chore(events): export parse functions as a go module

go.mod

@@ -1,16 +1,15 @@
 module github.com/aquasecurity/tracee
 
-go 1.21
-
-toolchain go1.21.5
+go 1.21.6
 
 require (
 	github.com/IBM/fluent-forward-go v0.2.1
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4
 	github.com/aquasecurity/tracee/api v0.0.0-20240531131043-a237ddf7b190
+	github.com/aquasecurity/tracee/pkg/events/parsers v0.0.0
 	github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240122160245-67dec940088c
-	github.com/aquasecurity/tracee/types v0.0.0-20240122122429-7f84f526758d
+	github.com/aquasecurity/tracee/types v0.0.0-20240531175500-73839cfd71e6
 	github.com/containerd/containerd v1.7.14
 	github.com/docker/docker v24.0.9+incompatible
 	github.com/golang/protobuf v1.5.4
@@ -30,7 +29,7 @@ require (
 	github.com/urfave/cli/v2 v2.3.0
 	go.uber.org/goleak v1.3.0
 	go.uber.org/zap v1.25.0
-	golang.org/x/sys v0.18.0
+	golang.org/x/sys v0.20.0
 	google.golang.org/grpc v1.62.1
 	google.golang.org/protobuf v1.33.0
 	gopkg.in/yaml.v2 v2.4.0
@@ -73,6 +72,7 @@ require (
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-runewidth v0.0.10 // indirect
+	github.com/moby/moby v26.1.3+incompatible // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
@@ -104,7 +104,6 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gotest.tools/v3 v3.4.0 // indirect
 	k8s.io/apiextensions-apiserver v0.28.3 // indirect
 	k8s.io/component-base v0.28.3 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
@@ -179,3 +178,5 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	kernel.org/pub/linux/libs/security/libcap/psx v1.2.68 // indirect
 )
+
+replace github.com/aquasecurity/tracee/pkg/events/parsers => ./pkg/events/parsers

go.sum

@@ -29,8 +29,8 @@ github.com/aquasecurity/tracee/api v0.0.0-20240531131043-a237ddf7b190 h1:NJ69oea
 github.com/aquasecurity/tracee/api v0.0.0-20240531131043-a237ddf7b190/go.mod h1:jXLAr/iFkfaNTuNcdbx2blngdMD/qaAfxQe9rCL9jwk=
 github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240122160245-67dec940088c h1:Gms5lUHPIq+OpI5HjcZ+l0NZHhSwBd/47nyUZY89c+M=
 github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240122160245-67dec940088c/go.mod h1:SSh6X96P8pT/9B6eBl6ptBo8QnaSCNCZHMOZ1iXyPUw=
-github.com/aquasecurity/tracee/types v0.0.0-20240122122429-7f84f526758d h1:6CQjy5G6Cj/VKm8RP1uZnBZxDgfyGo15HfWFnYrkGro=
-github.com/aquasecurity/tracee/types v0.0.0-20240122122429-7f84f526758d/go.mod h1:J0f9nzJWrFmFgMoK0s4Yirfh82vfKMatXytd1YdfU2I=
+github.com/aquasecurity/tracee/types v0.0.0-20240531175500-73839cfd71e6 h1:2rCXNs7elaI1EWSyVNMsOmOMulnhcxSUQVY2ykgym+4=
+github.com/aquasecurity/tracee/types v0.0.0-20240531175500-73839cfd71e6/go.mod h1:J0f9nzJWrFmFgMoK0s4Yirfh82vfKMatXytd1YdfU2I=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
@@ -248,6 +248,8 @@ github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zx
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
+github.com/moby/moby v26.1.3+incompatible h1:gIzra6kadTUzPUZWpyUfkaLKymz9I8gANMB1NKk2pF0=
+github.com/moby/moby v26.1.3+incompatible/go.mod h1:fDXVQ6+S340veQPv35CzDahGBmHsiclFwfEygB/TWMc=
 github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
 github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
@@ -455,7 +457,6 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -466,8 +467,8 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
@@ -493,7 +494,6 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
@@ -558,8 +558,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
-gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
-gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
+gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
+gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 k8s.io/api v0.28.3 h1:Gj1HtbSdB4P08C8rs9AR94MfSGpRhJgsS+GF9V26xMM=

pkg/ebpf/events_pipeline.go

@@ -4,13 +4,17 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
+	"fmt"
 	"strconv"
 	"sync"
 	"unsafe"
 
