags": 27915 return reflect.String, nil 27916 
case "ptrace.tracee.args_options": 27917 return reflect.String, nil 27918 case "ptrace.tracee.args_truncated": 27919 return reflect.Bool, nil 27920 case "ptrace.tracee.argv": 27921 return reflect.String, nil 27922 case "ptrace.tracee.argv0": 27923 return reflect.String, nil 27924 case "ptrace.tracee.cap_effective": 27925 return reflect.Int, nil 27926 case "ptrace.tracee.cap_permitted": 27927 return reflect.Int, nil 27928 case "ptrace.tracee.comm": 27929 return reflect.String, nil 27930 case "ptrace.tracee.container.id": 27931 return reflect.String, nil 27932 case "ptrace.tracee.created_at": 27933 return reflect.Int, nil 27934 case "ptrace.tracee.egid": 27935 return reflect.Int, nil 27936 case "ptrace.tracee.egroup": 27937 return reflect.String, nil 27938 case "ptrace.tracee.envp": 27939 return reflect.String, nil 27940 case "ptrace.tracee.envs": 27941 return reflect.String, nil 27942 case "ptrace.tracee.envs_truncated": 27943 return reflect.Bool, nil 27944 case "ptrace.tracee.euid": 27945 return reflect.Int, nil 27946 case "ptrace.tracee.euser": 27947 return reflect.String, nil 27948 case "ptrace.tracee.file.change_time": 27949 return reflect.Int, nil 27950 case "ptrace.tracee.file.filesystem": 27951 return reflect.String, nil 27952 case "ptrace.tracee.file.gid": 27953 return reflect.Int, nil 27954 case "ptrace.tracee.file.group": 27955 return reflect.String, nil 27956 case "ptrace.tracee.file.hashes": 27957 return reflect.String, nil 27958 case "ptrace.tracee.file.in_upper_layer": 27959 return reflect.Bool, nil 27960 case "ptrace.tracee.file.inode": 27961 return reflect.Int, nil 27962 case "ptrace.tracee.file.mode": 27963 return reflect.Int, nil 27964 case "ptrace.tracee.file.modification_time": 27965 return reflect.Int, nil 27966 case "ptrace.tracee.file.mount_id": 27967 return reflect.Int, nil 27968 case "ptrace.tracee.file.name": 27969 return reflect.String, nil 27970 case "ptrace.tracee.file.name.length": 27971 return reflect.Int, nil 27972 case 
"ptrace.tracee.file.package.name": 27973 return reflect.String, nil 27974 case "ptrace.tracee.file.package.source_version": 27975 return reflect.String, nil 27976 case "ptrace.tracee.file.package.version": 27977 return reflect.String, nil 27978 case "ptrace.tracee.file.path": 27979 return reflect.String, nil 27980 case "ptrace.tracee.file.path.length": 27981 return reflect.Int, nil 27982 case "ptrace.tracee.file.rights": 27983 return reflect.Int, nil 27984 case "ptrace.tracee.file.uid": 27985 return reflect.Int, nil 27986 case "ptrace.tracee.file.user": 27987 return reflect.String, nil 27988 case "ptrace.tracee.fsgid": 27989 return reflect.Int, nil 27990 case "ptrace.tracee.fsgroup": 27991 return reflect.String, nil 27992 case "ptrace.tracee.fsuid": 27993 return reflect.Int, nil 27994 case "ptrace.tracee.fsuser": 27995 return reflect.String, nil 27996 case "ptrace.tracee.gid": 27997 return reflect.Int, nil 27998 case "ptrace.tracee.group": 27999 return reflect.String, nil 28000 case "ptrace.tracee.interpreter.file.change_time": 28001 return reflect.Int, nil 28002 case "ptrace.tracee.interpreter.file.filesystem": 28003 return reflect.String, nil 28004 case "ptrace.tracee.interpreter.file.gid": 28005 return reflect.Int, nil 28006 case "ptrace.tracee.interpreter.file.group": 28007 return reflect.String, nil 28008 case "ptrace.tracee.interpreter.file.hashes": 28009 return reflect.String, nil 28010 case "ptrace.tracee.interpreter.file.in_upper_layer": 28011 return reflect.Bool, nil 28012 case "ptrace.tracee.interpreter.file.inode": 28013 return reflect.Int, nil 28014 case "ptrace.tracee.interpreter.file.mode": 28015 return reflect.Int, nil 28016 case "ptrace.tracee.interpreter.file.modification_time": 28017 return reflect.Int, nil 28018 case "ptrace.tracee.interpreter.file.mount_id": 28019 return reflect.Int, nil 28020 case "ptrace.tracee.interpreter.file.name": 28021 return reflect.String, nil 28022 case "ptrace.tracee.interpreter.file.name.length": 28023 return 
reflect.Int, nil 28024 case "ptrace.tracee.interpreter.file.package.name": 28025 return reflect.String, nil 28026 case "ptrace.tracee.interpreter.file.package.source_version": 28027 return reflect.String, nil 28028 case "ptrace.tracee.interpreter.file.package.version": 28029 return reflect.String, nil 28030 case "ptrace.tracee.interpreter.file.path": 28031 return reflect.String, nil 28032 case "ptrace.tracee.interpreter.file.path.length": 28033 return reflect.Int, nil 28034 case "ptrace.tracee.interpreter.file.rights": 28035 return reflect.Int, nil 28036 case "ptrace.tracee.interpreter.file.uid": 28037 return reflect.Int, nil 28038 case "ptrace.tracee.interpreter.file.user": 28039 return reflect.String, nil 28040 case "ptrace.tracee.is_kworker": 28041 return reflect.Bool, nil 28042 case "ptrace.tracee.is_thread": 28043 return reflect.Bool, nil 28044 case "ptrace.tracee.parent.args": 28045 return reflect.String, nil 28046 case "ptrace.tracee.parent.args_flags": 28047 return reflect.String, nil 28048 case "ptrace.tracee.parent.args_options": 28049 return reflect.String, nil 28050 case "ptrace.tracee.parent.args_truncated": 28051 return reflect.Bool, nil 28052 case "ptrace.tracee.parent.argv": 28053 return reflect.String, nil 28054 case "ptrace.tracee.parent.argv0": 28055 return reflect.String, nil 28056 case "ptrace.tracee.parent.cap_effective": 28057 return reflect.Int, nil 28058 case "ptrace.tracee.parent.cap_permitted": 28059 return reflect.Int, nil 28060 case "ptrace.tracee.parent.comm": 28061 return reflect.String, nil 28062 case "ptrace.tracee.parent.container.id": 28063 return reflect.String, nil 28064 case "ptrace.tracee.parent.created_at": 28065 return reflect.Int, nil 28066 case "ptrace.tracee.parent.egid": 28067 return reflect.Int, nil 28068 case "ptrace.tracee.parent.egroup": 28069 return reflect.String, nil 28070 case "ptrace.tracee.parent.envp": 28071 return reflect.String, nil 28072 case "ptrace.tracee.parent.envs": 28073 return reflect.String, nil 
28074 case "ptrace.tracee.parent.envs_truncated": 28075 return reflect.Bool, nil 28076 case "ptrace.tracee.parent.euid": 28077 return reflect.Int, nil 28078 case "ptrace.tracee.parent.euser": 28079 return reflect.String, nil 28080 case "ptrace.tracee.parent.file.change_time": 28081 return reflect.Int, nil 28082 case "ptrace.tracee.parent.file.filesystem": 28083 return reflect.String, nil 28084 case "ptrace.tracee.parent.file.gid": 28085 return reflect.Int, nil 28086 case "ptrace.tracee.parent.file.group": 28087 return reflect.String, nil 28088 case "ptrace.tracee.parent.file.hashes": 28089 return reflect.String, nil 28090 case "ptrace.tracee.parent.file.in_upper_layer": 28091 return reflect.Bool, nil 28092 case "ptrace.tracee.parent.file.inode": 28093 return reflect.Int, nil 28094 case "ptrace.tracee.parent.file.mode": 28095 return reflect.Int, nil 28096 case "ptrace.tracee.parent.file.modification_time": 28097 return reflect.Int, nil 28098 case "ptrace.tracee.parent.file.mount_id": 28099 return reflect.Int, nil 28100 case "ptrace.tracee.parent.file.name": 28101 return reflect.String, nil 28102 case "ptrace.tracee.parent.file.name.length": 28103 return reflect.Int, nil 28104 case "ptrace.tracee.parent.file.package.name": 28105 return reflect.String, nil 28106 case "ptrace.tracee.parent.file.package.source_version": 28107 return reflect.String, nil 28108 case "ptrace.tracee.parent.file.package.version": 28109 return reflect.String, nil 28110 case "ptrace.tracee.parent.file.path": 28111 return reflect.String, nil 28112 case "ptrace.tracee.parent.file.path.length": 28113 return reflect.Int, nil 28114 case "ptrace.tracee.parent.file.rights": 28115 return reflect.Int, nil 28116 case "ptrace.tracee.parent.file.uid": 28117 return reflect.Int, nil 28118 case "ptrace.tracee.parent.file.user": 28119 return reflect.String, nil 28120 case "ptrace.tracee.parent.fsgid": 28121 return reflect.Int, nil 28122 case "ptrace.tracee.parent.fsgroup": 28123 return reflect.String, nil 
28124 case "ptrace.tracee.parent.fsuid": 28125 return reflect.Int, nil 28126 case "ptrace.tracee.parent.fsuser": 28127 return reflect.String, nil 28128 case "ptrace.tracee.parent.gid": 28129 return reflect.Int, nil 28130 case "ptrace.tracee.parent.group": 28131 return reflect.String, nil 28132 case "ptrace.tracee.parent.interpreter.file.change_time": 28133 return reflect.Int, nil 28134 case "ptrace.tracee.parent.interpreter.file.filesystem": 28135 return reflect.String, nil 28136 case "ptrace.tracee.parent.interpreter.file.gid": 28137 return reflect.Int, nil 28138 case "ptrace.tracee.parent.interpreter.file.group": 28139 return reflect.String, nil 28140 case "ptrace.tracee.parent.interpreter.file.hashes": 28141 return reflect.String, nil 28142 case "ptrace.tracee.parent.interpreter.file.in_upper_layer": 28143 return reflect.Bool, nil 28144 case "ptrace.tracee.parent.interpreter.file.inode": 28145 return reflect.Int, nil 28146 case "ptrace.tracee.parent.interpreter.file.mode": 28147 return reflect.Int, nil 28148 case "ptrace.tracee.parent.interpreter.file.modification_time": 28149 return reflect.Int, nil 28150 case "ptrace.tracee.parent.interpreter.file.mount_id": 28151 return reflect.Int, nil 28152 case "ptrace.tracee.parent.interpreter.file.name": 28153 return reflect.String, nil 28154 case "ptrace.tracee.parent.interpreter.file.name.length": 28155 return reflect.Int, nil 28156 case "ptrace.tracee.parent.interpreter.file.package.name": 28157 return reflect.String, nil 28158 case "ptrace.tracee.parent.interpreter.file.package.source_version": 28159 return reflect.String, nil 28160 case "ptrace.tracee.parent.interpreter.file.package.version": 28161 return reflect.String, nil 28162 case "ptrace.tracee.parent.interpreter.file.path": 28163 return reflect.String, nil 28164 case "ptrace.tracee.parent.interpreter.file.path.length": 28165 return reflect.Int, nil 28166 case "ptrace.tracee.parent.interpreter.file.rights": 28167 return reflect.Int, nil 28168 case 
"ptrace.tracee.parent.interpreter.file.uid": 28169 return reflect.Int, nil 28170 case "ptrace.tracee.parent.interpreter.file.user": 28171 return reflect.String, nil 28172 case "ptrace.tracee.parent.is_kworker": 28173 return reflect.Bool, nil 28174 case "ptrace.tracee.parent.is_thread": 28175 return reflect.Bool, nil 28176 case "ptrace.tracee.parent.pid": 28177 return reflect.Int, nil 28178 case "ptrace.tracee.parent.ppid": 28179 return reflect.Int, nil 28180 case "ptrace.tracee.parent.tid": 28181 return reflect.Int, nil 28182 case "ptrace.tracee.parent.tty_name": 28183 return reflect.String, nil 28184 case "ptrace.tracee.parent.uid": 28185 return reflect.Int, nil 28186 case "ptrace.tracee.parent.user": 28187 return reflect.String, nil 28188 case "ptrace.tracee.parent.user_session.k8s_groups": 28189 return reflect.String, nil 28190 case "ptrace.tracee.parent.user_session.k8s_uid": 28191 return reflect.String, nil 28192 case "ptrace.tracee.parent.user_session.k8s_username": 28193 return reflect.String, nil 28194 case "ptrace.tracee.pid": 28195 return reflect.Int, nil 28196 case "ptrace.tracee.ppid": 28197 return reflect.Int, nil 28198 case "ptrace.tracee.tid": 28199 return reflect.Int, nil 28200 case "ptrace.tracee.tty_name": 28201 return reflect.String, nil 28202 case "ptrace.tracee.uid": 28203 return reflect.Int, nil 28204 case "ptrace.tracee.user": 28205 return reflect.String, nil 28206 case "ptrace.tracee.user_session.k8s_groups": 28207 return reflect.String, nil 28208 case "ptrace.tracee.user_session.k8s_uid": 28209 return reflect.String, nil 28210 case "ptrace.tracee.user_session.k8s_username": 28211 return reflect.String, nil 28212 case "removexattr.file.change_time": 28213 return reflect.Int, nil 28214 case "removexattr.file.destination.name": 28215 return reflect.String, nil 28216 case "removexattr.file.destination.namespace": 28217 return reflect.String, nil 28218 case "removexattr.file.filesystem": 28219 return reflect.String, nil 28220 case 
"removexattr.file.gid": 28221 return reflect.Int, nil 28222 case "removexattr.file.group": 28223 return reflect.String, nil 28224 case "removexattr.file.hashes": 28225 return reflect.String, nil 28226 case "removexattr.file.in_upper_layer": 28227 return reflect.Bool, nil 28228 case "removexattr.file.inode": 28229 return reflect.Int, nil 28230 case "removexattr.file.mode": 28231 return reflect.Int, nil 28232 case "removexattr.file.modification_time": 28233 return reflect.Int, nil 28234 case "removexattr.file.mount_id": 28235 return reflect.Int, nil 28236 case "removexattr.file.name": 28237 return reflect.String, nil 28238 case "removexattr.file.name.length": 28239 return reflect.Int, nil 28240 case "removexattr.file.package.name": 28241 return reflect.String, nil 28242 case "removexattr.file.package.source_version": 28243 return reflect.String, nil 28244 case "removexattr.file.package.version": 28245 return reflect.String, nil 28246 case "removexattr.file.path": 28247 return reflect.String, nil 28248 case "removexattr.file.path.length": 28249 return reflect.Int, nil 28250 case "removexattr.file.rights": 28251 return reflect.Int, nil 28252 case "removexattr.file.uid": 28253 return reflect.Int, nil 28254 case "removexattr.file.user": 28255 return reflect.String, nil 28256 case "removexattr.retval": 28257 return reflect.Int, nil 28258 case "rename.file.change_time": 28259 return reflect.Int, nil 28260 case "rename.file.destination.change_time": 28261 return reflect.Int, nil 28262 case "rename.file.destination.filesystem": 28263 return reflect.String, nil 28264 case "rename.file.destination.gid": 28265 return reflect.Int, nil 28266 case "rename.file.destination.group": 28267 return reflect.String, nil 28268 case "rename.file.destination.hashes": 28269 return reflect.String, nil 28270 case "rename.file.destination.in_upper_layer": 28271 return reflect.Bool, nil 28272 case "rename.file.destination.inode": 28273 return reflect.Int, nil 28274 case 
"rename.file.destination.mode": 28275 return reflect.Int, nil 28276 case "rename.file.destination.modification_time": 28277 return reflect.Int, nil 28278 case "rename.file.destination.mount_id": 28279 return reflect.Int, nil 28280 case "rename.file.destination.name": 28281 return reflect.String, nil 28282 case "rename.file.destination.name.length": 28283 return reflect.Int, nil 28284 case "rename.file.destination.package.name": 28285 return reflect.String, nil 28286 case "rename.file.destination.package.source_version": 28287 return reflect.String, nil 28288 case "rename.file.destination.package.version": 28289 return reflect.String, nil 28290 case "rename.file.destination.path": 28291 return reflect.String, nil 28292 case "rename.file.destination.path.length": 28293 return reflect.Int, nil 28294 case "rename.file.destination.rights": 28295 return reflect.Int, nil 28296 case "rename.file.destination.uid": 28297 return reflect.Int, nil 28298 case "rename.file.destination.user": 28299 return reflect.String, nil 28300 case "rename.file.filesystem": 28301 return reflect.String, nil 28302 case "rename.file.gid": 28303 return reflect.Int, nil 28304 case "rename.file.group": 28305 return reflect.String, nil 28306 case "rename.file.hashes": 28307 return reflect.String, nil 28308 case "rename.file.in_upper_layer": 28309 return reflect.Bool, nil 28310 case "rename.file.inode": 28311 return reflect.Int, nil 28312 case "rename.file.mode": 28313 return reflect.Int, nil 28314 case "rename.file.modification_time": 28315 return reflect.Int, nil 28316 case "rename.file.mount_id": 28317 return reflect.Int, nil 28318 case "rename.file.name": 28319 return reflect.String, nil 28320 case "rename.file.name.length": 28321 return reflect.Int, nil 28322 case "rename.file.package.name": 28323 return reflect.String, nil 28324 case "rename.file.package.source_version": 28325 return reflect.String, nil 28326 case "rename.file.package.version": 28327 return reflect.String, nil 28328 case 
"rename.file.path": 28329 return reflect.String, nil 28330 case "rename.file.path.length": 28331 return reflect.Int, nil 28332 case "rename.file.rights": 28333 return reflect.Int, nil 28334 case "rename.file.uid": 28335 return reflect.Int, nil 28336 case "rename.file.user": 28337 return reflect.String, nil 28338 case "rename.retval": 28339 return reflect.Int, nil 28340 case "rmdir.file.change_time": 28341 return reflect.Int, nil 28342 case "rmdir.file.filesystem": 28343 return reflect.String, nil 28344 case "rmdir.file.gid": 28345 return reflect.Int, nil 28346 case "rmdir.file.group": 28347 return reflect.String, nil 28348 case "rmdir.file.hashes": 28349 return reflect.String, nil 28350 case "rmdir.file.in_upper_layer": 28351 return reflect.Bool, nil 28352 case "rmdir.file.inode": 28353 return reflect.Int, nil 28354 case "rmdir.file.mode": 28355 return reflect.Int, nil 28356 case "rmdir.file.modification_time": 28357 return reflect.Int, nil 28358 case "rmdir.file.mount_id": 28359 return reflect.Int, nil 28360 case "rmdir.file.name": 28361 return reflect.String, nil 28362 case "rmdir.file.name.length": 28363 return reflect.Int, nil 28364 case "rmdir.file.package.name": 28365 return reflect.String, nil 28366 case "rmdir.file.package.source_version": 28367 return reflect.String, nil 28368 case "rmdir.file.package.version": 28369 return reflect.String, nil 28370 case "rmdir.file.path": 28371 return reflect.String, nil 28372 case "rmdir.file.path.length": 28373 return reflect.Int, nil 28374 case "rmdir.file.rights": 28375 return reflect.Int, nil 28376 case "rmdir.file.uid": 28377 return reflect.Int, nil 28378 case "rmdir.file.user": 28379 return reflect.String, nil 28380 case "rmdir.retval": 28381 return reflect.Int, nil 28382 case "selinux.bool.name": 28383 return reflect.String, nil 28384 case "selinux.bool.state": 28385 return reflect.String, nil 28386 case "selinux.bool_commit.state": 28387 return reflect.Bool, nil 28388 case "selinux.enforce.status": 28389 return 
reflect.String, nil 28390 case "setgid.egid": 28391 return reflect.Int, nil 28392 case "setgid.egroup": 28393 return reflect.String, nil 28394 case "setgid.fsgid": 28395 return reflect.Int, nil 28396 case "setgid.fsgroup": 28397 return reflect.String, nil 28398 case "setgid.gid": 28399 return reflect.Int, nil 28400 case "setgid.group": 28401 return reflect.String, nil 28402 case "setuid.euid": 28403 return reflect.Int, nil 28404 case "setuid.euser": 28405 return reflect.String, nil 28406 case "setuid.fsuid": 28407 return reflect.Int, nil 28408 case "setuid.fsuser": 28409 return reflect.String, nil 28410 case "setuid.uid": 28411 return reflect.Int, nil 28412 case "setuid.user": 28413 return reflect.String, nil 28414 case "setxattr.file.change_time": 28415 return reflect.Int, nil 28416 case "setxattr.file.destination.name": 28417 return reflect.String, nil 28418 case "setxattr.file.destination.namespace": 28419 return reflect.String, nil 28420 case "setxattr.file.filesystem": 28421 return reflect.String, nil 28422 case "setxattr.file.gid": 28423 return reflect.Int, nil 28424 case "setxattr.file.group": 28425 return reflect.String, nil 28426 case "setxattr.file.hashes": 28427 return reflect.String, nil 28428 case "setxattr.file.in_upper_layer": 28429 return reflect.Bool, nil 28430 case "setxattr.file.inode": 28431 return reflect.Int, nil 28432 case "setxattr.file.mode": 28433 return reflect.Int, nil 28434 case "setxattr.file.modification_time": 28435 return reflect.Int, nil 28436 case "setxattr.file.mount_id": 28437 return reflect.Int, nil 28438 case "setxattr.file.name": 28439 return reflect.String, nil 28440 case "setxattr.file.name.length": 28441 return reflect.Int, nil 28442 case "setxattr.file.package.name": 28443 return reflect.String, nil 28444 case "setxattr.file.package.source_version": 28445 return reflect.String, nil 28446 case "setxattr.file.package.version": 28447 return reflect.String, nil 28448 case "setxattr.file.path": 28449 return reflect.String, nil 
28450 case "setxattr.file.path.length": 28451 return reflect.Int, nil 28452 case "setxattr.file.rights": 28453 return reflect.Int, nil 28454 case "setxattr.file.uid": 28455 return reflect.Int, nil 28456 case "setxattr.file.user": 28457 return reflect.String, nil 28458 case "setxattr.retval": 28459 return reflect.Int, nil 28460 case "signal.pid": 28461 return reflect.Int, nil 28462 case "signal.retval": 28463 return reflect.Int, nil 28464 case "signal.target.ancestors.args": 28465 return reflect.String, nil 28466 case "signal.target.ancestors.args_flags": 28467 return reflect.String, nil 28468 case "signal.target.ancestors.args_options": 28469 return reflect.String, nil 28470 case "signal.target.ancestors.args_truncated": 28471 return reflect.Bool, nil 28472 case "signal.target.ancestors.argv": 28473 return reflect.String, nil 28474 case "signal.target.ancestors.argv0": 28475 return reflect.String, nil 28476 case "signal.target.ancestors.cap_effective": 28477 return reflect.Int, nil 28478 case "signal.target.ancestors.cap_permitted": 28479 return reflect.Int, nil 28480 case "signal.target.ancestors.comm": 28481 return reflect.String, nil 28482 case "signal.target.ancestors.container.id": 28483 return reflect.String, nil 28484 case "signal.target.ancestors.created_at": 28485 return reflect.Int, nil 28486 case "signal.target.ancestors.egid": 28487 return reflect.Int, nil 28488 case "signal.target.ancestors.egroup": 28489 return reflect.String, nil 28490 case "signal.target.ancestors.envp": 28491 return reflect.String, nil 28492 case "signal.target.ancestors.envs": 28493 return reflect.String, nil 28494 case "signal.target.ancestors.envs_truncated": 28495 return reflect.Bool, nil 28496 case "signal.target.ancestors.euid": 28497 return reflect.Int, nil 28498 case "signal.target.ancestors.euser": 28499 return reflect.String, nil 28500 case "signal.target.ancestors.file.change_time": 28501 return reflect.Int, nil 28502 case "signal.target.ancestors.file.filesystem": 28503 
return reflect.String, nil 28504 case "signal.target.ancestors.file.gid": 28505 return reflect.Int, nil 28506 case "signal.target.ancestors.file.group": 28507 return reflect.String, nil 28508 case "signal.target.ancestors.file.hashes": 28509 return reflect.String, nil 28510 case "signal.target.ancestors.file.in_upper_layer": 28511 return reflect.Bool, nil 28512 case "signal.target.ancestors.file.inode": 28513 return reflect.Int, nil 28514 case "signal.target.ancestors.file.mode": 28515 return reflect.Int, nil 28516 case "signal.target.ancestors.file.modification_time": 28517 return reflect.Int, nil 28518 case "signal.target.ancestors.file.mount_id": 28519 return reflect.Int, nil 28520 case "signal.target.ancestors.file.name": 28521 return reflect.String, nil 28522 case "signal.target.ancestors.file.name.length": 28523 return reflect.Int, nil 28524 case "signal.target.ancestors.file.package.name": 28525 return reflect.String, nil 28526 case "signal.target.ancestors.file.package.source_version": 28527 return reflect.String, nil 28528 case "signal.target.ancestors.file.package.version": 28529 return reflect.String, nil 28530 case "signal.target.ancestors.file.path": 28531 return reflect.String, nil 28532 case "signal.target.ancestors.file.path.length": 28533 return reflect.Int, nil 28534 case "signal.target.ancestors.file.rights": 28535 return reflect.Int, nil 28536 case "signal.target.ancestors.file.uid": 28537 return reflect.Int, nil 28538 case "signal.target.ancestors.file.user": 28539 return reflect.String, nil 28540 case "signal.target.ancestors.fsgid": 28541 return reflect.Int, nil 28542 case "signal.target.ancestors.fsgroup": 28543 return reflect.String, nil 28544 case "signal.target.ancestors.fsuid": 28545 return reflect.Int, nil 28546 case "signal.target.ancestors.fsuser": 28547 return reflect.String, nil 28548 case "signal.target.ancestors.gid": 28549 return reflect.Int, nil 28550 case "signal.target.ancestors.group": 28551 return reflect.String, nil 28552 
case "signal.target.ancestors.interpreter.file.change_time": 28553 return reflect.Int, nil 28554 case "signal.target.ancestors.interpreter.file.filesystem": 28555 return reflect.String, nil 28556 case "signal.target.ancestors.interpreter.file.gid": 28557 return reflect.Int, nil 28558 case "signal.target.ancestors.interpreter.file.group": 28559 return reflect.String, nil 28560 case "signal.target.ancestors.interpreter.file.hashes": 28561 return reflect.String, nil 28562 case "signal.target.ancestors.interpreter.file.in_upper_layer": 28563 return reflect.Bool, nil 28564 case "signal.target.ancestors.interpreter.file.inode": 28565 return reflect.Int, nil 28566 case "signal.target.ancestors.interpreter.file.mode": 28567 return reflect.Int, nil 28568 case "signal.target.ancestors.interpreter.file.modification_time": 28569 return reflect.Int, nil 28570 case "signal.target.ancestors.interpreter.file.mount_id": 28571 return reflect.Int, nil 28572 case "signal.target.ancestors.interpreter.file.name": 28573 return reflect.String, nil 28574 case "signal.target.ancestors.interpreter.file.name.length": 28575 return reflect.Int, nil 28576 case "signal.target.ancestors.interpreter.file.package.name": 28577 return reflect.String, nil 28578 case "signal.target.ancestors.interpreter.file.package.source_version": 28579 return reflect.String, nil 28580 case "signal.target.ancestors.interpreter.file.package.version": 28581 return reflect.String, nil 28582 case "signal.target.ancestors.interpreter.file.path": 28583 return reflect.String, nil 28584 case "signal.target.ancestors.interpreter.file.path.length": 28585 return reflect.Int, nil 28586 case "signal.target.ancestors.interpreter.file.rights": 28587 return reflect.Int, nil 28588 case "signal.target.ancestors.interpreter.file.uid": 28589 return reflect.Int, nil 28590 case "signal.target.ancestors.interpreter.file.user": 28591 return reflect.String, nil 28592 case "signal.target.ancestors.is_kworker": 28593 return reflect.Bool, nil 
28594 case "signal.target.ancestors.is_thread": 28595 return reflect.Bool, nil 28596 case "signal.target.ancestors.pid": 28597 return reflect.Int, nil 28598 case "signal.target.ancestors.ppid": 28599 return reflect.Int, nil 28600 case "signal.target.ancestors.tid": 28601 return reflect.Int, nil 28602 case "signal.target.ancestors.tty_name": 28603 return reflect.String, nil 28604 case "signal.target.ancestors.uid": 28605 return reflect.Int, nil 28606 case "signal.target.ancestors.user": 28607 return reflect.String, nil 28608 case "signal.target.ancestors.user_session.k8s_groups": 28609 return reflect.String, nil 28610 case "signal.target.ancestors.user_session.k8s_uid": 28611 return reflect.String, nil 28612 case "signal.target.ancestors.user_session.k8s_username": 28613 return reflect.String, nil 28614 case "signal.target.args": 28615 return reflect.String, nil 28616 case "signal.target.args_flags": 28617 return reflect.String, nil 28618 case "signal.target.args_options": 28619 return reflect.String, nil 28620 case "signal.target.args_truncated": 28621 return reflect.Bool, nil 28622 case "signal.target.argv": 28623 return reflect.String, nil 28624 case "signal.target.argv0": 28625 return reflect.String, nil 28626 case "signal.target.cap_effective": 28627 return reflect.Int, nil 28628 case "signal.target.cap_permitted": 28629 return reflect.Int, nil 28630 case "signal.target.comm": 28631 return reflect.String, nil 28632 case "signal.target.container.id": 28633 return reflect.String, nil 28634 case "signal.target.created_at": 28635 return reflect.Int, nil 28636 case "signal.target.egid": 28637 return reflect.Int, nil 28638 case "signal.target.egroup": 28639 return reflect.String, nil 28640 case "signal.target.envp": 28641 return reflect.String, nil 28642 case "signal.target.envs": 28643 return reflect.String, nil 28644 case "signal.target.envs_truncated": 28645 return reflect.Bool, nil 28646 case "signal.target.euid": 28647 return reflect.Int, nil 28648 case 
"signal.target.euser": 28649 return reflect.String, nil 28650 case "signal.target.file.change_time": 28651 return reflect.Int, nil 28652 case "signal.target.file.filesystem": 28653 return reflect.String, nil 28654 case "signal.target.file.gid": 28655 return reflect.Int, nil 28656 case "signal.target.file.group": 28657 return reflect.String, nil 28658 case "signal.target.file.hashes": 28659 return reflect.String, nil 28660 case "signal.target.file.in_upper_layer": 28661 return reflect.Bool, nil 28662 case "signal.target.file.inode": 28663 return reflect.Int, nil 28664 case "signal.target.file.mode": 28665 return reflect.Int, nil 28666 case "signal.target.file.modification_time": 28667 return reflect.Int, nil 28668 case "signal.target.file.mount_id": 28669 return reflect.Int, nil 28670 case "signal.target.file.name": 28671 return reflect.String, nil 28672 case "signal.target.file.name.length": 28673 return reflect.Int, nil 28674 case "signal.target.file.package.name": 28675 return reflect.String, nil 28676 case "signal.target.file.package.source_version": 28677 return reflect.String, nil 28678 case "signal.target.file.package.version": 28679 return reflect.String, nil 28680 case "signal.target.file.path": 28681 return reflect.String, nil 28682 case "signal.target.file.path.length": 28683 return reflect.Int, nil 28684 case "signal.target.file.rights": 28685 return reflect.Int, nil 28686 case "signal.target.file.uid": 28687 return reflect.Int, nil 28688 case "signal.target.file.user": 28689 return reflect.String, nil 28690 case "signal.target.fsgid": 28691 return reflect.Int, nil 28692 case "signal.target.fsgroup": 28693 return reflect.String, nil 28694 case "signal.target.fsuid": 28695 return reflect.Int, nil 28696 case "signal.target.fsuser": 28697 return reflect.String, nil 28698 case "signal.target.gid": 28699 return reflect.Int, nil 28700 case "signal.target.group": 28701 return reflect.String, nil 28702 case "signal.target.interpreter.file.change_time": 28703 
return reflect.Int, nil 28704 case "signal.target.interpreter.file.filesystem": 28705 return reflect.String, nil 28706 case "signal.target.interpreter.file.gid": 28707 return reflect.Int, nil 28708 case "signal.target.interpreter.file.group": 28709 return reflect.String, nil 28710 case "signal.target.interpreter.file.hashes": 28711 return reflect.String, nil 28712 case "signal.target.interpreter.file.in_upper_layer": 28713 return reflect.Bool, nil 28714 case "signal.target.interpreter.file.inode": 28715 return reflect.Int, nil 28716 case "signal.target.interpreter.file.mode": 28717 return reflect.Int, nil 28718 case "signal.target.interpreter.file.modification_time": 28719 return reflect.Int, nil 28720 case "signal.target.interpreter.file.mount_id": 28721 return reflect.Int, nil 28722 case "signal.target.interpreter.file.name": 28723 return reflect.String, nil 28724 case "signal.target.interpreter.file.name.length": 28725 return reflect.Int, nil 28726 case "signal.target.interpreter.file.package.name": 28727 return reflect.String, nil 28728 case "signal.target.interpreter.file.package.source_version": 28729 return reflect.String, nil 28730 case "signal.target.interpreter.file.package.version": 28731 return reflect.String, nil 28732 case "signal.target.interpreter.file.path": 28733 return reflect.String, nil 28734 case "signal.target.interpreter.file.path.length": 28735 return reflect.Int, nil 28736 case "signal.target.interpreter.file.rights": 28737 return reflect.Int, nil 28738 case "signal.target.interpreter.file.uid": 28739 return reflect.Int, nil 28740 case "signal.target.interpreter.file.user": 28741 return reflect.String, nil 28742 case "signal.target.is_kworker": 28743 return reflect.Bool, nil 28744 case "signal.target.is_thread": 28745 return reflect.Bool, nil 28746 case "signal.target.parent.args": 28747 return reflect.String, nil 28748 case "signal.target.parent.args_flags": 28749 return reflect.String, nil 28750 case "signal.target.parent.args_options": 
28751 return reflect.String, nil 28752 case "signal.target.parent.args_truncated": 28753 return reflect.Bool, nil 28754 case "signal.target.parent.argv": 28755 return reflect.String, nil 28756 case "signal.target.parent.argv0": 28757 return reflect.String, nil 28758 case "signal.target.parent.cap_effective": 28759 return reflect.Int, nil 28760 case "signal.target.parent.cap_permitted": 28761 return reflect.Int, nil 28762 case "signal.target.parent.comm": 28763 return reflect.String, nil 28764 case "signal.target.parent.container.id": 28765 return reflect.String, nil 28766 case "signal.target.parent.created_at": 28767 return reflect.Int, nil 28768 case "signal.target.parent.egid": 28769 return reflect.Int, nil 28770 case "signal.target.parent.egroup": 28771 return reflect.String, nil 28772 case "signal.target.parent.envp": 28773 return reflect.String, nil 28774 case "signal.target.parent.envs": 28775 return reflect.String, nil 28776 case "signal.target.parent.envs_truncated": 28777 return reflect.Bool, nil 28778 case "signal.target.parent.euid": 28779 return reflect.Int, nil 28780 case "signal.target.parent.euser": 28781 return reflect.String, nil 28782 case "signal.target.parent.file.change_time": 28783 return reflect.Int, nil 28784 case "signal.target.parent.file.filesystem": 28785 return reflect.String, nil 28786 case "signal.target.parent.file.gid": 28787 return reflect.Int, nil 28788 case "signal.target.parent.file.group": 28789 return reflect.String, nil 28790 case "signal.target.parent.file.hashes": 28791 return reflect.String, nil 28792 case "signal.target.parent.file.in_upper_layer": 28793 return reflect.Bool, nil 28794 case "signal.target.parent.file.inode": 28795 return reflect.Int, nil 28796 case "signal.target.parent.file.mode": 28797 return reflect.Int, nil 28798 case "signal.target.parent.file.modification_time": 28799 return reflect.Int, nil 28800 case "signal.target.parent.file.mount_id": 28801 return reflect.Int, nil 28802 case 
"signal.target.parent.file.name": 28803 return reflect.String, nil 28804 case "signal.target.parent.file.name.length": 28805 return reflect.Int, nil 28806 case "signal.target.parent.file.package.name": 28807 return reflect.String, nil 28808 case "signal.target.parent.file.package.source_version": 28809 return reflect.String, nil 28810 case "signal.target.parent.file.package.version": 28811 return reflect.String, nil 28812 case "signal.target.parent.file.path": 28813 return reflect.String, nil 28814 case "signal.target.parent.file.path.length": 28815 return reflect.Int, nil 28816 case "signal.target.parent.file.rights": 28817 return reflect.Int, nil 28818 case "signal.target.parent.file.uid": 28819 return reflect.Int, nil 28820 case "signal.target.parent.file.user": 28821 return reflect.String, nil 28822 case "signal.target.parent.fsgid": 28823 return reflect.Int, nil 28824 case "signal.target.parent.fsgroup": 28825 return reflect.String, nil 28826 case "signal.target.parent.fsuid": 28827 return reflect.Int, nil 28828 case "signal.target.parent.fsuser": 28829 return reflect.String, nil 28830 case "signal.target.parent.gid": 28831 return reflect.Int, nil 28832 case "signal.target.parent.group": 28833 return reflect.String, nil 28834 case "signal.target.parent.interpreter.file.change_time": 28835 return reflect.Int, nil 28836 case "signal.target.parent.interpreter.file.filesystem": 28837 return reflect.String, nil 28838 case "signal.target.parent.interpreter.file.gid": 28839 return reflect.Int, nil 28840 case "signal.target.parent.interpreter.file.group": 28841 return reflect.String, nil 28842 case "signal.target.parent.interpreter.file.hashes": 28843 return reflect.String, nil 28844 case "signal.target.parent.interpreter.file.in_upper_layer": 28845 return reflect.Bool, nil 28846 case "signal.target.parent.interpreter.file.inode": 28847 return reflect.Int, nil 28848 case "signal.target.parent.interpreter.file.mode": 28849 return reflect.Int, nil 28850 case 
"signal.target.parent.interpreter.file.modification_time": 28851 return reflect.Int, nil 28852 case "signal.target.parent.interpreter.file.mount_id": 28853 return reflect.Int, nil 28854 case "signal.target.parent.interpreter.file.name": 28855 return reflect.String, nil 28856 case "signal.target.parent.interpreter.file.name.length": 28857 return reflect.Int, nil 28858 case "signal.target.parent.interpreter.file.package.name": 28859 return reflect.String, nil 28860 case "signal.target.parent.interpreter.file.package.source_version": 28861 return reflect.String, nil 28862 case "signal.target.parent.interpreter.file.package.version": 28863 return reflect.String, nil 28864 case "signal.target.parent.interpreter.file.path": 28865 return reflect.String, nil 28866 case "signal.target.parent.interpreter.file.path.length": 28867 return reflect.Int, nil 28868 case "signal.target.parent.interpreter.file.rights": 28869 return reflect.Int, nil 28870 case "signal.target.parent.interpreter.file.uid": 28871 return reflect.Int, nil 28872 case "signal.target.parent.interpreter.file.user": 28873 return reflect.String, nil 28874 case "signal.target.parent.is_kworker": 28875 return reflect.Bool, nil 28876 case "signal.target.parent.is_thread": 28877 return reflect.Bool, nil 28878 case "signal.target.parent.pid": 28879 return reflect.Int, nil 28880 case "signal.target.parent.ppid": 28881 return reflect.Int, nil 28882 case "signal.target.parent.tid": 28883 return reflect.Int, nil 28884 case "signal.target.parent.tty_name": 28885 return reflect.String, nil 28886 case "signal.target.parent.uid": 28887 return reflect.Int, nil 28888 case "signal.target.parent.user": 28889 return reflect.String, nil 28890 case "signal.target.parent.user_session.k8s_groups": 28891 return reflect.String, nil 28892 case "signal.target.parent.user_session.k8s_uid": 28893 return reflect.String, nil 28894 case "signal.target.parent.user_session.k8s_username": 28895 return reflect.String, nil 28896 case 
"signal.target.pid": 28897 return reflect.Int, nil 28898 case "signal.target.ppid": 28899 return reflect.Int, nil 28900 case "signal.target.tid": 28901 return reflect.Int, nil 28902 case "signal.target.tty_name": 28903 return reflect.String, nil 28904 case "signal.target.uid": 28905 return reflect.Int, nil 28906 case "signal.target.user": 28907 return reflect.String, nil 28908 case "signal.target.user_session.k8s_groups": 28909 return reflect.String, nil 28910 case "signal.target.user_session.k8s_uid": 28911 return reflect.String, nil 28912 case "signal.target.user_session.k8s_username": 28913 return reflect.String, nil 28914 case "signal.type": 28915 return reflect.Int, nil 28916 case "splice.file.change_time": 28917 return reflect.Int, nil 28918 case "splice.file.filesystem": 28919 return reflect.String, nil 28920 case "splice.file.gid": 28921 return reflect.Int, nil 28922 case "splice.file.group": 28923 return reflect.String, nil 28924 case "splice.file.hashes": 28925 return reflect.String, nil 28926 case "splice.file.in_upper_layer": 28927 return reflect.Bool, nil 28928 case "splice.file.inode": 28929 return reflect.Int, nil 28930 case "splice.file.mode": 28931 return reflect.Int, nil 28932 case "splice.file.modification_time": 28933 return reflect.Int, nil 28934 case "splice.file.mount_id": 28935 return reflect.Int, nil 28936 case "splice.file.name": 28937 return reflect.String, nil 28938 case "splice.file.name.length": 28939 return reflect.Int, nil 28940 case "splice.file.package.name": 28941 return reflect.String, nil 28942 case "splice.file.package.source_version": 28943 return reflect.String, nil 28944 case "splice.file.package.version": 28945 return reflect.String, nil 28946 case "splice.file.path": 28947 return reflect.String, nil 28948 case "splice.file.path.length": 28949 return reflect.Int, nil 28950 case "splice.file.rights": 28951 return reflect.Int, nil 28952 case "splice.file.uid": 28953 return reflect.Int, nil 28954 case "splice.file.user": 28955 
return reflect.String, nil 28956 case "splice.pipe_entry_flag": 28957 return reflect.Int, nil 28958 case "splice.pipe_exit_flag": 28959 return reflect.Int, nil 28960 case "splice.retval": 28961 return reflect.Int, nil 28962 case "unlink.file.change_time": 28963 return reflect.Int, nil 28964 case "unlink.file.filesystem": 28965 return reflect.String, nil 28966 case "unlink.file.gid": 28967 return reflect.Int, nil 28968 case "unlink.file.group": 28969 return reflect.String, nil 28970 case "unlink.file.hashes": 28971 return reflect.String, nil 28972 case "unlink.file.in_upper_layer": 28973 return reflect.Bool, nil 28974 case "unlink.file.inode": 28975 return reflect.Int, nil 28976 case "unlink.file.mode": 28977 return reflect.Int, nil 28978 case "unlink.file.modification_time": 28979 return reflect.Int, nil 28980 case "unlink.file.mount_id": 28981 return reflect.Int, nil 28982 case "unlink.file.name": 28983 return reflect.String, nil 28984 case "unlink.file.name.length": 28985 return reflect.Int, nil 28986 case "unlink.file.package.name": 28987 return reflect.String, nil 28988 case "unlink.file.package.source_version": 28989 return reflect.String, nil 28990 case "unlink.file.package.version": 28991 return reflect.String, nil 28992 case "unlink.file.path": 28993 return reflect.String, nil 28994 case "unlink.file.path.length": 28995 return reflect.Int, nil 28996 case "unlink.file.rights": 28997 return reflect.Int, nil 28998 case "unlink.file.uid": 28999 return reflect.Int, nil 29000 case "unlink.file.user": 29001 return reflect.String, nil 29002 case "unlink.flags": 29003 return reflect.Int, nil 29004 case "unlink.retval": 29005 return reflect.Int, nil 29006 case "unload_module.name": 29007 return reflect.String, nil 29008 case "unload_module.retval": 29009 return reflect.Int, nil 29010 case "utimes.file.change_time": 29011 return reflect.Int, nil 29012 case "utimes.file.filesystem": 29013 return reflect.String, nil 29014 case "utimes.file.gid": 29015 return 
reflect.Int, nil 29016 case "utimes.file.group": 29017 return reflect.String, nil 29018 case "utimes.file.hashes": 29019 return reflect.String, nil 29020 case "utimes.file.in_upper_layer": 29021 return reflect.Bool, nil 29022 case "utimes.file.inode": 29023 return reflect.Int, nil 29024 case "utimes.file.mode": 29025 return reflect.Int, nil 29026 case "utimes.file.modification_time": 29027 return reflect.Int, nil 29028 case "utimes.file.mount_id": 29029 return reflect.Int, nil 29030 case "utimes.file.name": 29031 return reflect.String, nil 29032 case "utimes.file.name.length": 29033 return reflect.Int, nil 29034 case "utimes.file.package.name": 29035 return reflect.String, nil 29036 case "utimes.file.package.source_version": 29037 return reflect.String, nil 29038 case "utimes.file.package.version": 29039 return reflect.String, nil 29040 case "utimes.file.path": 29041 return reflect.String, nil 29042 case "utimes.file.path.length": 29043 return reflect.Int, nil 29044 case "utimes.file.rights": 29045 return reflect.Int, nil 29046 case "utimes.file.uid": 29047 return reflect.Int, nil 29048 case "utimes.file.user": 29049 return reflect.String, nil 29050 case "utimes.retval": 29051 return reflect.Int, nil 29052 } 29053 return reflect.Invalid, &eval.ErrFieldNotFound{Field: field} 29054 } 29055 func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error { 29056 switch field { 29057 case "bind.addr.family": 29058 rv, ok := value.(int) 29059 if !ok { 29060 return &eval.ErrValueTypeMismatch{Field: "Bind.AddrFamily"} 29061 } 29062 ev.Bind.AddrFamily = uint16(rv) 29063 return nil 29064 case "bind.addr.ip": 29065 rv, ok := value.(net.IPNet) 29066 if !ok { 29067 return &eval.ErrValueTypeMismatch{Field: "Bind.Addr.IPNet"} 29068 } 29069 ev.Bind.Addr.IPNet = rv 29070 return nil 29071 case "bind.addr.port": 29072 rv, ok := value.(int) 29073 if !ok { 29074 return &eval.ErrValueTypeMismatch{Field: "Bind.Addr.Port"} 29075 } 29076 ev.Bind.Addr.Port = uint16(rv) 29077 
return nil 29078 case "bind.retval": 29079 rv, ok := value.(int) 29080 if !ok { 29081 return &eval.ErrValueTypeMismatch{Field: "Bind.SyscallEvent.Retval"} 29082 } 29083 ev.Bind.SyscallEvent.Retval = int64(rv) 29084 return nil 29085 case "bpf.cmd": 29086 rv, ok := value.(int) 29087 if !ok { 29088 return &eval.ErrValueTypeMismatch{Field: "BPF.Cmd"} 29089 } 29090 ev.BPF.Cmd = uint32(rv) 29091 return nil 29092 case "bpf.map.name": 29093 rv, ok := value.(string) 29094 if !ok { 29095 return &eval.ErrValueTypeMismatch{Field: "BPF.Map.Name"} 29096 } 29097 ev.BPF.Map.Name = rv 29098 return nil 29099 case "bpf.map.type": 29100 rv, ok := value.(int) 29101 if !ok { 29102 return &eval.ErrValueTypeMismatch{Field: "BPF.Map.Type"} 29103 } 29104 ev.BPF.Map.Type = uint32(rv) 29105 return nil 29106 case "bpf.prog.attach_type": 29107 rv, ok := value.(int) 29108 if !ok { 29109 return &eval.ErrValueTypeMismatch{Field: "BPF.Program.AttachType"} 29110 } 29111 ev.BPF.Program.AttachType = uint32(rv) 29112 return nil 29113 case "bpf.prog.helpers": 29114 switch rv := value.(type) { 29115 case int: 29116 ev.BPF.Program.Helpers = append(ev.BPF.Program.Helpers, uint32(rv)) 29117 case []int: 29118 for _, i := range rv { 29119 ev.BPF.Program.Helpers = append(ev.BPF.Program.Helpers, uint32(i)) 29120 } 29121 default: 29122 return &eval.ErrValueTypeMismatch{Field: "BPF.Program.Helpers"} 29123 } 29124 return nil 29125 case "bpf.prog.name": 29126 rv, ok := value.(string) 29127 if !ok { 29128 return &eval.ErrValueTypeMismatch{Field: "BPF.Program.Name"} 29129 } 29130 ev.BPF.Program.Name = rv 29131 return nil 29132 case "bpf.prog.tag": 29133 rv, ok := value.(string) 29134 if !ok { 29135 return &eval.ErrValueTypeMismatch{Field: "BPF.Program.Tag"} 29136 } 29137 ev.BPF.Program.Tag = rv 29138 return nil 29139 case "bpf.prog.type": 29140 rv, ok := value.(int) 29141 if !ok { 29142 return &eval.ErrValueTypeMismatch{Field: "BPF.Program.Type"} 29143 } 29144 ev.BPF.Program.Type = uint32(rv) 29145 return nil 29146 
case "bpf.retval": 29147 rv, ok := value.(int) 29148 if !ok { 29149 return &eval.ErrValueTypeMismatch{Field: "BPF.SyscallEvent.Retval"} 29150 } 29151 ev.BPF.SyscallEvent.Retval = int64(rv) 29152 return nil 29153 case "capset.cap_effective": 29154 rv, ok := value.(int) 29155 if !ok { 29156 return &eval.ErrValueTypeMismatch{Field: "Capset.CapEffective"} 29157 } 29158 ev.Capset.CapEffective = uint64(rv) 29159 return nil 29160 case "capset.cap_permitted": 29161 rv, ok := value.(int) 29162 if !ok { 29163 return &eval.ErrValueTypeMismatch{Field: "Capset.CapPermitted"} 29164 } 29165 ev.Capset.CapPermitted = uint64(rv) 29166 return nil 29167 case "chdir.file.change_time": 29168 rv, ok := value.(int) 29169 if !ok { 29170 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.FileFields.CTime"} 29171 } 29172 ev.Chdir.File.FileFields.CTime = uint64(rv) 29173 return nil 29174 case "chdir.file.filesystem": 29175 rv, ok := value.(string) 29176 if !ok { 29177 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.Filesystem"} 29178 } 29179 ev.Chdir.File.Filesystem = rv 29180 return nil 29181 case "chdir.file.gid": 29182 rv, ok := value.(int) 29183 if !ok { 29184 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.FileFields.GID"} 29185 } 29186 ev.Chdir.File.FileFields.GID = uint32(rv) 29187 return nil 29188 case "chdir.file.group": 29189 rv, ok := value.(string) 29190 if !ok { 29191 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.FileFields.Group"} 29192 } 29193 ev.Chdir.File.FileFields.Group = rv 29194 return nil 29195 case "chdir.file.hashes": 29196 switch rv := value.(type) { 29197 case string: 29198 ev.Chdir.File.Hashes = append(ev.Chdir.File.Hashes, rv) 29199 case []string: 29200 ev.Chdir.File.Hashes = append(ev.Chdir.File.Hashes, rv...) 
29201 default: 29202 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.Hashes"} 29203 } 29204 return nil 29205 case "chdir.file.in_upper_layer": 29206 rv, ok := value.(bool) 29207 if !ok { 29208 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.FileFields.InUpperLayer"} 29209 } 29210 ev.Chdir.File.FileFields.InUpperLayer = rv 29211 return nil 29212 case "chdir.file.inode": 29213 rv, ok := value.(int) 29214 if !ok { 29215 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.FileFields.PathKey.Inode"} 29216 } 29217 ev.Chdir.File.FileFields.PathKey.Inode = uint64(rv) 29218 return nil 29219 case "chdir.file.mode": 29220 rv, ok := value.(int) 29221 if !ok { 29222 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.FileFields.Mode"} 29223 } 29224 ev.Chdir.File.FileFields.Mode = uint16(rv) 29225 return nil 29226 case "chdir.file.modification_time": 29227 rv, ok := value.(int) 29228 if !ok { 29229 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.FileFields.MTime"} 29230 } 29231 ev.Chdir.File.FileFields.MTime = uint64(rv) 29232 return nil 29233 case "chdir.file.mount_id": 29234 rv, ok := value.(int) 29235 if !ok { 29236 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.FileFields.PathKey.MountID"} 29237 } 29238 ev.Chdir.File.FileFields.PathKey.MountID = uint32(rv) 29239 return nil 29240 case "chdir.file.name": 29241 rv, ok := value.(string) 29242 if !ok { 29243 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.BasenameStr"} 29244 } 29245 ev.Chdir.File.BasenameStr = rv 29246 return nil 29247 case "chdir.file.name.length": 29248 return &eval.ErrFieldReadOnly{Field: "chdir.file.name.length"} 29249 case "chdir.file.package.name": 29250 rv, ok := value.(string) 29251 if !ok { 29252 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.PkgName"} 29253 } 29254 ev.Chdir.File.PkgName = rv 29255 return nil 29256 case "chdir.file.package.source_version": 29257 rv, ok := value.(string) 29258 if !ok { 29259 return &eval.ErrValueTypeMismatch{Field: 
"Chdir.File.PkgSrcVersion"} 29260 } 29261 ev.Chdir.File.PkgSrcVersion = rv 29262 return nil 29263 case "chdir.file.package.version": 29264 rv, ok := value.(string) 29265 if !ok { 29266 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.PkgVersion"} 29267 } 29268 ev.Chdir.File.PkgVersion = rv 29269 return nil 29270 case "chdir.file.path": 29271 rv, ok := value.(string) 29272 if !ok { 29273 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.PathnameStr"} 29274 } 29275 ev.Chdir.File.PathnameStr = rv 29276 return nil 29277 case "chdir.file.path.length": 29278 return &eval.ErrFieldReadOnly{Field: "chdir.file.path.length"} 29279 case "chdir.file.rights": 29280 rv, ok := value.(int) 29281 if !ok { 29282 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.FileFields.Mode"} 29283 } 29284 ev.Chdir.File.FileFields.Mode = uint16(rv) 29285 return nil 29286 case "chdir.file.uid": 29287 rv, ok := value.(int) 29288 if !ok { 29289 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.FileFields.UID"} 29290 } 29291 ev.Chdir.File.FileFields.UID = uint32(rv) 29292 return nil 29293 case "chdir.file.user": 29294 rv, ok := value.(string) 29295 if !ok { 29296 return &eval.ErrValueTypeMismatch{Field: "Chdir.File.FileFields.User"} 29297 } 29298 ev.Chdir.File.FileFields.User = rv 29299 return nil 29300 case "chdir.retval": 29301 rv, ok := value.(int) 29302 if !ok { 29303 return &eval.ErrValueTypeMismatch{Field: "Chdir.SyscallEvent.Retval"} 29304 } 29305 ev.Chdir.SyscallEvent.Retval = int64(rv) 29306 return nil 29307 case "chmod.file.change_time": 29308 rv, ok := value.(int) 29309 if !ok { 29310 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.FileFields.CTime"} 29311 } 29312 ev.Chmod.File.FileFields.CTime = uint64(rv) 29313 return nil 29314 case "chmod.file.destination.mode": 29315 rv, ok := value.(int) 29316 if !ok { 29317 return &eval.ErrValueTypeMismatch{Field: "Chmod.Mode"} 29318 } 29319 ev.Chmod.Mode = uint32(rv) 29320 return nil 29321 case "chmod.file.destination.rights": 29322 
rv, ok := value.(int) 29323 if !ok { 29324 return &eval.ErrValueTypeMismatch{Field: "Chmod.Mode"} 29325 } 29326 ev.Chmod.Mode = uint32(rv) 29327 return nil 29328 case "chmod.file.filesystem": 29329 rv, ok := value.(string) 29330 if !ok { 29331 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.Filesystem"} 29332 } 29333 ev.Chmod.File.Filesystem = rv 29334 return nil 29335 case "chmod.file.gid": 29336 rv, ok := value.(int) 29337 if !ok { 29338 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.FileFields.GID"} 29339 } 29340 ev.Chmod.File.FileFields.GID = uint32(rv) 29341 return nil 29342 case "chmod.file.group": 29343 rv, ok := value.(string) 29344 if !ok { 29345 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.FileFields.Group"} 29346 } 29347 ev.Chmod.File.FileFields.Group = rv 29348 return nil 29349 case "chmod.file.hashes": 29350 switch rv := value.(type) { 29351 case string: 29352 ev.Chmod.File.Hashes = append(ev.Chmod.File.Hashes, rv) 29353 case []string: 29354 ev.Chmod.File.Hashes = append(ev.Chmod.File.Hashes, rv...) 
29355 default: 29356 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.Hashes"} 29357 } 29358 return nil 29359 case "chmod.file.in_upper_layer": 29360 rv, ok := value.(bool) 29361 if !ok { 29362 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.FileFields.InUpperLayer"} 29363 } 29364 ev.Chmod.File.FileFields.InUpperLayer = rv 29365 return nil 29366 case "chmod.file.inode": 29367 rv, ok := value.(int) 29368 if !ok { 29369 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.FileFields.PathKey.Inode"} 29370 } 29371 ev.Chmod.File.FileFields.PathKey.Inode = uint64(rv) 29372 return nil 29373 case "chmod.file.mode": 29374 rv, ok := value.(int) 29375 if !ok { 29376 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.FileFields.Mode"} 29377 } 29378 ev.Chmod.File.FileFields.Mode = uint16(rv) 29379 return nil 29380 case "chmod.file.modification_time": 29381 rv, ok := value.(int) 29382 if !ok { 29383 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.FileFields.MTime"} 29384 } 29385 ev.Chmod.File.FileFields.MTime = uint64(rv) 29386 return nil 29387 case "chmod.file.mount_id": 29388 rv, ok := value.(int) 29389 if !ok { 29390 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.FileFields.PathKey.MountID"} 29391 } 29392 ev.Chmod.File.FileFields.PathKey.MountID = uint32(rv) 29393 return nil 29394 case "chmod.file.name": 29395 rv, ok := value.(string) 29396 if !ok { 29397 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.BasenameStr"} 29398 } 29399 ev.Chmod.File.BasenameStr = rv 29400 return nil 29401 case "chmod.file.name.length": 29402 return &eval.ErrFieldReadOnly{Field: "chmod.file.name.length"} 29403 case "chmod.file.package.name": 29404 rv, ok := value.(string) 29405 if !ok { 29406 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.PkgName"} 29407 } 29408 ev.Chmod.File.PkgName = rv 29409 return nil 29410 case "chmod.file.package.source_version": 29411 rv, ok := value.(string) 29412 if !ok { 29413 return &eval.ErrValueTypeMismatch{Field: 
"Chmod.File.PkgSrcVersion"} 29414 } 29415 ev.Chmod.File.PkgSrcVersion = rv 29416 return nil 29417 case "chmod.file.package.version": 29418 rv, ok := value.(string) 29419 if !ok { 29420 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.PkgVersion"} 29421 } 29422 ev.Chmod.File.PkgVersion = rv 29423 return nil 29424 case "chmod.file.path": 29425 rv, ok := value.(string) 29426 if !ok { 29427 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.PathnameStr"} 29428 } 29429 ev.Chmod.File.PathnameStr = rv 29430 return nil 29431 case "chmod.file.path.length": 29432 return &eval.ErrFieldReadOnly{Field: "chmod.file.path.length"} 29433 case "chmod.file.rights": 29434 rv, ok := value.(int) 29435 if !ok { 29436 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.FileFields.Mode"} 29437 } 29438 ev.Chmod.File.FileFields.Mode = uint16(rv) 29439 return nil 29440 case "chmod.file.uid": 29441 rv, ok := value.(int) 29442 if !ok { 29443 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.FileFields.UID"} 29444 } 29445 ev.Chmod.File.FileFields.UID = uint32(rv) 29446 return nil 29447 case "chmod.file.user": 29448 rv, ok := value.(string) 29449 if !ok { 29450 return &eval.ErrValueTypeMismatch{Field: "Chmod.File.FileFields.User"} 29451 } 29452 ev.Chmod.File.FileFields.User = rv 29453 return nil 29454 case "chmod.retval": 29455 rv, ok := value.(int) 29456 if !ok { 29457 return &eval.ErrValueTypeMismatch{Field: "Chmod.SyscallEvent.Retval"} 29458 } 29459 ev.Chmod.SyscallEvent.Retval = int64(rv) 29460 return nil 29461 case "chown.file.change_time": 29462 rv, ok := value.(int) 29463 if !ok { 29464 return &eval.ErrValueTypeMismatch{Field: "Chown.File.FileFields.CTime"} 29465 } 29466 ev.Chown.File.FileFields.CTime = uint64(rv) 29467 return nil 29468 case "chown.file.destination.gid": 29469 rv, ok := value.(int) 29470 if !ok { 29471 return &eval.ErrValueTypeMismatch{Field: "Chown.GID"} 29472 } 29473 ev.Chown.GID = int64(rv) 29474 return nil 29475 case "chown.file.destination.group": 29476 rv, 
ok := value.(string) 29477 if !ok { 29478 return &eval.ErrValueTypeMismatch{Field: "Chown.Group"} 29479 } 29480 ev.Chown.Group = rv 29481 return nil 29482 case "chown.file.destination.uid": 29483 rv, ok := value.(int) 29484 if !ok { 29485 return &eval.ErrValueTypeMismatch{Field: "Chown.UID"} 29486 } 29487 ev.Chown.UID = int64(rv) 29488 return nil 29489 case "chown.file.destination.user": 29490 rv, ok := value.(string) 29491 if !ok { 29492 return &eval.ErrValueTypeMismatch{Field: "Chown.User"} 29493 } 29494 ev.Chown.User = rv 29495 return nil 29496 case "chown.file.filesystem": 29497 rv, ok := value.(string) 29498 if !ok { 29499 return &eval.ErrValueTypeMismatch{Field: "Chown.File.Filesystem"} 29500 } 29501 ev.Chown.File.Filesystem = rv 29502 return nil 29503 case "chown.file.gid": 29504 rv, ok := value.(int) 29505 if !ok { 29506 return &eval.ErrValueTypeMismatch{Field: "Chown.File.FileFields.GID"} 29507 } 29508 ev.Chown.File.FileFields.GID = uint32(rv) 29509 return nil 29510 case "chown.file.group": 29511 rv, ok := value.(string) 29512 if !ok { 29513 return &eval.ErrValueTypeMismatch{Field: "Chown.File.FileFields.Group"} 29514 } 29515 ev.Chown.File.FileFields.Group = rv 29516 return nil 29517 case "chown.file.hashes": 29518 switch rv := value.(type) { 29519 case string: 29520 ev.Chown.File.Hashes = append(ev.Chown.File.Hashes, rv) 29521 case []string: 29522 ev.Chown.File.Hashes = append(ev.Chown.File.Hashes, rv...) 
