refactor: Rename event parameters to fields

This commit renames the `parameters` field in event definitions to `fields`. This change reflects the evolving nature of Tracee, which now supports various event types beyond just syscalls. The term "fields" more accurately describes the structured data within events, aligning with the concept of event schemas and the `data` section in the new event structure. This renaming also avoids future confusion with the planned introduction of "event parameters," which will be configurable settings for modifying event behavior.
aquasecurity · Nov 29, 2024 · abd8563 · abd8563
1 parent 0757020
commit abd8563
Show file tree

Hide file tree

Showing 24 changed files with 688 additions and 688 deletions.
diff --git a/pkg/bufferdecoder/decoder.go b/pkg/bufferdecoder/decoder.go
@@ -89,13 +89,13 @@ func (decoder *EbpfDecoder) DecodeContext(eCtx *EventContext) error {
 // DecodeArguments decodes the remaining buffer's argument values, according to the given event definition.
 // It should be called last, and after decoding the argnum with DecodeUint8.
 //
-// Argument array passed should be initialized with the size of len(evtParams).
-func (decoder *EbpfDecoder) DecodeArguments(args []trace.Argument, argnum int, evtParams []trace.ArgMeta, evtName string, eventId events.ID) error {
+// Argument array passed should be initialized with the size of len(evtFields).
+func (decoder *EbpfDecoder) DecodeArguments(args []trace.Argument, argnum int, evtFields []trace.ArgMeta, evtName string, eventId events.ID) error {
 	for i := 0; i < argnum; i++ {
 		idx, arg, err := readArgFromBuff(
 			eventId,
 			decoder,
-			evtParams,
+			evtFields,
 		)
 		if err != nil {
 			logger.Errorw("error reading argument from buffer", "error", errfmt.Errorf("failed to read argument %d of event %s: %v", i, evtName, err))
@@ -108,9 +108,9 @@ func (decoder *EbpfDecoder) DecodeArguments(args []trace.Argument, argnum int, e
 	}
 
 	// Fill missing arguments metadata
-	for i := 0; i < len(evtParams); i++ {
+	for i := 0; i < len(evtFields); i++ {
 		if args[i].Value == nil {
-			args[i].ArgMeta = evtParams[i]
+			args[i].ArgMeta = evtFields[i]
 			args[i].Value = args[i].Zero
 		}
 	}

diff --git a/pkg/bufferdecoder/eventsreader.go b/pkg/bufferdecoder/eventsreader.go
@@ -49,7 +49,7 @@ const (
 
 // readArgFromBuff read the next argument from the buffer.
 // Return the index of the argument and the parsed argument.
-func readArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.ArgMeta,
+func readArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, fields []trace.ArgMeta,
 ) (
 	uint, trace.Argument, error,
 ) {
@@ -62,11 +62,11 @@ func readArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.A
 	if err != nil {
 		return 0, arg, errfmt.Errorf("error reading arg index: %v", err)
 	}
-	if int(argIdx) >= len(params) {
+	if int(argIdx) >= len(fields) {
 		return 0, arg, errfmt.Errorf("invalid arg index %d", argIdx)
 	}
-	arg.ArgMeta = params[argIdx]
-	argType := GetParamType(arg.Type)
+	arg.ArgMeta = fields[argIdx]
+	argType := GetFieldType(arg.Type)
 
 	switch argType {
 	case u8T:
@@ -196,8 +196,8 @@ func readArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.A
 	return uint(argIdx), arg, nil
 }
 
-func GetParamType(paramType string) ArgType {
-	switch paramType {
+func GetFieldType(fieldType string) ArgType {
+	switch fieldType {
 	case "int", "pid_t", "uid_t", "gid_t", "mqd_t", "clockid_t", "const clockid_t", "key_t", "key_serial_t", "timer_t":
 		return intT
 	case "unsigned int", "u32":

