events/derive: simplify files

Refactor includes multiple simplifcations to the event derivation code:
1. Merge events/derive.go and derive_test.go to events/derive/derive.go.
2. Simplify and rewrite names and comments across the package.
3. Move errors to an errors.go file

Author: NDStrahilevitz

pkg/ebpf/events_derived.go

@@ -23,47 +23,47 @@ func (t *Tracee) initDerivationTable() error {
 	pathResolver := containers.InitPathResolver(&t.pidsInMntns)
 	soLoader := sharedobjs.InitContainersSymbolsLoader(&pathResolver, 1024)
 
-	t.eventDerivations = events.DerivationTable{
+	t.eventDerivations = derive.Table{
 		events.CgroupMkdir: {
 			events.ContainerCreate: {
-				Enabled:  t.events[events.ContainerCreate].submit,
-				Function: derive.ContainerCreate(t.containers),
+				Enabled:        t.events[events.ContainerCreate].submit,
+				DeriveFunction: derive.ContainerCreate(t.containers),
 			},
 		},
 		events.CgroupRmdir: {
 			events.ContainerRemove: {
-				Enabled:  t.events[events.ContainerRemove].submit,
-				Function: derive.ContainerRemove(t.containers),
+				Enabled:        t.events[events.ContainerRemove].submit,
+				DeriveFunction: derive.ContainerRemove(t.containers),
 			},
 		},
 		events.PrintSyscallTable: {
 			events.HookedSyscalls: {
-				Enabled:  t.events[events.PrintSyscallTable].submit,
-				Function: derive.DetectHookedSyscall(t.kernelSymbols),
+				Enabled:        t.events[events.PrintSyscallTable].submit,
+				DeriveFunction: derive.DetectHookedSyscall(t.kernelSymbols),
 			},
 		},
 		events.DnsRequest: {
 			events.NetPacket: {
-				Enabled:  t.events[events.NetPacket].submit,
-				Function: derive.NetPacket(),
+				Enabled:        t.events[events.NetPacket].submit,
+				DeriveFunction: derive.NetPacket(),
 			},
 		},
 		events.DnsResponse: {
 			events.NetPacket: {
-				Enabled:  t.events[events.NetPacket].submit,
-				Function: derive.NetPacket(),
+				Enabled:        t.events[events.NetPacket].submit,
+				DeriveFunction: derive.NetPacket(),
 			},
 		},
 		events.PrintNetSeqOps: {
 			events.HookedSeqOps: {
-				Enabled:  t.events[events.HookedSeqOps].submit,
-				Function: derive.HookedSeqOps(t.kernelSymbols),
+				Enabled:        t.events[events.HookedSeqOps].submit,
+				DeriveFunction: derive.HookedSeqOps(t.kernelSymbols),
 			},
 		},
 		events.SharedObjectLoaded: {
 			events.SymbolsLoaded: {
 				Enabled: t.events[events.SymbolsLoaded].submit,
-				Function: derive.SymbolsLoaded(
+				DeriveFunction: derive.SymbolsLoaded(
 					soLoader,
 					t.config.Filter.ArgFilter.Filters[events.SymbolsLoaded]["symbols"].Equal,
 					t.config.Filter.ArgFilter.Filters[events.SymbolsLoaded]["library_path"].NotEqual,
@@ -91,7 +91,7 @@ func (t *Tracee) deriveEvents(ctx context.Context, in <-chan *trace.Event) (<-ch
 				out <- event
 
 				// Derive event before parse its arguments
-				derivatives, errors := events.Derive(*event, t.eventDerivations)
+				derivatives, errors := derive.DeriveEvent(*event, t.eventDerivations)
 
 				for _, err := range errors {
 					t.handleError(err)

pkg/ebpf/net_events.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/aquasecurity/tracee/pkg/bufferdecoder"
 	"github.com/aquasecurity/tracee/pkg/events"
+	"github.com/aquasecurity/tracee/pkg/events/derive"
 	"github.com/aquasecurity/tracee/pkg/procinfo"
 	"github.com/aquasecurity/tracee/pkg/utils"
 	"github.com/google/gopacket"
@@ -251,7 +252,7 @@ func (t *Tracee) processNetEvents(ctx gocontext.Context) {
 					}
 