29523 default: 29524 return &eval.ErrValueTypeMismatch{Field: "Chown.File.Hashes"} 29525 } 29526 return nil 29527 case "chown.file.in_upper_layer": 29528 rv, ok := value.(bool) 29529 if !ok { 29530 return &eval.ErrValueTypeMismatch{Field: "Chown.File.FileFields.InUpperLayer"} 29531 } 29532 ev.Chown.File.FileFields.InUpperLayer = rv 29533 return nil 29534 case "chown.file.inode": 29535 rv, ok := value.(int) 29536 if !ok { 29537 return &eval.ErrValueTypeMismatch{Field: "Chown.File.FileFields.PathKey.Inode"} 29538 } 29539 ev.Chown.File.FileFields.PathKey.Inode = uint64(rv) 29540 return nil 29541 case "chown.file.mode": 29542 rv, ok := value.(int) 29543 if !ok { 29544 return &eval.ErrValueTypeMismatch{Field: "Chown.File.FileFields.Mode"} 29545 } 29546 ev.Chown.File.FileFields.Mode = uint16(rv) 29547 return nil 29548 case "chown.file.modification_time": 29549 rv, ok := value.(int) 29550 if !ok { 29551 return &eval.ErrValueTypeMismatch{Field: "Chown.File.FileFields.MTime"} 29552 } 29553 ev.Chown.File.FileFields.MTime = uint64(rv) 29554 return nil 29555 case "chown.file.mount_id": 29556 rv, ok := value.(int) 29557 if !ok { 29558 return &eval.ErrValueTypeMismatch{Field: "Chown.File.FileFields.PathKey.MountID"} 29559 } 29560 ev.Chown.File.FileFields.PathKey.MountID = uint32(rv) 29561 return nil 29562 case "chown.file.name": 29563 rv, ok := value.(string) 29564 if !ok { 29565 return &eval.ErrValueTypeMismatch{Field: "Chown.File.BasenameStr"} 29566 } 29567 ev.Chown.File.BasenameStr = rv 29568 return nil 29569 case "chown.file.name.length": 29570 return &eval.ErrFieldReadOnly{Field: "chown.file.name.length"} 29571 case "chown.file.package.name": 29572 rv, ok := value.(string) 29573 if !ok { 29574 return &eval.ErrValueTypeMismatch{Field: "Chown.File.PkgName"} 29575 } 29576 ev.Chown.File.PkgName = rv 29577 return nil 29578 case "chown.file.package.source_version": 29579 rv, ok := value.(string) 29580 if !ok { 29581 return &eval.ErrValueTypeMismatch{Field: 
"Chown.File.PkgSrcVersion"} 29582 } 29583 ev.Chown.File.PkgSrcVersion = rv 29584 return nil 29585 case "chown.file.package.version": 29586 rv, ok := value.(string) 29587 if !ok { 29588 return &eval.ErrValueTypeMismatch{Field: "Chown.File.PkgVersion"} 29589 } 29590 ev.Chown.File.PkgVersion = rv 29591 return nil 29592 case "chown.file.path": 29593 rv, ok := value.(string) 29594 if !ok { 29595 return &eval.ErrValueTypeMismatch{Field: "Chown.File.PathnameStr"} 29596 } 29597 ev.Chown.File.PathnameStr = rv 29598 return nil 29599 case "chown.file.path.length": 29600 return &eval.ErrFieldReadOnly{Field: "chown.file.path.length"} 29601 case "chown.file.rights": 29602 rv, ok := value.(int) 29603 if !ok { 29604 return &eval.ErrValueTypeMismatch{Field: "Chown.File.FileFields.Mode"} 29605 } 29606 ev.Chown.File.FileFields.Mode = uint16(rv) 29607 return nil 29608 case "chown.file.uid": 29609 rv, ok := value.(int) 29610 if !ok { 29611 return &eval.ErrValueTypeMismatch{Field: "Chown.File.FileFields.UID"} 29612 } 29613 ev.Chown.File.FileFields.UID = uint32(rv) 29614 return nil 29615 case "chown.file.user": 29616 rv, ok := value.(string) 29617 if !ok { 29618 return &eval.ErrValueTypeMismatch{Field: "Chown.File.FileFields.User"} 29619 } 29620 ev.Chown.File.FileFields.User = rv 29621 return nil 29622 case "chown.retval": 29623 rv, ok := value.(int) 29624 if !ok { 29625 return &eval.ErrValueTypeMismatch{Field: "Chown.SyscallEvent.Retval"} 29626 } 29627 ev.Chown.SyscallEvent.Retval = int64(rv) 29628 return nil 29629 case "container.created_at": 29630 if ev.BaseEvent.ContainerContext == nil { 29631 ev.BaseEvent.ContainerContext = &ContainerContext{} 29632 } 29633 rv, ok := value.(int) 29634 if !ok { 29635 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ContainerContext.CreatedAt"} 29636 } 29637 ev.BaseEvent.ContainerContext.CreatedAt = uint64(rv) 29638 return nil 29639 case "container.id": 29640 if ev.BaseEvent.ContainerContext == nil { 29641 ev.BaseEvent.ContainerContext = 
&ContainerContext{} 29642 } 29643 rv, ok := value.(string) 29644 if !ok { 29645 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ContainerContext.ID"} 29646 } 29647 ev.BaseEvent.ContainerContext.ID = rv 29648 return nil 29649 case "container.tags": 29650 if ev.BaseEvent.ContainerContext == nil { 29651 ev.BaseEvent.ContainerContext = &ContainerContext{} 29652 } 29653 switch rv := value.(type) { 29654 case string: 29655 ev.BaseEvent.ContainerContext.Tags = append(ev.BaseEvent.ContainerContext.Tags, rv) 29656 case []string: 29657 ev.BaseEvent.ContainerContext.Tags = append(ev.BaseEvent.ContainerContext.Tags, rv...) 29658 default: 29659 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ContainerContext.Tags"} 29660 } 29661 return nil 29662 case "dns.id": 29663 rv, ok := value.(int) 29664 if !ok { 29665 return &eval.ErrValueTypeMismatch{Field: "DNS.ID"} 29666 } 29667 ev.DNS.ID = uint16(rv) 29668 return nil 29669 case "dns.question.class": 29670 rv, ok := value.(int) 29671 if !ok { 29672 return &eval.ErrValueTypeMismatch{Field: "DNS.Class"} 29673 } 29674 ev.DNS.Class = uint16(rv) 29675 return nil 29676 case "dns.question.count": 29677 rv, ok := value.(int) 29678 if !ok { 29679 return &eval.ErrValueTypeMismatch{Field: "DNS.Count"} 29680 } 29681 ev.DNS.Count = uint16(rv) 29682 return nil 29683 case "dns.question.length": 29684 rv, ok := value.(int) 29685 if !ok { 29686 return &eval.ErrValueTypeMismatch{Field: "DNS.Size"} 29687 } 29688 ev.DNS.Size = uint16(rv) 29689 return nil 29690 case "dns.question.name": 29691 rv, ok := value.(string) 29692 if !ok { 29693 return &eval.ErrValueTypeMismatch{Field: "DNS.Name"} 29694 } 29695 ev.DNS.Name = rv 29696 return nil 29697 case "dns.question.name.length": 29698 return &eval.ErrFieldReadOnly{Field: "dns.question.name.length"} 29699 case "dns.question.type": 29700 rv, ok := value.(int) 29701 if !ok { 29702 return &eval.ErrValueTypeMismatch{Field: "DNS.Type"} 29703 } 29704 ev.DNS.Type = uint16(rv) 29705 return nil 29706 case 
"event.async": 29707 rv, ok := value.(bool) 29708 if !ok { 29709 return &eval.ErrValueTypeMismatch{Field: "Async"} 29710 } 29711 ev.Async = rv 29712 return nil 29713 case "event.origin": 29714 rv, ok := value.(string) 29715 if !ok { 29716 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.Origin"} 29717 } 29718 ev.BaseEvent.Origin = rv 29719 return nil 29720 case "event.os": 29721 rv, ok := value.(string) 29722 if !ok { 29723 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.Os"} 29724 } 29725 ev.BaseEvent.Os = rv 29726 return nil 29727 case "event.service": 29728 rv, ok := value.(string) 29729 if !ok { 29730 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.Service"} 29731 } 29732 ev.BaseEvent.Service = rv 29733 return nil 29734 case "event.timestamp": 29735 rv, ok := value.(int) 29736 if !ok { 29737 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.TimestampRaw"} 29738 } 29739 ev.BaseEvent.TimestampRaw = uint64(rv) 29740 return nil 29741 case "exec.args": 29742 if ev.Exec.Process == nil { 29743 ev.Exec.Process = &Process{} 29744 } 29745 rv, ok := value.(string) 29746 if !ok { 29747 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Args"} 29748 } 29749 ev.Exec.Process.Args = rv 29750 return nil 29751 case "exec.args_flags": 29752 if ev.Exec.Process == nil { 29753 ev.Exec.Process = &Process{} 29754 } 29755 switch rv := value.(type) { 29756 case string: 29757 ev.Exec.Process.Argv = append(ev.Exec.Process.Argv, rv) 29758 case []string: 29759 ev.Exec.Process.Argv = append(ev.Exec.Process.Argv, rv...) 29760 default: 29761 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Argv"} 29762 } 29763 return nil 29764 case "exec.args_options": 29765 if ev.Exec.Process == nil { 29766 ev.Exec.Process = &Process{} 29767 } 29768 switch rv := value.(type) { 29769 case string: 29770 ev.Exec.Process.Argv = append(ev.Exec.Process.Argv, rv) 29771 case []string: 29772 ev.Exec.Process.Argv = append(ev.Exec.Process.Argv, rv...) 
29773 default: 29774 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Argv"} 29775 } 29776 return nil 29777 case "exec.args_truncated": 29778 if ev.Exec.Process == nil { 29779 ev.Exec.Process = &Process{} 29780 } 29781 rv, ok := value.(bool) 29782 if !ok { 29783 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.ArgsTruncated"} 29784 } 29785 ev.Exec.Process.ArgsTruncated = rv 29786 return nil 29787 case "exec.argv": 29788 if ev.Exec.Process == nil { 29789 ev.Exec.Process = &Process{} 29790 } 29791 switch rv := value.(type) { 29792 case string: 29793 ev.Exec.Process.Argv = append(ev.Exec.Process.Argv, rv) 29794 case []string: 29795 ev.Exec.Process.Argv = append(ev.Exec.Process.Argv, rv...) 29796 default: 29797 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Argv"} 29798 } 29799 return nil 29800 case "exec.argv0": 29801 if ev.Exec.Process == nil { 29802 ev.Exec.Process = &Process{} 29803 } 29804 rv, ok := value.(string) 29805 if !ok { 29806 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Argv0"} 29807 } 29808 ev.Exec.Process.Argv0 = rv 29809 return nil 29810 case "exec.cap_effective": 29811 if ev.Exec.Process == nil { 29812 ev.Exec.Process = &Process{} 29813 } 29814 rv, ok := value.(int) 29815 if !ok { 29816 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.CapEffective"} 29817 } 29818 ev.Exec.Process.Credentials.CapEffective = uint64(rv) 29819 return nil 29820 case "exec.cap_permitted": 29821 if ev.Exec.Process == nil { 29822 ev.Exec.Process = &Process{} 29823 } 29824 rv, ok := value.(int) 29825 if !ok { 29826 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.CapPermitted"} 29827 } 29828 ev.Exec.Process.Credentials.CapPermitted = uint64(rv) 29829 return nil 29830 case "exec.comm": 29831 if ev.Exec.Process == nil { 29832 ev.Exec.Process = &Process{} 29833 } 29834 rv, ok := value.(string) 29835 if !ok { 29836 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Comm"} 29837 } 29838 ev.Exec.Process.Comm = rv 
29839 return nil 29840 case "exec.container.id": 29841 if ev.Exec.Process == nil { 29842 ev.Exec.Process = &Process{} 29843 } 29844 rv, ok := value.(string) 29845 if !ok { 29846 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.ContainerID"} 29847 } 29848 ev.Exec.Process.ContainerID = rv 29849 return nil 29850 case "exec.created_at": 29851 if ev.Exec.Process == nil { 29852 ev.Exec.Process = &Process{} 29853 } 29854 rv, ok := value.(int) 29855 if !ok { 29856 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.CreatedAt"} 29857 } 29858 ev.Exec.Process.CreatedAt = uint64(rv) 29859 return nil 29860 case "exec.egid": 29861 if ev.Exec.Process == nil { 29862 ev.Exec.Process = &Process{} 29863 } 29864 rv, ok := value.(int) 29865 if !ok { 29866 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.EGID"} 29867 } 29868 ev.Exec.Process.Credentials.EGID = uint32(rv) 29869 return nil 29870 case "exec.egroup": 29871 if ev.Exec.Process == nil { 29872 ev.Exec.Process = &Process{} 29873 } 29874 rv, ok := value.(string) 29875 if !ok { 29876 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.EGroup"} 29877 } 29878 ev.Exec.Process.Credentials.EGroup = rv 29879 return nil 29880 case "exec.envp": 29881 if ev.Exec.Process == nil { 29882 ev.Exec.Process = &Process{} 29883 } 29884 switch rv := value.(type) { 29885 case string: 29886 ev.Exec.Process.Envp = append(ev.Exec.Process.Envp, rv) 29887 case []string: 29888 ev.Exec.Process.Envp = append(ev.Exec.Process.Envp, rv...) 29889 default: 29890 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Envp"} 29891 } 29892 return nil 29893 case "exec.envs": 29894 if ev.Exec.Process == nil { 29895 ev.Exec.Process = &Process{} 29896 } 29897 switch rv := value.(type) { 29898 case string: 29899 ev.Exec.Process.Envs = append(ev.Exec.Process.Envs, rv) 29900 case []string: 29901 ev.Exec.Process.Envs = append(ev.Exec.Process.Envs, rv...) 
29902 default: 29903 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Envs"} 29904 } 29905 return nil 29906 case "exec.envs_truncated": 29907 if ev.Exec.Process == nil { 29908 ev.Exec.Process = &Process{} 29909 } 29910 rv, ok := value.(bool) 29911 if !ok { 29912 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.EnvsTruncated"} 29913 } 29914 ev.Exec.Process.EnvsTruncated = rv 29915 return nil 29916 case "exec.euid": 29917 if ev.Exec.Process == nil { 29918 ev.Exec.Process = &Process{} 29919 } 29920 rv, ok := value.(int) 29921 if !ok { 29922 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.EUID"} 29923 } 29924 ev.Exec.Process.Credentials.EUID = uint32(rv) 29925 return nil 29926 case "exec.euser": 29927 if ev.Exec.Process == nil { 29928 ev.Exec.Process = &Process{} 29929 } 29930 rv, ok := value.(string) 29931 if !ok { 29932 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.EUser"} 29933 } 29934 ev.Exec.Process.Credentials.EUser = rv 29935 return nil 29936 case "exec.file.change_time": 29937 if ev.Exec.Process == nil { 29938 ev.Exec.Process = &Process{} 29939 } 29940 rv, ok := value.(int) 29941 if !ok { 29942 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.FileFields.CTime"} 29943 } 29944 ev.Exec.Process.FileEvent.FileFields.CTime = uint64(rv) 29945 return nil 29946 case "exec.file.filesystem": 29947 if ev.Exec.Process == nil { 29948 ev.Exec.Process = &Process{} 29949 } 29950 rv, ok := value.(string) 29951 if !ok { 29952 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.Filesystem"} 29953 } 29954 ev.Exec.Process.FileEvent.Filesystem = rv 29955 return nil 29956 case "exec.file.gid": 29957 if ev.Exec.Process == nil { 29958 ev.Exec.Process = &Process{} 29959 } 29960 rv, ok := value.(int) 29961 if !ok { 29962 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.FileFields.GID"} 29963 } 29964 ev.Exec.Process.FileEvent.FileFields.GID = uint32(rv) 29965 return nil 29966 case 
"exec.file.group": 29967 if ev.Exec.Process == nil { 29968 ev.Exec.Process = &Process{} 29969 } 29970 rv, ok := value.(string) 29971 if !ok { 29972 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.FileFields.Group"} 29973 } 29974 ev.Exec.Process.FileEvent.FileFields.Group = rv 29975 return nil 29976 case "exec.file.hashes": 29977 if ev.Exec.Process == nil { 29978 ev.Exec.Process = &Process{} 29979 } 29980 switch rv := value.(type) { 29981 case string: 29982 ev.Exec.Process.FileEvent.Hashes = append(ev.Exec.Process.FileEvent.Hashes, rv) 29983 case []string: 29984 ev.Exec.Process.FileEvent.Hashes = append(ev.Exec.Process.FileEvent.Hashes, rv...) 29985 default: 29986 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.Hashes"} 29987 } 29988 return nil 29989 case "exec.file.in_upper_layer": 29990 if ev.Exec.Process == nil { 29991 ev.Exec.Process = &Process{} 29992 } 29993 rv, ok := value.(bool) 29994 if !ok { 29995 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.FileFields.InUpperLayer"} 29996 } 29997 ev.Exec.Process.FileEvent.FileFields.InUpperLayer = rv 29998 return nil 29999 case "exec.file.inode": 30000 if ev.Exec.Process == nil { 30001 ev.Exec.Process = &Process{} 30002 } 30003 rv, ok := value.(int) 30004 if !ok { 30005 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.FileFields.PathKey.Inode"} 30006 } 30007 ev.Exec.Process.FileEvent.FileFields.PathKey.Inode = uint64(rv) 30008 return nil 30009 case "exec.file.mode": 30010 if ev.Exec.Process == nil { 30011 ev.Exec.Process = &Process{} 30012 } 30013 rv, ok := value.(int) 30014 if !ok { 30015 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.FileFields.Mode"} 30016 } 30017 ev.Exec.Process.FileEvent.FileFields.Mode = uint16(rv) 30018 return nil 30019 case "exec.file.modification_time": 30020 if ev.Exec.Process == nil { 30021 ev.Exec.Process = &Process{} 30022 } 30023 rv, ok := value.(int) 30024 if !ok { 30025 return 
&eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.FileFields.MTime"} 30026 } 30027 ev.Exec.Process.FileEvent.FileFields.MTime = uint64(rv) 30028 return nil 30029 case "exec.file.mount_id": 30030 if ev.Exec.Process == nil { 30031 ev.Exec.Process = &Process{} 30032 } 30033 rv, ok := value.(int) 30034 if !ok { 30035 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.FileFields.PathKey.MountID"} 30036 } 30037 ev.Exec.Process.FileEvent.FileFields.PathKey.MountID = uint32(rv) 30038 return nil 30039 case "exec.file.name": 30040 if ev.Exec.Process == nil { 30041 ev.Exec.Process = &Process{} 30042 } 30043 rv, ok := value.(string) 30044 if !ok { 30045 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.BasenameStr"} 30046 } 30047 ev.Exec.Process.FileEvent.BasenameStr = rv 30048 return nil 30049 case "exec.file.name.length": 30050 if ev.Exec.Process == nil { 30051 ev.Exec.Process = &Process{} 30052 } 30053 return &eval.ErrFieldReadOnly{Field: "exec.file.name.length"} 30054 case "exec.file.package.name": 30055 if ev.Exec.Process == nil { 30056 ev.Exec.Process = &Process{} 30057 } 30058 rv, ok := value.(string) 30059 if !ok { 30060 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.PkgName"} 30061 } 30062 ev.Exec.Process.FileEvent.PkgName = rv 30063 return nil 30064 case "exec.file.package.source_version": 30065 if ev.Exec.Process == nil { 30066 ev.Exec.Process = &Process{} 30067 } 30068 rv, ok := value.(string) 30069 if !ok { 30070 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.PkgSrcVersion"} 30071 } 30072 ev.Exec.Process.FileEvent.PkgSrcVersion = rv 30073 return nil 30074 case "exec.file.package.version": 30075 if ev.Exec.Process == nil { 30076 ev.Exec.Process = &Process{} 30077 } 30078 rv, ok := value.(string) 30079 if !ok { 30080 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.PkgVersion"} 30081 } 30082 ev.Exec.Process.FileEvent.PkgVersion = rv 30083 return nil 30084 case "exec.file.path": 
30085 if ev.Exec.Process == nil { 30086 ev.Exec.Process = &Process{} 30087 } 30088 rv, ok := value.(string) 30089 if !ok { 30090 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.PathnameStr"} 30091 } 30092 ev.Exec.Process.FileEvent.PathnameStr = rv 30093 return nil 30094 case "exec.file.path.length": 30095 if ev.Exec.Process == nil { 30096 ev.Exec.Process = &Process{} 30097 } 30098 return &eval.ErrFieldReadOnly{Field: "exec.file.path.length"} 30099 case "exec.file.rights": 30100 if ev.Exec.Process == nil { 30101 ev.Exec.Process = &Process{} 30102 } 30103 rv, ok := value.(int) 30104 if !ok { 30105 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.FileFields.Mode"} 30106 } 30107 ev.Exec.Process.FileEvent.FileFields.Mode = uint16(rv) 30108 return nil 30109 case "exec.file.uid": 30110 if ev.Exec.Process == nil { 30111 ev.Exec.Process = &Process{} 30112 } 30113 rv, ok := value.(int) 30114 if !ok { 30115 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.FileFields.UID"} 30116 } 30117 ev.Exec.Process.FileEvent.FileFields.UID = uint32(rv) 30118 return nil 30119 case "exec.file.user": 30120 if ev.Exec.Process == nil { 30121 ev.Exec.Process = &Process{} 30122 } 30123 rv, ok := value.(string) 30124 if !ok { 30125 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.FileEvent.FileFields.User"} 30126 } 30127 ev.Exec.Process.FileEvent.FileFields.User = rv 30128 return nil 30129 case "exec.fsgid": 30130 if ev.Exec.Process == nil { 30131 ev.Exec.Process = &Process{} 30132 } 30133 rv, ok := value.(int) 30134 if !ok { 30135 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.FSGID"} 30136 } 30137 ev.Exec.Process.Credentials.FSGID = uint32(rv) 30138 return nil 30139 case "exec.fsgroup": 30140 if ev.Exec.Process == nil { 30141 ev.Exec.Process = &Process{} 30142 } 30143 rv, ok := value.(string) 30144 if !ok { 30145 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.FSGroup"} 30146 } 30147 
ev.Exec.Process.Credentials.FSGroup = rv 30148 return nil 30149 case "exec.fsuid": 30150 if ev.Exec.Process == nil { 30151 ev.Exec.Process = &Process{} 30152 } 30153 rv, ok := value.(int) 30154 if !ok { 30155 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.FSUID"} 30156 } 30157 ev.Exec.Process.Credentials.FSUID = uint32(rv) 30158 return nil 30159 case "exec.fsuser": 30160 if ev.Exec.Process == nil { 30161 ev.Exec.Process = &Process{} 30162 } 30163 rv, ok := value.(string) 30164 if !ok { 30165 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.FSUser"} 30166 } 30167 ev.Exec.Process.Credentials.FSUser = rv 30168 return nil 30169 case "exec.gid": 30170 if ev.Exec.Process == nil { 30171 ev.Exec.Process = &Process{} 30172 } 30173 rv, ok := value.(int) 30174 if !ok { 30175 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.GID"} 30176 } 30177 ev.Exec.Process.Credentials.GID = uint32(rv) 30178 return nil 30179 case "exec.group": 30180 if ev.Exec.Process == nil { 30181 ev.Exec.Process = &Process{} 30182 } 30183 rv, ok := value.(string) 30184 if !ok { 30185 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.Group"} 30186 } 30187 ev.Exec.Process.Credentials.Group = rv 30188 return nil 30189 case "exec.interpreter.file.change_time": 30190 if ev.Exec.Process == nil { 30191 ev.Exec.Process = &Process{} 30192 } 30193 rv, ok := value.(int) 30194 if !ok { 30195 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.FileFields.CTime"} 30196 } 30197 ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.CTime = uint64(rv) 30198 return nil 30199 case "exec.interpreter.file.filesystem": 30200 if ev.Exec.Process == nil { 30201 ev.Exec.Process = &Process{} 30202 } 30203 rv, ok := value.(string) 30204 if !ok { 30205 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.Filesystem"} 30206 } 30207 ev.Exec.Process.LinuxBinprm.FileEvent.Filesystem = rv 30208 return nil 30209 case 
"exec.interpreter.file.gid": 30210 if ev.Exec.Process == nil { 30211 ev.Exec.Process = &Process{} 30212 } 30213 rv, ok := value.(int) 30214 if !ok { 30215 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.FileFields.GID"} 30216 } 30217 ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.GID = uint32(rv) 30218 return nil 30219 case "exec.interpreter.file.group": 30220 if ev.Exec.Process == nil { 30221 ev.Exec.Process = &Process{} 30222 } 30223 rv, ok := value.(string) 30224 if !ok { 30225 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.FileFields.Group"} 30226 } 30227 ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.Group = rv 30228 return nil 30229 case "exec.interpreter.file.hashes": 30230 if ev.Exec.Process == nil { 30231 ev.Exec.Process = &Process{} 30232 } 30233 switch rv := value.(type) { 30234 case string: 30235 ev.Exec.Process.LinuxBinprm.FileEvent.Hashes = append(ev.Exec.Process.LinuxBinprm.FileEvent.Hashes, rv) 30236 case []string: 30237 ev.Exec.Process.LinuxBinprm.FileEvent.Hashes = append(ev.Exec.Process.LinuxBinprm.FileEvent.Hashes, rv...) 
30238 default: 30239 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.Hashes"} 30240 } 30241 return nil 30242 case "exec.interpreter.file.in_upper_layer": 30243 if ev.Exec.Process == nil { 30244 ev.Exec.Process = &Process{} 30245 } 30246 rv, ok := value.(bool) 30247 if !ok { 30248 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer"} 30249 } 30250 ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer = rv 30251 return nil 30252 case "exec.interpreter.file.inode": 30253 if ev.Exec.Process == nil { 30254 ev.Exec.Process = &Process{} 30255 } 30256 rv, ok := value.(int) 30257 if !ok { 30258 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode"} 30259 } 30260 ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode = uint64(rv) 30261 return nil 30262 case "exec.interpreter.file.mode": 30263 if ev.Exec.Process == nil { 30264 ev.Exec.Process = &Process{} 30265 } 30266 rv, ok := value.(int) 30267 if !ok { 30268 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 30269 } 30270 ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 30271 return nil 30272 case "exec.interpreter.file.modification_time": 30273 if ev.Exec.Process == nil { 30274 ev.Exec.Process = &Process{} 30275 } 30276 rv, ok := value.(int) 30277 if !ok { 30278 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.FileFields.MTime"} 30279 } 30280 ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.MTime = uint64(rv) 30281 return nil 30282 case "exec.interpreter.file.mount_id": 30283 if ev.Exec.Process == nil { 30284 ev.Exec.Process = &Process{} 30285 } 30286 rv, ok := value.(int) 30287 if !ok { 30288 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID"} 30289 } 30290 ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID = uint32(rv) 30291 
return nil 30292 case "exec.interpreter.file.name": 30293 if ev.Exec.Process == nil { 30294 ev.Exec.Process = &Process{} 30295 } 30296 rv, ok := value.(string) 30297 if !ok { 30298 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.BasenameStr"} 30299 } 30300 ev.Exec.Process.LinuxBinprm.FileEvent.BasenameStr = rv 30301 return nil 30302 case "exec.interpreter.file.name.length": 30303 if ev.Exec.Process == nil { 30304 ev.Exec.Process = &Process{} 30305 } 30306 return &eval.ErrFieldReadOnly{Field: "exec.interpreter.file.name.length"} 30307 case "exec.interpreter.file.package.name": 30308 if ev.Exec.Process == nil { 30309 ev.Exec.Process = &Process{} 30310 } 30311 rv, ok := value.(string) 30312 if !ok { 30313 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.PkgName"} 30314 } 30315 ev.Exec.Process.LinuxBinprm.FileEvent.PkgName = rv 30316 return nil 30317 case "exec.interpreter.file.package.source_version": 30318 if ev.Exec.Process == nil { 30319 ev.Exec.Process = &Process{} 30320 } 30321 rv, ok := value.(string) 30322 if !ok { 30323 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.PkgSrcVersion"} 30324 } 30325 ev.Exec.Process.LinuxBinprm.FileEvent.PkgSrcVersion = rv 30326 return nil 30327 case "exec.interpreter.file.package.version": 30328 if ev.Exec.Process == nil { 30329 ev.Exec.Process = &Process{} 30330 } 30331 rv, ok := value.(string) 30332 if !ok { 30333 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.PkgVersion"} 30334 } 30335 ev.Exec.Process.LinuxBinprm.FileEvent.PkgVersion = rv 30336 return nil 30337 case "exec.interpreter.file.path": 30338 if ev.Exec.Process == nil { 30339 ev.Exec.Process = &Process{} 30340 } 30341 rv, ok := value.(string) 30342 if !ok { 30343 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.PathnameStr"} 30344 } 30345 ev.Exec.Process.LinuxBinprm.FileEvent.PathnameStr = rv 30346 return nil 30347 case 
"exec.interpreter.file.path.length": 30348 if ev.Exec.Process == nil { 30349 ev.Exec.Process = &Process{} 30350 } 30351 return &eval.ErrFieldReadOnly{Field: "exec.interpreter.file.path.length"} 30352 case "exec.interpreter.file.rights": 30353 if ev.Exec.Process == nil { 30354 ev.Exec.Process = &Process{} 30355 } 30356 rv, ok := value.(int) 30357 if !ok { 30358 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 30359 } 30360 ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 30361 return nil 30362 case "exec.interpreter.file.uid": 30363 if ev.Exec.Process == nil { 30364 ev.Exec.Process = &Process{} 30365 } 30366 rv, ok := value.(int) 30367 if !ok { 30368 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.FileFields.UID"} 30369 } 30370 ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.UID = uint32(rv) 30371 return nil 30372 case "exec.interpreter.file.user": 30373 if ev.Exec.Process == nil { 30374 ev.Exec.Process = &Process{} 30375 } 30376 rv, ok := value.(string) 30377 if !ok { 30378 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.LinuxBinprm.FileEvent.FileFields.User"} 30379 } 30380 ev.Exec.Process.LinuxBinprm.FileEvent.FileFields.User = rv 30381 return nil 30382 case "exec.is_kworker": 30383 if ev.Exec.Process == nil { 30384 ev.Exec.Process = &Process{} 30385 } 30386 rv, ok := value.(bool) 30387 if !ok { 30388 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.PIDContext.IsKworker"} 30389 } 30390 ev.Exec.Process.PIDContext.IsKworker = rv 30391 return nil 30392 case "exec.is_thread": 30393 if ev.Exec.Process == nil { 30394 ev.Exec.Process = &Process{} 30395 } 30396 rv, ok := value.(bool) 30397 if !ok { 30398 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.IsThread"} 30399 } 30400 ev.Exec.Process.IsThread = rv 30401 return nil 30402 case "exec.pid": 30403 if ev.Exec.Process == nil { 30404 ev.Exec.Process = &Process{} 30405 } 30406 rv, ok := value.(int) 30407 if !ok 
{ 30408 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.PIDContext.Pid"} 30409 } 30410 ev.Exec.Process.PIDContext.Pid = uint32(rv) 30411 return nil 30412 case "exec.ppid": 30413 if ev.Exec.Process == nil { 30414 ev.Exec.Process = &Process{} 30415 } 30416 rv, ok := value.(int) 30417 if !ok { 30418 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.PPid"} 30419 } 30420 ev.Exec.Process.PPid = uint32(rv) 30421 return nil 30422 case "exec.tid": 30423 if ev.Exec.Process == nil { 30424 ev.Exec.Process = &Process{} 30425 } 30426 rv, ok := value.(int) 30427 if !ok { 30428 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.PIDContext.Tid"} 30429 } 30430 ev.Exec.Process.PIDContext.Tid = uint32(rv) 30431 return nil 30432 case "exec.tty_name": 30433 if ev.Exec.Process == nil { 30434 ev.Exec.Process = &Process{} 30435 } 30436 rv, ok := value.(string) 30437 if !ok { 30438 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.TTYName"} 30439 } 30440 ev.Exec.Process.TTYName = rv 30441 return nil 30442 case "exec.uid": 30443 if ev.Exec.Process == nil { 30444 ev.Exec.Process = &Process{} 30445 } 30446 rv, ok := value.(int) 30447 if !ok { 30448 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.UID"} 30449 } 30450 ev.Exec.Process.Credentials.UID = uint32(rv) 30451 return nil 30452 case "exec.user": 30453 if ev.Exec.Process == nil { 30454 ev.Exec.Process = &Process{} 30455 } 30456 rv, ok := value.(string) 30457 if !ok { 30458 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.Credentials.User"} 30459 } 30460 ev.Exec.Process.Credentials.User = rv 30461 return nil 30462 case "exec.user_session.k8s_groups": 30463 if ev.Exec.Process == nil { 30464 ev.Exec.Process = &Process{} 30465 } 30466 switch rv := value.(type) { 30467 case string: 30468 ev.Exec.Process.UserSession.K8SGroups = append(ev.Exec.Process.UserSession.K8SGroups, rv) 30469 case []string: 30470 ev.Exec.Process.UserSession.K8SGroups = append(ev.Exec.Process.UserSession.K8SGroups, rv...) 
30471 default: 30472 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.UserSession.K8SGroups"} 30473 } 30474 return nil 30475 case "exec.user_session.k8s_uid": 30476 if ev.Exec.Process == nil { 30477 ev.Exec.Process = &Process{} 30478 } 30479 rv, ok := value.(string) 30480 if !ok { 30481 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.UserSession.K8SUID"} 30482 } 30483 ev.Exec.Process.UserSession.K8SUID = rv 30484 return nil 30485 case "exec.user_session.k8s_username": 30486 if ev.Exec.Process == nil { 30487 ev.Exec.Process = &Process{} 30488 } 30489 rv, ok := value.(string) 30490 if !ok { 30491 return &eval.ErrValueTypeMismatch{Field: "Exec.Process.UserSession.K8SUsername"} 30492 } 30493 ev.Exec.Process.UserSession.K8SUsername = rv 30494 return nil 30495 case "exit.args": 30496 if ev.Exit.Process == nil { 30497 ev.Exit.Process = &Process{} 30498 } 30499 rv, ok := value.(string) 30500 if !ok { 30501 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Args"} 30502 } 30503 ev.Exit.Process.Args = rv 30504 return nil 30505 case "exit.args_flags": 30506 if ev.Exit.Process == nil { 30507 ev.Exit.Process = &Process{} 30508 } 30509 switch rv := value.(type) { 30510 case string: 30511 ev.Exit.Process.Argv = append(ev.Exit.Process.Argv, rv) 30512 case []string: 30513 ev.Exit.Process.Argv = append(ev.Exit.Process.Argv, rv...) 30514 default: 30515 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Argv"} 30516 } 30517 return nil 30518 case "exit.args_options": 30519 if ev.Exit.Process == nil { 30520 ev.Exit.Process = &Process{} 30521 } 30522 switch rv := value.(type) { 30523 case string: 30524 ev.Exit.Process.Argv = append(ev.Exit.Process.Argv, rv) 30525 case []string: 30526 ev.Exit.Process.Argv = append(ev.Exit.Process.Argv, rv...) 
30527 default: 30528 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Argv"} 30529 } 30530 return nil 30531 case "exit.args_truncated": 30532 if ev.Exit.Process == nil { 30533 ev.Exit.Process = &Process{} 30534 } 30535 rv, ok := value.(bool) 30536 if !ok { 30537 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.ArgsTruncated"} 30538 } 30539 ev.Exit.Process.ArgsTruncated = rv 30540 return nil 30541 case "exit.argv": 30542 if ev.Exit.Process == nil { 30543 ev.Exit.Process = &Process{} 30544 } 30545 switch rv := value.(type) { 30546 case string: 30547 ev.Exit.Process.Argv = append(ev.Exit.Process.Argv, rv) 30548 case []string: 30549 ev.Exit.Process.Argv = append(ev.Exit.Process.Argv, rv...) 30550 default: 30551 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Argv"} 30552 } 30553 return nil 30554 case "exit.argv0": 30555 if ev.Exit.Process == nil { 30556 ev.Exit.Process = &Process{} 30557 } 30558 rv, ok := value.(string) 30559 if !ok { 30560 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Argv0"} 30561 } 30562 ev.Exit.Process.Argv0 = rv 30563 return nil 30564 case "exit.cap_effective": 30565 if ev.Exit.Process == nil { 30566 ev.Exit.Process = &Process{} 30567 } 30568 rv, ok := value.(int) 30569 if !ok { 30570 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Credentials.CapEffective"} 30571 } 30572 ev.Exit.Process.Credentials.CapEffective = uint64(rv) 30573 return nil 30574 case "exit.cap_permitted": 30575 if ev.Exit.Process == nil { 30576 ev.Exit.Process = &Process{} 30577 } 30578 rv, ok := value.(int) 30579 if !ok { 30580 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Credentials.CapPermitted"} 30581 } 30582 ev.Exit.Process.Credentials.CapPermitted = uint64(rv) 30583 return nil 30584 case "exit.cause": 30585 rv, ok := value.(int) 30586 if !ok { 30587 return &eval.ErrValueTypeMismatch{Field: "Exit.Cause"} 30588 } 30589 ev.Exit.Cause = uint32(rv) 30590 return nil 30591 case "exit.code": 30592 rv, ok := value.(int) 30593 if !ok { 
30594 return &eval.ErrValueTypeMismatch{Field: "Exit.Code"} 30595 } 30596 ev.Exit.Code = uint32(rv) 30597 return nil 30598 case "exit.comm": 30599 if ev.Exit.Process == nil { 30600 ev.Exit.Process = &Process{} 30601 } 30602 rv, ok := value.(string) 30603 if !ok { 30604 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Comm"} 30605 } 30606 ev.Exit.Process.Comm = rv 30607 return nil 30608 case "exit.container.id": 30609 if ev.Exit.Process == nil { 30610 ev.Exit.Process = &Process{} 30611 } 30612 rv, ok := value.(string) 30613 if !ok { 30614 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.ContainerID"} 30615 } 30616 ev.Exit.Process.ContainerID = rv 30617 return nil 30618 case "exit.created_at": 30619 if ev.Exit.Process == nil { 30620 ev.Exit.Process = &Process{} 30621 } 30622 rv, ok := value.(int) 30623 if !ok { 30624 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.CreatedAt"} 30625 } 30626 ev.Exit.Process.CreatedAt = uint64(rv) 30627 return nil 30628 case "exit.egid": 30629 if ev.Exit.Process == nil { 30630 ev.Exit.Process = &Process{} 30631 } 30632 rv, ok := value.(int) 30633 if !ok { 30634 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Credentials.EGID"} 30635 } 30636 ev.Exit.Process.Credentials.EGID = uint32(rv) 30637 return nil 30638 case "exit.egroup": 30639 if ev.Exit.Process == nil { 30640 ev.Exit.Process = &Process{} 30641 } 30642 rv, ok := value.(string) 30643 if !ok { 30644 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Credentials.EGroup"} 30645 } 30646 ev.Exit.Process.Credentials.EGroup = rv 30647 return nil 30648 case "exit.envp": 30649 if ev.Exit.Process == nil { 30650 ev.Exit.Process = &Process{} 30651 } 30652 switch rv := value.(type) { 30653 case string: 30654 ev.Exit.Process.Envp = append(ev.Exit.Process.Envp, rv) 30655 case []string: 30656 ev.Exit.Process.Envp = append(ev.Exit.Process.Envp, rv...) 
30657 default: 30658 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Envp"} 30659 } 30660 return nil 30661 case "exit.envs": 30662 if ev.Exit.Process == nil { 30663 ev.Exit.Process = &Process{} 30664 } 30665 switch rv := value.(type) { 30666 case string: 30667 ev.Exit.Process.Envs = append(ev.Exit.Process.Envs, rv) 30668 case []string: 30669 ev.Exit.Process.Envs = append(ev.Exit.Process.Envs, rv...) 30670 default: 30671 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Envs"} 30672 } 30673 return nil 30674 case "exit.envs_truncated": 30675 if ev.Exit.Process == nil { 30676 ev.Exit.Process = &Process{} 30677 } 30678 rv, ok := value.(bool) 30679 if !ok { 30680 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.EnvsTruncated"} 30681 } 30682 ev.Exit.Process.EnvsTruncated = rv 30683 return nil 30684 case "exit.euid": 30685 if ev.Exit.Process == nil { 30686 ev.Exit.Process = &Process{} 30687 } 30688 rv, ok := value.(int) 30689 if !ok { 30690 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Credentials.EUID"} 30691 } 30692 ev.Exit.Process.Credentials.EUID = uint32(rv) 30693 return nil 30694 case "exit.euser": 30695 if ev.Exit.Process == nil { 30696 ev.Exit.Process = &Process{} 30697 } 30698 rv, ok := value.(string) 30699 if !ok { 30700 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Credentials.EUser"} 30701 } 30702 ev.Exit.Process.Credentials.EUser = rv 30703 return nil 30704 case "exit.file.change_time": 30705 if ev.Exit.Process == nil { 30706 ev.Exit.Process = &Process{} 30707 } 30708 rv, ok := value.(int) 30709 if !ok { 30710 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.FileFields.CTime"} 30711 } 30712 ev.Exit.Process.FileEvent.FileFields.CTime = uint64(rv) 30713 return nil 30714 case "exit.file.filesystem": 30715 if ev.Exit.Process == nil { 30716 ev.Exit.Process = &Process{} 30717 } 30718 rv, ok := value.(string) 30719 if !ok { 30720 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.Filesystem"} 30721 } 
30722 ev.Exit.Process.FileEvent.Filesystem = rv 30723 return nil 30724 case "exit.file.gid": 30725 if ev.Exit.Process == nil { 30726 ev.Exit.Process = &Process{} 30727 } 30728 rv, ok := value.(int) 30729 if !ok { 30730 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.FileFields.GID"} 30731 } 30732 ev.Exit.Process.FileEvent.FileFields.GID = uint32(rv) 30733 return nil 30734 case "exit.file.group": 30735 if ev.Exit.Process == nil { 30736 ev.Exit.Process = &Process{} 30737 } 30738 rv, ok := value.(string) 30739 if !ok { 30740 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.FileFields.Group"} 30741 } 30742 ev.Exit.Process.FileEvent.FileFields.Group = rv 30743 return nil 30744 case "exit.file.hashes": 30745 if ev.Exit.Process == nil { 30746 ev.Exit.Process = &Process{} 30747 } 30748 switch rv := value.(type) { 30749 case string: 30750 ev.Exit.Process.FileEvent.Hashes = append(ev.Exit.Process.FileEvent.Hashes, rv) 30751 case []string: 30752 ev.Exit.Process.FileEvent.Hashes = append(ev.Exit.Process.FileEvent.Hashes, rv...) 
30753 default: 30754 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.Hashes"} 30755 } 30756 return nil 30757 case "exit.file.in_upper_layer": 30758 if ev.Exit.Process == nil { 30759 ev.Exit.Process = &Process{} 30760 } 30761 rv, ok := value.(bool) 30762 if !ok { 30763 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.FileFields.InUpperLayer"} 30764 } 30765 ev.Exit.Process.FileEvent.FileFields.InUpperLayer = rv 30766 return nil 30767 case "exit.file.inode": 30768 if ev.Exit.Process == nil { 30769 ev.Exit.Process = &Process{} 30770 } 30771 rv, ok := value.(int) 30772 if !ok { 30773 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.FileFields.PathKey.Inode"} 30774 } 30775 ev.Exit.Process.FileEvent.FileFields.PathKey.Inode = uint64(rv) 30776 return nil 30777 case "exit.file.mode": 30778 if ev.Exit.Process == nil { 30779 ev.Exit.Process = &Process{} 30780 } 30781 rv, ok := value.(int) 30782 if !ok { 30783 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.FileFields.Mode"} 30784 } 30785 ev.Exit.Process.FileEvent.FileFields.Mode = uint16(rv) 30786 return nil 30787 case "exit.file.modification_time": 30788 if ev.Exit.Process == nil { 30789 ev.Exit.Process = &Process{} 30790 } 30791 rv, ok := value.(int) 30792 if !ok { 30793 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.FileFields.MTime"} 30794 } 30795 ev.Exit.Process.FileEvent.FileFields.MTime = uint64(rv) 30796 return nil 30797 case "exit.file.mount_id": 30798 if ev.Exit.Process == nil { 30799 ev.Exit.Process = &Process{} 30800 } 30801 rv, ok := value.(int) 30802 if !ok { 30803 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.FileFields.PathKey.MountID"} 30804 } 30805 ev.Exit.Process.FileEvent.FileFields.PathKey.MountID = uint32(rv) 30806 return nil 30807 case "exit.file.name": 30808 if ev.Exit.Process == nil { 30809 ev.Exit.Process = &Process{} 30810 } 30811 rv, ok := value.(string) 30812 if !ok { 30813 return 
&eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.BasenameStr"} 30814 } 30815 ev.Exit.Process.FileEvent.BasenameStr = rv 30816 return nil 30817 case "exit.file.name.length": 30818 if ev.Exit.Process == nil { 30819 ev.Exit.Process = &Process{} 30820 } 30821 return &eval.ErrFieldReadOnly{Field: "exit.file.name.length"} 30822 case "exit.file.package.name": 30823 if ev.Exit.Process == nil { 30824 ev.Exit.Process = &Process{} 30825 } 30826 rv, ok := value.(string) 30827 if !ok { 30828 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.PkgName"} 30829 } 30830 ev.Exit.Process.FileEvent.PkgName = rv 30831 return nil 30832 case "exit.file.package.source_version": 30833 if ev.Exit.Process == nil { 30834 ev.Exit.Process = &Process{} 30835 } 30836 rv, ok := value.(string) 30837 if !ok { 30838 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.PkgSrcVersion"} 30839 } 30840 ev.Exit.Process.FileEvent.PkgSrcVersion = rv 30841 return nil 30842 case "exit.file.package.version": 30843 if ev.Exit.Process == nil { 30844 ev.Exit.Process = &Process{} 30845 } 30846 rv, ok := value.(string) 30847 if !ok { 30848 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.PkgVersion"} 30849 } 30850 ev.Exit.Process.FileEvent.PkgVersion = rv 30851 return nil 30852 case "exit.file.path": 30853 if ev.Exit.Process == nil { 30854 ev.Exit.Process = &Process{} 30855 } 30856 rv, ok := value.(string) 30857 if !ok { 30858 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.PathnameStr"} 30859 } 30860 ev.Exit.Process.FileEvent.PathnameStr = rv 30861 return nil 30862 case "exit.file.path.length": 30863 if ev.Exit.Process == nil { 30864 ev.Exit.Process = &Process{} 30865 } 30866 return &eval.ErrFieldReadOnly{Field: "exit.file.path.length"} 30867 case "exit.file.rights": 30868 if ev.Exit.Process == nil { 30869 ev.Exit.Process = &Process{} 30870 } 30871 rv, ok := value.(int) 30872 if !ok { 30873 return &eval.ErrValueTypeMismatch{Field: 
"Exit.Process.FileEvent.FileFields.Mode"} 30874 } 30875 ev.Exit.Process.FileEvent.FileFields.Mode = uint16(rv) 30876 return nil 30877 case "exit.file.uid": 30878 if ev.Exit.Process == nil { 30879 ev.Exit.Process = &Process{} 30880 } 30881 rv, ok := value.(int) 30882 if !ok { 30883 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.FileFields.UID"} 30884 } 30885 ev.Exit.Process.FileEvent.FileFields.UID = uint32(rv) 30886 return nil 30887 case "exit.file.user": 30888 if ev.Exit.Process == nil { 30889 ev.Exit.Process = &Process{} 30890 } 30891 rv, ok := value.(string) 30892 if !ok { 30893 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.FileEvent.FileFields.User"} 30894 } 30895 ev.Exit.Process.FileEvent.FileFields.User = rv 30896 return nil 30897 case "exit.fsgid": 30898 if ev.Exit.Process == nil { 30899 ev.Exit.Process = &Process{} 30900 } 30901 rv, ok := value.(int) 30902 if !ok { 30903 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Credentials.FSGID"} 30904 } 30905 ev.Exit.Process.Credentials.FSGID = uint32(rv) 30906 return nil 30907 case "exit.fsgroup": 30908 if ev.Exit.Process == nil { 30909 ev.Exit.Process = &Process{} 30910 } 30911 rv, ok := value.(string) 30912 if !ok { 30913 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Credentials.FSGroup"} 30914 } 30915 ev.Exit.Process.Credentials.FSGroup = rv 30916 return nil 30917 case "exit.fsuid": 30918 if ev.Exit.Process == nil { 30919 ev.Exit.Process = &Process{} 30920 } 30921 rv, ok := value.(int) 30922 if !ok { 30923 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Credentials.FSUID"} 30924 } 30925 ev.Exit.Process.Credentials.FSUID = uint32(rv) 30926 return nil 30927 case "exit.fsuser": 30928 if ev.Exit.Process == nil { 30929 ev.Exit.Process = &Process{} 30930 } 30931 rv, ok := value.(string) 30932 if !ok { 30933 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Credentials.FSUser"} 30934 } 30935 ev.Exit.Process.Credentials.FSUser = rv 30936 return nil 30937 case 
"exit.gid": 30938 if ev.Exit.Process == nil { 30939 ev.Exit.Process = &Process{} 30940 } 30941 rv, ok := value.(int) 30942 if !ok { 30943 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Credentials.GID"} 30944 } 30945 ev.Exit.Process.Credentials.GID = uint32(rv) 30946 return nil 30947 case "exit.group": 30948 if ev.Exit.Process == nil { 30949 ev.Exit.Process = &Process{} 30950 } 30951 rv, ok := value.(string) 30952 if !ok { 30953 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Credentials.Group"} 30954 } 30955 ev.Exit.Process.Credentials.Group = rv 30956 return nil 30957 case "exit.interpreter.file.change_time": 30958 if ev.Exit.Process == nil { 30959 ev.Exit.Process = &Process{} 30960 } 30961 rv, ok := value.(int) 30962 if !ok { 30963 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.FileFields.CTime"} 30964 } 30965 ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.CTime = uint64(rv) 30966 return nil 30967 case "exit.interpreter.file.filesystem": 30968 if ev.Exit.Process == nil { 30969 ev.Exit.Process = &Process{} 30970 } 30971 rv, ok := value.(string) 30972 if !ok { 30973 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.Filesystem"} 30974 } 30975 ev.Exit.Process.LinuxBinprm.FileEvent.Filesystem = rv 30976 return nil 30977 case "exit.interpreter.file.gid": 30978 if ev.Exit.Process == nil { 30979 ev.Exit.Process = &Process{} 30980 } 30981 rv, ok := value.(int) 30982 if !ok { 30983 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.FileFields.GID"} 30984 } 30985 ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.GID = uint32(rv) 30986 return nil 30987 case "exit.interpreter.file.group": 30988 if ev.Exit.Process == nil { 30989 ev.Exit.Process = &Process{} 30990 } 30991 rv, ok := value.(string) 30992 if !ok { 30993 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.FileFields.Group"} 30994 } 30995 ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.Group 
= rv 30996 return nil 30997 case "exit.interpreter.file.hashes": 30998 if ev.Exit.Process == nil { 30999 ev.Exit.Process = &Process{} 31000 } 31001 switch rv := value.(type) { 31002 case string: 31003 ev.Exit.Process.LinuxBinprm.FileEvent.Hashes = append(ev.Exit.Process.LinuxBinprm.FileEvent.Hashes, rv) 31004 case []string: 31005 ev.Exit.Process.LinuxBinprm.FileEvent.Hashes = append(ev.Exit.Process.LinuxBinprm.FileEvent.Hashes, rv...) 31006 default: 31007 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.Hashes"} 31008 } 31009 return nil 31010 case "exit.interpreter.file.in_upper_layer": 31011 if ev.Exit.Process == nil { 31012 ev.Exit.Process = &Process{} 31013 } 31014 rv, ok := value.(bool) 31015 if !ok { 31016 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer"} 31017 } 31018 ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer = rv 31019 return nil 31020 case "exit.interpreter.file.inode": 31021 if ev.Exit.Process == nil { 31022 ev.Exit.Process = &Process{} 31023 } 31024 rv, ok := value.(int) 31025 if !ok { 31026 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode"} 31027 } 31028 ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode = uint64(rv) 31029 return nil 31030 case "exit.interpreter.file.mode": 31031 if ev.Exit.Process == nil { 31032 ev.Exit.Process = &Process{} 31033 } 31034 rv, ok := value.(int) 31035 if !ok { 31036 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 31037 } 31038 ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 31039 return nil 31040 case "exit.interpreter.file.modification_time": 31041 if ev.Exit.Process == nil { 31042 ev.Exit.Process = &Process{} 31043 } 31044 rv, ok := value.(int) 31045 if !ok { 31046 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.FileFields.MTime"} 31047 } 31048 
ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.MTime = uint64(rv) 31049 return nil 31050 case "exit.interpreter.file.mount_id": 31051 if ev.Exit.Process == nil { 31052 ev.Exit.Process = &Process{} 31053 } 31054 rv, ok := value.(int) 31055 if !ok { 31056 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID"} 31057 } 31058 ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID = uint32(rv) 31059 return nil 31060 case "exit.interpreter.file.name": 31061 if ev.Exit.Process == nil { 31062 ev.Exit.Process = &Process{} 31063 } 31064 rv, ok := value.(string) 31065 if !ok { 31066 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.BasenameStr"} 31067 } 31068 ev.Exit.Process.LinuxBinprm.FileEvent.BasenameStr = rv 31069 return nil 31070 case "exit.interpreter.file.name.length": 31071 if ev.Exit.Process == nil { 31072 ev.Exit.Process = &Process{} 31073 } 31074 return &eval.ErrFieldReadOnly{Field: "exit.interpreter.file.name.length"} 31075 case "exit.interpreter.file.package.name": 31076 if ev.Exit.Process == nil { 31077 ev.Exit.Process = &Process{} 31078 } 31079 rv, ok := value.(string) 31080 if !ok { 31081 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.PkgName"} 31082 } 31083 ev.Exit.Process.LinuxBinprm.FileEvent.PkgName = rv 31084 return nil 31085 case "exit.interpreter.file.package.source_version": 31086 if ev.Exit.Process == nil { 31087 ev.Exit.Process = &Process{} 31088 } 31089 rv, ok := value.(string) 31090 if !ok { 31091 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.PkgSrcVersion"} 31092 } 31093 ev.Exit.Process.LinuxBinprm.FileEvent.PkgSrcVersion = rv 31094 return nil 31095 case "exit.interpreter.file.package.version": 31096 if ev.Exit.Process == nil { 31097 ev.Exit.Process = &Process{} 31098 } 31099 rv, ok := value.(string) 31100 if !ok { 31101 return &eval.ErrValueTypeMismatch{Field: 
"Exit.Process.LinuxBinprm.FileEvent.PkgVersion"} 31102 } 31103 ev.Exit.Process.LinuxBinprm.FileEvent.PkgVersion = rv 31104 return nil 31105 case "exit.interpreter.file.path": 31106 if ev.Exit.Process == nil { 31107 ev.Exit.Process = &Process{} 31108 } 31109 rv, ok := value.(string) 31110 if !ok { 31111 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.PathnameStr"} 31112 } 31113 ev.Exit.Process.LinuxBinprm.FileEvent.PathnameStr = rv 31114 return nil 31115 case "exit.interpreter.file.path.length": 31116 if ev.Exit.Process == nil { 31117 ev.Exit.Process = &Process{} 31118 } 31119 return &eval.ErrFieldReadOnly{Field: "exit.interpreter.file.path.length"} 31120 case "exit.interpreter.file.rights": 31121 if ev.Exit.Process == nil { 31122 ev.Exit.Process = &Process{} 31123 } 31124 rv, ok := value.(int) 31125 if !ok { 31126 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 31127 } 31128 ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 31129 return nil 31130 case "exit.interpreter.file.uid": 31131 if ev.Exit.Process == nil { 31132 ev.Exit.Process = &Process{} 31133 } 31134 rv, ok := value.(int) 31135 if !ok { 31136 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.FileFields.UID"} 31137 } 31138 ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.UID = uint32(rv) 31139 return nil 31140 case "exit.interpreter.file.user": 31141 if ev.Exit.Process == nil { 31142 ev.Exit.Process = &Process{} 31143 } 31144 rv, ok := value.(string) 31145 if !ok { 31146 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.LinuxBinprm.FileEvent.FileFields.User"} 31147 } 31148 ev.Exit.Process.LinuxBinprm.FileEvent.FileFields.User = rv 31149 return nil 31150 case "exit.is_kworker": 31151 if ev.Exit.Process == nil { 31152 ev.Exit.Process = &Process{} 31153 } 31154 rv, ok := value.(bool) 31155 if !ok { 31156 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.PIDContext.IsKworker"} 
31157 } 31158 ev.Exit.Process.PIDContext.IsKworker = rv 31159 return nil 31160 case "exit.is_thread": 31161 if ev.Exit.Process == nil { 31162 ev.Exit.Process = &Process{} 31163 } 31164 rv, ok := value.(bool) 31165 if !ok { 31166 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.IsThread"} 31167 } 31168 ev.Exit.Process.IsThread = rv 31169 return nil 31170 case "exit.pid": 31171 if ev.Exit.Process == nil { 31172 ev.Exit.Process = &Process{} 31173 } 31174 rv, ok := value.(int) 31175 if !ok { 31176 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.PIDContext.Pid"} 31177 } 31178 ev.Exit.Process.PIDContext.Pid = uint32(rv) 31179 return nil 31180 case "exit.ppid": 31181 if ev.Exit.Process == nil { 31182 ev.Exit.Process = &Process{} 31183 } 31184 rv, ok := value.(int) 31185 if !ok { 31186 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.PPid"} 31187 } 31188 ev.Exit.Process.PPid = uint32(rv) 31189 return nil 31190 case "exit.tid": 31191 if ev.Exit.Process == nil { 31192 ev.Exit.Process = &Process{} 31193 } 31194 rv, ok := value.(int) 31195 if !ok { 31196 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.PIDContext.Tid"} 31197 } 31198 ev.Exit.Process.PIDContext.Tid = uint32(rv) 31199 return nil 31200 case "exit.tty_name": 31201 if ev.Exit.Process == nil { 31202 ev.Exit.Process = &Process{} 31203 } 31204 rv, ok := value.(string) 31205 if !ok { 31206 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.TTYName"} 31207 } 31208 ev.Exit.Process.TTYName = rv 31209 return nil 31210 case "exit.uid": 31211 if ev.Exit.Process == nil { 31212 ev.Exit.Process = &Process{} 31213 } 31214 rv, ok := value.(int) 31215 if !ok { 31216 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.Credentials.UID"} 31217 } 31218 ev.Exit.Process.Credentials.UID = uint32(rv) 31219 return nil 31220 case "exit.user": 31221 if ev.Exit.Process == nil { 31222 ev.Exit.Process = &Process{} 31223 } 31224 rv, ok := value.(string) 31225 if !ok { 31226 return &eval.ErrValueTypeMismatch{Field: 
"Exit.Process.Credentials.User"} 31227 } 31228 ev.Exit.Process.Credentials.User = rv 31229 return nil 31230 case "exit.user_session.k8s_groups": 31231 if ev.Exit.Process == nil { 31232 ev.Exit.Process = &Process{} 31233 } 31234 switch rv := value.(type) { 31235 case string: 31236 ev.Exit.Process.UserSession.K8SGroups = append(ev.Exit.Process.UserSession.K8SGroups, rv) 31237 case []string: 31238 ev.Exit.Process.UserSession.K8SGroups = append(ev.Exit.Process.UserSession.K8SGroups, rv...) 31239 default: 31240 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.UserSession.K8SGroups"} 31241 } 31242 return nil 31243 case "exit.user_session.k8s_uid": 31244 if ev.Exit.Process == nil { 31245 ev.Exit.Process = &Process{} 31246 } 31247 rv, ok := value.(string) 31248 if !ok { 31249 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.UserSession.K8SUID"} 31250 } 31251 ev.Exit.Process.UserSession.K8SUID = rv 31252 return nil 31253 case "exit.user_session.k8s_username": 31254 if ev.Exit.Process == nil { 31255 ev.Exit.Process = &Process{} 31256 } 31257 rv, ok := value.(string) 31258 if !ok { 31259 return &eval.ErrValueTypeMismatch{Field: "Exit.Process.UserSession.K8SUsername"} 31260 } 31261 ev.Exit.Process.UserSession.K8SUsername = rv 31262 return nil 31263 case "link.file.change_time": 31264 rv, ok := value.(int) 31265 if !ok { 31266 return &eval.ErrValueTypeMismatch{Field: "Link.Source.FileFields.CTime"} 31267 } 31268 ev.Link.Source.FileFields.CTime = uint64(rv) 31269 return nil 31270 case "link.file.destination.change_time": 31271 rv, ok := value.(int) 31272 if !ok { 31273 return &eval.ErrValueTypeMismatch{Field: "Link.Target.FileFields.CTime"} 31274 } 31275 ev.Link.Target.FileFields.CTime = uint64(rv) 31276 return nil 31277 case "link.file.destination.filesystem": 31278 rv, ok := value.(string) 31279 if !ok { 31280 return &eval.ErrValueTypeMismatch{Field: "Link.Target.Filesystem"} 31281 } 31282 ev.Link.Target.Filesystem = rv 31283 return nil 31284 case 
"link.file.destination.gid": 31285 rv, ok := value.(int) 31286 if !ok { 31287 return &eval.ErrValueTypeMismatch{Field: "Link.Target.FileFields.GID"} 31288 } 31289 ev.Link.Target.FileFields.GID = uint32(rv) 31290 return nil 31291 case "link.file.destination.group": 31292 rv, ok := value.(string) 31293 if !ok { 31294 return &eval.ErrValueTypeMismatch{Field: "Link.Target.FileFields.Group"} 31295 } 31296 ev.Link.Target.FileFields.Group = rv 31297 return nil 31298 case "link.file.destination.hashes": 31299 switch rv := value.(type) { 31300 case string: 31301 ev.Link.Target.Hashes = append(ev.Link.Target.Hashes, rv) 31302 case []string: 31303 ev.Link.Target.Hashes = append(ev.Link.Target.Hashes, rv...) 31304 default: 31305 return &eval.ErrValueTypeMismatch{Field: "Link.Target.Hashes"} 31306 } 31307 return nil 31308 case "link.file.destination.in_upper_layer": 31309 rv, ok := value.(bool) 31310 if !ok { 31311 return &eval.ErrValueTypeMismatch{Field: "Link.Target.FileFields.InUpperLayer"} 31312 } 31313 ev.Link.Target.FileFields.InUpperLayer = rv 31314 return nil 31315 case "link.file.destination.inode": 31316 rv, ok := value.(int) 31317 if !ok { 31318 return &eval.ErrValueTypeMismatch{Field: "Link.Target.FileFields.PathKey.Inode"} 31319 } 31320 ev.Link.Target.FileFields.PathKey.Inode = uint64(rv) 31321 return nil 31322 case "link.file.destination.mode": 31323 rv, ok := value.(int) 31324 if !ok { 31325 return &eval.ErrValueTypeMismatch{Field: "Link.Target.FileFields.Mode"} 31326 } 31327 ev.Link.Target.FileFields.Mode = uint16(rv) 31328 return nil 31329 case "link.file.destination.modification_time": 31330 rv, ok := value.(int) 31331 if !ok { 31332 return &eval.ErrValueTypeMismatch{Field: "Link.Target.FileFields.MTime"} 31333 } 31334 ev.Link.Target.FileFields.MTime = uint64(rv) 31335 return nil 31336 case "link.file.destination.mount_id": 31337 rv, ok := value.(int) 31338 if !ok { 31339 return &eval.ErrValueTypeMismatch{Field: "Link.Target.FileFields.PathKey.MountID"} 31340 
} 31341 ev.Link.Target.FileFields.PathKey.MountID = uint32(rv) 31342 return nil 31343 case "link.file.destination.name": 31344 rv, ok := value.(string) 31345 if !ok { 31346 return &eval.ErrValueTypeMismatch{Field: "Link.Target.BasenameStr"} 31347 } 31348 ev.Link.Target.BasenameStr = rv 31349 return nil 31350 case "link.file.destination.name.length": 31351 return &eval.ErrFieldReadOnly{Field: "link.file.destination.name.length"} 31352 case "link.file.destination.package.name": 31353 rv, ok := value.(string) 31354 if !ok { 31355 return &eval.ErrValueTypeMismatch{Field: "Link.Target.PkgName"} 31356 } 31357 ev.Link.Target.PkgName = rv 31358 return nil 31359 case "link.file.destination.package.source_version": 31360 rv, ok := value.(string) 31361 if !ok { 31362 return &eval.ErrValueTypeMismatch{Field: "Link.Target.PkgSrcVersion"} 31363 } 31364 ev.Link.Target.PkgSrcVersion = rv 31365 return nil 31366 case "link.file.destination.package.version": 31367 rv, ok := value.(string) 31368 if !ok { 31369 return &eval.ErrValueTypeMismatch{Field: "Link.Target.PkgVersion"} 31370 } 31371 ev.Link.Target.PkgVersion = rv 31372 return nil 31373 case "link.file.destination.path": 31374 rv, ok := value.(string) 31375 if !ok { 31376 return &eval.ErrValueTypeMismatch{Field: "Link.Target.PathnameStr"} 31377 } 31378 ev.Link.Target.PathnameStr = rv 31379 return nil 31380 case "link.file.destination.path.length": 31381 return &eval.ErrFieldReadOnly{Field: "link.file.destination.path.length"} 31382 case "link.file.destination.rights": 31383 rv, ok := value.(int) 31384 if !ok { 31385 return &eval.ErrValueTypeMismatch{Field: "Link.Target.FileFields.Mode"} 31386 } 31387 ev.Link.Target.FileFields.Mode = uint16(rv) 31388 return nil 31389 case "link.file.destination.uid": 31390 rv, ok := value.(int) 31391 if !ok { 31392 return &eval.ErrValueTypeMismatch{Field: "Link.Target.FileFields.UID"} 31393 } 31394 ev.Link.Target.FileFields.UID = uint32(rv) 31395 return nil 31396 case 
"link.file.destination.user": 31397 rv, ok := value.(string) 31398 if !ok { 31399 return &eval.ErrValueTypeMismatch{Field: "Link.Target.FileFields.User"} 31400 } 31401 ev.Link.Target.FileFields.User = rv 31402 return nil 31403 case "link.file.filesystem": 31404 rv, ok := value.(string) 31405 if !ok { 31406 return &eval.ErrValueTypeMismatch{Field: "Link.Source.Filesystem"} 31407 } 31408 ev.Link.Source.Filesystem = rv 31409 return nil 31410 case "link.file.gid": 31411 rv, ok := value.(int) 31412 if !ok { 31413 return &eval.ErrValueTypeMismatch{Field: "Link.Source.FileFields.GID"} 31414 } 31415 ev.Link.Source.FileFields.GID = uint32(rv) 31416 return nil 31417 case "link.file.group": 31418 rv, ok := value.(string) 31419 if !ok { 31420 return &eval.ErrValueTypeMismatch{Field: "Link.Source.FileFields.Group"} 31421 } 31422 ev.Link.Source.FileFields.Group = rv 31423 return nil 31424 case "link.file.hashes": 31425 switch rv := value.(type) { 31426 case string: 31427 ev.Link.Source.Hashes = append(ev.Link.Source.Hashes, rv) 31428 case []string: 31429 ev.Link.Source.Hashes = append(ev.Link.Source.Hashes, rv...) 
