@@ -12,59 +12,50 @@ import (
1212
1313// Event is a single result of an ebpf event process. It is used as a payload later delivered to tracee-rules.
1414type Event struct {
15- Timestamp int `json:"timestamp"`
16- ThreadStartTime int `json:"threadStartTime"`
17- ProcessorID int `json:"processorId"`
18- ProcessID int `json:"processId"`
19- CgroupID uint `json:"cgroupId"`
20- ThreadID int `json:"threadId"`
21- ParentProcessID int `json:"parentProcessId"`
22- HostProcessID int `json:"hostProcessId"`
23- HostThreadID int `json:"hostThreadId"`
24- HostParentProcessID int `json:"hostParentProcessId"`
25- UserID int `json:"userId"`
26- MountNS int `json:"mountNamespace"`
27- PIDNS int `json:"pidNamespace"`
28- ProcessName string `json:"processName"`
29- HostName string `json:"hostName"`
30- ContainerID string `json:"containerId"`
31- ContainerImage string `json:"containerImage"`
32- ContainerName string `json:"containerName"`
33- PodName string `json:"podName"`
34- PodNamespace string `json:"podNamespace"`
35- PodUID string `json:"podUID"`
36- EventID int `json:"eventId,string"`
37- EventName string `json:"eventName"`
38- ArgsNum int `json:"argsNum"`
39- ReturnValue int `json:"returnValue"`
40- StackAddresses []uint64 `json:"stackAddresses"`
41- ContextFlags ContextFlags `json:"contextFlags"`
42- Args []Argument `json:"args"` //Arguments are ordered according their appearance in the original event
43- }
44-
45- // ContextFlags are flags representing event context
46- type ContextFlags struct {
47- ContainerStarted bool `json:"containerStarted"`
15+ Timestamp int `json:"timestamp"`
16+ ThreadStartTime int `json:"threadStartTime"`
17+ ProcessorID int `json:"processorId"`
18+ ProcessID int `json:"processId"`
19+ CgroupID uint `json:"cgroupId"`
20+ ThreadID int `json:"threadId"`
21+ ParentProcessID int `json:"parentProcessId"`
22+ HostProcessID int `json:"hostProcessId"`
23+ HostThreadID int `json:"hostThreadId"`
24+ HostParentProcessID int `json:"hostParentProcessId"`
25+ UserID int `json:"userId"`
26+ MountNS int `json:"mountNamespace"`
27+ PIDNS int `json:"pidNamespace"`
28+ ProcessName string `json:"processName"`
29+ HostName string `json:"hostName"`
30+ ContainerID string `json:"containerId"`
31+ ContainerImage string `json:"containerImage"`
32+ ContainerName string `json:"containerName"`
33+ PodName string `json:"podName"`
34+ PodNamespace string `json:"podNamespace"`
35+ PodUID string `json:"podUID"`
36+ EventID int `json:"eventId,string"`
37+ EventName string `json:"eventName"`
38+ ArgsNum int `json:"argsNum"`
39+ ReturnValue int `json:"returnValue"`
40+ StackAddresses []uint64 `json:"stackAddresses"`
41+ Args []Argument `json:"args"` //Arguments are ordered according their appearance in the original event
4842}
4943
5044// EventOrigin is where a trace.Event occured, it can either be from the host machine or from a container
5145type EventOrigin string
5246
5347const (
54- ContainerOrigin EventOrigin = "container" // Events originated from within a container, starting with the entry-point execution
55- HostOrigin EventOrigin = "host" // Events originated from the host
56- ContainerInitOrigin EventOrigin = "container-init" // Events originated from within container, before entry-point execution
48+ ContainerOrigin EventOrigin = "container"
49+ HostOrigin EventOrigin = "host"
5750)
5851
59- // Origin derive the EventOrigin of a trace.Event
52+ // Derive the EventOrigin of a trace.Event
6053func (e Event ) Origin () EventOrigin {
61- if e .ContextFlags . ContainerStarted {
54+ if e .ContainerID != "" || e . ProcessID != e . HostProcessID {
6255 return ContainerOrigin
56+ } else {
57+ return HostOrigin
6358 }
64- if e .ContainerID != "" {
65- return ContainerInitOrigin
66- }
67- return HostOrigin
6859}
6960
7061const (
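Review bot: The PID comparison in the new Origin body labels any event whose ProcessID differs from HostProcessID as ContainerOrigin, so a host process running in its own PID namespace with an empty ContainerID is reported as `container`; tracee-rules consumes this value, so if that fallback is intended it should be stated rather than left implicit. The doc comment also no longer starts with the function name as Go tooling expects; suggested wording: `// Origin derives the EventOrigin of a trace.Event: a non-empty ContainerID, or a ProcessID that differs from HostProcessID (a non-host PID namespace), is treated as ContainerOrigin, otherwise HostOrigin.` The `else` after a terminating return can go: `if e.ContainerID != "" || e.ProcessID != e.HostProcessID { return ContainerOrigin }` followed by `return HostOrigin`.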