 					// derive events chosen by the user
-					derivatives, errors := events.Derive(evt, t.eventDerivations)
+					derivatives, errors := derive.DeriveEvent(evt, t.eventDerivations)
 
 					for _, err := range errors {
 						t.handleError(err)

pkg/ebpf/tracee.go

@@ -201,7 +201,7 @@ type Tracee struct {
 	containers        *containers.Containers
 	procInfo          *procinfo.ProcInfo
 	eventsSorter      *sorting.EventsChronologicalSorter
-	eventDerivations  events.DerivationTable
+	eventDerivations  derive.Table
 	kernelSymbols     *helpers.KernelSymbolTable
 	triggerContexts   trigger.Context
 	running           bool

pkg/events/derive.go

@@ -9,8 +9,8 @@ import (
 
 // ContainerCreate receives a containers as a closure argument to track it's containers.
 // If it receives a cgroup_mkdir event, it can derive a container_create event from it.
-func ContainerCreate(containers *containers.Containers) events.DeriveFunction {
-	return singleEventDeriveFunc(events.ContainerCreate, deriveContainerCreateArgs(containers))
+func ContainerCreate(containers *containers.Containers) deriveFunction {
+	return deriveSingleEvent(events.ContainerCreate, deriveContainerCreateArgs(containers))
 }
 
 func deriveContainerCreateArgs(containers *containers.Containers) func(event trace.Event) ([]interface{}, error) {

pkg/events/derive/container_create.go

@@ -9,8 +9,8 @@ import (
 
 // ContainerRemove receives a containers.Containers object as a closure argument to track it's containers.
 // If it receives a cgroup_rmdir event, it can derive a container_remove event from it.
-func ContainerRemove(containers *containers.Containers) events.DeriveFunction {
-	return singleEventDeriveFunc(events.ContainerRemove, deriveContainerRemoveArgs(containers))
+func ContainerRemove(containers *containers.Containers) deriveFunction {
+	return deriveSingleEvent(events.ContainerRemove, deriveContainerRemoveArgs(containers))
 }
 
 func deriveContainerRemoveArgs(containers *containers.Containers) deriveArgsFunction {

pkg/events/derive/container_remove.go

@@ -1,55 +1,81 @@
 package derive
 
 import (
-	"fmt"
-
 	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/types/trace"
 )
 
-// Use as static variable for testability reasons
-var getEventDefFunc = events.Definitions.Get
+// deriveFunction is a function prototype for a function that receives an event as
+// argument and may produce a new event if relevant.
+// It returns a derived or empty event, depending on successful derivation,
+// and an error if one occurred.
+type deriveFunction func(trace.Event) ([]trace.Event, []error)
+
+// Table defines a table between events and events they can be derived into corresponding to a deriveFunction
+// The Enabled flag is used in order to skip derivation of unneeded events.
+type Table map[events.ID]map[events.ID]struct {
+	DeriveFunction deriveFunction
+	Enabled        bool
+}
 
-// eventSkeleton is a struct for the necessary information from an event definition to create the derived event
-type eventSkeleton struct {
+// DeriveEvent takes a trace.Event and checks if it can derive additional events from it as defined by a derivationTable.
+func DeriveEvent(event trace.Event, derivationTable Table) ([]trace.Event, []error) {
+	derivatives := []trace.Event{}
+	errors := []error{}
+	deriveFns := derivationTable[events.ID(event.EventID)]
+	for id, deriveFn := range deriveFns {
+		if deriveFn.Enabled {
+			derivative, errs := deriveFn.DeriveFunction(event)
+			for _, err := range errs {
+				errors = append(errors, deriveError(id, err))
+			}
+			derivatives = append(derivatives, derivative...)
+		}
+	}
+
+	return derivatives, errors
+}
+
+// deriveBase is a struct for the necessary information from an event definition to create a derived event
+type deriveBase struct {
 	Name   string
 	ID     int
 	Params []trace.ArgMeta
 }
 