31430 default: 31431 return &eval.ErrValueTypeMismatch{Field: "Link.Source.Hashes"} 31432 } 31433 return nil 31434 case "link.file.in_upper_layer": 31435 rv, ok := value.(bool) 31436 if !ok { 31437 return &eval.ErrValueTypeMismatch{Field: "Link.Source.FileFields.InUpperLayer"} 31438 } 31439 ev.Link.Source.FileFields.InUpperLayer = rv 31440 return nil 31441 case "link.file.inode": 31442 rv, ok := value.(int) 31443 if !ok { 31444 return &eval.ErrValueTypeMismatch{Field: "Link.Source.FileFields.PathKey.Inode"} 31445 } 31446 ev.Link.Source.FileFields.PathKey.Inode = uint64(rv) 31447 return nil 31448 case "link.file.mode": 31449 rv, ok := value.(int) 31450 if !ok { 31451 return &eval.ErrValueTypeMismatch{Field: "Link.Source.FileFields.Mode"} 31452 } 31453 ev.Link.Source.FileFields.Mode = uint16(rv) 31454 return nil 31455 case "link.file.modification_time": 31456 rv, ok := value.(int) 31457 if !ok { 31458 return &eval.ErrValueTypeMismatch{Field: "Link.Source.FileFields.MTime"} 31459 } 31460 ev.Link.Source.FileFields.MTime = uint64(rv) 31461 return nil 31462 case "link.file.mount_id": 31463 rv, ok := value.(int) 31464 if !ok { 31465 return &eval.ErrValueTypeMismatch{Field: "Link.Source.FileFields.PathKey.MountID"} 31466 } 31467 ev.Link.Source.FileFields.PathKey.MountID = uint32(rv) 31468 return nil 31469 case "link.file.name": 31470 rv, ok := value.(string) 31471 if !ok { 31472 return &eval.ErrValueTypeMismatch{Field: "Link.Source.BasenameStr"} 31473 } 31474 ev.Link.Source.BasenameStr = rv 31475 return nil 31476 case "link.file.name.length": 31477 return &eval.ErrFieldReadOnly{Field: "link.file.name.length"} 31478 case "link.file.package.name": 31479 rv, ok := value.(string) 31480 if !ok { 31481 return &eval.ErrValueTypeMismatch{Field: "Link.Source.PkgName"} 31482 } 31483 ev.Link.Source.PkgName = rv 31484 return nil 31485 case "link.file.package.source_version": 31486 rv, ok := value.(string) 31487 if !ok { 31488 return &eval.ErrValueTypeMismatch{Field: 
"Link.Source.PkgSrcVersion"} 31489 } 31490 ev.Link.Source.PkgSrcVersion = rv 31491 return nil 31492 case "link.file.package.version": 31493 rv, ok := value.(string) 31494 if !ok { 31495 return &eval.ErrValueTypeMismatch{Field: "Link.Source.PkgVersion"} 31496 } 31497 ev.Link.Source.PkgVersion = rv 31498 return nil 31499 case "link.file.path": 31500 rv, ok := value.(string) 31501 if !ok { 31502 return &eval.ErrValueTypeMismatch{Field: "Link.Source.PathnameStr"} 31503 } 31504 ev.Link.Source.PathnameStr = rv 31505 return nil 31506 case "link.file.path.length": 31507 return &eval.ErrFieldReadOnly{Field: "link.file.path.length"} 31508 case "link.file.rights": 31509 rv, ok := value.(int) 31510 if !ok { 31511 return &eval.ErrValueTypeMismatch{Field: "Link.Source.FileFields.Mode"} 31512 } 31513 ev.Link.Source.FileFields.Mode = uint16(rv) 31514 return nil 31515 case "link.file.uid": 31516 rv, ok := value.(int) 31517 if !ok { 31518 return &eval.ErrValueTypeMismatch{Field: "Link.Source.FileFields.UID"} 31519 } 31520 ev.Link.Source.FileFields.UID = uint32(rv) 31521 return nil 31522 case "link.file.user": 31523 rv, ok := value.(string) 31524 if !ok { 31525 return &eval.ErrValueTypeMismatch{Field: "Link.Source.FileFields.User"} 31526 } 31527 ev.Link.Source.FileFields.User = rv 31528 return nil 31529 case "link.retval": 31530 rv, ok := value.(int) 31531 if !ok { 31532 return &eval.ErrValueTypeMismatch{Field: "Link.SyscallEvent.Retval"} 31533 } 31534 ev.Link.SyscallEvent.Retval = int64(rv) 31535 return nil 31536 case "load_module.args": 31537 rv, ok := value.(string) 31538 if !ok { 31539 return &eval.ErrValueTypeMismatch{Field: "LoadModule.Args"} 31540 } 31541 ev.LoadModule.Args = rv 31542 return nil 31543 case "load_module.args_truncated": 31544 rv, ok := value.(bool) 31545 if !ok { 31546 return &eval.ErrValueTypeMismatch{Field: "LoadModule.ArgsTruncated"} 31547 } 31548 ev.LoadModule.ArgsTruncated = rv 31549 return nil 31550 case "load_module.argv": 31551 switch rv := value.(type) 
{ 31552 case string: 31553 ev.LoadModule.Argv = append(ev.LoadModule.Argv, rv) 31554 case []string: 31555 ev.LoadModule.Argv = append(ev.LoadModule.Argv, rv...) 31556 default: 31557 return &eval.ErrValueTypeMismatch{Field: "LoadModule.Argv"} 31558 } 31559 return nil 31560 case "load_module.file.change_time": 31561 rv, ok := value.(int) 31562 if !ok { 31563 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.FileFields.CTime"} 31564 } 31565 ev.LoadModule.File.FileFields.CTime = uint64(rv) 31566 return nil 31567 case "load_module.file.filesystem": 31568 rv, ok := value.(string) 31569 if !ok { 31570 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.Filesystem"} 31571 } 31572 ev.LoadModule.File.Filesystem = rv 31573 return nil 31574 case "load_module.file.gid": 31575 rv, ok := value.(int) 31576 if !ok { 31577 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.FileFields.GID"} 31578 } 31579 ev.LoadModule.File.FileFields.GID = uint32(rv) 31580 return nil 31581 case "load_module.file.group": 31582 rv, ok := value.(string) 31583 if !ok { 31584 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.FileFields.Group"} 31585 } 31586 ev.LoadModule.File.FileFields.Group = rv 31587 return nil 31588 case "load_module.file.hashes": 31589 switch rv := value.(type) { 31590 case string: 31591 ev.LoadModule.File.Hashes = append(ev.LoadModule.File.Hashes, rv) 31592 case []string: 31593 ev.LoadModule.File.Hashes = append(ev.LoadModule.File.Hashes, rv...) 
31594 default: 31595 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.Hashes"} 31596 } 31597 return nil 31598 case "load_module.file.in_upper_layer": 31599 rv, ok := value.(bool) 31600 if !ok { 31601 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.FileFields.InUpperLayer"} 31602 } 31603 ev.LoadModule.File.FileFields.InUpperLayer = rv 31604 return nil 31605 case "load_module.file.inode": 31606 rv, ok := value.(int) 31607 if !ok { 31608 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.FileFields.PathKey.Inode"} 31609 } 31610 ev.LoadModule.File.FileFields.PathKey.Inode = uint64(rv) 31611 return nil 31612 case "load_module.file.mode": 31613 rv, ok := value.(int) 31614 if !ok { 31615 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.FileFields.Mode"} 31616 } 31617 ev.LoadModule.File.FileFields.Mode = uint16(rv) 31618 return nil 31619 case "load_module.file.modification_time": 31620 rv, ok := value.(int) 31621 if !ok { 31622 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.FileFields.MTime"} 31623 } 31624 ev.LoadModule.File.FileFields.MTime = uint64(rv) 31625 return nil 31626 case "load_module.file.mount_id": 31627 rv, ok := value.(int) 31628 if !ok { 31629 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.FileFields.PathKey.MountID"} 31630 } 31631 ev.LoadModule.File.FileFields.PathKey.MountID = uint32(rv) 31632 return nil 31633 case "load_module.file.name": 31634 rv, ok := value.(string) 31635 if !ok { 31636 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.BasenameStr"} 31637 } 31638 ev.LoadModule.File.BasenameStr = rv 31639 return nil 31640 case "load_module.file.name.length": 31641 return &eval.ErrFieldReadOnly{Field: "load_module.file.name.length"} 31642 case "load_module.file.package.name": 31643 rv, ok := value.(string) 31644 if !ok { 31645 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.PkgName"} 31646 } 31647 ev.LoadModule.File.PkgName = rv 31648 return nil 31649 case 
"load_module.file.package.source_version": 31650 rv, ok := value.(string) 31651 if !ok { 31652 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.PkgSrcVersion"} 31653 } 31654 ev.LoadModule.File.PkgSrcVersion = rv 31655 return nil 31656 case "load_module.file.package.version": 31657 rv, ok := value.(string) 31658 if !ok { 31659 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.PkgVersion"} 31660 } 31661 ev.LoadModule.File.PkgVersion = rv 31662 return nil 31663 case "load_module.file.path": 31664 rv, ok := value.(string) 31665 if !ok { 31666 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.PathnameStr"} 31667 } 31668 ev.LoadModule.File.PathnameStr = rv 31669 return nil 31670 case "load_module.file.path.length": 31671 return &eval.ErrFieldReadOnly{Field: "load_module.file.path.length"} 31672 case "load_module.file.rights": 31673 rv, ok := value.(int) 31674 if !ok { 31675 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.FileFields.Mode"} 31676 } 31677 ev.LoadModule.File.FileFields.Mode = uint16(rv) 31678 return nil 31679 case "load_module.file.uid": 31680 rv, ok := value.(int) 31681 if !ok { 31682 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.FileFields.UID"} 31683 } 31684 ev.LoadModule.File.FileFields.UID = uint32(rv) 31685 return nil 31686 case "load_module.file.user": 31687 rv, ok := value.(string) 31688 if !ok { 31689 return &eval.ErrValueTypeMismatch{Field: "LoadModule.File.FileFields.User"} 31690 } 31691 ev.LoadModule.File.FileFields.User = rv 31692 return nil 31693 case "load_module.loaded_from_memory": 31694 rv, ok := value.(bool) 31695 if !ok { 31696 return &eval.ErrValueTypeMismatch{Field: "LoadModule.LoadedFromMemory"} 31697 } 31698 ev.LoadModule.LoadedFromMemory = rv 31699 return nil 31700 case "load_module.name": 31701 rv, ok := value.(string) 31702 if !ok { 31703 return &eval.ErrValueTypeMismatch{Field: "LoadModule.Name"} 31704 } 31705 ev.LoadModule.Name = rv 31706 return nil 31707 case "load_module.retval": 
31708 rv, ok := value.(int) 31709 if !ok { 31710 return &eval.ErrValueTypeMismatch{Field: "LoadModule.SyscallEvent.Retval"} 31711 } 31712 ev.LoadModule.SyscallEvent.Retval = int64(rv) 31713 return nil 31714 case "mkdir.file.change_time": 31715 rv, ok := value.(int) 31716 if !ok { 31717 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.FileFields.CTime"} 31718 } 31719 ev.Mkdir.File.FileFields.CTime = uint64(rv) 31720 return nil 31721 case "mkdir.file.destination.mode": 31722 rv, ok := value.(int) 31723 if !ok { 31724 return &eval.ErrValueTypeMismatch{Field: "Mkdir.Mode"} 31725 } 31726 ev.Mkdir.Mode = uint32(rv) 31727 return nil 31728 case "mkdir.file.destination.rights": 31729 rv, ok := value.(int) 31730 if !ok { 31731 return &eval.ErrValueTypeMismatch{Field: "Mkdir.Mode"} 31732 } 31733 ev.Mkdir.Mode = uint32(rv) 31734 return nil 31735 case "mkdir.file.filesystem": 31736 rv, ok := value.(string) 31737 if !ok { 31738 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.Filesystem"} 31739 } 31740 ev.Mkdir.File.Filesystem = rv 31741 return nil 31742 case "mkdir.file.gid": 31743 rv, ok := value.(int) 31744 if !ok { 31745 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.FileFields.GID"} 31746 } 31747 ev.Mkdir.File.FileFields.GID = uint32(rv) 31748 return nil 31749 case "mkdir.file.group": 31750 rv, ok := value.(string) 31751 if !ok { 31752 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.FileFields.Group"} 31753 } 31754 ev.Mkdir.File.FileFields.Group = rv 31755 return nil 31756 case "mkdir.file.hashes": 31757 switch rv := value.(type) { 31758 case string: 31759 ev.Mkdir.File.Hashes = append(ev.Mkdir.File.Hashes, rv) 31760 case []string: 31761 ev.Mkdir.File.Hashes = append(ev.Mkdir.File.Hashes, rv...) 
31762 default: 31763 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.Hashes"} 31764 } 31765 return nil 31766 case "mkdir.file.in_upper_layer": 31767 rv, ok := value.(bool) 31768 if !ok { 31769 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.FileFields.InUpperLayer"} 31770 } 31771 ev.Mkdir.File.FileFields.InUpperLayer = rv 31772 return nil 31773 case "mkdir.file.inode": 31774 rv, ok := value.(int) 31775 if !ok { 31776 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.FileFields.PathKey.Inode"} 31777 } 31778 ev.Mkdir.File.FileFields.PathKey.Inode = uint64(rv) 31779 return nil 31780 case "mkdir.file.mode": 31781 rv, ok := value.(int) 31782 if !ok { 31783 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.FileFields.Mode"} 31784 } 31785 ev.Mkdir.File.FileFields.Mode = uint16(rv) 31786 return nil 31787 case "mkdir.file.modification_time": 31788 rv, ok := value.(int) 31789 if !ok { 31790 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.FileFields.MTime"} 31791 } 31792 ev.Mkdir.File.FileFields.MTime = uint64(rv) 31793 return nil 31794 case "mkdir.file.mount_id": 31795 rv, ok := value.(int) 31796 if !ok { 31797 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.FileFields.PathKey.MountID"} 31798 } 31799 ev.Mkdir.File.FileFields.PathKey.MountID = uint32(rv) 31800 return nil 31801 case "mkdir.file.name": 31802 rv, ok := value.(string) 31803 if !ok { 31804 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.BasenameStr"} 31805 } 31806 ev.Mkdir.File.BasenameStr = rv 31807 return nil 31808 case "mkdir.file.name.length": 31809 return &eval.ErrFieldReadOnly{Field: "mkdir.file.name.length"} 31810 case "mkdir.file.package.name": 31811 rv, ok := value.(string) 31812 if !ok { 31813 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.PkgName"} 31814 } 31815 ev.Mkdir.File.PkgName = rv 31816 return nil 31817 case "mkdir.file.package.source_version": 31818 rv, ok := value.(string) 31819 if !ok { 31820 return &eval.ErrValueTypeMismatch{Field: 
"Mkdir.File.PkgSrcVersion"} 31821 } 31822 ev.Mkdir.File.PkgSrcVersion = rv 31823 return nil 31824 case "mkdir.file.package.version": 31825 rv, ok := value.(string) 31826 if !ok { 31827 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.PkgVersion"} 31828 } 31829 ev.Mkdir.File.PkgVersion = rv 31830 return nil 31831 case "mkdir.file.path": 31832 rv, ok := value.(string) 31833 if !ok { 31834 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.PathnameStr"} 31835 } 31836 ev.Mkdir.File.PathnameStr = rv 31837 return nil 31838 case "mkdir.file.path.length": 31839 return &eval.ErrFieldReadOnly{Field: "mkdir.file.path.length"} 31840 case "mkdir.file.rights": 31841 rv, ok := value.(int) 31842 if !ok { 31843 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.FileFields.Mode"} 31844 } 31845 ev.Mkdir.File.FileFields.Mode = uint16(rv) 31846 return nil 31847 case "mkdir.file.uid": 31848 rv, ok := value.(int) 31849 if !ok { 31850 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.FileFields.UID"} 31851 } 31852 ev.Mkdir.File.FileFields.UID = uint32(rv) 31853 return nil 31854 case "mkdir.file.user": 31855 rv, ok := value.(string) 31856 if !ok { 31857 return &eval.ErrValueTypeMismatch{Field: "Mkdir.File.FileFields.User"} 31858 } 31859 ev.Mkdir.File.FileFields.User = rv 31860 return nil 31861 case "mkdir.retval": 31862 rv, ok := value.(int) 31863 if !ok { 31864 return &eval.ErrValueTypeMismatch{Field: "Mkdir.SyscallEvent.Retval"} 31865 } 31866 ev.Mkdir.SyscallEvent.Retval = int64(rv) 31867 return nil 31868 case "mmap.file.change_time": 31869 rv, ok := value.(int) 31870 if !ok { 31871 return &eval.ErrValueTypeMismatch{Field: "MMap.File.FileFields.CTime"} 31872 } 31873 ev.MMap.File.FileFields.CTime = uint64(rv) 31874 return nil 31875 case "mmap.file.filesystem": 31876 rv, ok := value.(string) 31877 if !ok { 31878 return &eval.ErrValueTypeMismatch{Field: "MMap.File.Filesystem"} 31879 } 31880 ev.MMap.File.Filesystem = rv 31881 return nil 31882 case "mmap.file.gid": 31883 rv, ok := 
value.(int) 31884 if !ok { 31885 return &eval.ErrValueTypeMismatch{Field: "MMap.File.FileFields.GID"} 31886 } 31887 ev.MMap.File.FileFields.GID = uint32(rv) 31888 return nil 31889 case "mmap.file.group": 31890 rv, ok := value.(string) 31891 if !ok { 31892 return &eval.ErrValueTypeMismatch{Field: "MMap.File.FileFields.Group"} 31893 } 31894 ev.MMap.File.FileFields.Group = rv 31895 return nil 31896 case "mmap.file.hashes": 31897 switch rv := value.(type) { 31898 case string: 31899 ev.MMap.File.Hashes = append(ev.MMap.File.Hashes, rv) 31900 case []string: 31901 ev.MMap.File.Hashes = append(ev.MMap.File.Hashes, rv...) 31902 default: 31903 return &eval.ErrValueTypeMismatch{Field: "MMap.File.Hashes"} 31904 } 31905 return nil 31906 case "mmap.file.in_upper_layer": 31907 rv, ok := value.(bool) 31908 if !ok { 31909 return &eval.ErrValueTypeMismatch{Field: "MMap.File.FileFields.InUpperLayer"} 31910 } 31911 ev.MMap.File.FileFields.InUpperLayer = rv 31912 return nil 31913 case "mmap.file.inode": 31914 rv, ok := value.(int) 31915 if !ok { 31916 return &eval.ErrValueTypeMismatch{Field: "MMap.File.FileFields.PathKey.Inode"} 31917 } 31918 ev.MMap.File.FileFields.PathKey.Inode = uint64(rv) 31919 return nil 31920 case "mmap.file.mode": 31921 rv, ok := value.(int) 31922 if !ok { 31923 return &eval.ErrValueTypeMismatch{Field: "MMap.File.FileFields.Mode"} 31924 } 31925 ev.MMap.File.FileFields.Mode = uint16(rv) 31926 return nil 31927 case "mmap.file.modification_time": 31928 rv, ok := value.(int) 31929 if !ok { 31930 return &eval.ErrValueTypeMismatch{Field: "MMap.File.FileFields.MTime"} 31931 } 31932 ev.MMap.File.FileFields.MTime = uint64(rv) 31933 return nil 31934 case "mmap.file.mount_id": 31935 rv, ok := value.(int) 31936 if !ok { 31937 return &eval.ErrValueTypeMismatch{Field: "MMap.File.FileFields.PathKey.MountID"} 31938 } 31939 ev.MMap.File.FileFields.PathKey.MountID = uint32(rv) 31940 return nil 31941 case "mmap.file.name": 31942 rv, ok := value.(string) 31943 if !ok { 31944 return 
&eval.ErrValueTypeMismatch{Field: "MMap.File.BasenameStr"} 31945 } 31946 ev.MMap.File.BasenameStr = rv 31947 return nil 31948 case "mmap.file.name.length": 31949 return &eval.ErrFieldReadOnly{Field: "mmap.file.name.length"} 31950 case "mmap.file.package.name": 31951 rv, ok := value.(string) 31952 if !ok { 31953 return &eval.ErrValueTypeMismatch{Field: "MMap.File.PkgName"} 31954 } 31955 ev.MMap.File.PkgName = rv 31956 return nil 31957 case "mmap.file.package.source_version": 31958 rv, ok := value.(string) 31959 if !ok { 31960 return &eval.ErrValueTypeMismatch{Field: "MMap.File.PkgSrcVersion"} 31961 } 31962 ev.MMap.File.PkgSrcVersion = rv 31963 return nil 31964 case "mmap.file.package.version": 31965 rv, ok := value.(string) 31966 if !ok { 31967 return &eval.ErrValueTypeMismatch{Field: "MMap.File.PkgVersion"} 31968 } 31969 ev.MMap.File.PkgVersion = rv 31970 return nil 31971 case "mmap.file.path": 31972 rv, ok := value.(string) 31973 if !ok { 31974 return &eval.ErrValueTypeMismatch{Field: "MMap.File.PathnameStr"} 31975 } 31976 ev.MMap.File.PathnameStr = rv 31977 return nil 31978 case "mmap.file.path.length": 31979 return &eval.ErrFieldReadOnly{Field: "mmap.file.path.length"} 31980 case "mmap.file.rights": 31981 rv, ok := value.(int) 31982 if !ok { 31983 return &eval.ErrValueTypeMismatch{Field: "MMap.File.FileFields.Mode"} 31984 } 31985 ev.MMap.File.FileFields.Mode = uint16(rv) 31986 return nil 31987 case "mmap.file.uid": 31988 rv, ok := value.(int) 31989 if !ok { 31990 return &eval.ErrValueTypeMismatch{Field: "MMap.File.FileFields.UID"} 31991 } 31992 ev.MMap.File.FileFields.UID = uint32(rv) 31993 return nil 31994 case "mmap.file.user": 31995 rv, ok := value.(string) 31996 if !ok { 31997 return &eval.ErrValueTypeMismatch{Field: "MMap.File.FileFields.User"} 31998 } 31999 ev.MMap.File.FileFields.User = rv 32000 return nil 32001 case "mmap.flags": 32002 rv, ok := value.(int) 32003 if !ok { 32004 return &eval.ErrValueTypeMismatch{Field: "MMap.Flags"} 32005 } 32006 
ev.MMap.Flags = uint64(rv) 32007 return nil 32008 case "mmap.protection": 32009 rv, ok := value.(int) 32010 if !ok { 32011 return &eval.ErrValueTypeMismatch{Field: "MMap.Protection"} 32012 } 32013 ev.MMap.Protection = uint64(rv) 32014 return nil 32015 case "mmap.retval": 32016 rv, ok := value.(int) 32017 if !ok { 32018 return &eval.ErrValueTypeMismatch{Field: "MMap.SyscallEvent.Retval"} 32019 } 32020 ev.MMap.SyscallEvent.Retval = int64(rv) 32021 return nil 32022 case "mount.fs_type": 32023 rv, ok := value.(string) 32024 if !ok { 32025 return &eval.ErrValueTypeMismatch{Field: "Mount.Mount.FSType"} 32026 } 32027 ev.Mount.Mount.FSType = rv 32028 return nil 32029 case "mount.mountpoint.path": 32030 rv, ok := value.(string) 32031 if !ok { 32032 return &eval.ErrValueTypeMismatch{Field: "Mount.MountPointPath"} 32033 } 32034 ev.Mount.MountPointPath = rv 32035 return nil 32036 case "mount.retval": 32037 rv, ok := value.(int) 32038 if !ok { 32039 return &eval.ErrValueTypeMismatch{Field: "Mount.SyscallEvent.Retval"} 32040 } 32041 ev.Mount.SyscallEvent.Retval = int64(rv) 32042 return nil 32043 case "mount.root.path": 32044 rv, ok := value.(string) 32045 if !ok { 32046 return &eval.ErrValueTypeMismatch{Field: "Mount.MountRootPath"} 32047 } 32048 ev.Mount.MountRootPath = rv 32049 return nil 32050 case "mount.source.path": 32051 rv, ok := value.(string) 32052 if !ok { 32053 return &eval.ErrValueTypeMismatch{Field: "Mount.MountSourcePath"} 32054 } 32055 ev.Mount.MountSourcePath = rv 32056 return nil 32057 case "mprotect.req_protection": 32058 rv, ok := value.(int) 32059 if !ok { 32060 return &eval.ErrValueTypeMismatch{Field: "MProtect.ReqProtection"} 32061 } 32062 ev.MProtect.ReqProtection = int(rv) 32063 return nil 32064 case "mprotect.retval": 32065 rv, ok := value.(int) 32066 if !ok { 32067 return &eval.ErrValueTypeMismatch{Field: "MProtect.SyscallEvent.Retval"} 32068 } 32069 ev.MProtect.SyscallEvent.Retval = int64(rv) 32070 return nil 32071 case "mprotect.vm_protection": 32072 
rv, ok := value.(int) 32073 if !ok { 32074 return &eval.ErrValueTypeMismatch{Field: "MProtect.VMProtection"} 32075 } 32076 ev.MProtect.VMProtection = int(rv) 32077 return nil 32078 case "network.destination.ip": 32079 rv, ok := value.(net.IPNet) 32080 if !ok { 32081 return &eval.ErrValueTypeMismatch{Field: "NetworkContext.Destination.IPNet"} 32082 } 32083 ev.NetworkContext.Destination.IPNet = rv 32084 return nil 32085 case "network.destination.port": 32086 rv, ok := value.(int) 32087 if !ok { 32088 return &eval.ErrValueTypeMismatch{Field: "NetworkContext.Destination.Port"} 32089 } 32090 ev.NetworkContext.Destination.Port = uint16(rv) 32091 return nil 32092 case "network.device.ifindex": 32093 rv, ok := value.(int) 32094 if !ok { 32095 return &eval.ErrValueTypeMismatch{Field: "NetworkContext.Device.IfIndex"} 32096 } 32097 ev.NetworkContext.Device.IfIndex = uint32(rv) 32098 return nil 32099 case "network.device.ifname": 32100 rv, ok := value.(string) 32101 if !ok { 32102 return &eval.ErrValueTypeMismatch{Field: "NetworkContext.Device.IfName"} 32103 } 32104 ev.NetworkContext.Device.IfName = rv 32105 return nil 32106 case "network.l3_protocol": 32107 rv, ok := value.(int) 32108 if !ok { 32109 return &eval.ErrValueTypeMismatch{Field: "NetworkContext.L3Protocol"} 32110 } 32111 ev.NetworkContext.L3Protocol = uint16(rv) 32112 return nil 32113 case "network.l4_protocol": 32114 rv, ok := value.(int) 32115 if !ok { 32116 return &eval.ErrValueTypeMismatch{Field: "NetworkContext.L4Protocol"} 32117 } 32118 ev.NetworkContext.L4Protocol = uint16(rv) 32119 return nil 32120 case "network.size": 32121 rv, ok := value.(int) 32122 if !ok { 32123 return &eval.ErrValueTypeMismatch{Field: "NetworkContext.Size"} 32124 } 32125 ev.NetworkContext.Size = uint32(rv) 32126 return nil 32127 case "network.source.ip": 32128 rv, ok := value.(net.IPNet) 32129 if !ok { 32130 return &eval.ErrValueTypeMismatch{Field: "NetworkContext.Source.IPNet"} 32131 } 32132 ev.NetworkContext.Source.IPNet = rv 32133 
return nil 32134 case "network.source.port": 32135 rv, ok := value.(int) 32136 if !ok { 32137 return &eval.ErrValueTypeMismatch{Field: "NetworkContext.Source.Port"} 32138 } 32139 ev.NetworkContext.Source.Port = uint16(rv) 32140 return nil 32141 case "open.file.change_time": 32142 rv, ok := value.(int) 32143 if !ok { 32144 return &eval.ErrValueTypeMismatch{Field: "Open.File.FileFields.CTime"} 32145 } 32146 ev.Open.File.FileFields.CTime = uint64(rv) 32147 return nil 32148 case "open.file.destination.mode": 32149 rv, ok := value.(int) 32150 if !ok { 32151 return &eval.ErrValueTypeMismatch{Field: "Open.Mode"} 32152 } 32153 ev.Open.Mode = uint32(rv) 32154 return nil 32155 case "open.file.filesystem": 32156 rv, ok := value.(string) 32157 if !ok { 32158 return &eval.ErrValueTypeMismatch{Field: "Open.File.Filesystem"} 32159 } 32160 ev.Open.File.Filesystem = rv 32161 return nil 32162 case "open.file.gid": 32163 rv, ok := value.(int) 32164 if !ok { 32165 return &eval.ErrValueTypeMismatch{Field: "Open.File.FileFields.GID"} 32166 } 32167 ev.Open.File.FileFields.GID = uint32(rv) 32168 return nil 32169 case "open.file.group": 32170 rv, ok := value.(string) 32171 if !ok { 32172 return &eval.ErrValueTypeMismatch{Field: "Open.File.FileFields.Group"} 32173 } 32174 ev.Open.File.FileFields.Group = rv 32175 return nil 32176 case "open.file.hashes": 32177 switch rv := value.(type) { 32178 case string: 32179 ev.Open.File.Hashes = append(ev.Open.File.Hashes, rv) 32180 case []string: 32181 ev.Open.File.Hashes = append(ev.Open.File.Hashes, rv...) 
32182 default: 32183 return &eval.ErrValueTypeMismatch{Field: "Open.File.Hashes"} 32184 } 32185 return nil 32186 case "open.file.in_upper_layer": 32187 rv, ok := value.(bool) 32188 if !ok { 32189 return &eval.ErrValueTypeMismatch{Field: "Open.File.FileFields.InUpperLayer"} 32190 } 32191 ev.Open.File.FileFields.InUpperLayer = rv 32192 return nil 32193 case "open.file.inode": 32194 rv, ok := value.(int) 32195 if !ok { 32196 return &eval.ErrValueTypeMismatch{Field: "Open.File.FileFields.PathKey.Inode"} 32197 } 32198 ev.Open.File.FileFields.PathKey.Inode = uint64(rv) 32199 return nil 32200 case "open.file.mode": 32201 rv, ok := value.(int) 32202 if !ok { 32203 return &eval.ErrValueTypeMismatch{Field: "Open.File.FileFields.Mode"} 32204 } 32205 ev.Open.File.FileFields.Mode = uint16(rv) 32206 return nil 32207 case "open.file.modification_time": 32208 rv, ok := value.(int) 32209 if !ok { 32210 return &eval.ErrValueTypeMismatch{Field: "Open.File.FileFields.MTime"} 32211 } 32212 ev.Open.File.FileFields.MTime = uint64(rv) 32213 return nil 32214 case "open.file.mount_id": 32215 rv, ok := value.(int) 32216 if !ok { 32217 return &eval.ErrValueTypeMismatch{Field: "Open.File.FileFields.PathKey.MountID"} 32218 } 32219 ev.Open.File.FileFields.PathKey.MountID = uint32(rv) 32220 return nil 32221 case "open.file.name": 32222 rv, ok := value.(string) 32223 if !ok { 32224 return &eval.ErrValueTypeMismatch{Field: "Open.File.BasenameStr"} 32225 } 32226 ev.Open.File.BasenameStr = rv 32227 return nil 32228 case "open.file.name.length": 32229 return &eval.ErrFieldReadOnly{Field: "open.file.name.length"} 32230 case "open.file.package.name": 32231 rv, ok := value.(string) 32232 if !ok { 32233 return &eval.ErrValueTypeMismatch{Field: "Open.File.PkgName"} 32234 } 32235 ev.Open.File.PkgName = rv 32236 return nil 32237 case "open.file.package.source_version": 32238 rv, ok := value.(string) 32239 if !ok { 32240 return &eval.ErrValueTypeMismatch{Field: "Open.File.PkgSrcVersion"} 32241 } 32242 
ev.Open.File.PkgSrcVersion = rv 32243 return nil 32244 case "open.file.package.version": 32245 rv, ok := value.(string) 32246 if !ok { 32247 return &eval.ErrValueTypeMismatch{Field: "Open.File.PkgVersion"} 32248 } 32249 ev.Open.File.PkgVersion = rv 32250 return nil 32251 case "open.file.path": 32252 rv, ok := value.(string) 32253 if !ok { 32254 return &eval.ErrValueTypeMismatch{Field: "Open.File.PathnameStr"} 32255 } 32256 ev.Open.File.PathnameStr = rv 32257 return nil 32258 case "open.file.path.length": 32259 return &eval.ErrFieldReadOnly{Field: "open.file.path.length"} 32260 case "open.file.rights": 32261 rv, ok := value.(int) 32262 if !ok { 32263 return &eval.ErrValueTypeMismatch{Field: "Open.File.FileFields.Mode"} 32264 } 32265 ev.Open.File.FileFields.Mode = uint16(rv) 32266 return nil 32267 case "open.file.uid": 32268 rv, ok := value.(int) 32269 if !ok { 32270 return &eval.ErrValueTypeMismatch{Field: "Open.File.FileFields.UID"} 32271 } 32272 ev.Open.File.FileFields.UID = uint32(rv) 32273 return nil 32274 case "open.file.user": 32275 rv, ok := value.(string) 32276 if !ok { 32277 return &eval.ErrValueTypeMismatch{Field: "Open.File.FileFields.User"} 32278 } 32279 ev.Open.File.FileFields.User = rv 32280 return nil 32281 case "open.flags": 32282 rv, ok := value.(int) 32283 if !ok { 32284 return &eval.ErrValueTypeMismatch{Field: "Open.Flags"} 32285 } 32286 ev.Open.Flags = uint32(rv) 32287 return nil 32288 case "open.retval": 32289 rv, ok := value.(int) 32290 if !ok { 32291 return &eval.ErrValueTypeMismatch{Field: "Open.SyscallEvent.Retval"} 32292 } 32293 ev.Open.SyscallEvent.Retval = int64(rv) 32294 return nil 32295 case "process.ancestors.args": 32296 if ev.BaseEvent.ProcessContext == nil { 32297 ev.BaseEvent.ProcessContext = &ProcessContext{} 32298 } 32299 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32300 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32301 } 32302 rv, ok := value.(string) 32303 if !ok { 32304 return 
&eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Args"} 32305 } 32306 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Args = rv 32307 return nil 32308 case "process.ancestors.args_flags": 32309 if ev.BaseEvent.ProcessContext == nil { 32310 ev.BaseEvent.ProcessContext = &ProcessContext{} 32311 } 32312 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32313 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32314 } 32315 switch rv := value.(type) { 32316 case string: 32317 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv, rv) 32318 case []string: 32319 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv, rv...) 32320 default: 32321 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv"} 32322 } 32323 return nil 32324 case "process.ancestors.args_options": 32325 if ev.BaseEvent.ProcessContext == nil { 32326 ev.BaseEvent.ProcessContext = &ProcessContext{} 32327 } 32328 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32329 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32330 } 32331 switch rv := value.(type) { 32332 case string: 32333 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv, rv) 32334 case []string: 32335 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv, rv...) 
32336 default: 32337 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv"} 32338 } 32339 return nil 32340 case "process.ancestors.args_truncated": 32341 if ev.BaseEvent.ProcessContext == nil { 32342 ev.BaseEvent.ProcessContext = &ProcessContext{} 32343 } 32344 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32345 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32346 } 32347 rv, ok := value.(bool) 32348 if !ok { 32349 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.ArgsTruncated"} 32350 } 32351 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.ArgsTruncated = rv 32352 return nil 32353 case "process.ancestors.argv": 32354 if ev.BaseEvent.ProcessContext == nil { 32355 ev.BaseEvent.ProcessContext = &ProcessContext{} 32356 } 32357 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32358 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32359 } 32360 switch rv := value.(type) { 32361 case string: 32362 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv, rv) 32363 case []string: 32364 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv, rv...) 
32365 default: 32366 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv"} 32367 } 32368 return nil 32369 case "process.ancestors.argv0": 32370 if ev.BaseEvent.ProcessContext == nil { 32371 ev.BaseEvent.ProcessContext = &ProcessContext{} 32372 } 32373 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32374 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32375 } 32376 rv, ok := value.(string) 32377 if !ok { 32378 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv0"} 32379 } 32380 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Argv0 = rv 32381 return nil 32382 case "process.ancestors.cap_effective": 32383 if ev.BaseEvent.ProcessContext == nil { 32384 ev.BaseEvent.ProcessContext = &ProcessContext{} 32385 } 32386 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32387 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32388 } 32389 rv, ok := value.(int) 32390 if !ok { 32391 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.CapEffective"} 32392 } 32393 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.CapEffective = uint64(rv) 32394 return nil 32395 case "process.ancestors.cap_permitted": 32396 if ev.BaseEvent.ProcessContext == nil { 32397 ev.BaseEvent.ProcessContext = &ProcessContext{} 32398 } 32399 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32400 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32401 } 32402 rv, ok := value.(int) 32403 if !ok { 32404 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.CapPermitted"} 32405 } 32406 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.CapPermitted = uint64(rv) 32407 return nil 32408 case "process.ancestors.comm": 32409 if ev.BaseEvent.ProcessContext == nil { 32410 ev.BaseEvent.ProcessContext = &ProcessContext{} 
32411 } 32412 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32413 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32414 } 32415 rv, ok := value.(string) 32416 if !ok { 32417 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Comm"} 32418 } 32419 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Comm = rv 32420 return nil 32421 case "process.ancestors.container.id": 32422 if ev.BaseEvent.ProcessContext == nil { 32423 ev.BaseEvent.ProcessContext = &ProcessContext{} 32424 } 32425 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32426 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32427 } 32428 rv, ok := value.(string) 32429 if !ok { 32430 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.ContainerID"} 32431 } 32432 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.ContainerID = rv 32433 return nil 32434 case "process.ancestors.created_at": 32435 if ev.BaseEvent.ProcessContext == nil { 32436 ev.BaseEvent.ProcessContext = &ProcessContext{} 32437 } 32438 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32439 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32440 } 32441 rv, ok := value.(int) 32442 if !ok { 32443 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.CreatedAt"} 32444 } 32445 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.CreatedAt = uint64(rv) 32446 return nil 32447 case "process.ancestors.egid": 32448 if ev.BaseEvent.ProcessContext == nil { 32449 ev.BaseEvent.ProcessContext = &ProcessContext{} 32450 } 32451 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32452 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32453 } 32454 rv, ok := value.(int) 32455 if !ok { 32456 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.EGID"} 32457 } 32458 
ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.EGID = uint32(rv) 32459 return nil 32460 case "process.ancestors.egroup": 32461 if ev.BaseEvent.ProcessContext == nil { 32462 ev.BaseEvent.ProcessContext = &ProcessContext{} 32463 } 32464 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32465 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32466 } 32467 rv, ok := value.(string) 32468 if !ok { 32469 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.EGroup"} 32470 } 32471 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.EGroup = rv 32472 return nil 32473 case "process.ancestors.envp": 32474 if ev.BaseEvent.ProcessContext == nil { 32475 ev.BaseEvent.ProcessContext = &ProcessContext{} 32476 } 32477 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32478 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32479 } 32480 switch rv := value.(type) { 32481 case string: 32482 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envp = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envp, rv) 32483 case []string: 32484 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envp = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envp, rv...) 
32485 default: 32486 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envp"} 32487 } 32488 return nil 32489 case "process.ancestors.envs": 32490 if ev.BaseEvent.ProcessContext == nil { 32491 ev.BaseEvent.ProcessContext = &ProcessContext{} 32492 } 32493 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32494 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32495 } 32496 switch rv := value.(type) { 32497 case string: 32498 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envs = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envs, rv) 32499 case []string: 32500 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envs = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envs, rv...) 32501 default: 32502 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Envs"} 32503 } 32504 return nil 32505 case "process.ancestors.envs_truncated": 32506 if ev.BaseEvent.ProcessContext == nil { 32507 ev.BaseEvent.ProcessContext = &ProcessContext{} 32508 } 32509 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32510 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32511 } 32512 rv, ok := value.(bool) 32513 if !ok { 32514 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.EnvsTruncated"} 32515 } 32516 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.EnvsTruncated = rv 32517 return nil 32518 case "process.ancestors.euid": 32519 if ev.BaseEvent.ProcessContext == nil { 32520 ev.BaseEvent.ProcessContext = &ProcessContext{} 32521 } 32522 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32523 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32524 } 32525 rv, ok := value.(int) 32526 if !ok { 32527 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.EUID"} 32528 } 32529 
ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.EUID = uint32(rv) 32530 return nil 32531 case "process.ancestors.euser": 32532 if ev.BaseEvent.ProcessContext == nil { 32533 ev.BaseEvent.ProcessContext = &ProcessContext{} 32534 } 32535 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32536 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32537 } 32538 rv, ok := value.(string) 32539 if !ok { 32540 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.EUser"} 32541 } 32542 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.EUser = rv 32543 return nil 32544 case "process.ancestors.file.change_time": 32545 if ev.BaseEvent.ProcessContext == nil { 32546 ev.BaseEvent.ProcessContext = &ProcessContext{} 32547 } 32548 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32549 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32550 } 32551 rv, ok := value.(int) 32552 if !ok { 32553 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.CTime"} 32554 } 32555 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.CTime = uint64(rv) 32556 return nil 32557 case "process.ancestors.file.filesystem": 32558 if ev.BaseEvent.ProcessContext == nil { 32559 ev.BaseEvent.ProcessContext = &ProcessContext{} 32560 } 32561 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32562 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32563 } 32564 rv, ok := value.(string) 32565 if !ok { 32566 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.Filesystem"} 32567 } 32568 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.Filesystem = rv 32569 return nil 32570 case "process.ancestors.file.gid": 32571 if ev.BaseEvent.ProcessContext == nil { 32572 ev.BaseEvent.ProcessContext = &ProcessContext{} 32573 } 32574 if 
ev.BaseEvent.ProcessContext.Ancestor == nil { 32575 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32576 } 32577 rv, ok := value.(int) 32578 if !ok { 32579 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.GID"} 32580 } 32581 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.GID = uint32(rv) 32582 return nil 32583 case "process.ancestors.file.group": 32584 if ev.BaseEvent.ProcessContext == nil { 32585 ev.BaseEvent.ProcessContext = &ProcessContext{} 32586 } 32587 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32588 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32589 } 32590 rv, ok := value.(string) 32591 if !ok { 32592 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.Group"} 32593 } 32594 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.Group = rv 32595 return nil 32596 case "process.ancestors.file.hashes": 32597 if ev.BaseEvent.ProcessContext == nil { 32598 ev.BaseEvent.ProcessContext = &ProcessContext{} 32599 } 32600 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32601 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32602 } 32603 switch rv := value.(type) { 32604 case string: 32605 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.Hashes = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.Hashes, rv) 32606 case []string: 32607 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.Hashes = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.Hashes, rv...) 
32608 default: 32609 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.Hashes"} 32610 } 32611 return nil 32612 case "process.ancestors.file.in_upper_layer": 32613 if ev.BaseEvent.ProcessContext == nil { 32614 ev.BaseEvent.ProcessContext = &ProcessContext{} 32615 } 32616 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32617 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32618 } 32619 rv, ok := value.(bool) 32620 if !ok { 32621 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.InUpperLayer"} 32622 } 32623 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.InUpperLayer = rv 32624 return nil 32625 case "process.ancestors.file.inode": 32626 if ev.BaseEvent.ProcessContext == nil { 32627 ev.BaseEvent.ProcessContext = &ProcessContext{} 32628 } 32629 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32630 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32631 } 32632 rv, ok := value.(int) 32633 if !ok { 32634 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode"} 32635 } 32636 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode = uint64(rv) 32637 return nil 32638 case "process.ancestors.file.mode": 32639 if ev.BaseEvent.ProcessContext == nil { 32640 ev.BaseEvent.ProcessContext = &ProcessContext{} 32641 } 32642 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32643 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32644 } 32645 rv, ok := value.(int) 32646 if !ok { 32647 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.Mode"} 32648 } 32649 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.Mode = uint16(rv) 32650 return nil 32651 case 
"process.ancestors.file.modification_time": 32652 if ev.BaseEvent.ProcessContext == nil { 32653 ev.BaseEvent.ProcessContext = &ProcessContext{} 32654 } 32655 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32656 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32657 } 32658 rv, ok := value.(int) 32659 if !ok { 32660 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.MTime"} 32661 } 32662 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.MTime = uint64(rv) 32663 return nil 32664 case "process.ancestors.file.mount_id": 32665 if ev.BaseEvent.ProcessContext == nil { 32666 ev.BaseEvent.ProcessContext = &ProcessContext{} 32667 } 32668 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32669 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32670 } 32671 rv, ok := value.(int) 32672 if !ok { 32673 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID"} 32674 } 32675 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID = uint32(rv) 32676 return nil 32677 case "process.ancestors.file.name": 32678 if ev.BaseEvent.ProcessContext == nil { 32679 ev.BaseEvent.ProcessContext = &ProcessContext{} 32680 } 32681 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32682 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32683 } 32684 rv, ok := value.(string) 32685 if !ok { 32686 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.BasenameStr"} 32687 } 32688 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.BasenameStr = rv 32689 return nil 32690 case "process.ancestors.file.name.length": 32691 if ev.BaseEvent.ProcessContext == nil { 32692 ev.BaseEvent.ProcessContext = &ProcessContext{} 32693 } 32694 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32695 
ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32696 } 32697 return &eval.ErrFieldReadOnly{Field: "process.ancestors.file.name.length"} 32698 case "process.ancestors.file.package.name": 32699 if ev.BaseEvent.ProcessContext == nil { 32700 ev.BaseEvent.ProcessContext = &ProcessContext{} 32701 } 32702 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32703 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32704 } 32705 rv, ok := value.(string) 32706 if !ok { 32707 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.PkgName"} 32708 } 32709 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.PkgName = rv 32710 return nil 32711 case "process.ancestors.file.package.source_version": 32712 if ev.BaseEvent.ProcessContext == nil { 32713 ev.BaseEvent.ProcessContext = &ProcessContext{} 32714 } 32715 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32716 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32717 } 32718 rv, ok := value.(string) 32719 if !ok { 32720 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.PkgSrcVersion"} 32721 } 32722 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.PkgSrcVersion = rv 32723 return nil 32724 case "process.ancestors.file.package.version": 32725 if ev.BaseEvent.ProcessContext == nil { 32726 ev.BaseEvent.ProcessContext = &ProcessContext{} 32727 } 32728 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32729 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32730 } 32731 rv, ok := value.(string) 32732 if !ok { 32733 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.PkgVersion"} 32734 } 32735 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.PkgVersion = rv 32736 return nil 32737 case "process.ancestors.file.path": 32738 if ev.BaseEvent.ProcessContext == nil { 32739 
ev.BaseEvent.ProcessContext = &ProcessContext{} 32740 } 32741 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32742 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32743 } 32744 rv, ok := value.(string) 32745 if !ok { 32746 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.PathnameStr"} 32747 } 32748 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.PathnameStr = rv 32749 return nil 32750 case "process.ancestors.file.path.length": 32751 if ev.BaseEvent.ProcessContext == nil { 32752 ev.BaseEvent.ProcessContext = &ProcessContext{} 32753 } 32754 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32755 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32756 } 32757 return &eval.ErrFieldReadOnly{Field: "process.ancestors.file.path.length"} 32758 case "process.ancestors.file.rights": 32759 if ev.BaseEvent.ProcessContext == nil { 32760 ev.BaseEvent.ProcessContext = &ProcessContext{} 32761 } 32762 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32763 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32764 } 32765 rv, ok := value.(int) 32766 if !ok { 32767 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.Mode"} 32768 } 32769 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.Mode = uint16(rv) 32770 return nil 32771 case "process.ancestors.file.uid": 32772 if ev.BaseEvent.ProcessContext == nil { 32773 ev.BaseEvent.ProcessContext = &ProcessContext{} 32774 } 32775 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32776 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32777 } 32778 rv, ok := value.(int) 32779 if !ok { 32780 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.UID"} 32781 } 32782 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.UID = uint32(rv) 
32783 return nil 32784 case "process.ancestors.file.user": 32785 if ev.BaseEvent.ProcessContext == nil { 32786 ev.BaseEvent.ProcessContext = &ProcessContext{} 32787 } 32788 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32789 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32790 } 32791 rv, ok := value.(string) 32792 if !ok { 32793 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.User"} 32794 } 32795 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.FileEvent.FileFields.User = rv 32796 return nil 32797 case "process.ancestors.fsgid": 32798 if ev.BaseEvent.ProcessContext == nil { 32799 ev.BaseEvent.ProcessContext = &ProcessContext{} 32800 } 32801 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32802 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32803 } 32804 rv, ok := value.(int) 32805 if !ok { 32806 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.FSGID"} 32807 } 32808 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.FSGID = uint32(rv) 32809 return nil 32810 case "process.ancestors.fsgroup": 32811 if ev.BaseEvent.ProcessContext == nil { 32812 ev.BaseEvent.ProcessContext = &ProcessContext{} 32813 } 32814 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32815 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32816 } 32817 rv, ok := value.(string) 32818 if !ok { 32819 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.FSGroup"} 32820 } 32821 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.FSGroup = rv 32822 return nil 32823 case "process.ancestors.fsuid": 32824 if ev.BaseEvent.ProcessContext == nil { 32825 ev.BaseEvent.ProcessContext = &ProcessContext{} 32826 } 32827 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32828 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 
32829 } 32830 rv, ok := value.(int) 32831 if !ok { 32832 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.FSUID"} 32833 } 32834 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.FSUID = uint32(rv) 32835 return nil 32836 case "process.ancestors.fsuser": 32837 if ev.BaseEvent.ProcessContext == nil { 32838 ev.BaseEvent.ProcessContext = &ProcessContext{} 32839 } 32840 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32841 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32842 } 32843 rv, ok := value.(string) 32844 if !ok { 32845 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.FSUser"} 32846 } 32847 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.FSUser = rv 32848 return nil 32849 case "process.ancestors.gid": 32850 if ev.BaseEvent.ProcessContext == nil { 32851 ev.BaseEvent.ProcessContext = &ProcessContext{} 32852 } 32853 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32854 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32855 } 32856 rv, ok := value.(int) 32857 if !ok { 32858 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.GID"} 32859 } 32860 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.GID = uint32(rv) 32861 return nil 32862 case "process.ancestors.group": 32863 if ev.BaseEvent.ProcessContext == nil { 32864 ev.BaseEvent.ProcessContext = &ProcessContext{} 32865 } 32866 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32867 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32868 } 32869 rv, ok := value.(string) 32870 if !ok { 32871 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.Group"} 32872 } 32873 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.Group = rv 32874 return nil 32875 case 
"process.ancestors.interpreter.file.change_time": 32876 if ev.BaseEvent.ProcessContext == nil { 32877 ev.BaseEvent.ProcessContext = &ProcessContext{} 32878 } 32879 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32880 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32881 } 32882 rv, ok := value.(int) 32883 if !ok { 32884 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime"} 32885 } 32886 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime = uint64(rv) 32887 return nil 32888 case "process.ancestors.interpreter.file.filesystem": 32889 if ev.BaseEvent.ProcessContext == nil { 32890 ev.BaseEvent.ProcessContext = &ProcessContext{} 32891 } 32892 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32893 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32894 } 32895 rv, ok := value.(string) 32896 if !ok { 32897 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Filesystem"} 32898 } 32899 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Filesystem = rv 32900 return nil 32901 case "process.ancestors.interpreter.file.gid": 32902 if ev.BaseEvent.ProcessContext == nil { 32903 ev.BaseEvent.ProcessContext = &ProcessContext{} 32904 } 32905 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32906 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32907 } 32908 rv, ok := value.(int) 32909 if !ok { 32910 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID"} 32911 } 32912 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID = uint32(rv) 32913 return nil 32914 case "process.ancestors.interpreter.file.group": 32915 if ev.BaseEvent.ProcessContext == nil { 32916 ev.BaseEvent.ProcessContext = 
&ProcessContext{} 32917 } 32918 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32919 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32920 } 32921 rv, ok := value.(string) 32922 if !ok { 32923 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Group"} 32924 } 32925 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Group = rv 32926 return nil 32927 case "process.ancestors.interpreter.file.hashes": 32928 if ev.BaseEvent.ProcessContext == nil { 32929 ev.BaseEvent.ProcessContext = &ProcessContext{} 32930 } 32931 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32932 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32933 } 32934 switch rv := value.(type) { 32935 case string: 32936 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes, rv) 32937 case []string: 32938 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes, rv...) 
32939 default: 32940 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes"} 32941 } 32942 return nil 32943 case "process.ancestors.interpreter.file.in_upper_layer": 32944 if ev.BaseEvent.ProcessContext == nil { 32945 ev.BaseEvent.ProcessContext = &ProcessContext{} 32946 } 32947 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32948 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32949 } 32950 rv, ok := value.(bool) 32951 if !ok { 32952 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer"} 32953 } 32954 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer = rv 32955 return nil 32956 case "process.ancestors.interpreter.file.inode": 32957 if ev.BaseEvent.ProcessContext == nil { 32958 ev.BaseEvent.ProcessContext = &ProcessContext{} 32959 } 32960 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32961 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32962 } 32963 rv, ok := value.(int) 32964 if !ok { 32965 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode"} 32966 } 32967 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode = uint64(rv) 32968 return nil 32969 case "process.ancestors.interpreter.file.mode": 32970 if ev.BaseEvent.ProcessContext == nil { 32971 ev.BaseEvent.ProcessContext = &ProcessContext{} 32972 } 32973 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32974 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32975 } 32976 rv, ok := value.(int) 32977 if !ok { 32978 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 32979 } 32980 
ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 32981 return nil 32982 case "process.ancestors.interpreter.file.modification_time": 32983 if ev.BaseEvent.ProcessContext == nil { 32984 ev.BaseEvent.ProcessContext = &ProcessContext{} 32985 } 32986 if ev.BaseEvent.ProcessContext.Ancestor == nil { 32987 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 32988 } 32989 rv, ok := value.(int) 32990 if !ok { 32991 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime"} 32992 } 32993 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime = uint64(rv) 32994 return nil 32995 case "process.ancestors.interpreter.file.mount_id": 32996 if ev.BaseEvent.ProcessContext == nil { 32997 ev.BaseEvent.ProcessContext = &ProcessContext{} 32998 } 32999 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33000 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33001 } 33002 rv, ok := value.(int) 33003 if !ok { 33004 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID"} 33005 } 33006 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID = uint32(rv) 33007 return nil 33008 case "process.ancestors.interpreter.file.name": 33009 if ev.BaseEvent.ProcessContext == nil { 33010 ev.BaseEvent.ProcessContext = &ProcessContext{} 33011 } 33012 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33013 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33014 } 33015 rv, ok := value.(string) 33016 if !ok { 33017 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.BasenameStr"} 33018 } 33019 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.BasenameStr = 
rv 33020 return nil 33021 case "process.ancestors.interpreter.file.name.length": 33022 if ev.BaseEvent.ProcessContext == nil { 33023 ev.BaseEvent.ProcessContext = &ProcessContext{} 33024 } 33025 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33026 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33027 } 33028 return &eval.ErrFieldReadOnly{Field: "process.ancestors.interpreter.file.name.length"} 33029 case "process.ancestors.interpreter.file.package.name": 33030 if ev.BaseEvent.ProcessContext == nil { 33031 ev.BaseEvent.ProcessContext = &ProcessContext{} 33032 } 33033 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33034 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33035 } 33036 rv, ok := value.(string) 33037 if !ok { 33038 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgName"} 33039 } 33040 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgName = rv 33041 return nil 33042 case "process.ancestors.interpreter.file.package.source_version": 33043 if ev.BaseEvent.ProcessContext == nil { 33044 ev.BaseEvent.ProcessContext = &ProcessContext{} 33045 } 33046 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33047 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33048 } 33049 rv, ok := value.(string) 33050 if !ok { 33051 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgSrcVersion"} 33052 } 33053 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgSrcVersion = rv 33054 return nil 33055 case "process.ancestors.interpreter.file.package.version": 33056 if ev.BaseEvent.ProcessContext == nil { 33057 ev.BaseEvent.ProcessContext = &ProcessContext{} 33058 } 33059 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33060 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33061 } 33062 rv, ok := value.(string) 33063 if !ok { 
33064 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgVersion"} 33065 } 33066 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgVersion = rv 33067 return nil 33068 case "process.ancestors.interpreter.file.path": 33069 if ev.BaseEvent.ProcessContext == nil { 33070 ev.BaseEvent.ProcessContext = &ProcessContext{} 33071 } 33072 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33073 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33074 } 33075 rv, ok := value.(string) 33076 if !ok { 33077 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PathnameStr"} 33078 } 33079 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PathnameStr = rv 33080 return nil 33081 case "process.ancestors.interpreter.file.path.length": 33082 if ev.BaseEvent.ProcessContext == nil { 33083 ev.BaseEvent.ProcessContext = &ProcessContext{} 33084 } 33085 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33086 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33087 } 33088 return &eval.ErrFieldReadOnly{Field: "process.ancestors.interpreter.file.path.length"} 33089 case "process.ancestors.interpreter.file.rights": 33090 if ev.BaseEvent.ProcessContext == nil { 33091 ev.BaseEvent.ProcessContext = &ProcessContext{} 33092 } 33093 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33094 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33095 } 33096 rv, ok := value.(int) 33097 if !ok { 33098 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 33099 } 33100 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 33101 return nil 33102 case "process.ancestors.interpreter.file.uid": 33103 if ev.BaseEvent.ProcessContext == nil { 33104 
ev.BaseEvent.ProcessContext = &ProcessContext{} 33105 } 33106 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33107 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33108 } 33109 rv, ok := value.(int) 33110 if !ok { 33111 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID"} 33112 } 33113 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID = uint32(rv) 33114 return nil 33115 case "process.ancestors.interpreter.file.user": 33116 if ev.BaseEvent.ProcessContext == nil { 33117 ev.BaseEvent.ProcessContext = &ProcessContext{} 33118 } 33119 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33120 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33121 } 33122 rv, ok := value.(string) 33123 if !ok { 33124 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.User"} 33125 } 33126 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.User = rv 33127 return nil 33128 case "process.ancestors.is_kworker": 33129 if ev.BaseEvent.ProcessContext == nil { 33130 ev.BaseEvent.ProcessContext = &ProcessContext{} 33131 } 33132 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33133 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33134 } 33135 rv, ok := value.(bool) 33136 if !ok { 33137 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.PIDContext.IsKworker"} 33138 } 33139 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.PIDContext.IsKworker = rv 33140 return nil 33141 case "process.ancestors.is_thread": 33142 if ev.BaseEvent.ProcessContext == nil { 33143 ev.BaseEvent.ProcessContext = &ProcessContext{} 33144 } 33145 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33146 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33147 } 33148 rv, ok := 
value.(bool) 33149 if !ok { 33150 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.IsThread"} 33151 } 33152 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.IsThread = rv 33153 return nil 33154 case "process.ancestors.pid": 33155 if ev.BaseEvent.ProcessContext == nil { 33156 ev.BaseEvent.ProcessContext = &ProcessContext{} 33157 } 33158 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33159 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33160 } 33161 rv, ok := value.(int) 33162 if !ok { 33163 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.PIDContext.Pid"} 33164 } 33165 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.PIDContext.Pid = uint32(rv) 33166 return nil 33167 case "process.ancestors.ppid": 33168 if ev.BaseEvent.ProcessContext == nil { 33169 ev.BaseEvent.ProcessContext = &ProcessContext{} 33170 } 33171 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33172 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33173 } 33174 rv, ok := value.(int) 33175 if !ok { 33176 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.PPid"} 33177 } 33178 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.PPid = uint32(rv) 33179 return nil 33180 case "process.ancestors.tid": 33181 if ev.BaseEvent.ProcessContext == nil { 33182 ev.BaseEvent.ProcessContext = &ProcessContext{} 33183 } 33184 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33185 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33186 } 33187 rv, ok := value.(int) 33188 if !ok { 33189 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.PIDContext.Tid"} 33190 } 33191 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.PIDContext.Tid = uint32(rv) 33192 return nil 33193 case "process.ancestors.tty_name": 33194 if ev.BaseEvent.ProcessContext == nil { 33195 
ev.BaseEvent.ProcessContext = &ProcessContext{} 33196 } 33197 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33198 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33199 } 33200 rv, ok := value.(string) 33201 if !ok { 33202 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.TTYName"} 33203 } 33204 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.TTYName = rv 33205 return nil 33206 case "process.ancestors.uid": 33207 if ev.BaseEvent.ProcessContext == nil { 33208 ev.BaseEvent.ProcessContext = &ProcessContext{} 33209 } 33210 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33211 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33212 } 33213 rv, ok := value.(int) 33214 if !ok { 33215 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.UID"} 33216 } 33217 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.UID = uint32(rv) 33218 return nil 33219 case "process.ancestors.user": 33220 if ev.BaseEvent.ProcessContext == nil { 33221 ev.BaseEvent.ProcessContext = &ProcessContext{} 33222 } 33223 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33224 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33225 } 33226 rv, ok := value.(string) 33227 if !ok { 33228 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.User"} 33229 } 33230 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.Credentials.User = rv 33231 return nil 33232 case "process.ancestors.user_session.k8s_groups": 33233 if ev.BaseEvent.ProcessContext == nil { 33234 ev.BaseEvent.ProcessContext = &ProcessContext{} 33235 } 33236 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33237 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33238 } 33239 switch rv := value.(type) { 33240 case string: 33241 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.UserSession.K8SGroups 
= append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.UserSession.K8SGroups, rv) 33242 case []string: 33243 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.UserSession.K8SGroups = append(ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.UserSession.K8SGroups, rv...) 33244 default: 33245 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.UserSession.K8SGroups"} 33246 } 33247 return nil 33248 case "process.ancestors.user_session.k8s_uid": 33249 if ev.BaseEvent.ProcessContext == nil { 33250 ev.BaseEvent.ProcessContext = &ProcessContext{} 33251 } 33252 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33253 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33254 } 33255 rv, ok := value.(string) 33256 if !ok { 33257 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.UserSession.K8SUID"} 33258 } 33259 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.UserSession.K8SUID = rv 33260 return nil 33261 case "process.ancestors.user_session.k8s_username": 33262 if ev.BaseEvent.ProcessContext == nil { 33263 ev.BaseEvent.ProcessContext = &ProcessContext{} 33264 } 33265 if ev.BaseEvent.ProcessContext.Ancestor == nil { 33266 ev.BaseEvent.ProcessContext.Ancestor = &ProcessCacheEntry{} 33267 } 33268 rv, ok := value.(string) 33269 if !ok { 33270 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.UserSession.K8SUsername"} 33271 } 33272 ev.BaseEvent.ProcessContext.Ancestor.ProcessContext.Process.UserSession.K8SUsername = rv 33273 return nil 33274 case "process.args": 33275 if ev.BaseEvent.ProcessContext == nil { 33276 ev.BaseEvent.ProcessContext = &ProcessContext{} 33277 } 33278 rv, ok := value.(string) 33279 if !ok { 33280 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Args"} 33281 } 33282 ev.BaseEvent.ProcessContext.Process.Args = rv 33283 return nil 33284 case 
"process.args_flags": 33285 if ev.BaseEvent.ProcessContext == nil { 33286 ev.BaseEvent.ProcessContext = &ProcessContext{} 33287 } 33288 switch rv := value.(type) { 33289 case string: 33290 ev.BaseEvent.ProcessContext.Process.Argv = append(ev.BaseEvent.ProcessContext.Process.Argv, rv) 33291 case []string: 33292 ev.BaseEvent.ProcessContext.Process.Argv = append(ev.BaseEvent.ProcessContext.Process.Argv, rv...) 33293 default: 33294 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Argv"} 33295 } 33296 return nil 33297 case "process.args_options": 33298 if ev.BaseEvent.ProcessContext == nil { 33299 ev.BaseEvent.ProcessContext = &ProcessContext{} 33300 } 33301 switch rv := value.(type) { 33302 case string: 33303 ev.BaseEvent.ProcessContext.Process.Argv = append(ev.BaseEvent.ProcessContext.Process.Argv, rv) 33304 case []string: 33305 ev.BaseEvent.ProcessContext.Process.Argv = append(ev.BaseEvent.ProcessContext.Process.Argv, rv...) 33306 default: 33307 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Argv"} 33308 } 33309 return nil 33310 case "process.args_truncated": 33311 if ev.BaseEvent.ProcessContext == nil { 33312 ev.BaseEvent.ProcessContext = &ProcessContext{} 33313 } 33314 rv, ok := value.(bool) 33315 if !ok { 33316 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.ArgsTruncated"} 33317 } 33318 ev.BaseEvent.ProcessContext.Process.ArgsTruncated = rv 33319 return nil 33320 case "process.argv": 33321 if ev.BaseEvent.ProcessContext == nil { 33322 ev.BaseEvent.ProcessContext = &ProcessContext{} 33323 } 33324 switch rv := value.(type) { 33325 case string: 33326 ev.BaseEvent.ProcessContext.Process.Argv = append(ev.BaseEvent.ProcessContext.Process.Argv, rv) 33327 case []string: 33328 ev.BaseEvent.ProcessContext.Process.Argv = append(ev.BaseEvent.ProcessContext.Process.Argv, rv...) 
