probes

package
v0.0.0-...-561fc3e Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 25, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package probes holds probes related files

Package probes holds probes related files

Index

Constants

View Source
const (
	// DentryResolverKernKey is the key to the kernel dentry resolver tail call program
	DentryResolverKernKey uint32 = iota
	// ActivityDumpFilterKey is the key to the kernel activity dump filter tail call program
	ActivityDumpFilterKey
	// DentryResolverKernInputs is the key to the kernel dentry segment resolver tail call program without full syscall context
	DentryResolverKernInputs
	// DentryResolverERPCKey is the key to the eRPC dentry resolver tail call program
	DentryResolverERPCKey
	// DentryResolverParentERPCKey is the key to the eRPC dentry parent resolver tail call program
	DentryResolverParentERPCKey
	// DentryResolverSegmentERPCKey is the key to the eRPC dentry segment resolver tail call program
	DentryResolverSegmentERPCKey
)
View Source
const (
	// DentryResolverOpenCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of an open event
	DentryResolverOpenCallbackKprobeKey uint32 = iota + 1
	// DentryResolverSetAttrCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of an setattr event
	DentryResolverSetAttrCallbackKprobeKey
	// DentryResolverMkdirCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of an mkdir event
	DentryResolverMkdirCallbackKprobeKey
	// DentryResolverMountStageOneCallbackKprobeKey is the key to the callback program to execute after resolving the root dentry of a new mount
	DentryResolverMountStageOneCallbackKprobeKey
	// DentryResolverMountStageTwoCallbackKprobeKey is the key to the callback program to execute after resolving the mountpoint dentry a new mount
	DentryResolverMountStageTwoCallbackKprobeKey
	// DentryResolverSecurityInodeRmdirCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of an rmdir or unlink event
	DentryResolverSecurityInodeRmdirCallbackKprobeKey
	// DentryResolverSetXAttrCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of an setxattr event
	DentryResolverSetXAttrCallbackKprobeKey
	// DentryResolverUnlinkCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of an unlink event
	DentryResolverUnlinkCallbackKprobeKey
	// DentryResolverLinkSrcCallbackKprobeKey is the key to the callback program to execute after resolving the source dentry of a link event
	DentryResolverLinkSrcCallbackKprobeKey
	// DentryResolverLinkDstCallbackKprobeKey is the key to the callback program to execute after resolving the destination dentry of a link event
	DentryResolverLinkDstCallbackKprobeKey
	// DentryResolverRenameCallbackKprobeKey is the key to the callback program to execute after resolving the destination dentry of a rename event
	DentryResolverRenameCallbackKprobeKey
	// DentryResolverSELinuxCallbackKprobeKey is the key to the callback program to execute after resolving the destination dentry of a selinux event
	DentryResolverSELinuxCallbackKprobeKey
	// DentryResolverChdirCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of an chdir event
	DentryResolverChdirCallbackKprobeKey
	// DentryResolverCGroupWriteCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of a newly created cgroup
	DentryResolverCGroupWriteCallbackKprobeKey
)
View Source
const (
	// DentryResolverOpenCallbackTracepointKey is the key to the callback program to execute after resolving the dentry of an open event
	DentryResolverOpenCallbackTracepointKey uint32 = iota + 1
	// DentryResolverMkdirCallbackTracepointKey is the key to the callback program to execute after resolving the dentry of an mkdir event
	DentryResolverMkdirCallbackTracepointKey
	// DentryResolverMountStageOneCallbackTracepointKey is the key to the callback program to execute after resolving the root dentry of a new mount
	DentryResolverMountStageOneCallbackTracepointKey
	// DentryResolverMountStageTwoCallbackTracepointKey is the key to the callback program to execute after resolving the mountpoint dentry a new mount
	DentryResolverMountStageTwoCallbackTracepointKey
	// DentryResolverLinkDstCallbackTracepointKey is the key to the callback program to execute after resolving the destination dentry of a link event
	DentryResolverLinkDstCallbackTracepointKey
	// DentryResolverRenameCallbackTracepointKey is the key to the callback program to execute after resolving the destination dentry of a rename event
	DentryResolverRenameCallbackTracepointKey
	// DentryResolverChdirCallbackTracepointKey is the key to the callback program to execute after resolving the dentry of an chdir event
	DentryResolverChdirCallbackTracepointKey
	// DentryResolverCGroupWriteCallbackTracepointKey is the key to the callback program to execute after resolving the dentry of a newly created cgroup
	DentryResolverCGroupWriteCallbackTracepointKey
)
View Source
const (
	// TCDNSRequestKey is the key to the DNS request program
	TCDNSRequestKey uint32 = iota + 1
	// TCDNSRequestParserKey is the key to the DNS request parser program
	TCDNSRequestParserKey
	// TCIMDSRequestParserKey is the key to the IMDS request program
	TCIMDSRequestParserKey
)
View Source
const (
	// TCRawPacketFilterKey  is the key to the raw packet filter program
	// reserve 5 tail calls for the filtering
	TCRawPacketFilterKey uint32 = iota
	// TCRawPacketParserSenderKey is the key to the raw packet sender program
	TCRawPacketParserSenderKey = TCRawPacketFilterKey + RawPacketFilterMaxTailCall // reserved key for filter tail calls
)
View Source
const (
	// ExecGetEnvsOffsetKey is the key to the program that computes the environment variables offset
	ExecGetEnvsOffsetKey uint32 = iota
	// ExecParseArgsEnvsSplitKey is the key to the program that splits the parsing of arguments and environment variables between tailcalls
	ExecParseArgsEnvsSplitKey
	// ExecParseArgsEnvsKey is the key to the program that parses arguments and then environment variables
	ExecParseArgsEnvsKey
)
View Source
const (
	// Entry indicates that the entry kprobe should be expanded
	Entry = 1 << 0
	// Exit indicates that the exit kretprobe should be expanded
	Exit = 1 << 1
	// ExpandTime32 indicates that the _time32 suffix should be added to the provided probe if needed
	ExpandTime32 = 1 << 2