-// deriveArgsFunction is the main logic of the derived event.
-// It checks the event and produce the arguments of the derived event.
-// If no event is derived, then the returned args should equal `nil`.
+// deriveArgsFunction defines the logic of deriving an Event.
+// It checks the base event and produces arguments for the derived event.
+// If an event can't be derived, the returned arguments should be nil.
 type deriveArgsFunction func(event trace.Event) ([]interface{}, error)
 
-// singleEventDeriveFunc create an events.DeriveFunction to generate a single derive trace.Event.
-// The event will be created using the original event information, the ID given and the arguments given.
-// The order of the arguments given will match the order in the event definition, so make sure the order match
-// the order of the params in the events.event struct of the event under events.Definitions.
-// If the arguments given is nil, than no event will be derived.
-func singleEventDeriveFunc(id events.ID, deriveArgsFunc deriveArgsFunction) events.DeriveFunction {
-	skeleton := makeEventSkeleton(id)
+// deriveSingleEvent create an deriveFunction which generates a single derive trace.Event.
+// The event will be created using the original event information, the ID given and resulting
+// arguments from the function.
+// The arguments will be inserted in order, so they should match the resulting definition argument order.
+// If the returned arguments are nil - no event will be derived.
+func deriveSingleEvent(id events.ID, deriveArgs deriveArgsFunction) deriveFunction {
+	skeleton := makeDeriveBase(id)
 	return func(event trace.Event) ([]trace.Event, []error) {
-		args, err := deriveArgsFunc(event)
+		args, err := deriveArgs(event)
 		if err != nil {
 			return nil, []error{err}
 		}
 		if args == nil {
 			return []trace.Event{}, nil
 		}
-		de, err := newEvent(&event, skeleton, args)
+		de, err := buildDerivedEvent(&event, skeleton, args)
 		if err != nil {
 			return []trace.Event{}, []error{err}
 		}
 		return []trace.Event{de}, nil
 	}
 }
 
-// newEvent create a new derived event from given event values, adjusted by the derived event skeleton meta-data.
+// buildDerivedEvent create a new derived event from given event values, adjusted by the derived event skeleton meta-data.
 // This method enables using the context of the base event, but with the new arguments and meta-data of the derived one.
-func newEvent(baseEvent *trace.Event, skeleton eventSkeleton, argsValues []interface{}) (trace.Event, error) {
+func buildDerivedEvent(baseEvent *trace.Event, skeleton deriveBase, argsValues []interface{}) (trace.Event, error) {
 	if len(skeleton.Params) != len(argsValues) {
-		return trace.Event{}, fmt.Errorf("error while building derived event '%s' - expected %d arguments but given %d", skeleton.Name, len(skeleton.Params), len(argsValues))
+		return trace.Event{}, unexpectedArgCountError(skeleton.Name, len(skeleton.Params), len(argsValues))
 	}
 	de := *baseEvent
 	de.EventID = skeleton.ID
@@ -64,9 +90,12 @@ func newEvent(baseEvent *trace.Event, skeleton eventSkeleton, argsValues []inter
 	return de, nil
 }
 
-func makeEventSkeleton(eventID events.ID) eventSkeleton {
-	def := getEventDefFunc(eventID)
-	return eventSkeleton{
+// store as static variable for mocking in tests
+var getEventDefinition = events.Definitions.Get
+
+func makeDeriveBase(eventID events.ID) deriveBase {
+	def := getEventDefinition(eventID)
+	return deriveBase{
 		Name:   def.Name,
 		ID:     int(eventID),
 		Params: def.Params,