diff --git a/pkg/bufferdecoder/eventsreader_test.go b/pkg/bufferdecoder/eventsreader_test.go
@@ -15,7 +15,7 @@ func TestReadArgFromBuff(t *testing.T) {
 	testCases := []struct {
 		name          string
 		input         []byte
-		params        []trace.ArgMeta
+		fields        []trace.ArgMeta
 		expectedArg   interface{}
 		expectedError error
 	}{
@@ -24,71 +24,71 @@ func TestReadArgFromBuff(t *testing.T) {
 			input: []byte{0,
 				0xFF, 0xFF, 0xFF, 0xFF, // -1
 			},
-			params:      []trace.ArgMeta{{Type: "int", Name: "int0"}},
+			fields:      []trace.ArgMeta{{Type: "int", Name: "int0"}},
 			expectedArg: int32(-1),
 		},
 		{
 			name: "uintT",
 			input: []byte{0,
 				0xFF, 0xFF, 0xFF, 0xFF, // 4294967295
 			},
-			params:      []trace.ArgMeta{{Type: "unsigned int", Name: "uint0"}},
+			fields:      []trace.ArgMeta{{Type: "unsigned int", Name: "uint0"}},
 			expectedArg: uint32(4294967295),
 		},
 		{
 			name: "longT",
 			input: []byte{0,
 				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // -1
 			},
-			params:      []trace.ArgMeta{{Type: "long", Name: "long0"}},
+			fields:      []trace.ArgMeta{{Type: "long", Name: "long0"}},
 			expectedArg: int64(-1),
 		},
 		{
 			name: "ulongT",
 			input: []byte{0,
 				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 18446744073709551615
 			},
-			params:      []trace.ArgMeta{{Type: "unsigned long", Name: "ulong0"}},
+			fields:      []trace.ArgMeta{{Type: "unsigned long", Name: "ulong0"}},
 			expectedArg: uint64(18446744073709551615),
 		},
 		{
 			name: "modeT",
 			input: []byte{0,
 				0xB6, 0x11, 0x0, 0x0, // 0x000011B6 == 010666 == S_IFIFO|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH
 			},
-			params:      []trace.ArgMeta{{Type: "mode_t", Name: "modeT0"}},
+			fields:      []trace.ArgMeta{{Type: "mode_t", Name: "modeT0"}},
 			expectedArg: uint32(0x11b6),
 		},
 		{
 			name: "devT",
 			input: []byte{0,
 				0xFF, 0xFF, 0xFF, 0xFF, // 4294967295
 			},
-			params:      []trace.ArgMeta{{Type: "dev_t", Name: "devT0"}},
+			fields:      []trace.ArgMeta{{Type: "dev_t", Name: "devT0"}},
 			expectedArg: uint32(4294967295),
 		},
 		{
 			name: "offT",
 			input: []byte{0,
 				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 18446744073709551615
 			},
-			params:      []trace.ArgMeta{{Type: "off_t", Name: "offT0"}},
+			fields:      []trace.ArgMeta{{Type: "off_t", Name: "offT0"}},
 			expectedArg: uint64(18446744073709551615),
 		},
 		{
 			name: "loffT",
 			input: []byte{0,
 				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 18446744073709551615
 			},
-			params:      []trace.ArgMeta{{Type: "loff_t", Name: "loffT0"}},
+			fields:      []trace.ArgMeta{{Type: "loff_t", Name: "loffT0"}},
 			expectedArg: uint64(18446744073709551615),
 		},
 		{ // This is expected to fail. TODO: change pointer parsed type to uint64
 			name: "pointerT",
 			input: []byte{0,
 				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 			},
-			params:      []trace.ArgMeta{{Type: "void*", Name: "pointer0"}},
