model

package
v0.34.0-rc.12 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 24, 2022 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// MaxSegmentLength defines the maximum length of each segment of a path
	MaxSegmentLength = 255

	// MaxPathDepth defines the maximum depth of a path
	MaxPathDepth = 1500

	// PathSuffix defines the suffix used for path fields
	PathSuffix = ".path"

	// NameSuffix defines the suffix used for name fields
	NameSuffix = ".name"
)
View Source
const (
	LowerLayer = 1 << iota
	UpperLayer
)

File flags

Variables

View Source
var (

	// BPFCmdConstants is the list of BPF commands
	BPFCmdConstants = map[string]BPFCmd{
		"BPF_MAP_CREATE":                  BpfMapCreateCmd,
		"BPF_MAP_LOOKUP_ELEM":             BpfMapLookupElemCmd,
		"BPF_MAP_UPDATE_ELEM":             BpfMapUpdateElemCmd,
		"BPF_MAP_DELETE_ELEM":             BpfMapDeleteElemCmd,
		"BPF_MAP_GET_NEXT_KEY":            BpfMapGetNextKeyCmd,
		"BPF_PROG_LOAD":                   BpfProgLoadCmd,
		"BPF_OBJ_PIN":                     BpfObjPinCmd,
		"BPF_OBJ_GET":                     BpfObjGetCmd,
		"BPF_PROG_ATTACH":                 BpfProgAttachCmd,
		"BPF_PROG_DETACH":                 BpfProgDetachCmd,
		"BPF_PROG_TEST_RUN":               BpfProgTestRunCmd,
		"BPF_PROG_RUN":                    BpfProgTestRunCmd,
		"BPF_PROG_GET_NEXT_ID":            BpfProgGetNextIDCmd,
		"BPF_MAP_GET_NEXT_ID":             BpfMapGetNextIDCmd,
		"BPF_PROG_GET_FD_BY_ID":           BpfProgGetFdByIDCmd,
		"BPF_MAP_GET_FD_BY_ID":            BpfMapGetFdByIDCmd,
		"BPF_OBJ_GET_INFO_BY_FD":          BpfObjGetInfoByFdCmd,
		"BPF_PROG_QUERY":                  BpfProgQueryCmd,
		"BPF_RAW_TRACEPOINT_OPEN":         BpfRawTracepointOpenCmd,
		"BPF_BTF_LOAD":                    BpfBtfLoadCmd,
		"BPF_BTF_GET_FD_BY_ID":            BpfBtfGetFdByIDCmd,
		"BPF_TASK_FD_QUERY":               BpfTaskFdQueryCmd,
		"BPF_MAP_LOOKUP_AND_DELETE_ELEM":  BpfMapLookupAndDeleteElemCmd,
		"BPF_MAP_FREEZE":                  BpfMapFreezeCmd,
		"BPF_BTF_GET_NEXT_ID":             BpfBtfGetNextIDCmd,
		"BPF_MAP_LOOKUP_BATCH":            BpfMapLookupBatchCmd,
		"BPF_MAP_LOOKUP_AND_DELETE_BATCH": BpfMapLookupAndDeleteBatchCmd,
		"BPF_MAP_UPDATE_BATCH":            BpfMapUpdateBatchCmd,
		"BPF_MAP_DELETE_BATCH":            BpfMapDeleteBatchCmd,
		"BPF_LINK_CREATE":                 BpfLinkCreateCmd,
		"BPF_LINK_UPDATE":                 BpfLinkUpdateCmd,
		"BPF_LINK_GET_FD_BY_ID":           BpfLinkGetFdByIDCmd,
		"BPF_LINK_GET_NEXT_ID":            BpfLinkGetNextIDCmd,
		"BPF_ENABLE_STATS":                BpfEnableStatsCmd,
		"BPF_ITER_CREATE":                 BpfIterCreateCmd,
		"BPF_LINK_DETACH":                 BpfLinkDetachCmd,
		"BPF_PROG_BIND_MAP":               BpfProgBindMapCmd,
	}

	// BPFHelperFuncConstants is the list of BPF helper func constants
	BPFHelperFuncConstants = map[string]BPFHelperFunc{}/* 166 elements not displayed */

	// BPFMapTypeConstants is the list of BPF map type constants
	BPFMapTypeConstants = map[string]BPFMapType{
		"BPF_MAP_TYPE_UNSPEC":                BpfMapTypeUnspec,
		"BPF_MAP_TYPE_HASH":                  BpfMapTypeHash,
		"BPF_MAP_TYPE_ARRAY":                 BpfMapTypeArray,
		"BPF_MAP_TYPE_PROG_ARRAY":            BpfMapTypeProgArray,
		"BPF_MAP_TYPE_PERF_EVENT_ARRAY":      BpfMapTypePerfEventArray,
		"BPF_MAP_TYPE_PERCPU_HASH":           BpfMapTypePercpuHash,
		"BPF_MAP_TYPE_PERCPU_ARRAY":          BpfMapTypePercpuArray,
		"BPF_MAP_TYPE_STACK_TRACE":           BpfMapTypeStackTrace,
		"BPF_MAP_TYPE_CGROUP_ARRAY":          BpfMapTypeCgroupArray,
		"BPF_MAP_TYPE_LRU_HASH":              BpfMapTypeLruHash,
		"BPF_MAP_TYPE_LRU_PERCPU_HASH":       BpfMapTypeLruPercpuHash,
		"BPF_MAP_TYPE_LPM_TRIE":              BpfMapTypeLpmTrie,
		"BPF_MAP_TYPE_ARRAY_OF_MAPS":         BpfMapTypeArrayOfMaps,
		"BPF_MAP_TYPE_HASH_OF_MAPS":          BpfMapTypeHashOfMaps,
		"BPF_MAP_TYPE_DEVMAP":                BpfMapTypeDevmap,
		"BPF_MAP_TYPE_SOCKMAP":               BpfMapTypeSockmap,
		"BPF_MAP_TYPE_CPUMAP":                BpfMapTypeCPUmap,
		"BPF_MAP_TYPE_XSKMAP":                BpfMapTypeXskmap,
		"BPF_MAP_TYPE_SOCKHASH":              BpfMapTypeSockhash,
		"BPF_MAP_TYPE_CGROUP_STORAGE":        BpfMapTypeCgroupStorage,
		"BPF_MAP_TYPE_REUSEPORT_SOCKARRAY":   BpfMapTypeReuseportSockarray,
		"BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE": BpfMapTypePercpuCgroupStorage,
		"BPF_MAP_TYPE_QUEUE":                 BpfMapTypeQueue,
		"BPF_MAP_TYPE_STACK":                 BpfMapTypeStack,
		"BPF_MAP_TYPE_SK_STORAGE":            BpfMapTypeSkStorage,
		"BPF_MAP_TYPE_DEVMAP_HASH":           BpfMapTypeDevmapHash,
		"BPF_MAP_TYPE_STRUCT_OPS":            BpfMapTypeStructOps,
		"BPF_MAP_TYPE_RINGBUF":               BpfMapTypeRingbuf,
		"BPF_MAP_TYPE_INODE_STORAGE":         BpfMapTypeInodeStorage,
		"BPF_MAP_TYPE_TASK_STORAGE":          BpfMapTypeTaskStorage,
	}

	// BPFProgramTypeConstants is the list of BPF program type constants
	BPFProgramTypeConstants = map[string]BPFProgramType{
		"BPF_PROG_TYPE_UNSPEC":                  BpfProgTypeUnspec,
		"BPF_PROG_TYPE_SOCKET_FILTER":           BpfProgTypeSocketFilter,
		"BPF_PROG_TYPE_KPROBE":                  BpfProgTypeKprobe,
		"BPF_PROG_TYPE_SCHED_CLS":               BpfProgTypeSchedCls,
		"BPF_PROG_TYPE_SCHED_ACT":               BpfProgTypeSchedAct,
		"BPF_PROG_TYPE_TRACEPOINT":              BpfProgTypeTracepoint,
		"BPF_PROG_TYPE_XDP":                     BpfProgTypeXdp,
		"BPF_PROG_TYPE_PERF_EVENT":              BpfProgTypePerfEvent,
		"BPF_PROG_TYPE_CGROUP_SKB":              BpfProgTypeCgroupSkb,
		"BPF_PROG_TYPE_CGROUP_SOCK":             BpfProgTypeCgroupSock,
		"BPF_PROG_TYPE_LWT_IN":                  BpfProgTypeLwtIn,
		"BPF_PROG_TYPE_LWT_OUT":                 BpfProgTypeLwtOut,
		"BPF_PROG_TYPE_LWT_XMIT":                BpfProgTypeLwtXmit,
		"BPF_PROG_TYPE_SOCK_OPS":                BpfProgTypeSockOps,
		"BPF_PROG_TYPE_SK_SKB":                  BpfProgTypeSkSkb,
		"BPF_PROG_TYPE_CGROUP_DEVICE":           BpfProgTypeCgroupDevice,
		"BPF_PROG_TYPE_SK_MSG":                  BpfProgTypeSkMsg,
		"BPF_PROG_TYPE_RAW_TRACEPOINT":          BpfProgTypeRawTracepoint,
		"BPF_PROG_TYPE_CGROUP_SOCK_ADDR":        BpfProgTypeCgroupSockAddr,
		"BPF_PROG_TYPE_LWT_SEG6LOCAL":           BpfProgTypeLwtSeg6local,
		"BPF_PROG_TYPE_LIRC_MODE2":              BpfProgTypeLircMode2,
		"BPF_PROG_TYPE_SK_REUSEPORT":            BpfProgTypeSkReuseport,
		"BPF_PROG_TYPE_FLOW_DISSECTOR":          BpfProgTypeFlowDissector,
		"BPF_PROG_TYPE_CGROUP_SYSCTL":           BpfProgTypeCgroupSysctl,
		"BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE": BpfProgTypeRawTracepointWritable,
		"BPF_PROG_TYPE_CGROUP_SOCKOPT":          BpfProgTypeCgroupSockopt,
		"BPF_PROG_TYPE_TRACING":                 BpfProgTypeTracing,
		"BPF_PROG_TYPE_STRUCT_OPS":              BpfProgTypeStructOps,
		"BPF_PROG_TYPE_EXT":                     BpfProgTypeExt,
		"BPF_PROG_TYPE_LSM":                     BpfProgTypeLsm,
		"BPF_PROG_TYPE_SK_LOOKUP":               BpfProgTypeSkLookup,
	}

