Merge pull request #426 from kubescape/fix/enricher_syscalls

Added syscalls consts
kubescape · Dec 5, 2024 · 293b090 · 293b090
2 parents addb2f0 + 39a27d8
commit 293b090
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 8 deletions.
diff --git a/pkg/containerwatcher/v1/consts.go b/pkg/containerwatcher/v1/consts.go
@@ -0,0 +1,13 @@
+package containerwatcher
+
+// The numbers can be arbitrary identifiers since they're not actually used for system calls,
+// so we don't need to handle other architecture specifically.
+const (
+	SYS_LINKAT    = 265
+	SYS_LINK      = 86
+	SYS_SYMLINKAT = 266
+	SYS_SYMLINK   = 88
+	SYS_OPEN      = 2
+	SYS_OPENAT    = 257
+	SYS_EXECVE    = 59
+)
diff --git a/pkg/containerwatcher/v1/exec.go b/pkg/containerwatcher/v1/exec.go
@@ -7,7 +7,6 @@ import (
 	tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types"
 	"github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 	events "github.com/kubescape/node-agent/pkg/ebpf/events"
-	"golang.org/x/sys/unix"
 )
 
 func (ch *IGContainerWatcher) execEventCallback(event *tracerexectype.Event) {
@@ -16,7 +15,7 @@ func (ch *IGContainerWatcher) execEventCallback(event *tracerexectype.Event) {
 	}
 
 	execEvent := &events.ExecEvent{Event: *event}
-	ch.enrichEvent(execEvent, []uint64{unix.SYS_EXECVE, unix.SYS_EXECVEAT})
+	ch.enrichEvent(execEvent, []uint64{SYS_EXECVE})
 
 	if event.Retval > -1 && event.Comm != "" {
 		ch.execWorkerChan <- execEvent

diff --git a/pkg/containerwatcher/v1/hardlink.go b/pkg/containerwatcher/v1/hardlink.go
@@ -5,7 +5,6 @@ import (
 
 	tracerhardlink "github.com/kubescape/node-agent/pkg/ebpf/gadgets/hardlink/tracer"
 	tracerhardlinktype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/hardlink/types"
-	"golang.org/x/sys/unix"
 
 	"github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 	"github.com/kubescape/go-logger"
@@ -22,7 +21,7 @@ func (ch *IGContainerWatcher) hardlinkEventCallback(event *tracerhardlinktype.Ev
 		return
 	}
 
-	ch.enrichEvent(event, []uint64{unix.SYS_LINK, unix.SYS_LINKAT})
+	ch.enrichEvent(event, []uint64{SYS_LINK, SYS_LINKAT})
 
 	ch.hardlinkWorkerChan <- event
 }

diff --git a/pkg/containerwatcher/v1/open.go b/pkg/containerwatcher/v1/open.go
@@ -7,7 +7,6 @@ import (
 	traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types"
 	"github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 	events "github.com/kubescape/node-agent/pkg/ebpf/events"
-	"golang.org/x/sys/unix"
 )
 
 func (ch *IGContainerWatcher) openEventCallback(event *traceropentype.Event) {
@@ -16,7 +15,7 @@ func (ch *IGContainerWatcher) openEventCallback(event *traceropentype.Event) {
 	}
 
 	openEvent := &events.OpenEvent{Event: *event}
-	ch.enrichEvent(openEvent, []uint64{unix.SYS_OPEN, unix.SYS_OPENAT})
+	ch.enrichEvent(openEvent, []uint64{SYS_OPEN, SYS_OPENAT})
 
 	if event.Err > -1 && event.FullPath != "" {
 		ch.openWorkerChan <- openEvent

diff --git a/pkg/containerwatcher/v1/symlink.go b/pkg/containerwatcher/v1/symlink.go
@@ -5,7 +5,6 @@ import (
 
 	tracersymlink "github.com/kubescape/node-agent/pkg/ebpf/gadgets/symlink/tracer"
 	tracersymlinktype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/symlink/types"
-	"golang.org/x/sys/unix"
 
 	"github.com/inspektor-gadget/inspektor-gadget/pkg/types"
 	"github.com/kubescape/go-logger"
@@ -17,7 +16,7 @@ func (ch *IGContainerWatcher) symlinkEventCallback(event *tracersymlinktype.Even
 		return
 	}
 
-	ch.enrichEvent(event, []uint64{unix.SYS_SYMLINK, unix.SYS_SYMLINKAT})
+	ch.enrichEvent(event, []uint64{SYS_SYMLINK, SYS_SYMLINKAT})
 
 	if isDroppedEvent(event.Type, event.Message) {
 		logger.L().Ctx(ch.ctx).Warning("symlink tracer got drop events - we may miss some realtime data", helpers.Interface("event", event), helpers.String("error", event.Message))