33329 default: 33330 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Argv"} 33331 } 33332 return nil 33333 case "process.argv0": 33334 if ev.BaseEvent.ProcessContext == nil { 33335 ev.BaseEvent.ProcessContext = &ProcessContext{} 33336 } 33337 rv, ok := value.(string) 33338 if !ok { 33339 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Argv0"} 33340 } 33341 ev.BaseEvent.ProcessContext.Process.Argv0 = rv 33342 return nil 33343 case "process.cap_effective": 33344 if ev.BaseEvent.ProcessContext == nil { 33345 ev.BaseEvent.ProcessContext = &ProcessContext{} 33346 } 33347 rv, ok := value.(int) 33348 if !ok { 33349 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.CapEffective"} 33350 } 33351 ev.BaseEvent.ProcessContext.Process.Credentials.CapEffective = uint64(rv) 33352 return nil 33353 case "process.cap_permitted": 33354 if ev.BaseEvent.ProcessContext == nil { 33355 ev.BaseEvent.ProcessContext = &ProcessContext{} 33356 } 33357 rv, ok := value.(int) 33358 if !ok { 33359 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.CapPermitted"} 33360 } 33361 ev.BaseEvent.ProcessContext.Process.Credentials.CapPermitted = uint64(rv) 33362 return nil 33363 case "process.comm": 33364 if ev.BaseEvent.ProcessContext == nil { 33365 ev.BaseEvent.ProcessContext = &ProcessContext{} 33366 } 33367 rv, ok := value.(string) 33368 if !ok { 33369 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Comm"} 33370 } 33371 ev.BaseEvent.ProcessContext.Process.Comm = rv 33372 return nil 33373 case "process.container.id": 33374 if ev.BaseEvent.ProcessContext == nil { 33375 ev.BaseEvent.ProcessContext = &ProcessContext{} 33376 } 33377 rv, ok := value.(string) 33378 if !ok { 33379 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.ContainerID"} 33380 } 33381 ev.BaseEvent.ProcessContext.Process.ContainerID = rv 33382 return nil 33383 
case "process.created_at": 33384 if ev.BaseEvent.ProcessContext == nil { 33385 ev.BaseEvent.ProcessContext = &ProcessContext{} 33386 } 33387 rv, ok := value.(int) 33388 if !ok { 33389 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.CreatedAt"} 33390 } 33391 ev.BaseEvent.ProcessContext.Process.CreatedAt = uint64(rv) 33392 return nil 33393 case "process.egid": 33394 if ev.BaseEvent.ProcessContext == nil { 33395 ev.BaseEvent.ProcessContext = &ProcessContext{} 33396 } 33397 rv, ok := value.(int) 33398 if !ok { 33399 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.EGID"} 33400 } 33401 ev.BaseEvent.ProcessContext.Process.Credentials.EGID = uint32(rv) 33402 return nil 33403 case "process.egroup": 33404 if ev.BaseEvent.ProcessContext == nil { 33405 ev.BaseEvent.ProcessContext = &ProcessContext{} 33406 } 33407 rv, ok := value.(string) 33408 if !ok { 33409 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.EGroup"} 33410 } 33411 ev.BaseEvent.ProcessContext.Process.Credentials.EGroup = rv 33412 return nil 33413 case "process.envp": 33414 if ev.BaseEvent.ProcessContext == nil { 33415 ev.BaseEvent.ProcessContext = &ProcessContext{} 33416 } 33417 switch rv := value.(type) { 33418 case string: 33419 ev.BaseEvent.ProcessContext.Process.Envp = append(ev.BaseEvent.ProcessContext.Process.Envp, rv) 33420 case []string: 33421 ev.BaseEvent.ProcessContext.Process.Envp = append(ev.BaseEvent.ProcessContext.Process.Envp, rv...) 
33422 default: 33423 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Envp"} 33424 } 33425 return nil 33426 case "process.envs": 33427 if ev.BaseEvent.ProcessContext == nil { 33428 ev.BaseEvent.ProcessContext = &ProcessContext{} 33429 } 33430 switch rv := value.(type) { 33431 case string: 33432 ev.BaseEvent.ProcessContext.Process.Envs = append(ev.BaseEvent.ProcessContext.Process.Envs, rv) 33433 case []string: 33434 ev.BaseEvent.ProcessContext.Process.Envs = append(ev.BaseEvent.ProcessContext.Process.Envs, rv...) 33435 default: 33436 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Envs"} 33437 } 33438 return nil 33439 case "process.envs_truncated": 33440 if ev.BaseEvent.ProcessContext == nil { 33441 ev.BaseEvent.ProcessContext = &ProcessContext{} 33442 } 33443 rv, ok := value.(bool) 33444 if !ok { 33445 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.EnvsTruncated"} 33446 } 33447 ev.BaseEvent.ProcessContext.Process.EnvsTruncated = rv 33448 return nil 33449 case "process.euid": 33450 if ev.BaseEvent.ProcessContext == nil { 33451 ev.BaseEvent.ProcessContext = &ProcessContext{} 33452 } 33453 rv, ok := value.(int) 33454 if !ok { 33455 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.EUID"} 33456 } 33457 ev.BaseEvent.ProcessContext.Process.Credentials.EUID = uint32(rv) 33458 return nil 33459 case "process.euser": 33460 if ev.BaseEvent.ProcessContext == nil { 33461 ev.BaseEvent.ProcessContext = &ProcessContext{} 33462 } 33463 rv, ok := value.(string) 33464 if !ok { 33465 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.EUser"} 33466 } 33467 ev.BaseEvent.ProcessContext.Process.Credentials.EUser = rv 33468 return nil 33469 case "process.file.change_time": 33470 if ev.BaseEvent.ProcessContext == nil { 33471 ev.BaseEvent.ProcessContext = &ProcessContext{} 33472 } 33473 rv, ok := value.(int) 33474 if !ok { 33475 return 
&eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.FileFields.CTime"} 33476 } 33477 ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.CTime = uint64(rv) 33478 return nil 33479 case "process.file.filesystem": 33480 if ev.BaseEvent.ProcessContext == nil { 33481 ev.BaseEvent.ProcessContext = &ProcessContext{} 33482 } 33483 rv, ok := value.(string) 33484 if !ok { 33485 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.Filesystem"} 33486 } 33487 ev.BaseEvent.ProcessContext.Process.FileEvent.Filesystem = rv 33488 return nil 33489 case "process.file.gid": 33490 if ev.BaseEvent.ProcessContext == nil { 33491 ev.BaseEvent.ProcessContext = &ProcessContext{} 33492 } 33493 rv, ok := value.(int) 33494 if !ok { 33495 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.FileFields.GID"} 33496 } 33497 ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.GID = uint32(rv) 33498 return nil 33499 case "process.file.group": 33500 if ev.BaseEvent.ProcessContext == nil { 33501 ev.BaseEvent.ProcessContext = &ProcessContext{} 33502 } 33503 rv, ok := value.(string) 33504 if !ok { 33505 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.FileFields.Group"} 33506 } 33507 ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.Group = rv 33508 return nil 33509 case "process.file.hashes": 33510 if ev.BaseEvent.ProcessContext == nil { 33511 ev.BaseEvent.ProcessContext = &ProcessContext{} 33512 } 33513 switch rv := value.(type) { 33514 case string: 33515 ev.BaseEvent.ProcessContext.Process.FileEvent.Hashes = append(ev.BaseEvent.ProcessContext.Process.FileEvent.Hashes, rv) 33516 case []string: 33517 ev.BaseEvent.ProcessContext.Process.FileEvent.Hashes = append(ev.BaseEvent.ProcessContext.Process.FileEvent.Hashes, rv...) 
33518 default: 33519 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.Hashes"} 33520 } 33521 return nil 33522 case "process.file.in_upper_layer": 33523 if ev.BaseEvent.ProcessContext == nil { 33524 ev.BaseEvent.ProcessContext = &ProcessContext{} 33525 } 33526 rv, ok := value.(bool) 33527 if !ok { 33528 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.FileFields.InUpperLayer"} 33529 } 33530 ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.InUpperLayer = rv 33531 return nil 33532 case "process.file.inode": 33533 if ev.BaseEvent.ProcessContext == nil { 33534 ev.BaseEvent.ProcessContext = &ProcessContext{} 33535 } 33536 rv, ok := value.(int) 33537 if !ok { 33538 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode"} 33539 } 33540 ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode = uint64(rv) 33541 return nil 33542 case "process.file.mode": 33543 if ev.BaseEvent.ProcessContext == nil { 33544 ev.BaseEvent.ProcessContext = &ProcessContext{} 33545 } 33546 rv, ok := value.(int) 33547 if !ok { 33548 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.FileFields.Mode"} 33549 } 33550 ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.Mode = uint16(rv) 33551 return nil 33552 case "process.file.modification_time": 33553 if ev.BaseEvent.ProcessContext == nil { 33554 ev.BaseEvent.ProcessContext = &ProcessContext{} 33555 } 33556 rv, ok := value.(int) 33557 if !ok { 33558 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.FileFields.MTime"} 33559 } 33560 ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.MTime = uint64(rv) 33561 return nil 33562 case "process.file.mount_id": 33563 if ev.BaseEvent.ProcessContext == nil { 33564 ev.BaseEvent.ProcessContext = &ProcessContext{} 33565 } 33566 rv, ok := value.(int) 33567 if !ok { 33568 return 
&eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID"} 33569 } 33570 ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID = uint32(rv) 33571 return nil 33572 case "process.file.name": 33573 if ev.BaseEvent.ProcessContext == nil { 33574 ev.BaseEvent.ProcessContext = &ProcessContext{} 33575 } 33576 rv, ok := value.(string) 33577 if !ok { 33578 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.BasenameStr"} 33579 } 33580 ev.BaseEvent.ProcessContext.Process.FileEvent.BasenameStr = rv 33581 return nil 33582 case "process.file.name.length": 33583 if ev.BaseEvent.ProcessContext == nil { 33584 ev.BaseEvent.ProcessContext = &ProcessContext{} 33585 } 33586 return &eval.ErrFieldReadOnly{Field: "process.file.name.length"} 33587 case "process.file.package.name": 33588 if ev.BaseEvent.ProcessContext == nil { 33589 ev.BaseEvent.ProcessContext = &ProcessContext{} 33590 } 33591 rv, ok := value.(string) 33592 if !ok { 33593 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.PkgName"} 33594 } 33595 ev.BaseEvent.ProcessContext.Process.FileEvent.PkgName = rv 33596 return nil 33597 case "process.file.package.source_version": 33598 if ev.BaseEvent.ProcessContext == nil { 33599 ev.BaseEvent.ProcessContext = &ProcessContext{} 33600 } 33601 rv, ok := value.(string) 33602 if !ok { 33603 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.PkgSrcVersion"} 33604 } 33605 ev.BaseEvent.ProcessContext.Process.FileEvent.PkgSrcVersion = rv 33606 return nil 33607 case "process.file.package.version": 33608 if ev.BaseEvent.ProcessContext == nil { 33609 ev.BaseEvent.ProcessContext = &ProcessContext{} 33610 } 33611 rv, ok := value.(string) 33612 if !ok { 33613 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.PkgVersion"} 33614 } 33615 ev.BaseEvent.ProcessContext.Process.FileEvent.PkgVersion = rv 
33616 return nil 33617 case "process.file.path": 33618 if ev.BaseEvent.ProcessContext == nil { 33619 ev.BaseEvent.ProcessContext = &ProcessContext{} 33620 } 33621 rv, ok := value.(string) 33622 if !ok { 33623 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.PathnameStr"} 33624 } 33625 ev.BaseEvent.ProcessContext.Process.FileEvent.PathnameStr = rv 33626 return nil 33627 case "process.file.path.length": 33628 if ev.BaseEvent.ProcessContext == nil { 33629 ev.BaseEvent.ProcessContext = &ProcessContext{} 33630 } 33631 return &eval.ErrFieldReadOnly{Field: "process.file.path.length"} 33632 case "process.file.rights": 33633 if ev.BaseEvent.ProcessContext == nil { 33634 ev.BaseEvent.ProcessContext = &ProcessContext{} 33635 } 33636 rv, ok := value.(int) 33637 if !ok { 33638 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.FileFields.Mode"} 33639 } 33640 ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.Mode = uint16(rv) 33641 return nil 33642 case "process.file.uid": 33643 if ev.BaseEvent.ProcessContext == nil { 33644 ev.BaseEvent.ProcessContext = &ProcessContext{} 33645 } 33646 rv, ok := value.(int) 33647 if !ok { 33648 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.FileFields.UID"} 33649 } 33650 ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.UID = uint32(rv) 33651 return nil 33652 case "process.file.user": 33653 if ev.BaseEvent.ProcessContext == nil { 33654 ev.BaseEvent.ProcessContext = &ProcessContext{} 33655 } 33656 rv, ok := value.(string) 33657 if !ok { 33658 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.FileEvent.FileFields.User"} 33659 } 33660 ev.BaseEvent.ProcessContext.Process.FileEvent.FileFields.User = rv 33661 return nil 33662 case "process.fsgid": 33663 if ev.BaseEvent.ProcessContext == nil { 33664 ev.BaseEvent.ProcessContext = &ProcessContext{} 33665 } 33666 rv, ok := value.(int) 33667 if !ok { 33668 return 
&eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.FSGID"} 33669 } 33670 ev.BaseEvent.ProcessContext.Process.Credentials.FSGID = uint32(rv) 33671 return nil 33672 case "process.fsgroup": 33673 if ev.BaseEvent.ProcessContext == nil { 33674 ev.BaseEvent.ProcessContext = &ProcessContext{} 33675 } 33676 rv, ok := value.(string) 33677 if !ok { 33678 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.FSGroup"} 33679 } 33680 ev.BaseEvent.ProcessContext.Process.Credentials.FSGroup = rv 33681 return nil 33682 case "process.fsuid": 33683 if ev.BaseEvent.ProcessContext == nil { 33684 ev.BaseEvent.ProcessContext = &ProcessContext{} 33685 } 33686 rv, ok := value.(int) 33687 if !ok { 33688 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.FSUID"} 33689 } 33690 ev.BaseEvent.ProcessContext.Process.Credentials.FSUID = uint32(rv) 33691 return nil 33692 case "process.fsuser": 33693 if ev.BaseEvent.ProcessContext == nil { 33694 ev.BaseEvent.ProcessContext = &ProcessContext{} 33695 } 33696 rv, ok := value.(string) 33697 if !ok { 33698 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.FSUser"} 33699 } 33700 ev.BaseEvent.ProcessContext.Process.Credentials.FSUser = rv 33701 return nil 33702 case "process.gid": 33703 if ev.BaseEvent.ProcessContext == nil { 33704 ev.BaseEvent.ProcessContext = &ProcessContext{} 33705 } 33706 rv, ok := value.(int) 33707 if !ok { 33708 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.GID"} 33709 } 33710 ev.BaseEvent.ProcessContext.Process.Credentials.GID = uint32(rv) 33711 return nil 33712 case "process.group": 33713 if ev.BaseEvent.ProcessContext == nil { 33714 ev.BaseEvent.ProcessContext = &ProcessContext{} 33715 } 33716 rv, ok := value.(string) 33717 if !ok { 33718 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.Group"} 33719 } 33720 
ev.BaseEvent.ProcessContext.Process.Credentials.Group = rv 33721 return nil 33722 case "process.interpreter.file.change_time": 33723 if ev.BaseEvent.ProcessContext == nil { 33724 ev.BaseEvent.ProcessContext = &ProcessContext{} 33725 } 33726 rv, ok := value.(int) 33727 if !ok { 33728 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime"} 33729 } 33730 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime = uint64(rv) 33731 return nil 33732 case "process.interpreter.file.filesystem": 33733 if ev.BaseEvent.ProcessContext == nil { 33734 ev.BaseEvent.ProcessContext = &ProcessContext{} 33735 } 33736 rv, ok := value.(string) 33737 if !ok { 33738 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.Filesystem"} 33739 } 33740 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.Filesystem = rv 33741 return nil 33742 case "process.interpreter.file.gid": 33743 if ev.BaseEvent.ProcessContext == nil { 33744 ev.BaseEvent.ProcessContext = &ProcessContext{} 33745 } 33746 rv, ok := value.(int) 33747 if !ok { 33748 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID"} 33749 } 33750 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID = uint32(rv) 33751 return nil 33752 case "process.interpreter.file.group": 33753 if ev.BaseEvent.ProcessContext == nil { 33754 ev.BaseEvent.ProcessContext = &ProcessContext{} 33755 } 33756 rv, ok := value.(string) 33757 if !ok { 33758 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Group"} 33759 } 33760 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Group = rv 33761 return nil 33762 case "process.interpreter.file.hashes": 33763 if ev.BaseEvent.ProcessContext == nil { 33764 ev.BaseEvent.ProcessContext = &ProcessContext{} 33765 } 33766 switch rv := value.(type) { 
33767 case string: 33768 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes = append(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes, rv) 33769 case []string: 33770 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes = append(ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes, rv...) 33771 default: 33772 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes"} 33773 } 33774 return nil 33775 case "process.interpreter.file.in_upper_layer": 33776 if ev.BaseEvent.ProcessContext == nil { 33777 ev.BaseEvent.ProcessContext = &ProcessContext{} 33778 } 33779 rv, ok := value.(bool) 33780 if !ok { 33781 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer"} 33782 } 33783 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer = rv 33784 return nil 33785 case "process.interpreter.file.inode": 33786 if ev.BaseEvent.ProcessContext == nil { 33787 ev.BaseEvent.ProcessContext = &ProcessContext{} 33788 } 33789 rv, ok := value.(int) 33790 if !ok { 33791 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode"} 33792 } 33793 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode = uint64(rv) 33794 return nil 33795 case "process.interpreter.file.mode": 33796 if ev.BaseEvent.ProcessContext == nil { 33797 ev.BaseEvent.ProcessContext = &ProcessContext{} 33798 } 33799 rv, ok := value.(int) 33800 if !ok { 33801 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 33802 } 33803 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 33804 return nil 33805 case "process.interpreter.file.modification_time": 33806 if ev.BaseEvent.ProcessContext == nil { 33807 ev.BaseEvent.ProcessContext = &ProcessContext{} 33808 } 
33809 rv, ok := value.(int) 33810 if !ok { 33811 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime"} 33812 } 33813 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime = uint64(rv) 33814 return nil 33815 case "process.interpreter.file.mount_id": 33816 if ev.BaseEvent.ProcessContext == nil { 33817 ev.BaseEvent.ProcessContext = &ProcessContext{} 33818 } 33819 rv, ok := value.(int) 33820 if !ok { 33821 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID"} 33822 } 33823 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID = uint32(rv) 33824 return nil 33825 case "process.interpreter.file.name": 33826 if ev.BaseEvent.ProcessContext == nil { 33827 ev.BaseEvent.ProcessContext = &ProcessContext{} 33828 } 33829 rv, ok := value.(string) 33830 if !ok { 33831 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.BasenameStr"} 33832 } 33833 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.BasenameStr = rv 33834 return nil 33835 case "process.interpreter.file.name.length": 33836 if ev.BaseEvent.ProcessContext == nil { 33837 ev.BaseEvent.ProcessContext = &ProcessContext{} 33838 } 33839 return &eval.ErrFieldReadOnly{Field: "process.interpreter.file.name.length"} 33840 case "process.interpreter.file.package.name": 33841 if ev.BaseEvent.ProcessContext == nil { 33842 ev.BaseEvent.ProcessContext = &ProcessContext{} 33843 } 33844 rv, ok := value.(string) 33845 if !ok { 33846 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.PkgName"} 33847 } 33848 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.PkgName = rv 33849 return nil 33850 case "process.interpreter.file.package.source_version": 33851 if ev.BaseEvent.ProcessContext == nil { 33852 ev.BaseEvent.ProcessContext = &ProcessContext{} 33853 } 
33854 rv, ok := value.(string) 33855 if !ok { 33856 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.PkgSrcVersion"} 33857 } 33858 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.PkgSrcVersion = rv 33859 return nil 33860 case "process.interpreter.file.package.version": 33861 if ev.BaseEvent.ProcessContext == nil { 33862 ev.BaseEvent.ProcessContext = &ProcessContext{} 33863 } 33864 rv, ok := value.(string) 33865 if !ok { 33866 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.PkgVersion"} 33867 } 33868 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.PkgVersion = rv 33869 return nil 33870 case "process.interpreter.file.path": 33871 if ev.BaseEvent.ProcessContext == nil { 33872 ev.BaseEvent.ProcessContext = &ProcessContext{} 33873 } 33874 rv, ok := value.(string) 33875 if !ok { 33876 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.PathnameStr"} 33877 } 33878 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.PathnameStr = rv 33879 return nil 33880 case "process.interpreter.file.path.length": 33881 if ev.BaseEvent.ProcessContext == nil { 33882 ev.BaseEvent.ProcessContext = &ProcessContext{} 33883 } 33884 return &eval.ErrFieldReadOnly{Field: "process.interpreter.file.path.length"} 33885 case "process.interpreter.file.rights": 33886 if ev.BaseEvent.ProcessContext == nil { 33887 ev.BaseEvent.ProcessContext = &ProcessContext{} 33888 } 33889 rv, ok := value.(int) 33890 if !ok { 33891 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 33892 } 33893 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 33894 return nil 33895 case "process.interpreter.file.uid": 33896 if ev.BaseEvent.ProcessContext == nil { 33897 ev.BaseEvent.ProcessContext = &ProcessContext{} 33898 } 33899 rv, ok := value.(int) 33900 if !ok { 
33901 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID"} 33902 } 33903 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID = uint32(rv) 33904 return nil 33905 case "process.interpreter.file.user": 33906 if ev.BaseEvent.ProcessContext == nil { 33907 ev.BaseEvent.ProcessContext = &ProcessContext{} 33908 } 33909 rv, ok := value.(string) 33910 if !ok { 33911 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.User"} 33912 } 33913 ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.User = rv 33914 return nil 33915 case "process.is_kworker": 33916 if ev.BaseEvent.ProcessContext == nil { 33917 ev.BaseEvent.ProcessContext = &ProcessContext{} 33918 } 33919 rv, ok := value.(bool) 33920 if !ok { 33921 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.PIDContext.IsKworker"} 33922 } 33923 ev.BaseEvent.ProcessContext.Process.PIDContext.IsKworker = rv 33924 return nil 33925 case "process.is_thread": 33926 if ev.BaseEvent.ProcessContext == nil { 33927 ev.BaseEvent.ProcessContext = &ProcessContext{} 33928 } 33929 rv, ok := value.(bool) 33930 if !ok { 33931 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.IsThread"} 33932 } 33933 ev.BaseEvent.ProcessContext.Process.IsThread = rv 33934 return nil 33935 case "process.parent.args": 33936 if ev.BaseEvent.ProcessContext == nil { 33937 ev.BaseEvent.ProcessContext = &ProcessContext{} 33938 } 33939 if ev.BaseEvent.ProcessContext.Parent == nil { 33940 ev.BaseEvent.ProcessContext.Parent = &Process{} 33941 } 33942 rv, ok := value.(string) 33943 if !ok { 33944 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Args"} 33945 } 33946 ev.BaseEvent.ProcessContext.Parent.Args = rv 33947 return nil 33948 case "process.parent.args_flags": 33949 if ev.BaseEvent.ProcessContext == nil { 33950 ev.BaseEvent.ProcessContext = 
&ProcessContext{} 33951 } 33952 if ev.BaseEvent.ProcessContext.Parent == nil { 33953 ev.BaseEvent.ProcessContext.Parent = &Process{} 33954 } 33955 switch rv := value.(type) { 33956 case string: 33957 ev.BaseEvent.ProcessContext.Parent.Argv = append(ev.BaseEvent.ProcessContext.Parent.Argv, rv) 33958 case []string: 33959 ev.BaseEvent.ProcessContext.Parent.Argv = append(ev.BaseEvent.ProcessContext.Parent.Argv, rv...) 33960 default: 33961 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Argv"} 33962 } 33963 return nil 33964 case "process.parent.args_options": 33965 if ev.BaseEvent.ProcessContext == nil { 33966 ev.BaseEvent.ProcessContext = &ProcessContext{} 33967 } 33968 if ev.BaseEvent.ProcessContext.Parent == nil { 33969 ev.BaseEvent.ProcessContext.Parent = &Process{} 33970 } 33971 switch rv := value.(type) { 33972 case string: 33973 ev.BaseEvent.ProcessContext.Parent.Argv = append(ev.BaseEvent.ProcessContext.Parent.Argv, rv) 33974 case []string: 33975 ev.BaseEvent.ProcessContext.Parent.Argv = append(ev.BaseEvent.ProcessContext.Parent.Argv, rv...) 
33976 default: 33977 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Argv"} 33978 } 33979 return nil 33980 case "process.parent.args_truncated": 33981 if ev.BaseEvent.ProcessContext == nil { 33982 ev.BaseEvent.ProcessContext = &ProcessContext{} 33983 } 33984 if ev.BaseEvent.ProcessContext.Parent == nil { 33985 ev.BaseEvent.ProcessContext.Parent = &Process{} 33986 } 33987 rv, ok := value.(bool) 33988 if !ok { 33989 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.ArgsTruncated"} 33990 } 33991 ev.BaseEvent.ProcessContext.Parent.ArgsTruncated = rv 33992 return nil 33993 case "process.parent.argv": 33994 if ev.BaseEvent.ProcessContext == nil { 33995 ev.BaseEvent.ProcessContext = &ProcessContext{} 33996 } 33997 if ev.BaseEvent.ProcessContext.Parent == nil { 33998 ev.BaseEvent.ProcessContext.Parent = &Process{} 33999 } 34000 switch rv := value.(type) { 34001 case string: 34002 ev.BaseEvent.ProcessContext.Parent.Argv = append(ev.BaseEvent.ProcessContext.Parent.Argv, rv) 34003 case []string: 34004 ev.BaseEvent.ProcessContext.Parent.Argv = append(ev.BaseEvent.ProcessContext.Parent.Argv, rv...) 
34005 default: 34006 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Argv"} 34007 } 34008 return nil 34009 case "process.parent.argv0": 34010 if ev.BaseEvent.ProcessContext == nil { 34011 ev.BaseEvent.ProcessContext = &ProcessContext{} 34012 } 34013 if ev.BaseEvent.ProcessContext.Parent == nil { 34014 ev.BaseEvent.ProcessContext.Parent = &Process{} 34015 } 34016 rv, ok := value.(string) 34017 if !ok { 34018 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Argv0"} 34019 } 34020 ev.BaseEvent.ProcessContext.Parent.Argv0 = rv 34021 return nil 34022 case "process.parent.cap_effective": 34023 if ev.BaseEvent.ProcessContext == nil { 34024 ev.BaseEvent.ProcessContext = &ProcessContext{} 34025 } 34026 if ev.BaseEvent.ProcessContext.Parent == nil { 34027 ev.BaseEvent.ProcessContext.Parent = &Process{} 34028 } 34029 rv, ok := value.(int) 34030 if !ok { 34031 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Credentials.CapEffective"} 34032 } 34033 ev.BaseEvent.ProcessContext.Parent.Credentials.CapEffective = uint64(rv) 34034 return nil 34035 case "process.parent.cap_permitted": 34036 if ev.BaseEvent.ProcessContext == nil { 34037 ev.BaseEvent.ProcessContext = &ProcessContext{} 34038 } 34039 if ev.BaseEvent.ProcessContext.Parent == nil { 34040 ev.BaseEvent.ProcessContext.Parent = &Process{} 34041 } 34042 rv, ok := value.(int) 34043 if !ok { 34044 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Credentials.CapPermitted"} 34045 } 34046 ev.BaseEvent.ProcessContext.Parent.Credentials.CapPermitted = uint64(rv) 34047 return nil 34048 case "process.parent.comm": 34049 if ev.BaseEvent.ProcessContext == nil { 34050 ev.BaseEvent.ProcessContext = &ProcessContext{} 34051 } 34052 if ev.BaseEvent.ProcessContext.Parent == nil { 34053 ev.BaseEvent.ProcessContext.Parent = &Process{} 34054 } 34055 rv, ok := value.(string) 34056 if !ok { 34057 return &eval.ErrValueTypeMismatch{Field: 
"BaseEvent.ProcessContext.Parent.Comm"} 34058 } 34059 ev.BaseEvent.ProcessContext.Parent.Comm = rv 34060 return nil 34061 case "process.parent.container.id": 34062 if ev.BaseEvent.ProcessContext == nil { 34063 ev.BaseEvent.ProcessContext = &ProcessContext{} 34064 } 34065 if ev.BaseEvent.ProcessContext.Parent == nil { 34066 ev.BaseEvent.ProcessContext.Parent = &Process{} 34067 } 34068 rv, ok := value.(string) 34069 if !ok { 34070 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.ContainerID"} 34071 } 34072 ev.BaseEvent.ProcessContext.Parent.ContainerID = rv 34073 return nil 34074 case "process.parent.created_at": 34075 if ev.BaseEvent.ProcessContext == nil { 34076 ev.BaseEvent.ProcessContext = &ProcessContext{} 34077 } 34078 if ev.BaseEvent.ProcessContext.Parent == nil { 34079 ev.BaseEvent.ProcessContext.Parent = &Process{} 34080 } 34081 rv, ok := value.(int) 34082 if !ok { 34083 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.CreatedAt"} 34084 } 34085 ev.BaseEvent.ProcessContext.Parent.CreatedAt = uint64(rv) 34086 return nil 34087 case "process.parent.egid": 34088 if ev.BaseEvent.ProcessContext == nil { 34089 ev.BaseEvent.ProcessContext = &ProcessContext{} 34090 } 34091 if ev.BaseEvent.ProcessContext.Parent == nil { 34092 ev.BaseEvent.ProcessContext.Parent = &Process{} 34093 } 34094 rv, ok := value.(int) 34095 if !ok { 34096 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Credentials.EGID"} 34097 } 34098 ev.BaseEvent.ProcessContext.Parent.Credentials.EGID = uint32(rv) 34099 return nil 34100 case "process.parent.egroup": 34101 if ev.BaseEvent.ProcessContext == nil { 34102 ev.BaseEvent.ProcessContext = &ProcessContext{} 34103 } 34104 if ev.BaseEvent.ProcessContext.Parent == nil { 34105 ev.BaseEvent.ProcessContext.Parent = &Process{} 34106 } 34107 rv, ok := value.(string) 34108 if !ok { 34109 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Credentials.EGroup"} 34110 } 
34111 ev.BaseEvent.ProcessContext.Parent.Credentials.EGroup = rv 34112 return nil 34113 case "process.parent.envp": 34114 if ev.BaseEvent.ProcessContext == nil { 34115 ev.BaseEvent.ProcessContext = &ProcessContext{} 34116 } 34117 if ev.BaseEvent.ProcessContext.Parent == nil { 34118 ev.BaseEvent.ProcessContext.Parent = &Process{} 34119 } 34120 switch rv := value.(type) { 34121 case string: 34122 ev.BaseEvent.ProcessContext.Parent.Envp = append(ev.BaseEvent.ProcessContext.Parent.Envp, rv) 34123 case []string: 34124 ev.BaseEvent.ProcessContext.Parent.Envp = append(ev.BaseEvent.ProcessContext.Parent.Envp, rv...) 34125 default: 34126 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Envp"} 34127 } 34128 return nil 34129 case "process.parent.envs": 34130 if ev.BaseEvent.ProcessContext == nil { 34131 ev.BaseEvent.ProcessContext = &ProcessContext{} 34132 } 34133 if ev.BaseEvent.ProcessContext.Parent == nil { 34134 ev.BaseEvent.ProcessContext.Parent = &Process{} 34135 } 34136 switch rv := value.(type) { 34137 case string: 34138 ev.BaseEvent.ProcessContext.Parent.Envs = append(ev.BaseEvent.ProcessContext.Parent.Envs, rv) 34139 case []string: 34140 ev.BaseEvent.ProcessContext.Parent.Envs = append(ev.BaseEvent.ProcessContext.Parent.Envs, rv...) 
34141 default: 34142 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Envs"} 34143 } 34144 return nil 34145 case "process.parent.envs_truncated": 34146 if ev.BaseEvent.ProcessContext == nil { 34147 ev.BaseEvent.ProcessContext = &ProcessContext{} 34148 } 34149 if ev.BaseEvent.ProcessContext.Parent == nil { 34150 ev.BaseEvent.ProcessContext.Parent = &Process{} 34151 } 34152 rv, ok := value.(bool) 34153 if !ok { 34154 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.EnvsTruncated"} 34155 } 34156 ev.BaseEvent.ProcessContext.Parent.EnvsTruncated = rv 34157 return nil 34158 case "process.parent.euid": 34159 if ev.BaseEvent.ProcessContext == nil { 34160 ev.BaseEvent.ProcessContext = &ProcessContext{} 34161 } 34162 if ev.BaseEvent.ProcessContext.Parent == nil { 34163 ev.BaseEvent.ProcessContext.Parent = &Process{} 34164 } 34165 rv, ok := value.(int) 34166 if !ok { 34167 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Credentials.EUID"} 34168 } 34169 ev.BaseEvent.ProcessContext.Parent.Credentials.EUID = uint32(rv) 34170 return nil 34171 case "process.parent.euser": 34172 if ev.BaseEvent.ProcessContext == nil { 34173 ev.BaseEvent.ProcessContext = &ProcessContext{} 34174 } 34175 if ev.BaseEvent.ProcessContext.Parent == nil { 34176 ev.BaseEvent.ProcessContext.Parent = &Process{} 34177 } 34178 rv, ok := value.(string) 34179 if !ok { 34180 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Credentials.EUser"} 34181 } 34182 ev.BaseEvent.ProcessContext.Parent.Credentials.EUser = rv 34183 return nil 34184 case "process.parent.file.change_time": 34185 if ev.BaseEvent.ProcessContext == nil { 34186 ev.BaseEvent.ProcessContext = &ProcessContext{} 34187 } 34188 if ev.BaseEvent.ProcessContext.Parent == nil { 34189 ev.BaseEvent.ProcessContext.Parent = &Process{} 34190 } 34191 rv, ok := value.(int) 34192 if !ok { 34193 return &eval.ErrValueTypeMismatch{Field: 
"BaseEvent.ProcessContext.Parent.FileEvent.FileFields.CTime"} 34194 } 34195 ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.CTime = uint64(rv) 34196 return nil 34197 case "process.parent.file.filesystem": 34198 if ev.BaseEvent.ProcessContext == nil { 34199 ev.BaseEvent.ProcessContext = &ProcessContext{} 34200 } 34201 if ev.BaseEvent.ProcessContext.Parent == nil { 34202 ev.BaseEvent.ProcessContext.Parent = &Process{} 34203 } 34204 rv, ok := value.(string) 34205 if !ok { 34206 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.Filesystem"} 34207 } 34208 ev.BaseEvent.ProcessContext.Parent.FileEvent.Filesystem = rv 34209 return nil 34210 case "process.parent.file.gid": 34211 if ev.BaseEvent.ProcessContext == nil { 34212 ev.BaseEvent.ProcessContext = &ProcessContext{} 34213 } 34214 if ev.BaseEvent.ProcessContext.Parent == nil { 34215 ev.BaseEvent.ProcessContext.Parent = &Process{} 34216 } 34217 rv, ok := value.(int) 34218 if !ok { 34219 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.FileFields.GID"} 34220 } 34221 ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.GID = uint32(rv) 34222 return nil 34223 case "process.parent.file.group": 34224 if ev.BaseEvent.ProcessContext == nil { 34225 ev.BaseEvent.ProcessContext = &ProcessContext{} 34226 } 34227 if ev.BaseEvent.ProcessContext.Parent == nil { 34228 ev.BaseEvent.ProcessContext.Parent = &Process{} 34229 } 34230 rv, ok := value.(string) 34231 if !ok { 34232 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.FileFields.Group"} 34233 } 34234 ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.Group = rv 34235 return nil 34236 case "process.parent.file.hashes": 34237 if ev.BaseEvent.ProcessContext == nil { 34238 ev.BaseEvent.ProcessContext = &ProcessContext{} 34239 } 34240 if ev.BaseEvent.ProcessContext.Parent == nil { 34241 ev.BaseEvent.ProcessContext.Parent = &Process{} 34242 } 34243 switch rv := 
value.(type) { 34244 case string: 34245 ev.BaseEvent.ProcessContext.Parent.FileEvent.Hashes = append(ev.BaseEvent.ProcessContext.Parent.FileEvent.Hashes, rv) 34246 case []string: 34247 ev.BaseEvent.ProcessContext.Parent.FileEvent.Hashes = append(ev.BaseEvent.ProcessContext.Parent.FileEvent.Hashes, rv...) 34248 default: 34249 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.Hashes"} 34250 } 34251 return nil 34252 case "process.parent.file.in_upper_layer": 34253 if ev.BaseEvent.ProcessContext == nil { 34254 ev.BaseEvent.ProcessContext = &ProcessContext{} 34255 } 34256 if ev.BaseEvent.ProcessContext.Parent == nil { 34257 ev.BaseEvent.ProcessContext.Parent = &Process{} 34258 } 34259 rv, ok := value.(bool) 34260 if !ok { 34261 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.FileFields.InUpperLayer"} 34262 } 34263 ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.InUpperLayer = rv 34264 return nil 34265 case "process.parent.file.inode": 34266 if ev.BaseEvent.ProcessContext == nil { 34267 ev.BaseEvent.ProcessContext = &ProcessContext{} 34268 } 34269 if ev.BaseEvent.ProcessContext.Parent == nil { 34270 ev.BaseEvent.ProcessContext.Parent = &Process{} 34271 } 34272 rv, ok := value.(int) 34273 if !ok { 34274 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.FileFields.PathKey.Inode"} 34275 } 34276 ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.PathKey.Inode = uint64(rv) 34277 return nil 34278 case "process.parent.file.mode": 34279 if ev.BaseEvent.ProcessContext == nil { 34280 ev.BaseEvent.ProcessContext = &ProcessContext{} 34281 } 34282 if ev.BaseEvent.ProcessContext.Parent == nil { 34283 ev.BaseEvent.ProcessContext.Parent = &Process{} 34284 } 34285 rv, ok := value.(int) 34286 if !ok { 34287 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.FileFields.Mode"} 34288 } 34289 
ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.Mode = uint16(rv) 34290 return nil 34291 case "process.parent.file.modification_time": 34292 if ev.BaseEvent.ProcessContext == nil { 34293 ev.BaseEvent.ProcessContext = &ProcessContext{} 34294 } 34295 if ev.BaseEvent.ProcessContext.Parent == nil { 34296 ev.BaseEvent.ProcessContext.Parent = &Process{} 34297 } 34298 rv, ok := value.(int) 34299 if !ok { 34300 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.FileFields.MTime"} 34301 } 34302 ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.MTime = uint64(rv) 34303 return nil 34304 case "process.parent.file.mount_id": 34305 if ev.BaseEvent.ProcessContext == nil { 34306 ev.BaseEvent.ProcessContext = &ProcessContext{} 34307 } 34308 if ev.BaseEvent.ProcessContext.Parent == nil { 34309 ev.BaseEvent.ProcessContext.Parent = &Process{} 34310 } 34311 rv, ok := value.(int) 34312 if !ok { 34313 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.FileFields.PathKey.MountID"} 34314 } 34315 ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.PathKey.MountID = uint32(rv) 34316 return nil 34317 case "process.parent.file.name": 34318 if ev.BaseEvent.ProcessContext == nil { 34319 ev.BaseEvent.ProcessContext = &ProcessContext{} 34320 } 34321 if ev.BaseEvent.ProcessContext.Parent == nil { 34322 ev.BaseEvent.ProcessContext.Parent = &Process{} 34323 } 34324 rv, ok := value.(string) 34325 if !ok { 34326 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.BasenameStr"} 34327 } 34328 ev.BaseEvent.ProcessContext.Parent.FileEvent.BasenameStr = rv 34329 return nil 34330 case "process.parent.file.name.length": 34331 if ev.BaseEvent.ProcessContext == nil { 34332 ev.BaseEvent.ProcessContext = &ProcessContext{} 34333 } 34334 if ev.BaseEvent.ProcessContext.Parent == nil { 34335 ev.BaseEvent.ProcessContext.Parent = &Process{} 34336 } 34337 return &eval.ErrFieldReadOnly{Field: 
"process.parent.file.name.length"} 34338 case "process.parent.file.package.name": 34339 if ev.BaseEvent.ProcessContext == nil { 34340 ev.BaseEvent.ProcessContext = &ProcessContext{} 34341 } 34342 if ev.BaseEvent.ProcessContext.Parent == nil { 34343 ev.BaseEvent.ProcessContext.Parent = &Process{} 34344 } 34345 rv, ok := value.(string) 34346 if !ok { 34347 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.PkgName"} 34348 } 34349 ev.BaseEvent.ProcessContext.Parent.FileEvent.PkgName = rv 34350 return nil 34351 case "process.parent.file.package.source_version": 34352 if ev.BaseEvent.ProcessContext == nil { 34353 ev.BaseEvent.ProcessContext = &ProcessContext{} 34354 } 34355 if ev.BaseEvent.ProcessContext.Parent == nil { 34356 ev.BaseEvent.ProcessContext.Parent = &Process{} 34357 } 34358 rv, ok := value.(string) 34359 if !ok { 34360 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.PkgSrcVersion"} 34361 } 34362 ev.BaseEvent.ProcessContext.Parent.FileEvent.PkgSrcVersion = rv 34363 return nil 34364 case "process.parent.file.package.version": 34365 if ev.BaseEvent.ProcessContext == nil { 34366 ev.BaseEvent.ProcessContext = &ProcessContext{} 34367 } 34368 if ev.BaseEvent.ProcessContext.Parent == nil { 34369 ev.BaseEvent.ProcessContext.Parent = &Process{} 34370 } 34371 rv, ok := value.(string) 34372 if !ok { 34373 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.PkgVersion"} 34374 } 34375 ev.BaseEvent.ProcessContext.Parent.FileEvent.PkgVersion = rv 34376 return nil 34377 case "process.parent.file.path": 34378 if ev.BaseEvent.ProcessContext == nil { 34379 ev.BaseEvent.ProcessContext = &ProcessContext{} 34380 } 34381 if ev.BaseEvent.ProcessContext.Parent == nil { 34382 ev.BaseEvent.ProcessContext.Parent = &Process{} 34383 } 34384 rv, ok := value.(string) 34385 if !ok { 34386 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.PathnameStr"} 34387 
} 34388 ev.BaseEvent.ProcessContext.Parent.FileEvent.PathnameStr = rv 34389 return nil 34390 case "process.parent.file.path.length": 34391 if ev.BaseEvent.ProcessContext == nil { 34392 ev.BaseEvent.ProcessContext = &ProcessContext{} 34393 } 34394 if ev.BaseEvent.ProcessContext.Parent == nil { 34395 ev.BaseEvent.ProcessContext.Parent = &Process{} 34396 } 34397 return &eval.ErrFieldReadOnly{Field: "process.parent.file.path.length"} 34398 case "process.parent.file.rights": 34399 if ev.BaseEvent.ProcessContext == nil { 34400 ev.BaseEvent.ProcessContext = &ProcessContext{} 34401 } 34402 if ev.BaseEvent.ProcessContext.Parent == nil { 34403 ev.BaseEvent.ProcessContext.Parent = &Process{} 34404 } 34405 rv, ok := value.(int) 34406 if !ok { 34407 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.FileFields.Mode"} 34408 } 34409 ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.Mode = uint16(rv) 34410 return nil 34411 case "process.parent.file.uid": 34412 if ev.BaseEvent.ProcessContext == nil { 34413 ev.BaseEvent.ProcessContext = &ProcessContext{} 34414 } 34415 if ev.BaseEvent.ProcessContext.Parent == nil { 34416 ev.BaseEvent.ProcessContext.Parent = &Process{} 34417 } 34418 rv, ok := value.(int) 34419 if !ok { 34420 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.FileFields.UID"} 34421 } 34422 ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.UID = uint32(rv) 34423 return nil 34424 case "process.parent.file.user": 34425 if ev.BaseEvent.ProcessContext == nil { 34426 ev.BaseEvent.ProcessContext = &ProcessContext{} 34427 } 34428 if ev.BaseEvent.ProcessContext.Parent == nil { 34429 ev.BaseEvent.ProcessContext.Parent = &Process{} 34430 } 34431 rv, ok := value.(string) 34432 if !ok { 34433 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.FileEvent.FileFields.User"} 34434 } 34435 ev.BaseEvent.ProcessContext.Parent.FileEvent.FileFields.User = rv 34436 return nil 34437 case 
"process.parent.fsgid": 34438 if ev.BaseEvent.ProcessContext == nil { 34439 ev.BaseEvent.ProcessContext = &ProcessContext{} 34440 } 34441 if ev.BaseEvent.ProcessContext.Parent == nil { 34442 ev.BaseEvent.ProcessContext.Parent = &Process{} 34443 } 34444 rv, ok := value.(int) 34445 if !ok { 34446 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Credentials.FSGID"} 34447 } 34448 ev.BaseEvent.ProcessContext.Parent.Credentials.FSGID = uint32(rv) 34449 return nil 34450 case "process.parent.fsgroup": 34451 if ev.BaseEvent.ProcessContext == nil { 34452 ev.BaseEvent.ProcessContext = &ProcessContext{} 34453 } 34454 if ev.BaseEvent.ProcessContext.Parent == nil { 34455 ev.BaseEvent.ProcessContext.Parent = &Process{} 34456 } 34457 rv, ok := value.(string) 34458 if !ok { 34459 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Credentials.FSGroup"} 34460 } 34461 ev.BaseEvent.ProcessContext.Parent.Credentials.FSGroup = rv 34462 return nil 34463 case "process.parent.fsuid": 34464 if ev.BaseEvent.ProcessContext == nil { 34465 ev.BaseEvent.ProcessContext = &ProcessContext{} 34466 } 34467 if ev.BaseEvent.ProcessContext.Parent == nil { 34468 ev.BaseEvent.ProcessContext.Parent = &Process{} 34469 } 34470 rv, ok := value.(int) 34471 if !ok { 34472 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Credentials.FSUID"} 34473 } 34474 ev.BaseEvent.ProcessContext.Parent.Credentials.FSUID = uint32(rv) 34475 return nil 34476 case "process.parent.fsuser": 34477 if ev.BaseEvent.ProcessContext == nil { 34478 ev.BaseEvent.ProcessContext = &ProcessContext{} 34479 } 34480 if ev.BaseEvent.ProcessContext.Parent == nil { 34481 ev.BaseEvent.ProcessContext.Parent = &Process{} 34482 } 34483 rv, ok := value.(string) 34484 if !ok { 34485 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Credentials.FSUser"} 34486 } 34487 ev.BaseEvent.ProcessContext.Parent.Credentials.FSUser = rv 34488 return nil 34489 case 
"process.parent.gid": 34490 if ev.BaseEvent.ProcessContext == nil { 34491 ev.BaseEvent.ProcessContext = &ProcessContext{} 34492 } 34493 if ev.BaseEvent.ProcessContext.Parent == nil { 34494 ev.BaseEvent.ProcessContext.Parent = &Process{} 34495 } 34496 rv, ok := value.(int) 34497 if !ok { 34498 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Credentials.GID"} 34499 } 34500 ev.BaseEvent.ProcessContext.Parent.Credentials.GID = uint32(rv) 34501 return nil 34502 case "process.parent.group": 34503 if ev.BaseEvent.ProcessContext == nil { 34504 ev.BaseEvent.ProcessContext = &ProcessContext{} 34505 } 34506 if ev.BaseEvent.ProcessContext.Parent == nil { 34507 ev.BaseEvent.ProcessContext.Parent = &Process{} 34508 } 34509 rv, ok := value.(string) 34510 if !ok { 34511 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Credentials.Group"} 34512 } 34513 ev.BaseEvent.ProcessContext.Parent.Credentials.Group = rv 34514 return nil 34515 case "process.parent.interpreter.file.change_time": 34516 if ev.BaseEvent.ProcessContext == nil { 34517 ev.BaseEvent.ProcessContext = &ProcessContext{} 34518 } 34519 if ev.BaseEvent.ProcessContext.Parent == nil { 34520 ev.BaseEvent.ProcessContext.Parent = &Process{} 34521 } 34522 rv, ok := value.(int) 34523 if !ok { 34524 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.CTime"} 34525 } 34526 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.CTime = uint64(rv) 34527 return nil 34528 case "process.parent.interpreter.file.filesystem": 34529 if ev.BaseEvent.ProcessContext == nil { 34530 ev.BaseEvent.ProcessContext = &ProcessContext{} 34531 } 34532 if ev.BaseEvent.ProcessContext.Parent == nil { 34533 ev.BaseEvent.ProcessContext.Parent = &Process{} 34534 } 34535 rv, ok := value.(string) 34536 if !ok { 34537 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.Filesystem"} 34538 } 34539 
ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.Filesystem = rv 34540 return nil 34541 case "process.parent.interpreter.file.gid": 34542 if ev.BaseEvent.ProcessContext == nil { 34543 ev.BaseEvent.ProcessContext = &ProcessContext{} 34544 } 34545 if ev.BaseEvent.ProcessContext.Parent == nil { 34546 ev.BaseEvent.ProcessContext.Parent = &Process{} 34547 } 34548 rv, ok := value.(int) 34549 if !ok { 34550 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.GID"} 34551 } 34552 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.GID = uint32(rv) 34553 return nil 34554 case "process.parent.interpreter.file.group": 34555 if ev.BaseEvent.ProcessContext == nil { 34556 ev.BaseEvent.ProcessContext = &ProcessContext{} 34557 } 34558 if ev.BaseEvent.ProcessContext.Parent == nil { 34559 ev.BaseEvent.ProcessContext.Parent = &Process{} 34560 } 34561 rv, ok := value.(string) 34562 if !ok { 34563 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.Group"} 34564 } 34565 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.Group = rv 34566 return nil 34567 case "process.parent.interpreter.file.hashes": 34568 if ev.BaseEvent.ProcessContext == nil { 34569 ev.BaseEvent.ProcessContext = &ProcessContext{} 34570 } 34571 if ev.BaseEvent.ProcessContext.Parent == nil { 34572 ev.BaseEvent.ProcessContext.Parent = &Process{} 34573 } 34574 switch rv := value.(type) { 34575 case string: 34576 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.Hashes = append(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.Hashes, rv) 34577 case []string: 34578 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.Hashes = append(ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.Hashes, rv...) 
34579 default: 34580 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.Hashes"} 34581 } 34582 return nil 34583 case "process.parent.interpreter.file.in_upper_layer": 34584 if ev.BaseEvent.ProcessContext == nil { 34585 ev.BaseEvent.ProcessContext = &ProcessContext{} 34586 } 34587 if ev.BaseEvent.ProcessContext.Parent == nil { 34588 ev.BaseEvent.ProcessContext.Parent = &Process{} 34589 } 34590 rv, ok := value.(bool) 34591 if !ok { 34592 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.InUpperLayer"} 34593 } 34594 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.InUpperLayer = rv 34595 return nil 34596 case "process.parent.interpreter.file.inode": 34597 if ev.BaseEvent.ProcessContext == nil { 34598 ev.BaseEvent.ProcessContext = &ProcessContext{} 34599 } 34600 if ev.BaseEvent.ProcessContext.Parent == nil { 34601 ev.BaseEvent.ProcessContext.Parent = &Process{} 34602 } 34603 rv, ok := value.(int) 34604 if !ok { 34605 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode"} 34606 } 34607 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode = uint64(rv) 34608 return nil 34609 case "process.parent.interpreter.file.mode": 34610 if ev.BaseEvent.ProcessContext == nil { 34611 ev.BaseEvent.ProcessContext = &ProcessContext{} 34612 } 34613 if ev.BaseEvent.ProcessContext.Parent == nil { 34614 ev.BaseEvent.ProcessContext.Parent = &Process{} 34615 } 34616 rv, ok := value.(int) 34617 if !ok { 34618 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.Mode"} 34619 } 34620 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 34621 return nil 34622 case "process.parent.interpreter.file.modification_time": 34623 if ev.BaseEvent.ProcessContext == nil { 34624 ev.BaseEvent.ProcessContext = 
&ProcessContext{} 34625 } 34626 if ev.BaseEvent.ProcessContext.Parent == nil { 34627 ev.BaseEvent.ProcessContext.Parent = &Process{} 34628 } 34629 rv, ok := value.(int) 34630 if !ok { 34631 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.MTime"} 34632 } 34633 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.MTime = uint64(rv) 34634 return nil 34635 case "process.parent.interpreter.file.mount_id": 34636 if ev.BaseEvent.ProcessContext == nil { 34637 ev.BaseEvent.ProcessContext = &ProcessContext{} 34638 } 34639 if ev.BaseEvent.ProcessContext.Parent == nil { 34640 ev.BaseEvent.ProcessContext.Parent = &Process{} 34641 } 34642 rv, ok := value.(int) 34643 if !ok { 34644 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID"} 34645 } 34646 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID = uint32(rv) 34647 return nil 34648 case "process.parent.interpreter.file.name": 34649 if ev.BaseEvent.ProcessContext == nil { 34650 ev.BaseEvent.ProcessContext = &ProcessContext{} 34651 } 34652 if ev.BaseEvent.ProcessContext.Parent == nil { 34653 ev.BaseEvent.ProcessContext.Parent = &Process{} 34654 } 34655 rv, ok := value.(string) 34656 if !ok { 34657 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.BasenameStr"} 34658 } 34659 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.BasenameStr = rv 34660 return nil 34661 case "process.parent.interpreter.file.name.length": 34662 if ev.BaseEvent.ProcessContext == nil { 34663 ev.BaseEvent.ProcessContext = &ProcessContext{} 34664 } 34665 if ev.BaseEvent.ProcessContext.Parent == nil { 34666 ev.BaseEvent.ProcessContext.Parent = &Process{} 34667 } 34668 return &eval.ErrFieldReadOnly{Field: "process.parent.interpreter.file.name.length"} 34669 case "process.parent.interpreter.file.package.name": 34670 if 
ev.BaseEvent.ProcessContext == nil { 34671 ev.BaseEvent.ProcessContext = &ProcessContext{} 34672 } 34673 if ev.BaseEvent.ProcessContext.Parent == nil { 34674 ev.BaseEvent.ProcessContext.Parent = &Process{} 34675 } 34676 rv, ok := value.(string) 34677 if !ok { 34678 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.PkgName"} 34679 } 34680 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.PkgName = rv 34681 return nil 34682 case "process.parent.interpreter.file.package.source_version": 34683 if ev.BaseEvent.ProcessContext == nil { 34684 ev.BaseEvent.ProcessContext = &ProcessContext{} 34685 } 34686 if ev.BaseEvent.ProcessContext.Parent == nil { 34687 ev.BaseEvent.ProcessContext.Parent = &Process{} 34688 } 34689 rv, ok := value.(string) 34690 if !ok { 34691 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.PkgSrcVersion"} 34692 } 34693 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.PkgSrcVersion = rv 34694 return nil 34695 case "process.parent.interpreter.file.package.version": 34696 if ev.BaseEvent.ProcessContext == nil { 34697 ev.BaseEvent.ProcessContext = &ProcessContext{} 34698 } 34699 if ev.BaseEvent.ProcessContext.Parent == nil { 34700 ev.BaseEvent.ProcessContext.Parent = &Process{} 34701 } 34702 rv, ok := value.(string) 34703 if !ok { 34704 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.PkgVersion"} 34705 } 34706 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.PkgVersion = rv 34707 return nil 34708 case "process.parent.interpreter.file.path": 34709 if ev.BaseEvent.ProcessContext == nil { 34710 ev.BaseEvent.ProcessContext = &ProcessContext{} 34711 } 34712 if ev.BaseEvent.ProcessContext.Parent == nil { 34713 ev.BaseEvent.ProcessContext.Parent = &Process{} 34714 } 34715 rv, ok := value.(string) 34716 if !ok { 34717 return &eval.ErrValueTypeMismatch{Field: 
"BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.PathnameStr"} 34718 } 34719 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.PathnameStr = rv 34720 return nil 34721 case "process.parent.interpreter.file.path.length": 34722 if ev.BaseEvent.ProcessContext == nil { 34723 ev.BaseEvent.ProcessContext = &ProcessContext{} 34724 } 34725 if ev.BaseEvent.ProcessContext.Parent == nil { 34726 ev.BaseEvent.ProcessContext.Parent = &Process{} 34727 } 34728 return &eval.ErrFieldReadOnly{Field: "process.parent.interpreter.file.path.length"} 34729 case "process.parent.interpreter.file.rights": 34730 if ev.BaseEvent.ProcessContext == nil { 34731 ev.BaseEvent.ProcessContext = &ProcessContext{} 34732 } 34733 if ev.BaseEvent.ProcessContext.Parent == nil { 34734 ev.BaseEvent.ProcessContext.Parent = &Process{} 34735 } 34736 rv, ok := value.(int) 34737 if !ok { 34738 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.Mode"} 34739 } 34740 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 34741 return nil 34742 case "process.parent.interpreter.file.uid": 34743 if ev.BaseEvent.ProcessContext == nil { 34744 ev.BaseEvent.ProcessContext = &ProcessContext{} 34745 } 34746 if ev.BaseEvent.ProcessContext.Parent == nil { 34747 ev.BaseEvent.ProcessContext.Parent = &Process{} 34748 } 34749 rv, ok := value.(int) 34750 if !ok { 34751 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.UID"} 34752 } 34753 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.UID = uint32(rv) 34754 return nil 34755 case "process.parent.interpreter.file.user": 34756 if ev.BaseEvent.ProcessContext == nil { 34757 ev.BaseEvent.ProcessContext = &ProcessContext{} 34758 } 34759 if ev.BaseEvent.ProcessContext.Parent == nil { 34760 ev.BaseEvent.ProcessContext.Parent = &Process{} 34761 } 34762 rv, ok := value.(string) 34763 if !ok { 34764 return 
&eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.User"} 34765 } 34766 ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent.FileFields.User = rv 34767 return nil 34768 case "process.parent.is_kworker": 34769 if ev.BaseEvent.ProcessContext == nil { 34770 ev.BaseEvent.ProcessContext = &ProcessContext{} 34771 } 34772 if ev.BaseEvent.ProcessContext.Parent == nil { 34773 ev.BaseEvent.ProcessContext.Parent = &Process{} 34774 } 34775 rv, ok := value.(bool) 34776 if !ok { 34777 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.PIDContext.IsKworker"} 34778 } 34779 ev.BaseEvent.ProcessContext.Parent.PIDContext.IsKworker = rv 34780 return nil 34781 case "process.parent.is_thread": 34782 if ev.BaseEvent.ProcessContext == nil { 34783 ev.BaseEvent.ProcessContext = &ProcessContext{} 34784 } 34785 if ev.BaseEvent.ProcessContext.Parent == nil { 34786 ev.BaseEvent.ProcessContext.Parent = &Process{} 34787 } 34788 rv, ok := value.(bool) 34789 if !ok { 34790 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.IsThread"} 34791 } 34792 ev.BaseEvent.ProcessContext.Parent.IsThread = rv 34793 return nil 34794 case "process.parent.pid": 34795 if ev.BaseEvent.ProcessContext == nil { 34796 ev.BaseEvent.ProcessContext = &ProcessContext{} 34797 } 34798 if ev.BaseEvent.ProcessContext.Parent == nil { 34799 ev.BaseEvent.ProcessContext.Parent = &Process{} 34800 } 34801 rv, ok := value.(int) 34802 if !ok { 34803 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.PIDContext.Pid"} 34804 } 34805 ev.BaseEvent.ProcessContext.Parent.PIDContext.Pid = uint32(rv) 34806 return nil 34807 case "process.parent.ppid": 34808 if ev.BaseEvent.ProcessContext == nil { 34809 ev.BaseEvent.ProcessContext = &ProcessContext{} 34810 } 34811 if ev.BaseEvent.ProcessContext.Parent == nil { 34812 ev.BaseEvent.ProcessContext.Parent = &Process{} 34813 } 34814 rv, ok := value.(int) 34815 if !ok { 34816 return 
&eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.PPid"} 34817 } 34818 ev.BaseEvent.ProcessContext.Parent.PPid = uint32(rv) 34819 return nil 34820 case "process.parent.tid": 34821 if ev.BaseEvent.ProcessContext == nil { 34822 ev.BaseEvent.ProcessContext = &ProcessContext{} 34823 } 34824 if ev.BaseEvent.ProcessContext.Parent == nil { 34825 ev.BaseEvent.ProcessContext.Parent = &Process{} 34826 } 34827 rv, ok := value.(int) 34828 if !ok { 34829 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.PIDContext.Tid"} 34830 } 34831 ev.BaseEvent.ProcessContext.Parent.PIDContext.Tid = uint32(rv) 34832 return nil 34833 case "process.parent.tty_name": 34834 if ev.BaseEvent.ProcessContext == nil { 34835 ev.BaseEvent.ProcessContext = &ProcessContext{} 34836 } 34837 if ev.BaseEvent.ProcessContext.Parent == nil { 34838 ev.BaseEvent.ProcessContext.Parent = &Process{} 34839 } 34840 rv, ok := value.(string) 34841 if !ok { 34842 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.TTYName"} 34843 } 34844 ev.BaseEvent.ProcessContext.Parent.TTYName = rv 34845 return nil 34846 case "process.parent.uid": 34847 if ev.BaseEvent.ProcessContext == nil { 34848 ev.BaseEvent.ProcessContext = &ProcessContext{} 34849 } 34850 if ev.BaseEvent.ProcessContext.Parent == nil { 34851 ev.BaseEvent.ProcessContext.Parent = &Process{} 34852 } 34853 rv, ok := value.(int) 34854 if !ok { 34855 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.Credentials.UID"} 34856 } 34857 ev.BaseEvent.ProcessContext.Parent.Credentials.UID = uint32(rv) 34858 return nil 34859 case "process.parent.user": 34860 if ev.BaseEvent.ProcessContext == nil { 34861 ev.BaseEvent.ProcessContext = &ProcessContext{} 34862 } 34863 if ev.BaseEvent.ProcessContext.Parent == nil { 34864 ev.BaseEvent.ProcessContext.Parent = &Process{} 34865 } 34866 rv, ok := value.(string) 34867 if !ok { 34868 return &eval.ErrValueTypeMismatch{Field: 
"BaseEvent.ProcessContext.Parent.Credentials.User"} 34869 } 34870 ev.BaseEvent.ProcessContext.Parent.Credentials.User = rv 34871 return nil 34872 case "process.parent.user_session.k8s_groups": 34873 if ev.BaseEvent.ProcessContext == nil { 34874 ev.BaseEvent.ProcessContext = &ProcessContext{} 34875 } 34876 if ev.BaseEvent.ProcessContext.Parent == nil { 34877 ev.BaseEvent.ProcessContext.Parent = &Process{} 34878 } 34879 switch rv := value.(type) { 34880 case string: 34881 ev.BaseEvent.ProcessContext.Parent.UserSession.K8SGroups = append(ev.BaseEvent.ProcessContext.Parent.UserSession.K8SGroups, rv) 34882 case []string: 34883 ev.BaseEvent.ProcessContext.Parent.UserSession.K8SGroups = append(ev.BaseEvent.ProcessContext.Parent.UserSession.K8SGroups, rv...) 34884 default: 34885 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.UserSession.K8SGroups"} 34886 } 34887 return nil 34888 case "process.parent.user_session.k8s_uid": 34889 if ev.BaseEvent.ProcessContext == nil { 34890 ev.BaseEvent.ProcessContext = &ProcessContext{} 34891 } 34892 if ev.BaseEvent.ProcessContext.Parent == nil { 34893 ev.BaseEvent.ProcessContext.Parent = &Process{} 34894 } 34895 rv, ok := value.(string) 34896 if !ok { 34897 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.UserSession.K8SUID"} 34898 } 34899 ev.BaseEvent.ProcessContext.Parent.UserSession.K8SUID = rv 34900 return nil 34901 case "process.parent.user_session.k8s_username": 34902 if ev.BaseEvent.ProcessContext == nil { 34903 ev.BaseEvent.ProcessContext = &ProcessContext{} 34904 } 34905 if ev.BaseEvent.ProcessContext.Parent == nil { 34906 ev.BaseEvent.ProcessContext.Parent = &Process{} 34907 } 34908 rv, ok := value.(string) 34909 if !ok { 34910 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Parent.UserSession.K8SUsername"} 34911 } 34912 ev.BaseEvent.ProcessContext.Parent.UserSession.K8SUsername = rv 34913 return nil 34914 case "process.pid": 34915 if 
ev.BaseEvent.ProcessContext == nil { 34916 ev.BaseEvent.ProcessContext = &ProcessContext{} 34917 } 34918 rv, ok := value.(int) 34919 if !ok { 34920 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.PIDContext.Pid"} 34921 } 34922 ev.BaseEvent.ProcessContext.Process.PIDContext.Pid = uint32(rv) 34923 return nil 34924 case "process.ppid": 34925 if ev.BaseEvent.ProcessContext == nil { 34926 ev.BaseEvent.ProcessContext = &ProcessContext{} 34927 } 34928 rv, ok := value.(int) 34929 if !ok { 34930 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.PPid"} 34931 } 34932 ev.BaseEvent.ProcessContext.Process.PPid = uint32(rv) 34933 return nil 34934 case "process.tid": 34935 if ev.BaseEvent.ProcessContext == nil { 34936 ev.BaseEvent.ProcessContext = &ProcessContext{} 34937 } 34938 rv, ok := value.(int) 34939 if !ok { 34940 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.PIDContext.Tid"} 34941 } 34942 ev.BaseEvent.ProcessContext.Process.PIDContext.Tid = uint32(rv) 34943 return nil 34944 case "process.tty_name": 34945 if ev.BaseEvent.ProcessContext == nil { 34946 ev.BaseEvent.ProcessContext = &ProcessContext{} 34947 } 34948 rv, ok := value.(string) 34949 if !ok { 34950 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.TTYName"} 34951 } 34952 ev.BaseEvent.ProcessContext.Process.TTYName = rv 34953 return nil 34954 case "process.uid": 34955 if ev.BaseEvent.ProcessContext == nil { 34956 ev.BaseEvent.ProcessContext = &ProcessContext{} 34957 } 34958 rv, ok := value.(int) 34959 if !ok { 34960 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.UID"} 34961 } 34962 ev.BaseEvent.ProcessContext.Process.Credentials.UID = uint32(rv) 34963 return nil 34964 case "process.user": 34965 if ev.BaseEvent.ProcessContext == nil { 34966 ev.BaseEvent.ProcessContext = &ProcessContext{} 34967 } 34968 rv, ok := value.(string) 34969 if !ok { 34970 return 
&eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.Credentials.User"} 34971 } 34972 ev.BaseEvent.ProcessContext.Process.Credentials.User = rv 34973 return nil 34974 case "process.user_session.k8s_groups": 34975 if ev.BaseEvent.ProcessContext == nil { 34976 ev.BaseEvent.ProcessContext = &ProcessContext{} 34977 } 34978 switch rv := value.(type) { 34979 case string: 34980 ev.BaseEvent.ProcessContext.Process.UserSession.K8SGroups = append(ev.BaseEvent.ProcessContext.Process.UserSession.K8SGroups, rv) 34981 case []string: 34982 ev.BaseEvent.ProcessContext.Process.UserSession.K8SGroups = append(ev.BaseEvent.ProcessContext.Process.UserSession.K8SGroups, rv...) 34983 default: 34984 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.UserSession.K8SGroups"} 34985 } 34986 return nil 34987 case "process.user_session.k8s_uid": 34988 if ev.BaseEvent.ProcessContext == nil { 34989 ev.BaseEvent.ProcessContext = &ProcessContext{} 34990 } 34991 rv, ok := value.(string) 34992 if !ok { 34993 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.UserSession.K8SUID"} 34994 } 34995 ev.BaseEvent.ProcessContext.Process.UserSession.K8SUID = rv 34996 return nil 34997 case "process.user_session.k8s_username": 34998 if ev.BaseEvent.ProcessContext == nil { 34999 ev.BaseEvent.ProcessContext = &ProcessContext{} 35000 } 35001 rv, ok := value.(string) 35002 if !ok { 35003 return &eval.ErrValueTypeMismatch{Field: "BaseEvent.ProcessContext.Process.UserSession.K8SUsername"} 35004 } 35005 ev.BaseEvent.ProcessContext.Process.UserSession.K8SUsername = rv 35006 return nil 35007 case "ptrace.request": 35008 rv, ok := value.(int) 35009 if !ok { 35010 return &eval.ErrValueTypeMismatch{Field: "PTrace.Request"} 35011 } 35012 ev.PTrace.Request = uint32(rv) 35013 return nil 35014 case "ptrace.retval": 35015 rv, ok := value.(int) 35016 if !ok { 35017 return &eval.ErrValueTypeMismatch{Field: "PTrace.SyscallEvent.Retval"} 35018 } 35019 
ev.PTrace.SyscallEvent.Retval = int64(rv) 35020 return nil 35021 case "ptrace.tracee.ancestors.args": 35022 if ev.PTrace.Tracee == nil { 35023 ev.PTrace.Tracee = &ProcessContext{} 35024 } 35025 if ev.PTrace.Tracee.Ancestor == nil { 35026 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35027 } 35028 rv, ok := value.(string) 35029 if !ok { 35030 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Args"} 35031 } 35032 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Args = rv 35033 return nil 35034 case "ptrace.tracee.ancestors.args_flags": 35035 if ev.PTrace.Tracee == nil { 35036 ev.PTrace.Tracee = &ProcessContext{} 35037 } 35038 if ev.PTrace.Tracee.Ancestor == nil { 35039 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35040 } 35041 switch rv := value.(type) { 35042 case string: 35043 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Argv = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Argv, rv) 35044 case []string: 35045 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Argv = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Argv, rv...) 35046 default: 35047 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Argv"} 35048 } 35049 return nil 35050 case "ptrace.tracee.ancestors.args_options": 35051 if ev.PTrace.Tracee == nil { 35052 ev.PTrace.Tracee = &ProcessContext{} 35053 } 35054 if ev.PTrace.Tracee.Ancestor == nil { 35055 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35056 } 35057 switch rv := value.(type) { 35058 case string: 35059 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Argv = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Argv, rv) 35060 case []string: 35061 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Argv = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Argv, rv...) 
