From 2360aa39d7c0fa58b323a764a8126f9d6c0e5096 Mon Sep 17 00:00:00 2001 From: Ori Glassman Date: Mon, 5 Aug 2024 15:49:54 +0300 Subject: [PATCH 1/2] feat(ebpf): make process_execute_failed not rely on sys_enter/exit --- api/v1beta1/event.proto | 2 +- .../builtin/extra/process_execute_failed.md | 2 +- pkg/ebpf/c/maps.h | 3 +- pkg/ebpf/c/tracee.bpf.c | 116 +++++------- pkg/ebpf/c/types.h | 4 +- pkg/ebpf/probes/probe_group.go | 1 - pkg/ebpf/probes/probes.go | 1 - pkg/ebpf/tracee.go | 2 +- pkg/events/core.go | 55 +++--- pkg/events/definition_dependencies.go | 3 +- pkg/events/derive/process_execute_failed.go | 41 +++-- pkg/events/parse/params.go | 10 + pkg/server/grpc/tracee.go | 172 +++++++++--------- .../e2e-process_execute_failed.go | 2 +- 14 files changed, 205 insertions(+), 209 deletions(-) diff --git a/api/v1beta1/event.proto b/api/v1beta1/event.proto index a70daef13744..9a3e894a0c87 100644 --- a/api/v1beta1/event.proto +++ b/api/v1beta1/event.proto @@ -547,7 +547,7 @@ enum EventId { module_load = 1082; module_free = 1083; execute_finished = 1084; - security_bprm_creds_for_exec = 1085; + process_execute_failed_internal = 1085; // Events originated from user-space net_packet_ipv4 = 2000; diff --git a/docs/docs/events/builtin/extra/process_execute_failed.md b/docs/docs/events/builtin/extra/process_execute_failed.md index 988fdb271f18..4032b4740491 100644 --- a/docs/docs/events/builtin/extra/process_execute_failed.md +++ b/docs/docs/events/builtin/extra/process_execute_failed.md @@ -56,7 +56,7 @@ Relevant from kernel version 5.8 onwards, matching the `security_bprm_creds_for_ ## Example Use Case ```console -./tracee -e process_execution_failed +./tracee -e process_execute_failed ``` ## Issues diff --git a/pkg/ebpf/c/maps.h b/pkg/ebpf/c/maps.h index 2a7b54829e3c..fe415e403484 100644 --- a/pkg/ebpf/c/maps.h +++ b/pkg/ebpf/c/maps.h @@ -17,8 +17,7 @@ enum tail_call_id_e TAIL_SCHED_PROCESS_EXEC_EVENT_SUBMIT, TAIL_VFS_READ, TAIL_VFS_READV, - TAIL_PROCESS_EXECUTE_FAILED1, - TAIL_PROCESS_EXECUTE_FAILED2, + TAIL_PROCESS_EXECUTE_FAILED, TAIL_HIDDEN_KERNEL_MODULE_PROC, TAIL_HIDDEN_KERNEL_MODULE_KSET, TAIL_HIDDEN_KERNEL_MODULE_MOD_TREE, diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c index f69a6c4d15e9..112b44d9bb10 100644 --- a/pkg/ebpf/c/tracee.bpf.c +++ b/pkg/ebpf/c/tracee.bpf.c @@ -1521,7 +1521,7 @@ int syscall__accept4(void *ctx) struct socket *old_sock = (struct socket *) saved_args.args[0]; struct socket *new_sock = (struct socket *) saved_args.args[1]; - u32 sockfd = (u32) saved_args.args[2]; + u64 sockfd = (u32) saved_args.args[2]; if (new_sock == NULL) { return -1; @@ -4940,31 +4940,32 @@ statfunc int submit_process_execute_failed(struct pt_regs *ctx, program_data_t * struct file *file = get_file_ptr_from_bprm(bprm); const char *path = get_binprm_filename(bprm); - save_str_to_buf(&p->event->args_buf, (void *) path, 0); + save_str_to_buf(&p->event->args_buf, (void *) path, 2); void *binary_path = get_path_str(__builtin_preserve_access_index(&file->f_path)); - save_str_to_buf(&p->event->args_buf, binary_path, 1); + save_str_to_buf(&p->event->args_buf, binary_path, 3); dev_t binary_device_id = get_dev_from_file(file); - save_to_submit_buf(&p->event->args_buf, &binary_device_id, sizeof(dev_t), 2); + save_to_submit_buf(&p->event->args_buf, &binary_device_id, sizeof(dev_t), 4); unsigned long binary_inode_number = get_inode_nr_from_file(file); - save_to_submit_buf(&p->event->args_buf, &binary_inode_number, sizeof(unsigned long), 3); + save_to_submit_buf(&p->event->args_buf, &binary_inode_number, sizeof(unsigned long), 5); u64 binary_ctime = get_ctime_nanosec_from_file(file); - save_to_submit_buf(&p->event->args_buf, &binary_ctime, sizeof(u64), 4); + save_to_submit_buf(&p->event->args_buf, &binary_ctime, sizeof(u64), 6); umode_t binary_inode_mode = get_inode_mode_from_file(file); - save_to_submit_buf(&p->event->args_buf, &binary_inode_mode, sizeof(umode_t), 5); + save_to_submit_buf(&p->event->args_buf, &binary_inode_mode, sizeof(umode_t), 7); const char *interpreter_path = get_binprm_interp(bprm); - save_str_to_buf(&p->event->args_buf, (void *) interpreter_path, 6); + save_str_to_buf(&p->event->args_buf, (void *) interpreter_path, 8); - bpf_tail_call(ctx, &prog_array, TAIL_PROCESS_EXECUTE_FAILED1); + bpf_tail_call(ctx, &prog_array, TAIL_PROCESS_EXECUTE_FAILED); return -1; } -statfunc int execute_failed_tail1(struct pt_regs *ctx, u32 tail_call_id) +SEC("kprobe/process_execute_failed_tail") +int process_execute_failed_tail(struct pt_regs *ctx) { program_data_t p = {}; if (!init_tailcall_program_data(&p, ctx)) @@ -4974,91 +4975,38 @@ statfunc int execute_failed_tail1(struct pt_regs *ctx, u32 tail_call_id) struct file *stdin_file = get_struct_file_from_fd(0); unsigned short stdin_type = get_inode_mode_from_file(stdin_file) & S_IFMT; - save_to_submit_buf(&p.event->args_buf, &stdin_type, sizeof(unsigned short), 7); + save_to_submit_buf(&p.event->args_buf, &stdin_type, sizeof(unsigned short), 9); void *stdin_path = get_path_str(__builtin_preserve_access_index(&stdin_file->f_path)); - save_str_to_buf(&p.event->args_buf, stdin_path, 8); + save_str_to_buf(&p.event->args_buf, stdin_path, 10); int kernel_invoked = (get_task_parent_flags(task) & PF_KTHREAD) ? 