	// BPFAttachTypeConstants is the list of BPF attach type constants
	BPFAttachTypeConstants = map[string]BPFAttachType{
		"BPF_CGROUP_INET_INGRESS":      BpfCgroupInetIngress,
		"BPF_CGROUP_INET_EGRESS":       BpfCgroupInetEgress,
		"BPF_CGROUP_INET_SOCK_CREATE":  BpfCgroupInetSockCreate,
		"BPF_CGROUP_SOCK_OPS":          BpfCgroupSockOps,
		"BPF_SK_SKB_STREAM_PARSER":     BpfSkSkbStreamParser,
		"BPF_SK_SKB_STREAM_VERDICT":    BpfSkSkbStreamVerdict,
		"BPF_CGROUP_DEVICE":            BpfCgroupDevice,
		"BPF_SK_MSG_VERDICT":           BpfSkMsgVerdict,
		"BPF_CGROUP_INET4_BIND":        BpfCgroupInet4Bind,
		"BPF_CGROUP_INET6_BIND":        BpfCgroupInet6Bind,
		"BPF_CGROUP_INET4_CONNECT":     BpfCgroupInet4Connect,
		"BPF_CGROUP_INET6_CONNECT":     BpfCgroupInet6Connect,
		"BPF_CGROUP_INET4_POST_BIND":   BpfCgroupInet4PostBind,
		"BPF_CGROUP_INET6_POST_BIND":   BpfCgroupInet6PostBind,
		"BPF_CGROUP_UDP4_SENDMSG":      BpfCgroupUDP4Sendmsg,
		"BPF_CGROUP_UDP6_SENDMSG":      BpfCgroupUDP6Sendmsg,
		"BPF_LIRC_MODE2":               BpfLircMode2,
		"BPF_FLOW_DISSECTOR":           BpfFlowDissector,
		"BPF_CGROUP_SYSCTL":            BpfCgroupSysctl,
		"BPF_CGROUP_UDP4_RECVMSG":      BpfCgroupUDP4Recvmsg,
		"BPF_CGROUP_UDP6_RECVMSG":      BpfCgroupUDP6Recvmsg,
		"BPF_CGROUP_GETSOCKOPT":        BpfCgroupGetsockopt,
		"BPF_CGROUP_SETSOCKOPT":        BpfCgroupSetsockopt,
		"BPF_TRACE_RAW_TP":             BpfTraceRawTp,
		"BPF_TRACE_FENTRY":             BpfTraceFentry,
		"BPF_TRACE_FEXIT":              BpfTraceFexit,
		"BPF_MODIFY_RETURN":            BpfModifyReturn,
		"BPF_LSM_MAC":                  BpfLsmMac,
		"BPF_TRACE_ITER":               BpfTraceIter,
		"BPF_CGROUP_INET4_GETPEERNAME": BpfCgroupInet4Getpeername,
		"BPF_CGROUP_INET6_GETPEERNAME": BpfCgroupInet6Getpeername,
		"BPF_CGROUP_INET4_GETSOCKNAME": BpfCgroupInet4Getsockname,
		"BPF_CGROUP_INET6_GETSOCKNAME": BpfCgroupInet6Getsockname,
		"BPF_XDP_DEVMAP":               BpfXdpDevmap,
		"BPF_CGROUP_INET_SOCK_RELEASE": BpfCgroupInetSockRelease,
		"BPF_XDP_CPUMAP":               BpfXdpCPUmap,
		"BPF_SK_LOOKUP":                BpfSkLookup,
		"BPF_XDP":                      BpfXdp,
		"BPF_SK_SKB_VERDICT":           BpfSkSkbVerdict,
	}

	// SECLConstants are constants available in runtime security agent rules
	SECLConstants = map[string]interface{}{

		"true":  &eval.BoolEvaluator{Value: true},
		"false": &eval.BoolEvaluator{Value: false},
	}
)
View Source
var (
	// ErrNotEnoughData is returned when the buffer is too small to unmarshal the event
	ErrNotEnoughData = errors.New("not enough data")

	// ErrStringArrayOverflow returned when there is a string array overflow
	ErrStringArrayOverflow = errors.New("string array overflow")

	// ErrNonPrintable returned when a string contains non printable char
	ErrNonPrintable = errors.New("non printable")
)
View Source
var ByteOrder binary.ByteOrder

ByteOrder holds the hosts byte order

View Source
var (

	// KernelCapabilityConstants list of kernel capabilities
	KernelCapabilityConstants = map[string]uint64{
		"CAP_AUDIT_CONTROL":      1 << unix.CAP_AUDIT_CONTROL,
		"CAP_AUDIT_READ":         1 << unix.CAP_AUDIT_READ,
		"CAP_AUDIT_WRITE":        1 << unix.CAP_AUDIT_WRITE,
		"CAP_BLOCK_SUSPEND":      1 << unix.CAP_BLOCK_SUSPEND,
		"CAP_BPF":                1 << unix.CAP_BPF,
		"CAP_CHECKPOINT_RESTORE": 1 << unix.CAP_CHECKPOINT_RESTORE,
		"CAP_CHOWN":              1 << unix.CAP_CHOWN,
		"CAP_DAC_OVERRIDE":       1 << unix.CAP_DAC_OVERRIDE,
		"CAP_DAC_READ_SEARCH":    1 << unix.CAP_DAC_READ_SEARCH,
		"CAP_FOWNER":             1 << unix.CAP_FOWNER,
		"CAP_FSETID":             1 << unix.CAP_FSETID,
		"CAP_IPC_LOCK":           1 << unix.CAP_IPC_LOCK,
		"CAP_IPC_OWNER":          1 << unix.CAP_IPC_OWNER,
		"CAP_KILL":               1 << unix.CAP_KILL,
		"CAP_LAST_CAP":           1 << unix.CAP_LAST_CAP,
		"CAP_LEASE":              1 << unix.CAP_LEASE,
		"CAP_LINUX_IMMUTABLE":    1 << unix.CAP_LINUX_IMMUTABLE,
		"CAP_MAC_ADMIN":          1 << unix.CAP_MAC_ADMIN,
		"CAP_MAC_OVERRIDE":       1 << unix.CAP_MAC_OVERRIDE,
		"CAP_MKNOD":              1 << unix.CAP_MKNOD,
		"CAP_NET_ADMIN":          1 << unix.CAP_NET_ADMIN,
		"CAP_NET_BIND_SERVICE":   1 << unix.CAP_NET_BIND_SERVICE,
		"CAP_NET_BROADCAST":      1 << unix.CAP_NET_BROADCAST,
		"CAP_NET_RAW":            1 << unix.CAP_NET_RAW,
		"CAP_PERFMON":            1 << unix.CAP_PERFMON,
		"CAP_SETFCAP":            1 << unix.CAP_SETFCAP,
		"CAP_SETGID":             1 << unix.CAP_SETGID,
		"CAP_SETPCAP":            1 << unix.CAP_SETPCAP,
		"CAP_SETUID":             1 << unix.CAP_SETUID,
		"CAP_SYSLOG":             1 << unix.CAP_SYSLOG,
		"CAP_SYS_ADMIN":          1 << unix.CAP_SYS_ADMIN,
		"CAP_SYS_BOOT":           1 << unix.CAP_SYS_BOOT,
		"CAP_SYS_CHROOT":         1 << unix.CAP_SYS_CHROOT,
		"CAP_SYS_MODULE":         1 << unix.CAP_SYS_MODULE,
		"CAP_SYS_NICE":           1 << unix.CAP_SYS_NICE,
		"CAP_SYS_PACCT":          1 << unix.CAP_SYS_PACCT,
		"CAP_SYS_PTRACE":         1 << unix.CAP_SYS_PTRACE,
		"CAP_SYS_RAWIO":          1 << unix.CAP_SYS_RAWIO,
		"CAP_SYS_RESOURCE":       1 << unix.CAP_SYS_RESOURCE,
		"CAP_SYS_TIME":           1 << unix.CAP_SYS_TIME,
		"CAP_SYS_TTY_CONFIG":     1 << unix.CAP_SYS_TTY_CONFIG,
		"CAP_WAKE_ALARM":         1 << unix.CAP_WAKE_ALARM,
	}
)
View Source
var SECLLegacyFields = map[eval.Field]eval.Field{

	"chmod.filename": "chmod.file.path",
	"chmod.basename": "chmod.file.name",
	"chmod.mode":     "chmod.file.destination.mode",

	"chown.filename": "chown.file.path",
	"chown.basename": "chown.file.name",
	"chown.uid":      "chown.file.destination.uid",
	"chown.user":     "chown.file.destination.user",
	"chown.gid":      "chown.file.destination.gid",
	"chown.group":    "chown.file.destination.group",

	"open.filename": "open.file.path",
	"open.basename": "open.file.name",
	"open.mode":     "open.file.destination.mode",

	"mkdir.filename": "mkdir.file.path",
	"mkdir.basename": "mkdir.file.name",
	"mkdir.mode":     "mkdir.file.destination.mode",

	"rmdir.filename": "rmdir.file.path",
	"rmdir.basename": "rmdir.file.name",

	"rename.old.filename": "rename.file.path",
	"rename.old.basename": "rename.file.name",
	"rename.new.filename": "rename.file.destination.path",
	"rename.new.basename": "rename.file.destination.name",

	"unlink.filename": "unlink.file.path",
	"unlink.basename": "unlink.file.name",

	"utimes.filename": "utimes.file.path",
	"utimes.basename": "utimes.file.name",

	"link.source.filename": "link.file.path",
	"link.source.basename": "link.file.name",
	"link.target.filename": "link.file.destination.path",
	"link.target.basename": "link.file.destination.name",

