Merge pull request #73 from kubescape/feature/upper-layer

Feature/upper layer

Author: slashben

etc/app-profile.crd.yaml

@@ -61,6 +61,8 @@ spec:
                               type: string
                           path:
                             type: string
+                          upperLayer:
+                            type: boolean
                     name:
                       type: string
                     opens:

pkg/collector/collector.go

@@ -338,9 +338,10 @@ func (cm *CollectorManager) CollectContainerEvents(id *ContainerId) {
 			// Check if execve event is already in container profile or if it has no path name (Some execve events do not have a path name).
 			if !execEventExists(event, containerProfile.Execs) || event.PathName == "" {
 				containerProfile.Execs = append(containerProfile.Execs, ExecCalls{
-					Path: event.PathName,
-					Args: event.Args,
-					Envs: event.Env,
+					Path:       event.PathName,
+					UpperLayer: event.UpperLayer,
+					Args:       event.Args,
+					Envs:       event.Env,
 				})
 			}
 		}
@@ -571,7 +572,7 @@ func (cm *CollectorManager) mergeApplicationProfiles(existingApplicationProfile
 			// Merge execve events
 			filteredExecs := []ExecCalls{}
 			for _, exec := range containerProfile.Execs {
-				if !execEventExists(&tracing.ExecveEvent{PathName: exec.Path, Args: exec.Args, Env: exec.Envs}, existingContainer.Execs) {
+				if !execEventExists(&tracing.ExecveEvent{PathName: exec.Path, UpperLayer: exec.UpperLayer, Args: exec.Args, Env: exec.Envs}, existingContainer.Execs) {
 					filteredExecs = append(filteredExecs, exec)
 				}
 			}
@@ -768,7 +769,7 @@ func (cm *CollectorManager) OnContainerActivityEvent(event *tracing.ContainerAct
 
 func execEventExists(execEvent *tracing.ExecveEvent, execCalls []ExecCalls) bool {
 	for _, call := range execCalls {
-		if execEvent.PathName == call.Path && slices.Equal(execEvent.Args, call.Args) && slices.Equal(execEvent.Env, call.Envs) {
+		if execEvent.PathName == call.Path && slices.Equal(execEvent.Args, call.Args) && slices.Equal(execEvent.Env, call.Envs) && execEvent.UpperLayer == call.UpperLayer {
 			return true
 		}
 	}

pkg/collector/types.go

@@ -6,9 +6,10 @@ import (
 )
 
 type ExecCalls struct {
-	Path string   `json:"path" yaml:"path"`
-	Args []string `json:"args" yaml:"args"`
-	Envs []string `json:"envs" yaml:"envs"`
+	Path       string   `json:"path" yaml:"path"`
+	UpperLayer bool     `json:"upperLayer" yaml:"upperLayer"`
+	Args       []string `json:"args" yaml:"args"`
+	Envs       []string `json:"envs" yaml:"envs"`
 }
 
 type NetworkCalls struct {

pkg/tracing/events.go

@@ -58,9 +58,10 @@ type GeneralEvent struct {
 type ExecveEvent struct {
 	GeneralEvent
 
-	PathName string
-	Args     []string
-	Env      []string
+	PathName   string
+	UpperLayer bool
+	Args       []string
+	Env        []string
 }
 
 type OpenEvent struct {

pkg/tracing/ig.go

@@ -408,9 +408,10 @@ func (t *Tracer) execEventCallback(event *tracerexectype.Event) {
 				Timestamp:     int64(event.Timestamp),
 				EventType:     ExecveEventType,
 			},
-			PathName: event.Args[0],
-			Args:     event.Args[1:],
-			Env:      []string{},
+			PathName:   event.Args[0],
+			UpperLayer: event.UpperLayer,
+			Args:       event.Args[1:],
+			Env:        []string{},
 		}
 		for _, eventSink := range t.eventSinks {
 			eventSink.SendExecveEvent(execveEvent)