1 : 0; - save_to_submit_buf(&p.event->args_buf, &kernel_invoked, sizeof(int), 9); + save_to_submit_buf(&p.event->args_buf, &kernel_invoked, sizeof(int), 11); - bpf_tail_call(ctx, &prog_array, tail_call_id); - return -1; -} - -statfunc int execute_failed_tail2(struct pt_regs *ctx) -{ - program_data_t p = {}; - if (!init_tailcall_program_data(&p, ctx)) - return -1; - - long long argv, envp; - struct pt_regs *regs = get_current_task_pt_regs(); - - if (p.event->context.syscall == SYSCALL_EXECVE) { - argv = get_syscall_arg2(p.event->task, regs, false); - envp = get_syscall_arg3(p.event->task, regs, false); - } else { - argv = get_syscall_arg3(p.event->task, regs, false); - envp = get_syscall_arg4(p.event->task, regs, false); - } - - save_str_arr_to_buf(&p.event->args_buf, (const char *const *) argv, 10); // userspace argv - - if (p.config->options & OPT_EXEC_ENV) { - save_str_arr_to_buf(&p.event->args_buf, (const char *const *) envp, 11); // userspace envp - } - - int ret = PT_REGS_RC(ctx); // needs to be int - return events_perf_submit(&p, ret); + return events_perf_submit(&p, 0); } bool use_security_bprm_creds_for_exec = false; SEC("kprobe/exec_binprm") -TRACE_ENT_FUNC(exec_binprm, EXEC_BINPRM); - -SEC("kretprobe/exec_binprm") -int BPF_KPROBE(trace_ret_exec_binprm) +int BPF_KPROBE(trace_exec_binprm) { if (use_security_bprm_creds_for_exec) { return 0; } - args_t saved_args; - if (load_args(&saved_args, EXEC_BINPRM) != 0) { - // missed entry or not traced - return 0; - } - del_args(EXEC_BINPRM); - - int ret_val = PT_REGS_RC(ctx); - if (ret_val == 0) - return 0; // not interested of successful execution - for that we have sched_process_exec program_data_t p = {}; - if (!init_program_data(&p, ctx, PROCESS_EXECUTION_FAILED)) + if (!init_program_data(&p, ctx, PROCESS_EXECUTE_FAILED_INTERNAL)) return 0; return submit_process_execute_failed(ctx, &p); } -SEC("kretprobe/trace_execute_failed1") -int BPF_KPROBE(trace_execute_failed1) -{ - return execute_failed_tail1(ctx, TAIL_PROCESS_EXECUTE_FAILED2); -} - -SEC("kretprobe/trace_execute_failed2") -int BPF_KPROBE(trace_execute_failed2) -{ - return execute_failed_tail2(ctx); -} - SEC("kprobe/security_bprm_creds_for_exec") int BPF_KPROBE(trace_security_bprm_creds_for_exec) { use_security_bprm_creds_for_exec = true; program_data_t p = {}; - if (!init_program_data(&p, ctx, SECURITY_BPRM_CREDS_FOR_EXEC)) + if (!init_program_data(&p, ctx, PROCESS_EXECUTE_FAILED_INTERNAL)) return 0; return submit_process_execute_failed(ctx, &p); } @@ -5073,6 +5021,34 @@ int BPF_KPROBE(trace_execute_finished) if (!evaluate_scope_filters(&p)) return 0; + // We can enrich the event with user provided arguments. If we have kernelspace arguments, + // the userspace arguments will be discarded. + struct pt_regs *task_regs = get_current_task_pt_regs(); + u64 argv, envp; + void *path; + + if (p.event->context.syscall == SYSCALL_EXECVEAT) { + int dirfd = get_syscall_arg1(p.event->task, task_regs, false); + path = (void *) get_syscall_arg2(p.event->task, task_regs, false); + argv = get_syscall_arg3(p.event->task, task_regs, false); + envp = get_syscall_arg4(p.event->task, task_regs, false); + int flags = get_syscall_arg5(p.event->task, task_regs, false); + + // send args unique to execevat + save_to_submit_buf(&p.event->args_buf, &dirfd, sizeof(int), 0); + save_to_submit_buf(&p.event->args_buf, &flags, sizeof(int), 1); + } else { + path = (void *) get_syscall_arg1(p.event->task, task_regs, false); + argv = get_syscall_arg2(p.event->task, task_regs, false); + envp = get_syscall_arg3(p.event->task, task_regs, false); + } + + save_str_to_buf(&p.event->args_buf, path, 2); + save_str_arr_to_buf(&p.event->args_buf, (const char *const *) argv, 12); + if (p.config->options & OPT_EXEC_ENV) { + save_str_arr_to_buf(&p.event->args_buf, (const char *const *) envp, 13); + } + long exec_ret = PT_REGS_RC(ctx); return events_perf_submit(&p, exec_ret); } diff --git a/pkg/ebpf/c/types.h b/pkg/ebpf/c/types.h index 7ed9fa4ec1b7..b6ee3df138f4 100644 --- a/pkg/ebpf/c/types.h +++ b/pkg/ebpf/c/types.h @@ -121,14 +121,14 @@ enum event_id_e FILE_MODIFICATION, INOTIFY_WATCH, SECURITY_BPF_PROG, - PROCESS_EXECUTION_FAILED, + PROCESS_EXECUTE_FAILED, SECURITY_PATH_NOTIFY, SET_FS_PWD, HIDDEN_KERNEL_MODULE_SEEKER, MODULE_LOAD, MODULE_FREE, EXECUTE_FINISHED, - SECURITY_BPRM_CREDS_FOR_EXEC, + PROCESS_EXECUTE_FAILED_INTERNAL, SECURITY_TASK_SETRLIMIT, SECURITY_SETTIME64, MAX_EVENT_ID, diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go index cc90263d8c09..7e3e57329d3b 100644 --- a/pkg/ebpf/probes/probe_group.go +++ b/pkg/ebpf/probes/probe_group.go @@ -202,7 +202,6 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err InotifyFindInodeRet: NewTraceProbe(KretProbe, "inotify_find_inode", "trace_ret_inotify_find_inode"), BpfCheck: NewTraceProbe(KProbe, "bpf_check", "trace_bpf_check"), ExecBinprm: NewTraceProbe(KProbe, "exec_binprm", "trace_exec_binprm"), - ExecBinprmRet: NewTraceProbe(KretProbe, "exec_binprm", "trace_ret_exec_binprm"), SecurityPathNotify: NewTraceProbe(KProbe, "security_path_notify", "trace_security_path_notify"), SecurityBprmCredsForExec: NewTraceProbe(KProbe, "security_bprm_creds_for_exec", "trace_security_bprm_creds_for_exec"), SetFsPwd: NewTraceProbe(KProbe, "set_fs_pwd", "trace_set_fs_pwd"), diff --git a/pkg/ebpf/probes/probes.go b/pkg/ebpf/probes/probes.go index e8b59fe24500..bdf5ae6525b8 100644 --- a/pkg/ebpf/probes/probes.go +++ b/pkg/ebpf/probes/probes.go @@ -126,7 +126,6 @@ const ( InotifyFindInodeRet BpfCheck ExecBinprm - ExecBinprmRet SecurityPathNotify SecurityBprmCredsForExec SetFsPwd diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go index f182bdca5a46..b6f03492bcfe 100644 --- a/pkg/ebpf/tracee.go +++ b/pkg/ebpf/tracee.go @@ -781,7 +781,7 @@ func (t *Tracee) initDerivationTable() error { DeriveFunction: executeFailedGen.ProcessExecuteFailed(), }, }, - events.SecurityBprmCredsForExec: { + events.ProcessExecuteFailedInternal: { events.ProcessExecuteFailed: { Enabled: shouldSubmit(events.ProcessExecuteFailed), DeriveFunction: executeFailedGen.ProcessExecuteFailed(), diff --git a/pkg/events/core.go b/pkg/events/core.go index 792384cd0883..0ce5645f1452 100644 --- a/pkg/events/core.go +++ b/pkg/events/core.go @@ -110,7 +110,7 @@ const ( ModuleLoad ModuleFree ExecuteFinished - SecurityBprmCredsForExec + ProcessExecuteFailedInternal SecurityTaskSetrlimit SecuritySettime64 MaxCommonID @@ -12877,25 +12877,44 @@ var CoreEvents = map[ID]Definition{ {handle: probes.ExecuteAtFinishedCompatARM, required: false}, }, }, + params: []trace.ArgMeta{ + {Type: "int", Name: "dirfd"}, + {Type: "int", Name: "flags"}, + {Type: "const char*", Name: "pathname"}, + {Type: "const char*", Name: "binary.path"}, + {Type: "dev_t", Name: "binary.device_id"}, + {Type: "unsigned long", Name: "binary.inode_number"}, + {Type: "unsigned long", Name: "binary.ctime"}, + {Type: "umode_t", Name: "binary.inode_mode"}, + {Type: "const char*", Name: "interpreter_path"}, + {Type: "umode_t", Name: "stdin_type"}, + {Type: "char*", Name: "stdin_path"}, + {Type: "int", Name: "kernel_invoked"}, + {Type: "const char*const*", Name: "argv"}, + {Type: "const char*const*", Name: "envp"}, + }, }, - SecurityBprmCredsForExec: { - id: SecurityBprmCredsForExec, + ProcessExecuteFailedInternal: { + id: ProcessExecuteFailedInternal, id32Bit: Sys32Undefined, - name: "security_bprm_creds_for_exec", + name: "process_execute_failed_internal", version: NewVersion(1, 0, 0), sets: []string{"proc"}, internal: true, dependencies: Dependencies{ + ids: []ID{ExecuteFinished}, probes: []Probe{ + {handle: probes.ExecBinprm, required: false}, {handle: probes.SecurityBprmCredsForExec, required: false}, // TODO: Change to required once fallbacks are supported }, tailCalls: []TailCall{ - {"prog_array", "trace_execute_failed1", []uint32{TailProcessExecuteFailed1}}, - {"prog_array", "trace_execute_failed2", []uint32{TailProcessExecuteFailed2}}, + {"prog_array", "process_execute_failed_tail", []uint32{TailProcessExecuteFailed}}, }, }, params: []trace.ArgMeta{ - {Type: "const char*", Name: "path"}, + {Type: "int", Name: "dirfd"}, + {Type: "int", Name: "flags"}, + {Type: "const char*", Name: "pathname"}, {Type: "const char*", Name: "binary.path"}, {Type: "dev_t", Name: "binary.device_id"}, {Type: "unsigned long", Name: "binary.inode_number"}, @@ -12905,8 +12924,8 @@ var CoreEvents = map[ID]Definition{ {Type: "umode_t", Name: "stdin_type"}, {Type: "char*", Name: "stdin_path"}, {Type: "int", Name: "kernel_invoked"}, - {Type: "const char*const*", Name: "binary.arguments"}, - {Type: "const char*const*", Name: "environment"}, + {Type: "const char*const*", Name: "argv"}, + {Type: "const char*const*", Name: "envp"}, }, }, ProcessExecuteFailed: { @@ -12916,18 +12935,12 @@ var CoreEvents = map[ID]Definition{ version: NewVersion(1, 0, 0), sets: []string{"proc"}, dependencies: Dependencies{ - ids: []ID{ExecuteFinished, SecurityBprmCredsForExec}, // For kernel version >= 5.8 - probes: []Probe{ - {handle: probes.ExecBinprm, required: false}, - {handle: probes.ExecBinprmRet, required: false}, - }, - tailCalls: []TailCall{ - {"prog_array", "trace_execute_failed1", []uint32{TailProcessExecuteFailed1}}, - {"prog_array", "trace_execute_failed2", []uint32{TailProcessExecuteFailed2}}, - }, + ids: []ID{ProcessExecuteFailedInternal}, }, params: []trace.ArgMeta{ - {Type: "const char*", Name: "path"}, + {Type: "int", Name: "dirfd"}, + {Type: "int", Name: "flags"}, + {Type: "const char*", Name: "pathname"}, {Type: "const char*", Name: "binary.path"}, {Type: "dev_t", Name: "binary.device_id"}, {Type: "unsigned long", Name: "binary.inode_number"}, @@ -12937,8 +12950,8 @@ var CoreEvents = map[ID]Definition{ {Type: "umode_t", Name: "stdin_type"}, {Type: "char*", Name: "stdin_path"}, {Type: "int", Name: "kernel_invoked"}, - {Type: "const char*const*", Name: "binary.arguments"}, - {Type: "const char*const*", Name: "environment"}, + {Type: "const char*const*", Name: "argv"}, + {Type: "const char*const*", Name: "envp"}, }, }, FtraceHook: { diff --git a/pkg/events/definition_dependencies.go b/pkg/events/definition_dependencies.go index 563189d076cc..31f651df8711 100644 --- a/pkg/events/definition_dependencies.go +++ b/pkg/events/definition_dependencies.go @@ -147,8 +147,7 @@ const ( TailSchedProcessExecEventSubmit TailVfsRead TailVfsReadv - TailProcessExecuteFailed1 - TailProcessExecuteFailed2 + TailProcessExecuteFailed TailHiddenKernelModuleProc