35062 default: 35063 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Argv"} 35064 } 35065 return nil 35066 case "ptrace.tracee.ancestors.args_truncated": 35067 if ev.PTrace.Tracee == nil { 35068 ev.PTrace.Tracee = &ProcessContext{} 35069 } 35070 if ev.PTrace.Tracee.Ancestor == nil { 35071 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35072 } 35073 rv, ok := value.(bool) 35074 if !ok { 35075 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.ArgsTruncated"} 35076 } 35077 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.ArgsTruncated = rv 35078 return nil 35079 case "ptrace.tracee.ancestors.argv": 35080 if ev.PTrace.Tracee == nil { 35081 ev.PTrace.Tracee = &ProcessContext{} 35082 } 35083 if ev.PTrace.Tracee.Ancestor == nil { 35084 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35085 } 35086 switch rv := value.(type) { 35087 case string: 35088 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Argv = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Argv, rv) 35089 case []string: 35090 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Argv = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Argv, rv...) 
35091 default: 35092 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Argv"} 35093 } 35094 return nil 35095 case "ptrace.tracee.ancestors.argv0": 35096 if ev.PTrace.Tracee == nil { 35097 ev.PTrace.Tracee = &ProcessContext{} 35098 } 35099 if ev.PTrace.Tracee.Ancestor == nil { 35100 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35101 } 35102 rv, ok := value.(string) 35103 if !ok { 35104 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Argv0"} 35105 } 35106 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Argv0 = rv 35107 return nil 35108 case "ptrace.tracee.ancestors.cap_effective": 35109 if ev.PTrace.Tracee == nil { 35110 ev.PTrace.Tracee = &ProcessContext{} 35111 } 35112 if ev.PTrace.Tracee.Ancestor == nil { 35113 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35114 } 35115 rv, ok := value.(int) 35116 if !ok { 35117 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.CapEffective"} 35118 } 35119 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.CapEffective = uint64(rv) 35120 return nil 35121 case "ptrace.tracee.ancestors.cap_permitted": 35122 if ev.PTrace.Tracee == nil { 35123 ev.PTrace.Tracee = &ProcessContext{} 35124 } 35125 if ev.PTrace.Tracee.Ancestor == nil { 35126 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35127 } 35128 rv, ok := value.(int) 35129 if !ok { 35130 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.CapPermitted"} 35131 } 35132 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.CapPermitted = uint64(rv) 35133 return nil 35134 case "ptrace.tracee.ancestors.comm": 35135 if ev.PTrace.Tracee == nil { 35136 ev.PTrace.Tracee = &ProcessContext{} 35137 } 35138 if ev.PTrace.Tracee.Ancestor == nil { 35139 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35140 } 35141 rv, ok := value.(string) 35142 if !ok { 35143 return &eval.ErrValueTypeMismatch{Field: 
"PTrace.Tracee.Ancestor.ProcessContext.Process.Comm"} 35144 } 35145 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Comm = rv 35146 return nil 35147 case "ptrace.tracee.ancestors.container.id": 35148 if ev.PTrace.Tracee == nil { 35149 ev.PTrace.Tracee = &ProcessContext{} 35150 } 35151 if ev.PTrace.Tracee.Ancestor == nil { 35152 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35153 } 35154 rv, ok := value.(string) 35155 if !ok { 35156 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.ContainerID"} 35157 } 35158 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.ContainerID = rv 35159 return nil 35160 case "ptrace.tracee.ancestors.created_at": 35161 if ev.PTrace.Tracee == nil { 35162 ev.PTrace.Tracee = &ProcessContext{} 35163 } 35164 if ev.PTrace.Tracee.Ancestor == nil { 35165 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35166 } 35167 rv, ok := value.(int) 35168 if !ok { 35169 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.CreatedAt"} 35170 } 35171 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.CreatedAt = uint64(rv) 35172 return nil 35173 case "ptrace.tracee.ancestors.egid": 35174 if ev.PTrace.Tracee == nil { 35175 ev.PTrace.Tracee = &ProcessContext{} 35176 } 35177 if ev.PTrace.Tracee.Ancestor == nil { 35178 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35179 } 35180 rv, ok := value.(int) 35181 if !ok { 35182 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.EGID"} 35183 } 35184 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.EGID = uint32(rv) 35185 return nil 35186 case "ptrace.tracee.ancestors.egroup": 35187 if ev.PTrace.Tracee == nil { 35188 ev.PTrace.Tracee = &ProcessContext{} 35189 } 35190 if ev.PTrace.Tracee.Ancestor == nil { 35191 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35192 } 35193 rv, ok := value.(string) 35194 if !ok { 35195 return &eval.ErrValueTypeMismatch{Field: 
"PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.EGroup"} 35196 } 35197 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.EGroup = rv 35198 return nil 35199 case "ptrace.tracee.ancestors.envp": 35200 if ev.PTrace.Tracee == nil { 35201 ev.PTrace.Tracee = &ProcessContext{} 35202 } 35203 if ev.PTrace.Tracee.Ancestor == nil { 35204 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35205 } 35206 switch rv := value.(type) { 35207 case string: 35208 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Envp = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Envp, rv) 35209 case []string: 35210 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Envp = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Envp, rv...) 35211 default: 35212 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Envp"} 35213 } 35214 return nil 35215 case "ptrace.tracee.ancestors.envs": 35216 if ev.PTrace.Tracee == nil { 35217 ev.PTrace.Tracee = &ProcessContext{} 35218 } 35219 if ev.PTrace.Tracee.Ancestor == nil { 35220 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35221 } 35222 switch rv := value.(type) { 35223 case string: 35224 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Envs = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Envs, rv) 35225 case []string: 35226 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Envs = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Envs, rv...) 
35227 default: 35228 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Envs"} 35229 } 35230 return nil 35231 case "ptrace.tracee.ancestors.envs_truncated": 35232 if ev.PTrace.Tracee == nil { 35233 ev.PTrace.Tracee = &ProcessContext{} 35234 } 35235 if ev.PTrace.Tracee.Ancestor == nil { 35236 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35237 } 35238 rv, ok := value.(bool) 35239 if !ok { 35240 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.EnvsTruncated"} 35241 } 35242 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.EnvsTruncated = rv 35243 return nil 35244 case "ptrace.tracee.ancestors.euid": 35245 if ev.PTrace.Tracee == nil { 35246 ev.PTrace.Tracee = &ProcessContext{} 35247 } 35248 if ev.PTrace.Tracee.Ancestor == nil { 35249 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35250 } 35251 rv, ok := value.(int) 35252 if !ok { 35253 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.EUID"} 35254 } 35255 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.EUID = uint32(rv) 35256 return nil 35257 case "ptrace.tracee.ancestors.euser": 35258 if ev.PTrace.Tracee == nil { 35259 ev.PTrace.Tracee = &ProcessContext{} 35260 } 35261 if ev.PTrace.Tracee.Ancestor == nil { 35262 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35263 } 35264 rv, ok := value.(string) 35265 if !ok { 35266 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.EUser"} 35267 } 35268 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.EUser = rv 35269 return nil 35270 case "ptrace.tracee.ancestors.file.change_time": 35271 if ev.PTrace.Tracee == nil { 35272 ev.PTrace.Tracee = &ProcessContext{} 35273 } 35274 if ev.PTrace.Tracee.Ancestor == nil { 35275 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35276 } 35277 rv, ok := value.(int) 35278 if !ok { 35279 return &eval.ErrValueTypeMismatch{Field: 
"PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.CTime"} 35280 } 35281 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.CTime = uint64(rv) 35282 return nil 35283 case "ptrace.tracee.ancestors.file.filesystem": 35284 if ev.PTrace.Tracee == nil { 35285 ev.PTrace.Tracee = &ProcessContext{} 35286 } 35287 if ev.PTrace.Tracee.Ancestor == nil { 35288 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35289 } 35290 rv, ok := value.(string) 35291 if !ok { 35292 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.Filesystem"} 35293 } 35294 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.Filesystem = rv 35295 return nil 35296 case "ptrace.tracee.ancestors.file.gid": 35297 if ev.PTrace.Tracee == nil { 35298 ev.PTrace.Tracee = &ProcessContext{} 35299 } 35300 if ev.PTrace.Tracee.Ancestor == nil { 35301 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35302 } 35303 rv, ok := value.(int) 35304 if !ok { 35305 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.GID"} 35306 } 35307 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.GID = uint32(rv) 35308 return nil 35309 case "ptrace.tracee.ancestors.file.group": 35310 if ev.PTrace.Tracee == nil { 35311 ev.PTrace.Tracee = &ProcessContext{} 35312 } 35313 if ev.PTrace.Tracee.Ancestor == nil { 35314 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35315 } 35316 rv, ok := value.(string) 35317 if !ok { 35318 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.Group"} 35319 } 35320 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.Group = rv 35321 return nil 35322 case "ptrace.tracee.ancestors.file.hashes": 35323 if ev.PTrace.Tracee == nil { 35324 ev.PTrace.Tracee = &ProcessContext{} 35325 } 35326 if ev.PTrace.Tracee.Ancestor == nil { 35327 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35328 } 
35329 switch rv := value.(type) { 35330 case string: 35331 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.Hashes = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.Hashes, rv) 35332 case []string: 35333 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.Hashes = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.Hashes, rv...) 35334 default: 35335 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.Hashes"} 35336 } 35337 return nil 35338 case "ptrace.tracee.ancestors.file.in_upper_layer": 35339 if ev.PTrace.Tracee == nil { 35340 ev.PTrace.Tracee = &ProcessContext{} 35341 } 35342 if ev.PTrace.Tracee.Ancestor == nil { 35343 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35344 } 35345 rv, ok := value.(bool) 35346 if !ok { 35347 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.InUpperLayer"} 35348 } 35349 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.InUpperLayer = rv 35350 return nil 35351 case "ptrace.tracee.ancestors.file.inode": 35352 if ev.PTrace.Tracee == nil { 35353 ev.PTrace.Tracee = &ProcessContext{} 35354 } 35355 if ev.PTrace.Tracee.Ancestor == nil { 35356 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35357 } 35358 rv, ok := value.(int) 35359 if !ok { 35360 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode"} 35361 } 35362 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode = uint64(rv) 35363 return nil 35364 case "ptrace.tracee.ancestors.file.mode": 35365 if ev.PTrace.Tracee == nil { 35366 ev.PTrace.Tracee = &ProcessContext{} 35367 } 35368 if ev.PTrace.Tracee.Ancestor == nil { 35369 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35370 } 35371 rv, ok := value.(int) 35372 if !ok { 35373 return &eval.ErrValueTypeMismatch{Field: 
"PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.Mode"} 35374 } 35375 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.Mode = uint16(rv) 35376 return nil 35377 case "ptrace.tracee.ancestors.file.modification_time": 35378 if ev.PTrace.Tracee == nil { 35379 ev.PTrace.Tracee = &ProcessContext{} 35380 } 35381 if ev.PTrace.Tracee.Ancestor == nil { 35382 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35383 } 35384 rv, ok := value.(int) 35385 if !ok { 35386 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.MTime"} 35387 } 35388 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.MTime = uint64(rv) 35389 return nil 35390 case "ptrace.tracee.ancestors.file.mount_id": 35391 if ev.PTrace.Tracee == nil { 35392 ev.PTrace.Tracee = &ProcessContext{} 35393 } 35394 if ev.PTrace.Tracee.Ancestor == nil { 35395 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35396 } 35397 rv, ok := value.(int) 35398 if !ok { 35399 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID"} 35400 } 35401 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID = uint32(rv) 35402 return nil 35403 case "ptrace.tracee.ancestors.file.name": 35404 if ev.PTrace.Tracee == nil { 35405 ev.PTrace.Tracee = &ProcessContext{} 35406 } 35407 if ev.PTrace.Tracee.Ancestor == nil { 35408 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35409 } 35410 rv, ok := value.(string) 35411 if !ok { 35412 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.BasenameStr"} 35413 } 35414 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.BasenameStr = rv 35415 return nil 35416 case "ptrace.tracee.ancestors.file.name.length": 35417 if ev.PTrace.Tracee == nil { 35418 ev.PTrace.Tracee = &ProcessContext{} 35419 } 35420 if ev.PTrace.Tracee.Ancestor == nil { 35421 
ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35422 } 35423 return &eval.ErrFieldReadOnly{Field: "ptrace.tracee.ancestors.file.name.length"} 35424 case "ptrace.tracee.ancestors.file.package.name": 35425 if ev.PTrace.Tracee == nil { 35426 ev.PTrace.Tracee = &ProcessContext{} 35427 } 35428 if ev.PTrace.Tracee.Ancestor == nil { 35429 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35430 } 35431 rv, ok := value.(string) 35432 if !ok { 35433 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.PkgName"} 35434 } 35435 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.PkgName = rv 35436 return nil 35437 case "ptrace.tracee.ancestors.file.package.source_version": 35438 if ev.PTrace.Tracee == nil { 35439 ev.PTrace.Tracee = &ProcessContext{} 35440 } 35441 if ev.PTrace.Tracee.Ancestor == nil { 35442 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35443 } 35444 rv, ok := value.(string) 35445 if !ok { 35446 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.PkgSrcVersion"} 35447 } 35448 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.PkgSrcVersion = rv 35449 return nil 35450 case "ptrace.tracee.ancestors.file.package.version": 35451 if ev.PTrace.Tracee == nil { 35452 ev.PTrace.Tracee = &ProcessContext{} 35453 } 35454 if ev.PTrace.Tracee.Ancestor == nil { 35455 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35456 } 35457 rv, ok := value.(string) 35458 if !ok { 35459 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.PkgVersion"} 35460 } 35461 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.PkgVersion = rv 35462 return nil 35463 case "ptrace.tracee.ancestors.file.path": 35464 if ev.PTrace.Tracee == nil { 35465 ev.PTrace.Tracee = &ProcessContext{} 35466 } 35467 if ev.PTrace.Tracee.Ancestor == nil { 35468 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35469 } 35470 rv, ok := value.(string) 35471 if !ok { 
35472 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.PathnameStr"} 35473 } 35474 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.PathnameStr = rv 35475 return nil 35476 case "ptrace.tracee.ancestors.file.path.length": 35477 if ev.PTrace.Tracee == nil { 35478 ev.PTrace.Tracee = &ProcessContext{} 35479 } 35480 if ev.PTrace.Tracee.Ancestor == nil { 35481 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35482 } 35483 return &eval.ErrFieldReadOnly{Field: "ptrace.tracee.ancestors.file.path.length"} 35484 case "ptrace.tracee.ancestors.file.rights": 35485 if ev.PTrace.Tracee == nil { 35486 ev.PTrace.Tracee = &ProcessContext{} 35487 } 35488 if ev.PTrace.Tracee.Ancestor == nil { 35489 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35490 } 35491 rv, ok := value.(int) 35492 if !ok { 35493 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.Mode"} 35494 } 35495 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.Mode = uint16(rv) 35496 return nil 35497 case "ptrace.tracee.ancestors.file.uid": 35498 if ev.PTrace.Tracee == nil { 35499 ev.PTrace.Tracee = &ProcessContext{} 35500 } 35501 if ev.PTrace.Tracee.Ancestor == nil { 35502 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35503 } 35504 rv, ok := value.(int) 35505 if !ok { 35506 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.UID"} 35507 } 35508 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.UID = uint32(rv) 35509 return nil 35510 case "ptrace.tracee.ancestors.file.user": 35511 if ev.PTrace.Tracee == nil { 35512 ev.PTrace.Tracee = &ProcessContext{} 35513 } 35514 if ev.PTrace.Tracee.Ancestor == nil { 35515 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35516 } 35517 rv, ok := value.(string) 35518 if !ok { 35519 return &eval.ErrValueTypeMismatch{Field: 
"PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.User"} 35520 } 35521 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.FileEvent.FileFields.User = rv 35522 return nil 35523 case "ptrace.tracee.ancestors.fsgid": 35524 if ev.PTrace.Tracee == nil { 35525 ev.PTrace.Tracee = &ProcessContext{} 35526 } 35527 if ev.PTrace.Tracee.Ancestor == nil { 35528 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35529 } 35530 rv, ok := value.(int) 35531 if !ok { 35532 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.FSGID"} 35533 } 35534 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.FSGID = uint32(rv) 35535 return nil 35536 case "ptrace.tracee.ancestors.fsgroup": 35537 if ev.PTrace.Tracee == nil { 35538 ev.PTrace.Tracee = &ProcessContext{} 35539 } 35540 if ev.PTrace.Tracee.Ancestor == nil { 35541 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35542 } 35543 rv, ok := value.(string) 35544 if !ok { 35545 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.FSGroup"} 35546 } 35547 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.FSGroup = rv 35548 return nil 35549 case "ptrace.tracee.ancestors.fsuid": 35550 if ev.PTrace.Tracee == nil { 35551 ev.PTrace.Tracee = &ProcessContext{} 35552 } 35553 if ev.PTrace.Tracee.Ancestor == nil { 35554 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35555 } 35556 rv, ok := value.(int) 35557 if !ok { 35558 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.FSUID"} 35559 } 35560 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.FSUID = uint32(rv) 35561 return nil 35562 case "ptrace.tracee.ancestors.fsuser": 35563 if ev.PTrace.Tracee == nil { 35564 ev.PTrace.Tracee = &ProcessContext{} 35565 } 35566 if ev.PTrace.Tracee.Ancestor == nil { 35567 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35568 } 35569 rv, ok := value.(string) 35570 if !ok { 35571 return 
&eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.FSUser"} 35572 } 35573 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.FSUser = rv 35574 return nil 35575 case "ptrace.tracee.ancestors.gid": 35576 if ev.PTrace.Tracee == nil { 35577 ev.PTrace.Tracee = &ProcessContext{} 35578 } 35579 if ev.PTrace.Tracee.Ancestor == nil { 35580 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35581 } 35582 rv, ok := value.(int) 35583 if !ok { 35584 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.GID"} 35585 } 35586 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.GID = uint32(rv) 35587 return nil 35588 case "ptrace.tracee.ancestors.group": 35589 if ev.PTrace.Tracee == nil { 35590 ev.PTrace.Tracee = &ProcessContext{} 35591 } 35592 if ev.PTrace.Tracee.Ancestor == nil { 35593 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35594 } 35595 rv, ok := value.(string) 35596 if !ok { 35597 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.Group"} 35598 } 35599 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.Group = rv 35600 return nil 35601 case "ptrace.tracee.ancestors.interpreter.file.change_time": 35602 if ev.PTrace.Tracee == nil { 35603 ev.PTrace.Tracee = &ProcessContext{} 35604 } 35605 if ev.PTrace.Tracee.Ancestor == nil { 35606 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35607 } 35608 rv, ok := value.(int) 35609 if !ok { 35610 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime"} 35611 } 35612 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime = uint64(rv) 35613 return nil 35614 case "ptrace.tracee.ancestors.interpreter.file.filesystem": 35615 if ev.PTrace.Tracee == nil { 35616 ev.PTrace.Tracee = &ProcessContext{} 35617 } 35618 if ev.PTrace.Tracee.Ancestor == nil { 35619 
ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35620 } 35621 rv, ok := value.(string) 35622 if !ok { 35623 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Filesystem"} 35624 } 35625 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Filesystem = rv 35626 return nil 35627 case "ptrace.tracee.ancestors.interpreter.file.gid": 35628 if ev.PTrace.Tracee == nil { 35629 ev.PTrace.Tracee = &ProcessContext{} 35630 } 35631 if ev.PTrace.Tracee.Ancestor == nil { 35632 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35633 } 35634 rv, ok := value.(int) 35635 if !ok { 35636 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID"} 35637 } 35638 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID = uint32(rv) 35639 return nil 35640 case "ptrace.tracee.ancestors.interpreter.file.group": 35641 if ev.PTrace.Tracee == nil { 35642 ev.PTrace.Tracee = &ProcessContext{} 35643 } 35644 if ev.PTrace.Tracee.Ancestor == nil { 35645 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35646 } 35647 rv, ok := value.(string) 35648 if !ok { 35649 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Group"} 35650 } 35651 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Group = rv 35652 return nil 35653 case "ptrace.tracee.ancestors.interpreter.file.hashes": 35654 if ev.PTrace.Tracee == nil { 35655 ev.PTrace.Tracee = &ProcessContext{} 35656 } 35657 if ev.PTrace.Tracee.Ancestor == nil { 35658 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35659 } 35660 switch rv := value.(type) { 35661 case string: 35662 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes, rv) 35663 case []string: 35664 
ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes, rv...) 35665 default: 35666 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes"} 35667 } 35668 return nil 35669 case "ptrace.tracee.ancestors.interpreter.file.in_upper_layer": 35670 if ev.PTrace.Tracee == nil { 35671 ev.PTrace.Tracee = &ProcessContext{} 35672 } 35673 if ev.PTrace.Tracee.Ancestor == nil { 35674 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35675 } 35676 rv, ok := value.(bool) 35677 if !ok { 35678 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer"} 35679 } 35680 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer = rv 35681 return nil 35682 case "ptrace.tracee.ancestors.interpreter.file.inode": 35683 if ev.PTrace.Tracee == nil { 35684 ev.PTrace.Tracee = &ProcessContext{} 35685 } 35686 if ev.PTrace.Tracee.Ancestor == nil { 35687 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35688 } 35689 rv, ok := value.(int) 35690 if !ok { 35691 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode"} 35692 } 35693 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode = uint64(rv) 35694 return nil 35695 case "ptrace.tracee.ancestors.interpreter.file.mode": 35696 if ev.PTrace.Tracee == nil { 35697 ev.PTrace.Tracee = &ProcessContext{} 35698 } 35699 if ev.PTrace.Tracee.Ancestor == nil { 35700 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35701 } 35702 rv, ok := value.(int) 35703 if !ok { 35704 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 35705 } 35706 
ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 35707 return nil 35708 case "ptrace.tracee.ancestors.interpreter.file.modification_time": 35709 if ev.PTrace.Tracee == nil { 35710 ev.PTrace.Tracee = &ProcessContext{} 35711 } 35712 if ev.PTrace.Tracee.Ancestor == nil { 35713 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35714 } 35715 rv, ok := value.(int) 35716 if !ok { 35717 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime"} 35718 } 35719 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime = uint64(rv) 35720 return nil 35721 case "ptrace.tracee.ancestors.interpreter.file.mount_id": 35722 if ev.PTrace.Tracee == nil { 35723 ev.PTrace.Tracee = &ProcessContext{} 35724 } 35725 if ev.PTrace.Tracee.Ancestor == nil { 35726 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35727 } 35728 rv, ok := value.(int) 35729 if !ok { 35730 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID"} 35731 } 35732 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID = uint32(rv) 35733 return nil 35734 case "ptrace.tracee.ancestors.interpreter.file.name": 35735 if ev.PTrace.Tracee == nil { 35736 ev.PTrace.Tracee = &ProcessContext{} 35737 } 35738 if ev.PTrace.Tracee.Ancestor == nil { 35739 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35740 } 35741 rv, ok := value.(string) 35742 if !ok { 35743 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.BasenameStr"} 35744 } 35745 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.BasenameStr = rv 35746 return nil 35747 case "ptrace.tracee.ancestors.interpreter.file.name.length": 35748 if ev.PTrace.Tracee == nil { 35749 ev.PTrace.Tracee = &ProcessContext{} 35750 } 35751 if 
ev.PTrace.Tracee.Ancestor == nil { 35752 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35753 } 35754 return &eval.ErrFieldReadOnly{Field: "ptrace.tracee.ancestors.interpreter.file.name.length"} 35755 case "ptrace.tracee.ancestors.interpreter.file.package.name": 35756 if ev.PTrace.Tracee == nil { 35757 ev.PTrace.Tracee = &ProcessContext{} 35758 } 35759 if ev.PTrace.Tracee.Ancestor == nil { 35760 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35761 } 35762 rv, ok := value.(string) 35763 if !ok { 35764 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgName"} 35765 } 35766 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgName = rv 35767 return nil 35768 case "ptrace.tracee.ancestors.interpreter.file.package.source_version": 35769 if ev.PTrace.Tracee == nil { 35770 ev.PTrace.Tracee = &ProcessContext{} 35771 } 35772 if ev.PTrace.Tracee.Ancestor == nil { 35773 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35774 } 35775 rv, ok := value.(string) 35776 if !ok { 35777 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgSrcVersion"} 35778 } 35779 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgSrcVersion = rv 35780 return nil 35781 case "ptrace.tracee.ancestors.interpreter.file.package.version": 35782 if ev.PTrace.Tracee == nil { 35783 ev.PTrace.Tracee = &ProcessContext{} 35784 } 35785 if ev.PTrace.Tracee.Ancestor == nil { 35786 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35787 } 35788 rv, ok := value.(string) 35789 if !ok { 35790 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgVersion"} 35791 } 35792 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgVersion = rv 35793 return nil 35794 case "ptrace.tracee.ancestors.interpreter.file.path": 35795 if ev.PTrace.Tracee == nil { 35796 ev.PTrace.Tracee = 
&ProcessContext{} 35797 } 35798 if ev.PTrace.Tracee.Ancestor == nil { 35799 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35800 } 35801 rv, ok := value.(string) 35802 if !ok { 35803 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PathnameStr"} 35804 } 35805 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PathnameStr = rv 35806 return nil 35807 case "ptrace.tracee.ancestors.interpreter.file.path.length": 35808 if ev.PTrace.Tracee == nil { 35809 ev.PTrace.Tracee = &ProcessContext{} 35810 } 35811 if ev.PTrace.Tracee.Ancestor == nil { 35812 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35813 } 35814 return &eval.ErrFieldReadOnly{Field: "ptrace.tracee.ancestors.interpreter.file.path.length"} 35815 case "ptrace.tracee.ancestors.interpreter.file.rights": 35816 if ev.PTrace.Tracee == nil { 35817 ev.PTrace.Tracee = &ProcessContext{} 35818 } 35819 if ev.PTrace.Tracee.Ancestor == nil { 35820 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35821 } 35822 rv, ok := value.(int) 35823 if !ok { 35824 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 35825 } 35826 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 35827 return nil 35828 case "ptrace.tracee.ancestors.interpreter.file.uid": 35829 if ev.PTrace.Tracee == nil { 35830 ev.PTrace.Tracee = &ProcessContext{} 35831 } 35832 if ev.PTrace.Tracee.Ancestor == nil { 35833 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35834 } 35835 rv, ok := value.(int) 35836 if !ok { 35837 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID"} 35838 } 35839 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID = uint32(rv) 35840 return nil 35841 case "ptrace.tracee.ancestors.interpreter.file.user": 35842 if ev.PTrace.Tracee == 
nil { 35843 ev.PTrace.Tracee = &ProcessContext{} 35844 } 35845 if ev.PTrace.Tracee.Ancestor == nil { 35846 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35847 } 35848 rv, ok := value.(string) 35849 if !ok { 35850 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.User"} 35851 } 35852 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.User = rv 35853 return nil 35854 case "ptrace.tracee.ancestors.is_kworker": 35855 if ev.PTrace.Tracee == nil { 35856 ev.PTrace.Tracee = &ProcessContext{} 35857 } 35858 if ev.PTrace.Tracee.Ancestor == nil { 35859 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35860 } 35861 rv, ok := value.(bool) 35862 if !ok { 35863 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.PIDContext.IsKworker"} 35864 } 35865 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.PIDContext.IsKworker = rv 35866 return nil 35867 case "ptrace.tracee.ancestors.is_thread": 35868 if ev.PTrace.Tracee == nil { 35869 ev.PTrace.Tracee = &ProcessContext{} 35870 } 35871 if ev.PTrace.Tracee.Ancestor == nil { 35872 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35873 } 35874 rv, ok := value.(bool) 35875 if !ok { 35876 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.IsThread"} 35877 } 35878 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.IsThread = rv 35879 return nil 35880 case "ptrace.tracee.ancestors.pid": 35881 if ev.PTrace.Tracee == nil { 35882 ev.PTrace.Tracee = &ProcessContext{} 35883 } 35884 if ev.PTrace.Tracee.Ancestor == nil { 35885 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35886 } 35887 rv, ok := value.(int) 35888 if !ok { 35889 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.PIDContext.Pid"} 35890 } 35891 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.PIDContext.Pid = uint32(rv) 35892 return nil 35893 case "ptrace.tracee.ancestors.ppid": 
35894 if ev.PTrace.Tracee == nil { 35895 ev.PTrace.Tracee = &ProcessContext{} 35896 } 35897 if ev.PTrace.Tracee.Ancestor == nil { 35898 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35899 } 35900 rv, ok := value.(int) 35901 if !ok { 35902 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.PPid"} 35903 } 35904 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.PPid = uint32(rv) 35905 return nil 35906 case "ptrace.tracee.ancestors.tid": 35907 if ev.PTrace.Tracee == nil { 35908 ev.PTrace.Tracee = &ProcessContext{} 35909 } 35910 if ev.PTrace.Tracee.Ancestor == nil { 35911 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35912 } 35913 rv, ok := value.(int) 35914 if !ok { 35915 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.PIDContext.Tid"} 35916 } 35917 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.PIDContext.Tid = uint32(rv) 35918 return nil 35919 case "ptrace.tracee.ancestors.tty_name": 35920 if ev.PTrace.Tracee == nil { 35921 ev.PTrace.Tracee = &ProcessContext{} 35922 } 35923 if ev.PTrace.Tracee.Ancestor == nil { 35924 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35925 } 35926 rv, ok := value.(string) 35927 if !ok { 35928 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.TTYName"} 35929 } 35930 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.TTYName = rv 35931 return nil 35932 case "ptrace.tracee.ancestors.uid": 35933 if ev.PTrace.Tracee == nil { 35934 ev.PTrace.Tracee = &ProcessContext{} 35935 } 35936 if ev.PTrace.Tracee.Ancestor == nil { 35937 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35938 } 35939 rv, ok := value.(int) 35940 if !ok { 35941 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.UID"} 35942 } 35943 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.UID = uint32(rv) 35944 return nil 35945 case "ptrace.tracee.ancestors.user": 35946 if ev.PTrace.Tracee == nil { 35947 
ev.PTrace.Tracee = &ProcessContext{} 35948 } 35949 if ev.PTrace.Tracee.Ancestor == nil { 35950 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35951 } 35952 rv, ok := value.(string) 35953 if !ok { 35954 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.User"} 35955 } 35956 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.Credentials.User = rv 35957 return nil 35958 case "ptrace.tracee.ancestors.user_session.k8s_groups": 35959 if ev.PTrace.Tracee == nil { 35960 ev.PTrace.Tracee = &ProcessContext{} 35961 } 35962 if ev.PTrace.Tracee.Ancestor == nil { 35963 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35964 } 35965 switch rv := value.(type) { 35966 case string: 35967 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.UserSession.K8SGroups = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.UserSession.K8SGroups, rv) 35968 case []string: 35969 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.UserSession.K8SGroups = append(ev.PTrace.Tracee.Ancestor.ProcessContext.Process.UserSession.K8SGroups, rv...) 
35970 default: 35971 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.UserSession.K8SGroups"} 35972 } 35973 return nil 35974 case "ptrace.tracee.ancestors.user_session.k8s_uid": 35975 if ev.PTrace.Tracee == nil { 35976 ev.PTrace.Tracee = &ProcessContext{} 35977 } 35978 if ev.PTrace.Tracee.Ancestor == nil { 35979 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35980 } 35981 rv, ok := value.(string) 35982 if !ok { 35983 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.UserSession.K8SUID"} 35984 } 35985 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.UserSession.K8SUID = rv 35986 return nil 35987 case "ptrace.tracee.ancestors.user_session.k8s_username": 35988 if ev.PTrace.Tracee == nil { 35989 ev.PTrace.Tracee = &ProcessContext{} 35990 } 35991 if ev.PTrace.Tracee.Ancestor == nil { 35992 ev.PTrace.Tracee.Ancestor = &ProcessCacheEntry{} 35993 } 35994 rv, ok := value.(string) 35995 if !ok { 35996 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Ancestor.ProcessContext.Process.UserSession.K8SUsername"} 35997 } 35998 ev.PTrace.Tracee.Ancestor.ProcessContext.Process.UserSession.K8SUsername = rv 35999 return nil 36000 case "ptrace.tracee.args": 36001 if ev.PTrace.Tracee == nil { 36002 ev.PTrace.Tracee = &ProcessContext{} 36003 } 36004 rv, ok := value.(string) 36005 if !ok { 36006 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Args"} 36007 } 36008 ev.PTrace.Tracee.Process.Args = rv 36009 return nil 36010 case "ptrace.tracee.args_flags": 36011 if ev.PTrace.Tracee == nil { 36012 ev.PTrace.Tracee = &ProcessContext{} 36013 } 36014 switch rv := value.(type) { 36015 case string: 36016 ev.PTrace.Tracee.Process.Argv = append(ev.PTrace.Tracee.Process.Argv, rv) 36017 case []string: 36018 ev.PTrace.Tracee.Process.Argv = append(ev.PTrace.Tracee.Process.Argv, rv...) 
36019 default: 36020 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Argv"} 36021 } 36022 return nil 36023 case "ptrace.tracee.args_options": 36024 if ev.PTrace.Tracee == nil { 36025 ev.PTrace.Tracee = &ProcessContext{} 36026 } 36027 switch rv := value.(type) { 36028 case string: 36029 ev.PTrace.Tracee.Process.Argv = append(ev.PTrace.Tracee.Process.Argv, rv) 36030 case []string: 36031 ev.PTrace.Tracee.Process.Argv = append(ev.PTrace.Tracee.Process.Argv, rv...) 36032 default: 36033 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Argv"} 36034 } 36035 return nil 36036 case "ptrace.tracee.args_truncated": 36037 if ev.PTrace.Tracee == nil { 36038 ev.PTrace.Tracee = &ProcessContext{} 36039 } 36040 rv, ok := value.(bool) 36041 if !ok { 36042 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.ArgsTruncated"} 36043 } 36044 ev.PTrace.Tracee.Process.ArgsTruncated = rv 36045 return nil 36046 case "ptrace.tracee.argv": 36047 if ev.PTrace.Tracee == nil { 36048 ev.PTrace.Tracee = &ProcessContext{} 36049 } 36050 switch rv := value.(type) { 36051 case string: 36052 ev.PTrace.Tracee.Process.Argv = append(ev.PTrace.Tracee.Process.Argv, rv) 36053 case []string: 36054 ev.PTrace.Tracee.Process.Argv = append(ev.PTrace.Tracee.Process.Argv, rv...) 
36055 default: 36056 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Argv"} 36057 } 36058 return nil 36059 case "ptrace.tracee.argv0": 36060 if ev.PTrace.Tracee == nil { 36061 ev.PTrace.Tracee = &ProcessContext{} 36062 } 36063 rv, ok := value.(string) 36064 if !ok { 36065 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Argv0"} 36066 } 36067 ev.PTrace.Tracee.Process.Argv0 = rv 36068 return nil 36069 case "ptrace.tracee.cap_effective": 36070 if ev.PTrace.Tracee == nil { 36071 ev.PTrace.Tracee = &ProcessContext{} 36072 } 36073 rv, ok := value.(int) 36074 if !ok { 36075 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.CapEffective"} 36076 } 36077 ev.PTrace.Tracee.Process.Credentials.CapEffective = uint64(rv) 36078 return nil 36079 case "ptrace.tracee.cap_permitted": 36080 if ev.PTrace.Tracee == nil { 36081 ev.PTrace.Tracee = &ProcessContext{} 36082 } 36083 rv, ok := value.(int) 36084 if !ok { 36085 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.CapPermitted"} 36086 } 36087 ev.PTrace.Tracee.Process.Credentials.CapPermitted = uint64(rv) 36088 return nil 36089 case "ptrace.tracee.comm": 36090 if ev.PTrace.Tracee == nil { 36091 ev.PTrace.Tracee = &ProcessContext{} 36092 } 36093 rv, ok := value.(string) 36094 if !ok { 36095 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Comm"} 36096 } 36097 ev.PTrace.Tracee.Process.Comm = rv 36098 return nil 36099 case "ptrace.tracee.container.id": 36100 if ev.PTrace.Tracee == nil { 36101 ev.PTrace.Tracee = &ProcessContext{} 36102 } 36103 rv, ok := value.(string) 36104 if !ok { 36105 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.ContainerID"} 36106 } 36107 ev.PTrace.Tracee.Process.ContainerID = rv 36108 return nil 36109 case "ptrace.tracee.created_at": 36110 if ev.PTrace.Tracee == nil { 36111 ev.PTrace.Tracee = &ProcessContext{} 36112 } 36113 rv, ok := value.(int) 36114 if !ok { 36115 return 
&eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.CreatedAt"} 36116 } 36117 ev.PTrace.Tracee.Process.CreatedAt = uint64(rv) 36118 return nil 36119 case "ptrace.tracee.egid": 36120 if ev.PTrace.Tracee == nil { 36121 ev.PTrace.Tracee = &ProcessContext{} 36122 } 36123 rv, ok := value.(int) 36124 if !ok { 36125 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.EGID"} 36126 } 36127 ev.PTrace.Tracee.Process.Credentials.EGID = uint32(rv) 36128 return nil 36129 case "ptrace.tracee.egroup": 36130 if ev.PTrace.Tracee == nil { 36131 ev.PTrace.Tracee = &ProcessContext{} 36132 } 36133 rv, ok := value.(string) 36134 if !ok { 36135 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.EGroup"} 36136 } 36137 ev.PTrace.Tracee.Process.Credentials.EGroup = rv 36138 return nil 36139 case "ptrace.tracee.envp": 36140 if ev.PTrace.Tracee == nil { 36141 ev.PTrace.Tracee = &ProcessContext{} 36142 } 36143 switch rv := value.(type) { 36144 case string: 36145 ev.PTrace.Tracee.Process.Envp = append(ev.PTrace.Tracee.Process.Envp, rv) 36146 case []string: 36147 ev.PTrace.Tracee.Process.Envp = append(ev.PTrace.Tracee.Process.Envp, rv...) 36148 default: 36149 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Envp"} 36150 } 36151 return nil 36152 case "ptrace.tracee.envs": 36153 if ev.PTrace.Tracee == nil { 36154 ev.PTrace.Tracee = &ProcessContext{} 36155 } 36156 switch rv := value.(type) { 36157 case string: 36158 ev.PTrace.Tracee.Process.Envs = append(ev.PTrace.Tracee.Process.Envs, rv) 36159 case []string: 36160 ev.PTrace.Tracee.Process.Envs = append(ev.PTrace.Tracee.Process.Envs, rv...) 
36161 default: 36162 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Envs"} 36163 } 36164 return nil 36165 case "ptrace.tracee.envs_truncated": 36166 if ev.PTrace.Tracee == nil { 36167 ev.PTrace.Tracee = &ProcessContext{} 36168 } 36169 rv, ok := value.(bool) 36170 if !ok { 36171 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.EnvsTruncated"} 36172 } 36173 ev.PTrace.Tracee.Process.EnvsTruncated = rv 36174 return nil 36175 case "ptrace.tracee.euid": 36176 if ev.PTrace.Tracee == nil { 36177 ev.PTrace.Tracee = &ProcessContext{} 36178 } 36179 rv, ok := value.(int) 36180 if !ok { 36181 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.EUID"} 36182 } 36183 ev.PTrace.Tracee.Process.Credentials.EUID = uint32(rv) 36184 return nil 36185 case "ptrace.tracee.euser": 36186 if ev.PTrace.Tracee == nil { 36187 ev.PTrace.Tracee = &ProcessContext{} 36188 } 36189 rv, ok := value.(string) 36190 if !ok { 36191 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.EUser"} 36192 } 36193 ev.PTrace.Tracee.Process.Credentials.EUser = rv 36194 return nil 36195 case "ptrace.tracee.file.change_time": 36196 if ev.PTrace.Tracee == nil { 36197 ev.PTrace.Tracee = &ProcessContext{} 36198 } 36199 rv, ok := value.(int) 36200 if !ok { 36201 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.FileFields.CTime"} 36202 } 36203 ev.PTrace.Tracee.Process.FileEvent.FileFields.CTime = uint64(rv) 36204 return nil 36205 case "ptrace.tracee.file.filesystem": 36206 if ev.PTrace.Tracee == nil { 36207 ev.PTrace.Tracee = &ProcessContext{} 36208 } 36209 rv, ok := value.(string) 36210 if !ok { 36211 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.Filesystem"} 36212 } 36213 ev.PTrace.Tracee.Process.FileEvent.Filesystem = rv 36214 return nil 36215 case "ptrace.tracee.file.gid": 36216 if ev.PTrace.Tracee == nil { 36217 ev.PTrace.Tracee = &ProcessContext{} 36218 } 36219 rv, ok := value.(int) 36220 
if !ok { 36221 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.FileFields.GID"} 36222 } 36223 ev.PTrace.Tracee.Process.FileEvent.FileFields.GID = uint32(rv) 36224 return nil 36225 case "ptrace.tracee.file.group": 36226 if ev.PTrace.Tracee == nil { 36227 ev.PTrace.Tracee = &ProcessContext{} 36228 } 36229 rv, ok := value.(string) 36230 if !ok { 36231 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.FileFields.Group"} 36232 } 36233 ev.PTrace.Tracee.Process.FileEvent.FileFields.Group = rv 36234 return nil 36235 case "ptrace.tracee.file.hashes": 36236 if ev.PTrace.Tracee == nil { 36237 ev.PTrace.Tracee = &ProcessContext{} 36238 } 36239 switch rv := value.(type) { 36240 case string: 36241 ev.PTrace.Tracee.Process.FileEvent.Hashes = append(ev.PTrace.Tracee.Process.FileEvent.Hashes, rv) 36242 case []string: 36243 ev.PTrace.Tracee.Process.FileEvent.Hashes = append(ev.PTrace.Tracee.Process.FileEvent.Hashes, rv...) 36244 default: 36245 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.Hashes"} 36246 } 36247 return nil 36248 case "ptrace.tracee.file.in_upper_layer": 36249 if ev.PTrace.Tracee == nil { 36250 ev.PTrace.Tracee = &ProcessContext{} 36251 } 36252 rv, ok := value.(bool) 36253 if !ok { 36254 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.FileFields.InUpperLayer"} 36255 } 36256 ev.PTrace.Tracee.Process.FileEvent.FileFields.InUpperLayer = rv 36257 return nil 36258 case "ptrace.tracee.file.inode": 36259 if ev.PTrace.Tracee == nil { 36260 ev.PTrace.Tracee = &ProcessContext{} 36261 } 36262 rv, ok := value.(int) 36263 if !ok { 36264 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.FileFields.PathKey.Inode"} 36265 } 36266 ev.PTrace.Tracee.Process.FileEvent.FileFields.PathKey.Inode = uint64(rv) 36267 return nil 36268 case "ptrace.tracee.file.mode": 36269 if ev.PTrace.Tracee == nil { 36270 ev.PTrace.Tracee = &ProcessContext{} 36271 } 36272 rv, ok := 
value.(int) 36273 if !ok { 36274 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.FileFields.Mode"} 36275 } 36276 ev.PTrace.Tracee.Process.FileEvent.FileFields.Mode = uint16(rv) 36277 return nil 36278 case "ptrace.tracee.file.modification_time": 36279 if ev.PTrace.Tracee == nil { 36280 ev.PTrace.Tracee = &ProcessContext{} 36281 } 36282 rv, ok := value.(int) 36283 if !ok { 36284 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.FileFields.MTime"} 36285 } 36286 ev.PTrace.Tracee.Process.FileEvent.FileFields.MTime = uint64(rv) 36287 return nil 36288 case "ptrace.tracee.file.mount_id": 36289 if ev.PTrace.Tracee == nil { 36290 ev.PTrace.Tracee = &ProcessContext{} 36291 } 36292 rv, ok := value.(int) 36293 if !ok { 36294 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.FileFields.PathKey.MountID"} 36295 } 36296 ev.PTrace.Tracee.Process.FileEvent.FileFields.PathKey.MountID = uint32(rv) 36297 return nil 36298 case "ptrace.tracee.file.name": 36299 if ev.PTrace.Tracee == nil { 36300 ev.PTrace.Tracee = &ProcessContext{} 36301 } 36302 rv, ok := value.(string) 36303 if !ok { 36304 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.BasenameStr"} 36305 } 36306 ev.PTrace.Tracee.Process.FileEvent.BasenameStr = rv 36307 return nil 36308 case "ptrace.tracee.file.name.length": 36309 if ev.PTrace.Tracee == nil { 36310 ev.PTrace.Tracee = &ProcessContext{} 36311 } 36312 return &eval.ErrFieldReadOnly{Field: "ptrace.tracee.file.name.length"} 36313 case "ptrace.tracee.file.package.name": 36314 if ev.PTrace.Tracee == nil { 36315 ev.PTrace.Tracee = &ProcessContext{} 36316 } 36317 rv, ok := value.(string) 36318 if !ok { 36319 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.PkgName"} 36320 } 36321 ev.PTrace.Tracee.Process.FileEvent.PkgName = rv 36322 return nil 36323 case "ptrace.tracee.file.package.source_version": 36324 if ev.PTrace.Tracee == nil { 36325 ev.PTrace.Tracee = 
&ProcessContext{} 36326 } 36327 rv, ok := value.(string) 36328 if !ok { 36329 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.PkgSrcVersion"} 36330 } 36331 ev.PTrace.Tracee.Process.FileEvent.PkgSrcVersion = rv 36332 return nil 36333 case "ptrace.tracee.file.package.version": 36334 if ev.PTrace.Tracee == nil { 36335 ev.PTrace.Tracee = &ProcessContext{} 36336 } 36337 rv, ok := value.(string) 36338 if !ok { 36339 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.PkgVersion"} 36340 } 36341 ev.PTrace.Tracee.Process.FileEvent.PkgVersion = rv 36342 return nil 36343 case "ptrace.tracee.file.path": 36344 if ev.PTrace.Tracee == nil { 36345 ev.PTrace.Tracee = &ProcessContext{} 36346 } 36347 rv, ok := value.(string) 36348 if !ok { 36349 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.PathnameStr"} 36350 } 36351 ev.PTrace.Tracee.Process.FileEvent.PathnameStr = rv 36352 return nil 36353 case "ptrace.tracee.file.path.length": 36354 if ev.PTrace.Tracee == nil { 36355 ev.PTrace.Tracee = &ProcessContext{} 36356 } 36357 return &eval.ErrFieldReadOnly{Field: "ptrace.tracee.file.path.length"} 36358 case "ptrace.tracee.file.rights": 36359 if ev.PTrace.Tracee == nil { 36360 ev.PTrace.Tracee = &ProcessContext{} 36361 } 36362 rv, ok := value.(int) 36363 if !ok { 36364 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.FileFields.Mode"} 36365 } 36366 ev.PTrace.Tracee.Process.FileEvent.FileFields.Mode = uint16(rv) 36367 return nil 36368 case "ptrace.tracee.file.uid": 36369 if ev.PTrace.Tracee == nil { 36370 ev.PTrace.Tracee = &ProcessContext{} 36371 } 36372 rv, ok := value.(int) 36373 if !ok { 36374 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.FileFields.UID"} 36375 } 36376 ev.PTrace.Tracee.Process.FileEvent.FileFields.UID = uint32(rv) 36377 return nil 36378 case "ptrace.tracee.file.user": 36379 if ev.PTrace.Tracee == nil { 36380 ev.PTrace.Tracee = &ProcessContext{} 
36381 } 36382 rv, ok := value.(string) 36383 if !ok { 36384 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.FileEvent.FileFields.User"} 36385 } 36386 ev.PTrace.Tracee.Process.FileEvent.FileFields.User = rv 36387 return nil 36388 case "ptrace.tracee.fsgid": 36389 if ev.PTrace.Tracee == nil { 36390 ev.PTrace.Tracee = &ProcessContext{} 36391 } 36392 rv, ok := value.(int) 36393 if !ok { 36394 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.FSGID"} 36395 } 36396 ev.PTrace.Tracee.Process.Credentials.FSGID = uint32(rv) 36397 return nil 36398 case "ptrace.tracee.fsgroup": 36399 if ev.PTrace.Tracee == nil { 36400 ev.PTrace.Tracee = &ProcessContext{} 36401 } 36402 rv, ok := value.(string) 36403 if !ok { 36404 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.FSGroup"} 36405 } 36406 ev.PTrace.Tracee.Process.Credentials.FSGroup = rv 36407 return nil 36408 case "ptrace.tracee.fsuid": 36409 if ev.PTrace.Tracee == nil { 36410 ev.PTrace.Tracee = &ProcessContext{} 36411 } 36412 rv, ok := value.(int) 36413 if !ok { 36414 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.FSUID"} 36415 } 36416 ev.PTrace.Tracee.Process.Credentials.FSUID = uint32(rv) 36417 return nil 36418 case "ptrace.tracee.fsuser": 36419 if ev.PTrace.Tracee == nil { 36420 ev.PTrace.Tracee = &ProcessContext{} 36421 } 36422 rv, ok := value.(string) 36423 if !ok { 36424 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.FSUser"} 36425 } 36426 ev.PTrace.Tracee.Process.Credentials.FSUser = rv 36427 return nil 36428 case "ptrace.tracee.gid": 36429 if ev.PTrace.Tracee == nil { 36430 ev.PTrace.Tracee = &ProcessContext{} 36431 } 36432 rv, ok := value.(int) 36433 if !ok { 36434 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.GID"} 36435 } 36436 ev.PTrace.Tracee.Process.Credentials.GID = uint32(rv) 36437 return nil 36438 case "ptrace.tracee.group": 36439 if ev.PTrace.Tracee == nil 
{ 36440 ev.PTrace.Tracee = &ProcessContext{} 36441 } 36442 rv, ok := value.(string) 36443 if !ok { 36444 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.Group"} 36445 } 36446 ev.PTrace.Tracee.Process.Credentials.Group = rv 36447 return nil 36448 case "ptrace.tracee.interpreter.file.change_time": 36449 if ev.PTrace.Tracee == nil { 36450 ev.PTrace.Tracee = &ProcessContext{} 36451 } 36452 rv, ok := value.(int) 36453 if !ok { 36454 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.CTime"} 36455 } 36456 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.CTime = uint64(rv) 36457 return nil 36458 case "ptrace.tracee.interpreter.file.filesystem": 36459 if ev.PTrace.Tracee == nil { 36460 ev.PTrace.Tracee = &ProcessContext{} 36461 } 36462 rv, ok := value.(string) 36463 if !ok { 36464 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.Filesystem"} 36465 } 36466 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.Filesystem = rv 36467 return nil 36468 case "ptrace.tracee.interpreter.file.gid": 36469 if ev.PTrace.Tracee == nil { 36470 ev.PTrace.Tracee = &ProcessContext{} 36471 } 36472 rv, ok := value.(int) 36473 if !ok { 36474 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.GID"} 36475 } 36476 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.GID = uint32(rv) 36477 return nil 36478 case "ptrace.tracee.interpreter.file.group": 36479 if ev.PTrace.Tracee == nil { 36480 ev.PTrace.Tracee = &ProcessContext{} 36481 } 36482 rv, ok := value.(string) 36483 if !ok { 36484 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.Group"} 36485 } 36486 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.Group = rv 36487 return nil 36488 case "ptrace.tracee.interpreter.file.hashes": 36489 if ev.PTrace.Tracee == nil { 36490 ev.PTrace.Tracee = &ProcessContext{} 36491 } 36492 switch 
rv := value.(type) { 36493 case string: 36494 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.Hashes = append(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.Hashes, rv) 36495 case []string: 36496 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.Hashes = append(ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.Hashes, rv...) 36497 default: 36498 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.Hashes"} 36499 } 36500 return nil 36501 case "ptrace.tracee.interpreter.file.in_upper_layer": 36502 if ev.PTrace.Tracee == nil { 36503 ev.PTrace.Tracee = &ProcessContext{} 36504 } 36505 rv, ok := value.(bool) 36506 if !ok { 36507 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer"} 36508 } 36509 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer = rv 36510 return nil 36511 case "ptrace.tracee.interpreter.file.inode": 36512 if ev.PTrace.Tracee == nil { 36513 ev.PTrace.Tracee = &ProcessContext{} 36514 } 36515 rv, ok := value.(int) 36516 if !ok { 36517 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode"} 36518 } 36519 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode = uint64(rv) 36520 return nil 36521 case "ptrace.tracee.interpreter.file.mode": 36522 if ev.PTrace.Tracee == nil { 36523 ev.PTrace.Tracee = &ProcessContext{} 36524 } 36525 rv, ok := value.(int) 36526 if !ok { 36527 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 36528 } 36529 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 36530 return nil 36531 case "ptrace.tracee.interpreter.file.modification_time": 36532 if ev.PTrace.Tracee == nil { 36533 ev.PTrace.Tracee = &ProcessContext{} 36534 } 36535 rv, ok := value.(int) 36536 if !ok { 36537 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.MTime"} 36538 } 
36539 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.MTime = uint64(rv) 36540 return nil 36541 case "ptrace.tracee.interpreter.file.mount_id": 36542 if ev.PTrace.Tracee == nil { 36543 ev.PTrace.Tracee = &ProcessContext{} 36544 } 36545 rv, ok := value.(int) 36546 if !ok { 36547 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID"} 36548 } 36549 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID = uint32(rv) 36550 return nil 36551 case "ptrace.tracee.interpreter.file.name": 36552 if ev.PTrace.Tracee == nil { 36553 ev.PTrace.Tracee = &ProcessContext{} 36554 } 36555 rv, ok := value.(string) 36556 if !ok { 36557 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.BasenameStr"} 36558 } 36559 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.BasenameStr = rv 36560 return nil 36561 case "ptrace.tracee.interpreter.file.name.length": 36562 if ev.PTrace.Tracee == nil { 36563 ev.PTrace.Tracee = &ProcessContext{} 36564 } 36565 return &eval.ErrFieldReadOnly{Field: "ptrace.tracee.interpreter.file.name.length"} 36566 case "ptrace.tracee.interpreter.file.package.name": 36567 if ev.PTrace.Tracee == nil { 36568 ev.PTrace.Tracee = &ProcessContext{} 36569 } 36570 rv, ok := value.(string) 36571 if !ok { 36572 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.PkgName"} 36573 } 36574 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.PkgName = rv 36575 return nil 36576 case "ptrace.tracee.interpreter.file.package.source_version": 36577 if ev.PTrace.Tracee == nil { 36578 ev.PTrace.Tracee = &ProcessContext{} 36579 } 36580 rv, ok := value.(string) 36581 if !ok { 36582 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.PkgSrcVersion"} 36583 } 36584 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.PkgSrcVersion = rv 36585 return nil 36586 case "ptrace.tracee.interpreter.file.package.version": 36587 if 
ev.PTrace.Tracee == nil { 36588 ev.PTrace.Tracee = &ProcessContext{} 36589 } 36590 rv, ok := value.(string) 36591 if !ok { 36592 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.PkgVersion"} 36593 } 36594 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.PkgVersion = rv 36595 return nil 36596 case "ptrace.tracee.interpreter.file.path": 36597 if ev.PTrace.Tracee == nil { 36598 ev.PTrace.Tracee = &ProcessContext{} 36599 } 36600 rv, ok := value.(string) 36601 if !ok { 36602 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.PathnameStr"} 36603 } 36604 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.PathnameStr = rv 36605 return nil 36606 case "ptrace.tracee.interpreter.file.path.length": 36607 if ev.PTrace.Tracee == nil { 36608 ev.PTrace.Tracee = &ProcessContext{} 36609 } 36610 return &eval.ErrFieldReadOnly{Field: "ptrace.tracee.interpreter.file.path.length"} 36611 case "ptrace.tracee.interpreter.file.rights": 36612 if ev.PTrace.Tracee == nil { 36613 ev.PTrace.Tracee = &ProcessContext{} 36614 } 36615 rv, ok := value.(int) 36616 if !ok { 36617 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 36618 } 36619 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 36620 return nil 36621 case "ptrace.tracee.interpreter.file.uid": 36622 if ev.PTrace.Tracee == nil { 36623 ev.PTrace.Tracee = &ProcessContext{} 36624 } 36625 rv, ok := value.(int) 36626 if !ok { 36627 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.UID"} 36628 } 36629 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.UID = uint32(rv) 36630 return nil 36631 case "ptrace.tracee.interpreter.file.user": 36632 if ev.PTrace.Tracee == nil { 36633 ev.PTrace.Tracee = &ProcessContext{} 36634 } 36635 rv, ok := value.(string) 36636 if !ok { 36637 return &eval.ErrValueTypeMismatch{Field: 
"PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.User"} 36638 } 36639 ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent.FileFields.User = rv 36640 return nil 36641 case "ptrace.tracee.is_kworker": 36642 if ev.PTrace.Tracee == nil { 36643 ev.PTrace.Tracee = &ProcessContext{} 36644 } 36645 rv, ok := value.(bool) 36646 if !ok { 36647 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.PIDContext.IsKworker"} 36648 } 36649 ev.PTrace.Tracee.Process.PIDContext.IsKworker = rv 36650 return nil 36651 case "ptrace.tracee.is_thread": 36652 if ev.PTrace.Tracee == nil { 36653 ev.PTrace.Tracee = &ProcessContext{} 36654 } 36655 rv, ok := value.(bool) 36656 if !ok { 36657 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.IsThread"} 36658 } 36659 ev.PTrace.Tracee.Process.IsThread = rv 36660 return nil 36661 case "ptrace.tracee.parent.args": 36662 if ev.PTrace.Tracee == nil { 36663 ev.PTrace.Tracee = &ProcessContext{} 36664 } 36665 if ev.PTrace.Tracee.Parent == nil { 36666 ev.PTrace.Tracee.Parent = &Process{} 36667 } 36668 rv, ok := value.(string) 36669 if !ok { 36670 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Args"} 36671 } 36672 ev.PTrace.Tracee.Parent.Args = rv 36673 return nil 36674 case "ptrace.tracee.parent.args_flags": 36675 if ev.PTrace.Tracee == nil { 36676 ev.PTrace.Tracee = &ProcessContext{} 36677 } 36678 if ev.PTrace.Tracee.Parent == nil { 36679 ev.PTrace.Tracee.Parent = &Process{} 36680 } 36681 switch rv := value.(type) { 36682 case string: 36683 ev.PTrace.Tracee.Parent.Argv = append(ev.PTrace.Tracee.Parent.Argv, rv) 36684 case []string: 36685 ev.PTrace.Tracee.Parent.Argv = append(ev.PTrace.Tracee.Parent.Argv, rv...) 
