grpc: refactor event structure

- rename some protobuf fields;
- ancestors (deprecated parent field) is now array of objects.

commit: 17a3b4e (main), cherry-pick

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/IBM/fluent-forward-go v0.2.1
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4
-	github.com/aquasecurity/tracee/api v0.0.0-20240603142303-ab1c72f65402
+	github.com/aquasecurity/tracee/api v0.0.0-20240613180148-873f896bb075
 	github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240122160245-67dec940088c
 	github.com/aquasecurity/tracee/types v0.0.0-20240122122429-7f84f526758d
 	github.com/containerd/containerd v1.7.14

go.sum

@@ -25,8 +25,8 @@ github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRB
 github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
 github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4 h1:rQ94U12Xlz2tncE8Rxnw3vpp/9hgUIEu3/Lv0/XQM0Q=
 github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4/go.mod h1:iI7QCIZ3kXG0MR+FHsDZck6cYs1y1HyZP3sMObBg0sk=
-github.com/aquasecurity/tracee/api v0.0.0-20240603142303-ab1c72f65402 h1:5ZpKmOXEjJKcpoQZFReseMYegq88JOqYk/U4LLcktiU=
-github.com/aquasecurity/tracee/api v0.0.0-20240603142303-ab1c72f65402/go.mod h1:jXLAr/iFkfaNTuNcdbx2blngdMD/qaAfxQe9rCL9jwk=
+github.com/aquasecurity/tracee/api v0.0.0-20240613180148-873f896bb075 h1:2aZK6bM+j/W6M9sADv29uvzcUAIa3RSDarBM/qyXphI=
+github.com/aquasecurity/tracee/api v0.0.0-20240613180148-873f896bb075/go.mod h1:jXLAr/iFkfaNTuNcdbx2blngdMD/qaAfxQe9rCL9jwk=
 github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240122160245-67dec940088c h1:Gms5lUHPIq+OpI5HjcZ+l0NZHhSwBd/47nyUZY89c+M=
 github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240122160245-67dec940088c/go.mod h1:SSh6X96P8pT/9B6eBl6ptBo8QnaSCNCZHMOZ1iXyPUw=
 github.com/aquasecurity/tracee/types v0.0.0-20240122122429-7f84f526758d h1:6CQjy5G6Cj/VKm8RP1uZnBZxDgfyGo15HfWFnYrkGro=

pkg/server/grpc/tracee.go

@@ -777,30 +777,40 @@ func getProcess(e trace.Event) *pb.Process {
 		executable = &pb.Executable{Path: e.Executable.Path}
 	}
 
+	ancestors := getAncestors(e)
+
 	return &pb.Process{
-		Executable:    executable,
-		EntityId:      wrapperspb.UInt32(e.ProcessEntityId),
-		Pid:           wrapperspb.UInt32(uint32(e.HostProcessID)),
-		NamespacedPid: wrapperspb.UInt32(uint32(e.ProcessID)),
+		Executable: executable,
+		UniqueId:   wrapperspb.UInt32(e.ProcessEntityId),
+		HostPid:    wrapperspb.UInt32(uint32(e.HostProcessID)),
+		Pid:        wrapperspb.UInt32(uint32(e.ProcessID)),
 		RealUser: &pb.User{
 			Id: wrapperspb.UInt32(uint32(e.UserID)),
 		},
 		Thread: &pb.Thread{
-			Start:          threadStartTime,
+			StartTime:      threadStartTime,
 			Name:           e.ProcessName,
-			EntityId:       wrapperspb.UInt32(e.ThreadEntityId),
-			Tid:            wrapperspb.UInt32(uint32(e.HostThreadID)),
-			NamespacedTid:  wrapperspb.UInt32(uint32(e.ThreadID)),
+			UniqueId:       wrapperspb.UInt32(e.ThreadEntityId),
+			HostTid:        wrapperspb.UInt32(uint32(e.HostThreadID)),
+			Tid:            wrapperspb.UInt32(uint32(e.ThreadID)),
 			Syscall:        e.Syscall,
 			Compat:         e.ContextFlags.ContainerStarted,
 			UserStackTrace: userStackTrace,
 		},
-		Parent: &pb.Process{
-			EntityId:      wrapperspb.UInt32(e.ParentEntityId),
-			Pid:           wrapperspb.UInt32(uint32(e.HostParentProcessID)),
-			NamespacedPid: wrapperspb.UInt32(uint32(e.ParentProcessID)),
-		},
+		Ancestors: ancestors,
+	}
+}
+
+func getAncestors(e trace.Event) []*pb.Process {
+	var ancestors []*pb.Process
+	if e.ParentEntityId != 0 {
+		ancestors = append(ancestors, &pb.Process{
+			UniqueId: wrapperspb.UInt32(e.ParentEntityId),
+			HostPid:  wrapperspb.UInt32(uint32(e.HostParentProcessID)),
+			Pid:      wrapperspb.UInt32(uint32(e.ParentProcessID)),
+		})
 	}
+	return ancestors
 }
 
 func getContainer(e trace.Event) *pb.Container {

pkg/server/grpc/tracee_test.go

@@ -40,17 +40,17 @@ func Test_convertEventWithProcessContext(t *testing.T) {
 	protoEvent, err := convertTraceeEventToProto(traceEvent)
 	assert.NoError(t, err)
 
-	assert.Equal(t, uint32(1), protoEvent.Context.Process.NamespacedPid.Value)
-	assert.Equal(t, uint32(2), protoEvent.Context.Process.Thread.NamespacedTid.Value)
-	assert.Equal(t, uint32(3), protoEvent.Context.Process.Pid.Value)
-	assert.Equal(t, uint32(4), protoEvent.Context.Process.Thread.Tid.Value)
-	assert.Equal(t, uint32(5), protoEvent.Context.Process.Parent.NamespacedPid.Value)
-	assert.Equal(t, uint32(6), protoEvent.Context.Process.Parent.Pid.Value)
+	assert.Equal(t, uint32(1), protoEvent.Context.Process.Pid.Value)
+	assert.Equal(t, uint32(2), protoEvent.Context.Process.Thread.Tid.Value)
+	assert.Equal(t, uint32(3), protoEvent.Context.Process.HostPid.Value)
+	assert.Equal(t, uint32(4), protoEvent.Context.Process.Thread.HostTid.Value)
+	assert.Equal(t, uint32(5), protoEvent.Context.Process.Ancestors[0].Pid.Value)
+	assert.Equal(t, uint32(6), protoEvent.Context.Process.Ancestors[0].HostPid.Value)
 	assert.Equal(t, uint32(7), protoEvent.Context.Process.RealUser.Id.Value)
 	assert.Equal(t, pb.EventId_execve, protoEvent.Id)
-	assert.Equal(t, uint32(9), protoEvent.Context.Process.Thread.EntityId.Value)
-	assert.Equal(t, uint32(10), protoEvent.Context.Process.EntityId.Value)
-	assert.Equal(t, uint32(11), protoEvent.Context.Process.Parent.EntityId.Value)
+	assert.Equal(t, uint32(9), protoEvent.Context.Process.Thread.UniqueId.Value)
+	assert.Equal(t, uint32(10), protoEvent.Context.Process.UniqueId.Value)
+	assert.Equal(t, uint32(11), protoEvent.Context.Process.Ancestors[0].UniqueId.Value)
 	assert.Equal(t, "eventTest", protoEvent.Name)
 	assert.Equal(t, []string{"policyTest"}, protoEvent.Policies.Matched)
 	assert.Equal(t, "processTest", protoEvent.Context.Process.Thread.Name)