From 2c74ffa13c0ecef7a9d1b3a4f811284f1a07daff Mon Sep 17 00:00:00 2001 From: Ori Glassman Date: Mon, 5 Aug 2024 15:49:54 +0300 Subject: [PATCH] feat(ebpf): make process_execute_failed not rely on sys_enter/exit --- api/v1beta1/event.proto | 2 +- .../builtin/extra/process_execute_failed.md | 2 +- pkg/ebpf/c/tracee.bpf.c | 80 ++++---- pkg/ebpf/c/types.h | 4 +- pkg/ebpf/probes/probe_group.go | 1 - pkg/ebpf/probes/probes.go | 1 - pkg/ebpf/tracee.go | 2 +- pkg/events/core.go | 44 ++--- pkg/events/derive/process_execute_failed.go | 35 ++-- pkg/server/grpc/tracee.go | 172 +++++++++--------- 10 files changed, 169 insertions(+), 174 deletions(-) diff --git a/api/v1beta1/event.proto b/api/v1beta1/event.proto index a70daef13744..9a3e894a0c87 100644 --- a/api/v1beta1/event.proto +++ b/api/v1beta1/event.proto @@ -547,7 +547,7 @@ enum EventId { module_load = 1082; module_free = 1083; execute_finished = 1084; - security_bprm_creds_for_exec = 1085; + process_execute_failed_internal = 1085; // Events originated from user-space net_packet_ipv4 = 2000; diff --git a/docs/docs/events/builtin/extra/process_execute_failed.md b/docs/docs/events/builtin/extra/process_execute_failed.md index 988fdb271f18..4032b4740491 100644 --- a/docs/docs/events/builtin/extra/process_execute_failed.md +++ b/docs/docs/events/builtin/extra/process_execute_failed.md @@ -56,7 +56,7 @@ Relevant from kernel version 5.8 onwards, matching the `security_bprm_creds_for_ ## Example Use Case ```console -./tracee -e process_execution_failed +./tracee -e process_execute_failed ``` ## Issues diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c index d364de379872..af729dcebd7e 100644 --- a/pkg/ebpf/c/tracee.bpf.c +++ b/pkg/ebpf/c/tracee.bpf.c @@ -4950,7 +4950,8 @@ statfunc int submit_process_execute_failed(struct pt_regs *ctx, program_data_t * return -1; } -statfunc int execute_failed_tail1(struct pt_regs *ctx, u32 tail_call_id) +SEC("kprobe/execute_failed_tail1") +int execute_failed_tail1(struct pt_regs *ctx) { program_data_t p = {}; if (!init_tailcall_program_data(&p, ctx)) @@ -4968,75 +4969,50 @@ statfunc int execute_failed_tail1(struct pt_regs *ctx, u32 tail_call_id) int kernel_invoked = (get_task_parent_flags(task) & PF_KTHREAD) ? 1 : 0; save_to_submit_buf(&p.event->args_buf, &kernel_invoked, sizeof(int), 9); - bpf_tail_call(ctx, &prog_array, tail_call_id); + bpf_tail_call(ctx, &prog_array, TAIL_PROCESS_EXECUTE_FAILED2); return -1; } -statfunc int execute_failed_tail2(struct pt_regs *ctx) +SEC("kprobe/execute_failed_tail2") +int execute_failed_tail2(struct pt_regs *ctx) { program_data_t p = {}; if (!init_tailcall_program_data(&p, ctx)) return -1; - syscall_data_t *sys = &p.task_info->syscall_data; - save_str_arr_to_buf( - &p.event->args_buf, (const char *const *) sys->args.args[1], 10); // userspace argv + struct pt_regs *task_regs = get_task_pt_regs((struct task_struct *) bpf_get_current_task()); + u64 argv = PT_REGS_PARM2_CORE_SYSCALL(task_regs); + u64 envp = PT_REGS_PARM3_CORE_SYSCALL(task_regs); + save_str_arr_to_buf(&p.event->args_buf, (const char *const *) argv, 10); // userspace argv if (p.config->options & OPT_EXEC_ENV) { - save_str_arr_to_buf( - &p.event->args_buf, (const char *const *) sys->args.args[2], 11); // userspace envp + save_str_arr_to_buf(&p.event->args_buf, (const char *const *) envp, 11); // userspace envp } - int ret = PT_REGS_RC(ctx); // needs to be int - return events_perf_submit(&p, ret); + return events_perf_submit(&p, 0); } bool use_security_bprm_creds_for_exec = false; SEC("kprobe/exec_binprm") -TRACE_ENT_FUNC(exec_binprm, EXEC_BINPRM); - -SEC("kretprobe/exec_binprm") -int BPF_KPROBE(trace_ret_exec_binprm) +int BPF_KPROBE(trace_exec_binprm) { if (use_security_bprm_creds_for_exec) { return 0; } - args_t saved_args; - if (load_args(&saved_args, EXEC_BINPRM) != 0) { - // missed entry or not traced - return 0; - } - del_args(EXEC_BINPRM); - - int ret_val = PT_REGS_RC(ctx); - if (ret_val == 0) - return 0; // not interested of successful execution - for that we have sched_process_exec program_data_t p = {}; - if (!init_program_data(&p, ctx, PROCESS_EXECUTION_FAILED)) + if (!init_program_data(&p, ctx, PROCESS_EXECUTE_FAILED_INTERNAL)) return 0; return submit_process_execute_failed(ctx, &p); } -SEC("kretprobe/trace_execute_failed1") -int BPF_KPROBE(trace_execute_failed1) -{ - return execute_failed_tail1(ctx, TAIL_PROCESS_EXECUTE_FAILED2); -} - -SEC("kretprobe/trace_execute_failed2") -int BPF_KPROBE(trace_execute_failed2) -{ - return execute_failed_tail2(ctx); -} - SEC("kprobe/security_bprm_creds_for_exec") int BPF_KPROBE(trace_security_bprm_creds_for_exec) { use_security_bprm_creds_for_exec = true; program_data_t p = {}; - if (!init_program_data(&p, ctx, SECURITY_BPRM_CREDS_FOR_EXEC)) + if (!init_program_data(&p, ctx, PROCESS_EXECUTE_FAILED_INTERNAL)) return 0; return submit_process_execute_failed(ctx, &p); } @@ -5051,6 +5027,34 @@ int BPF_KPROBE(trace_execute_finished) if (!evaluate_scope_filters(&p)) return 0; + // We can enrich the event with user provided arguments. If we have kernelspace arguments, + // the userspace arguments will be discarded. + struct pt_regs *task_regs = get_task_pt_regs((struct task_struct *) bpf_get_current_task()); + u64 argv, envp; + void *path; + + if (p.event->context.syscall == SYSCALL_EXECVEAT) { // TODO: what about compat? + int dirfd = PT_REGS_PARM1_CORE_SYSCALL(task_regs); + path = (void *) PT_REGS_PARM2_CORE_SYSCALL(task_regs); + argv = PT_REGS_PARM3_CORE_SYSCALL(task_regs); + envp = PT_REGS_PARM4_CORE_SYSCALL(task_regs); + int flags = PT_REGS_PARM5_CORE_SYSCALL(task_regs); + + // send args unique to execevat + save_to_submit_buf(&p.event->args_buf, &dirfd, sizeof(int), 0); + save_to_submit_buf(&p.event->args_buf, &flags, sizeof(int), 4); + } else { + path = (void *) PT_REGS_PARM1_CORE_SYSCALL(task_regs); + argv = PT_REGS_PARM2_CORE_SYSCALL(task_regs); + envp = PT_REGS_PARM3_CORE_SYSCALL(task_regs); + } + + save_str_to_buf(&p.event->args_buf, path, 1); + save_str_arr_to_buf(&p.event->args_buf, (const char *const *) argv, 2); + if (p.config->options & OPT_EXEC_ENV) { + save_str_arr_to_buf(&p.event->args_buf, (const char *const *) envp, 3); + } + long exec_ret = PT_REGS_RC(ctx); return events_perf_submit(&p, exec_ret); } diff --git a/pkg/ebpf/c/types.h b/pkg/ebpf/c/types.h index 89aac425d9f4..bd6d9ae51834 100644 --- a/pkg/ebpf/c/types.h +++ b/pkg/ebpf/c/types.h @@ -121,14 +121,14 @@ enum event_id_e FILE_MODIFICATION, INOTIFY_WATCH, SECURITY_BPF_PROG, - PROCESS_EXECUTION_FAILED, + PROCESS_EXECUTE_FAILED, SECURITY_PATH_NOTIFY, SET_FS_PWD, HIDDEN_KERNEL_MODULE_SEEKER, MODULE_LOAD, MODULE_FREE, EXECUTE_FINISHED, - SECURITY_BPRM_CREDS_FOR_EXEC, + PROCESS_EXECUTE_FAILED_INTERNAL, SECURITY_TASK_SETRLIMIT, SECURITY_SETTIME64, MAX_EVENT_ID, diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go index dbf17ebff4d9..226621e1b277 100644 --- a/pkg/ebpf/probes/probe_group.go +++ b/pkg/ebpf/probes/probe_group.go @@ -202,7 +202,6 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err