36686 default: 36687 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Argv"} 36688 } 36689 return nil 36690 case "ptrace.tracee.parent.args_options": 36691 if ev.PTrace.Tracee == nil { 36692 ev.PTrace.Tracee = &ProcessContext{} 36693 } 36694 if ev.PTrace.Tracee.Parent == nil { 36695 ev.PTrace.Tracee.Parent = &Process{} 36696 } 36697 switch rv := value.(type) { 36698 case string: 36699 ev.PTrace.Tracee.Parent.Argv = append(ev.PTrace.Tracee.Parent.Argv, rv) 36700 case []string: 36701 ev.PTrace.Tracee.Parent.Argv = append(ev.PTrace.Tracee.Parent.Argv, rv...) 36702 default: 36703 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Argv"} 36704 } 36705 return nil 36706 case "ptrace.tracee.parent.args_truncated": 36707 if ev.PTrace.Tracee == nil { 36708 ev.PTrace.Tracee = &ProcessContext{} 36709 } 36710 if ev.PTrace.Tracee.Parent == nil { 36711 ev.PTrace.Tracee.Parent = &Process{} 36712 } 36713 rv, ok := value.(bool) 36714 if !ok { 36715 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.ArgsTruncated"} 36716 } 36717 ev.PTrace.Tracee.Parent.ArgsTruncated = rv 36718 return nil 36719 case "ptrace.tracee.parent.argv": 36720 if ev.PTrace.Tracee == nil { 36721 ev.PTrace.Tracee = &ProcessContext{} 36722 } 36723 if ev.PTrace.Tracee.Parent == nil { 36724 ev.PTrace.Tracee.Parent = &Process{} 36725 } 36726 switch rv := value.(type) { 36727 case string: 36728 ev.PTrace.Tracee.Parent.Argv = append(ev.PTrace.Tracee.Parent.Argv, rv) 36729 case []string: 36730 ev.PTrace.Tracee.Parent.Argv = append(ev.PTrace.Tracee.Parent.Argv, rv...) 
36731 default: 36732 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Argv"} 36733 } 36734 return nil 36735 case "ptrace.tracee.parent.argv0": 36736 if ev.PTrace.Tracee == nil { 36737 ev.PTrace.Tracee = &ProcessContext{} 36738 } 36739 if ev.PTrace.Tracee.Parent == nil { 36740 ev.PTrace.Tracee.Parent = &Process{} 36741 } 36742 rv, ok := value.(string) 36743 if !ok { 36744 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Argv0"} 36745 } 36746 ev.PTrace.Tracee.Parent.Argv0 = rv 36747 return nil 36748 case "ptrace.tracee.parent.cap_effective": 36749 if ev.PTrace.Tracee == nil { 36750 ev.PTrace.Tracee = &ProcessContext{} 36751 } 36752 if ev.PTrace.Tracee.Parent == nil { 36753 ev.PTrace.Tracee.Parent = &Process{} 36754 } 36755 rv, ok := value.(int) 36756 if !ok { 36757 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.CapEffective"} 36758 } 36759 ev.PTrace.Tracee.Parent.Credentials.CapEffective = uint64(rv) 36760 return nil 36761 case "ptrace.tracee.parent.cap_permitted": 36762 if ev.PTrace.Tracee == nil { 36763 ev.PTrace.Tracee = &ProcessContext{} 36764 } 36765 if ev.PTrace.Tracee.Parent == nil { 36766 ev.PTrace.Tracee.Parent = &Process{} 36767 } 36768 rv, ok := value.(int) 36769 if !ok { 36770 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.CapPermitted"} 36771 } 36772 ev.PTrace.Tracee.Parent.Credentials.CapPermitted = uint64(rv) 36773 return nil 36774 case "ptrace.tracee.parent.comm": 36775 if ev.PTrace.Tracee == nil { 36776 ev.PTrace.Tracee = &ProcessContext{} 36777 } 36778 if ev.PTrace.Tracee.Parent == nil { 36779 ev.PTrace.Tracee.Parent = &Process{} 36780 } 36781 rv, ok := value.(string) 36782 if !ok { 36783 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Comm"} 36784 } 36785 ev.PTrace.Tracee.Parent.Comm = rv 36786 return nil 36787 case "ptrace.tracee.parent.container.id": 36788 if ev.PTrace.Tracee == nil { 36789 ev.PTrace.Tracee = &ProcessContext{} 36790 } 36791 if 
ev.PTrace.Tracee.Parent == nil { 36792 ev.PTrace.Tracee.Parent = &Process{} 36793 } 36794 rv, ok := value.(string) 36795 if !ok { 36796 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.ContainerID"} 36797 } 36798 ev.PTrace.Tracee.Parent.ContainerID = rv 36799 return nil 36800 case "ptrace.tracee.parent.created_at": 36801 if ev.PTrace.Tracee == nil { 36802 ev.PTrace.Tracee = &ProcessContext{} 36803 } 36804 if ev.PTrace.Tracee.Parent == nil { 36805 ev.PTrace.Tracee.Parent = &Process{} 36806 } 36807 rv, ok := value.(int) 36808 if !ok { 36809 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.CreatedAt"} 36810 } 36811 ev.PTrace.Tracee.Parent.CreatedAt = uint64(rv) 36812 return nil 36813 case "ptrace.tracee.parent.egid": 36814 if ev.PTrace.Tracee == nil { 36815 ev.PTrace.Tracee = &ProcessContext{} 36816 } 36817 if ev.PTrace.Tracee.Parent == nil { 36818 ev.PTrace.Tracee.Parent = &Process{} 36819 } 36820 rv, ok := value.(int) 36821 if !ok { 36822 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.EGID"} 36823 } 36824 ev.PTrace.Tracee.Parent.Credentials.EGID = uint32(rv) 36825 return nil 36826 case "ptrace.tracee.parent.egroup": 36827 if ev.PTrace.Tracee == nil { 36828 ev.PTrace.Tracee = &ProcessContext{} 36829 } 36830 if ev.PTrace.Tracee.Parent == nil { 36831 ev.PTrace.Tracee.Parent = &Process{} 36832 } 36833 rv, ok := value.(string) 36834 if !ok { 36835 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.EGroup"} 36836 } 36837 ev.PTrace.Tracee.Parent.Credentials.EGroup = rv 36838 return nil 36839 case "ptrace.tracee.parent.envp": 36840 if ev.PTrace.Tracee == nil { 36841 ev.PTrace.Tracee = &ProcessContext{} 36842 } 36843 if ev.PTrace.Tracee.Parent == nil { 36844 ev.PTrace.Tracee.Parent = &Process{} 36845 } 36846 switch rv := value.(type) { 36847 case string: 36848 ev.PTrace.Tracee.Parent.Envp = append(ev.PTrace.Tracee.Parent.Envp, rv) 36849 case []string: 36850 ev.PTrace.Tracee.Parent.Envp = 
append(ev.PTrace.Tracee.Parent.Envp, rv...) 36851 default: 36852 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Envp"} 36853 } 36854 return nil 36855 case "ptrace.tracee.parent.envs": 36856 if ev.PTrace.Tracee == nil { 36857 ev.PTrace.Tracee = &ProcessContext{} 36858 } 36859 if ev.PTrace.Tracee.Parent == nil { 36860 ev.PTrace.Tracee.Parent = &Process{} 36861 } 36862 switch rv := value.(type) { 36863 case string: 36864 ev.PTrace.Tracee.Parent.Envs = append(ev.PTrace.Tracee.Parent.Envs, rv) 36865 case []string: 36866 ev.PTrace.Tracee.Parent.Envs = append(ev.PTrace.Tracee.Parent.Envs, rv...) 36867 default: 36868 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Envs"} 36869 } 36870 return nil 36871 case "ptrace.tracee.parent.envs_truncated": 36872 if ev.PTrace.Tracee == nil { 36873 ev.PTrace.Tracee = &ProcessContext{} 36874 } 36875 if ev.PTrace.Tracee.Parent == nil { 36876 ev.PTrace.Tracee.Parent = &Process{} 36877 } 36878 rv, ok := value.(bool) 36879 if !ok { 36880 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.EnvsTruncated"} 36881 } 36882 ev.PTrace.Tracee.Parent.EnvsTruncated = rv 36883 return nil 36884 case "ptrace.tracee.parent.euid": 36885 if ev.PTrace.Tracee == nil { 36886 ev.PTrace.Tracee = &ProcessContext{} 36887 } 36888 if ev.PTrace.Tracee.Parent == nil { 36889 ev.PTrace.Tracee.Parent = &Process{} 36890 } 36891 rv, ok := value.(int) 36892 if !ok { 36893 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.EUID"} 36894 } 36895 ev.PTrace.Tracee.Parent.Credentials.EUID = uint32(rv) 36896 return nil 36897 case "ptrace.tracee.parent.euser": 36898 if ev.PTrace.Tracee == nil { 36899 ev.PTrace.Tracee = &ProcessContext{} 36900 } 36901 if ev.PTrace.Tracee.Parent == nil { 36902 ev.PTrace.Tracee.Parent = &Process{} 36903 } 36904 rv, ok := value.(string) 36905 if !ok { 36906 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.EUser"} 36907 } 36908 
ev.PTrace.Tracee.Parent.Credentials.EUser = rv 36909 return nil 36910 case "ptrace.tracee.parent.file.change_time": 36911 if ev.PTrace.Tracee == nil { 36912 ev.PTrace.Tracee = &ProcessContext{} 36913 } 36914 if ev.PTrace.Tracee.Parent == nil { 36915 ev.PTrace.Tracee.Parent = &Process{} 36916 } 36917 rv, ok := value.(int) 36918 if !ok { 36919 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.FileFields.CTime"} 36920 } 36921 ev.PTrace.Tracee.Parent.FileEvent.FileFields.CTime = uint64(rv) 36922 return nil 36923 case "ptrace.tracee.parent.file.filesystem": 36924 if ev.PTrace.Tracee == nil { 36925 ev.PTrace.Tracee = &ProcessContext{} 36926 } 36927 if ev.PTrace.Tracee.Parent == nil { 36928 ev.PTrace.Tracee.Parent = &Process{} 36929 } 36930 rv, ok := value.(string) 36931 if !ok { 36932 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.Filesystem"} 36933 } 36934 ev.PTrace.Tracee.Parent.FileEvent.Filesystem = rv 36935 return nil 36936 case "ptrace.tracee.parent.file.gid": 36937 if ev.PTrace.Tracee == nil { 36938 ev.PTrace.Tracee = &ProcessContext{} 36939 } 36940 if ev.PTrace.Tracee.Parent == nil { 36941 ev.PTrace.Tracee.Parent = &Process{} 36942 } 36943 rv, ok := value.(int) 36944 if !ok { 36945 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.FileFields.GID"} 36946 } 36947 ev.PTrace.Tracee.Parent.FileEvent.FileFields.GID = uint32(rv) 36948 return nil 36949 case "ptrace.tracee.parent.file.group": 36950 if ev.PTrace.Tracee == nil { 36951 ev.PTrace.Tracee = &ProcessContext{} 36952 } 36953 if ev.PTrace.Tracee.Parent == nil { 36954 ev.PTrace.Tracee.Parent = &Process{} 36955 } 36956 rv, ok := value.(string) 36957 if !ok { 36958 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.FileFields.Group"} 36959 } 36960 ev.PTrace.Tracee.Parent.FileEvent.FileFields.Group = rv 36961 return nil 36962 case "ptrace.tracee.parent.file.hashes": 36963 if ev.PTrace.Tracee == nil { 36964 ev.PTrace.Tracee = 
&ProcessContext{} 36965 } 36966 if ev.PTrace.Tracee.Parent == nil { 36967 ev.PTrace.Tracee.Parent = &Process{} 36968 } 36969 switch rv := value.(type) { 36970 case string: 36971 ev.PTrace.Tracee.Parent.FileEvent.Hashes = append(ev.PTrace.Tracee.Parent.FileEvent.Hashes, rv) 36972 case []string: 36973 ev.PTrace.Tracee.Parent.FileEvent.Hashes = append(ev.PTrace.Tracee.Parent.FileEvent.Hashes, rv...) 36974 default: 36975 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.Hashes"} 36976 } 36977 return nil 36978 case "ptrace.tracee.parent.file.in_upper_layer": 36979 if ev.PTrace.Tracee == nil { 36980 ev.PTrace.Tracee = &ProcessContext{} 36981 } 36982 if ev.PTrace.Tracee.Parent == nil { 36983 ev.PTrace.Tracee.Parent = &Process{} 36984 } 36985 rv, ok := value.(bool) 36986 if !ok { 36987 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.FileFields.InUpperLayer"} 36988 } 36989 ev.PTrace.Tracee.Parent.FileEvent.FileFields.InUpperLayer = rv 36990 return nil 36991 case "ptrace.tracee.parent.file.inode": 36992 if ev.PTrace.Tracee == nil { 36993 ev.PTrace.Tracee = &ProcessContext{} 36994 } 36995 if ev.PTrace.Tracee.Parent == nil { 36996 ev.PTrace.Tracee.Parent = &Process{} 36997 } 36998 rv, ok := value.(int) 36999 if !ok { 37000 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.FileFields.PathKey.Inode"} 37001 } 37002 ev.PTrace.Tracee.Parent.FileEvent.FileFields.PathKey.Inode = uint64(rv) 37003 return nil 37004 case "ptrace.tracee.parent.file.mode": 37005 if ev.PTrace.Tracee == nil { 37006 ev.PTrace.Tracee = &ProcessContext{} 37007 } 37008 if ev.PTrace.Tracee.Parent == nil { 37009 ev.PTrace.Tracee.Parent = &Process{} 37010 } 37011 rv, ok := value.(int) 37012 if !ok { 37013 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.FileFields.Mode"} 37014 } 37015 ev.PTrace.Tracee.Parent.FileEvent.FileFields.Mode = uint16(rv) 37016 return nil 37017 case "ptrace.tracee.parent.file.modification_time": 
37018 if ev.PTrace.Tracee == nil { 37019 ev.PTrace.Tracee = &ProcessContext{} 37020 } 37021 if ev.PTrace.Tracee.Parent == nil { 37022 ev.PTrace.Tracee.Parent = &Process{} 37023 } 37024 rv, ok := value.(int) 37025 if !ok { 37026 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.FileFields.MTime"} 37027 } 37028 ev.PTrace.Tracee.Parent.FileEvent.FileFields.MTime = uint64(rv) 37029 return nil 37030 case "ptrace.tracee.parent.file.mount_id": 37031 if ev.PTrace.Tracee == nil { 37032 ev.PTrace.Tracee = &ProcessContext{} 37033 } 37034 if ev.PTrace.Tracee.Parent == nil { 37035 ev.PTrace.Tracee.Parent = &Process{} 37036 } 37037 rv, ok := value.(int) 37038 if !ok { 37039 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.FileFields.PathKey.MountID"} 37040 } 37041 ev.PTrace.Tracee.Parent.FileEvent.FileFields.PathKey.MountID = uint32(rv) 37042 return nil 37043 case "ptrace.tracee.parent.file.name": 37044 if ev.PTrace.Tracee == nil { 37045 ev.PTrace.Tracee = &ProcessContext{} 37046 } 37047 if ev.PTrace.Tracee.Parent == nil { 37048 ev.PTrace.Tracee.Parent = &Process{} 37049 } 37050 rv, ok := value.(string) 37051 if !ok { 37052 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.BasenameStr"} 37053 } 37054 ev.PTrace.Tracee.Parent.FileEvent.BasenameStr = rv 37055 return nil 37056 case "ptrace.tracee.parent.file.name.length": 37057 if ev.PTrace.Tracee == nil { 37058 ev.PTrace.Tracee = &ProcessContext{} 37059 } 37060 if ev.PTrace.Tracee.Parent == nil { 37061 ev.PTrace.Tracee.Parent = &Process{} 37062 } 37063 return &eval.ErrFieldReadOnly{Field: "ptrace.tracee.parent.file.name.length"} 37064 case "ptrace.tracee.parent.file.package.name": 37065 if ev.PTrace.Tracee == nil { 37066 ev.PTrace.Tracee = &ProcessContext{} 37067 } 37068 if ev.PTrace.Tracee.Parent == nil { 37069 ev.PTrace.Tracee.Parent = &Process{} 37070 } 37071 rv, ok := value.(string) 37072 if !ok { 37073 return &eval.ErrValueTypeMismatch{Field: 
"PTrace.Tracee.Parent.FileEvent.PkgName"} 37074 } 37075 ev.PTrace.Tracee.Parent.FileEvent.PkgName = rv 37076 return nil 37077 case "ptrace.tracee.parent.file.package.source_version": 37078 if ev.PTrace.Tracee == nil { 37079 ev.PTrace.Tracee = &ProcessContext{} 37080 } 37081 if ev.PTrace.Tracee.Parent == nil { 37082 ev.PTrace.Tracee.Parent = &Process{} 37083 } 37084 rv, ok := value.(string) 37085 if !ok { 37086 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.PkgSrcVersion"} 37087 } 37088 ev.PTrace.Tracee.Parent.FileEvent.PkgSrcVersion = rv 37089 return nil 37090 case "ptrace.tracee.parent.file.package.version": 37091 if ev.PTrace.Tracee == nil { 37092 ev.PTrace.Tracee = &ProcessContext{} 37093 } 37094 if ev.PTrace.Tracee.Parent == nil { 37095 ev.PTrace.Tracee.Parent = &Process{} 37096 } 37097 rv, ok := value.(string) 37098 if !ok { 37099 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.PkgVersion"} 37100 } 37101 ev.PTrace.Tracee.Parent.FileEvent.PkgVersion = rv 37102 return nil 37103 case "ptrace.tracee.parent.file.path": 37104 if ev.PTrace.Tracee == nil { 37105 ev.PTrace.Tracee = &ProcessContext{} 37106 } 37107 if ev.PTrace.Tracee.Parent == nil { 37108 ev.PTrace.Tracee.Parent = &Process{} 37109 } 37110 rv, ok := value.(string) 37111 if !ok { 37112 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.PathnameStr"} 37113 } 37114 ev.PTrace.Tracee.Parent.FileEvent.PathnameStr = rv 37115 return nil 37116 case "ptrace.tracee.parent.file.path.length": 37117 if ev.PTrace.Tracee == nil { 37118 ev.PTrace.Tracee = &ProcessContext{} 37119 } 37120 if ev.PTrace.Tracee.Parent == nil { 37121 ev.PTrace.Tracee.Parent = &Process{} 37122 } 37123 return &eval.ErrFieldReadOnly{Field: "ptrace.tracee.parent.file.path.length"} 37124 case "ptrace.tracee.parent.file.rights": 37125 if ev.PTrace.Tracee == nil { 37126 ev.PTrace.Tracee = &ProcessContext{} 37127 } 37128 if ev.PTrace.Tracee.Parent == nil { 37129 
ev.PTrace.Tracee.Parent = &Process{} 37130 } 37131 rv, ok := value.(int) 37132 if !ok { 37133 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.FileFields.Mode"} 37134 } 37135 ev.PTrace.Tracee.Parent.FileEvent.FileFields.Mode = uint16(rv) 37136 return nil 37137 case "ptrace.tracee.parent.file.uid": 37138 if ev.PTrace.Tracee == nil { 37139 ev.PTrace.Tracee = &ProcessContext{} 37140 } 37141 if ev.PTrace.Tracee.Parent == nil { 37142 ev.PTrace.Tracee.Parent = &Process{} 37143 } 37144 rv, ok := value.(int) 37145 if !ok { 37146 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.FileFields.UID"} 37147 } 37148 ev.PTrace.Tracee.Parent.FileEvent.FileFields.UID = uint32(rv) 37149 return nil 37150 case "ptrace.tracee.parent.file.user": 37151 if ev.PTrace.Tracee == nil { 37152 ev.PTrace.Tracee = &ProcessContext{} 37153 } 37154 if ev.PTrace.Tracee.Parent == nil { 37155 ev.PTrace.Tracee.Parent = &Process{} 37156 } 37157 rv, ok := value.(string) 37158 if !ok { 37159 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.FileEvent.FileFields.User"} 37160 } 37161 ev.PTrace.Tracee.Parent.FileEvent.FileFields.User = rv 37162 return nil 37163 case "ptrace.tracee.parent.fsgid": 37164 if ev.PTrace.Tracee == nil { 37165 ev.PTrace.Tracee = &ProcessContext{} 37166 } 37167 if ev.PTrace.Tracee.Parent == nil { 37168 ev.PTrace.Tracee.Parent = &Process{} 37169 } 37170 rv, ok := value.(int) 37171 if !ok { 37172 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.FSGID"} 37173 } 37174 ev.PTrace.Tracee.Parent.Credentials.FSGID = uint32(rv) 37175 return nil 37176 case "ptrace.tracee.parent.fsgroup": 37177 if ev.PTrace.Tracee == nil { 37178 ev.PTrace.Tracee = &ProcessContext{} 37179 } 37180 if ev.PTrace.Tracee.Parent == nil { 37181 ev.PTrace.Tracee.Parent = &Process{} 37182 } 37183 rv, ok := value.(string) 37184 if !ok { 37185 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.FSGroup"} 37186 } 37187 
ev.PTrace.Tracee.Parent.Credentials.FSGroup = rv 37188 return nil 37189 case "ptrace.tracee.parent.fsuid": 37190 if ev.PTrace.Tracee == nil { 37191 ev.PTrace.Tracee = &ProcessContext{} 37192 } 37193 if ev.PTrace.Tracee.Parent == nil { 37194 ev.PTrace.Tracee.Parent = &Process{} 37195 } 37196 rv, ok := value.(int) 37197 if !ok { 37198 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.FSUID"} 37199 } 37200 ev.PTrace.Tracee.Parent.Credentials.FSUID = uint32(rv) 37201 return nil 37202 case "ptrace.tracee.parent.fsuser": 37203 if ev.PTrace.Tracee == nil { 37204 ev.PTrace.Tracee = &ProcessContext{} 37205 } 37206 if ev.PTrace.Tracee.Parent == nil { 37207 ev.PTrace.Tracee.Parent = &Process{} 37208 } 37209 rv, ok := value.(string) 37210 if !ok { 37211 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.FSUser"} 37212 } 37213 ev.PTrace.Tracee.Parent.Credentials.FSUser = rv 37214 return nil 37215 case "ptrace.tracee.parent.gid": 37216 if ev.PTrace.Tracee == nil { 37217 ev.PTrace.Tracee = &ProcessContext{} 37218 } 37219 if ev.PTrace.Tracee.Parent == nil { 37220 ev.PTrace.Tracee.Parent = &Process{} 37221 } 37222 rv, ok := value.(int) 37223 if !ok { 37224 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.GID"} 37225 } 37226 ev.PTrace.Tracee.Parent.Credentials.GID = uint32(rv) 37227 return nil 37228 case "ptrace.tracee.parent.group": 37229 if ev.PTrace.Tracee == nil { 37230 ev.PTrace.Tracee = &ProcessContext{} 37231 } 37232 if ev.PTrace.Tracee.Parent == nil { 37233 ev.PTrace.Tracee.Parent = &Process{} 37234 } 37235 rv, ok := value.(string) 37236 if !ok { 37237 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.Group"} 37238 } 37239 ev.PTrace.Tracee.Parent.Credentials.Group = rv 37240 return nil 37241 case "ptrace.tracee.parent.interpreter.file.change_time": 37242 if ev.PTrace.Tracee == nil { 37243 ev.PTrace.Tracee = &ProcessContext{} 37244 } 37245 if ev.PTrace.Tracee.Parent == nil { 
37246 ev.PTrace.Tracee.Parent = &Process{} 37247 } 37248 rv, ok := value.(int) 37249 if !ok { 37250 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.CTime"} 37251 } 37252 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.CTime = uint64(rv) 37253 return nil 37254 case "ptrace.tracee.parent.interpreter.file.filesystem": 37255 if ev.PTrace.Tracee == nil { 37256 ev.PTrace.Tracee = &ProcessContext{} 37257 } 37258 if ev.PTrace.Tracee.Parent == nil { 37259 ev.PTrace.Tracee.Parent = &Process{} 37260 } 37261 rv, ok := value.(string) 37262 if !ok { 37263 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.Filesystem"} 37264 } 37265 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.Filesystem = rv 37266 return nil 37267 case "ptrace.tracee.parent.interpreter.file.gid": 37268 if ev.PTrace.Tracee == nil { 37269 ev.PTrace.Tracee = &ProcessContext{} 37270 } 37271 if ev.PTrace.Tracee.Parent == nil { 37272 ev.PTrace.Tracee.Parent = &Process{} 37273 } 37274 rv, ok := value.(int) 37275 if !ok { 37276 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.GID"} 37277 } 37278 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.GID = uint32(rv) 37279 return nil 37280 case "ptrace.tracee.parent.interpreter.file.group": 37281 if ev.PTrace.Tracee == nil { 37282 ev.PTrace.Tracee = &ProcessContext{} 37283 } 37284 if ev.PTrace.Tracee.Parent == nil { 37285 ev.PTrace.Tracee.Parent = &Process{} 37286 } 37287 rv, ok := value.(string) 37288 if !ok { 37289 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.Group"} 37290 } 37291 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.Group = rv 37292 return nil 37293 case "ptrace.tracee.parent.interpreter.file.hashes": 37294 if ev.PTrace.Tracee == nil { 37295 ev.PTrace.Tracee = &ProcessContext{} 37296 } 37297 if ev.PTrace.Tracee.Parent == nil { 37298 ev.PTrace.Tracee.Parent = 
&Process{} 37299 } 37300 switch rv := value.(type) { 37301 case string: 37302 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.Hashes = append(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.Hashes, rv) 37303 case []string: 37304 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.Hashes = append(ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.Hashes, rv...) 37305 default: 37306 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.Hashes"} 37307 } 37308 return nil 37309 case "ptrace.tracee.parent.interpreter.file.in_upper_layer": 37310 if ev.PTrace.Tracee == nil { 37311 ev.PTrace.Tracee = &ProcessContext{} 37312 } 37313 if ev.PTrace.Tracee.Parent == nil { 37314 ev.PTrace.Tracee.Parent = &Process{} 37315 } 37316 rv, ok := value.(bool) 37317 if !ok { 37318 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.InUpperLayer"} 37319 } 37320 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.InUpperLayer = rv 37321 return nil 37322 case "ptrace.tracee.parent.interpreter.file.inode": 37323 if ev.PTrace.Tracee == nil { 37324 ev.PTrace.Tracee = &ProcessContext{} 37325 } 37326 if ev.PTrace.Tracee.Parent == nil { 37327 ev.PTrace.Tracee.Parent = &Process{} 37328 } 37329 rv, ok := value.(int) 37330 if !ok { 37331 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode"} 37332 } 37333 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode = uint64(rv) 37334 return nil 37335 case "ptrace.tracee.parent.interpreter.file.mode": 37336 if ev.PTrace.Tracee == nil { 37337 ev.PTrace.Tracee = &ProcessContext{} 37338 } 37339 if ev.PTrace.Tracee.Parent == nil { 37340 ev.PTrace.Tracee.Parent = &Process{} 37341 } 37342 rv, ok := value.(int) 37343 if !ok { 37344 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.Mode"} 37345 } 37346 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 37347 
return nil 37348 case "ptrace.tracee.parent.interpreter.file.modification_time": 37349 if ev.PTrace.Tracee == nil { 37350 ev.PTrace.Tracee = &ProcessContext{} 37351 } 37352 if ev.PTrace.Tracee.Parent == nil { 37353 ev.PTrace.Tracee.Parent = &Process{} 37354 } 37355 rv, ok := value.(int) 37356 if !ok { 37357 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.MTime"} 37358 } 37359 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.MTime = uint64(rv) 37360 return nil 37361 case "ptrace.tracee.parent.interpreter.file.mount_id": 37362 if ev.PTrace.Tracee == nil { 37363 ev.PTrace.Tracee = &ProcessContext{} 37364 } 37365 if ev.PTrace.Tracee.Parent == nil { 37366 ev.PTrace.Tracee.Parent = &Process{} 37367 } 37368 rv, ok := value.(int) 37369 if !ok { 37370 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID"} 37371 } 37372 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID = uint32(rv) 37373 return nil 37374 case "ptrace.tracee.parent.interpreter.file.name": 37375 if ev.PTrace.Tracee == nil { 37376 ev.PTrace.Tracee = &ProcessContext{} 37377 } 37378 if ev.PTrace.Tracee.Parent == nil { 37379 ev.PTrace.Tracee.Parent = &Process{} 37380 } 37381 rv, ok := value.(string) 37382 if !ok { 37383 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.BasenameStr"} 37384 } 37385 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.BasenameStr = rv 37386 return nil 37387 case "ptrace.tracee.parent.interpreter.file.name.length": 37388 if ev.PTrace.Tracee == nil { 37389 ev.PTrace.Tracee = &ProcessContext{} 37390 } 37391 if ev.PTrace.Tracee.Parent == nil { 37392 ev.PTrace.Tracee.Parent = &Process{} 37393 } 37394 return &eval.ErrFieldReadOnly{Field: "ptrace.tracee.parent.interpreter.file.name.length"} 37395 case "ptrace.tracee.parent.interpreter.file.package.name": 37396 if ev.PTrace.Tracee == nil { 37397 ev.PTrace.Tracee = 
&ProcessContext{} 37398 } 37399 if ev.PTrace.Tracee.Parent == nil { 37400 ev.PTrace.Tracee.Parent = &Process{} 37401 } 37402 rv, ok := value.(string) 37403 if !ok { 37404 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.PkgName"} 37405 } 37406 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.PkgName = rv 37407 return nil 37408 case "ptrace.tracee.parent.interpreter.file.package.source_version": 37409 if ev.PTrace.Tracee == nil { 37410 ev.PTrace.Tracee = &ProcessContext{} 37411 } 37412 if ev.PTrace.Tracee.Parent == nil { 37413 ev.PTrace.Tracee.Parent = &Process{} 37414 } 37415 rv, ok := value.(string) 37416 if !ok { 37417 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.PkgSrcVersion"} 37418 } 37419 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.PkgSrcVersion = rv 37420 return nil 37421 case "ptrace.tracee.parent.interpreter.file.package.version": 37422 if ev.PTrace.Tracee == nil { 37423 ev.PTrace.Tracee = &ProcessContext{} 37424 } 37425 if ev.PTrace.Tracee.Parent == nil { 37426 ev.PTrace.Tracee.Parent = &Process{} 37427 } 37428 rv, ok := value.(string) 37429 if !ok { 37430 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.PkgVersion"} 37431 } 37432 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.PkgVersion = rv 37433 return nil 37434 case "ptrace.tracee.parent.interpreter.file.path": 37435 if ev.PTrace.Tracee == nil { 37436 ev.PTrace.Tracee = &ProcessContext{} 37437 } 37438 if ev.PTrace.Tracee.Parent == nil { 37439 ev.PTrace.Tracee.Parent = &Process{} 37440 } 37441 rv, ok := value.(string) 37442 if !ok { 37443 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.PathnameStr"} 37444 } 37445 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.PathnameStr = rv 37446 return nil 37447 case "ptrace.tracee.parent.interpreter.file.path.length": 37448 if ev.PTrace.Tracee == nil { 37449 ev.PTrace.Tracee = &ProcessContext{} 37450 } 37451 if 
ev.PTrace.Tracee.Parent == nil { 37452 ev.PTrace.Tracee.Parent = &Process{} 37453 } 37454 return &eval.ErrFieldReadOnly{Field: "ptrace.tracee.parent.interpreter.file.path.length"} 37455 case "ptrace.tracee.parent.interpreter.file.rights": 37456 if ev.PTrace.Tracee == nil { 37457 ev.PTrace.Tracee = &ProcessContext{} 37458 } 37459 if ev.PTrace.Tracee.Parent == nil { 37460 ev.PTrace.Tracee.Parent = &Process{} 37461 } 37462 rv, ok := value.(int) 37463 if !ok { 37464 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.Mode"} 37465 } 37466 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 37467 return nil 37468 case "ptrace.tracee.parent.interpreter.file.uid": 37469 if ev.PTrace.Tracee == nil { 37470 ev.PTrace.Tracee = &ProcessContext{} 37471 } 37472 if ev.PTrace.Tracee.Parent == nil { 37473 ev.PTrace.Tracee.Parent = &Process{} 37474 } 37475 rv, ok := value.(int) 37476 if !ok { 37477 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.UID"} 37478 } 37479 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.UID = uint32(rv) 37480 return nil 37481 case "ptrace.tracee.parent.interpreter.file.user": 37482 if ev.PTrace.Tracee == nil { 37483 ev.PTrace.Tracee = &ProcessContext{} 37484 } 37485 if ev.PTrace.Tracee.Parent == nil { 37486 ev.PTrace.Tracee.Parent = &Process{} 37487 } 37488 rv, ok := value.(string) 37489 if !ok { 37490 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.User"} 37491 } 37492 ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent.FileFields.User = rv 37493 return nil 37494 case "ptrace.tracee.parent.is_kworker": 37495 if ev.PTrace.Tracee == nil { 37496 ev.PTrace.Tracee = &ProcessContext{} 37497 } 37498 if ev.PTrace.Tracee.Parent == nil { 37499 ev.PTrace.Tracee.Parent = &Process{} 37500 } 37501 rv, ok := value.(bool) 37502 if !ok { 37503 return &eval.ErrValueTypeMismatch{Field: 
"PTrace.Tracee.Parent.PIDContext.IsKworker"} 37504 } 37505 ev.PTrace.Tracee.Parent.PIDContext.IsKworker = rv 37506 return nil 37507 case "ptrace.tracee.parent.is_thread": 37508 if ev.PTrace.Tracee == nil { 37509 ev.PTrace.Tracee = &ProcessContext{} 37510 } 37511 if ev.PTrace.Tracee.Parent == nil { 37512 ev.PTrace.Tracee.Parent = &Process{} 37513 } 37514 rv, ok := value.(bool) 37515 if !ok { 37516 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.IsThread"} 37517 } 37518 ev.PTrace.Tracee.Parent.IsThread = rv 37519 return nil 37520 case "ptrace.tracee.parent.pid": 37521 if ev.PTrace.Tracee == nil { 37522 ev.PTrace.Tracee = &ProcessContext{} 37523 } 37524 if ev.PTrace.Tracee.Parent == nil { 37525 ev.PTrace.Tracee.Parent = &Process{} 37526 } 37527 rv, ok := value.(int) 37528 if !ok { 37529 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.PIDContext.Pid"} 37530 } 37531 ev.PTrace.Tracee.Parent.PIDContext.Pid = uint32(rv) 37532 return nil 37533 case "ptrace.tracee.parent.ppid": 37534 if ev.PTrace.Tracee == nil { 37535 ev.PTrace.Tracee = &ProcessContext{} 37536 } 37537 if ev.PTrace.Tracee.Parent == nil { 37538 ev.PTrace.Tracee.Parent = &Process{} 37539 } 37540 rv, ok := value.(int) 37541 if !ok { 37542 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.PPid"} 37543 } 37544 ev.PTrace.Tracee.Parent.PPid = uint32(rv) 37545 return nil 37546 case "ptrace.tracee.parent.tid": 37547 if ev.PTrace.Tracee == nil { 37548 ev.PTrace.Tracee = &ProcessContext{} 37549 } 37550 if ev.PTrace.Tracee.Parent == nil { 37551 ev.PTrace.Tracee.Parent = &Process{} 37552 } 37553 rv, ok := value.(int) 37554 if !ok { 37555 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.PIDContext.Tid"} 37556 } 37557 ev.PTrace.Tracee.Parent.PIDContext.Tid = uint32(rv) 37558 return nil 37559 case "ptrace.tracee.parent.tty_name": 37560 if ev.PTrace.Tracee == nil { 37561 ev.PTrace.Tracee = &ProcessContext{} 37562 } 37563 if ev.PTrace.Tracee.Parent == nil { 37564 
ev.PTrace.Tracee.Parent = &Process{} 37565 } 37566 rv, ok := value.(string) 37567 if !ok { 37568 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.TTYName"} 37569 } 37570 ev.PTrace.Tracee.Parent.TTYName = rv 37571 return nil 37572 case "ptrace.tracee.parent.uid": 37573 if ev.PTrace.Tracee == nil { 37574 ev.PTrace.Tracee = &ProcessContext{} 37575 } 37576 if ev.PTrace.Tracee.Parent == nil { 37577 ev.PTrace.Tracee.Parent = &Process{} 37578 } 37579 rv, ok := value.(int) 37580 if !ok { 37581 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.UID"} 37582 } 37583 ev.PTrace.Tracee.Parent.Credentials.UID = uint32(rv) 37584 return nil 37585 case "ptrace.tracee.parent.user": 37586 if ev.PTrace.Tracee == nil { 37587 ev.PTrace.Tracee = &ProcessContext{} 37588 } 37589 if ev.PTrace.Tracee.Parent == nil { 37590 ev.PTrace.Tracee.Parent = &Process{} 37591 } 37592 rv, ok := value.(string) 37593 if !ok { 37594 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.Credentials.User"} 37595 } 37596 ev.PTrace.Tracee.Parent.Credentials.User = rv 37597 return nil 37598 case "ptrace.tracee.parent.user_session.k8s_groups": 37599 if ev.PTrace.Tracee == nil { 37600 ev.PTrace.Tracee = &ProcessContext{} 37601 } 37602 if ev.PTrace.Tracee.Parent == nil { 37603 ev.PTrace.Tracee.Parent = &Process{} 37604 } 37605 switch rv := value.(type) { 37606 case string: 37607 ev.PTrace.Tracee.Parent.UserSession.K8SGroups = append(ev.PTrace.Tracee.Parent.UserSession.K8SGroups, rv) 37608 case []string: 37609 ev.PTrace.Tracee.Parent.UserSession.K8SGroups = append(ev.PTrace.Tracee.Parent.UserSession.K8SGroups, rv...) 
37610 default: 37611 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.UserSession.K8SGroups"} 37612 } 37613 return nil 37614 case "ptrace.tracee.parent.user_session.k8s_uid": 37615 if ev.PTrace.Tracee == nil { 37616 ev.PTrace.Tracee = &ProcessContext{} 37617 } 37618 if ev.PTrace.Tracee.Parent == nil { 37619 ev.PTrace.Tracee.Parent = &Process{} 37620 } 37621 rv, ok := value.(string) 37622 if !ok { 37623 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.UserSession.K8SUID"} 37624 } 37625 ev.PTrace.Tracee.Parent.UserSession.K8SUID = rv 37626 return nil 37627 case "ptrace.tracee.parent.user_session.k8s_username": 37628 if ev.PTrace.Tracee == nil { 37629 ev.PTrace.Tracee = &ProcessContext{} 37630 } 37631 if ev.PTrace.Tracee.Parent == nil { 37632 ev.PTrace.Tracee.Parent = &Process{} 37633 } 37634 rv, ok := value.(string) 37635 if !ok { 37636 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Parent.UserSession.K8SUsername"} 37637 } 37638 ev.PTrace.Tracee.Parent.UserSession.K8SUsername = rv 37639 return nil 37640 case "ptrace.tracee.pid": 37641 if ev.PTrace.Tracee == nil { 37642 ev.PTrace.Tracee = &ProcessContext{} 37643 } 37644 rv, ok := value.(int) 37645 if !ok { 37646 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.PIDContext.Pid"} 37647 } 37648 ev.PTrace.Tracee.Process.PIDContext.Pid = uint32(rv) 37649 return nil 37650 case "ptrace.tracee.ppid": 37651 if ev.PTrace.Tracee == nil { 37652 ev.PTrace.Tracee = &ProcessContext{} 37653 } 37654 rv, ok := value.(int) 37655 if !ok { 37656 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.PPid"} 37657 } 37658 ev.PTrace.Tracee.Process.PPid = uint32(rv) 37659 return nil 37660 case "ptrace.tracee.tid": 37661 if ev.PTrace.Tracee == nil { 37662 ev.PTrace.Tracee = &ProcessContext{} 37663 } 37664 rv, ok := value.(int) 37665 if !ok { 37666 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.PIDContext.Tid"} 37667 } 37668 ev.PTrace.Tracee.Process.PIDContext.Tid = 
uint32(rv) 37669 return nil 37670 case "ptrace.tracee.tty_name": 37671 if ev.PTrace.Tracee == nil { 37672 ev.PTrace.Tracee = &ProcessContext{} 37673 } 37674 rv, ok := value.(string) 37675 if !ok { 37676 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.TTYName"} 37677 } 37678 ev.PTrace.Tracee.Process.TTYName = rv 37679 return nil 37680 case "ptrace.tracee.uid": 37681 if ev.PTrace.Tracee == nil { 37682 ev.PTrace.Tracee = &ProcessContext{} 37683 } 37684 rv, ok := value.(int) 37685 if !ok { 37686 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.UID"} 37687 } 37688 ev.PTrace.Tracee.Process.Credentials.UID = uint32(rv) 37689 return nil 37690 case "ptrace.tracee.user": 37691 if ev.PTrace.Tracee == nil { 37692 ev.PTrace.Tracee = &ProcessContext{} 37693 } 37694 rv, ok := value.(string) 37695 if !ok { 37696 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.Credentials.User"} 37697 } 37698 ev.PTrace.Tracee.Process.Credentials.User = rv 37699 return nil 37700 case "ptrace.tracee.user_session.k8s_groups": 37701 if ev.PTrace.Tracee == nil { 37702 ev.PTrace.Tracee = &ProcessContext{} 37703 } 37704 switch rv := value.(type) { 37705 case string: 37706 ev.PTrace.Tracee.Process.UserSession.K8SGroups = append(ev.PTrace.Tracee.Process.UserSession.K8SGroups, rv) 37707 case []string: 37708 ev.PTrace.Tracee.Process.UserSession.K8SGroups = append(ev.PTrace.Tracee.Process.UserSession.K8SGroups, rv...) 
37709 default: 37710 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.UserSession.K8SGroups"} 37711 } 37712 return nil 37713 case "ptrace.tracee.user_session.k8s_uid": 37714 if ev.PTrace.Tracee == nil { 37715 ev.PTrace.Tracee = &ProcessContext{} 37716 } 37717 rv, ok := value.(string) 37718 if !ok { 37719 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.UserSession.K8SUID"} 37720 } 37721 ev.PTrace.Tracee.Process.UserSession.K8SUID = rv 37722 return nil 37723 case "ptrace.tracee.user_session.k8s_username": 37724 if ev.PTrace.Tracee == nil { 37725 ev.PTrace.Tracee = &ProcessContext{} 37726 } 37727 rv, ok := value.(string) 37728 if !ok { 37729 return &eval.ErrValueTypeMismatch{Field: "PTrace.Tracee.Process.UserSession.K8SUsername"} 37730 } 37731 ev.PTrace.Tracee.Process.UserSession.K8SUsername = rv 37732 return nil 37733 case "removexattr.file.change_time": 37734 rv, ok := value.(int) 37735 if !ok { 37736 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.FileFields.CTime"} 37737 } 37738 ev.RemoveXAttr.File.FileFields.CTime = uint64(rv) 37739 return nil 37740 case "removexattr.file.destination.name": 37741 rv, ok := value.(string) 37742 if !ok { 37743 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.Name"} 37744 } 37745 ev.RemoveXAttr.Name = rv 37746 return nil 37747 case "removexattr.file.destination.namespace": 37748 rv, ok := value.(string) 37749 if !ok { 37750 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.Namespace"} 37751 } 37752 ev.RemoveXAttr.Namespace = rv 37753 return nil 37754 case "removexattr.file.filesystem": 37755 rv, ok := value.(string) 37756 if !ok { 37757 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.Filesystem"} 37758 } 37759 ev.RemoveXAttr.File.Filesystem = rv 37760 return nil 37761 case "removexattr.file.gid": 37762 rv, ok := value.(int) 37763 if !ok { 37764 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.FileFields.GID"} 37765 } 37766 ev.RemoveXAttr.File.FileFields.GID = 
uint32(rv) 37767 return nil 37768 case "removexattr.file.group": 37769 rv, ok := value.(string) 37770 if !ok { 37771 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.FileFields.Group"} 37772 } 37773 ev.RemoveXAttr.File.FileFields.Group = rv 37774 return nil 37775 case "removexattr.file.hashes": 37776 switch rv := value.(type) { 37777 case string: 37778 ev.RemoveXAttr.File.Hashes = append(ev.RemoveXAttr.File.Hashes, rv) 37779 case []string: 37780 ev.RemoveXAttr.File.Hashes = append(ev.RemoveXAttr.File.Hashes, rv...) 37781 default: 37782 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.Hashes"} 37783 } 37784 return nil 37785 case "removexattr.file.in_upper_layer": 37786 rv, ok := value.(bool) 37787 if !ok { 37788 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.FileFields.InUpperLayer"} 37789 } 37790 ev.RemoveXAttr.File.FileFields.InUpperLayer = rv 37791 return nil 37792 case "removexattr.file.inode": 37793 rv, ok := value.(int) 37794 if !ok { 37795 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.FileFields.PathKey.Inode"} 37796 } 37797 ev.RemoveXAttr.File.FileFields.PathKey.Inode = uint64(rv) 37798 return nil 37799 case "removexattr.file.mode": 37800 rv, ok := value.(int) 37801 if !ok { 37802 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.FileFields.Mode"} 37803 } 37804 ev.RemoveXAttr.File.FileFields.Mode = uint16(rv) 37805 return nil 37806 case "removexattr.file.modification_time": 37807 rv, ok := value.(int) 37808 if !ok { 37809 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.FileFields.MTime"} 37810 } 37811 ev.RemoveXAttr.File.FileFields.MTime = uint64(rv) 37812 return nil 37813 case "removexattr.file.mount_id": 37814 rv, ok := value.(int) 37815 if !ok { 37816 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.FileFields.PathKey.MountID"} 37817 } 37818 ev.RemoveXAttr.File.FileFields.PathKey.MountID = uint32(rv) 37819 return nil 37820 case "removexattr.file.name": 37821 rv, ok := 
value.(string) 37822 if !ok { 37823 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.BasenameStr"} 37824 } 37825 ev.RemoveXAttr.File.BasenameStr = rv 37826 return nil 37827 case "removexattr.file.name.length": 37828 return &eval.ErrFieldReadOnly{Field: "removexattr.file.name.length"} 37829 case "removexattr.file.package.name": 37830 rv, ok := value.(string) 37831 if !ok { 37832 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.PkgName"} 37833 } 37834 ev.RemoveXAttr.File.PkgName = rv 37835 return nil 37836 case "removexattr.file.package.source_version": 37837 rv, ok := value.(string) 37838 if !ok { 37839 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.PkgSrcVersion"} 37840 } 37841 ev.RemoveXAttr.File.PkgSrcVersion = rv 37842 return nil 37843 case "removexattr.file.package.version": 37844 rv, ok := value.(string) 37845 if !ok { 37846 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.PkgVersion"} 37847 } 37848 ev.RemoveXAttr.File.PkgVersion = rv 37849 return nil 37850 case "removexattr.file.path": 37851 rv, ok := value.(string) 37852 if !ok { 37853 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.PathnameStr"} 37854 } 37855 ev.RemoveXAttr.File.PathnameStr = rv 37856 return nil 37857 case "removexattr.file.path.length": 37858 return &eval.ErrFieldReadOnly{Field: "removexattr.file.path.length"} 37859 case "removexattr.file.rights": 37860 rv, ok := value.(int) 37861 if !ok { 37862 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.FileFields.Mode"} 37863 } 37864 ev.RemoveXAttr.File.FileFields.Mode = uint16(rv) 37865 return nil 37866 case "removexattr.file.uid": 37867 rv, ok := value.(int) 37868 if !ok { 37869 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.File.FileFields.UID"} 37870 } 37871 ev.RemoveXAttr.File.FileFields.UID = uint32(rv) 37872 return nil 37873 case "removexattr.file.user": 37874 rv, ok := value.(string) 37875 if !ok { 37876 return &eval.ErrValueTypeMismatch{Field: 
"RemoveXAttr.File.FileFields.User"} 37877 } 37878 ev.RemoveXAttr.File.FileFields.User = rv 37879 return nil 37880 case "removexattr.retval": 37881 rv, ok := value.(int) 37882 if !ok { 37883 return &eval.ErrValueTypeMismatch{Field: "RemoveXAttr.SyscallEvent.Retval"} 37884 } 37885 ev.RemoveXAttr.SyscallEvent.Retval = int64(rv) 37886 return nil 37887 case "rename.file.change_time": 37888 rv, ok := value.(int) 37889 if !ok { 37890 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.FileFields.CTime"} 37891 } 37892 ev.Rename.Old.FileFields.CTime = uint64(rv) 37893 return nil 37894 case "rename.file.destination.change_time": 37895 rv, ok := value.(int) 37896 if !ok { 37897 return &eval.ErrValueTypeMismatch{Field: "Rename.New.FileFields.CTime"} 37898 } 37899 ev.Rename.New.FileFields.CTime = uint64(rv) 37900 return nil 37901 case "rename.file.destination.filesystem": 37902 rv, ok := value.(string) 37903 if !ok { 37904 return &eval.ErrValueTypeMismatch{Field: "Rename.New.Filesystem"} 37905 } 37906 ev.Rename.New.Filesystem = rv 37907 return nil 37908 case "rename.file.destination.gid": 37909 rv, ok := value.(int) 37910 if !ok { 37911 return &eval.ErrValueTypeMismatch{Field: "Rename.New.FileFields.GID"} 37912 } 37913 ev.Rename.New.FileFields.GID = uint32(rv) 37914 return nil 37915 case "rename.file.destination.group": 37916 rv, ok := value.(string) 37917 if !ok { 37918 return &eval.ErrValueTypeMismatch{Field: "Rename.New.FileFields.Group"} 37919 } 37920 ev.Rename.New.FileFields.Group = rv 37921 return nil 37922 case "rename.file.destination.hashes": 37923 switch rv := value.(type) { 37924 case string: 37925 ev.Rename.New.Hashes = append(ev.Rename.New.Hashes, rv) 37926 case []string: 37927 ev.Rename.New.Hashes = append(ev.Rename.New.Hashes, rv...) 
37928 default: 37929 return &eval.ErrValueTypeMismatch{Field: "Rename.New.Hashes"} 37930 } 37931 return nil 37932 case "rename.file.destination.in_upper_layer": 37933 rv, ok := value.(bool) 37934 if !ok { 37935 return &eval.ErrValueTypeMismatch{Field: "Rename.New.FileFields.InUpperLayer"} 37936 } 37937 ev.Rename.New.FileFields.InUpperLayer = rv 37938 return nil 37939 case "rename.file.destination.inode": 37940 rv, ok := value.(int) 37941 if !ok { 37942 return &eval.ErrValueTypeMismatch{Field: "Rename.New.FileFields.PathKey.Inode"} 37943 } 37944 ev.Rename.New.FileFields.PathKey.Inode = uint64(rv) 37945 return nil 37946 case "rename.file.destination.mode": 37947 rv, ok := value.(int) 37948 if !ok { 37949 return &eval.ErrValueTypeMismatch{Field: "Rename.New.FileFields.Mode"} 37950 } 37951 ev.Rename.New.FileFields.Mode = uint16(rv) 37952 return nil 37953 case "rename.file.destination.modification_time": 37954 rv, ok := value.(int) 37955 if !ok { 37956 return &eval.ErrValueTypeMismatch{Field: "Rename.New.FileFields.MTime"} 37957 } 37958 ev.Rename.New.FileFields.MTime = uint64(rv) 37959 return nil 37960 case "rename.file.destination.mount_id": 37961 rv, ok := value.(int) 37962 if !ok { 37963 return &eval.ErrValueTypeMismatch{Field: "Rename.New.FileFields.PathKey.MountID"} 37964 } 37965 ev.Rename.New.FileFields.PathKey.MountID = uint32(rv) 37966 return nil 37967 case "rename.file.destination.name": 37968 rv, ok := value.(string) 37969 if !ok { 37970 return &eval.ErrValueTypeMismatch{Field: "Rename.New.BasenameStr"} 37971 } 37972 ev.Rename.New.BasenameStr = rv 37973 return nil 37974 case "rename.file.destination.name.length": 37975 return &eval.ErrFieldReadOnly{Field: "rename.file.destination.name.length"} 37976 case "rename.file.destination.package.name": 37977 rv, ok := value.(string) 37978 if !ok { 37979 return &eval.ErrValueTypeMismatch{Field: "Rename.New.PkgName"} 37980 } 37981 ev.Rename.New.PkgName = rv 37982 return nil 37983 case 
"rename.file.destination.package.source_version": 37984 rv, ok := value.(string) 37985 if !ok { 37986 return &eval.ErrValueTypeMismatch{Field: "Rename.New.PkgSrcVersion"} 37987 } 37988 ev.Rename.New.PkgSrcVersion = rv 37989 return nil 37990 case "rename.file.destination.package.version": 37991 rv, ok := value.(string) 37992 if !ok { 37993 return &eval.ErrValueTypeMismatch{Field: "Rename.New.PkgVersion"} 37994 } 37995 ev.Rename.New.PkgVersion = rv 37996 return nil 37997 case "rename.file.destination.path": 37998 rv, ok := value.(string) 37999 if !ok { 38000 return &eval.ErrValueTypeMismatch{Field: "Rename.New.PathnameStr"} 38001 } 38002 ev.Rename.New.PathnameStr = rv 38003 return nil 38004 case "rename.file.destination.path.length": 38005 return &eval.ErrFieldReadOnly{Field: "rename.file.destination.path.length"} 38006 case "rename.file.destination.rights": 38007 rv, ok := value.(int) 38008 if !ok { 38009 return &eval.ErrValueTypeMismatch{Field: "Rename.New.FileFields.Mode"} 38010 } 38011 ev.Rename.New.FileFields.Mode = uint16(rv) 38012 return nil 38013 case "rename.file.destination.uid": 38014 rv, ok := value.(int) 38015 if !ok { 38016 return &eval.ErrValueTypeMismatch{Field: "Rename.New.FileFields.UID"} 38017 } 38018 ev.Rename.New.FileFields.UID = uint32(rv) 38019 return nil 38020 case "rename.file.destination.user": 38021 rv, ok := value.(string) 38022 if !ok { 38023 return &eval.ErrValueTypeMismatch{Field: "Rename.New.FileFields.User"} 38024 } 38025 ev.Rename.New.FileFields.User = rv 38026 return nil 38027 case "rename.file.filesystem": 38028 rv, ok := value.(string) 38029 if !ok { 38030 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.Filesystem"} 38031 } 38032 ev.Rename.Old.Filesystem = rv 38033 return nil 38034 case "rename.file.gid": 38035 rv, ok := value.(int) 38036 if !ok { 38037 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.FileFields.GID"} 38038 } 38039 ev.Rename.Old.FileFields.GID = uint32(rv) 38040 return nil 38041 case "rename.file.group": 
38042 rv, ok := value.(string) 38043 if !ok { 38044 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.FileFields.Group"} 38045 } 38046 ev.Rename.Old.FileFields.Group = rv 38047 return nil 38048 case "rename.file.hashes": 38049 switch rv := value.(type) { 38050 case string: 38051 ev.Rename.Old.Hashes = append(ev.Rename.Old.Hashes, rv) 38052 case []string: 38053 ev.Rename.Old.Hashes = append(ev.Rename.Old.Hashes, rv...) 38054 default: 38055 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.Hashes"} 38056 } 38057 return nil 38058 case "rename.file.in_upper_layer": 38059 rv, ok := value.(bool) 38060 if !ok { 38061 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.FileFields.InUpperLayer"} 38062 } 38063 ev.Rename.Old.FileFields.InUpperLayer = rv 38064 return nil 38065 case "rename.file.inode": 38066 rv, ok := value.(int) 38067 if !ok { 38068 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.FileFields.PathKey.Inode"} 38069 } 38070 ev.Rename.Old.FileFields.PathKey.Inode = uint64(rv) 38071 return nil 38072 case "rename.file.mode": 38073 rv, ok := value.(int) 38074 if !ok { 38075 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.FileFields.Mode"} 38076 } 38077 ev.Rename.Old.FileFields.Mode = uint16(rv) 38078 return nil 38079 case "rename.file.modification_time": 38080 rv, ok := value.(int) 38081 if !ok { 38082 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.FileFields.MTime"} 38083 } 38084 ev.Rename.Old.FileFields.MTime = uint64(rv) 38085 return nil 38086 case "rename.file.mount_id": 38087 rv, ok := value.(int) 38088 if !ok { 38089 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.FileFields.PathKey.MountID"} 38090 } 38091 ev.Rename.Old.FileFields.PathKey.MountID = uint32(rv) 38092 return nil 38093 case "rename.file.name": 38094 rv, ok := value.(string) 38095 if !ok { 38096 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.BasenameStr"} 38097 } 38098 ev.Rename.Old.BasenameStr = rv 38099 return nil 38100 case "rename.file.name.length": 38101 return 
&eval.ErrFieldReadOnly{Field: "rename.file.name.length"} 38102 case "rename.file.package.name": 38103 rv, ok := value.(string) 38104 if !ok { 38105 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.PkgName"} 38106 } 38107 ev.Rename.Old.PkgName = rv 38108 return nil 38109 case "rename.file.package.source_version": 38110 rv, ok := value.(string) 38111 if !ok { 38112 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.PkgSrcVersion"} 38113 } 38114 ev.Rename.Old.PkgSrcVersion = rv 38115 return nil 38116 case "rename.file.package.version": 38117 rv, ok := value.(string) 38118 if !ok { 38119 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.PkgVersion"} 38120 } 38121 ev.Rename.Old.PkgVersion = rv 38122 return nil 38123 case "rename.file.path": 38124 rv, ok := value.(string) 38125 if !ok { 38126 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.PathnameStr"} 38127 } 38128 ev.Rename.Old.PathnameStr = rv 38129 return nil 38130 case "rename.file.path.length": 38131 return &eval.ErrFieldReadOnly{Field: "rename.file.path.length"} 38132 case "rename.file.rights": 38133 rv, ok := value.(int) 38134 if !ok { 38135 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.FileFields.Mode"} 38136 } 38137 ev.Rename.Old.FileFields.Mode = uint16(rv) 38138 return nil 38139 case "rename.file.uid": 38140 rv, ok := value.(int) 38141 if !ok { 38142 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.FileFields.UID"} 38143 } 38144 ev.Rename.Old.FileFields.UID = uint32(rv) 38145 return nil 38146 case "rename.file.user": 38147 rv, ok := value.(string) 38148 if !ok { 38149 return &eval.ErrValueTypeMismatch{Field: "Rename.Old.FileFields.User"} 38150 } 38151 ev.Rename.Old.FileFields.User = rv 38152 return nil 38153 case "rename.retval": 38154 rv, ok := value.(int) 38155 if !ok { 38156 return &eval.ErrValueTypeMismatch{Field: "Rename.SyscallEvent.Retval"} 38157 } 38158 ev.Rename.SyscallEvent.Retval = int64(rv) 38159 return nil 38160 case "rmdir.file.change_time": 38161 rv, ok := value.(int) 
38162 if !ok { 38163 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.FileFields.CTime"} 38164 } 38165 ev.Rmdir.File.FileFields.CTime = uint64(rv) 38166 return nil 38167 case "rmdir.file.filesystem": 38168 rv, ok := value.(string) 38169 if !ok { 38170 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.Filesystem"} 38171 } 38172 ev.Rmdir.File.Filesystem = rv 38173 return nil 38174 case "rmdir.file.gid": 38175 rv, ok := value.(int) 38176 if !ok { 38177 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.FileFields.GID"} 38178 } 38179 ev.Rmdir.File.FileFields.GID = uint32(rv) 38180 return nil 38181 case "rmdir.file.group": 38182 rv, ok := value.(string) 38183 if !ok { 38184 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.FileFields.Group"} 38185 } 38186 ev.Rmdir.File.FileFields.Group = rv 38187 return nil 38188 case "rmdir.file.hashes": 38189 switch rv := value.(type) { 38190 case string: 38191 ev.Rmdir.File.Hashes = append(ev.Rmdir.File.Hashes, rv) 38192 case []string: 38193 ev.Rmdir.File.Hashes = append(ev.Rmdir.File.Hashes, rv...) 