	"setxattr.filename":  "setxattr.file.path",
	"setxattr.basename":  "setxattr.file.name",
	"setxattr.namespace": "setxattr.file.destination.namespace",
	"setxattr.name":      "setxattr.file.destination.name",

	"removexattr.filename":  "removexattr.file.path",
	"removexattr.basename":  "removexattr.file.name",
	"removexattr.namespace": "removexattr.file.destination.namespace",
	"removexattr.name":      "removexattr.file.destination.name",

	"exec.filename":         "exec.file.path",
	"exec.overlay_numlower": "exec.file.overlay_numlower",
	"exec.basename":         "exec.file.name",
	"exec.name":             "exec.comm",

	"process.filename":           "process.file.path",
	"process.basename":           "process.file.name",
	"process.name":               "process.comm",
	"process.ancestors.filename": "process.ancestors.file.path",
	"process.ancestors.basename": "process.ancestors.file.name",
	"process.ancestors.name":     "process.ancestors.comm",
}

SECLLegacyFields contains the list of the legacy attributes we need to support

View Source
var (
	// SECLVariables set of variables
	SECLVariables = map[string]eval.VariableValue{
		"process.pid": {
			IntFnc: func(ctx *eval.Context) int {
				return int((*Event)(ctx.Object).ProcessContext.Process.Pid)
			},
		},
	}
)

Functions

func FindContainerID

func FindContainerID(s string) string

FindContainerID extracts the first sub string that matches the pattern of a container ID

func GetEventTypePerCategory

func GetEventTypePerCategory() map[EventCategory][]eval.EventType

GetEventTypePerCategory returns the event types per category

func GetHostByteOrder

func GetHostByteOrder() binary.ByteOrder

GetHostByteOrder guesses the hosts byte order

func IsAlphaNumeric

func IsAlphaNumeric(r rune) bool

IsAlphaNumeric returns whether a character is either a digit or a letter

func IsPrintable

func IsPrintable(s string) bool

IsPrintable returns whether the string does contain only unicode printable

func IsPrintableASCII

func IsPrintableASCII(s string) bool

IsPrintableASCII returns whether the string does contain only ASCII char

func SliceToArray

func SliceToArray(src []byte, dst unsafe.Pointer)

SliceToArray copy src bytes to dst. Destination should have enough space

func StringifyHelpersList

func StringifyHelpersList(input []uint32) []string

StringifyHelpersList returns a string list representation of a list of helpers

func UnmarshalBinary

func UnmarshalBinary(data []byte, binaryUnmarshalers ...BinaryUnmarshaler) (int, error)

UnmarshalBinary calls a series of BinaryUnmarshaler

func UnmarshalPrintableString

func UnmarshalPrintableString(data []byte, size int) (string, error)

UnmarshalPrintableString unmarshal printable string

func UnmarshalString

func UnmarshalString(data []byte, size int) (string, error)

UnmarshalString unmarshal string

func UnmarshalStringArray

func UnmarshalStringArray(data []byte) ([]string, error)

UnmarshalStringArray extract array of string for array of byte

Types

type ArgsEntry

type ArgsEntry struct {
	*ArgsEnvsCacheEntry

	Values    []string
	Truncated bool
	// contains filtered or unexported fields
}

ArgsEntry defines a args cache entry

func (*ArgsEntry) ToArray

func (p *ArgsEntry) ToArray() ([]string, bool)

ToArray returns args as array

type ArgsEnvs

type ArgsEnvs struct {
	ID        uint32
	Size      uint32
	ValuesRaw [256]byte
}

ArgsEnvs raw value for args and envs

type ArgsEnvsCacheEntry

type ArgsEnvsCacheEntry struct {
	ArgsEnvs
	// contains filtered or unexported fields
}

ArgsEnvsCacheEntry defines a args/envs base entry

func NewArgsEnvsCacheEntry

func NewArgsEnvsCacheEntry(onRelease func(_ *ArgsEnvsCacheEntry)) *ArgsEnvsCacheEntry

NewArgsEnvsCacheEntry returns a new args/env cache entry

func (*ArgsEnvsCacheEntry) Append

func (p *ArgsEnvsCacheEntry) Append(entry *ArgsEnvsCacheEntry)

Append an entry to the list

func (*ArgsEnvsCacheEntry) Release

func (p *ArgsEnvsCacheEntry) Release()

Release decrement and eventually release the entry

func (*ArgsEnvsCacheEntry) Retain

func (p *ArgsEnvsCacheEntry) Retain()

Retain increment ref counter

type ArgsEnvsEvent

type ArgsEnvsEvent struct {
	ArgsEnvs
}

ArgsEnvsEvent defines a args/envs event

func (*ArgsEnvsEvent) UnmarshalBinary

func (e *ArgsEnvsEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type BPFAttachType

type BPFAttachType uint32

BPFAttachType is used to define attach type constants

const (
	// BpfCgroupInetIngress attach type
	BpfCgroupInetIngress BPFAttachType = iota + 1
	// BpfCgroupInetEgress attach type
	BpfCgroupInetEgress
	// BpfCgroupInetSockCreate attach type
	BpfCgroupInetSockCreate
	// BpfCgroupSockOps attach type
	BpfCgroupSockOps
	// BpfSkSkbStreamParser attach type
	BpfSkSkbStreamParser
	// BpfSkSkbStreamVerdict attach type
	BpfSkSkbStreamVerdict
	// BpfCgroupDevice attach type
	BpfCgroupDevice
	// BpfSkMsgVerdict attach type
	BpfSkMsgVerdict
	// BpfCgroupInet4Bind attach type
	BpfCgroupInet4Bind
	// BpfCgroupInet6Bind attach type
	BpfCgroupInet6Bind
	// BpfCgroupInet4Connect attach type
	BpfCgroupInet4Connect
	// BpfCgroupInet6Connect attach type
	BpfCgroupInet6Connect
	// BpfCgroupInet4PostBind attach type
	BpfCgroupInet4PostBind
	// BpfCgroupInet6PostBind attach type
	BpfCgroupInet6PostBind
	// BpfCgroupUDP4Sendmsg attach type
	BpfCgroupUDP4Sendmsg
	// BpfCgroupUDP6Sendmsg attach type
	BpfCgroupUDP6Sendmsg
	// BpfLircMode2 attach type
	BpfLircMode2
	// BpfFlowDissector attach type
	BpfFlowDissector
	// BpfCgroupSysctl attach type
	BpfCgroupSysctl
	// BpfCgroupUDP4Recvmsg attach type
	BpfCgroupUDP4Recvmsg
	// BpfCgroupUDP6Recvmsg attach type
	BpfCgroupUDP6Recvmsg
	// BpfCgroupGetsockopt attach type
	BpfCgroupGetsockopt
	// BpfCgroupSetsockopt attach type
	BpfCgroupSetsockopt
	// BpfTraceRawTp attach type
	BpfTraceRawTp
	// BpfTraceFentry attach type
	BpfTraceFentry
	// BpfTraceFexit attach type
	BpfTraceFexit
	// BpfModifyReturn attach type
	BpfModifyReturn
	// BpfLsmMac attach type
	BpfLsmMac
	// BpfTraceIter attach type
	BpfTraceIter
	// BpfCgroupInet4Getpeername attach type
	BpfCgroupInet4Getpeername
	// BpfCgroupInet6Getpeername attach type
	BpfCgroupInet6Getpeername
	// BpfCgroupInet4Getsockname attach type
	BpfCgroupInet4Getsockname
	// BpfCgroupInet6Getsockname attach type
	BpfCgroupInet6Getsockname
	// BpfXdpDevmap attach type
	BpfXdpDevmap
	// BpfCgroupInetSockRelease attach type
	BpfCgroupInetSockRelease
	// BpfXdpCPUmap attach type
	BpfXdpCPUmap
	// BpfSkLookup attach type
	BpfSkLookup
	// BpfXdp attach type
	BpfXdp
	// BpfSkSkbVerdict attach type
	BpfSkSkbVerdict
)

func (BPFAttachType) String

func (t BPFAttachType) String() string

type BPFCmd

type BPFCmd uint64

BPFCmd represents a BPF command

const (
	// BpfMapCreateCmd command
	BpfMapCreateCmd BPFCmd = iota
	// BpfMapLookupElemCmd command
	BpfMapLookupElemCmd
	// BpfMapUpdateElemCmd command
	BpfMapUpdateElemCmd
	// BpfMapDeleteElemCmd command
	BpfMapDeleteElemCmd
	// BpfMapGetNextKeyCmd command
	BpfMapGetNextKeyCmd
	// BpfProgLoadCmd command
	BpfProgLoadCmd
	// BpfObjPinCmd command
	BpfObjPinCmd
	// BpfObjGetCmd command
	BpfObjGetCmd
	// BpfProgAttachCmd command
	BpfProgAttachCmd
	// BpfProgDetachCmd command
	BpfProgDetachCmd
	// BpfProgTestRunCmd command
	BpfProgTestRunCmd
	// BpfProgGetNextIDCmd command
	BpfProgGetNextIDCmd
	// BpfMapGetNextIDCmd command
	BpfMapGetNextIDCmd
	// BpfProgGetFdByIDCmd command
	BpfProgGetFdByIDCmd
	// BpfMapGetFdByIDCmd command
	BpfMapGetFdByIDCmd
	// BpfObjGetInfoByFdCmd command
	BpfObjGetInfoByFdCmd
	// BpfProgQueryCmd command
	BpfProgQueryCmd
	// BpfRawTracepointOpenCmd command
	BpfRawTracepointOpenCmd
	// BpfBtfLoadCmd command
	BpfBtfLoadCmd
	// BpfBtfGetFdByIDCmd command
	BpfBtfGetFdByIDCmd
	// BpfTaskFdQueryCmd command
	BpfTaskFdQueryCmd
	// BpfMapLookupAndDeleteElemCmd command
	BpfMapLookupAndDeleteElemCmd
	// BpfMapFreezeCmd command
	BpfMapFreezeCmd
	// BpfBtfGetNextIDCmd command
	BpfBtfGetNextIDCmd
	// BpfMapLookupBatchCmd command
	BpfMapLookupBatchCmd
	// BpfMapLookupAndDeleteBatchCmd command
	BpfMapLookupAndDeleteBatchCmd
	// BpfMapUpdateBatchCmd command
	BpfMapUpdateBatchCmd
	// BpfMapDeleteBatchCmd command
	BpfMapDeleteBatchCmd
	// BpfLinkCreateCmd command
	BpfLinkCreateCmd
	// BpfLinkUpdateCmd command
	BpfLinkUpdateCmd
	// BpfLinkGetFdByIDCmd command
	BpfLinkGetFdByIDCmd
	// BpfLinkGetNextIDCmd command
	BpfLinkGetNextIDCmd
	// BpfEnableStatsCmd command
	BpfEnableStatsCmd
	// BpfIterCreateCmd command
	BpfIterCreateCmd
	// BpfLinkDetachCmd command
	BpfLinkDetachCmd
	// BpfProgBindMapCmd command
	BpfProgBindMapCmd
)

func (BPFCmd) String

func (cmd BPFCmd) String() string

type BPFEvent

type BPFEvent struct {
	SyscallEvent

	Map     BPFMap     `field:"map"`  // eBPF map involved in the BPF command
	Program BPFProgram `field:"prog"` // eBPF program involved in the BPF command
	Cmd     uint32     `field:"cmd"`  // BPF command name
}