	// EntryAndExit indicates that both the entry kprobe and exit kretprobe should be expanded
	EntryAndExit = Entry | Exit
)
View Source
const (
	// RawPacketFilterMaxTailCall defines the maximum of tail calls
	RawPacketFilterMaxTailCall = 5
)
View Source
const (
	// SecurityAgentUID is the UID used for all the runtime security module probes
	SecurityAgentUID = "security"
)

Variables

View Source
var (
	// EventsPerfRingBufferSize is the buffer size of the perf buffers used for events.
	// PLEASE NOTE: for the perf ring buffer usage metrics to be accurate, the provided value must have the
	// following form: (1 + 2^n) * pages. Checkout https://github.com/DataDog/ebpf for more.
	EventsPerfRingBufferSize = 256 * os.Getpagesize()
)
View Source
var RawPacketTCProgram = []string{
	"classifier_raw_packet_egress",
	"classifier_raw_packet_ingress",
}

RawPacketTCProgram returns the list of TC classifier sections

View Source
var RuntimeArch string

RuntimeArch holds the CPU architecture of the running machine

View Source
var SyscallMonitorSelectors = []manager.ProbesSelector{
	&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFFuncName: "sys_enter"}},
}

SyscallMonitorSelectors is the list of probes that should be activated for the syscall monitor feature

Functions

func AllBPFProbeWriteUserProgramFunctions

func AllBPFProbeWriteUserProgramFunctions() []string

AllBPFProbeWriteUserProgramFunctions returns the list of program functions that use the bpf_probe_write_user helper

func AllMapSpecEditors

func AllMapSpecEditors(numCPU int, opts MapSpecEditorOpts) map[string]manager.MapSpecEditor

AllMapSpecEditors returns the list of map editors

func AllMaps

func AllMaps() []*manager.Map

AllMaps returns the list of maps of the runtime security module

func AllPerfMaps

func AllPerfMaps() []*manager.PerfMap

AllPerfMaps returns the list of perf maps of the runtime security module

func AllProbes

func AllProbes(fentry bool) []*manager.Probe

AllProbes returns the list of all the probes of the runtime security module

func AllRingBuffers

func AllRingBuffers() []*manager.RingBuffer

AllRingBuffers returns the list of ring buffers of the runtime security module

func AllTailRoutes

func AllTailRoutes(eRPCDentryResolutionEnabled, networkEnabled, rawPacketEnabled, supportMmapableMaps bool) []manager.TailCallRoute