38194 default: 38195 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.Hashes"} 38196 } 38197 return nil 38198 case "rmdir.file.in_upper_layer": 38199 rv, ok := value.(bool) 38200 if !ok { 38201 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.FileFields.InUpperLayer"} 38202 } 38203 ev.Rmdir.File.FileFields.InUpperLayer = rv 38204 return nil 38205 case "rmdir.file.inode": 38206 rv, ok := value.(int) 38207 if !ok { 38208 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.FileFields.PathKey.Inode"} 38209 } 38210 ev.Rmdir.File.FileFields.PathKey.Inode = uint64(rv) 38211 return nil 38212 case "rmdir.file.mode": 38213 rv, ok := value.(int) 38214 if !ok { 38215 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.FileFields.Mode"} 38216 } 38217 ev.Rmdir.File.FileFields.Mode = uint16(rv) 38218 return nil 38219 case "rmdir.file.modification_time": 38220 rv, ok := value.(int) 38221 if !ok { 38222 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.FileFields.MTime"} 38223 } 38224 ev.Rmdir.File.FileFields.MTime = uint64(rv) 38225 return nil 38226 case "rmdir.file.mount_id": 38227 rv, ok := value.(int) 38228 if !ok { 38229 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.FileFields.PathKey.MountID"} 38230 } 38231 ev.Rmdir.File.FileFields.PathKey.MountID = uint32(rv) 38232 return nil 38233 case "rmdir.file.name": 38234 rv, ok := value.(string) 38235 if !ok { 38236 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.BasenameStr"} 38237 } 38238 ev.Rmdir.File.BasenameStr = rv 38239 return nil 38240 case "rmdir.file.name.length": 38241 return &eval.ErrFieldReadOnly{Field: "rmdir.file.name.length"} 38242 case "rmdir.file.package.name": 38243 rv, ok := value.(string) 38244 if !ok { 38245 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.PkgName"} 38246 } 38247 ev.Rmdir.File.PkgName = rv 38248 return nil 38249 case "rmdir.file.package.source_version": 38250 rv, ok := value.(string) 38251 if !ok { 38252 return &eval.ErrValueTypeMismatch{Field: 
"Rmdir.File.PkgSrcVersion"} 38253 } 38254 ev.Rmdir.File.PkgSrcVersion = rv 38255 return nil 38256 case "rmdir.file.package.version": 38257 rv, ok := value.(string) 38258 if !ok { 38259 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.PkgVersion"} 38260 } 38261 ev.Rmdir.File.PkgVersion = rv 38262 return nil 38263 case "rmdir.file.path": 38264 rv, ok := value.(string) 38265 if !ok { 38266 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.PathnameStr"} 38267 } 38268 ev.Rmdir.File.PathnameStr = rv 38269 return nil 38270 case "rmdir.file.path.length": 38271 return &eval.ErrFieldReadOnly{Field: "rmdir.file.path.length"} 38272 case "rmdir.file.rights": 38273 rv, ok := value.(int) 38274 if !ok { 38275 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.FileFields.Mode"} 38276 } 38277 ev.Rmdir.File.FileFields.Mode = uint16(rv) 38278 return nil 38279 case "rmdir.file.uid": 38280 rv, ok := value.(int) 38281 if !ok { 38282 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.FileFields.UID"} 38283 } 38284 ev.Rmdir.File.FileFields.UID = uint32(rv) 38285 return nil 38286 case "rmdir.file.user": 38287 rv, ok := value.(string) 38288 if !ok { 38289 return &eval.ErrValueTypeMismatch{Field: "Rmdir.File.FileFields.User"} 38290 } 38291 ev.Rmdir.File.FileFields.User = rv 38292 return nil 38293 case "rmdir.retval": 38294 rv, ok := value.(int) 38295 if !ok { 38296 return &eval.ErrValueTypeMismatch{Field: "Rmdir.SyscallEvent.Retval"} 38297 } 38298 ev.Rmdir.SyscallEvent.Retval = int64(rv) 38299 return nil 38300 case "selinux.bool.name": 38301 rv, ok := value.(string) 38302 if !ok { 38303 return &eval.ErrValueTypeMismatch{Field: "SELinux.BoolName"} 38304 } 38305 ev.SELinux.BoolName = rv 38306 return nil 38307 case "selinux.bool.state": 38308 rv, ok := value.(string) 38309 if !ok { 38310 return &eval.ErrValueTypeMismatch{Field: "SELinux.BoolChangeValue"} 38311 } 38312 ev.SELinux.BoolChangeValue = rv 38313 return nil 38314 case "selinux.bool_commit.state": 38315 rv, ok := value.(bool) 
38316 if !ok { 38317 return &eval.ErrValueTypeMismatch{Field: "SELinux.BoolCommitValue"} 38318 } 38319 ev.SELinux.BoolCommitValue = rv 38320 return nil 38321 case "selinux.enforce.status": 38322 rv, ok := value.(string) 38323 if !ok { 38324 return &eval.ErrValueTypeMismatch{Field: "SELinux.EnforceStatus"} 38325 } 38326 ev.SELinux.EnforceStatus = rv 38327 return nil 38328 case "setgid.egid": 38329 rv, ok := value.(int) 38330 if !ok { 38331 return &eval.ErrValueTypeMismatch{Field: "SetGID.EGID"} 38332 } 38333 ev.SetGID.EGID = uint32(rv) 38334 return nil 38335 case "setgid.egroup": 38336 rv, ok := value.(string) 38337 if !ok { 38338 return &eval.ErrValueTypeMismatch{Field: "SetGID.EGroup"} 38339 } 38340 ev.SetGID.EGroup = rv 38341 return nil 38342 case "setgid.fsgid": 38343 rv, ok := value.(int) 38344 if !ok { 38345 return &eval.ErrValueTypeMismatch{Field: "SetGID.FSGID"} 38346 } 38347 ev.SetGID.FSGID = uint32(rv) 38348 return nil 38349 case "setgid.fsgroup": 38350 rv, ok := value.(string) 38351 if !ok { 38352 return &eval.ErrValueTypeMismatch{Field: "SetGID.FSGroup"} 38353 } 38354 ev.SetGID.FSGroup = rv 38355 return nil 38356 case "setgid.gid": 38357 rv, ok := value.(int) 38358 if !ok { 38359 return &eval.ErrValueTypeMismatch{Field: "SetGID.GID"} 38360 } 38361 ev.SetGID.GID = uint32(rv) 38362 return nil 38363 case "setgid.group": 38364 rv, ok := value.(string) 38365 if !ok { 38366 return &eval.ErrValueTypeMismatch{Field: "SetGID.Group"} 38367 } 38368 ev.SetGID.Group = rv 38369 return nil 38370 case "setuid.euid": 38371 rv, ok := value.(int) 38372 if !ok { 38373 return &eval.ErrValueTypeMismatch{Field: "SetUID.EUID"} 38374 } 38375 ev.SetUID.EUID = uint32(rv) 38376 return nil 38377 case "setuid.euser": 38378 rv, ok := value.(string) 38379 if !ok { 38380 return &eval.ErrValueTypeMismatch{Field: "SetUID.EUser"} 38381 } 38382 ev.SetUID.EUser = rv 38383 return nil 38384 case "setuid.fsuid": 38385 rv, ok := value.(int) 38386 if !ok { 38387 return 
&eval.ErrValueTypeMismatch{Field: "SetUID.FSUID"} 38388 } 38389 ev.SetUID.FSUID = uint32(rv) 38390 return nil 38391 case "setuid.fsuser": 38392 rv, ok := value.(string) 38393 if !ok { 38394 return &eval.ErrValueTypeMismatch{Field: "SetUID.FSUser"} 38395 } 38396 ev.SetUID.FSUser = rv 38397 return nil 38398 case "setuid.uid": 38399 rv, ok := value.(int) 38400 if !ok { 38401 return &eval.ErrValueTypeMismatch{Field: "SetUID.UID"} 38402 } 38403 ev.SetUID.UID = uint32(rv) 38404 return nil 38405 case "setuid.user": 38406 rv, ok := value.(string) 38407 if !ok { 38408 return &eval.ErrValueTypeMismatch{Field: "SetUID.User"} 38409 } 38410 ev.SetUID.User = rv 38411 return nil 38412 case "setxattr.file.change_time": 38413 rv, ok := value.(int) 38414 if !ok { 38415 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.FileFields.CTime"} 38416 } 38417 ev.SetXAttr.File.FileFields.CTime = uint64(rv) 38418 return nil 38419 case "setxattr.file.destination.name": 38420 rv, ok := value.(string) 38421 if !ok { 38422 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.Name"} 38423 } 38424 ev.SetXAttr.Name = rv 38425 return nil 38426 case "setxattr.file.destination.namespace": 38427 rv, ok := value.(string) 38428 if !ok { 38429 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.Namespace"} 38430 } 38431 ev.SetXAttr.Namespace = rv 38432 return nil 38433 case "setxattr.file.filesystem": 38434 rv, ok := value.(string) 38435 if !ok { 38436 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.Filesystem"} 38437 } 38438 ev.SetXAttr.File.Filesystem = rv 38439 return nil 38440 case "setxattr.file.gid": 38441 rv, ok := value.(int) 38442 if !ok { 38443 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.FileFields.GID"} 38444 } 38445 ev.SetXAttr.File.FileFields.GID = uint32(rv) 38446 return nil 38447 case "setxattr.file.group": 38448 rv, ok := value.(string) 38449 if !ok { 38450 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.FileFields.Group"} 38451 } 38452 
ev.SetXAttr.File.FileFields.Group = rv 38453 return nil 38454 case "setxattr.file.hashes": 38455 switch rv := value.(type) { 38456 case string: 38457 ev.SetXAttr.File.Hashes = append(ev.SetXAttr.File.Hashes, rv) 38458 case []string: 38459 ev.SetXAttr.File.Hashes = append(ev.SetXAttr.File.Hashes, rv...) 38460 default: 38461 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.Hashes"} 38462 } 38463 return nil 38464 case "setxattr.file.in_upper_layer": 38465 rv, ok := value.(bool) 38466 if !ok { 38467 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.FileFields.InUpperLayer"} 38468 } 38469 ev.SetXAttr.File.FileFields.InUpperLayer = rv 38470 return nil 38471 case "setxattr.file.inode": 38472 rv, ok := value.(int) 38473 if !ok { 38474 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.FileFields.PathKey.Inode"} 38475 } 38476 ev.SetXAttr.File.FileFields.PathKey.Inode = uint64(rv) 38477 return nil 38478 case "setxattr.file.mode": 38479 rv, ok := value.(int) 38480 if !ok { 38481 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.FileFields.Mode"} 38482 } 38483 ev.SetXAttr.File.FileFields.Mode = uint16(rv) 38484 return nil 38485 case "setxattr.file.modification_time": 38486 rv, ok := value.(int) 38487 if !ok { 38488 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.FileFields.MTime"} 38489 } 38490 ev.SetXAttr.File.FileFields.MTime = uint64(rv) 38491 return nil 38492 case "setxattr.file.mount_id": 38493 rv, ok := value.(int) 38494 if !ok { 38495 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.FileFields.PathKey.MountID"} 38496 } 38497 ev.SetXAttr.File.FileFields.PathKey.MountID = uint32(rv) 38498 return nil 38499 case "setxattr.file.name": 38500 rv, ok := value.(string) 38501 if !ok { 38502 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.BasenameStr"} 38503 } 38504 ev.SetXAttr.File.BasenameStr = rv 38505 return nil 38506 case "setxattr.file.name.length": 38507 return &eval.ErrFieldReadOnly{Field: "setxattr.file.name.length"} 38508 
case "setxattr.file.package.name": 38509 rv, ok := value.(string) 38510 if !ok { 38511 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.PkgName"} 38512 } 38513 ev.SetXAttr.File.PkgName = rv 38514 return nil 38515 case "setxattr.file.package.source_version": 38516 rv, ok := value.(string) 38517 if !ok { 38518 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.PkgSrcVersion"} 38519 } 38520 ev.SetXAttr.File.PkgSrcVersion = rv 38521 return nil 38522 case "setxattr.file.package.version": 38523 rv, ok := value.(string) 38524 if !ok { 38525 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.PkgVersion"} 38526 } 38527 ev.SetXAttr.File.PkgVersion = rv 38528 return nil 38529 case "setxattr.file.path": 38530 rv, ok := value.(string) 38531 if !ok { 38532 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.PathnameStr"} 38533 } 38534 ev.SetXAttr.File.PathnameStr = rv 38535 return nil 38536 case "setxattr.file.path.length": 38537 return &eval.ErrFieldReadOnly{Field: "setxattr.file.path.length"} 38538 case "setxattr.file.rights": 38539 rv, ok := value.(int) 38540 if !ok { 38541 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.FileFields.Mode"} 38542 } 38543 ev.SetXAttr.File.FileFields.Mode = uint16(rv) 38544 return nil 38545 case "setxattr.file.uid": 38546 rv, ok := value.(int) 38547 if !ok { 38548 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.FileFields.UID"} 38549 } 38550 ev.SetXAttr.File.FileFields.UID = uint32(rv) 38551 return nil 38552 case "setxattr.file.user": 38553 rv, ok := value.(string) 38554 if !ok { 38555 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.File.FileFields.User"} 38556 } 38557 ev.SetXAttr.File.FileFields.User = rv 38558 return nil 38559 case "setxattr.retval": 38560 rv, ok := value.(int) 38561 if !ok { 38562 return &eval.ErrValueTypeMismatch{Field: "SetXAttr.SyscallEvent.Retval"} 38563 } 38564 ev.SetXAttr.SyscallEvent.Retval = int64(rv) 38565 return nil 38566 case "signal.pid": 38567 rv, ok := value.(int) 38568 if 
!ok { 38569 return &eval.ErrValueTypeMismatch{Field: "Signal.PID"} 38570 } 38571 ev.Signal.PID = uint32(rv) 38572 return nil 38573 case "signal.retval": 38574 rv, ok := value.(int) 38575 if !ok { 38576 return &eval.ErrValueTypeMismatch{Field: "Signal.SyscallEvent.Retval"} 38577 } 38578 ev.Signal.SyscallEvent.Retval = int64(rv) 38579 return nil 38580 case "signal.target.ancestors.args": 38581 if ev.Signal.Target == nil { 38582 ev.Signal.Target = &ProcessContext{} 38583 } 38584 if ev.Signal.Target.Ancestor == nil { 38585 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38586 } 38587 rv, ok := value.(string) 38588 if !ok { 38589 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Args"} 38590 } 38591 ev.Signal.Target.Ancestor.ProcessContext.Process.Args = rv 38592 return nil 38593 case "signal.target.ancestors.args_flags": 38594 if ev.Signal.Target == nil { 38595 ev.Signal.Target = &ProcessContext{} 38596 } 38597 if ev.Signal.Target.Ancestor == nil { 38598 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38599 } 38600 switch rv := value.(type) { 38601 case string: 38602 ev.Signal.Target.Ancestor.ProcessContext.Process.Argv = append(ev.Signal.Target.Ancestor.ProcessContext.Process.Argv, rv) 38603 case []string: 38604 ev.Signal.Target.Ancestor.ProcessContext.Process.Argv = append(ev.Signal.Target.Ancestor.ProcessContext.Process.Argv, rv...) 
38605 default: 38606 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Argv"} 38607 } 38608 return nil 38609 case "signal.target.ancestors.args_options": 38610 if ev.Signal.Target == nil { 38611 ev.Signal.Target = &ProcessContext{} 38612 } 38613 if ev.Signal.Target.Ancestor == nil { 38614 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38615 } 38616 switch rv := value.(type) { 38617 case string: 38618 ev.Signal.Target.Ancestor.ProcessContext.Process.Argv = append(ev.Signal.Target.Ancestor.ProcessContext.Process.Argv, rv) 38619 case []string: 38620 ev.Signal.Target.Ancestor.ProcessContext.Process.Argv = append(ev.Signal.Target.Ancestor.ProcessContext.Process.Argv, rv...) 38621 default: 38622 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Argv"} 38623 } 38624 return nil 38625 case "signal.target.ancestors.args_truncated": 38626 if ev.Signal.Target == nil { 38627 ev.Signal.Target = &ProcessContext{} 38628 } 38629 if ev.Signal.Target.Ancestor == nil { 38630 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38631 } 38632 rv, ok := value.(bool) 38633 if !ok { 38634 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.ArgsTruncated"} 38635 } 38636 ev.Signal.Target.Ancestor.ProcessContext.Process.ArgsTruncated = rv 38637 return nil 38638 case "signal.target.ancestors.argv": 38639 if ev.Signal.Target == nil { 38640 ev.Signal.Target = &ProcessContext{} 38641 } 38642 if ev.Signal.Target.Ancestor == nil { 38643 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38644 } 38645 switch rv := value.(type) { 38646 case string: 38647 ev.Signal.Target.Ancestor.ProcessContext.Process.Argv = append(ev.Signal.Target.Ancestor.ProcessContext.Process.Argv, rv) 38648 case []string: 38649 ev.Signal.Target.Ancestor.ProcessContext.Process.Argv = append(ev.Signal.Target.Ancestor.ProcessContext.Process.Argv, rv...) 
38650 default: 38651 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Argv"} 38652 } 38653 return nil 38654 case "signal.target.ancestors.argv0": 38655 if ev.Signal.Target == nil { 38656 ev.Signal.Target = &ProcessContext{} 38657 } 38658 if ev.Signal.Target.Ancestor == nil { 38659 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38660 } 38661 rv, ok := value.(string) 38662 if !ok { 38663 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Argv0"} 38664 } 38665 ev.Signal.Target.Ancestor.ProcessContext.Process.Argv0 = rv 38666 return nil 38667 case "signal.target.ancestors.cap_effective": 38668 if ev.Signal.Target == nil { 38669 ev.Signal.Target = &ProcessContext{} 38670 } 38671 if ev.Signal.Target.Ancestor == nil { 38672 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38673 } 38674 rv, ok := value.(int) 38675 if !ok { 38676 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Credentials.CapEffective"} 38677 } 38678 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.CapEffective = uint64(rv) 38679 return nil 38680 case "signal.target.ancestors.cap_permitted": 38681 if ev.Signal.Target == nil { 38682 ev.Signal.Target = &ProcessContext{} 38683 } 38684 if ev.Signal.Target.Ancestor == nil { 38685 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38686 } 38687 rv, ok := value.(int) 38688 if !ok { 38689 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Credentials.CapPermitted"} 38690 } 38691 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.CapPermitted = uint64(rv) 38692 return nil 38693 case "signal.target.ancestors.comm": 38694 if ev.Signal.Target == nil { 38695 ev.Signal.Target = &ProcessContext{} 38696 } 38697 if ev.Signal.Target.Ancestor == nil { 38698 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38699 } 38700 rv, ok := value.(string) 38701 if !ok { 38702 return &eval.ErrValueTypeMismatch{Field: 
"Signal.Target.Ancestor.ProcessContext.Process.Comm"} 38703 } 38704 ev.Signal.Target.Ancestor.ProcessContext.Process.Comm = rv 38705 return nil 38706 case "signal.target.ancestors.container.id": 38707 if ev.Signal.Target == nil { 38708 ev.Signal.Target = &ProcessContext{} 38709 } 38710 if ev.Signal.Target.Ancestor == nil { 38711 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38712 } 38713 rv, ok := value.(string) 38714 if !ok { 38715 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.ContainerID"} 38716 } 38717 ev.Signal.Target.Ancestor.ProcessContext.Process.ContainerID = rv 38718 return nil 38719 case "signal.target.ancestors.created_at": 38720 if ev.Signal.Target == nil { 38721 ev.Signal.Target = &ProcessContext{} 38722 } 38723 if ev.Signal.Target.Ancestor == nil { 38724 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38725 } 38726 rv, ok := value.(int) 38727 if !ok { 38728 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.CreatedAt"} 38729 } 38730 ev.Signal.Target.Ancestor.ProcessContext.Process.CreatedAt = uint64(rv) 38731 return nil 38732 case "signal.target.ancestors.egid": 38733 if ev.Signal.Target == nil { 38734 ev.Signal.Target = &ProcessContext{} 38735 } 38736 if ev.Signal.Target.Ancestor == nil { 38737 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38738 } 38739 rv, ok := value.(int) 38740 if !ok { 38741 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Credentials.EGID"} 38742 } 38743 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.EGID = uint32(rv) 38744 return nil 38745 case "signal.target.ancestors.egroup": 38746 if ev.Signal.Target == nil { 38747 ev.Signal.Target = &ProcessContext{} 38748 } 38749 if ev.Signal.Target.Ancestor == nil { 38750 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38751 } 38752 rv, ok := value.(string) 38753 if !ok { 38754 return &eval.ErrValueTypeMismatch{Field: 
"Signal.Target.Ancestor.ProcessContext.Process.Credentials.EGroup"} 38755 } 38756 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.EGroup = rv 38757 return nil 38758 case "signal.target.ancestors.envp": 38759 if ev.Signal.Target == nil { 38760 ev.Signal.Target = &ProcessContext{} 38761 } 38762 if ev.Signal.Target.Ancestor == nil { 38763 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38764 } 38765 switch rv := value.(type) { 38766 case string: 38767 ev.Signal.Target.Ancestor.ProcessContext.Process.Envp = append(ev.Signal.Target.Ancestor.ProcessContext.Process.Envp, rv) 38768 case []string: 38769 ev.Signal.Target.Ancestor.ProcessContext.Process.Envp = append(ev.Signal.Target.Ancestor.ProcessContext.Process.Envp, rv...) 38770 default: 38771 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Envp"} 38772 } 38773 return nil 38774 case "signal.target.ancestors.envs": 38775 if ev.Signal.Target == nil { 38776 ev.Signal.Target = &ProcessContext{} 38777 } 38778 if ev.Signal.Target.Ancestor == nil { 38779 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38780 } 38781 switch rv := value.(type) { 38782 case string: 38783 ev.Signal.Target.Ancestor.ProcessContext.Process.Envs = append(ev.Signal.Target.Ancestor.ProcessContext.Process.Envs, rv) 38784 case []string: 38785 ev.Signal.Target.Ancestor.ProcessContext.Process.Envs = append(ev.Signal.Target.Ancestor.ProcessContext.Process.Envs, rv...) 
38786 default: 38787 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Envs"} 38788 } 38789 return nil 38790 case "signal.target.ancestors.envs_truncated": 38791 if ev.Signal.Target == nil { 38792 ev.Signal.Target = &ProcessContext{} 38793 } 38794 if ev.Signal.Target.Ancestor == nil { 38795 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38796 } 38797 rv, ok := value.(bool) 38798 if !ok { 38799 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.EnvsTruncated"} 38800 } 38801 ev.Signal.Target.Ancestor.ProcessContext.Process.EnvsTruncated = rv 38802 return nil 38803 case "signal.target.ancestors.euid": 38804 if ev.Signal.Target == nil { 38805 ev.Signal.Target = &ProcessContext{} 38806 } 38807 if ev.Signal.Target.Ancestor == nil { 38808 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38809 } 38810 rv, ok := value.(int) 38811 if !ok { 38812 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Credentials.EUID"} 38813 } 38814 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.EUID = uint32(rv) 38815 return nil 38816 case "signal.target.ancestors.euser": 38817 if ev.Signal.Target == nil { 38818 ev.Signal.Target = &ProcessContext{} 38819 } 38820 if ev.Signal.Target.Ancestor == nil { 38821 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38822 } 38823 rv, ok := value.(string) 38824 if !ok { 38825 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Credentials.EUser"} 38826 } 38827 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.EUser = rv 38828 return nil 38829 case "signal.target.ancestors.file.change_time": 38830 if ev.Signal.Target == nil { 38831 ev.Signal.Target = &ProcessContext{} 38832 } 38833 if ev.Signal.Target.Ancestor == nil { 38834 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38835 } 38836 rv, ok := value.(int) 38837 if !ok { 38838 return &eval.ErrValueTypeMismatch{Field: 
"Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.CTime"} 38839 } 38840 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.CTime = uint64(rv) 38841 return nil 38842 case "signal.target.ancestors.file.filesystem": 38843 if ev.Signal.Target == nil { 38844 ev.Signal.Target = &ProcessContext{} 38845 } 38846 if ev.Signal.Target.Ancestor == nil { 38847 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38848 } 38849 rv, ok := value.(string) 38850 if !ok { 38851 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.Filesystem"} 38852 } 38853 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.Filesystem = rv 38854 return nil 38855 case "signal.target.ancestors.file.gid": 38856 if ev.Signal.Target == nil { 38857 ev.Signal.Target = &ProcessContext{} 38858 } 38859 if ev.Signal.Target.Ancestor == nil { 38860 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38861 } 38862 rv, ok := value.(int) 38863 if !ok { 38864 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.GID"} 38865 } 38866 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.GID = uint32(rv) 38867 return nil 38868 case "signal.target.ancestors.file.group": 38869 if ev.Signal.Target == nil { 38870 ev.Signal.Target = &ProcessContext{} 38871 } 38872 if ev.Signal.Target.Ancestor == nil { 38873 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38874 } 38875 rv, ok := value.(string) 38876 if !ok { 38877 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.Group"} 38878 } 38879 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.Group = rv 38880 return nil 38881 case "signal.target.ancestors.file.hashes": 38882 if ev.Signal.Target == nil { 38883 ev.Signal.Target = &ProcessContext{} 38884 } 38885 if ev.Signal.Target.Ancestor == nil { 38886 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38887 } 
38888 switch rv := value.(type) { 38889 case string: 38890 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.Hashes = append(ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.Hashes, rv) 38891 case []string: 38892 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.Hashes = append(ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.Hashes, rv...) 38893 default: 38894 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.Hashes"} 38895 } 38896 return nil 38897 case "signal.target.ancestors.file.in_upper_layer": 38898 if ev.Signal.Target == nil { 38899 ev.Signal.Target = &ProcessContext{} 38900 } 38901 if ev.Signal.Target.Ancestor == nil { 38902 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38903 } 38904 rv, ok := value.(bool) 38905 if !ok { 38906 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.InUpperLayer"} 38907 } 38908 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.InUpperLayer = rv 38909 return nil 38910 case "signal.target.ancestors.file.inode": 38911 if ev.Signal.Target == nil { 38912 ev.Signal.Target = &ProcessContext{} 38913 } 38914 if ev.Signal.Target.Ancestor == nil { 38915 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38916 } 38917 rv, ok := value.(int) 38918 if !ok { 38919 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode"} 38920 } 38921 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.PathKey.Inode = uint64(rv) 38922 return nil 38923 case "signal.target.ancestors.file.mode": 38924 if ev.Signal.Target == nil { 38925 ev.Signal.Target = &ProcessContext{} 38926 } 38927 if ev.Signal.Target.Ancestor == nil { 38928 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38929 } 38930 rv, ok := value.(int) 38931 if !ok { 38932 return &eval.ErrValueTypeMismatch{Field: 
"Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.Mode"} 38933 } 38934 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.Mode = uint16(rv) 38935 return nil 38936 case "signal.target.ancestors.file.modification_time": 38937 if ev.Signal.Target == nil { 38938 ev.Signal.Target = &ProcessContext{} 38939 } 38940 if ev.Signal.Target.Ancestor == nil { 38941 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38942 } 38943 rv, ok := value.(int) 38944 if !ok { 38945 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.MTime"} 38946 } 38947 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.MTime = uint64(rv) 38948 return nil 38949 case "signal.target.ancestors.file.mount_id": 38950 if ev.Signal.Target == nil { 38951 ev.Signal.Target = &ProcessContext{} 38952 } 38953 if ev.Signal.Target.Ancestor == nil { 38954 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38955 } 38956 rv, ok := value.(int) 38957 if !ok { 38958 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID"} 38959 } 38960 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.PathKey.MountID = uint32(rv) 38961 return nil 38962 case "signal.target.ancestors.file.name": 38963 if ev.Signal.Target == nil { 38964 ev.Signal.Target = &ProcessContext{} 38965 } 38966 if ev.Signal.Target.Ancestor == nil { 38967 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38968 } 38969 rv, ok := value.(string) 38970 if !ok { 38971 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.BasenameStr"} 38972 } 38973 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.BasenameStr = rv 38974 return nil 38975 case "signal.target.ancestors.file.name.length": 38976 if ev.Signal.Target == nil { 38977 ev.Signal.Target = &ProcessContext{} 38978 } 38979 if ev.Signal.Target.Ancestor == nil { 38980 
ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38981 } 38982 return &eval.ErrFieldReadOnly{Field: "signal.target.ancestors.file.name.length"} 38983 case "signal.target.ancestors.file.package.name": 38984 if ev.Signal.Target == nil { 38985 ev.Signal.Target = &ProcessContext{} 38986 } 38987 if ev.Signal.Target.Ancestor == nil { 38988 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 38989 } 38990 rv, ok := value.(string) 38991 if !ok { 38992 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.PkgName"} 38993 } 38994 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.PkgName = rv 38995 return nil 38996 case "signal.target.ancestors.file.package.source_version": 38997 if ev.Signal.Target == nil { 38998 ev.Signal.Target = &ProcessContext{} 38999 } 39000 if ev.Signal.Target.Ancestor == nil { 39001 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39002 } 39003 rv, ok := value.(string) 39004 if !ok { 39005 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.PkgSrcVersion"} 39006 } 39007 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.PkgSrcVersion = rv 39008 return nil 39009 case "signal.target.ancestors.file.package.version": 39010 if ev.Signal.Target == nil { 39011 ev.Signal.Target = &ProcessContext{} 39012 } 39013 if ev.Signal.Target.Ancestor == nil { 39014 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39015 } 39016 rv, ok := value.(string) 39017 if !ok { 39018 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.PkgVersion"} 39019 } 39020 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.PkgVersion = rv 39021 return nil 39022 case "signal.target.ancestors.file.path": 39023 if ev.Signal.Target == nil { 39024 ev.Signal.Target = &ProcessContext{} 39025 } 39026 if ev.Signal.Target.Ancestor == nil { 39027 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39028 } 39029 rv, ok := value.(string) 39030 if !ok { 
39031 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.PathnameStr"} 39032 } 39033 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.PathnameStr = rv 39034 return nil 39035 case "signal.target.ancestors.file.path.length": 39036 if ev.Signal.Target == nil { 39037 ev.Signal.Target = &ProcessContext{} 39038 } 39039 if ev.Signal.Target.Ancestor == nil { 39040 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39041 } 39042 return &eval.ErrFieldReadOnly{Field: "signal.target.ancestors.file.path.length"} 39043 case "signal.target.ancestors.file.rights": 39044 if ev.Signal.Target == nil { 39045 ev.Signal.Target = &ProcessContext{} 39046 } 39047 if ev.Signal.Target.Ancestor == nil { 39048 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39049 } 39050 rv, ok := value.(int) 39051 if !ok { 39052 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.Mode"} 39053 } 39054 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.Mode = uint16(rv) 39055 return nil 39056 case "signal.target.ancestors.file.uid": 39057 if ev.Signal.Target == nil { 39058 ev.Signal.Target = &ProcessContext{} 39059 } 39060 if ev.Signal.Target.Ancestor == nil { 39061 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39062 } 39063 rv, ok := value.(int) 39064 if !ok { 39065 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.UID"} 39066 } 39067 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.UID = uint32(rv) 39068 return nil 39069 case "signal.target.ancestors.file.user": 39070 if ev.Signal.Target == nil { 39071 ev.Signal.Target = &ProcessContext{} 39072 } 39073 if ev.Signal.Target.Ancestor == nil { 39074 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39075 } 39076 rv, ok := value.(string) 39077 if !ok { 39078 return &eval.ErrValueTypeMismatch{Field: 
"Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.User"} 39079 } 39080 ev.Signal.Target.Ancestor.ProcessContext.Process.FileEvent.FileFields.User = rv 39081 return nil 39082 case "signal.target.ancestors.fsgid": 39083 if ev.Signal.Target == nil { 39084 ev.Signal.Target = &ProcessContext{} 39085 } 39086 if ev.Signal.Target.Ancestor == nil { 39087 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39088 } 39089 rv, ok := value.(int) 39090 if !ok { 39091 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Credentials.FSGID"} 39092 } 39093 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.FSGID = uint32(rv) 39094 return nil 39095 case "signal.target.ancestors.fsgroup": 39096 if ev.Signal.Target == nil { 39097 ev.Signal.Target = &ProcessContext{} 39098 } 39099 if ev.Signal.Target.Ancestor == nil { 39100 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39101 } 39102 rv, ok := value.(string) 39103 if !ok { 39104 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Credentials.FSGroup"} 39105 } 39106 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.FSGroup = rv 39107 return nil 39108 case "signal.target.ancestors.fsuid": 39109 if ev.Signal.Target == nil { 39110 ev.Signal.Target = &ProcessContext{} 39111 } 39112 if ev.Signal.Target.Ancestor == nil { 39113 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39114 } 39115 rv, ok := value.(int) 39116 if !ok { 39117 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Credentials.FSUID"} 39118 } 39119 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.FSUID = uint32(rv) 39120 return nil 39121 case "signal.target.ancestors.fsuser": 39122 if ev.Signal.Target == nil { 39123 ev.Signal.Target = &ProcessContext{} 39124 } 39125 if ev.Signal.Target.Ancestor == nil { 39126 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39127 } 39128 rv, ok := value.(string) 39129 if !ok { 39130 return 
&eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Credentials.FSUser"} 39131 } 39132 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.FSUser = rv 39133 return nil 39134 case "signal.target.ancestors.gid": 39135 if ev.Signal.Target == nil { 39136 ev.Signal.Target = &ProcessContext{} 39137 } 39138 if ev.Signal.Target.Ancestor == nil { 39139 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39140 } 39141 rv, ok := value.(int) 39142 if !ok { 39143 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Credentials.GID"} 39144 } 39145 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.GID = uint32(rv) 39146 return nil 39147 case "signal.target.ancestors.group": 39148 if ev.Signal.Target == nil { 39149 ev.Signal.Target = &ProcessContext{} 39150 } 39151 if ev.Signal.Target.Ancestor == nil { 39152 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39153 } 39154 rv, ok := value.(string) 39155 if !ok { 39156 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Credentials.Group"} 39157 } 39158 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.Group = rv 39159 return nil 39160 case "signal.target.ancestors.interpreter.file.change_time": 39161 if ev.Signal.Target == nil { 39162 ev.Signal.Target = &ProcessContext{} 39163 } 39164 if ev.Signal.Target.Ancestor == nil { 39165 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39166 } 39167 rv, ok := value.(int) 39168 if !ok { 39169 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime"} 39170 } 39171 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.CTime = uint64(rv) 39172 return nil 39173 case "signal.target.ancestors.interpreter.file.filesystem": 39174 if ev.Signal.Target == nil { 39175 ev.Signal.Target = &ProcessContext{} 39176 } 39177 if ev.Signal.Target.Ancestor == nil { 39178 
ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39179 } 39180 rv, ok := value.(string) 39181 if !ok { 39182 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Filesystem"} 39183 } 39184 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Filesystem = rv 39185 return nil 39186 case "signal.target.ancestors.interpreter.file.gid": 39187 if ev.Signal.Target == nil { 39188 ev.Signal.Target = &ProcessContext{} 39189 } 39190 if ev.Signal.Target.Ancestor == nil { 39191 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39192 } 39193 rv, ok := value.(int) 39194 if !ok { 39195 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID"} 39196 } 39197 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.GID = uint32(rv) 39198 return nil 39199 case "signal.target.ancestors.interpreter.file.group": 39200 if ev.Signal.Target == nil { 39201 ev.Signal.Target = &ProcessContext{} 39202 } 39203 if ev.Signal.Target.Ancestor == nil { 39204 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39205 } 39206 rv, ok := value.(string) 39207 if !ok { 39208 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Group"} 39209 } 39210 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Group = rv 39211 return nil 39212 case "signal.target.ancestors.interpreter.file.hashes": 39213 if ev.Signal.Target == nil { 39214 ev.Signal.Target = &ProcessContext{} 39215 } 39216 if ev.Signal.Target.Ancestor == nil { 39217 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39218 } 39219 switch rv := value.(type) { 39220 case string: 39221 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes = append(ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes, rv) 39222 case []string: 39223 
ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes = append(ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes, rv...) 39224 default: 39225 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.Hashes"} 39226 } 39227 return nil 39228 case "signal.target.ancestors.interpreter.file.in_upper_layer": 39229 if ev.Signal.Target == nil { 39230 ev.Signal.Target = &ProcessContext{} 39231 } 39232 if ev.Signal.Target.Ancestor == nil { 39233 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39234 } 39235 rv, ok := value.(bool) 39236 if !ok { 39237 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer"} 39238 } 39239 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer = rv 39240 return nil 39241 case "signal.target.ancestors.interpreter.file.inode": 39242 if ev.Signal.Target == nil { 39243 ev.Signal.Target = &ProcessContext{} 39244 } 39245 if ev.Signal.Target.Ancestor == nil { 39246 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39247 } 39248 rv, ok := value.(int) 39249 if !ok { 39250 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode"} 39251 } 39252 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode = uint64(rv) 39253 return nil 39254 case "signal.target.ancestors.interpreter.file.mode": 39255 if ev.Signal.Target == nil { 39256 ev.Signal.Target = &ProcessContext{} 39257 } 39258 if ev.Signal.Target.Ancestor == nil { 39259 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39260 } 39261 rv, ok := value.(int) 39262 if !ok { 39263 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 39264 } 39265 
ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 39266 return nil 39267 case "signal.target.ancestors.interpreter.file.modification_time": 39268 if ev.Signal.Target == nil { 39269 ev.Signal.Target = &ProcessContext{} 39270 } 39271 if ev.Signal.Target.Ancestor == nil { 39272 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39273 } 39274 rv, ok := value.(int) 39275 if !ok { 39276 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime"} 39277 } 39278 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.MTime = uint64(rv) 39279 return nil 39280 case "signal.target.ancestors.interpreter.file.mount_id": 39281 if ev.Signal.Target == nil { 39282 ev.Signal.Target = &ProcessContext{} 39283 } 39284 if ev.Signal.Target.Ancestor == nil { 39285 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39286 } 39287 rv, ok := value.(int) 39288 if !ok { 39289 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID"} 39290 } 39291 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID = uint32(rv) 39292 return nil 39293 case "signal.target.ancestors.interpreter.file.name": 39294 if ev.Signal.Target == nil { 39295 ev.Signal.Target = &ProcessContext{} 39296 } 39297 if ev.Signal.Target.Ancestor == nil { 39298 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39299 } 39300 rv, ok := value.(string) 39301 if !ok { 39302 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.BasenameStr"} 39303 } 39304 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.BasenameStr = rv 39305 return nil 39306 case "signal.target.ancestors.interpreter.file.name.length": 39307 if ev.Signal.Target == nil { 39308 ev.Signal.Target = &ProcessContext{} 39309 } 39310 if 
ev.Signal.Target.Ancestor == nil { 39311 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39312 } 39313 return &eval.ErrFieldReadOnly{Field: "signal.target.ancestors.interpreter.file.name.length"} 39314 case "signal.target.ancestors.interpreter.file.package.name": 39315 if ev.Signal.Target == nil { 39316 ev.Signal.Target = &ProcessContext{} 39317 } 39318 if ev.Signal.Target.Ancestor == nil { 39319 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39320 } 39321 rv, ok := value.(string) 39322 if !ok { 39323 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgName"} 39324 } 39325 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgName = rv 39326 return nil 39327 case "signal.target.ancestors.interpreter.file.package.source_version": 39328 if ev.Signal.Target == nil { 39329 ev.Signal.Target = &ProcessContext{} 39330 } 39331 if ev.Signal.Target.Ancestor == nil { 39332 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39333 } 39334 rv, ok := value.(string) 39335 if !ok { 39336 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgSrcVersion"} 39337 } 39338 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgSrcVersion = rv 39339 return nil 39340 case "signal.target.ancestors.interpreter.file.package.version": 39341 if ev.Signal.Target == nil { 39342 ev.Signal.Target = &ProcessContext{} 39343 } 39344 if ev.Signal.Target.Ancestor == nil { 39345 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39346 } 39347 rv, ok := value.(string) 39348 if !ok { 39349 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgVersion"} 39350 } 39351 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PkgVersion = rv 39352 return nil 39353 case "signal.target.ancestors.interpreter.file.path": 39354 if ev.Signal.Target == nil { 39355 ev.Signal.Target = 
&ProcessContext{} 39356 } 39357 if ev.Signal.Target.Ancestor == nil { 39358 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39359 } 39360 rv, ok := value.(string) 39361 if !ok { 39362 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PathnameStr"} 39363 } 39364 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.PathnameStr = rv 39365 return nil 39366 case "signal.target.ancestors.interpreter.file.path.length": 39367 if ev.Signal.Target == nil { 39368 ev.Signal.Target = &ProcessContext{} 39369 } 39370 if ev.Signal.Target.Ancestor == nil { 39371 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39372 } 39373 return &eval.ErrFieldReadOnly{Field: "signal.target.ancestors.interpreter.file.path.length"} 39374 case "signal.target.ancestors.interpreter.file.rights": 39375 if ev.Signal.Target == nil { 39376 ev.Signal.Target = &ProcessContext{} 39377 } 39378 if ev.Signal.Target.Ancestor == nil { 39379 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39380 } 39381 rv, ok := value.(int) 39382 if !ok { 39383 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 39384 } 39385 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 39386 return nil 39387 case "signal.target.ancestors.interpreter.file.uid": 39388 if ev.Signal.Target == nil { 39389 ev.Signal.Target = &ProcessContext{} 39390 } 39391 if ev.Signal.Target.Ancestor == nil { 39392 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39393 } 39394 rv, ok := value.(int) 39395 if !ok { 39396 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID"} 39397 } 39398 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.UID = uint32(rv) 39399 return nil 39400 case "signal.target.ancestors.interpreter.file.user": 39401 if ev.Signal.Target == 
nil { 39402 ev.Signal.Target = &ProcessContext{} 39403 } 39404 if ev.Signal.Target.Ancestor == nil { 39405 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39406 } 39407 rv, ok := value.(string) 39408 if !ok { 39409 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.User"} 39410 } 39411 ev.Signal.Target.Ancestor.ProcessContext.Process.LinuxBinprm.FileEvent.FileFields.User = rv 39412 return nil 39413 case "signal.target.ancestors.is_kworker": 39414 if ev.Signal.Target == nil { 39415 ev.Signal.Target = &ProcessContext{} 39416 } 39417 if ev.Signal.Target.Ancestor == nil { 39418 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39419 } 39420 rv, ok := value.(bool) 39421 if !ok { 39422 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.PIDContext.IsKworker"} 39423 } 39424 ev.Signal.Target.Ancestor.ProcessContext.Process.PIDContext.IsKworker = rv 39425 return nil 39426 case "signal.target.ancestors.is_thread": 39427 if ev.Signal.Target == nil { 39428 ev.Signal.Target = &ProcessContext{} 39429 } 39430 if ev.Signal.Target.Ancestor == nil { 39431 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39432 } 39433 rv, ok := value.(bool) 39434 if !ok { 39435 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.IsThread"} 39436 } 39437 ev.Signal.Target.Ancestor.ProcessContext.Process.IsThread = rv 39438 return nil 39439 case "signal.target.ancestors.pid": 39440 if ev.Signal.Target == nil { 39441 ev.Signal.Target = &ProcessContext{} 39442 } 39443 if ev.Signal.Target.Ancestor == nil { 39444 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39445 } 39446 rv, ok := value.(int) 39447 if !ok { 39448 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.PIDContext.Pid"} 39449 } 39450 ev.Signal.Target.Ancestor.ProcessContext.Process.PIDContext.Pid = uint32(rv) 39451 return nil 39452 case "signal.target.ancestors.ppid": 
39453 if ev.Signal.Target == nil { 39454 ev.Signal.Target = &ProcessContext{} 39455 } 39456 if ev.Signal.Target.Ancestor == nil { 39457 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39458 } 39459 rv, ok := value.(int) 39460 if !ok { 39461 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.PPid"} 39462 } 39463 ev.Signal.Target.Ancestor.ProcessContext.Process.PPid = uint32(rv) 39464 return nil 39465 case "signal.target.ancestors.tid": 39466 if ev.Signal.Target == nil { 39467 ev.Signal.Target = &ProcessContext{} 39468 } 39469 if ev.Signal.Target.Ancestor == nil { 39470 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39471 } 39472 rv, ok := value.(int) 39473 if !ok { 39474 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.PIDContext.Tid"} 39475 } 39476 ev.Signal.Target.Ancestor.ProcessContext.Process.PIDContext.Tid = uint32(rv) 39477 return nil 39478 case "signal.target.ancestors.tty_name": 39479 if ev.Signal.Target == nil { 39480 ev.Signal.Target = &ProcessContext{} 39481 } 39482 if ev.Signal.Target.Ancestor == nil { 39483 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39484 } 39485 rv, ok := value.(string) 39486 if !ok { 39487 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.TTYName"} 39488 } 39489 ev.Signal.Target.Ancestor.ProcessContext.Process.TTYName = rv 39490 return nil 39491 case "signal.target.ancestors.uid": 39492 if ev.Signal.Target == nil { 39493 ev.Signal.Target = &ProcessContext{} 39494 } 39495 if ev.Signal.Target.Ancestor == nil { 39496 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39497 } 39498 rv, ok := value.(int) 39499 if !ok { 39500 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Credentials.UID"} 39501 } 39502 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.UID = uint32(rv) 39503 return nil 39504 case "signal.target.ancestors.user": 39505 if ev.Signal.Target == nil { 39506 
ev.Signal.Target = &ProcessContext{} 39507 } 39508 if ev.Signal.Target.Ancestor == nil { 39509 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39510 } 39511 rv, ok := value.(string) 39512 if !ok { 39513 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.Credentials.User"} 39514 } 39515 ev.Signal.Target.Ancestor.ProcessContext.Process.Credentials.User = rv 39516 return nil 39517 case "signal.target.ancestors.user_session.k8s_groups": 39518 if ev.Signal.Target == nil { 39519 ev.Signal.Target = &ProcessContext{} 39520 } 39521 if ev.Signal.Target.Ancestor == nil { 39522 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39523 } 39524 switch rv := value.(type) { 39525 case string: 39526 ev.Signal.Target.Ancestor.ProcessContext.Process.UserSession.K8SGroups = append(ev.Signal.Target.Ancestor.ProcessContext.Process.UserSession.K8SGroups, rv) 39527 case []string: 39528 ev.Signal.Target.Ancestor.ProcessContext.Process.UserSession.K8SGroups = append(ev.Signal.Target.Ancestor.ProcessContext.Process.UserSession.K8SGroups, rv...) 
39529 default: 39530 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.UserSession.K8SGroups"} 39531 } 39532 return nil 39533 case "signal.target.ancestors.user_session.k8s_uid": 39534 if ev.Signal.Target == nil { 39535 ev.Signal.Target = &ProcessContext{} 39536 } 39537 if ev.Signal.Target.Ancestor == nil { 39538 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39539 } 39540 rv, ok := value.(string) 39541 if !ok { 39542 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.UserSession.K8SUID"} 39543 } 39544 ev.Signal.Target.Ancestor.ProcessContext.Process.UserSession.K8SUID = rv 39545 return nil 39546 case "signal.target.ancestors.user_session.k8s_username": 39547 if ev.Signal.Target == nil { 39548 ev.Signal.Target = &ProcessContext{} 39549 } 39550 if ev.Signal.Target.Ancestor == nil { 39551 ev.Signal.Target.Ancestor = &ProcessCacheEntry{} 39552 } 39553 rv, ok := value.(string) 39554 if !ok { 39555 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Ancestor.ProcessContext.Process.UserSession.K8SUsername"} 39556 } 39557 ev.Signal.Target.Ancestor.ProcessContext.Process.UserSession.K8SUsername = rv 39558 return nil 39559 case "signal.target.args": 39560 if ev.Signal.Target == nil { 39561 ev.Signal.Target = &ProcessContext{} 39562 } 39563 rv, ok := value.(string) 39564 if !ok { 39565 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Args"} 39566 } 39567 ev.Signal.Target.Process.Args = rv 39568 return nil 39569 case "signal.target.args_flags": 39570 if ev.Signal.Target == nil { 39571 ev.Signal.Target = &ProcessContext{} 39572 } 39573 switch rv := value.(type) { 39574 case string: 39575 ev.Signal.Target.Process.Argv = append(ev.Signal.Target.Process.Argv, rv) 39576 case []string: 39577 ev.Signal.Target.Process.Argv = append(ev.Signal.Target.Process.Argv, rv...) 
39578 default: 39579 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Argv"} 39580 } 39581 return nil 39582 case "signal.target.args_options": 39583 if ev.Signal.Target == nil { 39584 ev.Signal.Target = &ProcessContext{} 39585 } 39586 switch rv := value.(type) { 39587 case string: 39588 ev.Signal.Target.Process.Argv = append(ev.Signal.Target.Process.Argv, rv) 39589 case []string: 39590 ev.Signal.Target.Process.Argv = append(ev.Signal.Target.Process.Argv, rv...) 39591 default: 39592 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Argv"} 39593 } 39594 return nil 39595 case "signal.target.args_truncated": 39596 if ev.Signal.Target == nil { 39597 ev.Signal.Target = &ProcessContext{} 39598 } 39599 rv, ok := value.(bool) 39600 if !ok { 39601 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.ArgsTruncated"} 39602 } 39603 ev.Signal.Target.Process.ArgsTruncated = rv 39604 return nil 39605 case "signal.target.argv": 39606 if ev.Signal.Target == nil { 39607 ev.Signal.Target = &ProcessContext{} 39608 } 39609 switch rv := value.(type) { 39610 case string: 39611 ev.Signal.Target.Process.Argv = append(ev.Signal.Target.Process.Argv, rv) 39612 case []string: 39613 ev.Signal.Target.Process.Argv = append(ev.Signal.Target.Process.Argv, rv...) 
39614 default: 39615 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Argv"} 39616 } 39617 return nil 39618 case "signal.target.argv0": 39619 if ev.Signal.Target == nil { 39620 ev.Signal.Target = &ProcessContext{} 39621 } 39622 rv, ok := value.(string) 39623 if !ok { 39624 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Argv0"} 39625 } 39626 ev.Signal.Target.Process.Argv0 = rv 39627 return nil 39628 case "signal.target.cap_effective": 39629 if ev.Signal.Target == nil { 39630 ev.Signal.Target = &ProcessContext{} 39631 } 39632 rv, ok := value.(int) 39633 if !ok { 39634 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.CapEffective"} 39635 } 39636 ev.Signal.Target.Process.Credentials.CapEffective = uint64(rv) 39637 return nil 39638 case "signal.target.cap_permitted": 39639 if ev.Signal.Target == nil { 39640 ev.Signal.Target = &ProcessContext{} 39641 } 39642 rv, ok := value.(int) 39643 if !ok { 39644 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.CapPermitted"} 39645 } 39646 ev.Signal.Target.Process.Credentials.CapPermitted = uint64(rv) 39647 return nil 39648 case "signal.target.comm": 39649 if ev.Signal.Target == nil { 39650 ev.Signal.Target = &ProcessContext{} 39651 } 39652 rv, ok := value.(string) 39653 if !ok { 39654 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Comm"} 39655 } 39656 ev.Signal.Target.Process.Comm = rv 39657 return nil 39658 case "signal.target.container.id": 39659 if ev.Signal.Target == nil { 39660 ev.Signal.Target = &ProcessContext{} 39661 } 39662 rv, ok := value.(string) 39663 if !ok { 39664 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.ContainerID"} 39665 } 39666 ev.Signal.Target.Process.ContainerID = rv 39667 return nil 39668 case "signal.target.created_at": 39669 if ev.Signal.Target == nil { 39670 ev.Signal.Target = &ProcessContext{} 39671 } 39672 rv, ok := value.(int) 39673 if !ok { 39674 return 
&eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.CreatedAt"} 39675 } 39676 ev.Signal.Target.Process.CreatedAt = uint64(rv) 39677 return nil 39678 case "signal.target.egid": 39679 if ev.Signal.Target == nil { 39680 ev.Signal.Target = &ProcessContext{} 39681 } 39682 rv, ok := value.(int) 39683 if !ok { 39684 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.EGID"} 39685 } 39686 ev.Signal.Target.Process.Credentials.EGID = uint32(rv) 39687 return nil 39688 case "signal.target.egroup": 39689 if ev.Signal.Target == nil { 39690 ev.Signal.Target = &ProcessContext{} 39691 } 39692 rv, ok := value.(string) 39693 if !ok { 39694 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.EGroup"} 39695 } 39696 ev.Signal.Target.Process.Credentials.EGroup = rv 39697 return nil 39698 case "signal.target.envp": 39699 if ev.Signal.Target == nil { 39700 ev.Signal.Target = &ProcessContext{} 39701 } 39702 switch rv := value.(type) { 39703 case string: 39704 ev.Signal.Target.Process.Envp = append(ev.Signal.Target.Process.Envp, rv) 39705 case []string: 39706 ev.Signal.Target.Process.Envp = append(ev.Signal.Target.Process.Envp, rv...) 39707 default: 39708 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Envp"} 39709 } 39710 return nil 39711 case "signal.target.envs": 39712 if ev.Signal.Target == nil { 39713 ev.Signal.Target = &ProcessContext{} 39714 } 39715 switch rv := value.(type) { 39716 case string: 39717 ev.Signal.Target.Process.Envs = append(ev.Signal.Target.Process.Envs, rv) 39718 case []string: 39719 ev.Signal.Target.Process.Envs = append(ev.Signal.Target.Process.Envs, rv...) 
39720 default: 39721 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Envs"} 39722 } 39723 return nil 39724 case "signal.target.envs_truncated": 39725 if ev.Signal.Target == nil { 39726 ev.Signal.Target = &ProcessContext{} 39727 } 39728 rv, ok := value.(bool) 39729 if !ok { 39730 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.EnvsTruncated"} 39731 } 39732 ev.Signal.Target.Process.EnvsTruncated = rv 39733 return nil 39734 case "signal.target.euid": 39735 if ev.Signal.Target == nil { 39736 ev.Signal.Target = &ProcessContext{} 39737 } 39738 rv, ok := value.(int) 39739 if !ok { 39740 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.EUID"} 39741 } 39742 ev.Signal.Target.Process.Credentials.EUID = uint32(rv) 39743 return nil 39744 case "signal.target.euser": 39745 if ev.Signal.Target == nil { 39746 ev.Signal.Target = &ProcessContext{} 39747 } 39748 rv, ok := value.(string) 39749 if !ok { 39750 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.EUser"} 39751 } 39752 ev.Signal.Target.Process.Credentials.EUser = rv 39753 return nil 39754 case "signal.target.file.change_time": 39755 if ev.Signal.Target == nil { 39756 ev.Signal.Target = &ProcessContext{} 39757 } 39758 rv, ok := value.(int) 39759 if !ok { 39760 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.FileFields.CTime"} 39761 } 39762 ev.Signal.Target.Process.FileEvent.FileFields.CTime = uint64(rv) 39763 return nil 39764 case "signal.target.file.filesystem": 39765 if ev.Signal.Target == nil { 39766 ev.Signal.Target = &ProcessContext{} 39767 } 39768 rv, ok := value.(string) 39769 if !ok { 39770 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.Filesystem"} 39771 } 39772 ev.Signal.Target.Process.FileEvent.Filesystem = rv 39773 return nil 39774 case "signal.target.file.gid": 39775 if ev.Signal.Target == nil { 39776 ev.Signal.Target = &ProcessContext{} 39777 } 39778 rv, ok := value.(int) 39779 
if !ok { 39780 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.FileFields.GID"} 39781 } 39782 ev.Signal.Target.Process.FileEvent.FileFields.GID = uint32(rv) 39783 return nil 39784 case "signal.target.file.group": 39785 if ev.Signal.Target == nil { 39786 ev.Signal.Target = &ProcessContext{} 39787 } 39788 rv, ok := value.(string) 39789 if !ok { 39790 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.FileFields.Group"} 39791 } 39792 ev.Signal.Target.Process.FileEvent.FileFields.Group = rv 39793 return nil 39794 case "signal.target.file.hashes": 39795 if ev.Signal.Target == nil { 39796 ev.Signal.Target = &ProcessContext{} 39797 } 39798 switch rv := value.(type) { 39799 case string: 39800 ev.Signal.Target.Process.FileEvent.Hashes = append(ev.Signal.Target.Process.FileEvent.Hashes, rv) 39801 case []string: 39802 ev.Signal.Target.Process.FileEvent.Hashes = append(ev.Signal.Target.Process.FileEvent.Hashes, rv...) 39803 default: 39804 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.Hashes"} 39805 } 39806 return nil 39807 case "signal.target.file.in_upper_layer": 39808 if ev.Signal.Target == nil { 39809 ev.Signal.Target = &ProcessContext{} 39810 } 39811 rv, ok := value.(bool) 39812 if !ok { 39813 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.FileFields.InUpperLayer"} 39814 } 39815 ev.Signal.Target.Process.FileEvent.FileFields.InUpperLayer = rv 39816 return nil 39817 case "signal.target.file.inode": 39818 if ev.Signal.Target == nil { 39819 ev.Signal.Target = &ProcessContext{} 39820 } 39821 rv, ok := value.(int) 39822 if !ok { 39823 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.FileFields.PathKey.Inode"} 39824 } 39825 ev.Signal.Target.Process.FileEvent.FileFields.PathKey.Inode = uint64(rv) 39826 return nil 39827 case "signal.target.file.mode": 39828 if ev.Signal.Target == nil { 39829 ev.Signal.Target = &ProcessContext{} 39830 } 39831 rv, ok := 
value.(int) 39832 if !ok { 39833 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.FileFields.Mode"} 39834 } 39835 ev.Signal.Target.Process.FileEvent.FileFields.Mode = uint16(rv) 39836 return nil 39837 case "signal.target.file.modification_time": 39838 if ev.Signal.Target == nil { 39839 ev.Signal.Target = &ProcessContext{} 39840 } 39841 rv, ok := value.(int) 39842 if !ok { 39843 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.FileFields.MTime"} 39844 } 39845 ev.Signal.Target.Process.FileEvent.FileFields.MTime = uint64(rv) 39846 return nil 39847 case "signal.target.file.mount_id": 39848 if ev.Signal.Target == nil { 39849 ev.Signal.Target = &ProcessContext{} 39850 } 39851 rv, ok := value.(int) 39852 if !ok { 39853 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.FileFields.PathKey.MountID"} 39854 } 39855 ev.Signal.Target.Process.FileEvent.FileFields.PathKey.MountID = uint32(rv) 39856 return nil 39857 case "signal.target.file.name": 39858 if ev.Signal.Target == nil { 39859 ev.Signal.Target = &ProcessContext{} 39860 } 39861 rv, ok := value.(string) 39862 if !ok { 39863 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.BasenameStr"} 39864 } 39865 ev.Signal.Target.Process.FileEvent.BasenameStr = rv 39866 return nil 39867 case "signal.target.file.name.length": 39868 if ev.Signal.Target == nil { 39869 ev.Signal.Target = &ProcessContext{} 39870 } 39871 return &eval.ErrFieldReadOnly{Field: "signal.target.file.name.length"} 39872 case "signal.target.file.package.name": 39873 if ev.Signal.Target == nil { 39874 ev.Signal.Target = &ProcessContext{} 39875 } 39876 rv, ok := value.(string) 39877 if !ok { 39878 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.PkgName"} 39879 } 39880 ev.Signal.Target.Process.FileEvent.PkgName = rv 39881 return nil 39882 case "signal.target.file.package.source_version": 39883 if ev.Signal.Target == nil { 39884 ev.Signal.Target = 
&ProcessContext{} 39885 } 39886 rv, ok := value.(string) 39887 if !ok { 39888 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.PkgSrcVersion"} 39889 } 39890 ev.Signal.Target.Process.FileEvent.PkgSrcVersion = rv 39891 return nil 39892 case "signal.target.file.package.version": 39893 if ev.Signal.Target == nil { 39894 ev.Signal.Target = &ProcessContext{} 39895 } 39896 rv, ok := value.(string) 39897 if !ok { 39898 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.PkgVersion"} 39899 } 39900 ev.Signal.Target.Process.FileEvent.PkgVersion = rv 39901 return nil 39902 case "signal.target.file.path": 39903 if ev.Signal.Target == nil { 39904 ev.Signal.Target = &ProcessContext{} 39905 } 39906 rv, ok := value.(string) 39907 if !ok { 39908 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.PathnameStr"} 39909 } 39910 ev.Signal.Target.Process.FileEvent.PathnameStr = rv 39911 return nil 39912 case "signal.target.file.path.length": 39913 if ev.Signal.Target == nil { 39914 ev.Signal.Target = &ProcessContext{} 39915 } 39916 return &eval.ErrFieldReadOnly{Field: "signal.target.file.path.length"} 39917 case "signal.target.file.rights": 39918 if ev.Signal.Target == nil { 39919 ev.Signal.Target = &ProcessContext{} 39920 } 39921 rv, ok := value.(int) 39922 if !ok { 39923 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.FileFields.Mode"} 39924 } 39925 ev.Signal.Target.Process.FileEvent.FileFields.Mode = uint16(rv) 39926 return nil 39927 case "signal.target.file.uid": 39928 if ev.Signal.Target == nil { 39929 ev.Signal.Target = &ProcessContext{} 39930 } 39931 rv, ok := value.(int) 39932 if !ok { 39933 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.FileFields.UID"} 39934 } 39935 ev.Signal.Target.Process.FileEvent.FileFields.UID = uint32(rv) 39936 return nil 39937 case "signal.target.file.user": 39938 if ev.Signal.Target == nil { 39939 ev.Signal.Target = &ProcessContext{} 
39940 } 39941 rv, ok := value.(string) 39942 if !ok { 39943 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.FileEvent.FileFields.User"} 39944 } 39945 ev.Signal.Target.Process.FileEvent.FileFields.User = rv 39946 return nil 39947 case "signal.target.fsgid": 39948 if ev.Signal.Target == nil { 39949 ev.Signal.Target = &ProcessContext{} 39950 } 39951 rv, ok := value.(int) 39952 if !ok { 39953 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.FSGID"} 39954 } 39955 ev.Signal.Target.Process.Credentials.FSGID = uint32(rv) 39956 return nil 39957 case "signal.target.fsgroup": 39958 if ev.Signal.Target == nil { 39959 ev.Signal.Target = &ProcessContext{} 39960 } 39961 rv, ok := value.(string) 39962 if !ok { 39963 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.FSGroup"} 39964 } 39965 ev.Signal.Target.Process.Credentials.FSGroup = rv 39966 return nil 39967 case "signal.target.fsuid": 39968 if ev.Signal.Target == nil { 39969 ev.Signal.Target = &ProcessContext{} 39970 } 39971 rv, ok := value.(int) 39972 if !ok { 39973 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.FSUID"} 39974 } 39975 ev.Signal.Target.Process.Credentials.FSUID = uint32(rv) 39976 return nil 39977 case "signal.target.fsuser": 39978 if ev.Signal.Target == nil { 39979 ev.Signal.Target = &ProcessContext{} 39980 } 39981 rv, ok := value.(string) 39982 if !ok { 39983 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.FSUser"} 39984 } 39985 ev.Signal.Target.Process.Credentials.FSUser = rv 39986 return nil 39987 case "signal.target.gid": 39988 if ev.Signal.Target == nil { 39989 ev.Signal.Target = &ProcessContext{} 39990 } 39991 rv, ok := value.(int) 39992 if !ok { 39993 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.GID"} 39994 } 39995 ev.Signal.Target.Process.Credentials.GID = uint32(rv) 39996 return nil 39997 case "signal.target.group": 39998 if ev.Signal.Target == nil 
{ 39999 ev.Signal.Target = &ProcessContext{} 40000 } 40001 rv, ok := value.(string) 40002 if !ok { 40003 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.Group"} 40004 } 40005 ev.Signal.Target.Process.Credentials.Group = rv 40006 return nil 40007 case "signal.target.interpreter.file.change_time": 40008 if ev.Signal.Target == nil { 40009 ev.Signal.Target = &ProcessContext{} 40010 } 40011 rv, ok := value.(int) 40012 if !ok { 40013 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.CTime"} 40014 } 40015 ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.CTime = uint64(rv) 40016 return nil 40017 case "signal.target.interpreter.file.filesystem": 40018 if ev.Signal.Target == nil { 40019 ev.Signal.Target = &ProcessContext{} 40020 } 40021 rv, ok := value.(string) 40022 if !ok { 40023 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.Filesystem"} 40024 } 40025 ev.Signal.Target.Process.LinuxBinprm.FileEvent.Filesystem = rv 40026 return nil 40027 case "signal.target.interpreter.file.gid": 40028 if ev.Signal.Target == nil { 40029 ev.Signal.Target = &ProcessContext{} 40030 } 40031 rv, ok := value.(int) 40032 if !ok { 40033 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.GID"} 40034 } 40035 ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.GID = uint32(rv) 40036 return nil 40037 case "signal.target.interpreter.file.group": 40038 if ev.Signal.Target == nil { 40039 ev.Signal.Target = &ProcessContext{} 40040 } 40041 rv, ok := value.(string) 40042 if !ok { 40043 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.Group"} 40044 } 40045 ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.Group = rv 40046 return nil 40047 case "signal.target.interpreter.file.hashes": 40048 if ev.Signal.Target == nil { 40049 ev.Signal.Target = &ProcessContext{} 40050 } 40051 switch 
rv := value.(type) { 40052 case string: 40053 ev.Signal.Target.Process.LinuxBinprm.FileEvent.Hashes = append(ev.Signal.Target.Process.LinuxBinprm.FileEvent.Hashes, rv) 40054 case []string: 40055 ev.Signal.Target.Process.LinuxBinprm.FileEvent.Hashes = append(ev.Signal.Target.Process.LinuxBinprm.FileEvent.Hashes, rv...) 40056 default: 40057 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.Hashes"} 40058 } 40059 return nil 40060 case "signal.target.interpreter.file.in_upper_layer": 40061 if ev.Signal.Target == nil { 40062 ev.Signal.Target = &ProcessContext{} 40063 } 40064 rv, ok := value.(bool) 40065 if !ok { 40066 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer"} 40067 } 40068 ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.InUpperLayer = rv 40069 return nil 40070 case "signal.target.interpreter.file.inode": 40071 if ev.Signal.Target == nil { 40072 ev.Signal.Target = &ProcessContext{} 40073 } 40074 rv, ok := value.(int) 40075 if !ok { 40076 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode"} 40077 } 40078 ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.PathKey.Inode = uint64(rv) 40079 return nil 40080 case "signal.target.interpreter.file.mode": 40081 if ev.Signal.Target == nil { 40082 ev.Signal.Target = &ProcessContext{} 40083 } 40084 rv, ok := value.(int) 40085 if !ok { 40086 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 40087 } 40088 ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 40089 return nil 40090 case "signal.target.interpreter.file.modification_time": 40091 if ev.Signal.Target == nil { 40092 ev.Signal.Target = &ProcessContext{} 40093 } 40094 rv, ok := value.(int) 40095 if !ok { 40096 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.MTime"} 40097 } 
40098 ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.MTime = uint64(rv) 40099 return nil 40100 case "signal.target.interpreter.file.mount_id": 40101 if ev.Signal.Target == nil { 40102 ev.Signal.Target = &ProcessContext{} 40103 } 40104 rv, ok := value.(int) 40105 if !ok { 40106 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID"} 40107 } 40108 ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.PathKey.MountID = uint32(rv) 40109 return nil 40110 case "signal.target.interpreter.file.name": 40111 if ev.Signal.Target == nil { 40112 ev.Signal.Target = &ProcessContext{} 40113 } 40114 rv, ok := value.(string) 40115 if !ok { 40116 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.BasenameStr"} 40117 } 40118 ev.Signal.Target.Process.LinuxBinprm.FileEvent.BasenameStr = rv 40119 return nil 40120 case "signal.target.interpreter.file.name.length": 40121 if ev.Signal.Target == nil { 40122 ev.Signal.Target = &ProcessContext{} 40123 } 40124 return &eval.ErrFieldReadOnly{Field: "signal.target.interpreter.file.name.length"} 40125 case "signal.target.interpreter.file.package.name": 40126 if ev.Signal.Target == nil { 40127 ev.Signal.Target = &ProcessContext{} 40128 } 40129 rv, ok := value.(string) 40130 if !ok { 40131 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.PkgName"} 40132 } 40133 ev.Signal.Target.Process.LinuxBinprm.FileEvent.PkgName = rv 40134 return nil 40135 case "signal.target.interpreter.file.package.source_version": 40136 if ev.Signal.Target == nil { 40137 ev.Signal.Target = &ProcessContext{} 40138 } 40139 rv, ok := value.(string) 40140 if !ok { 40141 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.PkgSrcVersion"} 40142 } 40143 ev.Signal.Target.Process.LinuxBinprm.FileEvent.PkgSrcVersion = rv 40144 return nil 40145 case "signal.target.interpreter.file.package.version": 40146 if 
ev.Signal.Target == nil { 40147 ev.Signal.Target = &ProcessContext{} 40148 } 40149 rv, ok := value.(string) 40150 if !ok { 40151 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.PkgVersion"} 40152 } 40153 ev.Signal.Target.Process.LinuxBinprm.FileEvent.PkgVersion = rv 40154 return nil 40155 case "signal.target.interpreter.file.path": 40156 if ev.Signal.Target == nil { 40157 ev.Signal.Target = &ProcessContext{} 40158 } 40159 rv, ok := value.(string) 40160 if !ok { 40161 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.PathnameStr"} 40162 } 40163 ev.Signal.Target.Process.LinuxBinprm.FileEvent.PathnameStr = rv 40164 return nil 40165 case "signal.target.interpreter.file.path.length": 40166 if ev.Signal.Target == nil { 40167 ev.Signal.Target = &ProcessContext{} 40168 } 40169 return &eval.ErrFieldReadOnly{Field: "signal.target.interpreter.file.path.length"} 40170 case "signal.target.interpreter.file.rights": 40171 if ev.Signal.Target == nil { 40172 ev.Signal.Target = &ProcessContext{} 40173 } 40174 rv, ok := value.(int) 40175 if !ok { 40176 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.Mode"} 40177 } 40178 ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 40179 return nil 40180 case "signal.target.interpreter.file.uid": 40181 if ev.Signal.Target == nil { 40182 ev.Signal.Target = &ProcessContext{} 40183 } 40184 rv, ok := value.(int) 40185 if !ok { 40186 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.UID"} 40187 } 40188 ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.UID = uint32(rv) 40189 return nil 40190 case "signal.target.interpreter.file.user": 40191 if ev.Signal.Target == nil { 40192 ev.Signal.Target = &ProcessContext{} 40193 } 40194 rv, ok := value.(string) 40195 if !ok { 40196 return &eval.ErrValueTypeMismatch{Field: 
"Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.User"} 40197 } 40198 ev.Signal.Target.Process.LinuxBinprm.FileEvent.FileFields.User = rv 40199 return nil 40200 case "signal.target.is_kworker": 40201 if ev.Signal.Target == nil { 40202 ev.Signal.Target = &ProcessContext{} 40203 } 40204 rv, ok := value.(bool) 40205 if !ok { 40206 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.PIDContext.IsKworker"} 40207 } 40208 ev.Signal.Target.Process.PIDContext.IsKworker = rv 40209 return nil 40210 case "signal.target.is_thread": 40211 if ev.Signal.Target == nil { 40212 ev.Signal.Target = &ProcessContext{} 40213 } 40214 rv, ok := value.(bool) 40215 if !ok { 40216 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.IsThread"} 40217 } 40218 ev.Signal.Target.Process.IsThread = rv 40219 return nil 40220 case "signal.target.parent.args": 40221 if ev.Signal.Target == nil { 40222 ev.Signal.Target = &ProcessContext{} 40223 } 40224 if ev.Signal.Target.Parent == nil { 40225 ev.Signal.Target.Parent = &Process{} 40226 } 40227 rv, ok := value.(string) 40228 if !ok { 40229 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Args"} 40230 } 40231 ev.Signal.Target.Parent.Args = rv 40232 return nil 40233 case "signal.target.parent.args_flags": 40234 if ev.Signal.Target == nil { 40235 ev.Signal.Target = &ProcessContext{} 40236 } 40237 if ev.Signal.Target.Parent == nil { 40238 ev.Signal.Target.Parent = &Process{} 40239 } 40240 switch rv := value.(type) { 40241 case string: 40242 ev.Signal.Target.Parent.Argv = append(ev.Signal.Target.Parent.Argv, rv) 40243 case []string: 40244 ev.Signal.Target.Parent.Argv = append(ev.Signal.Target.Parent.Argv, rv...) 