TailHiddenKernelModuleKset TailHiddenKernelModuleModTree diff --git a/pkg/events/derive/process_execute_failed.go b/pkg/events/derive/process_execute_failed.go index 352f36fd8f30..dc5eb4fe30a1 100644 --- a/pkg/events/derive/process_execute_failed.go +++ b/pkg/events/derive/process_execute_failed.go @@ -6,6 +6,7 @@ import ( lru "github.com/hashicorp/golang-lru/v2" "github.com/aquasecurity/tracee/pkg/events" + "github.com/aquasecurity/tracee/pkg/events/parse" "github.com/aquasecurity/tracee/types/trace" ) @@ -57,6 +58,7 @@ func (gen *ExecFailedGenerator) ProcessExecuteFailed() DeriveFunction { type execEndInfo struct { returnCode int timestamp int + args []trace.Argument } // deriveEvent is the main logic, which will try to derive the event from the given event. @@ -64,7 +66,7 @@ func (gen *ExecFailedGenerator) deriveEvent(event *trace.Event) ( *trace.Event, error, ) { switch events.ID(event.EventID) { - case events.SecurityBprmCredsForExec: + case events.ProcessExecuteFailedInternal: return gen.handleExecBaseEvent(event) case events.ExecuteFinished: return gen.handleExecFinished(event) @@ -73,40 +75,34 @@ func (gen *ExecFailedGenerator) deriveEvent(event *trace.Event) ( } } -// handleExecFinished will derive the event if all the event parts were received. -// Else it will cache the finished exec info for future use. +// handleExecFinished will add info on top of base event unless events came out of order. Sends an event in any case. +// Should be simplified once events reach from kernel-space to user-space are ordered! func (gen *ExecFailedGenerator) handleExecFinished(event *trace.Event) (*trace.Event, error) { + defer gen.execEndInfo.Remove(event.HostProcessID) execInfo := execEndInfo{ returnCode: event.ReturnValue, timestamp: event.Timestamp, + args: event.Args, } + if !isFailedExec(execInfo.returnCode) { + return nil, nil + } + + e := event securityExecEvent, ok := gen.baseEvents.Get(event.HostProcessID) if ok { - gen.execEndInfo.Remove(event.HostProcessID) - if !isFailedExec(execInfo.returnCode) { - return nil, nil - } - return gen.generateEvent(securityExecEvent, execInfo) + e = securityExecEvent // There is a base event to use, use it! } - gen.execEndInfo.Add(event.HostProcessID, execInfo) - return nil, nil + return gen.generateEvent(e, execInfo) } // handleExecBaseEvent will derive the event if the event parts were received, else will cache // the base event for future use func (gen *ExecFailedGenerator) handleExecBaseEvent(event *trace.Event) (*trace.Event, error) { - execInfo, ok := gen.execEndInfo.Get(event.HostProcessID) // We don't have the execution end info - cache current event and wait for it to be received // This is the expected flow, as the execution finished event come chronology after - if !ok { - gen.baseEvents.Add(event.HostProcessID, event) - return nil, nil - } - gen.execEndInfo.Remove(event.HostProcessID) - if !isFailedExec(execInfo.returnCode) { - return nil, nil - } - return gen.generateEvent(event, execInfo) + gen.baseEvents.Add(event.HostProcessID, event) + return nil, nil } // generateEvent create the ProcessExecuteFailed event from its parts @@ -119,6 +115,11 @@ func (gen *ExecFailedGenerator) generateEvent( newEvent.EventID = gen.deriveBase.ID newEvent.EventName = gen.deriveBase.Name newEvent.ReturnValue = execInfo.returnCode + + // fill userspace argv and envp from execute_finished event + newEvent.Args[parse.ArgIndex(newEvent.Args, "argv")] = execInfo.args[parse.ArgIndex(execInfo.args, "argv")] + newEvent.Args[parse.ArgIndex(newEvent.Args, "envp")] = execInfo.args[parse.ArgIndex(execInfo.args, "envp")] + return &newEvent, nil } diff --git a/pkg/events/parse/params.go b/pkg/events/parse/params.go index cc504f1acd9a..64345e584c50 100644 --- a/pkg/events/parse/params.go +++ b/pkg/events/parse/params.go @@ -23,3 +23,13 @@ func ArgVal[T any](args []trace.Argument, argName string) (T, error) { } return *new(T), errfmt.Errorf("argument %s not found", argName) } + +// ArgIndex find the index of an argument by name +func ArgIndex(args []trace.Argument, argName string) int { + for index, arg := range args { + if arg.Name == argName { + return index + } + } + return -1 +} diff --git a/pkg/server/grpc/tracee.go b/pkg/server/grpc/tracee.go index b3de279ca094..5e432f9f249e 100644 --- a/pkg/server/grpc/tracee.go +++ b/pkg/server/grpc/tracee.go @@ -470,92 +470,92 @@ var EventTranslationTable = [events.MaxBuiltinID]pb.EventId{ events.SchedRrGetInterval32: pb.EventId_sched_rr_get_interval_time32, // Common events translation section - events.NetPacketBase: pb.EventId_net_packet_base, - events.NetPacketIPBase: pb.EventId_net_packet_ip_base, - events.NetPacketTCPBase: pb.EventId_net_packet_tcp_base, - events.NetPacketUDPBase: pb.EventId_net_packet_udp_base, - events.NetPacketICMPBase: pb.EventId_net_packet_icmp_base, - events.NetPacketICMPv6Base: pb.EventId_net_packet_icmpv6_base, - events.NetPacketDNSBase: pb.EventId_net_packet_dns_base, - events.NetPacketHTTPBase: pb.EventId_net_packet_http_base, - events.NetPacketCapture: pb.EventId_net_packet_capture, - events.NetPacketFlow: pb.EventId_net_packet_flow, - events.MaxNetID: pb.EventId_max_net_id, - events.SysEnter: pb.EventId_sys_enter, - events.SysExit: pb.EventId_sys_exit, - events.SchedProcessFork: pb.EventId_sched_process_fork, - events.SchedProcessExec: pb.EventId_sched_process_exec, - events.SchedProcessExit: pb.EventId_sched_process_exit, - events.SchedSwitch: pb.EventId_sched_switch, - events.DoExit: pb.EventId_do_exit, - events.CapCapable: pb.EventId_cap_capable, - events.VfsWrite: pb.EventId_vfs_write, - events.VfsWritev: pb.EventId_vfs_writev, - events.VfsRead: pb.EventId_vfs_read, - events.VfsReadv: pb.EventId_vfs_readv, - events.MemProtAlert: pb.EventId_mem_prot_alert, - events.CommitCreds: pb.EventId_commit_creds, - events.SwitchTaskNS: pb.EventId_switch_task_ns, - events.MagicWrite: pb.EventId_magic_write, - events.CgroupAttachTask: pb.EventId_cgroup_attach_task, - events.CgroupMkdir: pb.EventId_cgroup_mkdir, - events.CgroupRmdir: pb.EventId_cgroup_rmdir, - events.SecurityBprmCheck: pb.EventId_security_bprm_check, - events.SecurityFileOpen: pb.EventId_security_file_open, - events.SecurityInodeUnlink: pb.EventId_security_inode_unlink, - events.SecuritySocketCreate: pb.EventId_security_socket_create, - events.SecuritySocketListen: pb.EventId_security_socket_listen, - events.SecuritySocketConnect: pb.EventId_security_socket_connect, - events.SecuritySocketAccept: pb.EventId_security_socket_accept, - events.SecuritySocketBind: pb.EventId_security_socket_bind, - events.SecuritySocketSetsockopt: pb.EventId_security_socket_setsockopt, - events.SecuritySbMount: pb.EventId_security_sb_mount, - events.SecurityBPF: pb.EventId_security_bpf, - events.SecurityBPFMap: pb.EventId_security_bpf_map, - events.SecurityKernelReadFile: pb.EventId_security_kernel_read_file, - events.SecurityInodeMknod: pb.EventId_security_inode_mknod, - events.SecurityPostReadFile: pb.EventId_security_post_read_file, - events.SecurityInodeSymlinkEventId: pb.EventId_security_inode_symlink_event_id, - events.SecurityMmapFile: pb.EventId_security_mmap_file, - events.SecurityFileMprotect: pb.EventId_security_file_mprotect, - events.SocketDup: pb.EventId_socket_dup, - events.HiddenInodes: pb.EventId_hidden_inodes, - events.KernelWrite: pb.EventId_kernel_write, - events.ProcCreate: pb.EventId_proc_create, - events.KprobeAttach: pb.EventId_kprobe_attach, - events.CallUsermodeHelper: pb.EventId_call_usermode_helper, - events.DirtyPipeSplice: pb.EventId_dirty_pipe_splice, - events.DebugfsCreateFile: pb.EventId_debugfs_create_file, - events.SyscallTableCheck: pb.EventId_syscall_table_check, - events.DebugfsCreateDir: pb.EventId_debugfs_create_dir, - events.DeviceAdd: pb.EventId_device_add, - events.RegisterChrdev: pb.EventId_register_chrdev, - events.SharedObjectLoaded: pb.EventId_shared_object_loaded, - events.DoInitModule: pb.EventId_do_init_module, - events.SocketAccept: pb.EventId_socket_accept, - events.LoadElfPhdrs: pb.EventId_load_elf_phdrs, - events.HookedProcFops: pb.EventId_hooked_proc_fops, - events.PrintNetSeqOps: pb.EventId_print_net_seq_ops, - events.TaskRename: pb.EventId_task_rename, - events.SecurityInodeRename: pb.EventId_security_inode_rename, - events.DoSigaction: pb.EventId_do_sigaction, - events.BpfAttach: pb.EventId_bpf_attach, - events.KallsymsLookupName: pb.EventId_kallsyms_lookup_name, - events.DoMmap: pb.EventId_do_mmap, - events.PrintMemDump: pb.EventId_print_mem_dump, - events.VfsUtimes: pb.EventId_vfs_utimes, - events.DoTruncate: pb.EventId_do_truncate, - events.FileModification: pb.EventId_file_modification, - events.InotifyWatch: pb.EventId_inotify_watch, - events.SecurityBpfProg: pb.EventId_security_bpf_prog, - events.ProcessExecuteFailed: pb.EventId_process_execute_failed, - events.SecurityPathNotify: pb.EventId_security_path_notify, - events.SetFsPwd: pb.EventId_set_fs_pwd, - events.HiddenKernelModuleSeeker: pb.EventId_hidden_kernel_module_seeker, - events.ModuleLoad: pb.EventId_module_load, - events.ModuleFree: pb.EventId_module_free, - events.ExecuteFinished: pb.EventId_execute_finished, - events.SecurityBprmCredsForExec: pb.EventId_security_bprm_creds_for_exec, + events.NetPacketBase: pb.EventId_net_packet_base, + events.NetPacketIPBase: pb.EventId_net_packet_ip_base, + events.NetPacketTCPBase: pb.EventId_net_packet_tcp_base, + events.NetPacketUDPBase: pb.EventId_net_packet_udp_base, + events.NetPacketICMPBase: pb.EventId_net_packet_icmp_base, + events.NetPacketICMPv6Base: pb.EventId_net_packet_icmpv6_base, + events.NetPacketDNSBase: pb.EventId_net_packet_dns_base, + events.NetPacketHTTPBase: pb.EventId_net_packet_http_base, + events.NetPacketCapture: pb.EventId_net_packet_capture, + events.NetPacketFlow: pb.EventId_net_packet_flow, + events.MaxNetID: pb.EventId_max_net_id, + events.SysEnter: pb.EventId_sys_enter, + events.SysExit: pb.EventId_sys_exit, + events.SchedProcessFork: pb.EventId_sched_process_fork, + events.SchedProcessExec: pb.EventId_sched_process_exec, + events.SchedProcessExit: pb.EventId_sched_process_exit, + events.SchedSwitch: pb.EventId_sched_switch, + events.DoExit: pb.EventId_do_exit, + events.CapCapable: pb.EventId_cap_capable, + events.VfsWrite: pb.EventId_vfs_write, + events.VfsWritev: pb.EventId_vfs_writev, + events.VfsRead: pb.EventId_vfs_read, + events.VfsReadv: pb.EventId_vfs_readv, + events.MemProtAlert: pb.EventId_mem_prot_alert, + events.CommitCreds: pb.EventId_commit_creds, + events.SwitchTaskNS: pb.EventId_switch_task_ns, + events.MagicWrite: pb.EventId_magic_write, + events.CgroupAttachTask: pb.EventId_cgroup_attach_task, + events.CgroupMkdir: pb.EventId_cgroup_mkdir, + events.CgroupRmdir: pb.EventId_cgroup_rmdir, + events.SecurityBprmCheck: pb.EventId_security_bprm_check, + events.SecurityFileOpen: pb.EventId_security_file_open, + events.SecurityInodeUnlink: pb.EventId_security_inode_unlink, + events.SecuritySocketCreate: pb.EventId_security_socket_create, + events.SecuritySocketListen: pb.EventId_security_socket_listen, + events.SecuritySocketConnect: pb.EventId_security_socket_connect, + events.SecuritySocketAccept: pb.EventId_security_socket_accept, + events.SecuritySocketBind: pb.EventId_security_socket_bind, + events.SecuritySocketSetsockopt: pb.EventId_security_socket_setsockopt, + events.SecuritySbMount: pb.EventId_security_sb_mount, + events.SecurityBPF: pb.EventId_security_bpf, + events.SecurityBPFMap: pb.EventId_security_bpf_map, + events.SecurityKernelReadFile: pb.EventId_security_kernel_read_file, + events.SecurityInodeMknod: pb.EventId_security_inode_mknod, + events.SecurityPostReadFile: pb.EventId_security_post_read_file, + events.SecurityInodeSymlinkEventId: pb.EventId_security_inode_symlink_event_id, + events.SecurityMmapFile: pb.EventId_security_mmap_file, + events.SecurityFileMprotect: pb.EventId_security_file_mprotect, + events.SocketDup: pb.EventId_socket_dup, + events.HiddenInodes: pb.EventId_hidden_inodes, + events.KernelWrite: pb.EventId_kernel_write, + events.ProcCreate: pb.EventId_proc_create, + events.KprobeAttach: pb.EventId_kprobe_attach, + events.CallUsermodeHelper: pb.EventId_call_usermode_helper, + events.DirtyPipeSplice: pb.EventId_dirty_pipe_splice, + events.DebugfsCreateFile: pb.EventId_debugfs_create_file, + events.SyscallTableCheck: pb.EventId_syscall_table_check, + events.DebugfsCreateDir: pb.EventId_debugfs_create_dir, + events.DeviceAdd: pb.EventId_device_add, + events.RegisterChrdev: pb.EventId_register_chrdev, + events.SharedObjectLoaded: pb.EventId_shared_object_loaded, + events.DoInitModule: pb.EventId_do_init_module, + events.SocketAccept: pb.EventId_socket_accept, + events.LoadElfPhdrs: pb.EventId_load_elf_phdrs, + events.HookedProcFops: pb.EventId_hooked_proc_fops, + events.PrintNetSeqOps: pb.EventId_print_net_seq_ops, + events.TaskRename: pb.EventId_task_rename, + events.SecurityInodeRename: pb.EventId_security_inode_rename, + events.DoSigaction: pb.EventId_do_sigaction, + events.BpfAttach: pb.EventId_bpf_attach, + events.KallsymsLookupName: pb.EventId_kallsyms_lookup_name, + events.DoMmap: pb.EventId_do_mmap, + events.PrintMemDump: pb.EventId_print_mem_dump, + events.VfsUtimes: pb.EventId_vfs_utimes, + events.DoTruncate: pb.EventId_do_truncate, + events.FileModification: pb.EventId_file_modification, + events.InotifyWatch: pb.EventId_inotify_watch, + events.SecurityBpfProg: pb.EventId_security_bpf_prog, + events.ProcessExecuteFailed: pb.EventId_process_execute_failed, + events.SecurityPathNotify: pb.EventId_security_path_notify, + events.SetFsPwd: pb.EventId_set_fs_pwd, + events.HiddenKernelModuleSeeker: pb.EventId_hidden_kernel_module_seeker, + events.ModuleLoad: pb.EventId_module_load, + events.ModuleFree: pb.EventId_module_free, + events.ExecuteFinished: pb.EventId_execute_finished, + events.ProcessExecuteFailedInternal: pb.EventId_security_bprm_creds_for_exec, // Events from user-space translation section events.NetPacketIPv4: pb.EventId_net_packet_ipv4, diff --git a/tests/e2e-inst-signatures/e2e-process_execute_failed.go b/tests/e2e-inst-signatures/e2e-process_execute_failed.go index 58d86171a85d..8dee9d89e4b8 100644 --- a/tests/e2e-inst-signatures/e2e-process_execute_failed.go +++ b/tests/e2e-inst-signatures/e2e-process_execute_failed.go @@ -80,7 +80,7 @@ func (sig *e2eProcessExecuteFailed) OnEvent(event protocol.Event) error { return err } case "process_execute_failed": - filePath, err := helpers.GetTraceeStringArgumentByName(eventObj, "path") + filePath, err := helpers.GetTraceeStringArgumentByName(eventObj, "pathname") if err != nil { return err } From ae969e2cf91b5e413a68ef6aa52d3a66a19d9061 Mon Sep 17 00:00:00 2001 From: Ori Glassman Date: Thu, 5 Sep 2024 14:24:54 +0300 Subject: [PATCH 2/2] update protoc --- api/v1beta1/event.pb.go | 100 ++++++++++++++++++++-------------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/api/v1beta1/event.pb.go b/api/v1beta1/event.pb.go index 930dc52c6e92..e6798aef32e8 100644 --- a/api/v1beta1/event.pb.go +++ b/api/v1beta1/event.pb.go @@ -560,7 +560,7 @@ const ( EventId_module_load EventId = 1082 EventId_module_free EventId = 1083 EventId_execute_finished EventId = 1084 - EventId_security_bprm_creds_for_exec EventId = 1085 + EventId_process_execute_failed_internal EventId = 1085 // Events originated from user-space EventId_net_packet_ipv4 EventId = 2000 EventId_net_packet_ipv6 EventId = 2001 @@ -1126,7 +1126,7 @@ var ( 1082: "module_load", 1083: "module_free", 1084: "execute_finished", - 1085: "security_bprm_creds_for_exec", + 1085: "process_execute_failed_internal", 2000: "net_packet_ipv4", 2001: "net_packet_ipv6", 2002: "net_packet_tcp", @@ -1688,7 +1688,7 @@ var ( "module_load": 1082, "module_free": 1083, "execute_finished": 1084, - "security_bprm_creds_for_exec": 1085, + "process_execute_failed_internal": 1085, "net_packet_ipv4": 2000, "net_packet_ipv6": 2001, "net_packet_tcp": 2002, @@ -2795,7 +2795,7 @@ var file_api_v1beta1_event_proto_rawDesc = []byte{ 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x22, 0x0a, 0x0c, 0x4b, 0x38, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, - 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x2a, 0xf8, 0x4b, + 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x2a, 0xfb, 0x4b, 0x0a, 0x07, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x0f, 0x0a, 0x0b, 0x75, 0x6e, 0x73, 0x70, 0x65, 0x63, 0x69, 0x66, 0x69, 0x65, 0x64, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x72, 0x65, 0x61, 0x64, 0x10, 0x01, 0x12, 0x09, 0x0a, 0x05, 0x77, 0x72, 0x69, 0x74, 0x65, 0x10, 0x02, 0x12, @@ -3361,52 +3361,52 @@ var file_api_v1beta1_event_proto_rawDesc = []byte{ 0x10, 0xb9, 0x08, 0x12, 0x10, 0x0a, 0x0b, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x5f, 0x6c, 0x6f, 0x61, 0x64, 0x10, 0xba, 0x08, 0x12, 0x10, 0x0a, 0x0b, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x5f, 0x66, 0x72, 0x65, 0x65, 0x10, 0xbb, 0x08, 0x12, 0x15, 0x0a, 0x10, 0x65, 0x78, 0x65, 0x63, 0x75, - 0x74, 0x65, 0x5f, 0x66, 0x69, 0x6e, 0x69, 0x73, 0x68, 0x65, 0x64, 0x10, 0xbc, 0x08, 0x12, 0x21, - 0x0a, 0x1c, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x5f, 0x62, 0x70, 0x72, 0x6d, 0x5f, - 0x63, 0x72, 0x65, 0x64, 0x73, 0x5f, 0x66, 0x6f, 0x72, 0x5f, 0x65, 0x78, 0x65, 0x63, 0x10, 0xbd, - 0x08, 0x12, 0x14, 0x0a, 0x0f, 0x6e, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, - 0x69, 0x70, 0x76, 0x34, 0x10, 0xd0, 0x0f, 0x12, 0x14, 0x0a, 0x0f, 0x6e, 0x65, 0x74, 0x5f, 0x70, - 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x69, 0x70, 0x76, 0x36, 0x10, 0xd1, 0x0f, 0x12, 0x13, 0x0a, - 0x0e, 0x6e, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x74, 0x63, 0x70, 0x10, - 0xd2, 0x0f, 0x12, 0x13, 0x0a, 0x0e, 0x6e, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, - 0x5f, 0x75, 0x64, 0x70, 0x10, 0xd3, 0x0f, 0x12, 0x14, 0x0a, 0x0f, 0x6e, 0x65, 0x74, 0x5f, 0x70, - 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x69, 0x63, 0x6d, 0x70, 0x10, 0xd4, 0x0f, 0x12, 0x16, 0x0a, - 0x11, 0x6e, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x69, 0x63, 0x6d, 0x70, - 0x76, 0x36, 0x10, 0xd5, 0x0f, 0x12, 0x13, 0x0a, 0x0e, 0x6e, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, - 0x6b, 0x65, 0x74, 0x5f, 0x64, 0x6e, 0x73, 0x10, 0xd6, 0x0f, 0x12, 0x1b, 0x0a, 0x16, 0x6e, 0x65, - 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x64, 0x6e, 0x73, 0x5f, 0x72, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x10, 0xd7, 0x0f, 0x12, 0x1c, 0x0a, 0x17, 0x6e, 0x65, 0x74, 0x5f, 0x70, - 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x64, 0x6e, 0x73, 0x5f, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x10, 0xd8, 0x0f, 0x12, 0x14, 0x0a, 0x0f, 0x6e, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, - 0x6b, 0x65, 0x74, 0x5f, 0x68, 0x74, 0x74, 0x70, 0x10, 0xd9, 0x0f, 0x12, 0x1c, 0x0a, 0x17, 0x6e, - 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x72, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x10, 0xda, 0x0f, 0x12, 0x1d, 0x0a, 0x18, 0x6e, 0x65, 0x74, - 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x72, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x10, 0xdb, 0x0f, 0x12, 0x11, 0x0a, 0x0c, 0x6e, 0x65, 0x74, 0x5f, - 0x66, 0x6c, 0x6f, 0x77, 0x5f, 0x65, 0x6e, 0x64, 0x10, 0xdc, 0x0f, 0x12, 0x17, 0x0a, 0x12, 0x6e, - 0x65, 0x74, 0x5f, 0x66, 0x6c, 0x6f, 0x77, 0x5f, 0x74, 0x63, 0x70, 0x5f, 0x62, 0x65, 0x67, 0x69, - 0x6e, 0x10, 0xdd, 0x0f, 0x12, 0x15, 0x0a, 0x10, 0x6e, 0x65, 0x74, 0x5f, 0x66, 0x6c, 0x6f, 0x77, - 0x5f, 0x74, 0x63, 0x70, 0x5f, 0x65, 0x6e, 0x64, 0x10, 0xde, 0x0f, 0x12, 0x14, 0x0a, 0x0f, 0x6d, - 0x61, 0x78, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x10, 0xdf, - 0x0f, 0x12, 0x14, 0x0a, 0x0f, 0x6e, 0x65, 0x74, 0x5f, 0x74, 0x63, 0x70, 0x5f, 0x63, 0x6f, 0x6e, - 0x6e, 0x65, 0x63, 0x74, 0x10, 0xe0, 0x0f, 0x12, 0x14, 0x0a, 0x0f, 0x69, 0x6e, 0x69, 0x74, 0x5f, - 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x73, 0x10, 0xe1, 0x0f, 0x12, 0x15, 0x0a, - 0x10, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x5f, 0x63, 0x72, 0x65, 0x61, 0x74, - 0x65, 0x10, 0xe2, 0x0f, 0x12, 0x15, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, - 0x72, 0x5f, 0x72, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x10, 0xe3, 0x0f, 0x12, 0x17, 0x0a, 0x12, 0x65, - 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, - 0x72, 0x10, 0xe4, 0x0f, 0x12, 0x13, 0x0a, 0x0e, 0x68, 0x6f, 0x6f, 0x6b, 0x65, 0x64, 0x5f, 0x73, - 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x10, 0xe5, 0x0f, 0x12, 0x13, 0x0a, 0x0e, 0x68, 0x6f, 0x6f, - 0x6b, 0x65, 0x64, 0x5f, 0x73, 0x65, 0x71, 0x5f, 0x6f, 0x70, 0x73, 0x10, 0xe6, 0x0f, 0x12, 0x13, - 0x0a, 0x0e, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x73, 0x5f, 0x6c, 0x6f, 0x61, 0x64, 0x65, 0x64, - 0x10, 0xe7, 0x0f, 0x12, 0x16, 0x0a, 0x11, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x73, 0x5f, 0x63, - 0x6f, 0x6c, 0x6c, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x10, 0xe8, 