+	bpf "github.com/aquasecurity/libbpfgo"
+
 	"github.com/aquasecurity/tracee/pkg/bufferdecoder"
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/events"
+	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/pkg/policy"
 	"github.com/aquasecurity/tracee/pkg/utils"
@@ -724,13 +728,30 @@ func (t *Tracee) handleError(err error) {
 // printers).
 func (t *Tracee) parseArguments(e *trace.Event) error {
 	if t.config.Output.ParseArguments {
-		err := events.ParseArgs(e)
+		err := parsers.ParseArgs(e)
 		if err != nil {
 			return errfmt.WrapError(err)
 		}
 
 		if t.config.Output.ParseArgumentsFDs {
-			return events.ParseArgsFDs(e, uint64(t.getOrigEvtTimestamp(e)), t.FDArgPathMap)
+			return ParseArgsFDs(e, uint64(t.getOrigEvtTimestamp(e)), t.FDArgPathMap)
+		}
+	}
+
+	return nil
+}
+
+func ParseArgsFDs(event *trace.Event, origTimestamp uint64, fdArgPathMap *bpf.BPFMap) error {
+	if fdArg := parsers.GetArg(event, "fd"); fdArg != nil {
+		if fd, isInt32 := fdArg.Value.(int32); isInt32 {
+			ts := origTimestamp
+			bs, err := fdArgPathMap.GetValue(unsafe.Pointer(&ts))
+			if err != nil {
+				return errfmt.WrapError(err)
+			}
+
+			fpath := string(bytes.Trim(bs, "\x00"))
+			fdArg.Value = fmt.Sprintf("%d=%s", fd, fpath)
 		}
 	}
 

pkg/ebpf/net_capture.go

@@ -9,6 +9,7 @@ import (
 	"github.com/google/gopacket/layers"
 
 	"github.com/aquasecurity/tracee/pkg/events"
+	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/types/trace"
 )
@@ -103,7 +104,7 @@ func (t *Tracee) processNetCapEvent(event *trace.Event) {
 
 		// sanity checks
 
-		payloadArg := events.GetArg(event, "payload")
+		payloadArg := parsers.GetArg(event, "payload")
 		if payloadArg == nil {
 			logger.Debugw("Network capture: no payload packet")
 			return

pkg/ebpf/processor_funcs.go

@@ -16,6 +16,7 @@ import (
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/pkg/events/parse"
+	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/pkg/filehash"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/pkg/utils"
@@ -102,7 +103,7 @@ func (t *Tracee) processReadEvent(event *trace.Event) error {
 
 // processKernelReadFile processes a security read event and changes the read type value.
 func processKernelReadFile(event *trace.Event) error {
-	readTypeArg := events.GetArg(event, "type")
+	readTypeArg := parsers.GetArg(event, "type")
 	readTypeInt, ok := readTypeArg.Value.(int32)
 	if !ok {
 		return errfmt.Errorf("missing argument %s in event %s", "type", event.EventName)
@@ -287,7 +288,7 @@ func (t *Tracee) processHookedProcFops(event *trace.Event) error {
 		}
 		hookedFops = append(hookedFops, trace.HookedSymbolData{SymbolName: functionName, ModuleOwner: hookingFunction.Owner})
 	}
-	err = events.SetArgValue(event, hookedFopsPointersArgName, hookedFops)
+	err = parsers.SetArgValue(event, hookedFopsPointersArgName, hookedFops)
 	if err != nil {
 		return err
 	}
@@ -326,15 +327,15 @@ func (t *Tracee) processPrintMemDump(event *trace.Event) error {
 		return errfmt.WrapError(err)
 	}
 	arch = string(bytes.TrimRight(utsName.Machine[:], "\x00"))
-	err = events.SetArgValue(event, "arch", arch)
+	err = parsers.SetArgValue(event, "arch", arch)
 	if err != nil {
 		return err
 	}
-	err = events.SetArgValue(event, "symbol_name", symbol.Name)
+	err = parsers.SetArgValue(event, "symbol_name", symbol.Name)
 	if err != nil {
 		return err
 	}
-	err = events.SetArgValue(event, "symbol_owner", symbol.Owner)
+	err = parsers.SetArgValue(event, "symbol_owner", symbol.Owner)
 	if err != nil {
 		return err
 	}
@@ -394,7 +395,7 @@ func (t *Tracee) processSchedProcessFork(event *trace.Event) error {
 // normalizeEventArgTime normalizes the event arg time to be relative to tracee start time or
 // current time.
 func (t *Tracee) normalizeEventArgTime(event *trace.Event, argName string) error {
-	arg := events.GetArg(event, argName)
+	arg := parsers.GetArg(event, argName)
 	if arg == nil {
 		return errfmt.Errorf("couldn't find argument %s of event %s", argName, event.EventName)
 	}