BPFEvent represents a BPF event

func (*BPFEvent) UnmarshalBinary

func (e *BPFEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type BPFHelperFunc

type BPFHelperFunc uint32

BPFHelperFunc represents a BPF helper function

const (
	// BpfUnspec helper function
	BpfUnspec BPFHelperFunc = iota
	// BpfMapLookupElem helper function
	BpfMapLookupElem
	// BpfMapUpdateElem helper function
	BpfMapUpdateElem
	// BpfMapDeleteElem helper function
	BpfMapDeleteElem
	// BpfProbeRead helper function
	BpfProbeRead
	// BpfKtimeGetNs helper function
	BpfKtimeGetNs
	// BpfTracePrintk helper function
	BpfTracePrintk
	// BpfGetPrandomU32 helper function
	BpfGetPrandomU32
	// BpfGetSmpProcessorID helper function
	BpfGetSmpProcessorID
	// BpfSkbStoreBytes helper function
	BpfSkbStoreBytes
	// BpfL3CsumReplace helper function
	BpfL3CsumReplace
	// BpfL4CsumReplace helper function
	BpfL4CsumReplace
	// BpfTailCall helper function
	BpfTailCall
	// BpfCloneRedirect helper function
	BpfCloneRedirect
	// BpfGetCurrentPidTgid helper function
	BpfGetCurrentPidTgid
	// BpfGetCurrentUIDGid helper function
	BpfGetCurrentUIDGid
	// BpfGetCurrentComm helper function
	BpfGetCurrentComm
	// BpfGetCgroupClassid helper function
	BpfGetCgroupClassid
	// BpfSkbVlanPush helper function
	BpfSkbVlanPush
	// BpfSkbVlanPop helper function
	BpfSkbVlanPop
	// BpfSkbGetTunnelKey helper function
	BpfSkbGetTunnelKey
	// BpfSkbSetTunnelKey helper function
	BpfSkbSetTunnelKey
	// BpfPerfEventRead helper function
	BpfPerfEventRead
	// BpfRedirect helper function
	BpfRedirect
	// BpfGetRouteRealm helper function
	BpfGetRouteRealm
	// BpfPerfEventOutput helper function
	BpfPerfEventOutput
	// BpfSkbLoadBytes helper function
	BpfSkbLoadBytes
	// BpfGetStackid helper function
	BpfGetStackid
	// BpfCsumDiff helper function
	BpfCsumDiff
	// BpfSkbGetTunnelOpt helper function
	BpfSkbGetTunnelOpt
	// BpfSkbSetTunnelOpt helper function
	BpfSkbSetTunnelOpt
	// BpfSkbChangeProto helper function
	BpfSkbChangeProto
	// BpfSkbChangeType helper function
	BpfSkbChangeType
	// BpfSkbUnderCgroup helper function
	BpfSkbUnderCgroup
	// BpfGetHashRecalc helper function
	BpfGetHashRecalc
	// BpfGetCurrentTask helper function
	BpfGetCurrentTask
	// BpfProbeWriteUser helper function
	BpfProbeWriteUser
	// BpfCurrentTaskUnderCgroup helper function
	BpfCurrentTaskUnderCgroup
	// BpfSkbChangeTail helper function
	BpfSkbChangeTail
	// BpfSkbPullData helper function
	BpfSkbPullData
	// BpfCsumUpdate helper function
	BpfCsumUpdate
	// BpfSetHashInvalid helper function
	BpfSetHashInvalid
	// BpfGetNumaNodeID helper function
	BpfGetNumaNodeID
	// BpfSkbChangeHead helper function
	BpfSkbChangeHead
	// BpfXdpAdjustHead helper function
	BpfXdpAdjustHead
	// BpfProbeReadStr helper function
	BpfProbeReadStr
	// BpfGetSocketCookie helper function
	BpfGetSocketCookie
	// BpfGetSocketUID helper function
	BpfGetSocketUID
	// BpfSetHash helper function
	BpfSetHash
	// BpfSetsockopt helper function
	BpfSetsockopt
	// BpfSkbAdjustRoom helper function
	BpfSkbAdjustRoom
	// BpfRedirectMap helper function
	BpfRedirectMap
	// BpfSkRedirectMap helper function
	BpfSkRedirectMap
	// BpfSockMapUpdate helper function
	BpfSockMapUpdate
	// BpfXdpAdjustMeta helper function
	BpfXdpAdjustMeta
	// BpfPerfEventReadValue helper function
	BpfPerfEventReadValue
	// BpfPerfProgReadValue helper function
	BpfPerfProgReadValue
	// BpfGetsockopt helper function
	BpfGetsockopt
	// BpfOverrideReturn helper function
	BpfOverrideReturn
	// BpfSockOpsCbFlagsSet helper function
	BpfSockOpsCbFlagsSet
	// BpfMsgRedirectMap helper function
	BpfMsgRedirectMap
	// BpfMsgApplyBytes helper function
	BpfMsgApplyBytes
	// BpfMsgCorkBytes helper function
	BpfMsgCorkBytes
	// BpfMsgPullData helper function
	BpfMsgPullData
	// BpfBind helper function
	BpfBind
	// BpfXdpAdjustTail helper function
	BpfXdpAdjustTail
	// BpfSkbGetXfrmState helper function
	BpfSkbGetXfrmState
	// BpfGetStack helper function
	BpfGetStack
	// BpfSkbLoadBytesRelative helper function
	BpfSkbLoadBytesRelative
	// BpfFibLookup helper function
	BpfFibLookup
	// BpfSockHashUpdate helper function
	BpfSockHashUpdate
	// BpfMsgRedirectHash helper function
	BpfMsgRedirectHash
	// BpfSkRedirectHash helper function
	BpfSkRedirectHash
	// BpfLwtPushEncap helper function
	BpfLwtPushEncap
	// BpfLwtSeg6StoreBytes helper function
	BpfLwtSeg6StoreBytes
	// BpfLwtSeg6AdjustSrh helper function
	BpfLwtSeg6AdjustSrh
	// BpfLwtSeg6Action helper function
	BpfLwtSeg6Action
	// BpfRcRepeat helper function
	BpfRcRepeat
	// BpfRcKeydown helper function
	BpfRcKeydown
	// BpfSkbCgroupID helper function
	BpfSkbCgroupID
	// BpfGetCurrentCgroupID helper function
	BpfGetCurrentCgroupID
	// BpfGetLocalStorage helper function
	BpfGetLocalStorage
	// BpfSkSelectReuseport helper function
	BpfSkSelectReuseport
	// BpfSkbAncestorCgroupID helper function
	BpfSkbAncestorCgroupID
	// BpfSkLookupTCP helper function
	BpfSkLookupTCP
	// BpfSkLookupUDP helper function
	BpfSkLookupUDP
	// BpfSkRelease helper function
	BpfSkRelease
	// BpfMapPushElem helper function
	BpfMapPushElem
	// BpfMapPopElem helper function
	BpfMapPopElem
	// BpfMapPeekElem helper function
	BpfMapPeekElem
	// BpfMsgPushData helper function
	BpfMsgPushData
	// BpfMsgPopData helper function
	BpfMsgPopData
	// BpfRcPointerRel helper function
	BpfRcPointerRel
	// BpfSpinLock helper function
	BpfSpinLock
	// BpfSpinUnlock helper function
	BpfSpinUnlock
	// BpfSkFullsock helper function
	BpfSkFullsock
	// BpfTCPSock helper function
	BpfTCPSock
	// BpfSkbEcnSetCe helper function
	BpfSkbEcnSetCe
	// BpfGetListenerSock helper function
	BpfGetListenerSock
	// BpfSkcLookupTCP helper function
	BpfSkcLookupTCP
	// BpfTCPCheckSyncookie helper function
	BpfTCPCheckSyncookie
	// BpfSysctlGetName helper function
	BpfSysctlGetName
	// BpfSysctlGetCurrentValue helper function
	BpfSysctlGetCurrentValue
	// BpfSysctlGetNewValue helper function
	BpfSysctlGetNewValue
	// BpfSysctlSetNewValue helper function
	BpfSysctlSetNewValue
	// BpfStrtol helper function
	BpfStrtol
	// BpfStrtoul helper function
	BpfStrtoul
	// BpfSkStorageGet helper function
	BpfSkStorageGet
	// BpfSkStorageDelete helper function
	BpfSkStorageDelete
	// BpfSendSignal helper function
	BpfSendSignal
	// BpfTCPGenSyncookie helper function
	BpfTCPGenSyncookie
	// BpfSkbOutput helper function
	BpfSkbOutput
	// BpfProbeReadUser helper function
	BpfProbeReadUser
	// BpfProbeReadKernel helper function
	BpfProbeReadKernel
	// BpfProbeReadUserStr helper function
	BpfProbeReadUserStr
	// BpfProbeReadKernelStr helper function
	BpfProbeReadKernelStr
	// BpfTCPSendAck helper function
	BpfTCPSendAck
	// BpfSendSignalThread helper function
	BpfSendSignalThread
	// BpfJiffies64 helper function
	BpfJiffies64
	// BpfReadBranchRecords helper function
	BpfReadBranchRecords
	// BpfGetNsCurrentPidTgid helper function
	BpfGetNsCurrentPidTgid
	// BpfXdpOutput helper function
	BpfXdpOutput
	// BpfGetNetnsCookie helper function
	BpfGetNetnsCookie
	// BpfGetCurrentAncestorCgroupID helper function
	BpfGetCurrentAncestorCgroupID
	// BpfSkAssign helper function
	BpfSkAssign
	// BpfKtimeGetBootNs helper function
	BpfKtimeGetBootNs
	// BpfSeqPrintf helper function
	BpfSeqPrintf
	// BpfSeqWrite helper function
	BpfSeqWrite
	// BpfSkCgroupID helper function
	BpfSkCgroupID
	// BpfSkAncestorCgroupID helper function
	BpfSkAncestorCgroupID
	// BpfRingbufOutput helper function
	BpfRingbufOutput
	// BpfRingbufReserve helper function
	BpfRingbufReserve
	// BpfRingbufSubmit helper function
	BpfRingbufSubmit
	// BpfRingbufDiscard helper function
	BpfRingbufDiscard
	// BpfRingbufQuery helper function
	BpfRingbufQuery
	// BpfCsumLevel helper function
	BpfCsumLevel
	// BpfSkcToTCP6Sock helper function
	BpfSkcToTCP6Sock
	// BpfSkcToTCPSock helper function
	BpfSkcToTCPSock
	// BpfSkcToTCPTimewaitSock helper function
	BpfSkcToTCPTimewaitSock
	// BpfSkcToTCPRequestSock helper function
	BpfSkcToTCPRequestSock
	// BpfSkcToUDP6Sock helper function
	BpfSkcToUDP6Sock
	// BpfGetTaskStack helper function
	BpfGetTaskStack
	// BpfLoadHdrOpt helper function
	BpfLoadHdrOpt
	// BpfStoreHdrOpt helper function
	BpfStoreHdrOpt
	// BpfReserveHdrOpt helper function
	BpfReserveHdrOpt
	// BpfInodeStorageGet helper function
	BpfInodeStorageGet
	// BpfInodeStorageDelete helper function
	BpfInodeStorageDelete
	// BpfDPath helper function
	BpfDPath
	// BpfCopyFromUser helper function
	BpfCopyFromUser
	// BpfSnprintfBtf helper function
	BpfSnprintfBtf
	// BpfSeqPrintfBtf helper function
	BpfSeqPrintfBtf
	// BpfSkbCgroupClassid helper function
	BpfSkbCgroupClassid
	// BpfRedirectNeigh helper function
	BpfRedirectNeigh
	// BpfPerCPUPtr helper function
	BpfPerCPUPtr
	// BpfThisCPUPtr helper function
	BpfThisCPUPtr
	// BpfRedirectPeer helper function
	BpfRedirectPeer
	// BpfTaskStorageGet helper function
	BpfTaskStorageGet
	// BpfTaskStorageDelete helper function
	BpfTaskStorageDelete
	// BpfGetCurrentTaskBtf helper function
	BpfGetCurrentTaskBtf
	// BpfBprmOptsSet helper function
	BpfBprmOptsSet
	// BpfKtimeGetCoarseNs helper function
	BpfKtimeGetCoarseNs
	// BpfImaInodeHash helper function
	BpfImaInodeHash
	// BpfSockFromFile helper function
	BpfSockFromFile
	// BpfCheckMtu helper function
	BpfCheckMtu
	// BpfForEachMapElem helper function
	BpfForEachMapElem
	// BpfSnprintf helper function
	BpfSnprintf
)