InotifyFindInodeRet: NewTraceProbe(KretProbe, "inotify_find_inode", "trace_ret_inotify_find_inode"), BpfCheck: NewTraceProbe(KProbe, "bpf_check", "trace_bpf_check"), ExecBinprm: NewTraceProbe(KProbe, "exec_binprm", "trace_exec_binprm"), - ExecBinprmRet: NewTraceProbe(KretProbe, "exec_binprm", "trace_ret_exec_binprm"), SecurityPathNotify: NewTraceProbe(KProbe, "security_path_notify", "trace_security_path_notify"), SecurityBprmCredsForExec: NewTraceProbe(KProbe, "security_bprm_creds_for_exec", "trace_security_bprm_creds_for_exec"), SetFsPwd: NewTraceProbe(KProbe, "set_fs_pwd", "trace_set_fs_pwd"), diff --git a/pkg/ebpf/probes/probes.go b/pkg/ebpf/probes/probes.go index 4117f863b6f6..02d3698a2da4 100644 --- a/pkg/ebpf/probes/probes.go +++ b/pkg/ebpf/probes/probes.go @@ -126,7 +126,6 @@ const ( InotifyFindInodeRet BpfCheck ExecBinprm - ExecBinprmRet SecurityPathNotify SecurityBprmCredsForExec SetFsPwd diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go index f182bdca5a46..b6f03492bcfe 100644 --- a/pkg/ebpf/tracee.go +++ b/pkg/ebpf/tracee.go @@ -781,7 +781,7 @@ func (t *Tracee) initDerivationTable() error { DeriveFunction: executeFailedGen.ProcessExecuteFailed(), }, }, - events.SecurityBprmCredsForExec: { + events.ProcessExecuteFailedInternal: { events.ProcessExecuteFailed: { Enabled: shouldSubmit(events.ProcessExecuteFailed), DeriveFunction: executeFailedGen.ProcessExecuteFailed(), diff --git a/pkg/events/core.go b/pkg/events/core.go index 5f1544137f49..6044b9f1769d 100644 --- a/pkg/events/core.go +++ b/pkg/events/core.go @@ -110,7 +110,7 @@ const ( ModuleLoad ModuleFree ExecuteFinished - SecurityBprmCredsForExec + ProcessExecuteFailedInternal SecurityTaskSetrlimit SecuritySettime64 MaxCommonID @@ -12943,25 +12943,34 @@ var CoreEvents = map[ID]Definition{ {handle: probes.ExecuteAtFinishedCompatARM, required: false}, }, }, + params: []trace.ArgMeta{ + {Type: "int", Name: "dirfd"}, + {Type: "const char*", Name: "pathname"}, + {Type: "const char*const*", Name: "argv"}, + {Type: "const char*const*", Name: "envp"}, + {Type: "int", Name: "flags"}, + }, }, - SecurityBprmCredsForExec: { - id: SecurityBprmCredsForExec, + ProcessExecuteFailedInternal: { + id: ProcessExecuteFailedInternal, id32Bit: Sys32Undefined, - name: "security_bprm_creds_for_exec", + name: "process_execute_failed_internal", version: NewVersion(1, 0, 0), sets: []string{"proc"}, internal: true, dependencies: Dependencies{ + ids: []ID{ExecuteFinished}, probes: []Probe{ + {handle: probes.ExecBinprm, required: false}, {handle: probes.SecurityBprmCredsForExec, required: false}, // TODO: Change to required once fallbacks are supported }, tailCalls: []TailCall{ - {"prog_array", "trace_execute_failed1", []uint32{TailProcessExecuteFailed1}}, - {"prog_array", "trace_execute_failed2", []uint32{TailProcessExecuteFailed2}}, + {"prog_array", "execute_failed_tail1", []uint32{TailProcessExecuteFailed1}}, + {"prog_array", "execute_failed_tail2", []uint32{TailProcessExecuteFailed2}}, }, }, params: []trace.ArgMeta{ - {Type: "const char*", Name: "path"}, + {Type: "const char*", Name: "pathname"}, {Type: "const char*", Name: "binary.path"}, {Type: "dev_t", Name: "binary.device_id"}, {Type: "unsigned long", Name: "binary.inode_number"}, @@ -12971,8 +12980,8 @@ var CoreEvents = map[ID]Definition{ {Type: "umode_t", Name: "stdin_type"}, {Type: "char*", Name: "stdin_path"}, {Type: "int", Name: "kernel_invoked"}, - {Type: "const char*const*", Name: "binary.arguments"}, - {Type: "const char*const*", Name: "environment"}, + {Type: "const char*const*", Name: "argv"}, + {Type: "const char*const*", Name: "envp"}, }, }, ProcessExecuteFailed: { @@ -12982,19 +12991,10 @@ var CoreEvents = map[ID]Definition{ version: NewVersion(1, 0, 0), sets: []string{"proc"}, dependencies: Dependencies{ - ids: []ID{ExecuteFinished, SecurityBprmCredsForExec}, // For kernel version >= 5.8 - probes: []Probe{ - {handle: probes.ExecBinprm, required: false}, - {handle: probes.ExecBinprmRet, required: false}, - {handle: probes.SyscallEnter__Internal, required: true}, - }, - tailCalls: []TailCall{ - {"prog_array", "trace_execute_failed1", []uint32{TailProcessExecuteFailed1}}, - {"prog_array", "trace_execute_failed2", []uint32{TailProcessExecuteFailed2}}, - }, + ids: []ID{ProcessExecuteFailedInternal}, }, params: []trace.ArgMeta{ - {Type: "const char*", Name: "path"}, + {Type: "const char*", Name: "pathname"}, {Type: "const char*", Name: "binary.path"}, {Type: "dev_t", Name: "binary.device_id"}, {Type: "unsigned long", Name: "binary.inode_number"}, @@ -13004,8 +13004,8 @@ var CoreEvents = map[ID]Definition{ {Type: "umode_t", Name: "stdin_type"}, {Type: "char*", Name: "stdin_path"}, {Type: "int", Name: "kernel_invoked"}, - {Type: "const char*const*", Name: "binary.arguments"}, - {Type: "const char*const*", Name: "environment"}, + {Type: "const char*const*", Name: "argv"}, + {Type: "const char*const*", Name: "envp"}, }, }, FtraceHook: { diff --git a/pkg/events/derive/process_execute_failed.go b/pkg/events/derive/process_execute_failed.go index 352f36fd8f30..8f6ec95e0106 100644 --- a/pkg/events/derive/process_execute_failed.go +++ b/pkg/events/derive/process_execute_failed.go @@ -2,7 +2,6 @@ package derive import ( "fmt" - lru "github.com/hashicorp/golang-lru/v2" "github.com/aquasecurity/tracee/pkg/events" @@ -64,7 +63,7 @@ func (gen *ExecFailedGenerator) deriveEvent(event *trace.Event) ( *trace.Event, error, ) { switch events.ID(event.EventID) { - case events.SecurityBprmCredsForExec: + case events.ProcessExecuteFailedInternal: return gen.handleExecBaseEvent(event) case events.ExecuteFinished: return gen.handleExecFinished(event) @@ -73,40 +72,34 @@ func (gen *ExecFailedGenerator) deriveEvent(event *trace.Event) ( } } -// handleExecFinished will derive the event if all the event parts were received. -// Else it will cache the finished exec info for future use. +// handleExecFinished will add info on top of base event unless events came out of order. Sends an event in any case. +// Should be simplified once events reach from kernel-space to user-space are ordered! func (gen *ExecFailedGenerator) handleExecFinished(event *trace.Event) (*trace.Event, error) { + defer gen.execEndInfo.Remove(event.HostProcessID) execInfo := execEndInfo{ returnCode: event.ReturnValue, timestamp: event.Timestamp, } + if !isFailedExec(execInfo.returnCode) { + + return nil, nil + } + + e := event securityExecEvent, ok := gen.baseEvents.Get(event.HostProcessID) if ok { - gen.execEndInfo.Remove(event.HostProcessID) - if !isFailedExec(execInfo.returnCode) { - return nil, nil - } - return gen.generateEvent(securityExecEvent, execInfo) + e = securityExecEvent // There is a base event to use, use it! } - gen.execEndInfo.Add(event.HostProcessID, execInfo) - return nil, nil + return gen.generateEvent(e, execInfo) } // handleExecBaseEvent will derive the event if the event parts were received, else will cache // the base event for future use func (gen *ExecFailedGenerator) handleExecBaseEvent(event *trace.Event) (*trace.Event, error) { - execInfo, ok := gen.execEndInfo.Get(event.HostProcessID) // We don't have the execution end info - cache current event and wait for it to be received // This is the expected flow, as the execution finished event come chronology after - if !ok { - gen.baseEvents.Add(event.HostProcessID, event) - return nil, nil - } - gen.execEndInfo.Remove(event.HostProcessID) - if !isFailedExec(execInfo.returnCode) { - return nil, nil - } - return gen.generateEvent(event, execInfo) + gen.baseEvents.Add(event.HostProcessID, event) + return nil, nil } // generateEvent create the ProcessExecuteFailed event from its parts diff --git a/pkg/server/grpc/tracee.go b/pkg/server/grpc/tracee.go index b3de279ca094..5e432f9f249e 100644 --- a/pkg/server/grpc/tracee.go +++ b/pkg/server/grpc/tracee.go @@ -470,92 +470,92 @@ var EventTranslationTable = [events.MaxBuiltinID]pb.EventId{ events.SchedRrGetInterval32: pb.EventId_sched_rr_get_interval_time32, // Common events translation section - events.NetPacketBase: pb.EventId_net_packet_base, - events.NetPacketIPBase: pb.EventId_net_packet_ip_base, - events.NetPacketTCPBase: pb.EventId_net_packet_tcp_base, - events.NetPacketUDPBase: pb.EventId_net_packet_udp_base, - events.NetPacketICMPBase: pb.EventId_net_packet_icmp_base, - events.NetPacketICMPv6Base: pb.EventId_net_packet_icmpv6_base, - events.NetPacketDNSBase: pb.EventId_net_packet_dns_base, - events.NetPacketHTTPBase: pb.EventId_net_packet_http_base, - events.NetPacketCapture: pb.EventId_net_packet_capture, - events.NetPacketFlow: pb.EventId_net_packet_flow, - events.MaxNetID: pb.EventId_max_net_id, - events.SysEnter: pb.EventId_sys_enter, - events.SysExit: pb.EventId_sys_exit, - events.SchedProcessFork: pb.EventId_sched_process_fork, - events.SchedProcessExec: pb.EventId_sched_process_exec, - events.SchedProcessExit: pb.EventId_sched_process_exit, - events.SchedSwitch: pb.EventId_sched_switch, - events.DoExit: pb.EventId_do_exit, - events.CapCapable: pb.EventId_cap_capable, - events.VfsWrite: pb.EventId_vfs_write, - events.VfsWritev: pb.EventId_vfs_writev, - events.VfsRead: pb.EventId_vfs_read, - events.VfsReadv: pb.EventId_vfs_readv, - events.MemProtAlert: pb.EventId_mem_prot_alert, - events.CommitCreds: pb.EventId_commit_creds, - events.SwitchTaskNS: pb.EventId_switch_task_ns, - events.MagicWrite: pb.EventId_magic_write, - events.CgroupAttachTask: pb.EventId_cgroup_attach_task, - events.CgroupMkdir: pb.EventId_cgroup_mkdir, - events.CgroupRmdir: pb.EventId_cgroup_rmdir, - events.SecurityBprmCheck: pb.EventId_security_bprm_check, - events.SecurityFileOpen: pb.EventId_security_file_open, - events.SecurityInodeUnlink: pb.EventId_security_inode_unlink, - events.SecuritySocketCreate: pb.EventId_security_socket_create, - events.SecuritySocketListen: pb.EventId_security_socket_listen, - events.SecuritySocketConnect: pb.EventId_security_socket_connect, - events.SecuritySocketAccept: pb.EventId_security_socket_accept, - events.SecuritySocketBind: pb.EventId_security_socket_bind, - events.SecuritySocketSetsockopt: pb.EventId_security_socket_setsockopt, - events.SecuritySbMount: pb.EventId_security_sb_mount, - events.SecurityBPF: pb.EventId_security_bpf, - events.SecurityBPFMap: pb.EventId_security_bpf_map, - events.SecurityKernelReadFile: pb.EventId_security_kernel_read_file, - events.SecurityInodeMknod: pb.EventId_security_inode_mknod, - events.SecurityPostReadFile: pb.EventId_security_post_read_file, - events.SecurityInodeSymlinkEventId: pb.EventId_security_inode_symlink_event_id, - events.SecurityMmapFile: pb.EventId_security_mmap_file, - events.SecurityFileMprotect: pb.EventId_security_file_mprotect, - events.SocketDup: pb.EventId_socket_dup, - events.HiddenInodes: pb.EventId_hidden_inodes, - events.KernelWrite: pb.EventId_kernel_write, - events.ProcCreate: pb.EventId_proc_create, - events.KprobeAttach: pb.EventId_kprobe_attach, - events.CallUsermodeHelper: pb.EventId_call_usermode_helper, - events.DirtyPipeSplice: pb.EventId_dirty_pipe_splice, - events.DebugfsCreateFile: pb.EventId_debugfs_create_file, - events.SyscallTableCheck: pb.EventId_syscall_table_check, - events.DebugfsCreateDir: pb.EventId_debugfs_create_dir, - events.DeviceAdd: pb.EventId_device_add, - events.RegisterChrdev: pb.EventId_register_chrdev, - events.SharedObjectLoaded: pb.EventId_shared_object_loaded, - events.DoInitModule: pb.EventId_do_init_module, - events.SocketAccept: pb.EventId_socket_accept, - events.LoadElfPhdrs: pb.EventId_load_elf_phdrs, - events.HookedProcFops: pb.EventId_hooked_proc_fops, - events.PrintNetSeqOps: pb.EventId_print_net_seq_ops, - events.TaskRename: pb.EventId_task_rename, - events.SecurityInodeRename: pb.EventId_security_inode_rename, - events.DoSigaction: pb.EventId_do_sigaction, - events.BpfAttach: pb.EventId_bpf_attach, - events.KallsymsLookupName: pb.EventId_kallsyms_lookup_name, - events.DoMmap: pb.EventId_do_mmap, - events.PrintMemDump: pb.EventId_print_mem_dump, - events.VfsUtimes: pb.EventId_vfs_utimes, - events.DoTruncate: pb.EventId_do_truncate, - events.FileModification: pb.EventId_file_modification, - events.InotifyWatch: pb.EventId_inotify_watch, - events.SecurityBpfProg: pb.EventId_security_bpf_prog, - events.ProcessExecuteFailed: pb.EventId_process_execute_failed, - events.SecurityPathNotify: pb.EventId_security_path_notify, - events.SetFsPwd: pb.EventId_set_fs_pwd, - events.HiddenKernelModuleSeeker: pb.EventId_hidden_kernel_module_seeker, - events.ModuleLoad: pb.EventId_module_load, - events.ModuleFree: pb.EventId_module_free, - events.ExecuteFinished: pb.EventId_execute_finished, - events.SecurityBprmCredsForExec: pb.EventId_security_bprm_creds_for_exec, + events.NetPacketBase: pb.EventId_net_packet_base, + events.NetPacketIPBase: pb.EventId_net_packet_ip_base, + events.NetPacketTCPBase: pb.EventId_net_packet_tcp_base, + events.NetPacketUDPBase: pb.EventId_net_packet_udp_base, + events.NetPacketICMPBase: pb.EventId_net_packet_icmp_base, + events.NetPacketICMPv6Base: pb.EventId_net_packet_icmpv6_base, + events.NetPacketDNSBase: pb.EventId_net_packet_dns_base, + events.NetPacketHTTPBase: pb.EventId_net_packet_http_base, + events.NetPacketCapture: pb.EventId_net_packet_capture, + events.NetPacketFlow: pb.EventId_net_packet_flow, + events.MaxNetID: pb.EventId_max_net_id, + events.SysEnter: pb.EventId_sys_enter, + events.SysExit: pb.EventId_sys_exit, + events.SchedProcessFork: pb.EventId_sched_process_fork, + events.SchedProcessExec: pb.EventId_sched_process_exec, + events.SchedProcessExit: pb.EventId_sched_process_exit, + events.SchedSwitch: pb.EventId_sched_switch, + events.DoExit: pb.EventId_do_exit, + events.CapCapable: pb.EventId_cap_capable, + events.VfsWrite: pb.EventId_vfs_write, + events.VfsWritev: pb.EventId_vfs_writev, + events.VfsRead: pb.EventId_vfs_read, + events.VfsReadv: pb.EventId_vfs_readv, + events.MemProtAlert: pb.EventId_mem_prot_alert, + events.CommitCreds: pb.EventId_commit_creds, + events.SwitchTaskNS: pb.EventId_switch_task_ns, + events.MagicWrite: pb.EventId_magic_write, + events.CgroupAttachTask: pb.EventId_cgroup_attach_task, + events.CgroupMkdir: pb.EventId_cgroup_mkdir, + events.CgroupRmdir: pb.EventId_cgroup_rmdir, + events.SecurityBprmCheck: pb.EventId_security_bprm_check, + events.SecurityFileOpen: pb.EventId_security_file_open, + events.SecurityInodeUnlink: pb.EventId_security_inode_unlink, + events.SecuritySocketCreate: pb.EventId_security_socket_create, + events.SecuritySocketListen: pb.EventId_security_socket_listen, + events.SecuritySocketConnect: pb.EventId_security_socket_connect, + events.SecuritySocketAccept: pb.EventId_security_socket_accept, + events.SecuritySocketBind: pb.EventId_security_socket_bind, + events.SecuritySocketSetsockopt: pb.EventId_security_socket_setsockopt, + events.SecuritySbMount: pb.EventId_security_sb_mount, + events.SecurityBPF: pb.EventId_security_bpf, + events.SecurityBPFMap: pb.EventId_security_bpf_map, + events.SecurityKernelReadFile: pb.EventId_security_kernel_read_file, + events.SecurityInodeMknod: pb.EventId_security_inode_mknod, + events.SecurityPostReadFile: pb.EventId_security_post_read_file, + events.SecurityInodeSymlinkEventId: pb.EventId_security_inode_symlink_event_id, + events.SecurityMmapFile: pb.EventId_security_mmap_file, + events.SecurityFileMprotect: pb.EventId_security_file_mprotect, + events.SocketDup: pb.EventId_socket_dup, + events.HiddenInodes: pb.EventId_hidden_inodes, + events.KernelWrite: pb.EventId_kernel_write, + events.ProcCreate: pb.EventId_proc_create, + events.KprobeAttach: pb.EventId_kprobe_attach, + events.CallUsermodeHelper: pb.EventId_call_usermode_helper, + events.DirtyPipeSplice: pb.EventId_dirty_pipe_splice, + events.DebugfsCreateFile: pb.EventId_debugfs_create_file, + events.SyscallTableCheck: pb.EventId_syscall_table_check, + events.DebugfsCreateDir: pb.EventId_debugfs_create_dir, + events.DeviceAdd: pb.EventId_device_add, + events.RegisterChrdev: pb.EventId_register_chrdev, + events.SharedObjectLoaded: pb.EventId_shared_object_loaded, + events.DoInitModule: pb.EventId_do_init_module, + events.SocketAccept: pb.EventId_socket_accept, + events.LoadElfPhdrs: pb.EventId_load_elf_phdrs, + events.HookedProcFops: pb.EventId_hooked_proc_fops, + events.PrintNetSeqOps: pb.EventId_print_net_seq_ops, + events.TaskRename: pb.EventId_task_rename, + events.SecurityInodeRename: pb.EventId_security_inode_rename, + events.DoSigaction: pb.EventId_do_sigaction, + events.BpfAttach: pb.EventId_bpf_attach, + events.KallsymsLookupName: pb.EventId_kallsyms_lookup_name, + events.DoMmap: pb.EventId_do_mmap, + events.PrintMemDump: pb.EventId_print_mem_dump, + events.VfsUtimes: pb.EventId_vfs_utimes, + events.DoTruncate: pb.EventId_do_truncate, + events.FileModification: pb.EventId_file_modification, + events.InotifyWatch: pb.EventId_inotify_watch, + events.SecurityBpfProg: pb.EventId_security_bpf_prog, + events.ProcessExecuteFailed: pb.EventId_process_execute_failed, + events.SecurityPathNotify: pb.EventId_security_path_notify, + events.SetFsPwd: pb.EventId_set_fs_pwd, + events.HiddenKernelModuleSeeker: pb.EventId_hidden_kernel_module_seeker, + events.ModuleLoad: pb.EventId_module_load, + events.ModuleFree: pb.EventId_module_free, + events.ExecuteFinished: pb.EventId_execute_finished, + events.ProcessExecuteFailedInternal: pb.EventId_security_bprm_creds_for_exec, // Events from user-space translation section events.NetPacketIPv4: pb.EventId_net_packet_ipv4,