argument parsers improvements

pkg/bufferdecoder/eventsreader.go

@@ -255,9 +255,9 @@ func readSockaddrFromBuff(ebpfMsgDecoder *EbpfDecoder) (map[string]string, error
 	}
 	socketDomainArg, err := parsers.ParseSocketDomainArgument(uint64(family))
 	if err != nil {
-		socketDomainArg = parsers.AF_UNSPEC
+		socketDomainArg = parsers.AF_UNSPEC.String()
 	}
-	res["sa_family"] = socketDomainArg.String()
+	res["sa_family"] = socketDomainArg
 	switch family {
 	case 1: // AF_UNIX
 		/*

pkg/events/parse_args.go

@@ -23,7 +23,8 @@ func ParseArgs(event *trace.Event) error {
 		}
 	}
 
-	switch ID(event.EventID) {
+	evtID := ID(event.EventID)
+	switch evtID {
 	case MemProtAlert:
 		if alertArg := GetArg(event, "alert"); alertArg != nil {
 			if alert, isUint32 := alertArg.Value.(uint32); isUint32 {
@@ -83,8 +84,8 @@ func ParseArgs(event *trace.Event) error {
 		}
 	case Prctl:
 		if optArg := GetArg(event, "option"); optArg != nil {
-			if opt, isInt32 := optArg.Value.(int32); isInt32 {
-				parsePrctlOption(optArg, uint64(opt))
+			if option, isInt32 := optArg.Value.(int32); isInt32 {
+				parsePrctlOption(optArg, uint64(option))
 			}
 		}
 	case Socketcall:
@@ -115,16 +116,27 @@ func ParseArgs(event *trace.Event) error {
 				parseSocketType(typeArg, uint64(typ))
 			}
 		}
-	case Access, Faccessat:
+	case Access:
 		if modeArg := GetArg(event, "mode"); modeArg != nil {
 			if mode, isInt32 := modeArg.Value.(int32); isInt32 {
 				parseAccessMode(modeArg, uint64(mode))
 			}
 		}
+	case Faccessat:
+		if modeArg := GetArg(event, "mode"); modeArg != nil {
+			if mode, isInt32 := modeArg.Value.(int32); isInt32 {
+				parseAccessMode(modeArg, uint64(mode))
+			}
+		}
+		if flagsArg := GetArg(event, "flags"); flagsArg != nil {
+			if flags, isInt32 := flagsArg.Value.(int32); isInt32 {
+				parseFaccessatFlag(flagsArg, uint64(flags))
+			}
+		}
 	case Execveat:
 		if flagsArg := GetArg(event, "flags"); flagsArg != nil {
 			if flags, isInt32 := flagsArg.Value.(int32); isInt32 {
-				parseExecFlag(flagsArg, uint64(flags))
+				parseExecveatFlag(flagsArg, uint64(flags))
 			}
 		}
 	case Open, Openat, SecurityFileOpen:
@@ -139,6 +151,13 @@ func ParseArgs(event *trace.Event) error {
 				parseInodeMode(modeArg, uint64(mode))
 			}
 		}
+		if evtID == Fchmodat {
+			if flagsArg := GetArg(event, "flags"); flagsArg != nil {
+				if flags, isInt32 := flagsArg.Value.(int32); isInt32 {
+					parseFchmodatFlag(flagsArg, uint64(flags))
+				}
+			}
+		}
 	case Clone:
 		if flagsArg := GetArg(event, "flags"); flagsArg != nil {
 			if flags, isUint64 := flagsArg.Value.(uint64); isUint64 {
@@ -257,6 +276,12 @@ func ParseArgsFDs(event *trace.Event, origTimestamp uint64, fdArgPathMap *bpf.BP
 		}
 	}
 
+	if dirfdArg := GetArg(event, "dirfd"); dirfdArg != nil {
+		if dirfd, isInt32 := dirfdArg.Value.(int32); isInt32 {
+			parseDirfdAt(dirfdArg, uint64(dirfd))
+		}
+	}
+
 	return nil
 }
 

pkg/events/parse_args_helpers.go

@@ -3,11 +3,21 @@ package events
 import (
 	"strconv"
 
+	"golang.org/x/sys/unix"
+
 	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/types/trace"
 )
 
+func parseDirfdAt(arg *trace.Argument, dirfd uint64) {
+	if int32(dirfd) == unix.AT_FDCWD {
+		arg.Type = "string"
+		arg.Value = "AT_FDCWD"
+		return
+	}
+}
+
 func parseMMapProt(arg *trace.Argument, prot uint64) {
 	mmapProtArgument := parsers.ParseMmapProt(prot)
 	arg.Type = "string"
@@ -21,7 +31,7 @@ func parseSocketDomainArgument(arg *trace.Argument, domain uint64) {
 		arg.Value = strconv.FormatUint(domain, 10)
 		return
 	}
-	arg.Value = socketDomainArgument.String()
+	arg.Value = socketDomainArgument
 }
 
 func parseSocketType(arg *trace.Argument, typ uint64) {
@@ -61,7 +71,7 @@ func parseCapability(arg *trace.Argument, capability uint64) {
 		arg.Value = strconv.FormatUint(capability, 10)
 		return
 	}
-	arg.Value = capabilityFlagArgument.String()
+	arg.Value = capabilityFlagArgument
 }
 
 func parseMemProtAlert(arg *trace.Argument, alert uint32) {
@@ -93,17 +103,17 @@ func parsePtraceRequestArgument(arg *trace.Argument, req uint64) {
 		arg.Value = strconv.FormatUint(req, 10)
 		return
 	}
-	arg.Value = ptraceRequestArgument.String()
+	arg.Value = ptraceRequestArgument
 }
 