pkg/events/derive/net_packet_helpers.go

@@ -12,7 +12,7 @@ import (
 	"github.com/google/gopacket/layers"
 
 	"github.com/aquasecurity/tracee/pkg/dnscache"
-	"github.com/aquasecurity/tracee/pkg/events"
+	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/types/trace"
 )
@@ -82,7 +82,7 @@ func strToLower(given string) string {
 
 // parsePayloadArg returns the packet payload from the event.
 func parsePayloadArg(event *trace.Event) ([]byte, error) {
-	payloadArg := events.GetArg(event, "payload")
+	payloadArg := parsers.GetArg(event, "payload")
 	if payloadArg == nil {
 		return nil, noPayloadError()
 	}

pkg/events/parsers/data_parsers.go

@@ -8,9 +8,8 @@ import (
 	"strings"
 	"sync/atomic"
 
+	"github.com/moby/moby/pkg/parsers/kernel"
 	"golang.org/x/sys/unix"
-
-	"github.com/aquasecurity/tracee/pkg/utils/environment"
 )
 
 type SystemFunctionArgument interface {
@@ -264,7 +263,10 @@ func ParseOpenFlagArgument(rawValue uint64) (OpenFlagArgument, error) {
 	}
 
 	if len(f) == 0 {
-		return OpenFlagArgument{}, fmt.Errorf("no valid open flag values present in raw value: 0x%x", rawValue)
+		return OpenFlagArgument{}, fmt.Errorf(
+			"no valid open flag values present in raw value: 0x%x",
+			rawValue,
+		)
 	}
 
 	return OpenFlagArgument{rawValue: rawValue, stringValue: strings.Join(f, "|")}, nil
@@ -3262,7 +3264,7 @@ func ParseLegacyGUPFlags(rawValue uint64) LegacyGUPFlag {
 var currentOSGUPFlagsParse uint32
 var skipDetermineGUPFlagsFunc uint32
 
-const gupFlagsChangeVersion = "6.3.0"
+var gupFlagsChangeVersion, _ = kernel.ParseRelease("6.3.0")
 
 // ParseGUPFlagsCurrentOS parse the GUP flags received according to current machine OS version.
 // It uses optimizations to perform better than ParseGUPFlagsForOS
@@ -3272,21 +3274,14 @@ func ParseGUPFlagsCurrentOS(rawValue uint64) (SystemFunctionArgument, error) {
 		legacyParsing
 	)
 	if atomic.LoadUint32(&skipDetermineGUPFlagsFunc) == 0 {
-		osInfo, err := environment.GetOSInfo()
-		if err != nil {
-			return nil, fmt.Errorf("error getting current OS info - %s", err)
-		}
-		compare, err := osInfo.CompareOSBaseKernelRelease(gupFlagsChangeVersion)
+		currentVersion, err := kernel.GetKernelVersion()
 		if err != nil {
-			return nil, fmt.Errorf(
-				"error comparing OS versions to determine how to parse GUP flags - %s",
-				err,
-			)
+			return nil, fmt.Errorf("error getting current kernel version - %s", err)
 		}
-		if compare == environment.KernelVersionOlder {
-			atomic.StoreUint32(&currentOSGUPFlagsParse, legacyParsing)
-		} else {
+		if kernel.CompareKernelVersion(*currentVersion, *gupFlagsChangeVersion) >= 0 {
 			atomic.StoreUint32(&currentOSGUPFlagsParse, newVersionsParsing)
+		} else {
+			atomic.StoreUint32(&currentOSGUPFlagsParse, legacyParsing)
 		}
 		// Avoid doing this check in the future
 		atomic.StoreUint32(&skipDetermineGUPFlagsFunc, 1)
@@ -3305,19 +3300,17 @@ func ParseGUPFlagsCurrentOS(rawValue uint64) (SystemFunctionArgument, error) {
 }
 
 // ParseGUPFlagsForOS parse the GUP flags received according to given OS version.
-func ParseGUPFlagsForOS(osInfo *environment.OSInfo, rawValue uint64) (SystemFunctionArgument, error) {
-	compare, err := osInfo.CompareOSBaseKernelRelease(gupFlagsChangeVersion)
+func ParseGUPFlagsForOS(kernelVersion string, rawValue uint64) (
+	SystemFunctionArgument, error,
+) {
+	parsedVersion, err := kernel.ParseRelease(kernelVersion)
 	if err != nil {
-		return nil, fmt.Errorf(
-			"error comparing OS versions to determine how to parse GUP flags - %s",
-			err,
-		)
+		return nil, fmt.Errorf("error parsing given kernel version - %s", err)
 	}
-
-	if compare == environment.KernelVersionOlder {
-		return ParseLegacyGUPFlags(rawValue), nil
+	if kernel.CompareKernelVersion(*parsedVersion, *gupFlagsChangeVersion) >= 0 {
+		return ParseGUPFlags(rawValue), nil
 	}
-	return ParseGUPFlags(rawValue), nil
+	return ParseLegacyGUPFlags(rawValue), nil
 }
 
 // =====================================================
@@ -3589,3 +3582,47 @@ func ParseFsNotifyObjType(rawValue uint64) (FsNotifyObjType, error) {
 	}
 	return v, nil
 }
+
+// =====================================================
+
+// BpfAttachType is the type of probe the BPF program was attach to.
+// This type is not of the kernel, but unique to Tracee. It must match the
+// `bpf_attach_type_e` enum in the bpf code.
+type BpfAttachType struct {
+	rawValue    int32
+	stringValue string
+}
+
+var (
+	BPF_RAW_TRACEPOINT = BpfAttachType{rawValue: 0, stringValue: "raw_tracepoint"}
+	PERF_TRACEPOINT    = BpfAttachType{rawValue: 1, stringValue: "tracepoint"}
+	PERF_KPROBE        = BpfAttachType{rawValue: 2, stringValue: "kprobe"}
+	PERF_KRETPROBE     = BpfAttachType{rawValue: 3, stringValue: "kretprobe"}
+	PERF_UPROBE        = BpfAttachType{rawValue: 4, stringValue: "uprobe"}
+	PERF_URETPROBE     = BpfAttachType{rawValue: 5, stringValue: "uretprobe"}
+)
+
+var attachTypeMap = map[int32]BpfAttachType{
+	int32(BPF_RAW_TRACEPOINT.Value()): BPF_RAW_TRACEPOINT,
+	int32(PERF_TRACEPOINT.Value()):    PERF_TRACEPOINT,
+	int32(PERF_KPROBE.Value()):        PERF_KPROBE,
+	int32(PERF_KRETPROBE.Value()):     PERF_KRETPROBE,
+	int32(PERF_UPROBE.Value()):        PERF_UPROBE,
+	int32(PERF_URETPROBE.Value()):     PERF_URETPROBE,
+}
+
+func (attachType BpfAttachType) Value() uint64 {
+	return uint64(attachType.rawValue)
+}
+
+func (attachType BpfAttachType) String() string {
+	return attachType.stringValue
+}
+
+func ParseBpfAttachType(attachType int32) (BpfAttachType, error) {
+	v, ok := attachTypeMap[attachType]
+	if !ok {
+		return BpfAttachType{}, fmt.Errorf("not a valid argument: %d", attachType)
+	}
+	return v, nil
+}