+			fields:      []trace.ArgMeta{{Type: "void*", Name: "pointer0"}},
 			expectedArg: uintptr(0xFFFFFFFFFFFFFFFF),
 		},
 		{
@@ -97,7 +97,7 @@ func TestReadArgFromBuff(t *testing.T) {
 				16, 0, 0, 0, // len=16
 				47, 117, 115, 114, 47, 98, 105, 110, 47, 100, 111, 99, 107, 101, 114, 0, // /usr/bin/docker
 			},
-			params:      []trace.ArgMeta{{Type: "const char*", Name: "str0"}},
+			fields:      []trace.ArgMeta{{Type: "const char*", Name: "str0"}},
 			expectedArg: "/usr/bin/docker",
 		},
 		{
@@ -109,7 +109,7 @@ func TestReadArgFromBuff(t *testing.T) {
 				7, 0, 0, 0, // len=7
 				100, 111, 99, 107, 101, 114, 0, // docker
 			},
-			params:      []trace.ArgMeta{{Type: "const char*const*", Name: "strArr0"}},
+			fields:      []trace.ArgMeta{{Type: "const char*const*", Name: "strArr0"}},
 			expectedArg: []string{"/usr/bin", "docker"},
 		},
 		{
@@ -120,7 +120,7 @@ func TestReadArgFromBuff(t *testing.T) {
 				47, 117, 115, 114, 47, 98, 105, 110, 0, // /usr/bin
 				100, 111, 99, 107, 101, 114, 0, // docker
 			},
-			params:      []trace.ArgMeta{{Type: "const char**", Name: "argsArr0"}},
+			fields:      []trace.ArgMeta{{Type: "const char**", Name: "argsArr0"}},
 			expectedArg: []string{"/usr/bin", "docker"},
 		},
 		{
@@ -131,7 +131,7 @@ func TestReadArgFromBuff(t *testing.T) {
 				0xFF, 0xFF, 0xFF, 0xFF, // sin_addr=255.255.255.255
 				0, 0, 0, 0, 0, 0, 0, 0, // padding[8]
 			},
-			params:      []trace.ArgMeta{{Type: "struct sockaddr*", Name: "sockAddr0"}},
+			fields:      []trace.ArgMeta{{Type: "struct sockaddr*", Name: "sockAddr0"}},
 			expectedArg: map[string]string(map[string]string{"sa_family": "AF_INET", "sin_addr": "255.255.255.255", "sin_port": "65535"}),
 		},
 		{
@@ -140,7 +140,7 @@ func TestReadArgFromBuff(t *testing.T) {
 				1, 0, // sa_family=AF_UNIX
 				47, 116, 109, 112, 47, 115, 111, 99, 107, 101, 116, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 101, 110, 0, 0, 0, // sun_path=/tmp/socket
 			},
-			params:      []trace.ArgMeta{{Type: "struct sockaddr*", Name: "sockAddr0"}},
+			fields:      []trace.ArgMeta{{Type: "struct sockaddr*", Name: "sockAddr0"}},
 			expectedArg: map[string]string{"sa_family": "AF_UNIX", "sun_path": "/tmp/socket"},
 		},
 		{
@@ -153,15 +153,15 @@ func TestReadArgFromBuff(t *testing.T) {
 			input: []byte{0,
 				0, 0, 0, 1, // len=16777216
 			},
-			params:        []trace.ArgMeta{{Type: "const char*", Name: "str0"}},
+			fields:        []trace.ArgMeta{{Type: "const char*", Name: "str0"}},
 			expectedError: errors.New("string size too big: 16777216"),
 		},
 		{
-			name: "multiple params",
+			name: "multiple fields",
 			input: []byte{1,
 				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 18446744073709551615
 			},
-			params:      []trace.ArgMeta{{Type: "const char*", Name: "str0"}, {Type: "off_t", Name: "offT1"}},
+			fields:      []trace.ArgMeta{{Type: "const char*", Name: "str0"}, {Type: "off_t", Name: "offT1"}},
 			expectedArg: uint64(18446744073709551615),
 		},
 	}
@@ -173,7 +173,7 @@ func TestReadArgFromBuff(t *testing.T) {
 			t.Parallel()
 