-func parsePrctlOption(arg *trace.Argument, opt uint64) {
+func parsePrctlOption(arg *trace.Argument, option uint64) {
 	arg.Type = "string"
-	prctlOptionArgument, err := parsers.ParsePrctlOption(opt)
+	prctlOptionArgument, err := parsers.ParsePrctlOption(option)
 	if err != nil {
-		arg.Value = strconv.FormatUint(opt, 10)
+		arg.Value = strconv.FormatUint(option, 10)
 		return
 	}
-	arg.Value = prctlOptionArgument.String()
+	arg.Value = prctlOptionArgument
 }
 
 func parseSocketcallCall(arg *trace.Argument, call uint64) {
@@ -113,7 +123,7 @@ func parseSocketcallCall(arg *trace.Argument, call uint64) {
 		arg.Value = strconv.FormatUint(call, 10)
 		return
 	}
-	arg.Value = socketCallArgument.String()
+	arg.Value = socketCallArgument
 }
 
 func parseAccessMode(arg *trace.Argument, mode uint64) {
@@ -123,17 +133,37 @@ func parseAccessMode(arg *trace.Argument, mode uint64) {
 		arg.Value = strconv.FormatUint(mode, 10)
 		return
 	}
-	arg.Value = accessModeArgument.String()
+	arg.Value = accessModeArgument
+}
+
+func parseFaccessatFlag(arg *trace.Argument, flags uint64) {
+	arg.Type = "string"
+	faccessatFlagArgument, err := parsers.ParseFaccessatFlag(flags)
+	if err != nil {
+		arg.Value = strconv.FormatUint(flags, 10)
+		return
+	}
+	arg.Value = faccessatFlagArgument
+}
+
+func parseFchmodatFlag(arg *trace.Argument, flags uint64) {
+	arg.Type = "string"
+	fchmodatFlagArgument, err := parsers.ParseFchmodatFlag(flags)
+	if err != nil {
+		arg.Value = strconv.FormatUint(flags, 10)
+		return
+	}
+	arg.Value = fchmodatFlagArgument
 }
 
-func parseExecFlag(arg *trace.Argument, flags uint64) {
+func parseExecveatFlag(arg *trace.Argument, flags uint64) {
 	arg.Type = "string"
-	execFlagArgument, err := parsers.ParseExecFlag(flags)
+	execFlagArgument, err := parsers.ParseExecveatFlag(flags)
 	if err != nil {
 		arg.Value = strconv.FormatUint(flags, 10)
 		return
 	}
-	arg.Value = execFlagArgument.String()
+	arg.Value = execFlagArgument
 }
 
 func parseOpenFlagArgument(arg *trace.Argument, flags uint64) {
@@ -143,7 +173,7 @@ func parseOpenFlagArgument(arg *trace.Argument, flags uint64) {
 		arg.Value = strconv.FormatUint(flags, 10)
 		return
 	}
-	arg.Value = openFlagArgument.String()
+	arg.Value = openFlagArgument
 }
 
 func parseCloneFlags(arg *trace.Argument, flags uint64) {
@@ -153,7 +183,7 @@ func parseCloneFlags(arg *trace.Argument, flags uint64) {
 		arg.Value = strconv.FormatUint(flags, 10)
 		return
 	}
-	arg.Value = cloneFlagArgument.String()
+	arg.Value = cloneFlagArgument
 }
 
 func parseBPFCmd(arg *trace.Argument, cmd uint64) {
@@ -163,7 +193,7 @@ func parseBPFCmd(arg *trace.Argument, cmd uint64) {
 		arg.Value = strconv.FormatUint(cmd, 10)
 		return
 	}
-	arg.Value = bpfCommandArgument.String()
+	arg.Value = bpfCommandArgument
 }
 
 func parseSocketLevel(arg *trace.Argument, level uint64) {

pkg/events/parse_args_helpers_test.go

@@ -24,7 +24,7 @@ func TestParseArgsHelpers(t *testing.T) {
 	TestParsePrctlOption(t)
 	TestParseSocketcallCall(t)
 	TestParseAccessMode(t)
-	TestParseExecFlag(t)
+	TestParseExecveatFlag(t)
 	TestParseOpenFlagArgument(t)
 	TestParseCloneFlags(t)
 	TestParseBPFCmd(t)
@@ -755,7 +755,7 @@ func TestParseAccessMode(t *testing.T) {
 						Name: "mode",
 						Type: "string",
 					},
-					Value: "R_OK|W_OK|X_OK",
+					Value: "X_OK|W_OK|R_OK",
 				},
 			},
 		},
@@ -776,7 +776,7 @@ func TestParseAccessMode(t *testing.T) {
 		})
 	}
 }
-func TestParseExecFlag(t *testing.T) {
+func TestParseExecveatFlag(t *testing.T) {
 	testCases := []struct {
 		name         string
 		args         []trace.Argument
@@ -833,7 +833,7 @@ func TestParseExecFlag(t *testing.T) {
 			event := &trace.Event{
 				Args: testCase.args,
 			}
-			parseExecFlag(GetArg(event, "flags"), testCase.args[0].Value.(uint64))
+			parseExecveatFlag(GetArg(event, "flags"), testCase.args[0].Value.(uint64))
 			for _, expArg := range testCase.expectedArgs {
 				arg := GetArg(event, expArg.Name)
 				assert.Equal(t, expArg, *arg)