func (BPFHelperFunc) String

func (f BPFHelperFunc) String() string

type BPFMap

type BPFMap struct {
	ID   uint32 `field:"-"`    // ID of the eBPF map
	Type uint32 `field:"type"` // Type of the eBPF map
	Name string `field:"-"`    // Name of the eBPF map
}

BPFMap represents a BPF map

func (*BPFMap) UnmarshalBinary

func (m *BPFMap) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type BPFMapType

type BPFMapType uint32

BPFMapType is used to define map type constants

const (
	// BpfMapTypeUnspec map type
	BpfMapTypeUnspec BPFMapType = iota
	// BpfMapTypeHash map type
	BpfMapTypeHash
	// BpfMapTypeArray map type
	BpfMapTypeArray
	// BpfMapTypeProgArray map type
	BpfMapTypeProgArray
	// BpfMapTypePerfEventArray map type
	BpfMapTypePerfEventArray
	// BpfMapTypePercpuHash map type
	BpfMapTypePercpuHash
	// BpfMapTypePercpuArray map type
	BpfMapTypePercpuArray
	// BpfMapTypeStackTrace map type
	BpfMapTypeStackTrace
	// BpfMapTypeCgroupArray map type
	BpfMapTypeCgroupArray
	// BpfMapTypeLruHash map type
	BpfMapTypeLruHash
	// BpfMapTypeLruPercpuHash map type
	BpfMapTypeLruPercpuHash
	// BpfMapTypeLpmTrie map type
	BpfMapTypeLpmTrie
	// BpfMapTypeArrayOfMaps map type
	BpfMapTypeArrayOfMaps
	// BpfMapTypeHashOfMaps map type
	BpfMapTypeHashOfMaps
	// BpfMapTypeDevmap map type
	BpfMapTypeDevmap
	// BpfMapTypeSockmap map type
	BpfMapTypeSockmap
	// BpfMapTypeCPUmap map type
	BpfMapTypeCPUmap
	// BpfMapTypeXskmap map type
	BpfMapTypeXskmap
	// BpfMapTypeSockhash map type
	BpfMapTypeSockhash
	// BpfMapTypeCgroupStorage map type
	BpfMapTypeCgroupStorage
	// BpfMapTypeReuseportSockarray map type
	BpfMapTypeReuseportSockarray
	// BpfMapTypePercpuCgroupStorage map type
	BpfMapTypePercpuCgroupStorage
	// BpfMapTypeQueue map type
	BpfMapTypeQueue
	// BpfMapTypeStack map type
	BpfMapTypeStack
	// BpfMapTypeSkStorage map type
	BpfMapTypeSkStorage
	// BpfMapTypeDevmapHash map type
	BpfMapTypeDevmapHash
	// BpfMapTypeStructOps map type
	BpfMapTypeStructOps
	// BpfMapTypeRingbuf map type
	BpfMapTypeRingbuf
	// BpfMapTypeInodeStorage map type
	BpfMapTypeInodeStorage
	// BpfMapTypeTaskStorage map type
	BpfMapTypeTaskStorage
)

func (BPFMapType) String

func (t BPFMapType) String() string

type BPFProgram

type BPFProgram struct {
	ID         uint32   `field:"-"`                // ID of the eBPF program
	Type       uint32   `field:"type"`             // Type of the eBPF program
	AttachType uint32   `field:"attach_type"`      // Attach type of the eBPF program
	Helpers    []uint32 `field:"-,ResolveHelpers"` // eBPF helpers used by the eBPF program
	Name       string   `field:"-"`                // Name of the eBPF program
}

BPFProgram represents a BPF program

func (*BPFProgram) UnmarshalBinary

func (p *BPFProgram) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type BPFProgramType

type BPFProgramType uint32

BPFProgramType is used to define program type constants

const (
	// BpfProgTypeUnspec program type
	BpfProgTypeUnspec BPFProgramType = iota
	// BpfProgTypeSocketFilter program type
	BpfProgTypeSocketFilter
	// BpfProgTypeKprobe program type
	BpfProgTypeKprobe
	// BpfProgTypeSchedCls program type
	BpfProgTypeSchedCls
	// BpfProgTypeSchedAct program type
	BpfProgTypeSchedAct
	// BpfProgTypeTracepoint program type
	BpfProgTypeTracepoint
	// BpfProgTypeXdp program type
	BpfProgTypeXdp
	// BpfProgTypePerfEvent program type
	BpfProgTypePerfEvent
	// BpfProgTypeCgroupSkb program type
	BpfProgTypeCgroupSkb
	// BpfProgTypeCgroupSock program type
	BpfProgTypeCgroupSock
	// BpfProgTypeLwtIn program type
	BpfProgTypeLwtIn
	// BpfProgTypeLwtOut program type
	BpfProgTypeLwtOut
	// BpfProgTypeLwtXmit program type
	BpfProgTypeLwtXmit
	// BpfProgTypeSockOps program type
	BpfProgTypeSockOps
	// BpfProgTypeSkSkb program type
	BpfProgTypeSkSkb
	// BpfProgTypeCgroupDevice program type
	BpfProgTypeCgroupDevice
	// BpfProgTypeSkMsg program type
	BpfProgTypeSkMsg
	// BpfProgTypeRawTracepoint program type
	BpfProgTypeRawTracepoint
	// BpfProgTypeCgroupSockAddr program type
	BpfProgTypeCgroupSockAddr
	// BpfProgTypeLwtSeg6local program type
	BpfProgTypeLwtSeg6local
	// BpfProgTypeLircMode2 program type
	BpfProgTypeLircMode2
	// BpfProgTypeSkReuseport program type
	BpfProgTypeSkReuseport
	// BpfProgTypeFlowDissector program type
	BpfProgTypeFlowDissector
	// BpfProgTypeCgroupSysctl program type
	BpfProgTypeCgroupSysctl
	// BpfProgTypeRawTracepointWritable program type
	BpfProgTypeRawTracepointWritable
	// BpfProgTypeCgroupSockopt program type
	BpfProgTypeCgroupSockopt
	// BpfProgTypeTracing program type
	BpfProgTypeTracing
	// BpfProgTypeStructOps program type
	BpfProgTypeStructOps
	// BpfProgTypeExt program type
	BpfProgTypeExt
	// BpfProgTypeLsm program type
	BpfProgTypeLsm
	// BpfProgTypeSkLookup program type
	BpfProgTypeSkLookup
)

func (BPFProgramType) String

func (t BPFProgramType) String() string

type BinaryUnmarshaler

type BinaryUnmarshaler interface {
	UnmarshalBinary(data []byte) (int, error)
}

BinaryUnmarshaler interface implemented by every event type

type CapsetEvent

type CapsetEvent struct {
	CapEffective uint64 `field:"cap_effective"` // Effective capability set of the process
	CapPermitted uint64 `field:"cap_permitted"` // Permitted capability set of the process
}

CapsetEvent represents a capset event

func (*CapsetEvent) UnmarshalBinary

func (e *CapsetEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type ChmodEvent

type ChmodEvent struct {
	SyscallEvent
	File FileEvent `field:"file"`
	Mode uint32    `field:"file.destination.mode" field:"file.destination.rights"` // New mode/rights of the chmod-ed file
}

ChmodEvent represents a chmod event

func (*ChmodEvent) UnmarshalBinary

func (e *ChmodEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type ChmodMode

type ChmodMode int

ChmodMode represent a chmod mode bitmask value

func (ChmodMode) String

func (m ChmodMode) String() string

type ChownEvent

type ChownEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`
	UID   uint32    `field:"file.destination.uid"`                   // New UID of the chown-ed file's owner
	User  string    `field:"file.destination.user,ResolveChownUID"`  // New user of the chown-ed file's owner
	GID   uint32    `field:"file.destination.gid"`                   // New GID of the chown-ed file's owner
	Group string    `field:"file.destination.group,ResolveChownGID"` // New group of the chown-ed file's owner
}

ChownEvent represents a chown event

func (*ChownEvent) UnmarshalBinary

func (e *ChownEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type ContainerContext

type ContainerContext struct {
	ID   string   `field:"id,ResolveContainerID"`          // ID of the container
	Tags []string `field:"tags,ResolveContainerTags:9999"` // Tags of the container
}

ContainerContext holds the container context of an event

func (*ContainerContext) UnmarshalBinary

func (e *ContainerContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type Credentials

type Credentials struct {
	UID   uint32 `field:"uid"`   // UID of the process
	GID   uint32 `field:"gid"`   // GID of the process
	User  string `field:"user"`  // User of the process
	Group string `field:"group"` // Group of the process

	EUID   uint32 `field:"euid"`   // Effective UID of the process
	EGID   uint32 `field:"egid"`   // Effective GID of the process
	EUser  string `field:"euser"`  // Effective user of the process
	EGroup string `field:"egroup"` // Effective group of the process

	FSUID   uint32 `field:"fsuid"`   // FileSystem-uid of the process
	FSGID   uint32 `field:"fsgid"`   // FileSystem-gid of the process
	FSUser  string `field:"fsuser"`  // FileSystem-user of the process
	FSGroup string `field:"fsgroup"` // FileSystem-group of the process

	CapEffective uint64 `field:"cap_effective"` // Effective capability set of the process
	CapPermitted uint64 `field:"cap_permitted"` // Permitted capability set of the process
}

Credentials represents the kernel credentials of a process

func (*Credentials) UnmarshalBinary

func (e *Credentials) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type EnvsEntry

type EnvsEntry struct {
	*ArgsEnvsCacheEntry

	Values    map[string]string
	Truncated bool
	// contains filtered or unexported fields
}

EnvsEntry defines a args cache entry

func (*EnvsEntry) Get

func (p *EnvsEntry) Get(key string) string

Get returns the value for the given key

func (*EnvsEntry) Keys added in v0.34.0

func (p *EnvsEntry) Keys() ([]string, bool)

Keys returns only keys

func (*EnvsEntry) ToMap

func (p *EnvsEntry) ToMap() (map[string]string, bool)

ToMap returns envs as map

type Event

type Event struct {
	ID           string    `field:"-"`
	Type         uint64    `field:"-"`
	TimestampRaw uint64    `field:"-"`
	Timestamp    time.Time `field:"timestamp"` // Timestamp of the event

	ProcessContext   ProcessContext   `field:"process" event:"*"`
	SpanContext      SpanContext      `field:"-"`
	ContainerContext ContainerContext `field:"container"`

	Chmod       ChmodEvent    `field:"chmod" event:"chmod"`             // [7.27] [File] A file’s permissions were changed
	Chown       ChownEvent    `field:"chown" event:"chown"`             // [7.27] [File] A file’s owner was changed
	Open        OpenEvent     `field:"open" event:"open"`               // [7.27] [File] A file was opened
	Mkdir       MkdirEvent    `field:"mkdir" event:"mkdir"`             // [7.27] [File] A directory was created
	Rmdir       RmdirEvent    `field:"rmdir" event:"rmdir"`             // [7.27] [File] A directory was removed
	Rename      RenameEvent   `field:"rename" event:"rename"`           // [7.27] [File] A file/directory was renamed
	Unlink      UnlinkEvent   `field:"unlink" event:"unlink"`           // [7.27] [File] A file was deleted
	Utimes      UtimesEvent   `field:"utimes" event:"utimes"`           // [7.27] [File] Change file access/modification times
	Link        LinkEvent     `field:"link" event:"link"`               // [7.27] [File] Create a new name/alias for a file
	SetXAttr    SetXAttrEvent `field:"setxattr" event:"setxattr"`       // [7.27] [File] Set exteneded attributes
	RemoveXAttr SetXAttrEvent `field:"removexattr" event:"removexattr"` // [7.27] [File] Remove extended attributes
	Exec        ExecEvent     `field:"exec" event:"exec"`               // [7.27] [Process] A process was executed or forked

	SetUID SetuidEvent `field:"setuid" event:"setuid"` // [7.27] [Process] A process changed its effective uid
	SetGID SetgidEvent `field:"setgid" event:"setgid"` // [7.27] [Process] A process changed its effective gid
	Capset CapsetEvent `field:"capset" event:"capset"` // [7.27] [Process] A process changed its capacity set

	SELinux  SELinuxEvent  `field:"selinux" event:"selinux"`   // [7.30] [Kernel] An SELinux operation was run
	BPF      BPFEvent      `field:"bpf" event:"bpf"`           // [7.33] [Kernel] A BPF command was executed
	PTrace   PTraceEvent   `field:"ptrace" event:"ptrace"`     // [7.34] [Kernel] [Experimental] A ptrace command was executed
	MMap     MMapEvent     `field:"mmap" event:"mmap"`         // [7.34] [Kernel] [Experimental] A mmap command was executed
	MProtect MProtectEvent `field:"mprotect" event:"mprotect"` // [7.34] [Kernel] [Experimental] A mprotect command was executed

	Mount            MountEvent            `field:"-"`
	Umount           UmountEvent           `field:"-"`
	InvalidateDentry InvalidateDentryEvent `field:"-"`
	ArgsEnvs         ArgsEnvsEvent         `field:"-"`
	MountReleased    MountReleasedEvent    `field:"-"`
}

Event represents an event sent from the kernel genaccessors

func (*Event) GetEventType

func (e *Event) GetEventType() EventType

GetEventType returns the event type of the event

func (*Event) GetFieldEventType

func (e *Event) GetFieldEventType(field eval.Field) (eval.EventType, error)

func (*Event) GetFieldType

func (e *Event) GetFieldType(field eval.Field) (reflect.Kind, error)

func (*Event) GetFieldValue

func (e *Event) GetFieldValue(field eval.Field) (interface{}, error)

func (*Event) GetFields

func (e *Event) GetFields() []eval.Field

func (*Event) GetPointer

func (e *Event) GetPointer() unsafe.Pointer

GetPointer return an unsafe.Pointer of the Event

func (*Event) GetTags

func (e *Event) GetTags() []string

GetTags returns the list of tags specific to this event

func (*Event) GetType

func (e *Event) GetType() string

GetType returns the event type

func (*Event) SetFieldValue

func (e *Event) SetFieldValue(field eval.Field, value interface{}) error

func (*Event) UnmarshalBinary

func (e *Event) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type EventCategory

type EventCategory = string

EventCategory category type

const (
	// FIMCategory FIM events
	FIMCategory EventCategory = "File Activity"
	// ProcessCategory process events
	ProcessCategory EventCategory = "Process Activity"
	// KernelCategory Kernel events
	KernelCategory EventCategory = "Kernel Activity"
)

Event categories

func GetAllCategories added in v0.34.0

func GetAllCategories() []EventCategory

GetAllCategories returns all categories

func GetEventTypeCategory

func GetEventTypeCategory(eventType eval.EventType) EventCategory

GetEventTypeCategory returns the category for the given event type

type EventType

type EventType uint64

EventType describes the type of an event sent from the kernel

const (
	// UnknownEventType unknow event
	UnknownEventType EventType = iota
	// FileOpenEventType File open event
	FileOpenEventType
	// FileMkdirEventType Folder creation event
	FileMkdirEventType
	// FileLinkEventType Hard link creation event
	FileLinkEventType
	// FileRenameEventType File or folder rename event
	FileRenameEventType
	// FileUnlinkEventType Unlink event
	FileUnlinkEventType
	// FileRmdirEventType Rmdir event
	FileRmdirEventType
	// FileChmodEventType Chmod event
	FileChmodEventType
	// FileChownEventType Chown event
	FileChownEventType
	// FileUtimesEventType Utime event
	FileUtimesEventType
	// FileSetXAttrEventType Setxattr event
	FileSetXAttrEventType
	// FileRemoveXAttrEventType Removexattr event
	FileRemoveXAttrEventType
	// FileMountEventType Mount event
	FileMountEventType
	// FileUmountEventType Umount event
	FileUmountEventType
	// ForkEventType Fork event
	ForkEventType
	// ExecEventType Exec event
	ExecEventType
	// ExitEventType Exit event
	ExitEventType
	// InvalidateDentryEventType Dentry invalidated event
	InvalidateDentryEventType
	// SetuidEventType setuid event
	SetuidEventType
	// SetgidEventType setgid event
	SetgidEventType
	// CapsetEventType capset event
	CapsetEventType
	// ArgsEnvsEventType args and envs event
	ArgsEnvsEventType
	// MountReleasedEventType sent when a mount point is released
	MountReleasedEventType
	// SELinuxEventType selinux event
	SELinuxEventType
	// BPFEventType bpf event
	BPFEventType
	// PTraceEventType PTrace event
	PTraceEventType
	// MMapEventType MMap event
	MMapEventType
	// MProtectEventType MProtect event
	MProtectEventType
	// MaxEventType is used internally to get the maximum number of kernel events.
	MaxEventType

