Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Process
type Process struct {
ProcessVisible
EBPFMeta
User
Group
// Name (proc/[pid]/comm)
// This file exposes the process's comm value—that is, the
// command name associated with the process.
Name string
// CommandLine (/proc/[pid]/cmdline)
// This read-only file holds the complete command line for
// the process, unless the process is a zombie. In the
// latter case, there is nothing in this file: that is, a
// read on this file will return 0 characters
CommandLine string
// EBPF is an xpid-specific field that attempts to detect
// whether a specific PID is running any eBPF-related probes or maps.
//
// Will be set to true if eBPF is detected.
EBPF bool
// Container is an xpid-specific field that attempts to detect
// whether a specific PID is running inside a container.
//
// Will be set to true if we suspect this is a container PID.
Container bool
// Thread is a bool that will be set if the process is part of
// a thread pool, or has a TGID that differs from its PID.
//
// Read from /proc/[pid]/status.
Thread bool
// The process's unique ID.
PID int64
}
Process is a Linux process abstraction. By design this will have fields that are available in /proc and much more.
Some of these fields will be calculated at runtime based on certain situations in the system.
This data structure and the logic that populates it will be a substantial part of the xpid library, and the xpid API.
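The following is an added example, not code from the xpid library, showing how the Name, CommandLine and Thread fields described above can be populated from /proc: comm is read as-is, cmdline is split on its NUL separators (a zombie's cmdline reads as zero bytes), and Thread is derived by comparing the Tgid and Pid lines of /proc/[pid]/status. The ProcInfo type and the function names are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// ProcInfo is a hypothetical, reduced stand-in for xpid's Process type,
// holding only the fields this example populates.
type ProcInfo struct {
	PID         int64
	Name        string // /proc/[pid]/comm
	CommandLine string // /proc/[pid]/cmdline, arguments joined by spaces
	Thread      bool   // Tgid != Pid in /proc/[pid]/status
}

// ParseCmdline converts the NUL-separated contents of /proc/[pid]/cmdline
// into one space-joined string. A zombie's cmdline reads as 0 bytes, so an
// empty input yields "" rather than an error.
func ParseCmdline(raw []byte) string {
	raw = bytes.TrimRight(raw, "\x00")
	if len(raw) == 0 {
		return ""
	}
	return strings.Join(strings.Split(string(raw), "\x00"), " ")
}

// ParseStatusIDs extracts the Pid and Tgid values from the text of
// /proc/[pid]/status and fails if either line is missing or malformed.
func ParseStatusIDs(status string) (pid, tgid int64, err error) {
	found := 0
	for _, line := range strings.Split(status, "\n") {
		key, val, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		val = strings.TrimSpace(val)
		switch key {
		case "Pid":
			pid, err = strconv.ParseInt(val, 10, 64)
			found++
		case "Tgid":
			tgid, err = strconv.ParseInt(val, 10, 64)
			found++
		default:
			continue
		}
		if err != nil {
			return 0, 0, fmt.Errorf("bad %s line %q: %w", key, line, err)
		}
	}
	if found != 2 {
		return 0, 0, fmt.Errorf("status text is missing a Pid or Tgid line")
	}
	return pid, tgid, nil
}

// IsThread reports whether a /proc/[pid] entry is a thread rather than a
// thread-group leader: its Tgid differs from its Pid.
func IsThread(pid, tgid int64) bool {
	return pid != tgid
}

// ReadProcInfo fills a ProcInfo for a live PID by reading /proc.
func ReadProcInfo(pid int64) (ProcInfo, error) {
	base := fmt.Sprintf("/proc/%d", pid)
	comm, err := os.ReadFile(base + "/comm")
	if err != nil {
		return ProcInfo{}, err
	}
	cmdline, err := os.ReadFile(base + "/cmdline")
	if err != nil {
		return ProcInfo{}, err
	}
	status, err := os.ReadFile(base + "/status")
	if err != nil {
		return ProcInfo{}, err
	}
	p, tgid, err := ParseStatusIDs(string(status))
	if err != nil {
		return ProcInfo{}, err
	}
	return ProcInfo{
		PID:         pid,
		Name:        strings.TrimSpace(string(comm)),
		CommandLine: ParseCmdline(cmdline),
		Thread:      IsThread(p, tgid),
	}, nil
}

func main() {
	// Inspect the running process itself; on Linux its /proc entry always exists.
	info, err := ReadProcInfo(int64(os.Getpid()))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", info)
}
```

The parsers take raw text so they can be exercised against constructed status and cmdline contents without a live process; ReadProcInfo is the only part that touches the filesystem.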
func ProcessPID
type ProcessVisible
type ProcessVisible struct {
// Opendir is whether the /proc/[pid] directory can be "opened" or "listed".
// Failing opendir is a sign that something may be trying to hide the
// process from the user at runtime.
Opendir int
// Chdir is whether the /proc/[pid] directory can be "navigated" or "changed to".
// Failing chdir is a sign that the current user lacks permission,
// or that something in the kernel is preventing the user from opening the directory.
Chdir int
// After opendir we check whether we can "list" files inside the directory.
// This call happens at a higher level and checks whether a directory
// within /proc can be found by opening its parent directory for listing.
//
// In this case /proc is typically opened, and then the pid directories are
// matched against the listing!
Dent int
}
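An added example, not the xpid project's own code, that performs the three checks ProcessVisible describes for one PID and records the errno of each: open /proc/[pid], chdir into it, then list /proc itself and look for the pid among the directory entries. The Visibility type, the errno encoding (0 for success, the errno otherwise) and the Suspicious rule are assumptions for this example; xpid's own field semantics may differ.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"syscall"
)

// Visibility records the three checks: 0 means the check passed, otherwise
// the errno the kernel returned (-1 if the error carried no errno). This
// type is constructed for the example, not taken from xpid.
type Visibility struct {
	Opendir int // could /proc/[pid] be opened?
	Chdir   int // could we chdir into /proc/[pid]?
	Dent    int // does [pid] appear when /proc itself is listed?
}

// errnoOf unwraps an os error down to its syscall.Errno value.
func errnoOf(err error) int {
	if err == nil {
		return 0
	}
	var en syscall.Errno
	if errors.As(err, &en) {
		return int(en)
	}
	return -1
}

// CheckOpendir opens /proc/[pid] as a directory and closes it again.
func CheckOpendir(pid int64) int {
	f, err := os.Open(fmt.Sprintf("/proc/%d", pid))
	if err != nil {
		return errnoOf(err)
	}
	f.Close()
	return 0
}

// CheckChdir changes into /proc/[pid] and restores the previous working
// directory afterwards so the rest of the program is unaffected.
func CheckChdir(pid int64) int {
	cwd, err := os.Getwd()
	if err != nil {
		return errnoOf(err)
	}
	defer os.Chdir(cwd)
	return errnoOf(os.Chdir(fmt.Sprintf("/proc/%d", pid)))
}

// CheckDent lists the parent directory /proc and looks for the pid among the
// returned entries, the same enumeration tools such as ps depend on.
func CheckDent(pid int64) int {
	entries, err := os.ReadDir("/proc")
	if err != nil {
		return errnoOf(err)
	}
	want := strconv.FormatInt(pid, 10)
	for _, e := range entries {
		if e.Name() == want {
			return 0
		}
	}
	return int(syscall.ENOENT)
}

// CheckVisibility runs all three checks for one PID.
func CheckVisibility(pid int64) Visibility {
	return Visibility{
		Opendir: CheckOpendir(pid),
		Chdir:   CheckChdir(pid),
		Dent:    CheckDent(pid),
	}
}

// Suspicious reports the inconsistency a hidden process produces: the
// directory can be opened or entered by name, yet it is absent from the
// listing of /proc. A PID that fails all three checks simply does not exist.
func (v Visibility) Suspicious() bool {
	return v.Dent != 0 && (v.Opendir == 0 || v.Chdir == 0)
}

func main() {
	self := int64(os.Getpid())
	v := CheckVisibility(self)
	fmt.Printf("pid %d: %+v suspicious=%v\n", self, v, v.Suspicious())
}
```

Running this over every candidate PID (for example 1 through the value in /proc/sys/kernel/pid_max) and reporting the ones where Suspicious is true is the brute-force sweep the per-PID checks are designed for; the current process is a convenient sanity check because it must pass all three.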