 			decoder := New(tc.input)
-			_, actual, err := readArgFromBuff(0, decoder, tc.params)
+			_, actual, err := readArgFromBuff(0, decoder, tc.fields)
 
 			if tc.expectedError != nil {
 				assert.ErrorContains(t, err, tc.expectedError.Error())

diff --git a/pkg/cmd/gptdocs.go b/pkg/cmd/gptdocs.go
@@ -193,7 +193,7 @@ func (r GPTDocsRunner) GenerateSyscall(
 
 	var y []byte
 
-	y, err = yaml.Marshal(evt.GetParams())
+	y, err = yaml.Marshal(evt.GetFields())
 	if err != nil {
 		logger.Errorw("Error marshaling event", "err", err)
 	}
@@ -213,7 +213,7 @@ given syscall. The template for this markdown file is the following:
 	reqStr := fmt.Sprintf("%s"+ // head
 		"\n%s\n\n"+ // template
 		"The event, or syscall, name is \"%s\" "+
-		"and the parameter names and types are:\n"+
+		"and the field names and types are:\n"+
 		"\n%s\n",
 		headNote, templateYaml, evt.GetName(), eventArgsYaml,
 	)

diff --git a/pkg/cmd/initialize/sigs/sigs_test.go b/pkg/cmd/initialize/sigs/sigs_test.go
@@ -174,7 +174,7 @@ func Test_CreateEventsFromSigs(t *testing.T) {
 				assert.Equal(t, expected.IsInternal(), eventDefinition.IsInternal())
 				assert.Equal(t, expected.IsSyscall(), eventDefinition.IsSyscall())
 				assert.ElementsMatch(t, expected.GetSets(), eventDefinition.GetSets())
-				assert.ElementsMatch(t, expected.GetParams(), eventDefinition.GetParams())
+				assert.ElementsMatch(t, expected.GetFields(), eventDefinition.GetFields())
 
 				dependencies := eventDefinition.GetDependencies()
 				expDependencies := expected.GetDependencies()

diff --git a/pkg/cmd/list.go b/pkg/cmd/list.go
@@ -13,9 +13,9 @@ import (
 
 func PrintEventList(includeSigs bool, wideOutput bool) {
 	// TODO: Create String() method in types trace.ArgMeta
-	paramsToString := func(params []trace.ArgMeta) string {
+	fieldsToString := func(fields []trace.ArgMeta) string {
 		strSlice := []string{}
-		for _, p := range params {
+		for _, p := range fields {
 			strSlice = append(strSlice, p.Type+" "+p.Name)
 		}
 		return strings.Join(strSlice, ", ")
@@ -50,7 +50,7 @@ func PrintEventList(includeSigs bool, wideOutput bool) {
 		return []string{
 			evtDef.GetName(),
 			strings.Join(evtDef.GetSets(), ", "),
-			paramsToString(evtDef.GetParams()),
+			fieldsToString(evtDef.GetFields()),
 		}
 	}
 

diff --git a/pkg/ebpf/c/common/buffer.h b/pkg/ebpf/c/common/buffer.h
@@ -386,12 +386,12 @@ statfunc int save_args_to_submit_buf(event_data_t *event, args_t *args)
     void *arg;
     short family;
 
-    if (unlikely(event->config.param_types == 0))
+    if (unlikely(event->config.field_types == 0))
         return 0;
 
 #pragma unroll
     for (i = 0; i < 6; i++) {
-        type = DEC_ARG(i, event->config.param_types);
+        type = DEC_ARG(i, event->config.field_types);
 
         // bounds check for the verifier
         if (unlikely(type > ARG_TYPE_MAX_ARRAY))

diff --git a/pkg/ebpf/c/common/context.h b/pkg/ebpf/c/common/context.h
@@ -194,7 +194,7 @@ statfunc int init_program_data(program_data_t *p, void *ctx, u32 event_id)
         p->event->config.submit_for_policies = 0;
         event_config_t *event_config = get_event_config(event_id, p->event->context.policies_version);
         if (event_config != NULL) {
-            p->event->config.param_types = event_config->param_types;
+            p->event->config.field_types = event_config->field_types;
             p->event->config.submit_for_policies = event_config->submit_for_policies;
         }
     }
@@ -251,7 +251,7 @@ statfunc bool reset_event(event_data_t *event, u32 event_id)
     if (event_config == NULL)
         return false;
 
-    event->config.param_types = event_config->param_types;
+    event->config.field_types = event_config->field_types;
     event->config.submit_for_policies = event_config->submit_for_policies;
     event->context.matched_policies = event_config->submit_for_policies;
 

diff --git a/pkg/ebpf/c/types.h b/pkg/ebpf/c/types.h
@@ -348,7 +348,7 @@ typedef struct config_entry {
 
 typedef struct event_config {
     u64 submit_for_policies;
-    u64 param_types;
+    u64 field_types;
 } event_config_t;
 
 enum capture_options_e

diff --git a/pkg/ebpf/controlplane/signal.go b/pkg/ebpf/controlplane/signal.go
@@ -30,10 +30,10 @@ func (sig *signal) Unmarshal(buffer []byte) error {
 		return errfmt.Errorf("failed to get event %d configuration", sig.id)
 	}
 	eventDefinition := events.Core.GetDefinitionByID(sig.id)
-	evtParams := eventDefinition.GetParams()
+	evtFields := eventDefinition.GetFields()
 	evtName := eventDefinition.GetName()
-	sig.args = make([]trace.Argument, len(evtParams))
-	err = ebpfDecoder.DecodeArguments(sig.args, int(argnum), evtParams, evtName, sig.id)
+	sig.args = make([]trace.Argument, len(evtFields))
+	err = ebpfDecoder.DecodeArguments(sig.args, int(argnum), evtFields, evtName, sig.id)
 	if err != nil {
 		return errfmt.Errorf("failed to decode signal arguments: %v", err)
 	}

diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
@@ -182,10 +182,10 @@ func (t *Tracee) decodeEvents(ctx context.Context, sourceChan chan []byte) (<-ch
 				continue
 			}
 			eventDefinition := events.Core.GetDefinitionByID(eventId)
-			evtParams := eventDefinition.GetParams()
+			evtFields := eventDefinition.GetFields()
 			evtName := eventDefinition.GetName()
-			args := make([]trace.Argument, len(evtParams))
-			err := ebpfMsgDecoder.DecodeArguments(args, int(argnum), evtParams, evtName, eventId)
+			args := make([]trace.Argument, len(evtFields))
+			err := ebpfMsgDecoder.DecodeArguments(args, int(argnum), evtFields, evtName, eventId)
 			if err != nil {
 				t.handleError(err)
 				continue

diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -68,7 +68,7 @@ type Tracee struct {
 	// Events
 	eventsSorter     *sorting.EventsChronologicalSorter
 	eventsPool       *sync.Pool
-	eventsParamTypes map[events.ID][]bufferdecoder.ArgType
+	eventsFieldTypes map[events.ID][]bufferdecoder.ArgType
 	eventProcessor   map[events.ID][]func(evt *trace.Event) error
 	eventDerivations derive.Table
 	// Artifacts
@@ -415,14 +415,14 @@ func (t *Tracee) Init(ctx gocontext.Context) error {
 		return errfmt.Errorf("error initializing event derivation map: %v", err)
 	}
 
-	// Initialize events parameter types map
+	// Initialize events field types map
 
-	t.eventsParamTypes = make(map[events.ID][]bufferdecoder.ArgType)
+	t.eventsFieldTypes = make(map[events.ID][]bufferdecoder.ArgType)
 	for _, eventDefinition := range events.Core.GetDefinitions() {
 		id := eventDefinition.GetID()
-		params := eventDefinition.GetParams()
-		for _, param := range params {
-			t.eventsParamTypes[id] = append(t.eventsParamTypes[id], bufferdecoder.GetParamType(param.Type))
+		fields := eventDefinition.GetFields()
+		for _, field := range fields {
+			t.eventsFieldTypes[id] = append(t.eventsFieldTypes[id], bufferdecoder.GetFieldType(field.Type))
 		}
 	}
 
@@ -1115,7 +1115,7 @@ func (t *Tracee) populateFilterMaps(updateProcTree bool) error {
 	polCfg, err := t.policyManager.UpdateBPF(
 		t.bpfModule,
 		t.containers,
-		t.eventsParamTypes,
+		t.eventsFieldTypes,
 		true,
 		updateProcTree,
 	)
@@ -1277,7 +1277,7 @@ func (t *Tracee) initBPF() error {
 	}
 
 	// returned PoliciesConfig is not used here, therefore it's discarded
-	_, err = t.policyManager.UpdateBPF(t.bpfModule, t.containers, t.eventsParamTypes, false, true)
+	_, err = t.policyManager.UpdateBPF(t.bpfModule, t.containers, t.eventsFieldTypes, false, true)
 	if err != nil {
 		return errfmt.WrapError(err)
 	}