	// FirstDiscarderEventType first event that accepts discarders
	FirstDiscarderEventType = FileOpenEventType

	// LastDiscarderEventType last event that accepts discarders
	LastDiscarderEventType = FileRemoveXAttrEventType

	// CustomLostReadEventType is the custom event used to report lost events detected in user space
	CustomLostReadEventType EventType = iota
	// CustomLostWriteEventType is the custom event used to report lost events detected in kernel space
	CustomLostWriteEventType
	// CustomRulesetLoadedEventType is the custom event used to report that a new ruleset was loaded
	CustomRulesetLoadedEventType
	// CustomNoisyProcessEventType is the custom event used to report the detection of a noisy process
	CustomNoisyProcessEventType
	// CustomForkBombEventType is the custom event used to report the detection of a fork bomb
	CustomForkBombEventType
	// CustomTruncatedParentsEventType is the custom event used to report that the parents of a path were truncated
	CustomTruncatedParentsEventType
)

func ParseEvalEventType

func ParseEvalEventType(eventType eval.EventType) EventType

ParseEvalEventType convert a eval.EventType (string) to its uint64 representation the current algorithm is not efficient but allows us to reduce the number of conversion functions

func (EventType) String

func (t EventType) String() string

type ExecEvent

type ExecEvent struct {
	Process
}

ExecEvent represents a exec event

func (*ExecEvent) UnmarshalBinary

func (e *ExecEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type FileEvent

type FileEvent struct {
	FileFields
	PathnameStr string `field:"path,ResolveFilePath"`             // File's path
	BasenameStr string `field:"name,ResolveFileBasename"`         // File's basename
	Filesytem   string `field:"filesystem,ResolveFileFilesystem"` // File's filesystem

	PathResolutionError error `field:"-"`
}

FileEvent is the common file event type

func (*FileEvent) GetPathResolutionError

func (e *FileEvent) GetPathResolutionError() string

GetPathResolutionError returns the path resolution error as a string if there is one

func (*FileEvent) UnmarshalBinary

func (e *FileEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type FileFields

type FileFields struct {
	UID   uint32 `field:"uid"`                               // UID of the file's owner
	User  string `field:"user,ResolveFileFieldsUser"`        // User of the file's owner
	GID   uint32 `field:"gid"`                               // GID of the file's owner
	Group string `field:"group,ResolveFileFieldsGroup"`      // Group of the file's owner
	Mode  uint16 `field:"mode" field:"rights,ResolveRights"` // Mode/rights of the file
	CTime uint64 `field:"change_time"`                       // Change time of the file
	MTime uint64 `field:"modification_time"`                 // Modification time of the file

	MountID      uint32 `field:"mount_id"`                                     // Mount ID of the file
	Inode        uint64 `field:"inode"`                                        // Inode of the file
	InUpperLayer bool   `field:"in_upper_layer,ResolveFileFieldsInUpperLayer"` // Indicator of the file layer, in an OverlayFS for example

	NLink  uint32 `field:"-"`
	PathID uint32 `field:"-"`
	Flags  int32  `field:"-"`
}

FileFields holds the information required to identify a file

func (*FileFields) GetInLowerLayer

func (f *FileFields) GetInLowerLayer() bool

GetInLowerLayer returns whether a file is in a lower layer

func (*FileFields) GetInUpperLayer

func (f *FileFields) GetInUpperLayer() bool

GetInUpperLayer returns whether a file is in the upper layer

func (f *FileFields) HasHardLinks() bool

HasHardLinks returns whether the file has hardlink

func (*FileFields) UnmarshalBinary

func (e *FileFields) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type InvalidateDentryEvent

type InvalidateDentryEvent struct {
	Inode             uint64
	MountID           uint32
	DiscarderRevision uint32
}

InvalidateDentryEvent defines a invalidate dentry event

func (*InvalidateDentryEvent) UnmarshalBinary

func (e *InvalidateDentryEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type KernelCapability

type KernelCapability uint64

KernelCapability represents a kernel capability bitmask value

func (KernelCapability) String

func (kc KernelCapability) String() string

func (KernelCapability) StringArray

func (kc KernelCapability) StringArray() []string

StringArray returns the kernel capabilities as an array of strings

type LinkEvent

type LinkEvent struct {
	SyscallEvent
	Source FileEvent `field:"file"`
	Target FileEvent `field:"file.destination"`
}

LinkEvent represents a link event

func (*LinkEvent) UnmarshalBinary

func (e *LinkEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type MMapEvent added in v0.34.0

type MMapEvent struct {
	SyscallEvent

	File       FileEvent `field:"file"`
	Addr       uint64    `field:"-"`
	Offset     uint64    `field:"-"`
	Len        uint32    `field:"-"`
	Protection int       `field:"protection"`
	Flags      int       `field:"flags"`
}

MMapEvent represents a mmap event

func (*MMapEvent) UnmarshalBinary added in v0.34.0

func (e *MMapEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type MMapFlag added in v0.34.0

type MMapFlag int

MMapFlag represents a mmap flag value

func (MMapFlag) String added in v0.34.0

func (mmf MMapFlag) String() string

type MProtectEvent added in v0.34.0

type MProtectEvent struct {
	SyscallEvent

	VMStart       uint64 `field:"-"`
	VMEnd         uint64 `field:"-"`
	VMProtection  int    `field:"vm_protection"`
	ReqProtection int    `field:"req_protection"`
}

MProtectEvent represents a mprotect event

func (*MProtectEvent) UnmarshalBinary added in v0.34.0

func (e *MProtectEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshals a binary representation of itself

type MkdirEvent

type MkdirEvent struct {
	SyscallEvent
	File FileEvent `field:"file"`
	Mode uint32    `field:"file.destination.mode" field:"file.destination.rights"` // Mode/rights of the new directory
}

MkdirEvent represents a mkdir event

func (*MkdirEvent) UnmarshalBinary

func (e *MkdirEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type Model

type Model struct{}

Model describes the data model for the runtime security agent events

func (*Model) GetEvaluator

func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error)

func (*Model) GetEventTypes

func (m *Model) GetEventTypes() []eval.EventType

func (*Model) GetIterator

func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error)

func (*Model) NewEvent

func (m *Model) NewEvent() eval.Event

NewEvent returns a new Event

func (*Model) ValidateField

func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error

ValidateField validates the value of a field

type MountEvent

type MountEvent struct {
	SyscallEvent
	MountID                       uint32
	GroupID                       uint32
	Device                        uint32
	ParentMountID                 uint32
	ParentInode                   uint64
	FSType                        string
	MountPointStr                 string
	MountPointPathResolutionError error
	RootMountID                   uint32
	RootInode                     uint64
	RootStr                       string
	RootPathResolutionError       error

	FSTypeRaw [16]byte
}

MountEvent represents a mount event

func (*MountEvent) GetFSType

func (m *MountEvent) GetFSType() string

GetFSType returns the filesystem type of the mountpoint

func (*MountEvent) GetMountPointPathResolutionError

func (m *MountEvent) GetMountPointPathResolutionError() string

GetMountPointPathResolutionError returns the mount point path resolution error as a string if there is one

func (*MountEvent) GetRootPathResolutionError

func (m *MountEvent) GetRootPathResolutionError() string

GetRootPathResolutionError returns the root path resolution error as a string if there is one

func (*MountEvent) IsOverlayFS

func (m *MountEvent) IsOverlayFS() bool

IsOverlayFS returns whether it is an overlay fs

func (*MountEvent) UnmarshalBinary

func (e *MountEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type MountReleasedEvent

type MountReleasedEvent struct {
	MountID           uint32
	DiscarderRevision uint32
}

MountReleasedEvent defines a mount released event

func (*MountReleasedEvent) UnmarshalBinary

func (e *MountReleasedEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type OpenEvent

type OpenEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`
	Flags uint32    `field:"flags"`                 // Flags used when opening the file
	Mode  uint32    `field:"file.destination.mode"` // Mode of the created file
}

OpenEvent represents an open event

func (*OpenEvent) UnmarshalBinary

func (e *OpenEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type OpenFlags

type OpenFlags int

OpenFlags represents an open flags bitmask value

func (OpenFlags) String

func (f OpenFlags) String() string

func (OpenFlags) StringArray

func (f OpenFlags) StringArray() []string

StringArray returns the open flags as an array of strings

type PTraceEvent added in v0.34.0

type PTraceEvent struct {
	SyscallEvent

	Request                 uint32             `field:"request"`
	PID                     uint32             `field:"-"`
	Address                 uint64             `field:"-"`
	Tracee                  ProcessContext     `field:"tracee"`
	TraceeProcessCacheEntry *ProcessCacheEntry `field:"-"`
}

PTraceEvent represents a ptrace event

func (*PTraceEvent) UnmarshalBinary added in v0.34.0

func (e *PTraceEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type PTraceRequest added in v0.34.0

type PTraceRequest uint32

PTraceRequest represents a ptrace request value

func (PTraceRequest) String added in v0.34.0

func (f PTraceRequest) String() string

type Process

type Process struct {
	// proc_cache_t
	FileFields FileFields `field:"file"`

	Pid uint32 `field:"pid"` // Process ID of the process (also called thread group ID)
	Tid uint32 `field:"tid"` // Thread ID of the thread

	PathnameStr         string `field:"file.path"`       // Path of the process executable
	BasenameStr         string `field:"file.name"`       // Basename of the path of the process executable
	Filesystem          string `field:"file.filesystem"` // FileSystem of the process executable
	PathResolutionError error  `field:"-"`

	ContainerID string `field:"container.id"` // Container ID

	TTYName string `field:"tty_name"` // Name of the TTY associated with the process
	Comm    string `field:"comm"`     // Comm attribute of the process

	// pid_cache_t
	ForkTime time.Time `field:"-"`
	ExitTime time.Time `field:"-"`
	ExecTime time.Time `field:"-"`

	CreatedAt uint64 `field:"created_at,ResolveProcessCreatedAt"` // Timestamp of the creation of the process

	Cookie uint32 `field:"cookie"` // Cookie of the process
	PPid   uint32 `field:"ppid"`   // Parent process ID

	// credentials_t section of pid_cache_t
	Credentials

	ArgsID uint32 `field:"-"`
	EnvsID uint32 `field:"-"`

	ArgsEntry *ArgsEntry `field:"-"`
	EnvsEntry *EnvsEntry `field:"-"`

	// defined to generate accessors, ArgsTruncated and EnvsTruncated are used during by unmarshaller
	Argv0         string   `field:"argv0,ResolveProcessArgv0:100"`                                                                                         // First argument of the process
	Args          string   `field:"args,ResolveProcessArgs:100"`                                                                                           // Arguments of the process (as a string)
	Argv          []string `field:"argv,ResolveProcessArgv:100" field:"args_flags,ResolveProcessArgsFlags" field:"args_options,ResolveProcessArgsOptions"` // Arguments of the process (as an array)
	ArgsTruncated bool     `field:"args_truncated,ResolveProcessArgsTruncated"`                                                                            // Indicator of arguments truncation
	Envs          []string `field:"envs,ResolveProcessEnvs:100"`                                                                                           // Environment variables of the process
	EnvsTruncated bool     `field:"envs_truncated,ResolveProcessEnvsTruncated"`                                                                            // Indicator of environment variables truncation

	// cache version
	ScrubbedArgvResolved  bool     `field:"-"`
	ScrubbedArgv          []string `field:"-"`
	ScrubbedArgsTruncated bool     `field:"-"`
}

Process represents a process

func (*Process) GetPathResolutionError

func (e *Process) GetPathResolutionError() string

GetPathResolutionError returns the path resolution error as a string if there is one

func (*Process) UnmarshalBinary

func (e *Process) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type ProcessAncestorsIterator

type ProcessAncestorsIterator struct {
	// contains filtered or unexported fields
}

ProcessAncestorsIterator defines an iterator of ancestors

func (*ProcessAncestorsIterator) Front

Front returns the first element

func (*ProcessAncestorsIterator) Next

Next returns the next element

type ProcessCacheEntry

type ProcessCacheEntry struct {
	ProcessContext
	// contains filtered or unexported fields
}

ProcessCacheEntry this struct holds process context kept in the process tree

func NewProcessCacheEntry

func NewProcessCacheEntry(onRelease func(_ *ProcessCacheEntry)) *ProcessCacheEntry

NewProcessCacheEntry returns a new process cache entry

func (*ProcessCacheEntry) Exec

func (pc *ProcessCacheEntry) Exec(entry *ProcessCacheEntry)

Exec replace a process

func (*ProcessCacheEntry) Exit

func (pc *ProcessCacheEntry) Exit(exitTime time.Time)

Exit a process

func (*ProcessCacheEntry) Fork

func (pc *ProcessCacheEntry) Fork(childEntry *ProcessCacheEntry)

Fork returns a copy of the current ProcessCacheEntry

func (*ProcessCacheEntry) Release

func (e *ProcessCacheEntry) Release()

Release decrement and eventually release the entry

func (*ProcessCacheEntry) Reset

func (e *ProcessCacheEntry) Reset()

Reset the entry

func (*ProcessCacheEntry) Retain

func (e *ProcessCacheEntry) Retain()

Retain increment ref counter

func (*ProcessCacheEntry) SetAncestor

func (pc *ProcessCacheEntry) SetAncestor(parent *ProcessCacheEntry)

SetAncestor set the ancestor

type ProcessContext

type ProcessContext struct {
	Process

	Ancestor *ProcessCacheEntry `field:"ancestors,,ProcessAncestorsIterator"`
}

ProcessContext holds the process context of an event

func (*ProcessContext) UnmarshalBinary

func (p *ProcessContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type Protection added in v0.34.0

type Protection int

Protection represents a virtual memory protection bitmask value

func (Protection) String added in v0.34.0

func (p Protection) String() string

type RenameEvent

type RenameEvent struct {
	SyscallEvent
	Old               FileEvent `field:"file"`
	New               FileEvent `field:"file.destination"`
	DiscarderRevision uint32    `field:"-"`
}

RenameEvent represents a rename event

func (*RenameEvent) UnmarshalBinary

func (e *RenameEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type RetValError

type RetValError int

RetValError represents a syscall return error value

func (RetValError) String

func (f RetValError) String() string

type RmdirEvent

type RmdirEvent struct {
	SyscallEvent
	File              FileEvent `field:"file"`
	DiscarderRevision uint32    `field:"-"`
}

RmdirEvent represents a rmdir event

func (*RmdirEvent) UnmarshalBinary

func (e *RmdirEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type SELinuxEvent

type SELinuxEvent struct {
	File            FileEvent        `field:"-"`
	EventKind       SELinuxEventKind `field:"-"`
	BoolName        string           `field:"bool.name,ResolveSELinuxBoolName"` // SELinux boolean name
	BoolChangeValue string           `field:"bool.state"`                       // SELinux boolean new value
	BoolCommitValue bool             `field:"bool_commit.state"`                // Indicator of a SELinux boolean commit operation
	EnforceStatus   string           `field:"enforce.status"`                   // SELinux enforcement status (one of "enforcing", "permissive", "disabled"")
}

SELinuxEvent represents a selinux event

func (*SELinuxEvent) UnmarshalBinary

func (e *SELinuxEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type SELinuxEventKind

type SELinuxEventKind uint32

SELinuxEventKind represents the event kind for SELinux events

const (
	// SELinuxBoolChangeEventKind represents SELinux boolean change events
	SELinuxBoolChangeEventKind SELinuxEventKind = iota
	// SELinuxStatusChangeEventKind represents SELinux status change events
	SELinuxStatusChangeEventKind
	// SELinuxBoolCommitEventKind represents SELinux boolean commit events
	SELinuxBoolCommitEventKind
)

type SetXAttrEvent

type SetXAttrEvent struct {
	SyscallEvent
	File      FileEvent `field:"file"`
	Namespace string    `field:"file.destination.namespace,ResolveXAttrNamespace"` // Namespace of the extended attribute
	Name      string    `field:"file.destination.name,ResolveXAttrName"`           // Name of the extended attribute

	NameRaw [200]byte
}

SetXAttrEvent represents an extended attributes event

func (*SetXAttrEvent) UnmarshalBinary

func (e *SetXAttrEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type SetgidEvent

type SetgidEvent struct {
	GID     uint32 `field:"gid"`                          // New GID of the process
	Group   string `field:"group,ResolveSetgidGroup"`     // New group of the process
	EGID    uint32 `field:"egid"`                         // New effective GID of the process
	EGroup  string `field:"egroup,ResolveSetgidEGroup"`   // New effective group of the process
	FSGID   uint32 `field:"fsgid"`                        // New FileSystem GID of the process
	FSGroup string `field:"fsgroup,ResolveSetgidFSGroup"` // New FileSystem group of the process
}

SetgidEvent represents a setgid event

func (*SetgidEvent) UnmarshalBinary

func (e *SetgidEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type SetuidEvent

type SetuidEvent struct {
	UID    uint32 `field:"uid"`                        // New UID of the process
	User   string `field:"user,ResolveSetuidUser"`     // New user of the process
	EUID   uint32 `field:"euid"`                       // New effective UID of the process
	EUser  string `field:"euser,ResolveSetuidEUser"`   // New effective user of the process
	FSUID  uint32 `field:"fsuid"`                      // New FileSystem UID of the process
	FSUser string `field:"fsuser,ResolveSetuidFSUser"` // New FileSystem user of the process
}

SetuidEvent represents a setuid event

func (*SetuidEvent) UnmarshalBinary

func (e *SetuidEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type SpanContext

type SpanContext struct {
	SpanID  uint64 `field:"_"`
	TraceID uint64 `field:"_"`
}

SpanContext describes a span context

func (*SpanContext) UnmarshalBinary

func (s *SpanContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type SyscallEvent

type SyscallEvent struct {
	Retval int64 `field:"retval"` // Return value of the syscall
}

SyscallEvent contains common fields for all the event

func (*SyscallEvent) UnmarshalBinary

func (e *SyscallEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type UmountEvent

type UmountEvent struct {
	SyscallEvent
	MountID uint32
}

UmountEvent represents an umount event

func (*UmountEvent) UnmarshalBinary

func (e *UmountEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type UnlinkEvent

type UnlinkEvent struct {
	SyscallEvent
	File              FileEvent `field:"file"`
	Flags             uint32    `field:"-"`
	DiscarderRevision uint32    `field:"-"`
}

UnlinkEvent represents an unlink event

func (*UnlinkEvent) UnmarshalBinary

func (e *UnlinkEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type UnlinkFlags

type UnlinkFlags int

UnlinkFlags represents an unlink flags bitmask value

func (UnlinkFlags) String

func (f UnlinkFlags) String() string

func (UnlinkFlags) StringArray

func (f UnlinkFlags) StringArray() []string

StringArray returns the unlink flags as an array of strings

type UtimesEvent

type UtimesEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`
	Atime time.Time `field:"-"`
	Mtime time.Time `field:"-"`
}

UtimesEvent represents a utime event

func (*UtimesEvent) UnmarshalBinary

func (e *UtimesEvent) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type VMFlag added in v0.34.0

type VMFlag int

VMFlag represents a VM_* bitmask value

func (VMFlag) String added in v0.34.0

func (vmf VMFlag) String() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL