From 9ac7394a42e7110b3a9b6d090e991322ecf445e5 Mon Sep 17 00:00:00 2001
From: Paul Cacheux
Date: Thu, 28 Nov 2024 19:08:38 +0100
Subject: [PATCH 1/6] [CWS] collect resolved fields in context

---
 pkg/security/secl/compiler/eval/context.go   |   15 +
 .../generators/accessors/accessors.tmpl      |    2 +
 pkg/security/secl/model/accessors_unix.go    | 1410 +++++++++++++++++
 pkg/security/secl/model/accessors_windows.go |  151 ++
 4 files changed, 1578 insertions(+)

diff --git a/pkg/security/secl/compiler/eval/context.go b/pkg/security/secl/compiler/eval/context.go
index dc8804a459c50..6348329b3ed6b 100644
--- a/pkg/security/secl/compiler/eval/context.go
+++ b/pkg/security/secl/compiler/eval/context.go
@@ -35,6 +35,8 @@ type Context struct {
 	now time.Time
 
 	CachedAncestorsCount int
+
+	resolvedFields []string
 }
 
 // Now return and cache the `now` timestamp
@@ -61,6 +63,19 @@ func (c *Context) Reset() {
 	clear(c.Registers)
 	clear(c.RegisterCache)
 	c.CachedAncestorsCount = 0
+	clear(c.resolvedFields)
+}
+
+func (c *Context) AppendResolvedField(field string) {
+	if field == "" {
+		return
+	}
+
+	c.resolvedFields = append(c.resolvedFields, field)
+}
+
+func (c *Context) GetResolvedFields() []string {
+	return c.resolvedFields
 }
 
 // NewContext return a new Context
diff --git a/pkg/security/secl/compiler/generators/accessors/accessors.tmpl b/pkg/security/secl/compiler/generators/accessors/accessors.tmpl
index 979b8776cc535..4829db9985f8a 100644
--- a/pkg/security/secl/compiler/generators/accessors/accessors.tmpl
+++ b/pkg/security/secl/compiler/generators/accessors/accessors.tmpl
@@ -67,6 +67,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
 {{- end}}
 {{- if and $Field.Iterator (not $Field.IsIterator) }}
 			EvalFnc: func(ctx *eval.Context) []{{$Field.ReturnType}} {
+				ctx.AppendResolvedField(field)
 				{{if $Field.Handler}}
 				ev := ctx.Event.(*Event)
 				{{end}}
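Review bot: In the Reset hunk of context.go, `clear(c.resolvedFields)` zeroes the elements but leaves the slice length unchanged, so after the first evaluation every later GetResolvedFields call returns leading empty strings and the backing array grows without bound, since the two accessors.tmpl hunks append one entry per evaluator invocation. Reset should truncate instead: `c.resolvedFields = c.resolvedFields[:0]`, which is also safe on a nil slice. The two new exported methods lack the doc comments this file puts on its other exported names; suggested `// AppendResolvedField records a field whose evaluator ran since the last Reset; empty names are ignored.` and `// GetResolvedFields returns the fields recorded since the last Reset; the returned slice is shared with the Context and is invalidated by Reset.` Because GetResolvedFields hands out the internal slice, a caller that keeps it across a Reset sees it mutated, so either document that or return a copy.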
@@ -181,6 +182,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
 {{- else}}
 {{- $ReturnType := $Field.ReturnType}}
 			EvalFnc: func(ctx *eval.Context) {{$Field.GetArrayPrefix}}{{$ReturnType}} {
+				ctx.AppendResolvedField(field)
 				{{- if not (and $Field.IsLength $Field.IsIterator)}}
 				ev := ctx.Event.(*Event)
 				{{end}}
diff --git a/pkg/security/secl/model/accessors_unix.go b/pkg/security/secl/model/accessors_unix.go
index 2d8d69b7f0c7a..50664604aaf6a 100644
--- a/pkg/security/secl/model/accessors_unix.go
+++ b/pkg/security/secl/model/accessors_unix.go
@@ -86,6 +86,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
 	case "bind.addr.family":
 		return &eval.IntEvaluator{
 			EvalFnc: func(ctx *eval.Context) int {
+				ctx.AppendResolvedField(field)
 				ev := ctx.Event.(*Event)
 				return int(ev.Bind.AddrFamily)
 			},
@@ -95,6 +96,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
 	case "bind.addr.ip":
 		return &eval.CIDREvaluator{
 			EvalFnc: func(ctx *eval.Context) net.IPNet {
+				ctx.AppendResolvedField(field)
 				ev := ctx.Event.(*Event)
 				return ev.Bind.Addr.IPNet
 			},
@@ -104,6 +106,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
 	case "bind.addr.is_public":
 		return &eval.BoolEvaluator{
 			EvalFnc: func(ctx *eval.Context) bool {
+				ctx.AppendResolvedField(field)
 				ev := ctx.Event.(*Event)
 				return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.Bind.Addr)
 			},
@@ -113,6 +116,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval
 	case "bind.addr.port":
 		return &eval.IntEvaluator{
 			EvalFnc: func(ctx *eval.Context) int {
+				ctx.AppendResolvedField(field)
 				ev := ctx.Event.(*Event)
 				return int(ev.Bind.Addr.Port)
 			},
@@ -122,6 +126,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "bind.protocol": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Bind.Protocol) }, @@ -131,6 +136,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "bind.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Bind.SyscallEvent.Retval) }, @@ -140,6 +146,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "bpf.cmd": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BPF.Cmd) }, @@ -149,6 +156,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "bpf.map.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BPF.Map.Name }, @@ -158,6 +166,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "bpf.map.type": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BPF.Map.Type) }, @@ -167,6 +176,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "bpf.prog.attach_type": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BPF.Program.AttachType) }, 
@@ -176,6 +186,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "bpf.prog.helpers": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) result := make([]int, len(ev.BPF.Program.Helpers)) for i, v := range ev.BPF.Program.Helpers { @@ -189,6 +200,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "bpf.prog.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BPF.Program.Name }, @@ -198,6 +210,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "bpf.prog.tag": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BPF.Program.Tag }, @@ -207,6 +220,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "bpf.prog.type": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BPF.Program.Type) }, @@ -216,6 +230,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "bpf.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BPF.SyscallEvent.Retval) }, @@ -225,6 +240,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "capset.cap_effective": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Capset.CapEffective) }, 
@@ -234,6 +250,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "capset.cap_permitted": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Capset.CapPermitted) }, @@ -243,6 +260,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "cgroup.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.CGroupContext.CGroupFile.Inode) }, @@ -252,6 +270,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "cgroup.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.CGroupContext.CGroupFile.MountID) }, @@ -261,6 +280,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "cgroup.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveCGroupID(ev, &ev.CGroupContext) }, @@ -270,6 +290,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "cgroup.manager": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.CGroupContext) }, @@ -279,6 +300,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chdir.File.FileFields.CTime) }, 
@@ -288,6 +310,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chdir.File) }, @@ -297,6 +320,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chdir.File.FileFields.GID) }, @@ -306,6 +330,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chdir.File.FileFields) }, @@ -315,6 +340,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chdir.File) }, @@ -324,6 +350,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chdir.File.FileFields) }, @@ -333,6 +360,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chdir.File.FileFields.PathKey.Inode) }, 
@@ -342,6 +370,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chdir.File.FileFields.Mode) }, @@ -351,6 +380,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chdir.File.FileFields.MTime) }, @@ -360,6 +390,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chdir.File.FileFields.PathKey.MountID) }, @@ -370,6 +401,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chdir.File) }, @@ -380,6 +412,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chdir.File)) }, @@ -389,6 +422,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chdir.File) }, 
@@ -398,6 +432,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chdir.File) }, @@ -407,6 +442,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chdir.File) }, @@ -417,6 +453,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chdir.File) }, @@ -427,6 +464,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Chdir.File)) }, @@ -436,6 +474,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.Chdir.File.FileFields)) }, @@ -445,6 +484,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chdir.File.FileFields.UID) }, 
@@ -454,6 +494,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chdir.File.FileFields) }, @@ -463,6 +504,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chdir.SyscallEvent.Retval) }, @@ -472,6 +514,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chdir.syscall.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Chdir.SyscallContext) }, @@ -481,6 +524,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chmod.File.FileFields.CTime) }, @@ -490,6 +534,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.destination.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chmod.Mode) }, @@ -499,6 +544,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.destination.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chmod.Mode) }, 
@@ -508,6 +554,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chmod.File) }, @@ -517,6 +564,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chmod.File.FileFields.GID) }, @@ -526,6 +574,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chmod.File.FileFields) }, @@ -535,6 +584,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chmod.File) }, @@ -544,6 +594,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chmod.File.FileFields) }, @@ -553,6 +604,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chmod.File.FileFields.PathKey.Inode) }, 
@@ -562,6 +614,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chmod.File.FileFields.Mode) }, @@ -571,6 +624,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chmod.File.FileFields.MTime) }, @@ -580,6 +634,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chmod.File.FileFields.PathKey.MountID) }, @@ -590,6 +645,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chmod.File) }, @@ -600,6 +656,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chmod.File)) }, @@ -609,6 +666,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chmod.File) }, 
@@ -618,6 +676,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chmod.File) }, @@ -627,6 +686,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chmod.File) }, @@ -637,6 +697,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chmod.File) }, @@ -647,6 +708,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Chmod.File)) }, @@ -656,6 +718,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.Chmod.File.FileFields)) }, @@ -665,6 +728,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chmod.File.FileFields.UID) }, 
@@ -674,6 +738,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chmod.File.FileFields) }, @@ -683,6 +748,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chmod.SyscallEvent.Retval) }, @@ -692,6 +758,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.syscall.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt2(ev, &ev.Chmod.SyscallContext)) }, @@ -701,6 +768,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chmod.syscall.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Chmod.SyscallContext) }, @@ -710,6 +778,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chown.File.FileFields.CTime) }, @@ -719,6 +788,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.destination.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chown.GID) }, 
@@ -728,6 +798,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.destination.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveChownGID(ev, &ev.Chown) }, @@ -737,6 +808,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.destination.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chown.UID) }, @@ -746,6 +818,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.destination.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveChownUID(ev, &ev.Chown) }, @@ -755,6 +828,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Chown.File) }, @@ -764,6 +838,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chown.File.FileFields.GID) }, @@ -773,6 +848,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Chown.File.FileFields) }, 
@@ -782,6 +858,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Chown.File) }, @@ -791,6 +868,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Chown.File.FileFields) }, @@ -800,6 +878,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chown.File.FileFields.PathKey.Inode) }, @@ -809,6 +888,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chown.File.FileFields.Mode) }, @@ -818,6 +898,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chown.File.FileFields.MTime) }, @@ -827,6 +908,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chown.File.FileFields.PathKey.MountID) }, 
@@ -837,6 +919,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chown.File) }, @@ -847,6 +930,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Chown.File)) }, @@ -856,6 +940,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.Chown.File) }, @@ -865,6 +950,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Chown.File) }, @@ -874,6 +960,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Chown.File) }, 
@@ -884,6 +971,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Chown.File) }, @@ -894,6 +982,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Chown.File)) }, @@ -903,6 +992,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.Chown.File.FileFields)) }, @@ -912,6 +1002,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chown.File.FileFields.UID) }, @@ -921,6 +1012,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Chown.File.FileFields) }, @@ -930,6 +1022,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Chown.SyscallEvent.Retval) }, 
@@ -939,6 +1032,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.syscall.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt3(ev, &ev.Chown.SyscallContext)) }, @@ -948,6 +1042,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.syscall.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Chown.SyscallContext) }, @@ -957,6 +1052,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "chown.syscall.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt2(ev, &ev.Chown.SyscallContext)) }, @@ -966,6 +1062,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "connect.addr.family": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Connect.AddrFamily) }, @@ -975,6 +1072,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "connect.addr.ip": return &eval.CIDREvaluator{ EvalFnc: func(ctx *eval.Context) net.IPNet { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Connect.Addr.IPNet }, @@ -984,6 +1082,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "connect.addr.is_public": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.Connect.Addr) }, 
@@ -993,6 +1092,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "connect.addr.port": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Connect.Addr.Port) }, @@ -1002,6 +1102,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "connect.protocol": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Connect.Protocol) }, @@ -1011,6 +1112,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "connect.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Connect.SyscallEvent.Retval) }, @@ -1020,6 +1122,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "container.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.BaseEvent.ContainerContext)) }, @@ -1029,6 +1132,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveContainerID(ev, ev.BaseEvent.ContainerContext) }, @@ -1038,6 +1142,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "container.runtime": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveContainerRuntime(ev, ev.BaseEvent.ContainerContext) }, 
@@ -1047,6 +1152,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "container.tags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext) }, @@ -1056,6 +1162,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "dns.id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.DNS.ID) }, @@ -1065,6 +1172,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "dns.question.class": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.DNS.Class) }, @@ -1074,6 +1182,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "dns.question.count": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.DNS.Count) }, @@ -1083,6 +1192,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "dns.question.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.DNS.Size) }, @@ -1093,6 +1203,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.DNS.Name }, 
@@ -1103,6 +1214,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.DNS.Name) }, @@ -1112,6 +1224,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "dns.question.type": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.DNS.Type) }, @@ -1121,6 +1234,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.async": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveAsync(ev) }, @@ -1130,6 +1244,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.hostname": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHostname(ev, &ev.BaseEvent) }, @@ -1139,6 +1254,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.origin": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.Origin }, @@ -1148,6 +1264,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.os": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.Os }, 
@@ -1157,6 +1274,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.service": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveService(ev, &ev.BaseEvent) }, @@ -1166,6 +1284,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.timestamp": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveEventTimestamp(ev, &ev.BaseEvent)) }, @@ -1175,6 +1294,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.args": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Exec.Process) }, @@ -1184,6 +1304,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.args_flags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Exec.Process) }, @@ -1193,6 +1314,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.args_options": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Exec.Process) }, @@ -1202,6 +1324,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.args_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Exec.Process) }, 
@@ -1211,6 +1334,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.argv": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Exec.Process) }, @@ -1220,6 +1344,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.argv0": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Exec.Process) }, @@ -1229,6 +1354,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.auid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.Credentials.AUID) }, @@ -1238,6 +1364,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.cap_effective": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.Credentials.CapEffective) }, @@ -1247,6 +1374,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.cap_permitted": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.Credentials.CapPermitted) }, @@ -1256,6 +1384,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.cgroup.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.CGroup.CGroupFile.Inode) }, 
@@ -1265,6 +1394,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.cgroup.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.CGroup.CGroupFile.MountID) }, @@ -1274,6 +1404,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.cgroup.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveCGroupID(ev, &ev.Exec.Process.CGroup) }, @@ -1283,6 +1414,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.cgroup.manager": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.Exec.Process.CGroup) }, @@ -1292,6 +1424,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.comm": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.Comm }, @@ -1301,6 +1434,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessContainerID(ev, ev.Exec.Process) }, @@ -1310,6 +1444,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exec.Process)) }, 
@@ -1319,6 +1454,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.egid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.Credentials.EGID) }, @@ -1328,6 +1464,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.egroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.Credentials.EGroup }, @@ -1337,6 +1474,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process) }, @@ -1346,6 +1484,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process) }, @@ -1355,6 +1494,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.envs_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Exec.Process) }, @@ -1364,6 +1504,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.euid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.Credentials.EUID) }, 
@@ -1373,6 +1514,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.euser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.Credentials.EUser }, @@ -1382,6 +1524,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return 0 @@ -1394,6 +1537,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return "" @@ -1406,6 +1550,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return 0 @@ -1418,6 +1563,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return "" @@ -1430,6 +1576,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return []string{} 
@@ -1442,6 +1589,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return false @@ -1454,6 +1602,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return 0 @@ -1466,6 +1615,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return 0 @@ -1478,6 +1628,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return 0 @@ -1490,6 +1641,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return 0 @@ -1503,6 +1655,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return "" 
@@ -1516,6 +1669,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent)) }, @@ -1525,6 +1679,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return "" @@ -1537,6 +1692,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return "" @@ -1549,6 +1705,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return "" @@ -1562,6 +1719,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return "" @@ -1575,6 +1733,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent)) }, 
@@ -1584,6 +1743,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return 0 @@ -1596,6 +1756,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return 0 @@ -1608,6 +1769,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.IsNotKworker() { return "" @@ -1620,6 +1782,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.fsgid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.Credentials.FSGID) }, @@ -1629,6 +1792,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.fsgroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.Credentials.FSGroup }, @@ -1638,6 +1802,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.fsuid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.Credentials.FSUID) }, 
@@ -1647,6 +1812,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.fsuser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.Credentials.FSUser }, @@ -1656,6 +1822,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.Credentials.GID) }, @@ -1665,6 +1832,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.Credentials.Group }, @@ -1674,6 +1842,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return 0 @@ -1686,6 +1855,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return "" @@ -1698,6 +1868,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return 0 
@@ -1710,6 +1881,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return "" @@ -1722,6 +1894,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return []string{} @@ -1734,6 +1907,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return false @@ -1746,6 +1920,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return 0 @@ -1758,6 +1933,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return 0 @@ -1770,6 +1946,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return 0 
@@ -1782,6 +1959,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return 0 @@ -1795,6 +1973,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return "" @@ -1808,6 +1987,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.LinuxBinprm.FileEvent)) }, @@ -1817,6 +1997,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return "" @@ -1829,6 +2010,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return "" @@ -1841,6 +2023,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return "" 
@@ -1854,6 +2037,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return "" @@ -1867,6 +2051,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.LinuxBinprm.FileEvent)) }, @@ -1876,6 +2061,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return 0 @@ -1888,6 +2074,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return 0 @@ -1900,6 +2087,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.interpreter.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exec.Process.HasInterpreter() { return "" @@ -1912,6 +2100,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.is_exec": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.IsExec }, 
@@ -1921,6 +2110,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.is_kworker": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.PIDContext.IsKworker }, @@ -1930,6 +2120,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.is_thread": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessIsThread(ev, ev.Exec.Process) }, @@ -1939,6 +2130,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.PIDContext.Pid) }, @@ -1948,6 +2140,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.PPid) }, @@ -1957,6 +2150,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.syscall.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Exec.SyscallContext) }, @@ -1966,6 +2160,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.tid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.PIDContext.Tid) }, 
@@ -1975,6 +2170,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.tty_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.TTYName }, @@ -1984,6 +2180,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.Credentials.UID) }, @@ -1993,6 +2190,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.Credentials.User }, @@ -2002,6 +2200,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.user_session.k8s_groups": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Exec.Process.UserSession) }, @@ -2011,6 +2210,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.user_session.k8s_uid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Exec.Process.UserSession) }, @@ -2020,6 +2220,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.user_session.k8s_username": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Exec.Process.UserSession) }, 
@@ -2029,6 +2230,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.args": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgs(ev, ev.Exit.Process) }, @@ -2038,6 +2240,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.args_flags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsFlags(ev, ev.Exit.Process) }, @@ -2047,6 +2250,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.args_options": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsOptions(ev, ev.Exit.Process) }, @@ -2056,6 +2260,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.args_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, ev.Exit.Process) }, @@ -2065,6 +2270,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.argv": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgv(ev, ev.Exit.Process) }, @@ -2074,6 +2280,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.argv0": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgv0(ev, ev.Exit.Process) }, 
@@ -2083,6 +2290,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.auid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.Credentials.AUID) }, @@ -2092,6 +2300,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.cap_effective": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.Credentials.CapEffective) }, @@ -2101,6 +2310,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.cap_permitted": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.Credentials.CapPermitted) }, @@ -2110,6 +2320,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.cause": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Cause) }, @@ -2119,6 +2330,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.cgroup.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.CGroup.CGroupFile.Inode) }, @@ -2128,6 +2340,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.cgroup.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.CGroup.CGroupFile.MountID) }, 
@@ -2137,6 +2350,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.cgroup.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveCGroupID(ev, &ev.Exit.Process.CGroup) }, @@ -2146,6 +2360,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.cgroup.manager": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.Exit.Process.CGroup) }, @@ -2155,6 +2370,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.code": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Code) }, @@ -2164,6 +2380,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.comm": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.Comm }, @@ -2173,6 +2390,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessContainerID(ev, ev.Exit.Process) }, @@ -2182,6 +2400,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exit.Process)) }, 
@@ -2191,6 +2410,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.egid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.Credentials.EGID) }, @@ -2200,6 +2420,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.egroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.Credentials.EGroup }, @@ -2209,6 +2430,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process) }, @@ -2218,6 +2440,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process) }, @@ -2227,6 +2450,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.envs_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, ev.Exit.Process) }, @@ -2236,6 +2460,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.euid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.Credentials.EUID) }, 
@@ -2245,6 +2470,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.euser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.Credentials.EUser }, @@ -2254,6 +2480,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return 0 @@ -2266,6 +2493,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return "" @@ -2278,6 +2506,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return 0 @@ -2290,6 +2519,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return "" @@ -2302,6 +2532,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return []string{} 
@@ -2314,6 +2545,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return false @@ -2326,6 +2558,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return 0 @@ -2338,6 +2571,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return 0 @@ -2350,6 +2584,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return 0 @@ -2362,6 +2597,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return 0 @@ -2375,6 +2611,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return "" 
@@ -2388,6 +2625,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent)) }, @@ -2397,6 +2635,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return "" @@ -2409,6 +2648,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return "" @@ -2421,6 +2661,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return "" @@ -2434,6 +2675,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return "" @@ -2447,6 +2689,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent)) }, 
@@ -2456,6 +2699,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return 0 @@ -2468,6 +2712,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return 0 @@ -2480,6 +2725,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.IsNotKworker() { return "" @@ -2492,6 +2738,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.fsgid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.Credentials.FSGID) }, @@ -2501,6 +2748,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.fsgroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.Credentials.FSGroup }, @@ -2510,6 +2758,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.fsuid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.Credentials.FSUID) }, 
@@ -2519,6 +2768,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.fsuser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.Credentials.FSUser }, @@ -2528,6 +2778,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.Credentials.GID) }, @@ -2537,6 +2788,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.Credentials.Group }, @@ -2546,6 +2798,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return 0 @@ -2558,6 +2811,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return "" @@ -2570,6 +2824,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return 0 
@@ -2582,6 +2837,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return "" @@ -2594,6 +2850,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return []string{} @@ -2606,6 +2863,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return false @@ -2618,6 +2876,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return 0 @@ -2630,6 +2889,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return 0 @@ -2642,6 +2902,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return 0 
@@ -2654,6 +2915,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return 0 @@ -2667,6 +2929,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return "" @@ -2680,6 +2943,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.LinuxBinprm.FileEvent)) }, @@ -2689,6 +2953,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return "" @@ -2701,6 +2966,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return "" @@ -2713,6 +2979,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return "" 
@@ -2726,6 +2993,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return "" @@ -2739,6 +3007,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.LinuxBinprm.FileEvent)) }, @@ -2748,6 +3017,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return 0 @@ -2760,6 +3030,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return 0 @@ -2772,6 +3043,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.interpreter.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Exit.Process.HasInterpreter() { return "" @@ -2784,6 +3056,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.is_exec": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.IsExec }, 
@@ -2793,6 +3066,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.is_kworker": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.PIDContext.IsKworker }, @@ -2802,6 +3076,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.is_thread": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessIsThread(ev, ev.Exit.Process) }, @@ -2811,6 +3086,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.PIDContext.Pid) }, @@ -2820,6 +3096,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.PPid) }, @@ -2829,6 +3106,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.tid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.PIDContext.Tid) }, @@ -2838,6 +3116,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.tty_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.TTYName }, 
@@ -2847,6 +3126,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.Credentials.UID) }, @@ -2856,6 +3136,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.Credentials.User }, @@ -2865,6 +3146,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.user_session.k8s_groups": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Exit.Process.UserSession) }, @@ -2874,6 +3156,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.user_session.k8s_uid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Exit.Process.UserSession) }, @@ -2883,6 +3166,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.user_session.k8s_username": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Exit.Process.UserSession) }, @@ -2892,6 +3176,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "imds.aws.is_imds_v2": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.IMDS.AWS.IsIMDSv2 }, 
@@ -2901,6 +3186,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "imds.aws.security_credentials.type": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.IMDS.AWS.SecurityCredentials.Type }, @@ -2910,6 +3196,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "imds.cloud_provider": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.IMDS.CloudProvider }, @@ -2919,6 +3206,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "imds.host": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.IMDS.Host }, @@ -2928,6 +3216,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "imds.server": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.IMDS.Server }, @@ -2937,6 +3226,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "imds.type": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.IMDS.Type }, @@ -2946,6 +3236,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "imds.url": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.IMDS.URL }, @@ -2955,6 +3246,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "imds.user_agent": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.IMDS.UserAgent }, 
@@ -2964,6 +3256,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Source.FileFields.CTime) }, @@ -2973,6 +3266,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Target.FileFields.CTime) }, @@ -2982,6 +3276,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Link.Target) }, @@ -2991,6 +3286,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Target.FileFields.GID) }, @@ -3000,6 +3296,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Link.Target.FileFields) }, @@ -3009,6 +3306,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Link.Target) }, 
@@ -3018,6 +3316,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Link.Target.FileFields) }, @@ -3027,6 +3326,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Target.FileFields.PathKey.Inode) }, @@ -3036,6 +3336,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Target.FileFields.Mode) }, @@ -3045,6 +3346,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Target.FileFields.MTime) }, @@ -3054,6 +3356,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Target.FileFields.PathKey.MountID) }, @@ -3064,6 +3367,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Target) }, 
@@ -3074,6 +3378,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Target)) }, @@ -3083,6 +3388,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.Link.Target) }, @@ -3092,6 +3398,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Link.Target) }, @@ -3101,6 +3408,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Link.Target) }, @@ -3111,6 +3419,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Target) }, 
@@ -3121,6 +3430,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Target)) }, @@ -3130,6 +3440,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.Link.Target.FileFields)) }, @@ -3139,6 +3450,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Target.FileFields.UID) }, @@ -3148,6 +3460,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.destination.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Link.Target.FileFields) }, @@ -3157,6 +3470,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Link.Source) }, @@ -3166,6 +3480,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Source.FileFields.GID) }, 
@@ -3175,6 +3490,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Link.Source.FileFields) }, @@ -3184,6 +3500,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Link.Source) }, @@ -3193,6 +3510,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Link.Source.FileFields) }, @@ -3202,6 +3520,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Source.FileFields.PathKey.Inode) }, @@ -3211,6 +3530,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Source.FileFields.Mode) }, @@ -3220,6 +3540,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Source.FileFields.MTime) }, 
@@ -3229,6 +3550,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Source.FileFields.PathKey.MountID) }, @@ -3239,6 +3561,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Source) }, @@ -3249,6 +3572,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Link.Source)) }, @@ -3258,6 +3582,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.Link.Source) }, @@ -3267,6 +3592,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Link.Source) }, 
@@ -3276,6 +3602,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Link.Source) }, @@ -3286,6 +3613,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Source) }, @@ -3296,6 +3624,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Link.Source)) }, @@ -3305,6 +3634,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.Link.Source.FileFields)) }, @@ -3314,6 +3644,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.Source.FileFields.UID) }, @@ -3323,6 +3654,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Link.Source.FileFields) }, 
@@ -3332,6 +3664,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Link.SyscallEvent.Retval) }, @@ -3341,6 +3674,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.syscall.destination.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr2(ev, &ev.Link.SyscallContext) }, @@ -3350,6 +3684,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "link.syscall.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Link.SyscallContext) }, @@ -3359,6 +3694,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.args": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveModuleArgs(ev, &ev.LoadModule) }, @@ -3368,6 +3704,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.args_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.LoadModule.ArgsTruncated }, @@ -3377,6 +3714,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.argv": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveModuleArgv(ev, &ev.LoadModule) }, 
@@ -3386,6 +3724,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.LoadModule.File.FileFields.CTime) }, @@ -3395,6 +3734,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.LoadModule.File) }, @@ -3404,6 +3744,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.LoadModule.File.FileFields.GID) }, @@ -3413,6 +3754,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.LoadModule.File.FileFields) }, @@ -3422,6 +3764,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.LoadModule.File) }, 
@@ -3431,6 +3774,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.LoadModule.File.FileFields) }, @@ -3440,6 +3784,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.LoadModule.File.FileFields.PathKey.Inode) }, @@ -3449,6 +3794,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.LoadModule.File.FileFields.Mode) }, @@ -3458,6 +3804,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.LoadModule.File.FileFields.MTime) }, @@ -3467,6 +3814,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.LoadModule.File.FileFields.PathKey.MountID) }, @@ -3477,6 +3825,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.LoadModule.File) }, 
@@ -3487,6 +3836,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.LoadModule.File)) }, @@ -3496,6 +3846,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.LoadModule.File) }, @@ -3505,6 +3856,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.LoadModule.File) }, @@ -3514,6 +3866,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.LoadModule.File) }, @@ -3524,6 +3877,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.LoadModule.File) }, 
@@ -3534,6 +3888,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.LoadModule.File)) }, @@ -3543,6 +3898,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.LoadModule.File.FileFields)) }, @@ -3552,6 +3908,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.LoadModule.File.FileFields.UID) }, @@ -3561,6 +3918,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.LoadModule.File.FileFields) }, @@ -3570,6 +3928,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.loaded_from_memory": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.LoadModule.LoadedFromMemory }, @@ -3579,6 +3938,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.LoadModule.Name }, 
@@ -3588,6 +3948,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "load_module.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.LoadModule.SyscallEvent.Retval) }, @@ -3597,6 +3958,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Mkdir.File.FileFields.CTime) }, @@ -3606,6 +3968,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.destination.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Mkdir.Mode) }, @@ -3615,6 +3978,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.destination.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Mkdir.Mode) }, @@ -3624,6 +3988,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Mkdir.File) }, @@ -3633,6 +3998,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Mkdir.File.FileFields.GID) }, 
@@ -3642,6 +4008,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Mkdir.File.FileFields) }, @@ -3651,6 +4018,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Mkdir.File) }, @@ -3660,6 +4028,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Mkdir.File.FileFields) }, @@ -3669,6 +4038,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Mkdir.File.FileFields.PathKey.Inode) }, @@ -3678,6 +4048,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Mkdir.File.FileFields.Mode) }, @@ -3687,6 +4058,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Mkdir.File.FileFields.MTime) }, 
@@ -3696,6 +4068,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Mkdir.File.FileFields.PathKey.MountID) }, @@ -3706,6 +4079,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Mkdir.File) }, @@ -3716,6 +4090,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Mkdir.File)) }, @@ -3725,6 +4100,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.Mkdir.File) }, @@ -3734,6 +4110,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Mkdir.File) }, 
@@ -3743,6 +4120,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Mkdir.File) }, @@ -3753,6 +4131,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Mkdir.File) }, @@ -3763,6 +4142,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Mkdir.File)) }, @@ -3772,6 +4152,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.Mkdir.File.FileFields)) }, @@ -3781,6 +4162,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Mkdir.File.FileFields.UID) }, @@ -3790,6 +4172,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Mkdir.File.FileFields) }, 
@@ -3799,6 +4182,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mkdir.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Mkdir.SyscallEvent.Retval) }, @@ -3808,6 +4192,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.MMap.File.FileFields.CTime) }, @@ -3817,6 +4202,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.MMap.File) }, @@ -3826,6 +4212,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.MMap.File.FileFields.GID) }, @@ -3835,6 +4222,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.MMap.File.FileFields) }, @@ -3844,6 +4232,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.MMap.File) }, 
@@ -3853,6 +4242,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.MMap.File.FileFields) }, @@ -3862,6 +4252,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.MMap.File.FileFields.PathKey.Inode) }, @@ -3871,6 +4262,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.MMap.File.FileFields.Mode) }, @@ -3880,6 +4272,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.MMap.File.FileFields.MTime) }, @@ -3889,6 +4282,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.MMap.File.FileFields.PathKey.MountID) }, @@ -3899,6 +4293,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.MMap.File) }, 
@@ -3909,6 +4304,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.MMap.File)) }, @@ -3918,6 +4314,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.MMap.File) }, @@ -3927,6 +4324,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.MMap.File) }, @@ -3936,6 +4334,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.MMap.File) }, @@ -3946,6 +4345,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.MMap.File) }, 
@@ -3956,6 +4356,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.MMap.File)) }, @@ -3965,6 +4366,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.MMap.File.FileFields)) }, @@ -3974,6 +4376,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.MMap.File.FileFields.UID) }, @@ -3983,6 +4386,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.MMap.File.FileFields) }, @@ -3992,6 +4396,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.flags": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.MMap.Flags) }, @@ -4001,6 +4406,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.protection": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.MMap.Protection) }, 
@@ -4010,6 +4416,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mmap.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.MMap.SyscallEvent.Retval) }, @@ -4019,6 +4426,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mount.fs_type": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Mount.Mount.FSType }, @@ -4028,6 +4436,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mount.mountpoint.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveMountPointPath(ev, &ev.Mount) }, @@ -4037,6 +4446,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mount.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Mount.SyscallEvent.Retval) }, @@ -4046,6 +4456,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mount.root.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveMountRootPath(ev, &ev.Mount) }, @@ -4055,6 +4466,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mount.source.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveMountSourcePath(ev, &ev.Mount) }, 
@@ -4064,6 +4476,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mount.syscall.fs_type": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr3(ev, &ev.Mount.SyscallContext) }, @@ -4073,6 +4486,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mount.syscall.mountpoint.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr2(ev, &ev.Mount.SyscallContext) }, @@ -4082,6 +4496,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mount.syscall.source.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Mount.SyscallContext) }, @@ -4091,6 +4506,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mprotect.req_protection": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.MProtect.ReqProtection }, @@ -4100,6 +4516,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mprotect.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.MProtect.SyscallEvent.Retval) }, @@ -4109,6 +4526,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "mprotect.vm_protection": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.MProtect.VMProtection }, 
@@ -4118,6 +4536,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "network.destination.ip": return &eval.CIDREvaluator{ EvalFnc: func(ctx *eval.Context) net.IPNet { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.NetworkContext.Destination.IPNet }, @@ -4127,6 +4546,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "network.destination.is_public": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.NetworkContext.Destination) }, @@ -4136,6 +4556,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "network.destination.port": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.NetworkContext.Destination.Port) }, @@ -4145,6 +4566,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "network.device.ifname": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveNetworkDeviceIfName(ev, &ev.NetworkContext.Device) }, @@ -4154,6 +4576,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "network.l3_protocol": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.NetworkContext.L3Protocol) }, @@ -4163,6 +4586,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "network.l4_protocol": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.NetworkContext.L4Protocol) }, 
@@ -4172,6 +4596,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "network.size": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.NetworkContext.Size) }, @@ -4181,6 +4606,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "network.source.ip": return &eval.CIDREvaluator{ EvalFnc: func(ctx *eval.Context) net.IPNet { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.NetworkContext.Source.IPNet }, @@ -4190,6 +4616,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "network.source.is_public": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.NetworkContext.Source) }, @@ -4199,6 +4626,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "network.source.port": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.NetworkContext.Source.Port) }, @@ -4208,6 +4636,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ondemand.arg1.str": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveOnDemandArg1Str(ev, &ev.OnDemand) }, @@ -4217,6 +4646,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ondemand.arg1.uint": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveOnDemandArg1Uint(ev, &ev.OnDemand)) }, 
@@ -4226,6 +4656,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ondemand.arg2.str": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveOnDemandArg2Str(ev, &ev.OnDemand) }, @@ -4235,6 +4666,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ondemand.arg2.uint": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveOnDemandArg2Uint(ev, &ev.OnDemand)) }, @@ -4244,6 +4676,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ondemand.arg3.str": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveOnDemandArg3Str(ev, &ev.OnDemand) }, @@ -4253,6 +4686,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ondemand.arg3.uint": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveOnDemandArg3Uint(ev, &ev.OnDemand)) }, @@ -4262,6 +4696,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ondemand.arg4.str": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveOnDemandArg4Str(ev, &ev.OnDemand) }, @@ -4271,6 +4706,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ondemand.arg4.uint": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveOnDemandArg4Uint(ev, &ev.OnDemand)) }, 
@@ -4280,6 +4716,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ondemand.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveOnDemandName(ev, &ev.OnDemand) }, @@ -4289,6 +4726,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Open.File.FileFields.CTime) }, @@ -4298,6 +4736,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.destination.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Open.Mode) }, @@ -4307,6 +4746,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Open.File) }, @@ -4316,6 +4756,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Open.File.FileFields.GID) }, @@ -4325,6 +4766,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Open.File.FileFields) }, 
@@ -4334,6 +4776,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Open.File) }, @@ -4343,6 +4786,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Open.File.FileFields) }, @@ -4352,6 +4796,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Open.File.FileFields.PathKey.Inode) }, @@ -4361,6 +4806,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Open.File.FileFields.Mode) }, @@ -4370,6 +4816,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Open.File.FileFields.MTime) }, @@ -4379,6 +4826,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Open.File.FileFields.PathKey.MountID) }, 
@@ -4389,6 +4837,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Open.File) }, @@ -4399,6 +4848,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Open.File)) }, @@ -4408,6 +4858,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.Open.File) }, @@ -4417,6 +4868,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Open.File) }, @@ -4426,6 +4878,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Open.File) }, 
@@ -4436,6 +4889,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Open.File) }, @@ -4446,6 +4900,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Open.File)) }, @@ -4455,6 +4910,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.Open.File.FileFields)) }, @@ -4464,6 +4920,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Open.File.FileFields.UID) }, @@ -4473,6 +4930,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Open.File.FileFields) }, @@ -4482,6 +4940,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.flags": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Open.Flags) }, 
@@ -4491,6 +4950,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Open.SyscallEvent.Retval) }, @@ -4500,6 +4960,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.syscall.flags": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt2(ev, &ev.Open.SyscallContext)) }, @@ -4509,6 +4970,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.syscall.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt3(ev, &ev.Open.SyscallContext)) }, @@ -4518,6 +4980,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.syscall.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Open.SyscallContext) }, @@ -4527,6 +4990,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "packet.destination.ip": return &eval.CIDREvaluator{ EvalFnc: func(ctx *eval.Context) net.IPNet { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.RawPacket.NetworkContext.Destination.IPNet }, @@ -4536,6 +5000,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "packet.destination.is_public": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.RawPacket.NetworkContext.Destination) }, 
@@ -4545,6 +5010,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "packet.destination.port": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RawPacket.NetworkContext.Destination.Port) }, @@ -4554,6 +5020,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "packet.device.ifname": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveNetworkDeviceIfName(ev, &ev.RawPacket.NetworkContext.Device) }, @@ -4564,6 +5031,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: PacketFilterMatching, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.RawPacket.Filter }, @@ -4573,6 +5041,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "packet.l3_protocol": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RawPacket.NetworkContext.L3Protocol) }, @@ -4582,6 +5051,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "packet.l4_protocol": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RawPacket.NetworkContext.L4Protocol) }, @@ -4591,6 +5061,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "packet.size": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RawPacket.NetworkContext.Size) }, 
@@ -4600,6 +5071,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "packet.source.ip": return &eval.CIDREvaluator{ EvalFnc: func(ctx *eval.Context) net.IPNet { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.RawPacket.NetworkContext.Source.IPNet }, @@ -4609,6 +5081,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "packet.source.is_public": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveIsIPPublic(ev, &ev.RawPacket.NetworkContext.Source) }, @@ -4618,6 +5091,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "packet.source.port": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RawPacket.NetworkContext.Source.Port) }, @@ -4627,6 +5101,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "packet.tls.version": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RawPacket.TLSContext.Version) }, @@ -4636,6 +5111,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.args": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -4663,6 +5139,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.args_flags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -4690,6 +5167,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.args_options": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -4717,6 +5195,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.args_truncated": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result @@ -4744,6 +5223,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.argv": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -4771,6 +5251,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.argv0": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -4798,6 +5279,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.auid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -4824,6 +5306,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.cap_effective": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } 
@@ -4850,6 +5333,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.cap_permitted": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -4876,6 +5360,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.cgroup.file.inode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -4902,6 +5387,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.cgroup.file.mount_id": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -4928,6 +5414,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.cgroup.id": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -4955,6 +5442,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.cgroup.manager": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -4982,6 +5470,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.comm": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } 
@@ -5008,6 +5497,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.container.id": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -5035,6 +5525,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.created_at": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -5062,6 +5553,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.egid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -5088,6 +5580,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.egroup": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -5114,6 +5607,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -5141,6 +5635,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -5168,6 +5663,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.envs_truncated": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result @@ -5195,6 +5691,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.euid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -5221,6 +5718,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.euser": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -5247,6 +5745,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.change_time": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -5279,6 +5778,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.filesystem": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -5312,6 +5812,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.gid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } 
@@ -5344,6 +5845,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.group": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -5377,6 +5879,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -5410,6 +5913,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.in_upper_layer": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result @@ -5443,6 +5947,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.inode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -5475,6 +5980,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.mode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -5507,6 +6013,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.modification_time": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } 
@@ -5539,6 +6046,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.mount_id": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -5572,6 +6080,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -5606,6 +6115,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -5633,6 +6143,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.package.name": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -5666,6 +6177,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.package.source_version": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -5699,6 +6211,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.package.version": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -5733,6 +6246,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -5767,6 +6281,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -5794,6 +6309,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.rights": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -5827,6 +6343,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.uid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -5859,6 +6376,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.file.user": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -5892,6 +6410,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.fsgid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -5918,6 +6437,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.fsgroup": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -5944,6 +6464,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.fsuid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -5970,6 +6491,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.fsuser": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -5996,6 +6518,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.gid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -6022,6 +6545,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.group": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } 
@@ -6048,6 +6572,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.change_time": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -6080,6 +6605,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.filesystem": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -6113,6 +6639,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.gid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -6145,6 +6672,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.group": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -6178,6 +6706,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -6211,6 +6740,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.in_upper_layer": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result @@ -6244,6 +6774,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.inode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -6276,6 +6807,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.mode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -6308,6 +6840,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.modification_time": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -6340,6 +6873,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.mount_id": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -6373,6 +6907,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -6407,6 +6942,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -6434,6 +6970,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.package.name": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -6467,6 +7004,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.package.source_version": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -6500,6 +7038,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.package.version": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -6534,6 +7073,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -6568,6 +7108,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -6595,6 +7136,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.rights": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -6628,6 +7170,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.uid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -6660,6 +7203,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.interpreter.file.user": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -6693,6 +7237,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.is_exec": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) if result, ok := ctx.BoolCache[field]; ok { return result } @@ -6719,6 +7264,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.is_kworker": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) if result, ok := ctx.BoolCache[field]; ok { return result } 
@@ -6745,6 +7291,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.is_thread": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result @@ -6772,6 +7319,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) iterator := &ProcessAncestorsIterator{} return iterator.Len(ctx) }, @@ -6781,6 +7329,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.pid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -6807,6 +7356,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.ppid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -6833,6 +7383,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.tid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -6859,6 +7410,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.tty_name": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } 
@@ -6885,6 +7437,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.uid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -6911,6 +7464,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.user": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -6937,6 +7491,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.user_session.k8s_groups": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -6964,6 +7519,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.user_session.k8s_uid": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -6991,6 +7547,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.user_session.k8s_username": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -7018,6 +7575,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.args": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.BaseEvent.ProcessContext.Process) }, 
@@ -7027,6 +7585,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.args_flags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -7036,6 +7595,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.args_options": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -7045,6 +7605,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.args_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -7054,6 +7615,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.argv": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -7063,6 +7625,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.argv0": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.BaseEvent.ProcessContext.Process) }, 
@@ -7072,6 +7635,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.auid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.Credentials.AUID) }, @@ -7081,6 +7645,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.cap_effective": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.Credentials.CapEffective) }, @@ -7090,6 +7655,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.cap_permitted": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.Credentials.CapPermitted) }, @@ -7099,6 +7665,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.cgroup.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.CGroup.CGroupFile.Inode) }, @@ -7108,6 +7675,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.cgroup.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.CGroup.CGroupFile.MountID) }, 
@@ -7117,6 +7685,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.cgroup.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveCGroupID(ev, &ev.BaseEvent.ProcessContext.Process.CGroup) }, @@ -7126,6 +7695,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.cgroup.manager": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.BaseEvent.ProcessContext.Process.CGroup) }, @@ -7135,6 +7705,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.comm": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.Comm }, @@ -7144,6 +7715,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessContainerID(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -7153,6 +7725,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.BaseEvent.ProcessContext.Process)) }, 
@@ -7162,6 +7735,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.egid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.Credentials.EGID) }, @@ -7171,6 +7745,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.egroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.Credentials.EGroup }, @@ -7180,6 +7755,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -7189,6 +7765,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -7198,6 +7775,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.envs_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.BaseEvent.ProcessContext.Process) }, 
@@ -7207,6 +7785,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.euid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.Credentials.EUID) }, @@ -7216,6 +7795,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.euser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.Credentials.EUser }, @@ -7225,6 +7805,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return 0 @@ -7237,6 +7818,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return "" @@ -7249,6 +7831,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return 0 @@ -7261,6 +7844,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return "" 
@@ -7273,6 +7857,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return []string{} @@ -7285,6 +7870,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return false @@ -7297,6 +7883,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return 0 @@ -7309,6 +7896,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return 0 @@ -7321,6 +7909,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return 0 @@ -7333,6 +7922,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return 0 
@@ -7346,6 +7936,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return "" @@ -7359,6 +7950,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)) }, @@ -7368,6 +7960,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return "" @@ -7380,6 +7973,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return "" @@ -7392,6 +7986,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return "" 
@@ -7405,6 +8000,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return "" @@ -7418,6 +8014,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)) }, @@ -7427,6 +8024,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return 0 @@ -7439,6 +8037,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return 0 @@ -7451,6 +8050,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.IsNotKworker() { return "" @@ -7463,6 +8063,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.fsgid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.Credentials.FSGID) }, 
@@ -7472,6 +8073,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.fsgroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.Credentials.FSGroup }, @@ -7481,6 +8083,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.fsuid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.Credentials.FSUID) }, @@ -7490,6 +8093,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.fsuser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.Credentials.FSUser }, @@ -7499,6 +8103,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.Credentials.GID) }, @@ -7508,6 +8113,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.Credentials.Group }, @@ -7517,6 +8123,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return 0 
@@ -7529,6 +8136,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return "" @@ -7541,6 +8149,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return 0 @@ -7553,6 +8162,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return "" @@ -7565,6 +8175,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return []string{} @@ -7577,6 +8188,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return false 
@@ -7589,6 +8201,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return 0 @@ -7601,6 +8214,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return 0 @@ -7613,6 +8227,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return 0 @@ -7625,6 +8240,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return 0 @@ -7638,6 +8254,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return "" 
@@ -7651,6 +8268,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent)) }, @@ -7660,6 +8278,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return "" @@ -7672,6 +8291,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return "" @@ -7684,6 +8304,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return "" @@ -7697,6 +8318,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return "" 
@@ -7710,6 +8332,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.LinuxBinprm.FileEvent)) }, @@ -7719,6 +8342,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return 0 @@ -7731,6 +8355,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return 0 @@ -7743,6 +8368,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.interpreter.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.Process.HasInterpreter() { return "" @@ -7755,6 +8381,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.is_exec": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.IsExec }, 
@@ -7764,6 +8391,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.is_kworker": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.PIDContext.IsKworker }, @@ -7773,6 +8401,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.is_thread": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessIsThread(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -7782,6 +8411,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.args": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -7794,6 +8424,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.args_flags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return []string{} @@ -7806,6 +8437,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.args_options": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return []string{} @@ -7818,6 +8450,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.args_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return false 
@@ -7830,6 +8463,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.argv": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return []string{} @@ -7842,6 +8476,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.argv0": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -7854,6 +8489,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.auid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -7866,6 +8502,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.cap_effective": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -7878,6 +8515,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.cap_permitted": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -7890,6 +8528,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.cgroup.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 
@@ -7902,6 +8541,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.cgroup.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -7914,6 +8554,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.cgroup.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -7926,6 +8567,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.cgroup.manager": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -7938,6 +8580,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.comm": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -7950,6 +8593,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -7962,6 +8606,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 
@@ -7974,6 +8619,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.egid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -7986,6 +8632,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.egroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -7998,6 +8645,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return []string{} @@ -8010,6 +8658,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return []string{} @@ -8022,6 +8671,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.envs_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return false @@ -8034,6 +8684,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.euid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 
@@ -8046,6 +8697,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.euser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8058,6 +8710,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8073,6 +8726,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8088,6 +8742,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8103,6 +8758,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8118,6 +8774,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return []string{} 
@@ -8133,6 +8790,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return false @@ -8148,6 +8806,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8163,6 +8822,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8178,6 +8838,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8193,6 +8854,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8209,6 +8871,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" 
@@ -8225,6 +8888,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent)) }, @@ -8234,6 +8898,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8249,6 +8914,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8264,6 +8930,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8280,6 +8947,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" 
@@ -8296,6 +8964,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent)) }, @@ -8305,6 +8974,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8320,6 +8990,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8335,6 +9006,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8350,6 +9022,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.fsgid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8362,6 +9035,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.fsgroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" 
@@ -8374,6 +9048,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.fsuid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8386,6 +9061,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.fsuser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8398,6 +9074,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8410,6 +9087,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8422,6 +9100,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8437,6 +9116,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" 
@@ -8452,6 +9132,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8467,6 +9148,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8482,6 +9164,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return []string{} @@ -8497,6 +9180,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return false @@ -8512,6 +9196,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 
@@ -8527,6 +9212,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8542,6 +9228,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8557,6 +9244,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8573,6 +9261,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8589,6 +9278,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent)) }, 
@@ -8598,6 +9288,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8613,6 +9304,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8628,6 +9320,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8644,6 +9337,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8660,6 +9354,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.LinuxBinprm.FileEvent)) }, 
@@ -8669,6 +9364,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8684,6 +9380,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8699,6 +9396,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.interpreter.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8714,6 +9412,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.is_exec": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return false @@ -8726,6 +9425,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.is_kworker": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return false @@ -8738,6 +9438,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.is_thread": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return false 
@@ -8750,6 +9451,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8762,6 +9464,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8774,6 +9477,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.tid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8786,6 +9490,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.tty_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8798,6 +9503,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -8810,6 +9516,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" 
@@ -8822,6 +9529,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.user_session.k8s_groups": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return []string{} @@ -8834,6 +9542,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.user_session.k8s_uid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8846,6 +9555,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.user_session.k8s_username": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -8858,6 +9568,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Pid) }, @@ -8867,6 +9578,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.PPid) }, @@ -8876,6 +9588,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.tid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Tid) }, 
@@ -8885,6 +9598,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.tty_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.TTYName }, @@ -8894,6 +9608,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.Credentials.UID) }, @@ -8903,6 +9618,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.Credentials.User }, @@ -8912,6 +9628,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.user_session.k8s_groups": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.BaseEvent.ProcessContext.Process.UserSession) }, @@ -8921,6 +9638,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.user_session.k8s_uid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SUID(ev, &ev.BaseEvent.ProcessContext.Process.UserSession) }, 
@@ -8930,6 +9648,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.user_session.k8s_username": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.BaseEvent.ProcessContext.Process.UserSession) }, @@ -8939,6 +9658,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.request": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Request) }, @@ -8948,6 +9668,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.SyscallEvent.Retval) }, @@ -8957,6 +9678,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.args": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -8984,6 +9706,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.args_flags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -9011,6 +9734,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.args_options": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -9038,6 +9762,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.args_truncated": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result @@ -9065,6 +9790,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.argv": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -9092,6 +9818,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.argv0": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -9119,6 +9846,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.auid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -9145,6 +9873,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.cap_effective": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -9171,6 +9900,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.cap_permitted": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } 
@@ -9197,6 +9927,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.cgroup.file.inode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -9223,6 +9954,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.cgroup.file.mount_id": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -9249,6 +9981,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.cgroup.id": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -9276,6 +10009,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.cgroup.manager": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -9303,6 +10037,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.comm": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -9329,6 +10064,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.container.id": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -9356,6 +10092,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.created_at": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -9383,6 +10120,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.egid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -9409,6 +10147,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.egroup": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -9435,6 +10174,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -9462,6 +10202,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -9489,6 +10230,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.envs_truncated": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result 
@@ -9516,6 +10258,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.euid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -9542,6 +10285,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.euser": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -9568,6 +10312,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.change_time": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -9600,6 +10345,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.filesystem": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -9633,6 +10379,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.gid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -9665,6 +10412,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.group": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -9698,6 +10446,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -9731,6 +10480,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.in_upper_layer": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result @@ -9764,6 +10514,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.inode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -9796,6 +10547,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.mode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -9828,6 +10580,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.modification_time": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -9860,6 +10613,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.mount_id": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } 
@@ -9893,6 +10647,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -9927,6 +10682,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -9954,6 +10710,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.package.name": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -9987,6 +10744,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.package.source_version": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -10020,6 +10778,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.package.version": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -10054,6 +10813,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -10088,6 +10848,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -10115,6 +10876,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.rights": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -10148,6 +10910,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.uid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -10180,6 +10943,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.file.user": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -10213,6 +10977,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.fsgid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } 
@@ -10239,6 +11004,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.fsgroup": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -10265,6 +11031,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.fsuid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -10291,6 +11058,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.fsuser": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -10317,6 +11085,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.gid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -10343,6 +11112,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.group": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -10369,6 +11139,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.change_time": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } 
@@ -10401,6 +11172,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.filesystem": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -10434,6 +11206,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.gid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -10466,6 +11239,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.group": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -10499,6 +11273,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -10532,6 +11307,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.in_upper_layer": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result 
@@ -10565,6 +11341,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.inode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -10597,6 +11374,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.mode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -10629,6 +11407,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.modification_time": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -10661,6 +11440,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.mount_id": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -10694,6 +11474,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -10728,6 +11509,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result 
@@ -10755,6 +11537,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.package.name": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -10788,6 +11571,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.package.source_version": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -10821,6 +11605,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.package.version": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -10855,6 +11640,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -10889,6 +11675,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result 
@@ -10916,6 +11703,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.rights": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -10949,6 +11737,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.uid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -10981,6 +11770,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.interpreter.file.user": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -11014,6 +11804,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.is_exec": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) if result, ok := ctx.BoolCache[field]; ok { return result } @@ -11040,6 +11831,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.is_kworker": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) if result, ok := ctx.BoolCache[field]; ok { return result } @@ -11066,6 +11858,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.is_thread": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result 
@@ -11093,6 +11886,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) iterator := &ProcessAncestorsIterator{} return iterator.Len(ctx) }, @@ -11102,6 +11896,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.pid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -11128,6 +11923,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.ppid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -11154,6 +11950,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.tid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -11180,6 +11977,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.tty_name": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -11206,6 +12004,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.uid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } 
@@ -11232,6 +12031,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.user": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -11258,6 +12058,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.user_session.k8s_groups": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -11285,6 +12086,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.user_session.k8s_uid": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -11312,6 +12114,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ancestors.user_session.k8s_username": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -11339,6 +12142,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.args": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.PTrace.Tracee.Process) }, 
@@ -11348,6 +12152,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.args_flags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.PTrace.Tracee.Process) }, @@ -11357,6 +12162,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.args_options": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.PTrace.Tracee.Process) }, @@ -11366,6 +12172,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.args_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.PTrace.Tracee.Process) }, @@ -11375,6 +12182,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.argv": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.PTrace.Tracee.Process) }, @@ -11384,6 +12192,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.argv0": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.PTrace.Tracee.Process) }, 
@@ -11393,6 +12202,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.auid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.Credentials.AUID) }, @@ -11402,6 +12212,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.cap_effective": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.Credentials.CapEffective) }, @@ -11411,6 +12222,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.cap_permitted": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.Credentials.CapPermitted) }, @@ -11420,6 +12232,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.cgroup.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.CGroup.CGroupFile.Inode) }, @@ -11429,6 +12242,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.cgroup.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.CGroup.CGroupFile.MountID) }, @@ -11438,6 +12252,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.cgroup.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveCGroupID(ev, &ev.PTrace.Tracee.Process.CGroup) }, 
@@ -11447,6 +12262,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.cgroup.manager": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.PTrace.Tracee.Process.CGroup) }, @@ -11456,6 +12272,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.comm": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.PTrace.Tracee.Process.Comm }, @@ -11465,6 +12282,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessContainerID(ev, &ev.PTrace.Tracee.Process) }, @@ -11474,6 +12292,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.PTrace.Tracee.Process)) }, @@ -11483,6 +12302,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.egid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.Credentials.EGID) }, @@ -11492,6 +12312,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.egroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.PTrace.Tracee.Process.Credentials.EGroup }, 
@@ -11501,6 +12322,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.PTrace.Tracee.Process) }, @@ -11510,6 +12332,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.PTrace.Tracee.Process) }, @@ -11519,6 +12342,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.envs_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.PTrace.Tracee.Process) }, @@ -11528,6 +12352,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.euid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.Credentials.EUID) }, @@ -11537,6 +12362,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.euser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.PTrace.Tracee.Process.Credentials.EUser }, @@ -11546,6 +12372,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return 0 
@@ -11558,6 +12385,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return "" @@ -11570,6 +12398,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return 0 @@ -11582,6 +12411,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return "" @@ -11594,6 +12424,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return []string{} @@ -11606,6 +12437,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return false @@ -11618,6 +12450,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return 0 
@@ -11630,6 +12463,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return 0 @@ -11642,6 +12476,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return 0 @@ -11654,6 +12489,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return 0 @@ -11667,6 +12503,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return "" @@ -11680,6 +12517,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.FileEvent)) }, @@ -11689,6 +12527,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return "" 
@@ -11701,6 +12540,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return "" @@ -11713,6 +12553,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return "" @@ -11726,6 +12567,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return "" @@ -11739,6 +12581,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.FileEvent)) }, @@ -11748,6 +12591,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return 0 @@ -11760,6 +12604,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return 0 
@@ -11772,6 +12617,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.IsNotKworker() { return "" @@ -11784,6 +12630,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.fsgid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.Credentials.FSGID) }, @@ -11793,6 +12640,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.fsgroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.PTrace.Tracee.Process.Credentials.FSGroup }, @@ -11802,6 +12650,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.fsuid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.Credentials.FSUID) }, @@ -11811,6 +12660,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.fsuser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.PTrace.Tracee.Process.Credentials.FSUser }, @@ -11820,6 +12670,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.Credentials.GID) }, 
@@ -11829,6 +12680,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.PTrace.Tracee.Process.Credentials.Group }, @@ -11838,6 +12690,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return 0 @@ -11850,6 +12703,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return "" @@ -11862,6 +12716,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return 0 @@ -11874,6 +12729,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return "" 
@@ -11886,6 +12742,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return []string{} @@ -11898,6 +12755,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return false @@ -11910,6 +12768,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return 0 @@ -11922,6 +12781,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return 0 @@ -11934,6 +12794,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return 0 
@@ -11946,6 +12807,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return 0 @@ -11959,6 +12821,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return "" @@ -11972,6 +12835,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent)) }, @@ -11981,6 +12845,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return "" @@ -11993,6 +12858,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return "" 
@@ -12005,6 +12871,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return "" @@ -12018,6 +12885,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return "" @@ -12031,6 +12899,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Process.LinuxBinprm.FileEvent)) }, @@ -12040,6 +12909,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return 0 @@ -12052,6 +12922,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return 0 
@@ -12064,6 +12935,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.interpreter.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.Process.HasInterpreter() { return "" @@ -12076,6 +12948,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.is_exec": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.PTrace.Tracee.Process.IsExec }, @@ -12085,6 +12958,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.is_kworker": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.PTrace.Tracee.Process.PIDContext.IsKworker }, @@ -12094,6 +12968,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.is_thread": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessIsThread(ev, &ev.PTrace.Tracee.Process) }, @@ -12103,6 +12978,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.args": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12115,6 +12991,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.args_flags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return []string{} 
@@ -12127,6 +13004,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.args_options": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return []string{} @@ -12139,6 +13017,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.args_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return false @@ -12151,6 +13030,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.argv": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return []string{} @@ -12163,6 +13043,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.argv0": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12175,6 +13056,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.auid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12187,6 +13069,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.cap_effective": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 
@@ -12199,6 +13082,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.cap_permitted": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12211,6 +13095,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.cgroup.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12223,6 +13108,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.cgroup.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12235,6 +13121,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.cgroup.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12247,6 +13134,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.cgroup.manager": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12259,6 +13147,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.comm": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" 
@@ -12271,6 +13160,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12283,6 +13173,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12295,6 +13186,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.egid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12307,6 +13199,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.egroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12319,6 +13212,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return []string{} @@ -12331,6 +13225,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return []string{} 
@@ -12343,6 +13238,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.envs_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return false @@ -12355,6 +13251,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.euid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12367,6 +13264,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.euser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12379,6 +13277,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12394,6 +13293,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12409,6 +13309,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 
@@ -12424,6 +13325,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12439,6 +13341,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return []string{} @@ -12454,6 +13357,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return false @@ -12469,6 +13373,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12484,6 +13389,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12499,6 +13405,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 
@@ -12514,6 +13421,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12530,6 +13438,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12546,6 +13455,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.FileEvent)) }, @@ -12555,6 +13465,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12570,6 +13481,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12585,6 +13497,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" 
@@ -12601,6 +13514,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12617,6 +13531,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.FileEvent)) }, @@ -12626,6 +13541,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12641,6 +13557,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12656,6 +13573,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12671,6 +13589,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.fsgid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 
@@ -12683,6 +13602,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.fsgroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12695,6 +13615,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.fsuid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12707,6 +13628,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.fsuser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12719,6 +13641,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12731,6 +13654,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12743,6 +13667,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 
@@ -12758,6 +13683,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12773,6 +13699,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12788,6 +13715,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12803,6 +13731,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return []string{} @@ -12818,6 +13747,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return false 
@@ -12833,6 +13763,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12848,6 +13779,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12863,6 +13795,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12878,6 +13811,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -12894,6 +13828,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" 
@@ -12910,6 +13845,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent)) }, @@ -12919,6 +13855,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12934,6 +13871,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12949,6 +13887,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -12965,6 +13904,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" 
@@ -12981,6 +13921,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.PTrace.Tracee.Parent.LinuxBinprm.FileEvent)) }, @@ -12990,6 +13931,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -13005,6 +13947,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -13020,6 +13963,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.interpreter.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -13035,6 +13979,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.is_exec": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return false @@ -13047,6 +13992,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.is_kworker": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return false 
@@ -13059,6 +14005,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.is_thread": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return false @@ -13071,6 +14018,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -13083,6 +14031,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -13095,6 +14044,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.tid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 @@ -13107,6 +14057,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.tty_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -13119,6 +14070,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return 0 
@@ -13131,6 +14083,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -13143,6 +14096,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.user_session.k8s_groups": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return []string{} @@ -13155,6 +14109,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.user_session.k8s_uid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -13167,6 +14122,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.parent.user_session.k8s_username": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.PTrace.Tracee.HasParent() { return "" @@ -13179,6 +14135,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.PIDContext.Pid) }, @@ -13188,6 +14145,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.PPid) }, 
@@ -13197,6 +14155,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.tid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.PIDContext.Tid) }, @@ -13206,6 +14165,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.tty_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.PTrace.Tracee.Process.TTYName }, @@ -13215,6 +14175,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.PTrace.Tracee.Process.Credentials.UID) }, @@ -13224,6 +14185,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.PTrace.Tracee.Process.Credentials.User }, @@ -13233,6 +14195,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.user_session.k8s_groups": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.PTrace.Tracee.Process.UserSession) }, @@ -13242,6 +14205,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.user_session.k8s_uid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SUID(ev, &ev.PTrace.Tracee.Process.UserSession) }, 
@@ -13251,6 +14215,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "ptrace.tracee.user_session.k8s_username": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.PTrace.Tracee.Process.UserSession) }, @@ -13260,6 +14225,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RemoveXAttr.File.FileFields.CTime) }, @@ -13269,6 +14235,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.destination.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveXAttrName(ev, &ev.RemoveXAttr) }, @@ -13278,6 +14245,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.destination.namespace": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveXAttrNamespace(ev, &ev.RemoveXAttr) }, @@ -13287,6 +14255,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.RemoveXAttr.File) }, 
@@ -13296,6 +14265,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RemoveXAttr.File.FileFields.GID) }, @@ -13305,6 +14275,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.RemoveXAttr.File.FileFields) }, @@ -13314,6 +14285,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.RemoveXAttr.File) }, @@ -13323,6 +14295,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.RemoveXAttr.File.FileFields) }, @@ -13332,6 +14305,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RemoveXAttr.File.FileFields.PathKey.Inode) }, 
@@ -13341,6 +14315,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RemoveXAttr.File.FileFields.Mode) }, @@ -13350,6 +14325,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RemoveXAttr.File.FileFields.MTime) }, @@ -13359,6 +14335,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RemoveXAttr.File.FileFields.PathKey.MountID) }, @@ -13369,6 +14346,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.RemoveXAttr.File) }, @@ -13379,6 +14357,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.RemoveXAttr.File)) }, @@ -13388,6 +14367,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.RemoveXAttr.File) }, 
@@ -13397,6 +14377,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.RemoveXAttr.File) }, @@ -13406,6 +14387,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.RemoveXAttr.File) }, @@ -13416,6 +14398,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.RemoveXAttr.File) }, @@ -13426,6 +14409,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.RemoveXAttr.File)) }, @@ -13435,6 +14419,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.RemoveXAttr.File.FileFields)) }, 
@@ -13444,6 +14429,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RemoveXAttr.File.FileFields.UID) }, @@ -13453,6 +14439,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.RemoveXAttr.File.FileFields) }, @@ -13462,6 +14449,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "removexattr.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.RemoveXAttr.SyscallEvent.Retval) }, @@ -13471,6 +14459,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.Old.FileFields.CTime) }, @@ -13480,6 +14469,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.New.FileFields.CTime) }, @@ -13489,6 +14479,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rename.New) }, 
@@ -13498,6 +14489,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.New.FileFields.GID) }, @@ -13507,6 +14499,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rename.New.FileFields) }, @@ -13516,6 +14509,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rename.New) }, @@ -13525,6 +14519,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rename.New.FileFields) }, @@ -13534,6 +14529,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.New.FileFields.PathKey.Inode) }, 
@@ -13543,6 +14539,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.New.FileFields.Mode) }, @@ -13552,6 +14549,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.New.FileFields.MTime) }, @@ -13561,6 +14559,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.New.FileFields.PathKey.MountID) }, @@ -13571,6 +14570,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.New) }, @@ -13581,6 +14581,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.New)) }, @@ -13590,6 +14591,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rename.New) }, 
@@ -13599,6 +14601,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rename.New) }, @@ -13608,6 +14611,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rename.New) }, @@ -13618,6 +14622,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.New) }, @@ -13628,6 +14633,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.New)) }, @@ -13637,6 +14643,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.Rename.New.FileFields)) }, 
@@ -13646,6 +14653,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.New.FileFields.UID) }, @@ -13655,6 +14663,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.destination.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rename.New.FileFields) }, @@ -13664,6 +14673,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rename.Old) }, @@ -13673,6 +14683,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.Old.FileFields.GID) }, @@ -13682,6 +14693,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rename.Old.FileFields) }, @@ -13691,6 +14703,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rename.Old) }, 
@@ -13700,6 +14713,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rename.Old.FileFields) }, @@ -13709,6 +14723,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.Old.FileFields.PathKey.Inode) }, @@ -13718,6 +14733,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.Old.FileFields.Mode) }, @@ -13727,6 +14743,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.Old.FileFields.MTime) }, @@ -13736,6 +14753,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.Old.FileFields.PathKey.MountID) }, @@ -13746,6 +14764,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.Old) }, 
@@ -13756,6 +14775,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rename.Old)) }, @@ -13765,6 +14785,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rename.Old) }, @@ -13774,6 +14795,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rename.Old) }, @@ -13783,6 +14805,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rename.Old) }, @@ -13793,6 +14816,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.Old) }, 
@@ -13803,6 +14827,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Rename.Old)) }, @@ -13812,6 +14837,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.Rename.Old.FileFields)) }, @@ -13821,6 +14847,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.Old.FileFields.UID) }, @@ -13830,6 +14857,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rename.Old.FileFields) }, @@ -13839,6 +14867,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rename.SyscallEvent.Retval) }, @@ -13848,6 +14877,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.syscall.destination.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr2(ev, &ev.Rename.SyscallContext) }, 
@@ -13857,6 +14887,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rename.syscall.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Rename.SyscallContext) }, @@ -13866,6 +14897,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rmdir.File.FileFields.CTime) }, @@ -13875,6 +14907,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Rmdir.File) }, @@ -13884,6 +14917,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rmdir.File.FileFields.GID) }, @@ -13893,6 +14927,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Rmdir.File.FileFields) }, @@ -13902,6 +14937,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Rmdir.File) }, 
@@ -13911,6 +14947,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Rmdir.File.FileFields) }, @@ -13920,6 +14957,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rmdir.File.FileFields.PathKey.Inode) }, @@ -13929,6 +14967,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rmdir.File.FileFields.Mode) }, @@ -13938,6 +14977,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rmdir.File.FileFields.MTime) }, @@ -13947,6 +14987,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rmdir.File.FileFields.PathKey.MountID) }, @@ -13957,6 +14998,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rmdir.File) }, 
@@ -13967,6 +15009,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Rmdir.File)) }, @@ -13976,6 +15019,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.Rmdir.File) }, @@ -13985,6 +15029,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Rmdir.File) }, @@ -13994,6 +15039,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Rmdir.File) }, @@ -14004,6 +15050,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Rmdir.File) }, 
@@ -14014,6 +15061,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Rmdir.File)) }, @@ -14023,6 +15071,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.Rmdir.File.FileFields)) }, @@ -14032,6 +15081,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rmdir.File.FileFields.UID) }, @@ -14041,6 +15091,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Rmdir.File.FileFields) }, @@ -14050,6 +15101,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "rmdir.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Rmdir.SyscallEvent.Retval) }, @@ -14059,6 +15111,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "selinux.bool.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSELinuxBoolName(ev, &ev.SELinux) }, 
@@ -14068,6 +15121,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "selinux.bool.state": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SELinux.BoolChangeValue }, @@ -14077,6 +15131,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "selinux.bool_commit.state": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SELinux.BoolCommitValue }, @@ -14086,6 +15141,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "selinux.enforce.status": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SELinux.EnforceStatus }, @@ -14095,6 +15151,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setgid.egid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetGID.EGID) }, @@ -14104,6 +15161,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setgid.egroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSetgidEGroup(ev, &ev.SetGID) }, @@ -14113,6 +15171,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setgid.fsgid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetGID.FSGID) }, 
@@ -14122,6 +15181,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setgid.fsgroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSetgidFSGroup(ev, &ev.SetGID) }, @@ -14131,6 +15191,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setgid.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetGID.GID) }, @@ -14140,6 +15201,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setgid.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSetgidGroup(ev, &ev.SetGID) }, @@ -14149,6 +15211,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setuid.euid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetUID.EUID) }, @@ -14158,6 +15221,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setuid.euser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSetuidEUser(ev, &ev.SetUID) }, @@ -14167,6 +15231,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setuid.fsuid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetUID.FSUID) }, 
@@ -14176,6 +15241,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setuid.fsuser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSetuidFSUser(ev, &ev.SetUID) }, @@ -14185,6 +15251,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setuid.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetUID.UID) }, @@ -14194,6 +15261,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setuid.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSetuidUser(ev, &ev.SetUID) }, @@ -14203,6 +15271,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetXAttr.File.FileFields.CTime) }, @@ -14212,6 +15281,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.destination.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveXAttrName(ev, &ev.SetXAttr) }, @@ -14221,6 +15291,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.destination.namespace": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveXAttrNamespace(ev, &ev.SetXAttr) }, 
@@ -14230,6 +15301,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.SetXAttr.File) }, @@ -14239,6 +15311,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetXAttr.File.FileFields.GID) }, @@ -14248,6 +15321,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.SetXAttr.File.FileFields) }, @@ -14257,6 +15331,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.SetXAttr.File) }, @@ -14266,6 +15341,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.SetXAttr.File.FileFields) }, 
@@ -14275,6 +15351,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetXAttr.File.FileFields.PathKey.Inode) }, @@ -14284,6 +15361,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetXAttr.File.FileFields.Mode) }, @@ -14293,6 +15371,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetXAttr.File.FileFields.MTime) }, @@ -14302,6 +15381,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetXAttr.File.FileFields.PathKey.MountID) }, @@ -14312,6 +15392,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.SetXAttr.File) }, @@ -14322,6 +15403,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.SetXAttr.File)) }, 
@@ -14331,6 +15413,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.SetXAttr.File) }, @@ -14340,6 +15423,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.SetXAttr.File) }, @@ -14349,6 +15433,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.SetXAttr.File) }, @@ -14359,6 +15444,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.SetXAttr.File) }, @@ -14369,6 +15455,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.SetXAttr.File)) }, 
@@ -14378,6 +15465,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.SetXAttr.File.FileFields)) }, @@ -14387,6 +15475,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetXAttr.File.FileFields.UID) }, @@ -14396,6 +15485,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.SetXAttr.File.FileFields) }, @@ -14405,6 +15495,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "setxattr.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.SetXAttr.SyscallEvent.Retval) }, @@ -14414,6 +15505,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.PID) }, @@ -14423,6 +15515,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.SyscallEvent.Retval) }, 
@@ -14432,6 +15525,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.args": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -14459,6 +15553,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.args_flags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -14486,6 +15581,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.args_options": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -14513,6 +15609,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.args_truncated": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result @@ -14540,6 +15637,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.argv": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -14567,6 +15665,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.argv0": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -14594,6 +15693,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.auid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -14620,6 +15720,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.cap_effective": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -14646,6 +15747,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.cap_permitted": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -14672,6 +15774,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.cgroup.file.inode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -14698,6 +15801,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.cgroup.file.mount_id": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } 
@@ -14724,6 +15828,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.cgroup.id": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -14751,6 +15856,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.cgroup.manager": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -14778,6 +15884,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.comm": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -14804,6 +15911,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.container.id": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -14831,6 +15939,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.created_at": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -14858,6 +15967,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.egid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } 
@@ -14884,6 +15994,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.egroup": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -14910,6 +16021,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -14937,6 +16049,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -14964,6 +16077,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.envs_truncated": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result @@ -14991,6 +16105,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.euid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -15017,6 +16132,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.euser": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } 
@@ -15043,6 +16159,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.change_time": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -15075,6 +16192,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.filesystem": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -15108,6 +16226,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.gid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -15140,6 +16259,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.group": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -15173,6 +16293,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -15206,6 +16327,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.in_upper_layer": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result @@ -15239,6 +16361,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.inode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -15271,6 +16394,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.mode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -15303,6 +16427,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.modification_time": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -15335,6 +16460,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.mount_id": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -15368,6 +16494,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -15402,6 +16529,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -15429,6 +16557,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.package.name": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -15462,6 +16591,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.package.source_version": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -15495,6 +16625,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.package.version": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -15529,6 +16660,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -15563,6 +16695,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -15590,6 +16723,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.rights": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -15623,6 +16757,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.uid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -15655,6 +16790,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.file.user": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -15688,6 +16824,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.fsgid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -15714,6 +16851,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.fsgroup": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } 
@@ -15740,6 +16878,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.fsuid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -15766,6 +16905,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.fsuser": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -15792,6 +16932,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.gid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -15818,6 +16959,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.group": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -15844,6 +16986,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.change_time": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -15876,6 +17019,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.filesystem": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -15909,6 +17053,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.gid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -15941,6 +17086,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.group": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -15974,6 +17120,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -16007,6 +17154,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.in_upper_layer": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result @@ -16040,6 +17188,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.inode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } 
@@ -16072,6 +17221,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.mode": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -16104,6 +17254,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.modification_time": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -16136,6 +17287,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.mount_id": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -16169,6 +17321,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -16203,6 +17356,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result 
@@ -16230,6 +17384,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.package.name": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -16263,6 +17418,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.package.source_version": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -16296,6 +17452,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.package.version": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -16330,6 +17487,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -16364,6 +17522,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result 
@@ -16391,6 +17550,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.rights": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -16424,6 +17584,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.uid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -16456,6 +17617,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.interpreter.file.user": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -16489,6 +17651,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.is_exec": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) if result, ok := ctx.BoolCache[field]; ok { return result } @@ -16515,6 +17678,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.is_kworker": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) if result, ok := ctx.BoolCache[field]; ok { return result } @@ -16541,6 +17705,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.is_thread": return &eval.BoolArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.BoolCache[field]; ok { return result 
@@ -16568,6 +17733,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) iterator := &ProcessAncestorsIterator{} return iterator.Len(ctx) }, @@ -16577,6 +17743,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.pid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -16603,6 +17770,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.ppid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -16629,6 +17797,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.tid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -16655,6 +17824,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.tty_name": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -16681,6 +17851,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.uid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } 
@@ -16707,6 +17878,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.user": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -16733,6 +17905,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.user_session.k8s_groups": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -16760,6 +17933,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.user_session.k8s_uid": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -16787,6 +17961,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ancestors.user_session.k8s_username": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -16814,6 +17989,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.args": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgs(ev, &ev.Signal.Target.Process) }, 
@@ -16823,6 +17999,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.args_flags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsFlags(ev, &ev.Signal.Target.Process) }, @@ -16832,6 +18009,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.args_options": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsOptions(ev, &ev.Signal.Target.Process) }, @@ -16841,6 +18019,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.args_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgsTruncated(ev, &ev.Signal.Target.Process) }, @@ -16850,6 +18029,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.argv": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgv(ev, &ev.Signal.Target.Process) }, @@ -16859,6 +18039,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.argv0": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessArgv0(ev, &ev.Signal.Target.Process) }, 
@@ -16868,6 +18049,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.auid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.Credentials.AUID) }, @@ -16877,6 +18059,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.cap_effective": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.Credentials.CapEffective) }, @@ -16886,6 +18069,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.cap_permitted": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.Credentials.CapPermitted) }, @@ -16895,6 +18079,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.cgroup.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.CGroup.CGroupFile.Inode) }, @@ -16904,6 +18089,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.cgroup.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.CGroup.CGroupFile.MountID) }, @@ -16913,6 +18099,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.cgroup.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveCGroupID(ev, &ev.Signal.Target.Process.CGroup) }, 
@@ -16922,6 +18109,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.cgroup.manager": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveCGroupManager(ev, &ev.Signal.Target.Process.CGroup) }, @@ -16931,6 +18119,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.comm": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Signal.Target.Process.Comm }, @@ -16940,6 +18129,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessContainerID(ev, &ev.Signal.Target.Process) }, @@ -16949,6 +18139,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.Signal.Target.Process)) }, @@ -16958,6 +18149,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.egid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.Credentials.EGID) }, @@ -16967,6 +18159,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.egroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Signal.Target.Process.Credentials.EGroup }, 
@@ -16976,6 +18169,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.Signal.Target.Process) }, @@ -16985,6 +18179,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.Signal.Target.Process) }, @@ -16994,6 +18189,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.envs_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvsTruncated(ev, &ev.Signal.Target.Process) }, @@ -17003,6 +18199,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.euid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.Credentials.EUID) }, @@ -17012,6 +18209,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.euser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Signal.Target.Process.Credentials.EUser }, @@ -17021,6 +18219,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return 0 
@@ -17033,6 +18232,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return "" @@ -17045,6 +18245,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return 0 @@ -17057,6 +18258,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return "" @@ -17069,6 +18271,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return []string{} @@ -17081,6 +18284,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return false @@ -17093,6 +18297,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return 0 
@@ -17105,6 +18310,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return 0 @@ -17117,6 +18323,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return 0 @@ -17129,6 +18336,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return 0 @@ -17142,6 +18350,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return "" @@ -17155,6 +18364,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.FileEvent)) }, @@ -17164,6 +18374,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return "" 
@@ -17176,6 +18387,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return "" @@ -17188,6 +18400,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return "" @@ -17201,6 +18414,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return "" @@ -17214,6 +18428,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.FileEvent)) }, @@ -17223,6 +18438,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return 0 @@ -17235,6 +18451,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return 0 
@@ -17247,6 +18464,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.IsNotKworker() { return "" @@ -17259,6 +18477,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.fsgid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.Credentials.FSGID) }, @@ -17268,6 +18487,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.fsgroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Signal.Target.Process.Credentials.FSGroup }, @@ -17277,6 +18497,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.fsuid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.Credentials.FSUID) }, @@ -17286,6 +18507,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.fsuser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Signal.Target.Process.Credentials.FSUser }, @@ -17295,6 +18517,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.Credentials.GID) }, 
@@ -17304,6 +18527,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Signal.Target.Process.Credentials.Group }, @@ -17313,6 +18537,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return 0 @@ -17325,6 +18550,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return "" @@ -17337,6 +18563,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return 0 @@ -17349,6 +18576,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return "" 
@@ -17361,6 +18589,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return []string{} @@ -17373,6 +18602,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return false @@ -17385,6 +18615,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return 0 @@ -17397,6 +18628,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return 0 @@ -17409,6 +18641,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return 0 
@@ -17421,6 +18654,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return 0 @@ -17434,6 +18668,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return "" @@ -17447,6 +18682,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent)) }, @@ -17456,6 +18692,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return "" @@ -17468,6 +18705,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return "" 
@@ -17480,6 +18718,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return "" @@ -17493,6 +18732,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return "" @@ -17506,6 +18746,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Process.LinuxBinprm.FileEvent)) }, @@ -17515,6 +18756,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return 0 @@ -17527,6 +18769,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return 0 
@@ -17539,6 +18782,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.interpreter.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.Process.HasInterpreter() { return "" @@ -17551,6 +18795,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.is_exec": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Signal.Target.Process.IsExec }, @@ -17560,6 +18805,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.is_kworker": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Signal.Target.Process.PIDContext.IsKworker }, @@ -17569,6 +18815,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.is_thread": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessIsThread(ev, &ev.Signal.Target.Process) }, @@ -17578,6 +18825,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.args": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -17590,6 +18838,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.args_flags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return []string{} 
@@ -17602,6 +18851,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.args_options": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return []string{} @@ -17614,6 +18864,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.args_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return false @@ -17626,6 +18877,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.argv": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return []string{} @@ -17638,6 +18890,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.argv0": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -17650,6 +18903,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.auid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -17662,6 +18916,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.cap_effective": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 
@@ -17674,6 +18929,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.cap_permitted": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -17686,6 +18942,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.cgroup.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -17698,6 +18955,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.cgroup.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -17710,6 +18968,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.cgroup.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -17722,6 +18981,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.cgroup.manager": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -17734,6 +18994,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.comm": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" 
@@ -17746,6 +19007,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -17758,6 +19020,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -17770,6 +19033,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.egid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -17782,6 +19046,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.egroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -17794,6 +19059,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return []string{} @@ -17806,6 +19072,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return []string{} 
@@ -17818,6 +19085,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.envs_truncated": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return false @@ -17830,6 +19098,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.euid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -17842,6 +19111,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.euser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -17854,6 +19124,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -17869,6 +19140,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -17884,6 +19156,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 
@@ -17899,6 +19172,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -17914,6 +19188,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return []string{} @@ -17929,6 +19204,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return false @@ -17944,6 +19220,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -17959,6 +19236,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -17974,6 +19252,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 
@@ -17989,6 +19268,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18005,6 +19285,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18021,6 +19302,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.FileEvent)) }, @@ -18030,6 +19312,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18045,6 +19328,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18060,6 +19344,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" 
@@ -18076,6 +19361,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18092,6 +19378,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.FileEvent)) }, @@ -18101,6 +19388,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18116,6 +19404,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18131,6 +19420,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18146,6 +19436,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.fsgid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 
@@ -18158,6 +19449,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.fsgroup": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18170,6 +19462,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.fsuid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18182,6 +19475,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.fsuser": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18194,6 +19488,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18206,6 +19501,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18218,6 +19514,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 
@@ -18233,6 +19530,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18248,6 +19546,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18263,6 +19562,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18278,6 +19578,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return []string{} @@ -18293,6 +19594,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return false 
@@ -18308,6 +19610,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18323,6 +19626,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18338,6 +19642,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18353,6 +19658,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18369,6 +19675,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" 
@@ -18385,6 +19692,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent)) }, @@ -18394,6 +19702,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18409,6 +19718,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18424,6 +19734,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18440,6 +19751,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" 
@@ -18456,6 +19768,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Signal.Target.Parent.LinuxBinprm.FileEvent)) }, @@ -18465,6 +19778,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18480,6 +19794,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18495,6 +19810,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.interpreter.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18510,6 +19826,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.is_exec": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return false @@ -18522,6 +19839,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.is_kworker": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return false 
@@ -18534,6 +19852,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.is_thread": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return false @@ -18546,6 +19865,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18558,6 +19878,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18570,6 +19891,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.tid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 @@ -18582,6 +19904,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.tty_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18594,6 +19917,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return 0 
@@ -18606,6 +19930,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18618,6 +19943,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.user_session.k8s_groups": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return []string{} @@ -18630,6 +19956,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.user_session.k8s_uid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18642,6 +19969,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.parent.user_session.k8s_username": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.Signal.Target.HasParent() { return "" @@ -18654,6 +19982,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.PIDContext.Pid) }, @@ -18663,6 +19992,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.PPid) }, 
@@ -18672,6 +20002,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.tid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.PIDContext.Tid) }, @@ -18681,6 +20012,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.tty_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Signal.Target.Process.TTYName }, @@ -18690,6 +20022,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Target.Process.Credentials.UID) }, @@ -18699,6 +20032,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Signal.Target.Process.Credentials.User }, @@ -18708,6 +20042,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.user_session.k8s_groups": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SGroups(ev, &ev.Signal.Target.Process.UserSession) }, @@ -18717,6 +20052,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.user_session.k8s_uid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SUID(ev, &ev.Signal.Target.Process.UserSession) }, 
@@ -18726,6 +20062,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.target.user_session.k8s_username": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveK8SUsername(ev, &ev.Signal.Target.Process.UserSession) }, @@ -18735,6 +20072,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "signal.type": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Signal.Type) }, @@ -18744,6 +20082,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Splice.File.FileFields.CTime) }, @@ -18753,6 +20092,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Splice.File) }, @@ -18762,6 +20102,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Splice.File.FileFields.GID) }, @@ -18771,6 +20112,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Splice.File.FileFields) }, 
@@ -18780,6 +20122,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Splice.File) }, @@ -18789,6 +20132,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Splice.File.FileFields) }, @@ -18798,6 +20142,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Splice.File.FileFields.PathKey.Inode) }, @@ -18807,6 +20152,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Splice.File.FileFields.Mode) }, @@ -18816,6 +20162,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Splice.File.FileFields.MTime) }, @@ -18825,6 +20172,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Splice.File.FileFields.PathKey.MountID) }, 
@@ -18835,6 +20183,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Splice.File) }, @@ -18845,6 +20194,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Splice.File)) }, @@ -18854,6 +20204,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.Splice.File) }, @@ -18863,6 +20214,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Splice.File) }, @@ -18872,6 +20224,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Splice.File) }, 
@@ -18882,6 +20235,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Splice.File) }, @@ -18892,6 +20246,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Splice.File)) }, @@ -18901,6 +20256,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.Splice.File.FileFields)) }, @@ -18910,6 +20266,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Splice.File.FileFields.UID) }, @@ -18919,6 +20276,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Splice.File.FileFields) }, @@ -18928,6 +20286,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.pipe_entry_flag": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Splice.PipeEntryFlag) }, 
@@ -18937,6 +20296,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.pipe_exit_flag": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Splice.PipeExitFlag) }, @@ -18946,6 +20306,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "splice.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Splice.SyscallEvent.Retval) }, @@ -18955,6 +20316,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Unlink.File.FileFields.CTime) }, @@ -18964,6 +20326,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Unlink.File) }, @@ -18973,6 +20336,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Unlink.File.FileFields.GID) }, @@ -18982,6 +20346,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Unlink.File.FileFields) }, 
@@ -18991,6 +20356,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Unlink.File) }, @@ -19000,6 +20366,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Unlink.File.FileFields) }, @@ -19009,6 +20376,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Unlink.File.FileFields.PathKey.Inode) }, @@ -19018,6 +20386,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Unlink.File.FileFields.Mode) }, @@ -19027,6 +20396,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Unlink.File.FileFields.MTime) }, @@ -19036,6 +20406,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Unlink.File.FileFields.PathKey.MountID) }, 
@@ -19046,6 +20417,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Unlink.File) }, @@ -19056,6 +20428,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Unlink.File)) }, @@ -19065,6 +20438,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.Unlink.File) }, @@ -19074,6 +20448,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Unlink.File) }, @@ -19083,6 +20458,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Unlink.File) }, 
@@ -19093,6 +20469,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Unlink.File) }, @@ -19103,6 +20480,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Unlink.File)) }, @@ -19112,6 +20490,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.Unlink.File.FileFields)) }, @@ -19121,6 +20500,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Unlink.File.FileFields.UID) }, @@ -19130,6 +20510,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Unlink.File.FileFields) }, @@ -19139,6 +20520,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.flags": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Unlink.Flags) }, 
@@ -19148,6 +20530,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Unlink.SyscallEvent.Retval) }, @@ -19157,6 +20540,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.syscall.dirfd": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt1(ev, &ev.Unlink.SyscallContext)) }, @@ -19166,6 +20550,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.syscall.flags": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveSyscallCtxArgsInt3(ev, &ev.Unlink.SyscallContext)) }, @@ -19175,6 +20560,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unlink.syscall.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr2(ev, &ev.Unlink.SyscallContext) }, @@ -19184,6 +20570,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unload_module.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.UnloadModule.Name }, @@ -19193,6 +20580,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "unload_module.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.UnloadModule.SyscallEvent.Retval) }, 
@@ -19202,6 +20590,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.change_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Utimes.File.FileFields.CTime) }, @@ -19211,6 +20600,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.filesystem": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFilesystem(ev, &ev.Utimes.File) }, @@ -19220,6 +20610,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.gid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Utimes.File.FileFields.GID) }, @@ -19229,6 +20620,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.group": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsGroup(ev, &ev.Utimes.File.FileFields) }, @@ -19238,6 +20630,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.hashes": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHashesFromEvent(ev, &ev.Utimes.File) }, @@ -19247,6 +20640,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.in_upper_layer": return &eval.BoolEvaluator{ EvalFnc: func(ctx *eval.Context) bool { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsInUpperLayer(ev, &ev.Utimes.File.FileFields) }, 
@@ -19256,6 +20650,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.inode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Utimes.File.FileFields.PathKey.Inode) }, @@ -19265,6 +20660,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.mode": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Utimes.File.FileFields.Mode) }, @@ -19274,6 +20670,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.modification_time": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Utimes.File.FileFields.MTime) }, @@ -19283,6 +20680,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.mount_id": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Utimes.File.FileFields.PathKey.MountID) }, @@ -19293,6 +20691,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Utimes.File) }, @@ -19303,6 +20702,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkBasename, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Utimes.File)) }, 
@@ -19312,6 +20712,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.package.name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageName(ev, &ev.Utimes.File) }, @@ -19321,6 +20722,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.package.source_version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageSourceVersion(ev, &ev.Utimes.File) }, @@ -19330,6 +20732,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.package.version": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolvePackageVersion(ev, &ev.Utimes.File) }, @@ -19340,6 +20743,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Utimes.File) }, @@ -19350,6 +20754,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: ProcessSymlinkPathname, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Utimes.File)) }, 
@@ -19359,6 +20764,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.rights": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveRights(ev, &ev.Utimes.File.FileFields)) }, @@ -19368,6 +20774,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.uid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Utimes.File.FileFields.UID) }, @@ -19377,6 +20784,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.file.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileFieldsUser(ev, &ev.Utimes.File.FileFields) }, @@ -19386,6 +20794,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.retval": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Utimes.SyscallEvent.Retval) }, @@ -19395,6 +20804,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "utimes.syscall.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveSyscallCtxArgsStr1(ev, &ev.Utimes.SyscallContext) }, diff --git a/pkg/security/secl/model/accessors_windows.go b/pkg/security/secl/model/accessors_windows.go index 9bd0e32d553b9..6f15992c5aab1 100644 --- a/pkg/security/secl/model/accessors_windows.go +++ b/pkg/security/secl/model/accessors_windows.go 
@@ -43,6 +43,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "change_permission.new_sd": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveNewSecurityDescriptor(ev, &ev.ChangePermission) }, @@ -52,6 +53,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "change_permission.old_sd": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveOldSecurityDescriptor(ev, &ev.ChangePermission) }, @@ -61,6 +63,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "change_permission.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.ChangePermission.ObjectName }, @@ -70,6 +73,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "change_permission.type": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.ChangePermission.ObjectType }, @@ -79,6 +83,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "change_permission.user_domain": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.ChangePermission.UserDomain }, @@ -88,6 +93,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "change_permission.username": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.ChangePermission.UserName }, 
@@ -97,6 +103,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "container.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.BaseEvent.ContainerContext)) }, @@ -106,6 +113,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveContainerID(ev, ev.BaseEvent.ContainerContext) }, @@ -115,6 +123,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "container.runtime": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveContainerRuntime(ev, ev.BaseEvent.ContainerContext) }, @@ -124,6 +133,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "container.tags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext) }, @@ -134,6 +144,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.CreateNewFile.File) }, 
@@ -144,6 +155,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.CreateNewFile.File)) }, @@ -154,6 +166,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.CreateNewFile.File) }, @@ -164,6 +177,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.CreateNewFile.File)) }, @@ -174,6 +188,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.CreateNewFile.File) }, @@ -184,6 +199,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileUserPath(ev, &ev.CreateNewFile.File)) }, 
@@ -193,6 +209,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "create.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.CreateRegistryKey.Registry.KeyName }, @@ -202,6 +219,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "create.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.CreateRegistryKey.Registry.KeyName) }, @@ -212,6 +230,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.CreateRegistryKey.Registry.KeyPath }, @@ -222,6 +241,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.CreateRegistryKey.Registry.KeyPath) }, @@ -231,6 +251,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "create_key.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.CreateRegistryKey.Registry.KeyName }, @@ -240,6 +261,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "create_key.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.CreateRegistryKey.Registry.KeyName) }, 
@@ -250,6 +272,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.CreateRegistryKey.Registry.KeyPath }, @@ -260,6 +283,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.CreateRegistryKey.Registry.KeyPath) }, @@ -270,6 +294,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.DeleteFile.File) }, @@ -280,6 +305,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.DeleteFile.File)) }, @@ -290,6 +316,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.DeleteFile.File) }, @@ -300,6 +327,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.DeleteFile.File)) }, 
@@ -310,6 +338,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.DeleteFile.File) }, @@ -320,6 +349,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileUserPath(ev, &ev.DeleteFile.File)) }, @@ -329,6 +359,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "delete.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.DeleteRegistryKey.Registry.KeyName }, @@ -338,6 +369,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "delete.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.DeleteRegistryKey.Registry.KeyName) }, @@ -348,6 +380,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.DeleteRegistryKey.Registry.KeyPath }, @@ -358,6 +391,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.DeleteRegistryKey.Registry.KeyPath) }, 
@@ -367,6 +401,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "delete_key.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.DeleteRegistryKey.Registry.KeyName }, @@ -376,6 +411,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "delete_key.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.DeleteRegistryKey.Registry.KeyName) }, @@ -386,6 +422,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.DeleteRegistryKey.Registry.KeyPath }, @@ -396,6 +433,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.DeleteRegistryKey.Registry.KeyPath) }, @@ -405,6 +443,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.hostname": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHostname(ev, &ev.BaseEvent) }, @@ -414,6 +453,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.origin": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.Origin }, 
@@ -423,6 +463,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.os": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.Os }, @@ -432,6 +473,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.service": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveService(ev, &ev.BaseEvent) }, @@ -441,6 +483,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.timestamp": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveEventTimestamp(ev, &ev.BaseEvent)) }, @@ -451,6 +494,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exec.Process) }, @@ -460,6 +504,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.ContainerID }, @@ -469,6 +514,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exec.Process)) }, 
@@ -478,6 +524,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process) }, @@ -487,6 +534,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process) }, @@ -497,6 +545,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent) }, @@ -507,6 +556,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent)) }, @@ -517,6 +567,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent) }, 
@@ -527,6 +578,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent)) }, @@ -536,6 +588,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.PIDContext.Pid) }, @@ -545,6 +598,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.PPid) }, @@ -554,6 +608,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveUser(ev, ev.Exec.Process) }, @@ -563,6 +618,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.user_sid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.OwnerSidString }, @@ -572,6 +628,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.cause": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Cause) }, 
@@ -582,6 +639,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exit.Process) }, @@ -591,6 +649,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.code": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Code) }, @@ -600,6 +659,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.ContainerID }, @@ -609,6 +669,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exit.Process)) }, @@ -618,6 +679,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process) }, @@ -627,6 +689,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process) }, 
@@ -637,6 +700,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent) }, @@ -647,6 +711,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent)) }, @@ -657,6 +722,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent) }, @@ -667,6 +733,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent)) }, @@ -676,6 +743,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.PIDContext.Pid) }, @@ -685,6 +753,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.PPid) }, 
@@ -694,6 +763,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveUser(ev, ev.Exit.Process) }, @@ -703,6 +773,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.user_sid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.OwnerSidString }, @@ -712,6 +783,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.OpenRegistryKey.Registry.KeyName }, @@ -721,6 +793,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.OpenRegistryKey.Registry.KeyName) }, @@ -731,6 +804,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.OpenRegistryKey.Registry.KeyPath }, @@ -741,6 +815,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.OpenRegistryKey.Registry.KeyPath) }, 
@@ -750,6 +825,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open_key.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.OpenRegistryKey.Registry.KeyName }, @@ -759,6 +835,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open_key.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.OpenRegistryKey.Registry.KeyName) }, @@ -769,6 +846,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.OpenRegistryKey.Registry.KeyPath }, @@ -779,6 +857,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.OpenRegistryKey.Registry.KeyPath) }, @@ -789,6 +868,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -816,6 +896,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.container.id": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } 
@@ -842,6 +923,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.created_at": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -869,6 +951,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -896,6 +979,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -924,6 +1008,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -952,6 +1037,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -980,6 +1066,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -1008,6 +1095,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -1035,6 +1123,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) iterator := &ProcessAncestorsIterator{} return iterator.Len(ctx) }, @@ -1044,6 +1133,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.pid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -1070,6 +1160,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.ppid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -1096,6 +1187,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.user": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -1123,6 +1215,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.user_sid": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } 
@@ -1150,6 +1243,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessCmdLine(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -1159,6 +1253,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.ContainerID }, @@ -1168,6 +1263,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.BaseEvent.ProcessContext.Process)) }, @@ -1177,6 +1273,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -1186,6 +1283,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process) }, 
@@ -1196,6 +1294,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) }, @@ -1206,6 +1305,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)) }, @@ -1216,6 +1316,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) }, @@ -1226,6 +1327,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)) }, @@ -1236,6 +1338,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" 
@@ -1248,6 +1351,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -1260,6 +1364,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -1272,6 +1377,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return []string{} @@ -1284,6 +1390,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return []string{} @@ -1297,6 +1404,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -1310,6 +1418,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent)) }, 
@@ -1320,6 +1429,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -1333,6 +1443,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent)) }, @@ -1342,6 +1453,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -1354,6 +1466,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -1366,6 +1479,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -1378,6 +1492,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.user_sid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" 
@@ -1390,6 +1505,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Pid) }, @@ -1399,6 +1515,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.PPid) }, @@ -1408,6 +1525,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveUser(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -1417,6 +1535,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.user_sid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.OwnerSidString }, @@ -1427,6 +1546,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.New) }, @@ -1437,6 +1557,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.New)) }, 
@@ -1447,6 +1568,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.New) }, @@ -1457,6 +1579,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.New)) }, @@ -1467,6 +1590,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.New) }, @@ -1477,6 +1601,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.New)) }, @@ -1487,6 +1612,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.Old) }, 
@@ -1497,6 +1623,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.Old)) }, @@ -1507,6 +1634,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.Old) }, @@ -1517,6 +1645,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.Old)) }, @@ -1527,6 +1656,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.Old) }, @@ -1537,6 +1667,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.Old)) }, 
@@ -1546,6 +1677,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.Registry.KeyName }, @@ -1555,6 +1687,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.SetRegistryKeyValue.Registry.KeyName) }, @@ -1565,6 +1698,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.Registry.KeyPath }, @@ -1575,6 +1709,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.SetRegistryKeyValue.Registry.KeyPath) }, @@ -1584,6 +1719,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set.registry.value_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.ValueName }, @@ -1593,6 +1729,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set.registry.value_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.SetRegistryKeyValue.ValueName) }, 
@@ -1602,6 +1739,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set.value_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.ValueName }, @@ -1611,6 +1749,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set_key_value.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.Registry.KeyName }, @@ -1620,6 +1759,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set_key_value.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.SetRegistryKeyValue.Registry.KeyName) }, @@ -1630,6 +1770,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.Registry.KeyPath }, @@ -1640,6 +1781,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.SetRegistryKeyValue.Registry.KeyPath) }, @@ -1649,6 +1791,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set_key_value.registry.value_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.ValueName }, 
@@ -1658,6 +1801,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set_key_value.registry.value_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.SetRegistryKeyValue.ValueName) }, @@ -1667,6 +1811,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set_key_value.value_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.ValueName }, @@ -1677,6 +1822,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.WriteFile.File) }, @@ -1687,6 +1833,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.WriteFile.File)) }, @@ -1697,6 +1844,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.WriteFile.File) }, @@ -1707,6 +1855,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.WriteFile.File)) }, 
@@ -1717,6 +1866,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.WriteFile.File) }, @@ -1727,6 +1877,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileUserPath(ev, &ev.WriteFile.File)) }, From 9c84cb22905d68813707fddf212d466d143a82ea Mon Sep 17 00:00:00 2001 From: Paul Cacheux Date: Thu, 28 Nov 2024 19:11:23 +0100 Subject: [PATCH 2/6] use this data to not resolve new fields in func tests collection --- pkg/security/secl/rules/collected_events_functests.go | 10 +++++++++- pkg/security/secl/rules/collected_events_regular.go | 2 +- pkg/security/secl/rules/ruleset.go | 2 +- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/pkg/security/secl/rules/collected_events_functests.go b/pkg/security/secl/rules/collected_events_functests.go index eda8cfdb28948..812b12b247583 100644 --- a/pkg/security/secl/rules/collected_events_functests.go +++ b/pkg/security/secl/rules/collected_events_functests.go @@ -10,6 +10,7 @@ package rules import ( "errors" + "slices" "sync" "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval" @@ -22,7 +23,7 @@ type EventCollector struct { eventsCollected []CollectedEvent } -func (ec *EventCollector) CollectEvent(rs *RuleSet, event eval.Event, result bool) { +func (ec *EventCollector) CollectEvent(rs *RuleSet, ctx *eval.Context, event eval.Event, result bool) { ec.Lock() defer ec.Unlock() var fieldNotSupportedError *eval.ErrNotSupported 
@@ -34,7 +35,14 @@ func (ec *EventCollector) CollectEvent(rs *RuleSet, event eval.Event, result boo Fields: make(map[string]interface{}, len(rs.fields)), } + resolvedFields := ctx.GetResolvedFields() + for _, field := range rs.fields { + // skip fields that have not been resolved + if !slices.Contains(resolvedFields, field) { + continue + } + fieldEventType, err := event.GetFieldEventType(field) if err != nil { rs.logger.Errorf("failed to get event type for field %s: %v", field, err) diff --git a/pkg/security/secl/rules/collected_events_regular.go b/pkg/security/secl/rules/collected_events_regular.go index bbac542fe9479..dc9b42defeadd 100644 --- a/pkg/security/secl/rules/collected_events_regular.go +++ b/pkg/security/secl/rules/collected_events_regular.go @@ -15,7 +15,7 @@ type EventCollector struct { } // CollectEvent collects event -func (ec *EventCollector) CollectEvent(_ *RuleSet, _ eval.Event, _ bool) { +func (ec *EventCollector) CollectEvent(_ *RuleSet, _ *eval.Context, _ eval.Event, _ bool) { // no-op } diff --git a/pkg/security/secl/rules/ruleset.go b/pkg/security/secl/rules/ruleset.go index 2e34abf5d0aa3..90be57e0b71a9 100644 --- a/pkg/security/secl/rules/ruleset.go +++ b/pkg/security/secl/rules/ruleset.go @@ -603,7 +603,7 @@ func (rs *RuleSet) Evaluate(event eval.Event) bool { // no-op in the general case, only used to collect events in functional tests // for debugging purposes - rs.eventCollector.CollectEvent(rs, event, result) + rs.eventCollector.CollectEvent(rs, ctx, event, result) return result } From b37b390f4b2f7438ebd2f8a15eb87d4faf1dccc2 Mon Sep 17 00:00:00 2001 
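Review bot: The new skip applies to matching events as well as non-matching ones, whereas the weight-based guard this series later removes (visible as the deleted `if !result {` block in commit 4) only ran for `!result`; with short-circuit evaluation a matching rule does not necessarily resolve every entry of `rs.fields` (e.g. the right operand of an `||` whose left side is already true), so matching events now collect fewer fields than before. If the collector is still expected to record every field for matching events, condition the skip on the result: `if !result && !slices.Contains(resolvedFields, field) {`. Either way the comment should say why the skip exists, e.g. `// skip fields whose evaluator never ran for this event, so collecting does not trigger resolvers (e.g. hashes) the rule itself did not need`. CollectEvent's body continues beyond the hunk.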
From: Paul Cacheux Date: Thu, 28 Nov 2024 19:44:53 +0100 Subject: [PATCH 3/6] make `AppendResolvedField` a no-op outside of tests --- pkg/security/secl/compiler/eval/context.go | 9 +-------- .../secl/compiler/eval/context_funtests.go | 18 ++++++++++++++++++ .../secl/compiler/eval/context_regular.go | 13 +++++++++++++ 3 files changed, 32 insertions(+), 8 deletions(-) create mode 100644 pkg/security/secl/compiler/eval/context_funtests.go create mode 100644 pkg/security/secl/compiler/eval/context_regular.go diff --git a/pkg/security/secl/compiler/eval/context.go b/pkg/security/secl/compiler/eval/context.go index 6348329b3ed6b..038a24634b353 100644 --- a/pkg/security/secl/compiler/eval/context.go +++ b/pkg/security/secl/compiler/eval/context.go @@ -66,14 +66,7 @@ func (c *Context) Reset() { clear(c.resolvedFields) } -func (c *Context) AppendResolvedField(field string) { - if field == "" { - return - } - - c.resolvedFields = append(c.resolvedFields, field) -} - +// GetResolvedFields returns the resolved fields, always empty outside of functional tests func (c *Context) GetResolvedFields() []string { return c.resolvedFields } diff --git a/pkg/security/secl/compiler/eval/context_funtests.go b/pkg/security/secl/compiler/eval/context_funtests.go new file mode 100644 index 0000000000000..4c0a56683d9ea --- /dev/null +++ b/pkg/security/secl/compiler/eval/context_funtests.go @@ -0,0 +1,18 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2016-present Datadog, Inc. + +//go:build functionaltests + +// Package eval holds eval related files +package eval + +// AppendResolvedField instructs the context that this field has been resolved +func (c *Context) AppendResolvedField(field string) { + if field == "" { + return + } + + c.resolvedFields = append(c.resolvedFields, field) +} 
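Review bot: `clear(c.resolvedFields)` in Reset zeroes the slice's elements but leaves its length unchanged (that is what the builtin does for a slice, unlike a map), so every AppendResolvedField after a Reset lands past the zeroed entries and the slice grows for the lifetime of the Context, with GetResolvedFields returning an ever-longer prefix of empty strings ahead of the current fields. Truncating instead, `c.resolvedFields = c.resolvedFields[:0]`, keeps the backing array and drops the stale entries. GetResolvedFields also hands out the internal slice, so the new doc comment could state the ownership and reset semantics, e.g. `// GetResolvedFields returns the fields resolved since the last Reset; the slice is owned by the Context and is always empty outside of functional tests`. Reset's signature and the other clears are above the hunk.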
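Review bot: AppendResolvedField appends unconditionally, so a field whose evaluator runs several times within one evaluation, or across rules that share the context, is recorded once per call; the only consumer in this series tests membership with `slices.Contains`, so duplicates are harmless for correctness but make the list grow with the number of evaluator calls rather than the number of distinct fields. Guarding the append with `if slices.Contains(c.resolvedFields, field) { return }` (with `import "slices"` added to the new file) keeps it bounded; an O(n) check is fine for a functional-tests-only path. The doc comment could also record the build-tag split, e.g. `// AppendResolvedField records that field's evaluator ran during the current evaluation; only compiled under the functionaltests tag, see context_regular.go for the no-op`.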
diff --git a/pkg/security/secl/compiler/eval/context_regular.go b/pkg/security/secl/compiler/eval/context_regular.go new file mode 100644 index 0000000000000..b2a8ff0d71851 --- /dev/null +++ b/pkg/security/secl/compiler/eval/context_regular.go @@ -0,0 +1,13 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2016-present Datadog, Inc. + +//go:build !functionaltests + +// Package eval holds eval related files +package eval + +// AppendResolvedField is a no-op outside of functional tests +func (c *Context) AppendResolvedField(_ string) { +} From f2494b3e608394c140ba55257fc83826cc33175b Mon Sep 17 00:00:00 2001 From: Paul Cacheux Date: Thu, 28 Nov 2024 20:01:13 +0100 Subject: [PATCH 4/6] Revert "[CWS] tests: stop collecting hash field values on non-matching events (#31268)" This reverts commit 7310b82e76e38fa0db4ab30b637ad6952afb73f3. --- pkg/security/secl/compiler/eval/evaluators.go | 51 ------------------- .../secl/rules/collected_events_functests.go | 10 ---- 2 files changed, 61 deletions(-) diff --git a/pkg/security/secl/compiler/eval/evaluators.go b/pkg/security/secl/compiler/eval/evaluators.go index df2d7ab22609e..784d65a7c7bb5 100644 --- a/pkg/security/secl/compiler/eval/evaluators.go +++ b/pkg/security/secl/compiler/eval/evaluators.go @@ -18,7 +18,6 @@ type Evaluator interface { IsDeterministicFor(field Field) bool GetField() string IsStatic() bool - GetWeight() int } // BoolEvaluator returns a bool as result of the evaluation @@ -53,11 +52,6 @@ func (b *BoolEvaluator) IsStatic() bool { return b.EvalFnc == nil } -// GetWeight returns the weight of the evaluator -func (b *BoolEvaluator) GetWeight() int { - return b.Weight -} - // IntEvaluator returns an int as result of the evaluation type IntEvaluator struct { EvalFnc func(ctx *Context) int 
@@ -92,11 +86,6 @@ func (i *IntEvaluator) IsStatic() bool { return i.EvalFnc == nil } -// GetWeight returns the weight of the evaluator -func (i *IntEvaluator) GetWeight() int { - return i.Weight -} - // StringEvaluator returns a string as result of the evaluation type StringEvaluator struct { EvalFnc func(ctx *Context) string @@ -131,11 +120,6 @@ func (s *StringEvaluator) IsStatic() bool { return s.EvalFnc == nil } -// GetWeight returns the weight of the evaluator -func (s *StringEvaluator) GetWeight() int { - return s.Weight -} - // GetValue returns the evaluator value func (s *StringEvaluator) GetValue(ctx *Context) string { if s.EvalFnc == nil { @@ -190,11 +174,6 @@ func (s *StringArrayEvaluator) IsStatic() bool { return s.EvalFnc == nil } -// GetWeight returns the weight of the evaluator -func (s *StringArrayEvaluator) GetWeight() int { - return s.Weight -} - // AppendValue append the given value func (s *StringArrayEvaluator) AppendValue(value string) { s.Values = append(s.Values, value) @@ -230,11 +209,6 @@ func (s *StringValuesEvaluator) IsStatic() bool { return s.EvalFnc == nil } -// GetWeight returns the weight of the evaluator -func (s *StringValuesEvaluator) GetWeight() int { - return s.Weight -} - // Compile the underlying StringValues func (s *StringValuesEvaluator) Compile(opts StringCmpOpts) error { return s.Values.Compile(opts) @@ -301,11 +275,6 @@ func (i *IntArrayEvaluator) IsStatic() bool { return i.EvalFnc == nil } -// GetWeight returns the weight of the evaluator -func (i *IntArrayEvaluator) GetWeight() int { - return i.Weight -} - // AppendValues to the array evaluator func (i *IntArrayEvaluator) AppendValues(values ...int) { i.Values = append(i.Values, values...) 
@@ -343,11 +312,6 @@ func (b *BoolArrayEvaluator) IsStatic() bool { return b.EvalFnc == nil } -// GetWeight returns the weight of the evaluator -func (b *BoolArrayEvaluator) GetWeight() int { - return b.Weight -} - // AppendValues to the array evaluator func (b *BoolArrayEvaluator) AppendValues(values ...bool) { b.Values = append(b.Values, values...) @@ -386,11 +350,6 @@ func (s *CIDREvaluator) IsStatic() bool { return s.EvalFnc == nil } -// GetWeight returns the weight of the evaluator -func (s *CIDREvaluator) GetWeight() int { - return s.Weight -} - // CIDRValuesEvaluator returns a net.IP type CIDRValuesEvaluator struct { EvalFnc func(ctx *Context) *CIDRValues @@ -422,11 +381,6 @@ func (s *CIDRValuesEvaluator) IsStatic() bool { return s.EvalFnc == nil } -// GetWeight returns the weight of the evaluator -func (s *CIDRValuesEvaluator) GetWeight() int { - return s.Weight -} - // CIDRArrayEvaluator returns an array of net.IPNet type CIDRArrayEvaluator struct { EvalFnc func(ctx *Context) []net.IPNet @@ -459,8 +413,3 @@ func (s *CIDRArrayEvaluator) GetField() string { func (s *CIDRArrayEvaluator) IsStatic() bool { return s.EvalFnc == nil } - -// GetWeight returns the weight of the evaluator -func (s *CIDRArrayEvaluator) GetWeight() int { - return s.Weight -} diff --git a/pkg/security/secl/rules/collected_events_functests.go b/pkg/security/secl/rules/collected_events_functests.go index 812b12b247583..25754a4c574c6 100644 --- a/pkg/security/secl/rules/collected_events_functests.go +++ b/pkg/security/secl/rules/collected_events_functests.go @@ -16,8 +16,6 @@ import ( "github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval" ) -const maxFieldWeight = 999 - type EventCollector struct { sync.Mutex eventsCollected []CollectedEvent 
@@ -52,14 +50,6 @@ func (ec *EventCollector) CollectEvent(rs *RuleSet, ctx *eval.Context, event eva continue } - // for non-matching events, we want to avoid resolving costly fields (e.g. file hashes) - // to avoid impacting events that should be matching - if !result { - if evaluator, err := rs.model.GetEvaluator(field, ""); err == nil && evaluator.GetWeight() > maxFieldWeight { - continue - } - } - value, err := event.GetFieldValue(field) if err != nil { // GetFieldValue returns the default type value with ErrNotSupported in case the field Check test fails From 44815fb8c6cbf7614ed945211a1a463cbe4f3ba4 Mon Sep 17 00:00:00 2001 From: Paul Cacheux Date: Thu, 28 Nov 2024 20:32:38 +0100 Subject: [PATCH 5/6] `inv -e security-agent.sync-secl-win-pkg` --- pkg/security/seclwin/model/accessors_win.go | 151 ++++++++++++++++++++ 1 file changed, 151 insertions(+) diff --git a/pkg/security/seclwin/model/accessors_win.go b/pkg/security/seclwin/model/accessors_win.go index 4b14373018f29..d7f989e58bd93 100644 --- a/pkg/security/seclwin/model/accessors_win.go +++ b/pkg/security/seclwin/model/accessors_win.go @@ -41,6 +41,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "change_permission.new_sd": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveNewSecurityDescriptor(ev, &ev.ChangePermission) }, @@ -50,6 +51,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "change_permission.old_sd": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveOldSecurityDescriptor(ev, &ev.ChangePermission) }, 
@@ -59,6 +61,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "change_permission.path": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.ChangePermission.ObjectName }, @@ -68,6 +71,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "change_permission.type": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.ChangePermission.ObjectType }, @@ -77,6 +81,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "change_permission.user_domain": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.ChangePermission.UserDomain }, @@ -86,6 +91,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "change_permission.username": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.ChangePermission.UserName }, @@ -95,6 +101,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "container.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveContainerCreatedAt(ev, ev.BaseEvent.ContainerContext)) }, @@ -104,6 +111,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveContainerID(ev, ev.BaseEvent.ContainerContext) }, 
@@ -113,6 +121,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "container.runtime": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveContainerRuntime(ev, ev.BaseEvent.ContainerContext) }, @@ -122,6 +131,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "container.tags": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveContainerTags(ev, ev.BaseEvent.ContainerContext) }, @@ -132,6 +142,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.CreateNewFile.File) }, @@ -142,6 +153,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.CreateNewFile.File)) }, @@ -152,6 +164,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.CreateNewFile.File) }, 
@@ -162,6 +175,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.CreateNewFile.File)) }, @@ -172,6 +186,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.CreateNewFile.File) }, @@ -182,6 +197,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileUserPath(ev, &ev.CreateNewFile.File)) }, @@ -191,6 +207,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "create.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.CreateRegistryKey.Registry.KeyName }, @@ -200,6 +217,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "create.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.CreateRegistryKey.Registry.KeyName) }, @@ -210,6 +228,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.CreateRegistryKey.Registry.KeyPath }, 
@@ -220,6 +239,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.CreateRegistryKey.Registry.KeyPath) }, @@ -229,6 +249,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "create_key.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.CreateRegistryKey.Registry.KeyName }, @@ -238,6 +259,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "create_key.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.CreateRegistryKey.Registry.KeyName) }, @@ -248,6 +270,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.CreateRegistryKey.Registry.KeyPath }, @@ -258,6 +281,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.CreateRegistryKey.Registry.KeyPath) }, @@ -268,6 +292,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.DeleteFile.File) }, 
@@ -278,6 +303,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.DeleteFile.File)) }, @@ -288,6 +314,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.DeleteFile.File) }, @@ -298,6 +325,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.DeleteFile.File)) }, @@ -308,6 +336,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.DeleteFile.File) }, @@ -318,6 +347,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileUserPath(ev, &ev.DeleteFile.File)) }, 
@@ -327,6 +357,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "delete.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.DeleteRegistryKey.Registry.KeyName }, @@ -336,6 +367,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "delete.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.DeleteRegistryKey.Registry.KeyName) }, @@ -346,6 +378,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.DeleteRegistryKey.Registry.KeyPath }, @@ -356,6 +389,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.DeleteRegistryKey.Registry.KeyPath) }, @@ -365,6 +399,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "delete_key.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.DeleteRegistryKey.Registry.KeyName }, @@ -374,6 +409,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "delete_key.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.DeleteRegistryKey.Registry.KeyName) }, 
@@ -384,6 +420,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.DeleteRegistryKey.Registry.KeyPath }, @@ -394,6 +431,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.DeleteRegistryKey.Registry.KeyPath) }, @@ -403,6 +441,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.hostname": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveHostname(ev, &ev.BaseEvent) }, @@ -412,6 +451,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.origin": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.Origin }, @@ -421,6 +461,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.os": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.Os }, @@ -430,6 +471,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.service": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveService(ev, &ev.BaseEvent) }, 
@@ -439,6 +481,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "event.timestamp": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveEventTimestamp(ev, &ev.BaseEvent)) }, @@ -449,6 +492,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exec.Process) }, @@ -458,6 +502,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.ContainerID }, @@ -467,6 +512,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exec.Process)) }, @@ -476,6 +522,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exec.Process) }, @@ -485,6 +532,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exec.Process) }, 
@@ -495,6 +543,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent) }, @@ -505,6 +554,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exec.Process.FileEvent)) }, @@ -515,6 +565,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent) }, @@ -525,6 +576,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exec.Process.FileEvent)) }, @@ -534,6 +586,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.PIDContext.Pid) }, @@ -543,6 +596,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exec.Process.PPid) }, 
@@ -552,6 +606,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveUser(ev, ev.Exec.Process) }, @@ -561,6 +616,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exec.user_sid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exec.Process.OwnerSidString }, @@ -570,6 +626,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.cause": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Cause) }, @@ -580,6 +637,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessCmdLine(ev, ev.Exit.Process) }, @@ -589,6 +647,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.code": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Code) }, @@ -598,6 +657,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.ContainerID }, 
@@ -607,6 +667,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, ev.Exit.Process)) }, @@ -616,6 +677,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvp(ev, ev.Exit.Process) }, @@ -625,6 +687,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvs(ev, ev.Exit.Process) }, @@ -635,6 +698,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent) }, @@ -645,6 +709,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.Exit.Process.FileEvent)) }, 
@@ -655,6 +720,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent) }, @@ -665,6 +731,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.Exit.Process.FileEvent)) }, @@ -674,6 +741,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.PIDContext.Pid) }, @@ -683,6 +751,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.Exit.Process.PPid) }, @@ -692,6 +761,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveUser(ev, ev.Exit.Process) }, @@ -701,6 +771,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "exit.user_sid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.Exit.Process.OwnerSidString }, 
@@ -710,6 +781,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.OpenRegistryKey.Registry.KeyName }, @@ -719,6 +791,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.OpenRegistryKey.Registry.KeyName) }, @@ -729,6 +802,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.OpenRegistryKey.Registry.KeyPath }, @@ -739,6 +813,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.OpenRegistryKey.Registry.KeyPath) }, @@ -748,6 +823,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open_key.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.OpenRegistryKey.Registry.KeyName }, @@ -757,6 +833,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "open_key.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.OpenRegistryKey.Registry.KeyName) }, 
@@ -767,6 +844,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.OpenRegistryKey.Registry.KeyPath }, @@ -777,6 +855,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.OpenRegistryKey.Registry.KeyPath) }, @@ -787,6 +866,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -814,6 +894,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.container.id": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -840,6 +921,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.created_at": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -867,6 +949,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result 
@@ -894,6 +977,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -922,6 +1006,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -950,6 +1035,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -978,6 +1064,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringArrayEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -1006,6 +1093,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntArrayEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.IntCache[field]; ok { return result @@ -1033,6 +1121,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) iterator := &ProcessAncestorsIterator{} return iterator.Len(ctx) }, 
@@ -1042,6 +1131,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.pid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -1068,6 +1158,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.ppid": return &eval.IntArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []int { + ctx.AppendResolvedField(field) if result, ok := ctx.IntCache[field]; ok { return result } @@ -1094,6 +1185,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.user": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if result, ok := ctx.StringCache[field]; ok { return result @@ -1121,6 +1213,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ancestors.user_sid": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) if result, ok := ctx.StringCache[field]; ok { return result } @@ -1148,6 +1241,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessCmdLine(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -1157,6 +1251,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.ContainerID }, 
@@ -1166,6 +1261,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.FieldHandlers.ResolveProcessCreatedAt(ev, &ev.BaseEvent.ProcessContext.Process)) }, @@ -1175,6 +1271,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvp(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -1184,6 +1281,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveProcessEnvs(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -1194,6 +1292,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) }, @@ -1204,6 +1303,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)) }, 
@@ -1214,6 +1314,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent) }, @@ -1224,6 +1325,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Process.FileEvent)) }, @@ -1234,6 +1336,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -1246,6 +1349,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.container.id": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -1258,6 +1362,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.created_at": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 
@@ -1270,6 +1375,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.envp": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return []string{} @@ -1282,6 +1388,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.envs": return &eval.StringArrayEvaluator{ EvalFnc: func(ctx *eval.Context) []string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return []string{} @@ -1295,6 +1402,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -1308,6 +1416,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileBasename(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent)) }, @@ -1318,6 +1427,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" 
@@ -1331,6 +1441,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFilePath(ev, &ev.BaseEvent.ProcessContext.Parent.FileEvent)) }, @@ -1340,6 +1451,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -1352,6 +1464,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return 0 @@ -1364,6 +1477,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -1376,6 +1490,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.parent.user_sid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) if !ev.BaseEvent.ProcessContext.HasParent() { return "" @@ -1388,6 +1503,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.pid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.PIDContext.Pid) }, 
@@ -1397,6 +1513,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.ppid": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return int(ev.BaseEvent.ProcessContext.Process.PPid) }, @@ -1406,6 +1523,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.user": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveUser(ev, &ev.BaseEvent.ProcessContext.Process) }, @@ -1415,6 +1533,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "process.user_sid": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.BaseEvent.ProcessContext.Process.OwnerSidString }, @@ -1425,6 +1544,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.New) }, @@ -1435,6 +1555,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.New)) }, @@ -1445,6 +1566,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.New) }, 
@@ -1455,6 +1577,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.New)) }, @@ -1465,6 +1588,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.New) }, @@ -1475,6 +1599,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.New)) }, @@ -1485,6 +1610,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.Old) }, @@ -1495,6 +1621,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.RenameFile.Old)) }, 
@@ -1505,6 +1632,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.Old) }, @@ -1515,6 +1643,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.RenameFile.Old)) }, @@ -1525,6 +1654,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.Old) }, @@ -1535,6 +1665,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileUserPath(ev, &ev.RenameFile.Old)) }, @@ -1544,6 +1675,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.Registry.KeyName }, @@ -1553,6 +1685,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.SetRegistryKeyValue.Registry.KeyName) }, 
@@ -1563,6 +1696,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.Registry.KeyPath }, @@ -1573,6 +1707,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.SetRegistryKeyValue.Registry.KeyPath) }, @@ -1582,6 +1717,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set.registry.value_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.ValueName }, @@ -1591,6 +1727,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set.registry.value_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.SetRegistryKeyValue.ValueName) }, @@ -1600,6 +1737,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set.value_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.ValueName }, @@ -1609,6 +1747,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set_key_value.registry.key_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.Registry.KeyName }, 
@@ -1618,6 +1757,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set_key_value.registry.key_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.SetRegistryKeyValue.Registry.KeyName) }, @@ -1628,6 +1768,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.Registry.KeyPath }, @@ -1638,6 +1779,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.SetRegistryKeyValue.Registry.KeyPath) }, @@ -1647,6 +1789,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set_key_value.registry.value_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.ValueName }, @@ -1656,6 +1799,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set_key_value.registry.value_name.length": return &eval.IntEvaluator{ EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.SetRegistryKeyValue.ValueName) }, @@ -1665,6 +1809,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval case "set_key_value.value_name": return &eval.StringEvaluator{ EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.SetRegistryKeyValue.ValueName }, 
@@ -1675,6 +1820,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFilePath(ev, &ev.WriteFile.File) }, @@ -1685,6 +1831,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFilePath(ev, &ev.WriteFile.File)) }, @@ -1695,6 +1842,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.WriteFile.File) }, @@ -1705,6 +1853,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.CaseInsensitiveCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFimFileBasename(ev, &ev.WriteFile.File)) }, @@ -1715,6 +1864,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.StringEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) string { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return ev.FieldHandlers.ResolveFileUserPath(ev, &ev.WriteFile.File) }, 
@@ -1725,6 +1875,7 @@ func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Eval return &eval.IntEvaluator{ OpOverrides: eval.WindowsPathCmp, EvalFnc: func(ctx *eval.Context) int { + ctx.AppendResolvedField(field) ev := ctx.Event.(*Event) return len(ev.FieldHandlers.ResolveFileUserPath(ev, &ev.WriteFile.File)) }, From d421d18125e891a0fc037b6dcab7eab7fa397c29 Mon Sep 17 00:00:00 2001 From: Paul Cacheux Date: Fri, 29 Nov 2024 09:30:07 +0100 Subject: [PATCH 6/6] fix filename --- .../compiler/eval/{context_funtests.go => context_functests.go} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename pkg/security/secl/compiler/eval/{context_funtests.go => context_functests.go} (100%) diff --git a/pkg/security/secl/compiler/eval/context_funtests.go b/pkg/security/secl/compiler/eval/context_functests.go similarity index 100% rename from pkg/security/secl/compiler/eval/context_funtests.go rename to pkg/security/secl/compiler/eval/context_functests.go