Feature/proctree query time

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/aquasecurity/libbpfgo v0.5.0-libbpf-1.2
 	github.com/aquasecurity/libbpfgo/helpers v0.4.6-0.20231123142329-37c4b843a539
 	github.com/aquasecurity/tracee/api v0.0.0-20231013014739-b32a168ee6a8
-	github.com/aquasecurity/tracee/types v0.0.0-20231123143520-9a6b89efc320
+	github.com/aquasecurity/tracee/types v0.0.0-20231128135314-cfe4d6426ccc
 	github.com/containerd/containerd v1.7.0
 	github.com/docker/docker v24.0.7+incompatible
 	github.com/golang/protobuf v1.5.3

go.sum

@@ -69,8 +69,8 @@ github.com/aquasecurity/libbpfgo/helpers v0.4.6-0.20231123142329-37c4b843a539 h1
 github.com/aquasecurity/libbpfgo/helpers v0.4.6-0.20231123142329-37c4b843a539/go.mod h1:1fGKke5pgH4xYvZ7HqDbLSi/R5zfRFH2K+c9kLp9L34=
 github.com/aquasecurity/tracee/api v0.0.0-20231013014739-b32a168ee6a8 h1:NGzPDvQofEG04CoPZjSSRoFMxnSd3Brh39BY1dmdyZM=
 github.com/aquasecurity/tracee/api v0.0.0-20231013014739-b32a168ee6a8/go.mod h1:l1W65+m4KGg2i61fiPaQ/o4OQCrNtNnkPTEdysF5Zpw=
-github.com/aquasecurity/tracee/types v0.0.0-20231123143520-9a6b89efc320 h1:p98V5N6wwG1TLpHGSeUsXbC96XdkdJDhRkcMo+xxXNE=
-github.com/aquasecurity/tracee/types v0.0.0-20231123143520-9a6b89efc320/go.mod h1:kHvgUMXGq5QEqSLPgu4RwGSJEoCuMQJnEkGk8OAcSUc=
+github.com/aquasecurity/tracee/types v0.0.0-20231128135314-cfe4d6426ccc h1:T3yH0mYENclyBdxwbof0+5hVk7bFFB+aaPKESqS1Zg4=
+github.com/aquasecurity/tracee/types v0.0.0-20231128135314-cfe4d6426ccc/go.mod h1:kHvgUMXGq5QEqSLPgu4RwGSJEoCuMQJnEkGk8OAcSUc=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=

pkg/proctree/datasource.go

@@ -25,9 +25,9 @@ func (ptds *DataSource) Keys() []string {
 // Schema returns the schema of the DataSource.
 func (ptds *DataSource) Schema() string {
 	schemaMap := map[string]string{
-		"process_info":    "datasource.ProcessInfo",
-		"thread_info":     "datasource.ThreadInfo",
-		"process_lineage": "datasource.ProcessLineage",
+		"process_info":    "datasource.TimeRelevantInfo[datasource.ProcessInfo]",
+		"thread_info":     "datasource.TimeRelevantInfo[datasource.ThreadInfo]",
+		"process_lineage": "datasource.TimeRelevantInfo[datasource.ProcessLineage]",
 	}
 	schema, _ := json.Marshal(schemaMap)
 	return string(schema)
@@ -89,7 +89,7 @@ func (ptds *DataSource) Get(key interface{}) (map[string]interface{}, error) {
 // exportProcessInfo returns information of the given Process at the given query time.
 func (ptds *DataSource) exportProcessInfo(
 	process *Process, queryTime time.Time,
-) datasource.ProcessInfo {
+) datasource.TimeRelevantInfo[datasource.ProcessInfo] {
 	// Pick the objects related to the process from the process tree.
 	info := process.GetInfo()
 	executable := process.GetExecutable()
@@ -126,46 +126,52 @@ func (ptds *DataSource) exportProcessInfo(
 	infoFeed := info.GetFeedAt(queryTime)
 
 	// Export the information as the expected datasource process structure.
-	return datasource.ProcessInfo{
-		EntityId:          process.GetHash(),
-		Pid:               infoFeed.Pid,
-		NsPid:             infoFeed.NsPid,
-		Ppid:              infoFeed.PPid,
-		ContainerId:       "",         // TODO: Add
-		Cmd:               []string{}, // TODO: Add
-		ExecutionBinary:   exportFileInfo(executable, queryTime),
-		Interpreter:       exportFileInfo(interpreter, queryTime),
-		Interp:            exportFileInfo(interp, queryTime),
-		StartTime:         info.GetStartTime(),
-		ExecTime:          time.Unix(0, 0), // TODO: Add
-		ExitTime:          info.GetExitTime(),
-		ParentEntityId:    process.GetParentHash(),
-		ThreadsIds:        aliveThreads,
-		ChildProcessesIds: aliveChildren,
-		IsAlive:           info.IsAliveAt(queryTime),
+	return datasource.TimeRelevantInfo[datasource.ProcessInfo]{
+		Info: datasource.ProcessInfo{
+			EntityId:          process.GetHash(),
+			Pid:               infoFeed.Pid,
+			NsPid:             infoFeed.NsPid,
+			Ppid:              infoFeed.PPid,
+			ContainerId:       "",         // TODO: Add
+			Cmd:               []string{}, // TODO: Add
+			ExecutionBinary:   exportFileInfo(executable, queryTime),
+			Interpreter:       exportFileInfo(interpreter, queryTime),
+			Interp:            exportFileInfo(interp, queryTime),
+			StartTime:         info.GetStartTime(),
+			ExecTime:          time.Unix(0, 0), // TODO: Add
+			ExitTime:          info.GetExitTime(),
+			ParentEntityId:    process.GetParentHash(),
+			ThreadsIds:        aliveThreads,
+			ChildProcessesIds: aliveChildren,
+			IsAlive:           info.IsAliveAt(queryTime),
+		},
+		Timestamp: queryTime,
 	}
 }
 