AllTailRoutes returns the list of all the tail call routes

func ExpandSyscallProbes

func ExpandSyscallProbes(probe *manager.Probe, fentry bool, flag int, compat ...bool) []*manager.Probe

ExpandSyscallProbes returns the list of available hook probes for the syscall func name of the provided probe

func ExpandSyscallProbesSelector

func ExpandSyscallProbesSelector(UID string, section string, fentry bool, flag int, compat ...bool) []manager.ProbesSelector

ExpandSyscallProbesSelector returns the list of a ProbesSelector required to query all the probes available for a syscall

func GetAllTCProgramFunctions

func GetAllTCProgramFunctions() []string

GetAllTCProgramFunctions returns the list of TC classifier sections

func GetOnDemandProbes

func GetOnDemandProbes() []*manager.Probe

GetOnDemandProbes returns all the on-demand probes

func GetOnDemandRegularProbe

func GetOnDemandRegularProbe() *manager.Probe

GetOnDemandRegularProbe returns the on-demand probe used for regular (non-sycall) function hooking

func GetOnDemandSyscallProbe

func GetOnDemandSyscallProbe() *manager.Probe

GetOnDemandSyscallProbe returns the on-demand probe used for sycall function hooking

func GetPerfBufferStatisticsMaps

func GetPerfBufferStatisticsMaps() map[string]string

GetPerfBufferStatisticsMaps returns the list of maps used to monitor the performances of each perf buffers

func GetRawPacketTCProgramFunctions

func GetRawPacketTCProgramFunctions() []string

GetRawPacketTCProgramFunctions returns the raw packet functions

func GetRingBufferStatisticsMaps

func GetRingBufferStatisticsMaps() map[string]string

GetRingBufferStatisticsMaps returns the list of maps used to monitor the performances of each ring buffer

func GetSelectorsPerEventType

func GetSelectorsPerEventType(fentry bool) map[eval.EventType][]manager.ProbesSelector

GetSelectorsPerEventType returns the list of probes that should be activated for each event

func GetSyscallFnName

func GetSyscallFnName(name string) string

GetSyscallFnName returns the hook point for the provided syscall name

func GetTCProbes

func GetTCProbes(withNetworkIngress bool, withRawPacket bool) []*manager.Probe

GetTCProbes returns the list of TCProbes

func NetworkNFNatSelectors

func NetworkNFNatSelectors() []manager.ProbesSelector

NetworkNFNatSelectors is the list of probes that should be activated if the `nf_nat` module is loaded

func NetworkSelectors

func NetworkSelectors() []manager.ProbesSelector

NetworkSelectors is the list of probes that should be activated when the network is enabled

func NetworkVethSelectors

func NetworkVethSelectors() []manager.ProbesSelector

NetworkVethSelectors is the list of probes that should be activated if the `veth` module is loaded

func ShouldUseModuleLoadTracepoint

func ShouldUseModuleLoadTracepoint() bool

ShouldUseModuleLoadTracepoint returns true if we should use module load tracepoint

func ShouldUseSyscallExitTracepoints

func ShouldUseSyscallExitTracepoints() bool

ShouldUseSyscallExitTracepoints returns true if the kernel version is old and we need to use tracepoints to handle syscall exits instead of kretprobes

func SnapshotSelectors

func SnapshotSelectors() []manager.ProbesSelector

SnapshotSelectors selectors required during the snapshot

Types

type MapSpecEditorOpts

type MapSpecEditorOpts struct {
	TracedCgroupSize        int
	UseMmapableMaps         bool
	UseRingBuffers          bool
	RingBufferSize          uint32
	PathResolutionEnabled   bool
	SecurityProfileMaxCount int
	ReducedProcPidCacheSize bool
}

MapSpecEditorOpts defines some options of the map spec editor

Directories

Path Synopsis
Package rawpacket holds rawpacket related files
Package rawpacket holds rawpacket related files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL