[CWS] commonize ptrace process fields (#44759)

### What does this PR do?

### Motivation

### Describe how you validated your changes

### Additional Notes


Co-authored-by: sylvain.afchain <sylvain.afchain@datadoghq.com>

Author: safchain

pkg/security/generators/accessors/accessors.go

@@ -839,7 +839,7 @@ func newField(allFields map[string]*common.StructField, fieldName string, inputF
 		if field, ok := allFields[fieldPath]; ok {
 			if field.IsOrigTypePtr {
 				// process & exec context are set in the template
-				if !strings.HasPrefix(fieldName, "process.") && !strings.HasPrefix(fieldName, "exec.") && !strings.HasPrefix(fieldName, "exit.") {
+				if !strings.HasPrefix(fieldName, "process.") && !strings.HasPrefix(fieldName, "exec.") && !strings.HasPrefix(fieldName, "exit.") && !strings.HasPrefix(fieldName, "ptrace.") {
 					result += fmt.Sprintf("if ev.%s == nil { ev.%s = &%s{} }\n", field.Name, field.Name, field.OrigType)
 				}
 			} else if field.IsArray && fieldPath != inputField.Name {

pkg/security/generators/accessors/accessors.tmpl

@@ -344,8 +344,8 @@ func (ev *Event) SetFieldValue(field eval.Field, value interface{}) error {
 		mappedField = newField
 	}
 
-	if strings.HasPrefix(mappedField, "process.") || strings.HasPrefix(mappedField, "exec.") || strings.HasPrefix(mappedField, "exit.") {
-		ev.initProcess()
+	if strings.HasPrefix(mappedField, "process.") || strings.HasPrefix(mappedField, "exec.") || strings.HasPrefix(mappedField, "exit.") || strings.HasPrefix(mappedField, "ptrace.") {
+		ev.initPointerFields()
 	}
 
 	switch mappedField {

pkg/security/secl/model/accessors_helpers.go

@@ -30,7 +30,7 @@ func (ev *Event) GetFieldValue(field eval.Field) (interface{}, error) {
 	return value, nil
 }
 
-func (ev *Event) initProcess() {
+func (ev *Event) initPointerFields() {
 	if ev.BaseEvent.ProcessContext == nil {
 		ev.BaseEvent.ProcessContext = &ProcessContext{}
 	}
@@ -42,6 +42,9 @@ func (ev *Event) initProcess() {
 	}
 
 	ev.initProcessEventTypes()
+
+	// init platform specific pointer fields
+	ev.initPlatformPointerFields()
 }
 
 // nolint: unused

pkg/security/secl/model/accessors_unix.go

@@ -126,6 +126,14 @@ func TestSetFieldValue(t *testing.T) {
 	for _, field := range event.GetFields() {
 		// use a fresh event to not get polluted by previous SetFieldValue
 		event = NewFakeEvent()
+		eventType, _, _, _, err := event.GetFieldMetadata(field)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if evt, _ := ParseEvalEventType(eventType); evt != UnknownEventType {
+			event.Type = uint32(evt)
+		}
 
 		_, kind, _, _, err := event.GetFieldMetadata(field)
 		if err != nil {

pkg/security/secl/model/accessors_windows.go

@@ -1100,3 +1100,17 @@ type TracerMemfdSealEvent struct {
 	SyscallEvent
 	Fd uint32
 }
+
+func (e *Event) initPlatformPointerFields() {
+	if e.GetEventType() == PTraceEventType {
+		if e.PTrace.Tracee == nil {
+			e.PTrace.Tracee = &ProcessContext{}
+		}
+		if e.PTrace.Tracee.Ancestor == nil {
+			e.PTrace.Tracee.Ancestor = &ProcessCacheEntry{}
+		}
+		if e.PTrace.Tracee.Parent == nil {
+			e.PTrace.Tracee.Parent = &e.PTrace.Tracee.Ancestor.ProcessContext.Process
+		}
+	}
+}

pkg/security/secl/model/model_test.go

@@ -258,3 +258,5 @@ func (pc *ProcessCacheEntry) Hash() eval.ScopeHashKey {
 func (pc *ProcessCacheEntry) ParentScope() (eval.VariableScope, bool) {
 	return pc.Ancestor, pc.Ancestor != nil
 }
+
+func (e *Event) initPlatformPointerFields() {}