 // exportThreadInfo returns information of the given Thread at the given query time.
 func (ptds *DataSource) exportThreadInfo(
 	thread *Thread, queryTime time.Time,
-) datasource.ThreadInfo {
+) datasource.TimeRelevantInfo[datasource.ThreadInfo] {
 	// Pick the objects related to the thread from the process tree.
 	info := thread.GetInfo()
 	infoFeed := info.GetFeedAt(queryTime)
 
 	// Export the information as the expected datasource thread structure.
-	return datasource.ThreadInfo{
-		EntityId:  thread.GetHash(),
-		Tid:       infoFeed.Tid,
-		NsTid:     infoFeed.NsTid,
-		Pid:       infoFeed.Pid,
-		UserId:    infoFeed.Uid,
-		GroupId:   infoFeed.Gid,
-		StartTime: info.GetStartTime(),
-		ExitTime:  info.GetExitTime(),
-		Name:      infoFeed.Name,
-		IsAlive:   info.IsAliveAt(queryTime),
+	return datasource.TimeRelevantInfo[datasource.ThreadInfo]{
+		Info: datasource.ThreadInfo{
+			EntityId:  thread.GetHash(),
+			Tid:       infoFeed.Tid,
+			NsTid:     infoFeed.NsTid,
+			Pid:       infoFeed.Pid,
+			UserId:    infoFeed.Uid,
+			GroupId:   infoFeed.Gid,
+			StartTime: info.GetStartTime(),
+			ExitTime:  info.GetExitTime(),
+			Name:      infoFeed.Name,
+			IsAlive:   info.IsAliveAt(queryTime),
+		},
+		Timestamp: queryTime,
 	}
 }
 

signatures/helpers/proctree.go

@@ -41,22 +41,22 @@ func GetProcessTreeDataSource(ctx detect.SignatureContext) (*ProcessTreeDS, erro
 
 // GetThreadInfo query the datasource for the information of a specific thread.
 func (ptds *ProcessTreeDS) GetThreadInfo(threadKey datasource.ThreadKey) (
-	*datasource.ThreadInfo, error,
+	*datasource.TimeRelevantInfo[datasource.ThreadInfo], error,
 ) {
 	threadQueryAnswer, err := ptds.ds.Get(threadKey)
 	if err != nil {
 		return nil, fmt.Errorf("could not find thread for thread %d", threadKey.EntityId)
 	}
-	threadInfo, ok := threadQueryAnswer["thread_info"].(datasource.ThreadInfo)
+	threadInfo, ok := threadQueryAnswer["thread_info"].(datasource.TimeRelevantInfo[datasource.ThreadInfo])
 	if !ok {
 		return nil, fmt.Errorf("could not extract info of thread %d", threadKey.EntityId)
 	}
 	return &threadInfo, nil
 }
 
 // GetEventThreadInfo get the information of the thread emitting the current event
-func (ptds *ProcessTreeDS) GetEventThreadInfo(eventObj trace.Event) (
-	*datasource.ThreadInfo, error,
+func (ptds *ProcessTreeDS) GetEventThreadInfo(eventObj *trace.Event) (
+	*datasource.TimeRelevantInfo[datasource.ThreadInfo], error,
 ) {
 	queryKey := datasource.ThreadKey{
 		EntityId: eventObj.ThreadEntityId,
@@ -67,23 +67,23 @@ func (ptds *ProcessTreeDS) GetEventThreadInfo(eventObj trace.Event) (
 
 // GetProcessInfo query the datasource for the information of a specific process.
 func (ptds *ProcessTreeDS) GetProcessInfo(processKey datasource.ProcKey) (
-	*datasource.ProcessInfo, error,
+	*datasource.TimeRelevantInfo[datasource.ProcessInfo], error,
 ) {
 	// Pick the process info from the data source
 	procQueryAnswer, err := ptds.ds.Get(processKey)
 	if err != nil {
 		return nil, fmt.Errorf("could not find process for process %d", processKey.EntityId)
 	}
-	procInfo, ok := procQueryAnswer["process_info"].(datasource.ProcessInfo)
+	procInfo, ok := procQueryAnswer["process_info"].(datasource.TimeRelevantInfo[datasource.ProcessInfo])
 	if !ok {
 		return nil, fmt.Errorf("could not extract info of process %d", processKey.EntityId)
 	}
 	return &procInfo, nil
 }
 
 // GetEventProcessInfo get the information of the process emitting the current event
-func (ptds *ProcessTreeDS) GetEventProcessInfo(eventObj trace.Event) (
-	*datasource.ProcessInfo, error,
+func (ptds *ProcessTreeDS) GetEventProcessInfo(eventObj *trace.Event) (
+	*datasource.TimeRelevantInfo[datasource.ProcessInfo], error,
 ) {
 	queryKey := datasource.ProcKey{
 		EntityId: eventObj.ProcessEntityId,
@@ -112,7 +112,7 @@ func (ptds *ProcessTreeDS) GetProcessLineage(lineageKey datasource.LineageKey) (
 // GetEventProcessLineage get the process lineage information of the process emitting the
 // current event.
 func (ptds *ProcessTreeDS) GetEventProcessLineage(
-	eventObj trace.Event,
+	eventObj *trace.Event,
 	maxDepth int,
 ) (*datasource.ProcessLineage, error) {
 	queryKey := datasource.LineageKey{