feat(events): parse access_remote_vm args

Parse vm and gup flags arguments of access_remote_vm.

pkg/events/parse_args.go

@@ -4,12 +4,14 @@ import (
  "bytes"
  "fmt"
  "strconv"
+ "sync"
  "unsafe"
 
  bpf "github.com/aquasecurity/libbpfgo"
  "github.com/aquasecurity/libbpfgo/helpers"
 
  "github.com/aquasecurity/tracee/pkg/errfmt"
+ "github.com/aquasecurity/tracee/pkg/logger"
  "github.com/aquasecurity/tracee/types/trace"
 )
 
@@ -280,7 +282,7 @@ func ParseArgs(event *trace.Event) error {
  case AccessRemoteVm:
  if gupFlagsArg := GetArg(event, "gup_flags"); gupFlagsArg != nil {
  if gupFlags, isUint := gupFlagsArg.Value.(uint32); isUint {
- parsedGupFlags := helpers.ParseGUPFlags(uint64(gupFlags))
+ parsedGupFlags := parseGUPFlags(uint64(gupFlags))
  parseOrEmptyString(gupFlagsArg, parsedGupFlags, nil)
  }
  }
@@ -295,6 +297,34 @@ func ParseArgs(event *trace.Event) error {
  return nil
 }
 
+var useLegacyGUPFlagsParse bool
+var determineGUPFlags sync.Once
+
+// Use the correct parsing function according to OS version to parse GUP flags
+func parseGUPFlags(gupFlagsVal uint64) helpers.SystemFunctionArgument {
+ determineGUPFlags.Do(func() {
+ osInfo, err := helpers.GetOSInfo()
+ if err != nil {
+ logger.Errorw("missing osinfo to determine how to parse GUP flags", "error", err)
+ return
+ }
+ compare, err := osInfo.CompareOSBaseKernelRelease("6.3.0")
+ if err != nil {
+ logger.Errorw("error comparing versions to determine how to parse GUP flags", "error", err)
+ return
+ }
+ if compare == helpers.KernelVersionOlder {
+ useLegacyGUPFlagsParse = true
+ }
+ })
+
+ if useLegacyGUPFlagsParse {
+ return helpers.ParseLegacyGUPFlags(gupFlagsVal)
+ } else {
+ return helpers.ParseGUPFlags(gupFlagsVal)
+ }
+}
+
 func ParseArgsFDs(event *trace.Event, fdArgPathMap *bpf.BPFMap) error {
  if fdArg := GetArg(event, "fd"); fdArg != nil {
  if fd, isInt32 := fdArg.Value.(int32); isInt32 {