feat(datastores): add SyscallStore for syscall ID/name mapping

Implement a new SyscallStore datastore that provides:
- GetSyscallName(id int32): lookup syscall name by ID
- GetSyscallID(name string): lookup syscall ID by name

The store wraps events.Core and provides architecture-specific
syscall information (x86 vs ARM). Uses int32 for syscall IDs
to match kernel ABI and protobuf definitions.

This enables detectors to resolve syscall names without direct
access to internal pkg/events structures.

Includes comprehensive unit tests

Author: yanivagman

api/v1beta1/datastores/interfaces.go

@@ -101,3 +101,18 @@ type SystemStore interface {
 	// This data is immutable and never changes during the Tracee process lifetime
 	GetSystemInfo() *SystemInfo
 }
+
+// SyscallStore provides access to syscall metadata for the current architecture
+type SyscallStore interface {
+	DataStore
+
+	// GetSyscallName returns the syscall name for a given ID
+	// Returns empty string and false if the syscall ID is not found
+	// Note: Syscall IDs are architecture-specific (x86 vs ARM)
+	GetSyscallName(id int32) (string, bool)
+
+	// GetSyscallID returns the syscall ID for a given name
+	// Returns 0 and false if the syscall name is not found
+	// Note: Syscall IDs are architecture-specific (x86 vs ARM)
+	GetSyscallID(name string) (int32, bool)
+}

api/v1beta1/datastores/registry.go

@@ -17,6 +17,9 @@ type Registry interface {
 	// System returns the system information datastore
 	System() SystemStore
 
+	// Syscalls returns the syscall information datastore
+	Syscalls() SyscallStore
+
 	// GetCustom retrieves a custom datastore by name
 	// Returns ErrNotFound if the datastore is not registered
 	GetCustom(name string) (DataStore, error)

pkg/datastores/registry.go

@@ -20,6 +20,7 @@ type Registry struct {
 	kernelSymbolStore datastores.KernelSymbolStore
 	dnsStore          datastores.DNSStore
 	systemStore       datastores.SystemStore
+	syscallStore      datastores.SyscallStore
 }
 
 // NewRegistry creates a new datastore registry
@@ -84,6 +85,10 @@ func (r *Registry) RegisterStore(name string, store datastores.DataStore, requir
 		if ss, ok := store.(datastores.SystemStore); ok {
 			r.systemStore = ss
 		}
+	case "syscall":
+		if sc, ok := store.(datastores.SyscallStore); ok {
+			r.syscallStore = sc
+		}
 	}
 
 	r.stores[name] = store
@@ -116,6 +121,11 @@ func (r *Registry) System() datastores.SystemStore {
 	return r.systemStore
 }
 
+// Syscalls returns the syscall information datastore
+func (r *Registry) Syscalls() datastores.SyscallStore {
+	return r.syscallStore
+}
+
 // GetCustom returns a custom datastore by name with type safety
 func (r *Registry) GetCustom(name string) (datastores.DataStore, error) {
 	r.mu.RLock()

pkg/datastores/syscall/store.go

@@ -0,0 +1,83 @@
+package syscall
+
+import (
+	"time"
+
+	"github.com/aquasecurity/tracee/api/v1beta1/datastores"
+	"github.com/aquasecurity/tracee/pkg/events"
+)
+
+// Store implements the SyscallStore interface by wrapping events.DefinitionGroup
+// It provides access to syscall metadata for the current architecture
+type Store struct {
+	eventCore *events.DefinitionGroup
+}
+
+// New creates a new SyscallStore with the provided event definitions
+func New(eventCore *events.DefinitionGroup) datastores.SyscallStore {
+	return &Store{
+		eventCore: eventCore,
+	}
+}
+
+// Name returns the datastore name
+func (s *Store) Name() string {
+	return "syscall"
+}
+
+// GetHealth returns the health status of the datastore
+// SyscallStore is always healthy since it wraps immutable event definitions
+func (s *Store) GetHealth() *datastores.HealthInfo {
+	return &datastores.HealthInfo{
+		Status:    datastores.HealthHealthy,
+		Message:   "syscall store operational",
+		LastCheck: time.Now(),
+	}
+}
+
+// GetMetrics returns operational metrics for the datastore
+func (s *Store) GetMetrics() *datastores.DataStoreMetrics {
+	return &datastores.DataStoreMetrics{
+		ItemCount:    0, // Not tracked for syscall store
+		SuccessCount: 0,
+		ErrorCount:   0,
+		CacheHits:    0,
+		CacheMisses:  0,
+		LastAccess:   time.Now(),
+	}
+}
+
+// GetSyscallName returns the syscall name for a given ID
+// Returns empty string and false if the syscall ID is not found or is not a syscall
+func (s *Store) GetSyscallName(id int32) (string, bool) {
+	def := s.eventCore.GetDefinitionByID(events.ID(id))
+
+	// Check if definition was found (Undefined means not found)
+	if def.GetID() == events.Undefined {
+		return "", false
+	}
+
+	// Only return name if this is actually a syscall
+	if !def.IsSyscall() {
+		return "", false
+	}
+
+	return def.GetName(), true
+}
+
+// GetSyscallID returns the syscall ID for a given name
+// Returns 0 and false if the syscall name is not found or is not a syscall
+func (s *Store) GetSyscallID(name string) (int32, bool) {
+	id, found := s.eventCore.GetDefinitionIDByName(name)
+	if !found {
+		return 0, false
+	}
+
+	// Verify this is actually a syscall
+	def := s.eventCore.GetDefinitionByID(id)
+	if def.GetID() == events.Undefined || !def.IsSyscall() {
+		return 0, false
+	}
+
+	return int32(id), true
+}