40245 default: 40246 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Argv"} 40247 } 40248 return nil 40249 case "signal.target.parent.args_options": 40250 if ev.Signal.Target == nil { 40251 ev.Signal.Target = &ProcessContext{} 40252 } 40253 if ev.Signal.Target.Parent == nil { 40254 ev.Signal.Target.Parent = &Process{} 40255 } 40256 switch rv := value.(type) { 40257 case string: 40258 ev.Signal.Target.Parent.Argv = append(ev.Signal.Target.Parent.Argv, rv) 40259 case []string: 40260 ev.Signal.Target.Parent.Argv = append(ev.Signal.Target.Parent.Argv, rv...) 40261 default: 40262 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Argv"} 40263 } 40264 return nil 40265 case "signal.target.parent.args_truncated": 40266 if ev.Signal.Target == nil { 40267 ev.Signal.Target = &ProcessContext{} 40268 } 40269 if ev.Signal.Target.Parent == nil { 40270 ev.Signal.Target.Parent = &Process{} 40271 } 40272 rv, ok := value.(bool) 40273 if !ok { 40274 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.ArgsTruncated"} 40275 } 40276 ev.Signal.Target.Parent.ArgsTruncated = rv 40277 return nil 40278 case "signal.target.parent.argv": 40279 if ev.Signal.Target == nil { 40280 ev.Signal.Target = &ProcessContext{} 40281 } 40282 if ev.Signal.Target.Parent == nil { 40283 ev.Signal.Target.Parent = &Process{} 40284 } 40285 switch rv := value.(type) { 40286 case string: 40287 ev.Signal.Target.Parent.Argv = append(ev.Signal.Target.Parent.Argv, rv) 40288 case []string: 40289 ev.Signal.Target.Parent.Argv = append(ev.Signal.Target.Parent.Argv, rv...) 
40290 default: 40291 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Argv"} 40292 } 40293 return nil 40294 case "signal.target.parent.argv0": 40295 if ev.Signal.Target == nil { 40296 ev.Signal.Target = &ProcessContext{} 40297 } 40298 if ev.Signal.Target.Parent == nil { 40299 ev.Signal.Target.Parent = &Process{} 40300 } 40301 rv, ok := value.(string) 40302 if !ok { 40303 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Argv0"} 40304 } 40305 ev.Signal.Target.Parent.Argv0 = rv 40306 return nil 40307 case "signal.target.parent.cap_effective": 40308 if ev.Signal.Target == nil { 40309 ev.Signal.Target = &ProcessContext{} 40310 } 40311 if ev.Signal.Target.Parent == nil { 40312 ev.Signal.Target.Parent = &Process{} 40313 } 40314 rv, ok := value.(int) 40315 if !ok { 40316 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.CapEffective"} 40317 } 40318 ev.Signal.Target.Parent.Credentials.CapEffective = uint64(rv) 40319 return nil 40320 case "signal.target.parent.cap_permitted": 40321 if ev.Signal.Target == nil { 40322 ev.Signal.Target = &ProcessContext{} 40323 } 40324 if ev.Signal.Target.Parent == nil { 40325 ev.Signal.Target.Parent = &Process{} 40326 } 40327 rv, ok := value.(int) 40328 if !ok { 40329 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.CapPermitted"} 40330 } 40331 ev.Signal.Target.Parent.Credentials.CapPermitted = uint64(rv) 40332 return nil 40333 case "signal.target.parent.comm": 40334 if ev.Signal.Target == nil { 40335 ev.Signal.Target = &ProcessContext{} 40336 } 40337 if ev.Signal.Target.Parent == nil { 40338 ev.Signal.Target.Parent = &Process{} 40339 } 40340 rv, ok := value.(string) 40341 if !ok { 40342 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Comm"} 40343 } 40344 ev.Signal.Target.Parent.Comm = rv 40345 return nil 40346 case "signal.target.parent.container.id": 40347 if ev.Signal.Target == nil { 40348 ev.Signal.Target = &ProcessContext{} 40349 } 40350 if 
ev.Signal.Target.Parent == nil { 40351 ev.Signal.Target.Parent = &Process{} 40352 } 40353 rv, ok := value.(string) 40354 if !ok { 40355 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.ContainerID"} 40356 } 40357 ev.Signal.Target.Parent.ContainerID = rv 40358 return nil 40359 case "signal.target.parent.created_at": 40360 if ev.Signal.Target == nil { 40361 ev.Signal.Target = &ProcessContext{} 40362 } 40363 if ev.Signal.Target.Parent == nil { 40364 ev.Signal.Target.Parent = &Process{} 40365 } 40366 rv, ok := value.(int) 40367 if !ok { 40368 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.CreatedAt"} 40369 } 40370 ev.Signal.Target.Parent.CreatedAt = uint64(rv) 40371 return nil 40372 case "signal.target.parent.egid": 40373 if ev.Signal.Target == nil { 40374 ev.Signal.Target = &ProcessContext{} 40375 } 40376 if ev.Signal.Target.Parent == nil { 40377 ev.Signal.Target.Parent = &Process{} 40378 } 40379 rv, ok := value.(int) 40380 if !ok { 40381 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.EGID"} 40382 } 40383 ev.Signal.Target.Parent.Credentials.EGID = uint32(rv) 40384 return nil 40385 case "signal.target.parent.egroup": 40386 if ev.Signal.Target == nil { 40387 ev.Signal.Target = &ProcessContext{} 40388 } 40389 if ev.Signal.Target.Parent == nil { 40390 ev.Signal.Target.Parent = &Process{} 40391 } 40392 rv, ok := value.(string) 40393 if !ok { 40394 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.EGroup"} 40395 } 40396 ev.Signal.Target.Parent.Credentials.EGroup = rv 40397 return nil 40398 case "signal.target.parent.envp": 40399 if ev.Signal.Target == nil { 40400 ev.Signal.Target = &ProcessContext{} 40401 } 40402 if ev.Signal.Target.Parent == nil { 40403 ev.Signal.Target.Parent = &Process{} 40404 } 40405 switch rv := value.(type) { 40406 case string: 40407 ev.Signal.Target.Parent.Envp = append(ev.Signal.Target.Parent.Envp, rv) 40408 case []string: 40409 ev.Signal.Target.Parent.Envp = 
append(ev.Signal.Target.Parent.Envp, rv...) 40410 default: 40411 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Envp"} 40412 } 40413 return nil 40414 case "signal.target.parent.envs": 40415 if ev.Signal.Target == nil { 40416 ev.Signal.Target = &ProcessContext{} 40417 } 40418 if ev.Signal.Target.Parent == nil { 40419 ev.Signal.Target.Parent = &Process{} 40420 } 40421 switch rv := value.(type) { 40422 case string: 40423 ev.Signal.Target.Parent.Envs = append(ev.Signal.Target.Parent.Envs, rv) 40424 case []string: 40425 ev.Signal.Target.Parent.Envs = append(ev.Signal.Target.Parent.Envs, rv...) 40426 default: 40427 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Envs"} 40428 } 40429 return nil 40430 case "signal.target.parent.envs_truncated": 40431 if ev.Signal.Target == nil { 40432 ev.Signal.Target = &ProcessContext{} 40433 } 40434 if ev.Signal.Target.Parent == nil { 40435 ev.Signal.Target.Parent = &Process{} 40436 } 40437 rv, ok := value.(bool) 40438 if !ok { 40439 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.EnvsTruncated"} 40440 } 40441 ev.Signal.Target.Parent.EnvsTruncated = rv 40442 return nil 40443 case "signal.target.parent.euid": 40444 if ev.Signal.Target == nil { 40445 ev.Signal.Target = &ProcessContext{} 40446 } 40447 if ev.Signal.Target.Parent == nil { 40448 ev.Signal.Target.Parent = &Process{} 40449 } 40450 rv, ok := value.(int) 40451 if !ok { 40452 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.EUID"} 40453 } 40454 ev.Signal.Target.Parent.Credentials.EUID = uint32(rv) 40455 return nil 40456 case "signal.target.parent.euser": 40457 if ev.Signal.Target == nil { 40458 ev.Signal.Target = &ProcessContext{} 40459 } 40460 if ev.Signal.Target.Parent == nil { 40461 ev.Signal.Target.Parent = &Process{} 40462 } 40463 rv, ok := value.(string) 40464 if !ok { 40465 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.EUser"} 40466 } 40467 
ev.Signal.Target.Parent.Credentials.EUser = rv 40468 return nil 40469 case "signal.target.parent.file.change_time": 40470 if ev.Signal.Target == nil { 40471 ev.Signal.Target = &ProcessContext{} 40472 } 40473 if ev.Signal.Target.Parent == nil { 40474 ev.Signal.Target.Parent = &Process{} 40475 } 40476 rv, ok := value.(int) 40477 if !ok { 40478 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.FileFields.CTime"} 40479 } 40480 ev.Signal.Target.Parent.FileEvent.FileFields.CTime = uint64(rv) 40481 return nil 40482 case "signal.target.parent.file.filesystem": 40483 if ev.Signal.Target == nil { 40484 ev.Signal.Target = &ProcessContext{} 40485 } 40486 if ev.Signal.Target.Parent == nil { 40487 ev.Signal.Target.Parent = &Process{} 40488 } 40489 rv, ok := value.(string) 40490 if !ok { 40491 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.Filesystem"} 40492 } 40493 ev.Signal.Target.Parent.FileEvent.Filesystem = rv 40494 return nil 40495 case "signal.target.parent.file.gid": 40496 if ev.Signal.Target == nil { 40497 ev.Signal.Target = &ProcessContext{} 40498 } 40499 if ev.Signal.Target.Parent == nil { 40500 ev.Signal.Target.Parent = &Process{} 40501 } 40502 rv, ok := value.(int) 40503 if !ok { 40504 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.FileFields.GID"} 40505 } 40506 ev.Signal.Target.Parent.FileEvent.FileFields.GID = uint32(rv) 40507 return nil 40508 case "signal.target.parent.file.group": 40509 if ev.Signal.Target == nil { 40510 ev.Signal.Target = &ProcessContext{} 40511 } 40512 if ev.Signal.Target.Parent == nil { 40513 ev.Signal.Target.Parent = &Process{} 40514 } 40515 rv, ok := value.(string) 40516 if !ok { 40517 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.FileFields.Group"} 40518 } 40519 ev.Signal.Target.Parent.FileEvent.FileFields.Group = rv 40520 return nil 40521 case "signal.target.parent.file.hashes": 40522 if ev.Signal.Target == nil { 40523 ev.Signal.Target = 
&ProcessContext{} 40524 } 40525 if ev.Signal.Target.Parent == nil { 40526 ev.Signal.Target.Parent = &Process{} 40527 } 40528 switch rv := value.(type) { 40529 case string: 40530 ev.Signal.Target.Parent.FileEvent.Hashes = append(ev.Signal.Target.Parent.FileEvent.Hashes, rv) 40531 case []string: 40532 ev.Signal.Target.Parent.FileEvent.Hashes = append(ev.Signal.Target.Parent.FileEvent.Hashes, rv...) 40533 default: 40534 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.Hashes"} 40535 } 40536 return nil 40537 case "signal.target.parent.file.in_upper_layer": 40538 if ev.Signal.Target == nil { 40539 ev.Signal.Target = &ProcessContext{} 40540 } 40541 if ev.Signal.Target.Parent == nil { 40542 ev.Signal.Target.Parent = &Process{} 40543 } 40544 rv, ok := value.(bool) 40545 if !ok { 40546 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.FileFields.InUpperLayer"} 40547 } 40548 ev.Signal.Target.Parent.FileEvent.FileFields.InUpperLayer = rv 40549 return nil 40550 case "signal.target.parent.file.inode": 40551 if ev.Signal.Target == nil { 40552 ev.Signal.Target = &ProcessContext{} 40553 } 40554 if ev.Signal.Target.Parent == nil { 40555 ev.Signal.Target.Parent = &Process{} 40556 } 40557 rv, ok := value.(int) 40558 if !ok { 40559 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.FileFields.PathKey.Inode"} 40560 } 40561 ev.Signal.Target.Parent.FileEvent.FileFields.PathKey.Inode = uint64(rv) 40562 return nil 40563 case "signal.target.parent.file.mode": 40564 if ev.Signal.Target == nil { 40565 ev.Signal.Target = &ProcessContext{} 40566 } 40567 if ev.Signal.Target.Parent == nil { 40568 ev.Signal.Target.Parent = &Process{} 40569 } 40570 rv, ok := value.(int) 40571 if !ok { 40572 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.FileFields.Mode"} 40573 } 40574 ev.Signal.Target.Parent.FileEvent.FileFields.Mode = uint16(rv) 40575 return nil 40576 case "signal.target.parent.file.modification_time": 
40577 if ev.Signal.Target == nil { 40578 ev.Signal.Target = &ProcessContext{} 40579 } 40580 if ev.Signal.Target.Parent == nil { 40581 ev.Signal.Target.Parent = &Process{} 40582 } 40583 rv, ok := value.(int) 40584 if !ok { 40585 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.FileFields.MTime"} 40586 } 40587 ev.Signal.Target.Parent.FileEvent.FileFields.MTime = uint64(rv) 40588 return nil 40589 case "signal.target.parent.file.mount_id": 40590 if ev.Signal.Target == nil { 40591 ev.Signal.Target = &ProcessContext{} 40592 } 40593 if ev.Signal.Target.Parent == nil { 40594 ev.Signal.Target.Parent = &Process{} 40595 } 40596 rv, ok := value.(int) 40597 if !ok { 40598 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.FileFields.PathKey.MountID"} 40599 } 40600 ev.Signal.Target.Parent.FileEvent.FileFields.PathKey.MountID = uint32(rv) 40601 return nil 40602 case "signal.target.parent.file.name": 40603 if ev.Signal.Target == nil { 40604 ev.Signal.Target = &ProcessContext{} 40605 } 40606 if ev.Signal.Target.Parent == nil { 40607 ev.Signal.Target.Parent = &Process{} 40608 } 40609 rv, ok := value.(string) 40610 if !ok { 40611 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.BasenameStr"} 40612 } 40613 ev.Signal.Target.Parent.FileEvent.BasenameStr = rv 40614 return nil 40615 case "signal.target.parent.file.name.length": 40616 if ev.Signal.Target == nil { 40617 ev.Signal.Target = &ProcessContext{} 40618 } 40619 if ev.Signal.Target.Parent == nil { 40620 ev.Signal.Target.Parent = &Process{} 40621 } 40622 return &eval.ErrFieldReadOnly{Field: "signal.target.parent.file.name.length"} 40623 case "signal.target.parent.file.package.name": 40624 if ev.Signal.Target == nil { 40625 ev.Signal.Target = &ProcessContext{} 40626 } 40627 if ev.Signal.Target.Parent == nil { 40628 ev.Signal.Target.Parent = &Process{} 40629 } 40630 rv, ok := value.(string) 40631 if !ok { 40632 return &eval.ErrValueTypeMismatch{Field: 
"Signal.Target.Parent.FileEvent.PkgName"} 40633 } 40634 ev.Signal.Target.Parent.FileEvent.PkgName = rv 40635 return nil 40636 case "signal.target.parent.file.package.source_version": 40637 if ev.Signal.Target == nil { 40638 ev.Signal.Target = &ProcessContext{} 40639 } 40640 if ev.Signal.Target.Parent == nil { 40641 ev.Signal.Target.Parent = &Process{} 40642 } 40643 rv, ok := value.(string) 40644 if !ok { 40645 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.PkgSrcVersion"} 40646 } 40647 ev.Signal.Target.Parent.FileEvent.PkgSrcVersion = rv 40648 return nil 40649 case "signal.target.parent.file.package.version": 40650 if ev.Signal.Target == nil { 40651 ev.Signal.Target = &ProcessContext{} 40652 } 40653 if ev.Signal.Target.Parent == nil { 40654 ev.Signal.Target.Parent = &Process{} 40655 } 40656 rv, ok := value.(string) 40657 if !ok { 40658 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.PkgVersion"} 40659 } 40660 ev.Signal.Target.Parent.FileEvent.PkgVersion = rv 40661 return nil 40662 case "signal.target.parent.file.path": 40663 if ev.Signal.Target == nil { 40664 ev.Signal.Target = &ProcessContext{} 40665 } 40666 if ev.Signal.Target.Parent == nil { 40667 ev.Signal.Target.Parent = &Process{} 40668 } 40669 rv, ok := value.(string) 40670 if !ok { 40671 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.PathnameStr"} 40672 } 40673 ev.Signal.Target.Parent.FileEvent.PathnameStr = rv 40674 return nil 40675 case "signal.target.parent.file.path.length": 40676 if ev.Signal.Target == nil { 40677 ev.Signal.Target = &ProcessContext{} 40678 } 40679 if ev.Signal.Target.Parent == nil { 40680 ev.Signal.Target.Parent = &Process{} 40681 } 40682 return &eval.ErrFieldReadOnly{Field: "signal.target.parent.file.path.length"} 40683 case "signal.target.parent.file.rights": 40684 if ev.Signal.Target == nil { 40685 ev.Signal.Target = &ProcessContext{} 40686 } 40687 if ev.Signal.Target.Parent == nil { 40688 
ev.Signal.Target.Parent = &Process{} 40689 } 40690 rv, ok := value.(int) 40691 if !ok { 40692 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.FileFields.Mode"} 40693 } 40694 ev.Signal.Target.Parent.FileEvent.FileFields.Mode = uint16(rv) 40695 return nil 40696 case "signal.target.parent.file.uid": 40697 if ev.Signal.Target == nil { 40698 ev.Signal.Target = &ProcessContext{} 40699 } 40700 if ev.Signal.Target.Parent == nil { 40701 ev.Signal.Target.Parent = &Process{} 40702 } 40703 rv, ok := value.(int) 40704 if !ok { 40705 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.FileFields.UID"} 40706 } 40707 ev.Signal.Target.Parent.FileEvent.FileFields.UID = uint32(rv) 40708 return nil 40709 case "signal.target.parent.file.user": 40710 if ev.Signal.Target == nil { 40711 ev.Signal.Target = &ProcessContext{} 40712 } 40713 if ev.Signal.Target.Parent == nil { 40714 ev.Signal.Target.Parent = &Process{} 40715 } 40716 rv, ok := value.(string) 40717 if !ok { 40718 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.FileEvent.FileFields.User"} 40719 } 40720 ev.Signal.Target.Parent.FileEvent.FileFields.User = rv 40721 return nil 40722 case "signal.target.parent.fsgid": 40723 if ev.Signal.Target == nil { 40724 ev.Signal.Target = &ProcessContext{} 40725 } 40726 if ev.Signal.Target.Parent == nil { 40727 ev.Signal.Target.Parent = &Process{} 40728 } 40729 rv, ok := value.(int) 40730 if !ok { 40731 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.FSGID"} 40732 } 40733 ev.Signal.Target.Parent.Credentials.FSGID = uint32(rv) 40734 return nil 40735 case "signal.target.parent.fsgroup": 40736 if ev.Signal.Target == nil { 40737 ev.Signal.Target = &ProcessContext{} 40738 } 40739 if ev.Signal.Target.Parent == nil { 40740 ev.Signal.Target.Parent = &Process{} 40741 } 40742 rv, ok := value.(string) 40743 if !ok { 40744 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.FSGroup"} 40745 } 40746 
ev.Signal.Target.Parent.Credentials.FSGroup = rv 40747 return nil 40748 case "signal.target.parent.fsuid": 40749 if ev.Signal.Target == nil { 40750 ev.Signal.Target = &ProcessContext{} 40751 } 40752 if ev.Signal.Target.Parent == nil { 40753 ev.Signal.Target.Parent = &Process{} 40754 } 40755 rv, ok := value.(int) 40756 if !ok { 40757 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.FSUID"} 40758 } 40759 ev.Signal.Target.Parent.Credentials.FSUID = uint32(rv) 40760 return nil 40761 case "signal.target.parent.fsuser": 40762 if ev.Signal.Target == nil { 40763 ev.Signal.Target = &ProcessContext{} 40764 } 40765 if ev.Signal.Target.Parent == nil { 40766 ev.Signal.Target.Parent = &Process{} 40767 } 40768 rv, ok := value.(string) 40769 if !ok { 40770 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.FSUser"} 40771 } 40772 ev.Signal.Target.Parent.Credentials.FSUser = rv 40773 return nil 40774 case "signal.target.parent.gid": 40775 if ev.Signal.Target == nil { 40776 ev.Signal.Target = &ProcessContext{} 40777 } 40778 if ev.Signal.Target.Parent == nil { 40779 ev.Signal.Target.Parent = &Process{} 40780 } 40781 rv, ok := value.(int) 40782 if !ok { 40783 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.GID"} 40784 } 40785 ev.Signal.Target.Parent.Credentials.GID = uint32(rv) 40786 return nil 40787 case "signal.target.parent.group": 40788 if ev.Signal.Target == nil { 40789 ev.Signal.Target = &ProcessContext{} 40790 } 40791 if ev.Signal.Target.Parent == nil { 40792 ev.Signal.Target.Parent = &Process{} 40793 } 40794 rv, ok := value.(string) 40795 if !ok { 40796 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.Group"} 40797 } 40798 ev.Signal.Target.Parent.Credentials.Group = rv 40799 return nil 40800 case "signal.target.parent.interpreter.file.change_time": 40801 if ev.Signal.Target == nil { 40802 ev.Signal.Target = &ProcessContext{} 40803 } 40804 if ev.Signal.Target.Parent == nil { 
40805 ev.Signal.Target.Parent = &Process{} 40806 } 40807 rv, ok := value.(int) 40808 if !ok { 40809 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.CTime"} 40810 } 40811 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.CTime = uint64(rv) 40812 return nil 40813 case "signal.target.parent.interpreter.file.filesystem": 40814 if ev.Signal.Target == nil { 40815 ev.Signal.Target = &ProcessContext{} 40816 } 40817 if ev.Signal.Target.Parent == nil { 40818 ev.Signal.Target.Parent = &Process{} 40819 } 40820 rv, ok := value.(string) 40821 if !ok { 40822 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.Filesystem"} 40823 } 40824 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.Filesystem = rv 40825 return nil 40826 case "signal.target.parent.interpreter.file.gid": 40827 if ev.Signal.Target == nil { 40828 ev.Signal.Target = &ProcessContext{} 40829 } 40830 if ev.Signal.Target.Parent == nil { 40831 ev.Signal.Target.Parent = &Process{} 40832 } 40833 rv, ok := value.(int) 40834 if !ok { 40835 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.GID"} 40836 } 40837 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.GID = uint32(rv) 40838 return nil 40839 case "signal.target.parent.interpreter.file.group": 40840 if ev.Signal.Target == nil { 40841 ev.Signal.Target = &ProcessContext{} 40842 } 40843 if ev.Signal.Target.Parent == nil { 40844 ev.Signal.Target.Parent = &Process{} 40845 } 40846 rv, ok := value.(string) 40847 if !ok { 40848 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.Group"} 40849 } 40850 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.Group = rv 40851 return nil 40852 case "signal.target.parent.interpreter.file.hashes": 40853 if ev.Signal.Target == nil { 40854 ev.Signal.Target = &ProcessContext{} 40855 } 40856 if ev.Signal.Target.Parent == nil { 40857 ev.Signal.Target.Parent = 
&Process{} 40858 } 40859 switch rv := value.(type) { 40860 case string: 40861 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.Hashes = append(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.Hashes, rv) 40862 case []string: 40863 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.Hashes = append(ev.Signal.Target.Parent.LinuxBinprm.FileEvent.Hashes, rv...) 40864 default: 40865 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.Hashes"} 40866 } 40867 return nil 40868 case "signal.target.parent.interpreter.file.in_upper_layer": 40869 if ev.Signal.Target == nil { 40870 ev.Signal.Target = &ProcessContext{} 40871 } 40872 if ev.Signal.Target.Parent == nil { 40873 ev.Signal.Target.Parent = &Process{} 40874 } 40875 rv, ok := value.(bool) 40876 if !ok { 40877 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.InUpperLayer"} 40878 } 40879 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.InUpperLayer = rv 40880 return nil 40881 case "signal.target.parent.interpreter.file.inode": 40882 if ev.Signal.Target == nil { 40883 ev.Signal.Target = &ProcessContext{} 40884 } 40885 if ev.Signal.Target.Parent == nil { 40886 ev.Signal.Target.Parent = &Process{} 40887 } 40888 rv, ok := value.(int) 40889 if !ok { 40890 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode"} 40891 } 40892 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.Inode = uint64(rv) 40893 return nil 40894 case "signal.target.parent.interpreter.file.mode": 40895 if ev.Signal.Target == nil { 40896 ev.Signal.Target = &ProcessContext{} 40897 } 40898 if ev.Signal.Target.Parent == nil { 40899 ev.Signal.Target.Parent = &Process{} 40900 } 40901 rv, ok := value.(int) 40902 if !ok { 40903 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.Mode"} 40904 } 40905 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 40906 
return nil 40907 case "signal.target.parent.interpreter.file.modification_time": 40908 if ev.Signal.Target == nil { 40909 ev.Signal.Target = &ProcessContext{} 40910 } 40911 if ev.Signal.Target.Parent == nil { 40912 ev.Signal.Target.Parent = &Process{} 40913 } 40914 rv, ok := value.(int) 40915 if !ok { 40916 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.MTime"} 40917 } 40918 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.MTime = uint64(rv) 40919 return nil 40920 case "signal.target.parent.interpreter.file.mount_id": 40921 if ev.Signal.Target == nil { 40922 ev.Signal.Target = &ProcessContext{} 40923 } 40924 if ev.Signal.Target.Parent == nil { 40925 ev.Signal.Target.Parent = &Process{} 40926 } 40927 rv, ok := value.(int) 40928 if !ok { 40929 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID"} 40930 } 40931 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.PathKey.MountID = uint32(rv) 40932 return nil 40933 case "signal.target.parent.interpreter.file.name": 40934 if ev.Signal.Target == nil { 40935 ev.Signal.Target = &ProcessContext{} 40936 } 40937 if ev.Signal.Target.Parent == nil { 40938 ev.Signal.Target.Parent = &Process{} 40939 } 40940 rv, ok := value.(string) 40941 if !ok { 40942 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.BasenameStr"} 40943 } 40944 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.BasenameStr = rv 40945 return nil 40946 case "signal.target.parent.interpreter.file.name.length": 40947 if ev.Signal.Target == nil { 40948 ev.Signal.Target = &ProcessContext{} 40949 } 40950 if ev.Signal.Target.Parent == nil { 40951 ev.Signal.Target.Parent = &Process{} 40952 } 40953 return &eval.ErrFieldReadOnly{Field: "signal.target.parent.interpreter.file.name.length"} 40954 case "signal.target.parent.interpreter.file.package.name": 40955 if ev.Signal.Target == nil { 40956 ev.Signal.Target = 
&ProcessContext{} 40957 } 40958 if ev.Signal.Target.Parent == nil { 40959 ev.Signal.Target.Parent = &Process{} 40960 } 40961 rv, ok := value.(string) 40962 if !ok { 40963 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.PkgName"} 40964 } 40965 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.PkgName = rv 40966 return nil 40967 case "signal.target.parent.interpreter.file.package.source_version": 40968 if ev.Signal.Target == nil { 40969 ev.Signal.Target = &ProcessContext{} 40970 } 40971 if ev.Signal.Target.Parent == nil { 40972 ev.Signal.Target.Parent = &Process{} 40973 } 40974 rv, ok := value.(string) 40975 if !ok { 40976 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.PkgSrcVersion"} 40977 } 40978 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.PkgSrcVersion = rv 40979 return nil 40980 case "signal.target.parent.interpreter.file.package.version": 40981 if ev.Signal.Target == nil { 40982 ev.Signal.Target = &ProcessContext{} 40983 } 40984 if ev.Signal.Target.Parent == nil { 40985 ev.Signal.Target.Parent = &Process{} 40986 } 40987 rv, ok := value.(string) 40988 if !ok { 40989 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.PkgVersion"} 40990 } 40991 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.PkgVersion = rv 40992 return nil 40993 case "signal.target.parent.interpreter.file.path": 40994 if ev.Signal.Target == nil { 40995 ev.Signal.Target = &ProcessContext{} 40996 } 40997 if ev.Signal.Target.Parent == nil { 40998 ev.Signal.Target.Parent = &Process{} 40999 } 41000 rv, ok := value.(string) 41001 if !ok { 41002 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.PathnameStr"} 41003 } 41004 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.PathnameStr = rv 41005 return nil 41006 case "signal.target.parent.interpreter.file.path.length": 41007 if ev.Signal.Target == nil { 41008 ev.Signal.Target = &ProcessContext{} 41009 } 41010 if 
ev.Signal.Target.Parent == nil { 41011 ev.Signal.Target.Parent = &Process{} 41012 } 41013 return &eval.ErrFieldReadOnly{Field: "signal.target.parent.interpreter.file.path.length"} 41014 case "signal.target.parent.interpreter.file.rights": 41015 if ev.Signal.Target == nil { 41016 ev.Signal.Target = &ProcessContext{} 41017 } 41018 if ev.Signal.Target.Parent == nil { 41019 ev.Signal.Target.Parent = &Process{} 41020 } 41021 rv, ok := value.(int) 41022 if !ok { 41023 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.Mode"} 41024 } 41025 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.Mode = uint16(rv) 41026 return nil 41027 case "signal.target.parent.interpreter.file.uid": 41028 if ev.Signal.Target == nil { 41029 ev.Signal.Target = &ProcessContext{} 41030 } 41031 if ev.Signal.Target.Parent == nil { 41032 ev.Signal.Target.Parent = &Process{} 41033 } 41034 rv, ok := value.(int) 41035 if !ok { 41036 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.UID"} 41037 } 41038 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.UID = uint32(rv) 41039 return nil 41040 case "signal.target.parent.interpreter.file.user": 41041 if ev.Signal.Target == nil { 41042 ev.Signal.Target = &ProcessContext{} 41043 } 41044 if ev.Signal.Target.Parent == nil { 41045 ev.Signal.Target.Parent = &Process{} 41046 } 41047 rv, ok := value.(string) 41048 if !ok { 41049 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.User"} 41050 } 41051 ev.Signal.Target.Parent.LinuxBinprm.FileEvent.FileFields.User = rv 41052 return nil 41053 case "signal.target.parent.is_kworker": 41054 if ev.Signal.Target == nil { 41055 ev.Signal.Target = &ProcessContext{} 41056 } 41057 if ev.Signal.Target.Parent == nil { 41058 ev.Signal.Target.Parent = &Process{} 41059 } 41060 rv, ok := value.(bool) 41061 if !ok { 41062 return &eval.ErrValueTypeMismatch{Field: 
"Signal.Target.Parent.PIDContext.IsKworker"} 41063 } 41064 ev.Signal.Target.Parent.PIDContext.IsKworker = rv 41065 return nil 41066 case "signal.target.parent.is_thread": 41067 if ev.Signal.Target == nil { 41068 ev.Signal.Target = &ProcessContext{} 41069 } 41070 if ev.Signal.Target.Parent == nil { 41071 ev.Signal.Target.Parent = &Process{} 41072 } 41073 rv, ok := value.(bool) 41074 if !ok { 41075 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.IsThread"} 41076 } 41077 ev.Signal.Target.Parent.IsThread = rv 41078 return nil 41079 case "signal.target.parent.pid": 41080 if ev.Signal.Target == nil { 41081 ev.Signal.Target = &ProcessContext{} 41082 } 41083 if ev.Signal.Target.Parent == nil { 41084 ev.Signal.Target.Parent = &Process{} 41085 } 41086 rv, ok := value.(int) 41087 if !ok { 41088 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.PIDContext.Pid"} 41089 } 41090 ev.Signal.Target.Parent.PIDContext.Pid = uint32(rv) 41091 return nil 41092 case "signal.target.parent.ppid": 41093 if ev.Signal.Target == nil { 41094 ev.Signal.Target = &ProcessContext{} 41095 } 41096 if ev.Signal.Target.Parent == nil { 41097 ev.Signal.Target.Parent = &Process{} 41098 } 41099 rv, ok := value.(int) 41100 if !ok { 41101 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.PPid"} 41102 } 41103 ev.Signal.Target.Parent.PPid = uint32(rv) 41104 return nil 41105 case "signal.target.parent.tid": 41106 if ev.Signal.Target == nil { 41107 ev.Signal.Target = &ProcessContext{} 41108 } 41109 if ev.Signal.Target.Parent == nil { 41110 ev.Signal.Target.Parent = &Process{} 41111 } 41112 rv, ok := value.(int) 41113 if !ok { 41114 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.PIDContext.Tid"} 41115 } 41116 ev.Signal.Target.Parent.PIDContext.Tid = uint32(rv) 41117 return nil 41118 case "signal.target.parent.tty_name": 41119 if ev.Signal.Target == nil { 41120 ev.Signal.Target = &ProcessContext{} 41121 } 41122 if ev.Signal.Target.Parent == nil { 41123 
ev.Signal.Target.Parent = &Process{} 41124 } 41125 rv, ok := value.(string) 41126 if !ok { 41127 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.TTYName"} 41128 } 41129 ev.Signal.Target.Parent.TTYName = rv 41130 return nil 41131 case "signal.target.parent.uid": 41132 if ev.Signal.Target == nil { 41133 ev.Signal.Target = &ProcessContext{} 41134 } 41135 if ev.Signal.Target.Parent == nil { 41136 ev.Signal.Target.Parent = &Process{} 41137 } 41138 rv, ok := value.(int) 41139 if !ok { 41140 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.UID"} 41141 } 41142 ev.Signal.Target.Parent.Credentials.UID = uint32(rv) 41143 return nil 41144 case "signal.target.parent.user": 41145 if ev.Signal.Target == nil { 41146 ev.Signal.Target = &ProcessContext{} 41147 } 41148 if ev.Signal.Target.Parent == nil { 41149 ev.Signal.Target.Parent = &Process{} 41150 } 41151 rv, ok := value.(string) 41152 if !ok { 41153 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.Credentials.User"} 41154 } 41155 ev.Signal.Target.Parent.Credentials.User = rv 41156 return nil 41157 case "signal.target.parent.user_session.k8s_groups": 41158 if ev.Signal.Target == nil { 41159 ev.Signal.Target = &ProcessContext{} 41160 } 41161 if ev.Signal.Target.Parent == nil { 41162 ev.Signal.Target.Parent = &Process{} 41163 } 41164 switch rv := value.(type) { 41165 case string: 41166 ev.Signal.Target.Parent.UserSession.K8SGroups = append(ev.Signal.Target.Parent.UserSession.K8SGroups, rv) 41167 case []string: 41168 ev.Signal.Target.Parent.UserSession.K8SGroups = append(ev.Signal.Target.Parent.UserSession.K8SGroups, rv...) 
41169 default: 41170 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.UserSession.K8SGroups"} 41171 } 41172 return nil 41173 case "signal.target.parent.user_session.k8s_uid": 41174 if ev.Signal.Target == nil { 41175 ev.Signal.Target = &ProcessContext{} 41176 } 41177 if ev.Signal.Target.Parent == nil { 41178 ev.Signal.Target.Parent = &Process{} 41179 } 41180 rv, ok := value.(string) 41181 if !ok { 41182 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.UserSession.K8SUID"} 41183 } 41184 ev.Signal.Target.Parent.UserSession.K8SUID = rv 41185 return nil 41186 case "signal.target.parent.user_session.k8s_username": 41187 if ev.Signal.Target == nil { 41188 ev.Signal.Target = &ProcessContext{} 41189 } 41190 if ev.Signal.Target.Parent == nil { 41191 ev.Signal.Target.Parent = &Process{} 41192 } 41193 rv, ok := value.(string) 41194 if !ok { 41195 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Parent.UserSession.K8SUsername"} 41196 } 41197 ev.Signal.Target.Parent.UserSession.K8SUsername = rv 41198 return nil 41199 case "signal.target.pid": 41200 if ev.Signal.Target == nil { 41201 ev.Signal.Target = &ProcessContext{} 41202 } 41203 rv, ok := value.(int) 41204 if !ok { 41205 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.PIDContext.Pid"} 41206 } 41207 ev.Signal.Target.Process.PIDContext.Pid = uint32(rv) 41208 return nil 41209 case "signal.target.ppid": 41210 if ev.Signal.Target == nil { 41211 ev.Signal.Target = &ProcessContext{} 41212 } 41213 rv, ok := value.(int) 41214 if !ok { 41215 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.PPid"} 41216 } 41217 ev.Signal.Target.Process.PPid = uint32(rv) 41218 return nil 41219 case "signal.target.tid": 41220 if ev.Signal.Target == nil { 41221 ev.Signal.Target = &ProcessContext{} 41222 } 41223 rv, ok := value.(int) 41224 if !ok { 41225 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.PIDContext.Tid"} 41226 } 41227 ev.Signal.Target.Process.PIDContext.Tid = 
uint32(rv) 41228 return nil 41229 case "signal.target.tty_name": 41230 if ev.Signal.Target == nil { 41231 ev.Signal.Target = &ProcessContext{} 41232 } 41233 rv, ok := value.(string) 41234 if !ok { 41235 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.TTYName"} 41236 } 41237 ev.Signal.Target.Process.TTYName = rv 41238 return nil 41239 case "signal.target.uid": 41240 if ev.Signal.Target == nil { 41241 ev.Signal.Target = &ProcessContext{} 41242 } 41243 rv, ok := value.(int) 41244 if !ok { 41245 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.UID"} 41246 } 41247 ev.Signal.Target.Process.Credentials.UID = uint32(rv) 41248 return nil 41249 case "signal.target.user": 41250 if ev.Signal.Target == nil { 41251 ev.Signal.Target = &ProcessContext{} 41252 } 41253 rv, ok := value.(string) 41254 if !ok { 41255 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.Credentials.User"} 41256 } 41257 ev.Signal.Target.Process.Credentials.User = rv 41258 return nil 41259 case "signal.target.user_session.k8s_groups": 41260 if ev.Signal.Target == nil { 41261 ev.Signal.Target = &ProcessContext{} 41262 } 41263 switch rv := value.(type) { 41264 case string: 41265 ev.Signal.Target.Process.UserSession.K8SGroups = append(ev.Signal.Target.Process.UserSession.K8SGroups, rv) 41266 case []string: 41267 ev.Signal.Target.Process.UserSession.K8SGroups = append(ev.Signal.Target.Process.UserSession.K8SGroups, rv...) 
41268 default: 41269 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.UserSession.K8SGroups"} 41270 } 41271 return nil 41272 case "signal.target.user_session.k8s_uid": 41273 if ev.Signal.Target == nil { 41274 ev.Signal.Target = &ProcessContext{} 41275 } 41276 rv, ok := value.(string) 41277 if !ok { 41278 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.UserSession.K8SUID"} 41279 } 41280 ev.Signal.Target.Process.UserSession.K8SUID = rv 41281 return nil 41282 case "signal.target.user_session.k8s_username": 41283 if ev.Signal.Target == nil { 41284 ev.Signal.Target = &ProcessContext{} 41285 } 41286 rv, ok := value.(string) 41287 if !ok { 41288 return &eval.ErrValueTypeMismatch{Field: "Signal.Target.Process.UserSession.K8SUsername"} 41289 } 41290 ev.Signal.Target.Process.UserSession.K8SUsername = rv 41291 return nil 41292 case "signal.type": 41293 rv, ok := value.(int) 41294 if !ok { 41295 return &eval.ErrValueTypeMismatch{Field: "Signal.Type"} 41296 } 41297 ev.Signal.Type = uint32(rv) 41298 return nil 41299 case "splice.file.change_time": 41300 rv, ok := value.(int) 41301 if !ok { 41302 return &eval.ErrValueTypeMismatch{Field: "Splice.File.FileFields.CTime"} 41303 } 41304 ev.Splice.File.FileFields.CTime = uint64(rv) 41305 return nil 41306 case "splice.file.filesystem": 41307 rv, ok := value.(string) 41308 if !ok { 41309 return &eval.ErrValueTypeMismatch{Field: "Splice.File.Filesystem"} 41310 } 41311 ev.Splice.File.Filesystem = rv 41312 return nil 41313 case "splice.file.gid": 41314 rv, ok := value.(int) 41315 if !ok { 41316 return &eval.ErrValueTypeMismatch{Field: "Splice.File.FileFields.GID"} 41317 } 41318 ev.Splice.File.FileFields.GID = uint32(rv) 41319 return nil 41320 case "splice.file.group": 41321 rv, ok := value.(string) 41322 if !ok { 41323 return &eval.ErrValueTypeMismatch{Field: "Splice.File.FileFields.Group"} 41324 } 41325 ev.Splice.File.FileFields.Group = rv 41326 return nil 41327 case "splice.file.hashes": 41328 switch rv := 
value.(type) { 41329 case string: 41330 ev.Splice.File.Hashes = append(ev.Splice.File.Hashes, rv) 41331 case []string: 41332 ev.Splice.File.Hashes = append(ev.Splice.File.Hashes, rv...) 41333 default: 41334 return &eval.ErrValueTypeMismatch{Field: "Splice.File.Hashes"} 41335 } 41336 return nil 41337 case "splice.file.in_upper_layer": 41338 rv, ok := value.(bool) 41339 if !ok { 41340 return &eval.ErrValueTypeMismatch{Field: "Splice.File.FileFields.InUpperLayer"} 41341 } 41342 ev.Splice.File.FileFields.InUpperLayer = rv 41343 return nil 41344 case "splice.file.inode": 41345 rv, ok := value.(int) 41346 if !ok { 41347 return &eval.ErrValueTypeMismatch{Field: "Splice.File.FileFields.PathKey.Inode"} 41348 } 41349 ev.Splice.File.FileFields.PathKey.Inode = uint64(rv) 41350 return nil 41351 case "splice.file.mode": 41352 rv, ok := value.(int) 41353 if !ok { 41354 return &eval.ErrValueTypeMismatch{Field: "Splice.File.FileFields.Mode"} 41355 } 41356 ev.Splice.File.FileFields.Mode = uint16(rv) 41357 return nil 41358 case "splice.file.modification_time": 41359 rv, ok := value.(int) 41360 if !ok { 41361 return &eval.ErrValueTypeMismatch{Field: "Splice.File.FileFields.MTime"} 41362 } 41363 ev.Splice.File.FileFields.MTime = uint64(rv) 41364 return nil 41365 case "splice.file.mount_id": 41366 rv, ok := value.(int) 41367 if !ok { 41368 return &eval.ErrValueTypeMismatch{Field: "Splice.File.FileFields.PathKey.MountID"} 41369 } 41370 ev.Splice.File.FileFields.PathKey.MountID = uint32(rv) 41371 return nil 41372 case "splice.file.name": 41373 rv, ok := value.(string) 41374 if !ok { 41375 return &eval.ErrValueTypeMismatch{Field: "Splice.File.BasenameStr"} 41376 } 41377 ev.Splice.File.BasenameStr = rv 41378 return nil 41379 case "splice.file.name.length": 41380 return &eval.ErrFieldReadOnly{Field: "splice.file.name.length"} 41381 case "splice.file.package.name": 41382 rv, ok := value.(string) 41383 if !ok { 41384 return &eval.ErrValueTypeMismatch{Field: "Splice.File.PkgName"} 41385 } 41386 
ev.Splice.File.PkgName = rv 41387 return nil 41388 case "splice.file.package.source_version": 41389 rv, ok := value.(string) 41390 if !ok { 41391 return &eval.ErrValueTypeMismatch{Field: "Splice.File.PkgSrcVersion"} 41392 } 41393 ev.Splice.File.PkgSrcVersion = rv 41394 return nil 41395 case "splice.file.package.version": 41396 rv, ok := value.(string) 41397 if !ok { 41398 return &eval.ErrValueTypeMismatch{Field: "Splice.File.PkgVersion"} 41399 } 41400 ev.Splice.File.PkgVersion = rv 41401 return nil 41402 case "splice.file.path": 41403 rv, ok := value.(string) 41404 if !ok { 41405 return &eval.ErrValueTypeMismatch{Field: "Splice.File.PathnameStr"} 41406 } 41407 ev.Splice.File.PathnameStr = rv 41408 return nil 41409 case "splice.file.path.length": 41410 return &eval.ErrFieldReadOnly{Field: "splice.file.path.length"} 41411 case "splice.file.rights": 41412 rv, ok := value.(int) 41413 if !ok { 41414 return &eval.ErrValueTypeMismatch{Field: "Splice.File.FileFields.Mode"} 41415 } 41416 ev.Splice.File.FileFields.Mode = uint16(rv) 41417 return nil 41418 case "splice.file.uid": 41419 rv, ok := value.(int) 41420 if !ok { 41421 return &eval.ErrValueTypeMismatch{Field: "Splice.File.FileFields.UID"} 41422 } 41423 ev.Splice.File.FileFields.UID = uint32(rv) 41424 return nil 41425 case "splice.file.user": 41426 rv, ok := value.(string) 41427 if !ok { 41428 return &eval.ErrValueTypeMismatch{Field: "Splice.File.FileFields.User"} 41429 } 41430 ev.Splice.File.FileFields.User = rv 41431 return nil 41432 case "splice.pipe_entry_flag": 41433 rv, ok := value.(int) 41434 if !ok { 41435 return &eval.ErrValueTypeMismatch{Field: "Splice.PipeEntryFlag"} 41436 } 41437 ev.Splice.PipeEntryFlag = uint32(rv) 41438 return nil 41439 case "splice.pipe_exit_flag": 41440 rv, ok := value.(int) 41441 if !ok { 41442 return &eval.ErrValueTypeMismatch{Field: "Splice.PipeExitFlag"} 41443 } 41444 ev.Splice.PipeExitFlag = uint32(rv) 41445 return nil 41446 case "splice.retval": 41447 rv, ok := value.(int) 41448 
if !ok { 41449 return &eval.ErrValueTypeMismatch{Field: "Splice.SyscallEvent.Retval"} 41450 } 41451 ev.Splice.SyscallEvent.Retval = int64(rv) 41452 return nil 41453 case "unlink.file.change_time": 41454 rv, ok := value.(int) 41455 if !ok { 41456 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.FileFields.CTime"} 41457 } 41458 ev.Unlink.File.FileFields.CTime = uint64(rv) 41459 return nil 41460 case "unlink.file.filesystem": 41461 rv, ok := value.(string) 41462 if !ok { 41463 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.Filesystem"} 41464 } 41465 ev.Unlink.File.Filesystem = rv 41466 return nil 41467 case "unlink.file.gid": 41468 rv, ok := value.(int) 41469 if !ok { 41470 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.FileFields.GID"} 41471 } 41472 ev.Unlink.File.FileFields.GID = uint32(rv) 41473 return nil 41474 case "unlink.file.group": 41475 rv, ok := value.(string) 41476 if !ok { 41477 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.FileFields.Group"} 41478 } 41479 ev.Unlink.File.FileFields.Group = rv 41480 return nil 41481 case "unlink.file.hashes": 41482 switch rv := value.(type) { 41483 case string: 41484 ev.Unlink.File.Hashes = append(ev.Unlink.File.Hashes, rv) 41485 case []string: 41486 ev.Unlink.File.Hashes = append(ev.Unlink.File.Hashes, rv...) 
41487 default: 41488 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.Hashes"} 41489 } 41490 return nil 41491 case "unlink.file.in_upper_layer": 41492 rv, ok := value.(bool) 41493 if !ok { 41494 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.FileFields.InUpperLayer"} 41495 } 41496 ev.Unlink.File.FileFields.InUpperLayer = rv 41497 return nil 41498 case "unlink.file.inode": 41499 rv, ok := value.(int) 41500 if !ok { 41501 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.FileFields.PathKey.Inode"} 41502 } 41503 ev.Unlink.File.FileFields.PathKey.Inode = uint64(rv) 41504 return nil 41505 case "unlink.file.mode": 41506 rv, ok := value.(int) 41507 if !ok { 41508 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.FileFields.Mode"} 41509 } 41510 ev.Unlink.File.FileFields.Mode = uint16(rv) 41511 return nil 41512 case "unlink.file.modification_time": 41513 rv, ok := value.(int) 41514 if !ok { 41515 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.FileFields.MTime"} 41516 } 41517 ev.Unlink.File.FileFields.MTime = uint64(rv) 41518 return nil 41519 case "unlink.file.mount_id": 41520 rv, ok := value.(int) 41521 if !ok { 41522 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.FileFields.PathKey.MountID"} 41523 } 41524 ev.Unlink.File.FileFields.PathKey.MountID = uint32(rv) 41525 return nil 41526 case "unlink.file.name": 41527 rv, ok := value.(string) 41528 if !ok { 41529 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.BasenameStr"} 41530 } 41531 ev.Unlink.File.BasenameStr = rv 41532 return nil 41533 case "unlink.file.name.length": 41534 return &eval.ErrFieldReadOnly{Field: "unlink.file.name.length"} 41535 case "unlink.file.package.name": 41536 rv, ok := value.(string) 41537 if !ok { 41538 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.PkgName"} 41539 } 41540 ev.Unlink.File.PkgName = rv 41541 return nil 41542 case "unlink.file.package.source_version": 41543 rv, ok := value.(string) 41544 if !ok { 41545 return 
&eval.ErrValueTypeMismatch{Field: "Unlink.File.PkgSrcVersion"} 41546 } 41547 ev.Unlink.File.PkgSrcVersion = rv 41548 return nil 41549 case "unlink.file.package.version": 41550 rv, ok := value.(string) 41551 if !ok { 41552 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.PkgVersion"} 41553 } 41554 ev.Unlink.File.PkgVersion = rv 41555 return nil 41556 case "unlink.file.path": 41557 rv, ok := value.(string) 41558 if !ok { 41559 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.PathnameStr"} 41560 } 41561 ev.Unlink.File.PathnameStr = rv 41562 return nil 41563 case "unlink.file.path.length": 41564 return &eval.ErrFieldReadOnly{Field: "unlink.file.path.length"} 41565 case "unlink.file.rights": 41566 rv, ok := value.(int) 41567 if !ok { 41568 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.FileFields.Mode"} 41569 } 41570 ev.Unlink.File.FileFields.Mode = uint16(rv) 41571 return nil 41572 case "unlink.file.uid": 41573 rv, ok := value.(int) 41574 if !ok { 41575 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.FileFields.UID"} 41576 } 41577 ev.Unlink.File.FileFields.UID = uint32(rv) 41578 return nil 41579 case "unlink.file.user": 41580 rv, ok := value.(string) 41581 if !ok { 41582 return &eval.ErrValueTypeMismatch{Field: "Unlink.File.FileFields.User"} 41583 } 41584 ev.Unlink.File.FileFields.User = rv 41585 return nil 41586 case "unlink.flags": 41587 rv, ok := value.(int) 41588 if !ok { 41589 return &eval.ErrValueTypeMismatch{Field: "Unlink.Flags"} 41590 } 41591 ev.Unlink.Flags = uint32(rv) 41592 return nil 41593 case "unlink.retval": 41594 rv, ok := value.(int) 41595 if !ok { 41596 return &eval.ErrValueTypeMismatch{Field: "Unlink.SyscallEvent.Retval"} 41597 } 41598 ev.Unlink.SyscallEvent.Retval = int64(rv) 41599 return nil 41600 case "unload_module.name": 41601 rv, ok := value.(string) 41602 if !ok { 41603 return &eval.ErrValueTypeMismatch{Field: "UnloadModule.Name"} 41604 } 41605 ev.UnloadModule.Name = rv 41606 return nil 41607 case 
"unload_module.retval": 41608 rv, ok := value.(int) 41609 if !ok { 41610 return &eval.ErrValueTypeMismatch{Field: "UnloadModule.SyscallEvent.Retval"} 41611 } 41612 ev.UnloadModule.SyscallEvent.Retval = int64(rv) 41613 return nil 41614 case "utimes.file.change_time": 41615 rv, ok := value.(int) 41616 if !ok { 41617 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.FileFields.CTime"} 41618 } 41619 ev.Utimes.File.FileFields.CTime = uint64(rv) 41620 return nil 41621 case "utimes.file.filesystem": 41622 rv, ok := value.(string) 41623 if !ok { 41624 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.Filesystem"} 41625 } 41626 ev.Utimes.File.Filesystem = rv 41627 return nil 41628 case "utimes.file.gid": 41629 rv, ok := value.(int) 41630 if !ok { 41631 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.FileFields.GID"} 41632 } 41633 ev.Utimes.File.FileFields.GID = uint32(rv) 41634 return nil 41635 case "utimes.file.group": 41636 rv, ok := value.(string) 41637 if !ok { 41638 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.FileFields.Group"} 41639 } 41640 ev.Utimes.File.FileFields.Group = rv 41641 return nil 41642 case "utimes.file.hashes": 41643 switch rv := value.(type) { 41644 case string: 41645 ev.Utimes.File.Hashes = append(ev.Utimes.File.Hashes, rv) 41646 case []string: 41647 ev.Utimes.File.Hashes = append(ev.Utimes.File.Hashes, rv...) 
41648 default: 41649 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.Hashes"} 41650 } 41651 return nil 41652 case "utimes.file.in_upper_layer": 41653 rv, ok := value.(bool) 41654 if !ok { 41655 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.FileFields.InUpperLayer"} 41656 } 41657 ev.Utimes.File.FileFields.InUpperLayer = rv 41658 return nil 41659 case "utimes.file.inode": 41660 rv, ok := value.(int) 41661 if !ok { 41662 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.FileFields.PathKey.Inode"} 41663 } 41664 ev.Utimes.File.FileFields.PathKey.Inode = uint64(rv) 41665 return nil 41666 case "utimes.file.mode": 41667 rv, ok := value.(int) 41668 if !ok { 41669 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.FileFields.Mode"} 41670 } 41671 ev.Utimes.File.FileFields.Mode = uint16(rv) 41672 return nil 41673 case "utimes.file.modification_time": 41674 rv, ok := value.(int) 41675 if !ok { 41676 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.FileFields.MTime"} 41677 } 41678 ev.Utimes.File.FileFields.MTime = uint64(rv) 41679 return nil 41680 case "utimes.file.mount_id": 41681 rv, ok := value.(int) 41682 if !ok { 41683 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.FileFields.PathKey.MountID"} 41684 } 41685 ev.Utimes.File.FileFields.PathKey.MountID = uint32(rv) 41686 return nil 41687 case "utimes.file.name": 41688 rv, ok := value.(string) 41689 if !ok { 41690 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.BasenameStr"} 41691 } 41692 ev.Utimes.File.BasenameStr = rv 41693 return nil 41694 case "utimes.file.name.length": 41695 return &eval.ErrFieldReadOnly{Field: "utimes.file.name.length"} 41696 case "utimes.file.package.name": 41697 rv, ok := value.(string) 41698 if !ok { 41699 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.PkgName"} 41700 } 41701 ev.Utimes.File.PkgName = rv 41702 return nil 41703 case "utimes.file.package.source_version": 41704 rv, ok := value.(string) 41705 if !ok { 41706 return 
&eval.ErrValueTypeMismatch{Field: "Utimes.File.PkgSrcVersion"} 41707 } 41708 ev.Utimes.File.PkgSrcVersion = rv 41709 return nil 41710 case "utimes.file.package.version": 41711 rv, ok := value.(string) 41712 if !ok { 41713 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.PkgVersion"} 41714 } 41715 ev.Utimes.File.PkgVersion = rv 41716 return nil 41717 case "utimes.file.path": 41718 rv, ok := value.(string) 41719 if !ok { 41720 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.PathnameStr"} 41721 } 41722 ev.Utimes.File.PathnameStr = rv 41723 return nil 41724 case "utimes.file.path.length": 41725 return &eval.ErrFieldReadOnly{Field: "utimes.file.path.length"} 41726 case "utimes.file.rights": 41727 rv, ok := value.(int) 41728 if !ok { 41729 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.FileFields.Mode"} 41730 } 41731 ev.Utimes.File.FileFields.Mode = uint16(rv) 41732 return nil 41733 case "utimes.file.uid": 41734 rv, ok := value.(int) 41735 if !ok { 41736 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.FileFields.UID"} 41737 } 41738 ev.Utimes.File.FileFields.UID = uint32(rv) 41739 return nil 41740 case "utimes.file.user": 41741 rv, ok := value.(string) 41742 if !ok { 41743 return &eval.ErrValueTypeMismatch{Field: "Utimes.File.FileFields.User"} 41744 } 41745 ev.Utimes.File.FileFields.User = rv 41746 return nil 41747 case "utimes.retval": 41748 rv, ok := value.(int) 41749 if !ok { 41750 return &eval.ErrValueTypeMismatch{Field: "Utimes.SyscallEvent.Retval"} 41751 } 41752 ev.Utimes.SyscallEvent.Retval = int64(rv) 41753 return nil 41754 } 41755 return &eval.ErrFieldNotFound{Field: field} 41756 }