
Feature/virtual mem flags parse

Open AlonZivony opened this issue 1 year ago • 4 comments

1. Explain what the PR does

feat(events): parse access_remote_vm args

Parse vm and gup flags arguments of access_remote_vm.

2. Explain how to test it

3. Other comments

AlonZivony, Oct 24 '23 15:10

@rafaeldtinoco can you tell me your opinion on the last commit?

AlonZivony, Oct 24 '23 15:10

The first commit is already being rebased/reviewed in another PR. The last commit is about the flags parsing, and I think we should do the version distinction inside the helper package with a generic function that opts for one or the other (or something similar).

The problem with this approach is that you don't know how the user wants to use the API. If this library is used to parse the flag on a different machine than the one it was traced on, then the function will return the wrong flag. So I think the current API is good, but we can add a function ParseGUPFlagsCurrentOS with the logic I have here.

AlonZivony, Nov 14 '23 11:11

If this library is used to parse the flag on a different machine than the one it was traced on, then the function will return the wrong flag.

You're probably thinking about analyze mode. In that case, we're also missing OSInfo information from the running environment, no? Thinking about it, as said previously, I believe we should add metadata to the output file (which would include information about the running environment). And more on that, if that is true, then the function from the helper should accept a "current running version" argument and decide by itself.

Either way, I think the decision to parse legacy or not should be delegated to the helper itself. ParseCurrent or ParseSpecific(version) or anything like it, up to you.

rafaeldtinoco, Nov 14 '23 11:11
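The design the two comments above converge on (an explicit legacy/current choice in the helper, plus a version-driven wrapper so that events traced on one kernel can be decoded on another) can be sketched as follows. This is an added example and not tracee's code or its helper API; the function names ParseGUPFlags, ParseGUPFlagsForKernel and ParseKernelVersion are hypothetical, the flag bit tables are transcribed from memory of include/linux/mm.h and must be checked against the traced kernel's headers, and the assumption that the GUP flags were renumbered into a 1<<n enum starting with 6.3 should be confirmed against kernel history before being relied on. The point it makes is the one raised in the thread: the same raw value decodes to different flag names under the two layouts, and FOLL_FORCE versus FOLL_NOWAIT is exactly the kind of difference a detection on access_remote_vm cares about, since FOLL_FORCE|FOLL_WRITE on a remote mm is how ptrace pokes into another process's read-only mappings.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// KernelVersion holds the major.minor pair that decides which flag layout applies.
type KernelVersion struct {
	Major, Minor int
}

// ParseKernelVersion extracts major.minor from a uname -r style string such as
// "6.2.0-39-generic"; whatever follows the minor number's digits is ignored.
func ParseKernelVersion(s string) (KernelVersion, error) {
	parts := strings.SplitN(s, ".", 3)
	if len(parts) < 2 {
		return KernelVersion{}, fmt.Errorf("kernel version %q has no minor number", s)
	}
	major, err := strconv.Atoi(parts[0])
	if err != nil {
		return KernelVersion{}, fmt.Errorf("kernel version %q: bad major: %w", s, err)
	}
	i := 0
	for i < len(parts[1]) && parts[1][i] >= '0' && parts[1][i] <= '9' {
		i++
	}
	minor, err := strconv.Atoi(parts[1][:i])
	if err != nil {
		return KernelVersion{}, fmt.Errorf("kernel version %q: bad minor: %w", s, err)
	}
	return KernelVersion{Major: major, Minor: minor}, nil
}

// AtLeast reports whether v is greater than or equal to o.
func (v KernelVersion) AtLeast(o KernelVersion) bool {
	if v.Major != o.Major {
		return v.Major > o.Major
	}
	return v.Minor >= o.Minor
}

type flagBit struct {
	value uint64
	name  string
}

// Both tables are illustrative (transcribed from memory of include/linux/mm.h);
// verify every value against the headers of the kernel the event was traced on.
// Legacy layout: hand-assigned hex values used up to the renumbering.
var gupFlagsLegacy = []flagBit{
	{0x01, "FOLL_WRITE"}, {0x02, "FOLL_TOUCH"}, {0x04, "FOLL_GET"},
	{0x08, "FOLL_DUMP"}, {0x10, "FOLL_FORCE"}, {0x20, "FOLL_NOWAIT"},
	{0x100, "FOLL_HWPOISON"}, {0x2000, "FOLL_REMOTE"}, {0x8000, "FOLL_ANON"},
	{0x10000, "FOLL_LONGTERM"}, {0x20000, "FOLL_SPLIT_PMD"}, {0x40000, "FOLL_PIN"},
}

// Renumbered layout: the 1<<n enum, with several private flags moved out of the header.
var gupFlagsRenumbered = []flagBit{
	{1 << 0, "FOLL_WRITE"}, {1 << 1, "FOLL_GET"}, {1 << 2, "FOLL_DUMP"},
	{1 << 3, "FOLL_FORCE"}, {1 << 4, "FOLL_NOWAIT"}, {1 << 5, "FOLL_NOFAULT"},
	{1 << 6, "FOLL_HWPOISON"}, {1 << 7, "FOLL_ANON"}, {1 << 8, "FOLL_LONGTERM"},
	{1 << 9, "FOLL_SPLIT_PMD"}, {1 << 10, "FOLL_PCI_P2PDMA"}, {1 << 11, "FOLL_INTERRUPTIBLE"},
}

// gupRenumberedSince is assumed to be 6.3; confirm against kernel history before relying on it.
var gupRenumberedSince = KernelVersion{Major: 6, Minor: 3}

// ParseGUPFlags decodes a raw flags value under an explicitly chosen layout. Bits that are
// not in the chosen table are reported as UNKNOWN(0x..) rather than dropped, so a decode
// done with the wrong layout shows up as odd output instead of a silently wrong name.
func ParseGUPFlags(flags uint64, legacy bool) []string {
	table := gupFlagsRenumbered
	if legacy {
		table = gupFlagsLegacy
	}
	var names []string
	remaining := flags
	for _, fb := range table {
		if flags&fb.value != 0 {
			names = append(names, fb.name)
			remaining &^= fb.value
		}
	}
	for bit := uint(0); bit < 64; bit++ {
		if remaining&(uint64(1)<<bit) != 0 {
			names = append(names, fmt.Sprintf("UNKNOWN(0x%x)", uint64(1)<<bit))
		}
	}
	return names
}

// ParseGUPFlagsForKernel picks the layout from the version of the kernel that produced the
// event, not the kernel running the decoder, which is what makes offline analysis correct.
func ParseGUPFlagsForKernel(flags uint64, traced KernelVersion) []string {
	return ParseGUPFlags(flags, !traced.AtLeast(gupRenumberedSince))
}

func main() {
	// Constructed sample: raw value 0x11 as a probe on access_remote_vm would report it.
	const raw = uint64(0x11)
	for _, uname := range []string{"6.2.0-39-generic", "6.5.0-14-generic"} {
		v, err := ParseKernelVersion(uname)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-18s gup_flags=0x%x -> %s\n", uname, raw,
			strings.Join(ParseGUPFlagsForKernel(raw, v), "|"))
	}
}
```

Run as is, the same 0x11 prints as FOLL_WRITE|FOLL_FORCE for the 6.2 kernel and FOLL_WRITE|FOLL_NOWAIT for the 6.5 one, which is the mislabel the thread is trying to avoid; a "current OS" wrapper in the style of ParseGUPFlagsCurrentOS would simply feed uname's release string into ParseKernelVersion and call ParseGUPFlagsForKernel.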

We have this update https://github.com/aquasecurity/tracee/pull/3875

Please rebase your PR against main to make use of the new workflow setup.

geyslan, Feb 21 '24 11:02