0x0f, 0x12, 0x19, 0x0a, 0x14, 0x68, - 0x69, 0x64, 0x64, 0x65, 0x6e, 0x5f, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x5f, 0x6d, 0x6f, 0x64, - 0x75, 0x6c, 0x65, 0x10, 0xe9, 0x0f, 0x12, 0x10, 0x0a, 0x0b, 0x66, 0x74, 0x72, 0x61, 0x63, 0x65, - 0x5f, 0x68, 0x6f, 0x6f, 0x6b, 0x10, 0xea, 0x0f, 0x42, 0x2b, 0x5a, 0x29, 0x67, 0x69, 0x74, 0x68, - 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x2f, 0x61, 0x71, 0x75, 0x61, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, - 0x74, 0x79, 0x2f, 0x74, 0x72, 0x61, 0x63, 0x65, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, - 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x74, 0x65, 0x5f, 0x66, 0x69, 0x6e, 0x69, 0x73, 0x68, 0x65, 0x64, 0x10, 0xbc, 0x08, 0x12, 0x24, + 0x0a, 0x1f, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, + 0x65, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x65, 0x64, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, + 0x6c, 0x10, 0xbd, 0x08, 0x12, 0x14, 0x0a, 0x0f, 0x6e, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, + 0x65, 0x74, 0x5f, 0x69, 0x70, 0x76, 0x34, 0x10, 0xd0, 0x0f, 0x12, 0x14, 0x0a, 0x0f, 0x6e, 0x65, + 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x69, 0x70, 0x76, 0x36, 0x10, 0xd1, 0x0f, + 0x12, 0x13, 0x0a, 0x0e, 0x6e, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x74, + 0x63, 0x70, 0x10, 0xd2, 0x0f, 0x12, 0x13, 0x0a, 0x0e, 0x6e, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, + 0x6b, 0x65, 0x74, 0x5f, 0x75, 0x64, 0x70, 0x10, 0xd3, 0x0f, 0x12, 0x14, 0x0a, 0x0f, 0x6e, 0x65, + 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x69, 0x63, 0x6d, 0x70, 0x10, 0xd4, 0x0f, + 0x12, 0x16, 0x0a, 0x11, 0x6e, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x69, + 0x63, 0x6d, 0x70, 0x76, 0x36, 0x10, 0xd5, 0x0f, 0x12, 0x13, 0x0a, 0x0e, 0x6e, 0x65, 0x74, 0x5f, + 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x64, 0x6e, 0x73, 0x10, 0xd6, 0x0f, 0x12, 0x1b, 0x0a, + 0x16, 0x6e, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x64, 0x6e, 0x73, 0x5f, + 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x10, 0xd7, 0x0f, 0x12, 0x1c, 0x0a, 0x17, 0x6e, 0x65, + 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x64, 0x6e, 0x73, 0x5f, 0x72, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x10, 0xd8, 0x0f, 0x12, 0x14, 0x0a, 0x0f, 0x6e, 0x65, 0x74, 0x5f, + 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x68, 0x74, 0x74, 0x70, 0x10, 0xd9, 0x0f, 0x12, 0x1c, + 0x0a, 0x17, 0x6e, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x68, 0x74, 0x74, + 0x70, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x10, 0xda, 0x0f, 0x12, 0x1d, 0x0a, 0x18, + 0x6e, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x68, 0x74, 0x74, 0x70, 0x5f, + 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x10, 0xdb, 0x0f, 0x12, 0x11, 0x0a, 0x0c, 0x6e, + 0x65, 0x74, 0x5f, 0x66, 0x6c, 0x6f, 0x77, 0x5f, 0x65, 0x6e, 0x64, 0x10, 0xdc, 0x0f, 0x12, 0x17, + 0x0a, 0x12, 0x6e, 0x65, 0x74, 0x5f, 0x66, 0x6c, 0x6f, 0x77, 0x5f, 0x74, 0x63, 0x70, 0x5f, 0x62, + 0x65, 0x67, 0x69, 0x6e, 0x10, 0xdd, 0x0f, 0x12, 0x15, 0x0a, 0x10, 0x6e, 0x65, 0x74, 0x5f, 0x66, + 0x6c, 0x6f, 0x77, 0x5f, 0x74, 0x63, 0x70, 0x5f, 0x65, 0x6e, 0x64, 0x10, 0xde, 0x0f, 0x12, 0x14, + 0x0a, 0x0f, 0x6d, 0x61, 0x78, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x6e, 0x65, 0x74, 0x5f, 0x69, + 0x64, 0x10, 0xdf, 0x0f, 0x12, 0x14, 0x0a, 0x0f, 0x6e, 0x65, 0x74, 0x5f, 0x74, 0x63, 0x70, 0x5f, + 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x10, 0xe0, 0x0f, 0x12, 0x14, 0x0a, 0x0f, 0x69, 0x6e, + 0x69, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x73, 0x10, 0xe1, 0x0f, + 0x12, 0x15, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x5f, 0x63, 0x72, + 0x65, 0x61, 0x74, 0x65, 0x10, 0xe2, 0x0f, 0x12, 0x15, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x74, 0x61, + 0x69, 0x6e, 0x65, 0x72, 0x5f, 0x72, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x10, 0xe3, 0x0f, 0x12, 0x17, + 0x0a, 0x12, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x61, + 0x69, 0x6e, 0x65, 0x72, 0x10, 0xe4, 0x0f, 0x12, 0x13, 0x0a, 0x0e, 0x68, 0x6f, 0x6f, 0x6b, 0x65, + 0x64, 0x5f, 0x73, 0x79, 0x73, 0x63, 0x61, 0x6c, 0x6c, 0x10, 0xe5, 0x0f, 0x12, 0x13, 0x0a, 0x0e, + 0x68, 0x6f, 0x6f, 0x6b, 0x65, 0x64, 0x5f, 0x73, 0x65, 0x71, 0x5f, 0x6f, 0x70, 0x73, 0x10, 0xe6, + 0x0f, 0x12, 0x13, 0x0a, 0x0e, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x73, 0x5f, 0x6c, 0x6f, 0x61, + 0x64, 0x65, 0x64, 0x10, 0xe7, 0x0f, 0x12, 0x16, 0x0a, 0x11, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, + 0x73, 0x5f, 0x63, 0x6f, 0x6c, 0x6c, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x10, 0xe8, 0x0f, 0x12, 0x19, + 0x0a, 0x14, 0x68, 0x69, 0x64, 0x64, 0x65, 0x6e, 0x5f, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x5f, + 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x10, 0xe9, 0x0f, 0x12, 0x10, 0x0a, 0x0b, 0x66, 0x74, 0x72, + 0x61, 0x63, 0x65, 0x5f, 0x68, 0x6f, 0x6f, 0x6b, 0x10, 0xea, 0x0f, 0x42, 0x2b, 0x5a, 0x29, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x2f, 0x61, 0x71, 0x75, 0x61, 0x73, 0x65, 0x63, + 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x61, 0x63, 0x65, 0x65, 0x2f, 0x61, 0x70, 0x69, + 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var (